Dmitry Gryaznov McAfee AVERT
While outbreaks of mass-mailing viruses are making the news, the much greater number of non-replicating malware gets very little attention. Over the past few years malware writers have apparently shifted their efforts from creating viruses and worms ‘for fun’, from cybervandalism, to creating backdoors, remotely controlled bots, password stealers, etc. pretty much ‘for profit’.
In fact, today we are seeing 8 to 10 times more new non-replicating malware per month than new viruses or worms. Since it is a non-replicating malware, it cannot spread by itself. But it is being massively and widely spread over practically all popular networks and services in the Internet: Usenet, IRC, P2P, IM, email. It is spread in disguise of multimedia files, pirated software, useful utilities and so on. It is usually packed with this or that runtime packer, presenting additional challenges to anti-virus products. Such malware, once run on an unsuspecting user’s computer, makes that computer completely controllable remotely by the perpetrator. Such compromised computers are then used, among other things, as email ‘proxies’ for spam, including spamming even more of that kind of malware through a variety of protocols. Quite often today adware and spyware is disseminated the same way. Such compromised computers are often combined into a ‘botnet’ of ‘zombie agents’, which can then be used for a Distributed Denial of Service Attacks on any target.
The paper will present statistics on malware in Usenet, P2P, IRC, discuss the new trends and suggest some possible countermeasures in addition to using anti-virus software.