For some time now, Kaspersky Lab has been tracking a shift in virus writers' tactics. The relative decline in the number of global epidemics during the last year signals a move away from the use of mass attacks on users worldwide. Instead, attacks are becoming more localized.
Of course, changing tactics are nothing new in the field of malicious code. Technological advances have always been the chief driving force behind change. The emergence of the Internet as a means of doing business formed the backdrop to the development of Internet-borne malware. The technological 'tug-of-war' between malware authors and security vendors has also influenced the development of malicious code.
However, technology is not the only factor involved. Social dynamics have an equal influence on the direction in which malware develops. The heavy use of social engineering techniques to lure unsuspecting users into running malicious code is just one example of this. The anatomy of the current Bozori worm outbreaks provides another clear example of the social dynamic in malware development.
On the face of it, Bozori is no different to earlier Internet worms like Blaster or Sasser: it uses an exploit to spread directly to vulnerable machines. Yet there's no global epidemic! We've seen no tell-tale signs of an epidemic on the Internet. And we've had no reports of infection from individual users.
There's no question that this worm is spreading. However, it seems to be confined to localized 'explosions' inside large corporations. These organizations, typically made up of 'small internets' behind heavily defended Internet gateways, have experienced infection.
Bozori, it seems, causes local outbreaks, whenever it's able to reach the critical mass (and this is heavily dependent on the level of management in the organization). The worm can't reach many machines over the Internet because these days everybody deploys a firewall. However, a worm can penetrate a local network without going through the firewall: when an infected laptop is brought into a network with, let's say, 50 Windows 2000 machines, chaos erupts. That's why small companies and home users haven't been affected. On the other hand, a number of globally interconnected corporations, running large networks of computers - practically their own reduced versions of the Internet – have been hit badly.
The Bozori incident suggests that we're on the threshold of a new era, in which 'business worms' will cause 'local network outbreaks' in large corporations, but will have little effect on the Internet as a whole.
This trend is not caused by any technical change in the way virus authors code their malware. What has changed is a shift in the social organization or social dynamics. Organizations have been secured behind their 'impenetrable' firewalls, filtering all e-mails and stripping all executable content. Businesses felt secure and confident that no attack could reach them. The blow from the inside was all the worse for being totally unexpected.