It's two years today since Hungarian Laszlo K, the author of the Magold worm, was found guilty of unauthorized use of computer systems (tens of thousands of systems, in fact) and sentenced to two years probation and a fine of $2,400.

A lot has happened since then.

1. The motivation behind the development of malicious code has changed. Malware is now routinely developed and used to make money. At the time Laszlo K was sentenced, this trend towards crimeware was just beginning.

2. We've seen a corresponding shift in tactics. There has been a relative decline in the use of mass-mailing as a means of distributing malicious code. The global epidemic has been replaced by tactical 'hit and run' attacks in which malware is spammed out to a controlled target population. So email worms like Magold make up a smaller percentage of malicious code overall.

The stakes have risen. Those who develop malicious code stand to benefit financially from their work. However, the risks have increased too. Law enforcement agencies across the world have become more expert in tracking cyber criminals. And there's a significant degree of co-operation between national police authorities. As a result, the number of arrests and convictions has risen considerably during the last two years. This week brought a further example. Three suspected members of the 'M00P' online gang were arrested in the UK and Finland, accused of distributing backdoor Trojans (including the Breplibot Trojan) via spam and using them to attack businesses.

Given the potential profits to be made, the evolution of malicious code is unlikely to slow down any time soon. But we're also likely to see more arrests and convictions.

The other day I was presented with the results of a test conducted by a local office from another antivirus company.
Basically the test comes down to end-users being asked to uninstall their current antivirus software and install the other antivirus product.
After this is done a full system scan takes place and the number of detected malware along with the name of the previously installed product is collected to gather statistics.
The competing antivirus programs are ranked in order of the average number of malware they didn't detect compared to the program the testresults belong to.

Anyone who has a basic understanding of computer security can see why this test is completely flawed and totally useless.
There is no verifiable set of malware samples, meaning that the other product may have identified legitimate files as being malicious.
But, even more importantly, there's no way of telling what state the previously installed antivirus software was in.
Given the way how the test was performed it's likely that most products were either outdated or pirated versions which can no longer be updated. And many more reasons can be thought of why this test is completely flawed.
In short it just comes down to that there are no real controllable variables, completely the opposite of that which makes a good test good.

The antivirus industry is a sensitive one, we must always take great care with what we say and what we do.
This also means that every antivirus company is responsible for the image and reputation of the industry as a whole.
Especially in case of tests this is where the antivirus experts come in. They are the people who have the skills to see which test is good and which is not and advise the marketing department accordingly.

After all, we must prevent misinformation every way we can, even if the misinformation might provide a positive outcome in the end.

I now travel a lot. Trips - mostly business - make up about half my life.
Conferences, exhibitions, meetings (with short stops at the seaside or ski resorts if I stop at all). And at these events I'm asked lots of different questions. Last year one of the most frequently asked questions was my opinion about Microsoft's anti-virus, and the changes it might cause in the anti-virus industry.

That question started me thinking about the situation on the anti-virus market - and here's the result

Once upon a time, back in the USSR, I accidentally got a virus on my computer, an Olivetti M24.

And I started my anti-virus career. That was in September (or October) 1989. And the first record was added to my first utility to fight computer viruses (well, in this case, just one computer virus). It was a challenge for me to analyze the code - and develop an anti-infection routine. I was so curious, and of course I didn't realize that it would become so serious.

Now there's an industry, now there are thousands of people developing anti-* solutions (including hundreds in my company). And just last night we had a major milestone - we added the 200,000th record to our antivirus databases. Cruel world...Two hundred thousand antivirus records! And the number will continue to increase - we're already up to 200,157 records.

Recent advances in browsers as seen in Netscape 8 or IE7 have made it harder for the bad guys to succeed with their phishing schemes. In the malware world, technological advances stimulate the development of new ways to evade detection. And we've came by some interesting e-mails which seem to indicate the same is happening in the phishing area as well.

Our colleague Michael Molsner in Japan got an odd phishing e-mail on his address. The text is the usual "help keep your identity safe" and it pretends to come from PayPal. What's interesting is the URL to the spoofed site, which points to a page on www.aafe.cn - the "Academy of Armoured Force Engenering".

While the website appears to be legit, the page from the PayPal e-mail is not. It redirects the browser to a page on http://www.skycar.net.cn/ which loads an interesting Javascript.

This script runs maximized in the browser and presents the user with a window which looks like this:

As you can see, there is an Address field in the window which says "https://www.paypal.com/us", but it is not the real browser address editbox! It's a special field inside the Java applet which makes it look like it's part of the browser window. Do note the real website address, as displayed by Opera - www.skycar.net.cn, in the blue bar. However, users who aren't too careful about entering their PayPal data on websites might well be fooled.

Interestingly, Firefox doesn't fall for this "trick" - it shows the fake "address bar" for a short time, then it hides it.

...cracked by Kaspersky Lab!

And we've contacted the hosting company - the virus file's been removed from the site.

We have been investigating the source of the recent outbreak of the cyber-blackmail virus GpCode, which is on the loose in the Russian Internet.

Our research shows that the virus was spread in the following manner:

1. As we had thought, the infection stems from a mass mailing. The first mailing was conducted on May 26, 2006, when several thousand Russian users received an email with this text:
   Hello <recipient name>!

   We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time.

   If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.

   Sincerely,
   Viktor Pavlov
   HR manager

   [the above is a translation from the Russian]

   The attached file is a MS word .doc file named anketa.doc [anketa is the Russian for application form - translator’s note]. Actually, this file contained Trojan-Dropper.MSWord.Tored.a.

2. Once the recipient opened the .doc file, a malicious macro installed another Trojan into the local system - Trojan-Downloader.Win32.Small.crb.

3. This is the Trojan that then loaded GpCode onto the local machine from a URL - [skip].msk.ru/services.txt.

The author of GpCode conducted similar mass mailings over several days. S\he also changed the variants of GpCode that were being downloaded from this URL.

Kaspersky Lab is currently working on closing this site down.

Yesterday evening we started receiving messages from users in Russia who'd been infected by the latest version of GpCode, a cyber blackmail virus.

In comparison to the previous variant, GpCode.ae, which we detected last week, this new variant uses a stronger encryption algorithm (RSA 330 bit); this makes it more difficult for our virus analysts to develop decryption. However, we've been successful, and we added detection and decryption for infected files to our antivirus databases.

Users who have been infected by GpCode.af should download the latest antivirus databases and fully scan their computers.

One point that we want to stress: at the moment, we're still not 100% sure how this virus penetrates victim computers. You should exert maximum caution: don't launch files that you receive via email, and ensure that your operating system and browser is fully patched.

Finally, back up your data on a regular basis. Then if the worst ever does happen - and we hope it won't - you'll still have a copy of whatever you were working on.

Police have been investigating a case of cyber blackmail here in the UK. It appears to be an isolated incident. Nevertheless, it highlights the growing trend we've been tracking during the last year.

Sadly, it looks as though Greater Manchester Police, the police force in question will not be pursuing the case further. Apparently, they consider this to be an Internet crime, so it doesn’t fall within their remit.

This raises the issue of who deals with cybercrime now that the National High Tech Crime Unit (NHCTU) no longer exists. The functions of the NHTCU, launched by the UK government in April 2001 to combat cybercrime, have been taken over by the newly created Serious Organized Crime Agency (SOCA).

It’s to be hoped that SOCA is pursuing this case. However, the message on the old NHTCU website, instructing people to report such crimes to their local police force, doesn’t exactly inspire confidence. Moreover, SOCA’s stated priorities, as listed on its website don't explicitly include cybercrime:

• Drugs trafficking, primarily Class A - 40%
  
• Organized immigration crime - 25%
  
• Individual and private sector fraud - 10%
  
• Other organized crime - 15%
  

It doesn’t seem like cybercrime will be a high priority for SOCA.

New crimeware, including ransomware, points to the fact that cybercrime is becoming increasingly organized. We really hope that the UK won't lose focus, and that SOCA will put significant resources into investigating cybercrime.

We have just received a new version of the StarOffice malware we wrote about last week. Like the previous versions, this one doesn't work either, suffering from the same severe programming errors.

Speaking of which, it's come to our attention that the previous blogpost maybe wasn't very clear regarding the intended nature of Stardust. We'd like to clarify that - Stardust is broken and can't replicate.

You can check our description for details, or simply put, the virus is way too buggy to work.

We're continuing to get requests from users with files which have been encrypted by GpCode.

The good news is that we've sorted the encryption algorithm, and added a decryption routine to the latest antivirus database updates.

If you have files which have been encrypted by GpCode, update your antivirus databases, and scan your machine.Your files will be automatically decrypted.

If you've updated your antivirus databases, and your files are still encrypted, please send them to newvirus@kaspersky.com

Two hours ago we started receiving multiple emails from users with encrypted documents.

Virus.Win32.GpCode.ae is responsible for this outbreak - this is a new variant of something we’ve reported on before. It’s currently affecting Russian Internet users and doesn’t seem to be spreading in the West.

This encryptor is detected with detection for the previous version of this program - Virus.Win32.GpCode.ad.

In comparison to the previous version, one of the main differences is that the encryption algorithm used is stronger - the previous version used RSA 67 bit, but this one uses RSA 260 bit. We're working on the decryption algorithm.

We’ll update you as we get more information.