English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Who creates malware and why?

Let us first answer the main question. Who benefits from it? Why have computers, networks, and mobile phones become carriers of not only useful information, but also a “habitat” for different malicious programs? It is not difficult to answer this question. All (or almost all) inventions, mass use technologies have, sooner or later, become a tool of hooligans, swindlers, blackmailers and other criminals. As soon as there is an opportunity to misuse something, somebody will definitely find new technologies and use them in a way that was not intended by the inventors, but in an altogether different way — for their own interests or to assert themselves to the detriment of others. Unfortunately, computers, mobile phones, computer and mobile networks have not escaped this fate. As soon as these technologies started being used by the masses, the bad guys stepped in. However, the criminalization of these innovations was a gradual process.

Computer vandalism

In the past the majority of viruses and Trojans were created by students who had just mastered a programming language and wanted to try it out, but failed to find a better platform for their skills. Up to present time writers such viruses were seeking only one thing - to raise self-esteem. Fortunately, a large part of such viruses have not been distributed (by their authors) and shortly viruses “died away” together with the storage disks or authors of viruses sent them only to anti-virus companies with a note that the virus would not be further transferred.

The second group viruses-writers also includes young people (often — students), who have not yet fully mastered the art of programming. Inferiority complex is the only reason prompting them to write viruses, which is compensated by computer hooliganism. Such “craftsmen” often produce primitive viruses with numerous mistakes (the so-called “student viruses”). Life of such virus-writers has become much simpler with the development of Internet and emergence of numerous websites training how to write a computer virus. Web-resources of this kind give detailed recommendations on how to intrude into the system, conceal from anti-virus programs and offer ways of further distribution of a virus. Often ready original texts are provided, which require only minimal “author” changes and compilation as recommended.

When older and more experienced, many virus-writers fall into the third and most dangerous group, creating professional viruses and lets them out to the world. These elaborate and smoothly running programs are created by professionals, not infrequently very talented programmers. These viruses often intrude into data system domains in very unusual ways, use mistakes of security systems of operating environments’, social engineering and other tricks.

The fourth group of malware writers is very special— “researchers”, rather shrewd programmers who invent new methods of infecting, concealing and resistance to anti-viruses etc. They also invent ways of intrusion into new operational systems. These programmers create viruses not for the sake of viruses themselves, but rather to research the potential of “computer fauna” — they produce the so-called “connectional viruses” (Proof of Concept — PoC). Often their authors do not spread these creations, but actively promote their ideas via numerous Internet resources, devoted to the creation of viruses. The danger of such “research viruses” is also very high — when falling among the third groups of “professionals”, new viruses where these ideas are revealed emerge in no time.

“Traditional” viruses created by people mentioned above are still emerging - hooligan teenagers who become adults are constantly replaced by the new generations (of teenagers). Interestingly enough, recently “hooligan viruses” have become less and less relevant — except when malicious programs evoke global network and e-mail epidemics. New viruses of “traditional“ type are considerably decreasing in number — 2005-2006 faced a dramatic decrease in their number as compared to mid and late 1990. There are several possible reasons why students are not as interested to creating viruses.

  1. It was a lot easier to create viruses for MS-DOS in the 1990-s than for the more complex Windows.
  2. Special computer-related articles were introduced to legislation of many countries and arrests of virus writers were widely covered by the press, which definitely cooled students’ interest to viruses.
  3. Moreover, they found a new way to show their worth — network games. Most probably, modern games shifted the interest and attracted computerized young people.

Thus, currently the share of “traditional” hooligan viruses and Trojans is no more than 5% of all programs registered in anti-virus databases. The remaining 95% are much more dangerous than simply viruses. They are created for the following purposes.

Petty theft

Following emergence and promotion of paid internet-services (mail, web, hosting) computer underground members start to take a interest to how to access to network at somebody else’s expense, i.e. by stealing somebody’s login and password (or several logins and passwords from different infected computers) by using specially developed Trojans.

1997 brought the emergence and spread of Trojans designed to steal AOL passwords. In 1998 with further spread of Internet services, Trojans of this kind start to affect other Internet-services as well. Such Trojans, as viruses themselves, are usually written by young people who cannot pay for Internet-services. (It is noteworthy), as the cost of Internet-services gets lower the proportion number of such Trojans decreases accordingly. However, Trojans stealing passwords to dial-up, AOL, ICQ and access codes to other services constitute a considerable part of everyday “inflows’ to labs of anti-virus companies all around the globe.

Petty thieves also create other types of Trojans which steal account information and key files of various program products and resources of infected computers for the benefit of their “master” e. t. c.

In recent years there has been a constant increase in the number of Trojans, stealing personal information from network games (gaming virtual property) for unauthorized use or resale. Such Trojans are especially widely spread in Asian countries, especially China, Korea and Japan.

Cybercrime

The most dangerous group of virus writers is hackers or groups of hackers who intentionally create malicious programs in their own interests. They create such virus and Trojan programs which steal access codes to bank accounts, obtrusively advertise products or services, illegally use resources of the infected computer (for the purpose of getting money again – to develop spam-business or arrange distributed network attacks further aiming at blackmailing). Activities of this kind (of individuals) are multifarious. Let us look at major types of criminal business in the network in more detail.

Support for spammers

Trojan proxy-servers and multipurpose Trojans functioning as proxy servers make up “zombie-networks” (proxy server — utility used for anonymous work in the network, usually installed on a dedicated computer) (designed) to mass-mail spam. Further Trojan proxy-servers get a spam sample and addresses to mail this spam from their “master”.

In sending spam from thousands (or tens of thousands) of infected computers spammers achieve several aims:

  • distribution is anonymous — message headings and other service information in the letter do not allow to discover the real address of the spammer;
  • spam-mailing is very fast, as it involves many “zombie-computers”;
  • “black list” technologies of tracing addresses of infected machines are ineffective in this case — it does not seem possible to trace all spam-mailing computers as there are too many of them.

Distributed network attacks

Also referred to as DDoS-attacks (Distributed Denial of Service). Network resources (eg. web-servers) are limited in the number of requests serviced simultaneously — it is limited in capacities of the server as well as width of the channel used to connect it to the Internet. If the number of requests exceeds allowable, either operation of the server will become considerable slower, or users’ requests will be ignored at all.

Taking advantage if this, computer hackers initiate “garbage” requests to the attacked resource, with the number of such requests manifold exceeding potential of the victim resource. A “zombie-network” a mass DDoS-attack starts attacking one or several internet-resources entailing failure of attacked network nodes.

As a result, the attacked resource becomes inaccessible for common users. Usually Internet-stores, Internet-casinos and other businesses which are highly dependent on efficiency of Internet-services are affected. Most often distributed attacks are arranged either to discredit competitor’s business or request money for stop the attack — an Internet-racket of a sort.

In 2002-2004 this kind of criminal activity was quite common. Later it recoiled, which seemed to be accounted for by successful police investigations (at least several tens of people all around the world have been arrested) and due to quite successful technical countermeasures (to such attacks).

Botnets

Special Trojans – ‘bots’ (from “robot”) are created for this kind of networks, centrally managed by the remote “master”. The Trojan intrudes into thousands, tens of thousands or even millions of computers. This enables the master of the “zombie network” (or “bot-network”) to access resources of all infected computers and use them to own benefits. Sometimes such networks of “zombie-machines” come into the black Internet-market where they are acquired by spammers or rented.

Calls to premium-pay numbers or sending paid SMS

Cybercriminals, or groups of cybercriminals, create and distribute a special program which illegally makes telephone calls or sends SMS messages from mobile phones, which is not authorized by the user. Before this or in parallel the same time the same people register the company on whose behalf a contract with the local mobile provider on paid service is made.

Naturally, the provider is not notified that these calls are not authorized by the user. Then a Trojan calls a paid telephone number, the mobile company выставляет accounts for the numbers which initiated the calls and pays the hacker the sum defined by the contract.

Stealing electronic currency

To be more precise, this includes creation, distribution and maintenance of Trojan spy programs aimed to steal funds from personal e-wallets (e.g. e-gold, WebMoney). Trojan programs of this kind collect information on access codes to accounts and send it to their “master”. Usually the information is collected by searching and decoding files which store personal data of the account’s owner.

Stealing banking information

This is currently one of the most common types of criminal activity on the Internet. In this case numbers of credit cards and access codes to Internet personal (sometimes even corporate) bank accounts ((“Internet-banking”) are at risk. In such attacks Trojan spies use a wide range of methods. For instance, they show a dialogue window or image which duplicates the web-page of the bank and request login and password from the user to access the account or a credit card number (similar methods are also typical of phishing — spam mailings with imitation text which reminds a message from the bank or other Internet-service).

In order to get the user to enter his/ her personal data, social engineering tricks are used. The user is informed about negative consequences if he does not enter the code (e.g. internet-bank will cease to serve the account) or that something very positive will not happen (“a lot of money will be deposited on your account — please, confirm your account details”).

Often a keylogger Trojan (“keyboard spies”) are waiting for the user to connect to his original banking web-page and capture symbols inserted from the keyboard (i.e. login and password). For this purpose they monitor launch and activity of applications and if user uses a browser, compare the name of the website with the list of banks registered in the Trojan’s code. If the web-site is found in the list, the keyboard spy is activated and the tapped information (the sequence of keys) sent to the hacker. Trojans of this type (unlike other bank Trojans) do not reveal themselves in the system.

Stealing other confidential information

Hackers may take an interest not only in financial, but any other valuable information — databases, technical documentation e.t.c. To access and steal this information specially developed Trojan spies intrude into victim computers.

Also legal network applications are known to be used for the attack. An FTP-server, for example, would secretly intrude into the system or file-exchange («Peer-to-Peer» — P2P) program software would also be secretly installed. As a result, computer’s files became accessible from the outside. Due to numerous incidents, connected with felonious use of P2P-networks, they were officially banned in France and Japan in 2006.

Cyber blackmail and cyber extortion

Cybercriminals create Trojans which can encrypt a user's personal files. The Trojan penetrates the system, searches for and encrypts the user data and then leaves a message that files are not subject to restoration and that the decryption program can be obtained by contacting the address given in the message.

Archiving user files encrypted with a long password is another notorious method of cyber blackmail. Once the original files have been archived, they are deleted followed by a request to transfer a certain amount of money in exchange for the password to the archive.

This type of cybercrime (data encryption) is critically dangerous from the technical perspective. In other cases it is possible to protect the computer from the Trojan, however in this case one has to deal with firm encoding algorithms. If such algorithms and keys (passwords) are long enough, it becomes technically impossible to restore files without getting the information from the hacker.

Evolving “delivery methods”

To commit the crimes described above, cybercriminals have created and distribute network worms which have caused numerous Internet epidemics. Their major aim is to install criminal Trojans on as many computers as possible in the global network. Mydoom and Bagle, notorious since 2004, and the Warezov mail worm, which emerged in 2006, are examples of such worms.

In some cases the aim is not that of “maximum coverage” — vice versa, the number of infected computers seems to be purposefully limited, not to attract too much attention of law enforcement agencies. In such cases victim computers are intruded not by the uncontrolled network worm, but, for instance, through infected web-page. Criminals can register the number of visitors to the page and the number of successful infecting — and develop the Trojan code when the required number of infected computer is reached.

Targeted attacks

Unlike mass attacks, aimed to infect as many computers as possible, targeted attacks have an altogether different purpose — to infect the network of a certain company or organization or implement a specially developed Trojan agent to the single node (server) of the network infrastructure. Companies in possession of valuable information, such as banks, billing companies (e.g. telephone companies) e. t. c. are at risk in this case.

The reason why bank servers or networks are attacked is obvious: criminals are trying to access bank information, illegally transfer funds (sometimes — in very considerable amounts) to the account(s) of the hacker. When billing companies are attacked, the aim is to access clients’ accounts. Targeted attacks are seeking any valuable information stored at the network servers, i.e. client databases, financial and technical documentation — everything that can be of interest for a potential hacker.

Usually large companies holding critical and valuable information are attacked. Their network infrastructure is quite well protected from external attacks and without any internal help it is not possible to intrude it. Therefore most frequently such attacks are arranged either by employees of attacked companies (insiders) or with their direct participation.

Other criminal activity

Other cybercrimes do exist, but are not yet widespread. These are the theft (collection) of e-mail addresses from infected computers and selling them to spammers, search of exposures in operating systems and applications and selling them to other computer criminals. These businesses also include development and selling of custom-made Trojans e. t. c. Most probably, as existing Internet-services develop and new ones emerge, new crimes in the cyber-space will also appear.

Grey market business

Beyond student virus-writers and purely criminal business in the Internet there are “grey” businesses - activities existing on the brink of law. Imposing electronic advertisement, utilities, offering user to visit this or that paid web-resource and other types of unwanted software — they all also require technical support of hacker programmer. It is requires to secretly intrude into the system, repetitive renewal of components and various masking (to protect from deletion from the system), resist anti-virus programs — these aims almost fully coincide with the functional of different Trojans.

Adware

Special advertising components penetrate the system, download advertising information from special servers and show it to the user. In most cases (but not always) the intrusion into the system happens unknown for the user and pop-ups appear only when the Internet-browser is operating (as advertising systems are masked as advertisement banners of web-sites).

After several USA states passed anti-advertisement regulations, Adware developers actually turned out to be beyond law (and practically all of them are American companies). Finally some of them legalized their developments to the maximum: Adware is currently supplied with an installator, there is an icon on the systems panel and a deinstallator. However, hardly any person of sound mind will be willing to install an advertising system on his computer, therefore legal Adware is ‘hard-sold’ together with some free software.

Adware is installed together with this software: most users click “OK”, ignoring texts (appearing) on the screen — and get advertising programs together with the ones being installed. As often a half of the desktop and system panel are filled with various icons, the icon of the advertisement program becomes lost among them. Thus Adware, legal de jure, is installed secretly from the user and is not seen in the system.

It should be noted that in some cases it is impossible to delete legal advertising systems without affection of operation of the main software. Thus producers of Adware protect it from deinstallation.

Pornography and premium-pay resources

To attract users to paid web-sites often different programs are used which de jure are not categorized as malicious as they do not conceal their presence, and the user appears on the paid resource having positively answered а corresponding question. However, installation of such is not authorized by the user, and for instance when the user visits dubious web-sites. Then they obtrusively offer (the user) to visit this or that paid resource.

Rogue antivirus and anti-spyware programs

This is a relatively new type of cybercrime. The user is fobbed off with a small program, which informs that spyware or virus has been detected on the computer. The message appears in any case regardless of the actual situation - even if no other programs except ОС Windows are installed on the computer. At the same time the user is offered to purchase a “treatment” for a small sum of money which in fact does not cure anything.