we protect your digital worlds

Global Threat Report 2007

Sales Hotline: (852) 2893 8860 www.eset.com www.eset.hk ESET Global Threat Report for 2007


As another year draws to a close, few can have failed to notice the plagues of malicious software, floods of fraudulent emails and the generally increased pestilence of our online world, marking out 2007 as one of the most remarkable in the history of . Since ESET was founded in 1992, all sorts of threats have appeared, evolved, and in some cases disappeared again. 2007 was no exception, and as a company we have had to grow and evolve to find innovative ways to meet those threats. To tie up what was an exciting year (perhaps too exciting in some ways) we have taken a look back to consider the trials and triumphs of the past months.

ESET has a unique store of data to mine, gathered through our ThreatSense.Net® technology, which automatically collects data about malware threats, and particularly about newly discovered, heuristically detected threats. Information is constantly fed back from our customers (with their explicit consent, of course) to our Threat Laboratory, enabling us to recognize new threats instantly and gather statistics on the effectiveness of our detection, and so to get a real-world view of the evolving threatscape. Not only does ThreatSense.Net allow us to constantly improve our products through analysis of the data, leading to enhanced detection, but it allows us to share our view of the year’s trends and developments with the wider world.

There is no prize for guessing that the year ahead of us will be another challenging one. One clear trend is that more and more people are realizing that proactive detection of malware, when dealing with the huge volumes and rapid spread that we see today, is an essential component of a defense strategy. At ESET we know that simply predicting and following trends is not enough to ensure the protection of our customers, and we will continue to pursue our core values, staying ahead of the curve by the consistency of our technological innovation. As successful pioneers of heuristic techniques, we will be looking to ensure that we can meet the challenge of the unpredictable.

As you read this report, bear in mind that the information is not limited to ESET’s own view: it also reflects what has happened globally over the past twelve months. As with stocks and shares, past threat trends are not a sure predictor of future developments; however, we can be certain of one thing. Although the threats may change and new ones will appear, there will continue to be malicious software threats as long as there are computers to attack and exploit, and computer users to fall victim. Furthermore, as more platforms become mainstream, they will inevitably be used as a medium for exploitation. It is worth remembering that many malware threats exploit the user rather than a particular platform; phishing, for instance, is not unique to a single operating system environment.

We hope that you find this report interesting reading and we would love to hear from you with feedback on it. Please write to [email protected]. We wish you a safe journey through 2008; rest assured, we will be doing all we can to protect your digital worlds.

The ESET Research Team


Table of Contents

Introduction and Overview
Top Ten Email-Borne Threats
  Figure 1: Relative Proportions of the Top Ten E-mail-Borne Threats
  Table 1: What the Names Mean
Proportion of Infected E-mails to Total Messages Monitored
Threat Descriptions
  • Win32/Stration
  • “Probably unknown NewHeur_PE virus”
  • Win32/Netsky.Q
  • Win32/Nuwar.gen
  • Win32/Fuclip
  • Win32/Nuwar
Figure 2: Top 10 Virus Radar Listings by Detection Type
2007 Threat Trend Summary
  • Malware Top 10 for January 2007
  • Other Events in January
  • Malware Top 10 for February 2007
  • Other Events in February
  • Malware Top 10 for March 2007
  • Other Events in March
  • Malware Top 10 for April 2007
  • Other Events in April
  • Malware Top 10 for May 2007
  • Other Events in May
  • Malware Top 10 for June 2007
  • Other Events in June
  • Malware Top 10 for July 2007
  • Other Events in July
  • Malware Top 10 for August 2007
  • Other Events in August
  • Malware Top 10 for September 2007
  • Other Events in September
  • Malware Top 10 for October 2007
  • Other Events in October
  • Malware Top 10 for November 2007
  • Other Events in November
  • Malware Top 10 for December 2007
  • Other Events in December
More Malware of Interest
Conclusion
Resources and Further Reading
Glossary
About ESET
About ESET Nod32 Antivirus and ESET Smart Security
About Threatsense®


Introduction & Overview

ESET’s product line has, traditionally, been focused on the detection and removal of viruses and other forms of malicious software, though you’ll notice as you read through this document that we do rather more than that, and that our product range is increasing in versatility. Still, the data resources that we’ve mined so as to bring you this summary are still focused on malware, so we won’t make more than a fleeting reference to other fascinating security-related phenomena and issues that have dominated this year, such as:

• The use of Acrobat PDF files and other graphics-friendly objects such as Excel spreadsheets in spam and scams, such as pump and dump fraud
• The rise of Microsoft’s Vista and some heated discussion about its security enhancements
• The increasing attention paid to Web 2.0 technologies (collaborative technologies and platforms, such as wikis, blogs, Moodle and so on), to virtual worlds like Second Life, and to social networks like Facebook, MySpace, Ning, and LinkedIn by security specialists and blackhats alike
• The ongoing diversification and increasing sophistication of technology and topology
• The continuing shift away from replicative malware (viruses and worms) to other forms of malware (backdoors, keyloggers, banking Trojans), and from hobbyist virus creation to professional crimeware development
• The recognition by anti-malware developers, researchers and testers that comparative testing and certification has to move away from testing with known malware to more demanding methodologies designed to test a product’s ability to make use of behavior analysis, heuristics and other forms of proactive and dynamic detection, rather than focusing entirely on malware-specific detection by signature.

To produce this summary, we’ve drawn on some of the data resources we use continuously to maintain and improve our product range. In particular, Virus Radar collects data on email-borne malware, while our ThreatSense.Net® technology automatically collects data on all sorts of incoming new and old threats trapped by our heuristics, and immediately forwards information to our Threat Laboratory. These data are primarily intended to give us an edge in the security market by allowing us to improve the detection capabilities of our products, so that we continue to detect not just known malware, but brand new threats, by continuing to improve our sophisticated proactive detection technologies. We hope that you’ll find this peek into the innards of our technology and what it’s picked up over the past 12 months interesting, informative and useful.


Top Ten Email-Borne Threats

“Virus Radar On-line” is a project initiated by ESET and partners for the monitoring and statistical analysis of malware spread via electronic mail. The top ten email-borne threats of 2007, as reported by Virus Radar, are as follows. The figures represent the number of instances recorded as of 10th December 2007, and an explanation of the names used is given below:

Rank  Name by which malware is detected by ESET       Number of detections
 1    “A variant of Win32/Stration.XW”                        11,608,228
 2    “Probably unknown NewHeur_PE virus”                      4,184,672
 3    Win32/Netsky.Q worm                                      3,355,513
 4    Win32/Nuwar.gen worm                                     2,965,119
 5    Win32/Fuclip.B trojan                                    1,740,631
 6    Win32/Stration.XW worm                                   1,300,049
 7    “A variant of Win32/Stration.WL worm”                      760,689
 8    “Probably a variant of Win32/Nuwar worm”                   745,021
 9    Win32/Stration.WC worm                                     668,624
10    “A variant of Win32/Stration.QQ worm”                      585,736
      Other malware instances recorded                         5,895,524

Figure 1: Relative Proportions of the Top Ten Email-Borne Threats

Note: At the time of data capture, 1,142 individual threats were identified by Virus Radar.

More up-to-date and detailed information is available at http://www.virusradar.com/stat_01_current/index_all_c12m_enu.html


Table 1: What the Names Mean

“A variant of Win32/Stration.XW worm” †: Malware closely resembling Win32/Stration.XW has been detected.
“Probably unknown NewHeur_PE virus”: Heuristic (see glossary) detection of unknown malware.
Win32/Netsky.Q ††: Threat-specific detection of a common internet worm.
Win32/Nuwar.gen worm †††: Generic detection of a Nuwar variant.
Win32/Fuclip.B trojan ††††: Threat-specific detection of the Fuclip.B Trojan.
Win32/Stration.XW worm †: Threat-specific detection of a particular Stration variant.
“A variant of Win32/Stration.WL worm” †: Malware has been identified generically as closely resembling a Stration variant.
“Probably a variant of Win32/Nuwar worm” †††: Malware has been identified as closely resembling a Nuwar variant.
Win32/Stration.WC worm †: Threat-specific detection of a particular Stration variant.
“A variant of Win32/Stration.QQ worm” †: Malware has been identified generically as closely resembling a Stration variant.

† See article below on Win32/Stration
†† See the full description at http://www.virus-radar.com/dynamic/dquery.php?mcx=vdesc&instance=top&vname=Win32/Netsky.Q%20worm&langname=enu
††† See article below on Nuwar
†††† See article below on Fuclip

Proportion of Infected E-mails to Total Messages Monitored

Our figures indicate that out of a sample of 4,251.9 million messages monitored over the period from January 1st 2007 to December 10th 2007, 33.8 million messages carried malicious content such as a malware attachment or a link to a web site containing malicious code. That is about 0.8% of the sample, or roughly one message in 125. Of course, we don’t monitor anywhere near all the e-mails sent all over the world, but that’s a large enough sample to give us some idea of what’s happening worldwide. Naturally, there are things we can’t measure: for instance, we don’t know how many infected messages were intercepted by other sensors before they reached the servers we monitor, but every vendor has that problem. Also, we can’t tell you what proportion of the uninfected messages are irritating but “harmless” spam that carries no overtly malicious content: that would require the deployment of quite a different set of tools, and even then, spamminess can’t be measured as precisely as malware content, because to some extent, spam is defined by the recipient, not by the security community. The statistics do, however, reassure us that our proactive detection of new threats, either by their resemblance to known threats using generic signatures, or by heuristic techniques that identify brand-new malware, remains as effective as our customers have come to expect.


Threat Descriptions Win32/Stration The Stration threat has been around since mid-2006. This mass mailing malware is used to send unsolicited e-mails (spam). It often arrives as an e-mail attachment and tries to disguise itself as a normal text file by modifying its own icon. We have seen variants of Stration that also used MSN Messenger or Skype to send out copies of themselves. Stration spams out a small executable file that, when executed, will download additional components from websites registered by its authors. Stration’s authors have registered dozens of websites so far, in order to help update their network of compromised hosts. The servers are also used to prime all nodes with spam content and targets before they start a spam run. Stration variants use various schemes to convince the user that his machine is not infected. For example, if he tries to open the executable file disguised as a text file, he will be presented with a dialog box displaying an “Unknown Error” message, in order to account for the fact that no text is displayed in Notepad. Other common names for this threat include Warezov and Strati.

“Probably unknown NewHeur_PE virus” This label indicates that the advanced heuristics (see glossary) mechanism implemented in NOD32 determined that the file was malicious. The label is not used to identify a particular family of malware. It indicates proactive detection of malware that has not been seen and classified previously. The huge volume of detections in this category is a good indicator of the outstanding effectiveness of our heuristic technology.

Win32/Netsky.Q This is a very common variant of an internet worm spreading via e-mail messages, P2P (peer-to-peer) networks or shared network drives. It usually propagates through email as a file attachment with a .PIF or .ZIP filename extension, and can exploit a vulnerability in unpatched copies of Internet Explorer 5.x which may allow the attachment to execute when the victim opens or previews the message, even if the attachment isn’t opened deliberately. This malware may be identified by other names, including Netsky.P, I-Worm.NetSky.q, W32.Netsky.P@mm, or WORM_NETSKY.GEN. When executed, it drops a UPX-packed .DLL file. The mail appears to come from a sender who may be known to the recipient, but the address is forged: the name of the apparent sender is harvested from various types of file on the hard disk of a previously infected computer. The subject and the text of the e-mail message are highly variable. The worm creates files on the infected system and manipulates the Windows registry by adding entries. It incorporates an SMTP engine that allows it to mail itself out to addresses harvested from the infected system each time it detects an active internet connection. It may also launch denial of service (DoS) attacks against selected web sites. The fact that a fairly elderly mass-mailer has continued to circulate so widely this year sends an uncomfortable message about the number of users and sites still not properly protected against malware, and the continuing need for signature detection to identify and remove known malware, despite the advances in heuristic detection and behavior analysis.
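The attachment tricks described for Stration (an executable dressed up as a text file) and Netsky.Q (.PIF and .ZIP attachments, and messages crafted so that an unpatched mail client runs the attachment on preview) can be caught at the mail gateway by comparing what the message claims about an attachment with what the bytes actually are. The Python script below is an added example written for this summary, not ESET’s code: it builds a constructed message with three attachments, parses it with the standard library, identifies PE images by the MZ header and the PE signature at e_lfanew, and flags a mismatched extension, a non-application Content-Type (an audio type on an executable is the old incorrect-MIME-header trick), and double extensions. The message, its addresses and the attachment names are all invented; the “PE” payload is a header-only stand-in, not a program.

```python
"""Mail-gateway attachment triage for mass-mailer worms (added example, not
ESET's code). Builds a constructed message, then checks whether each
attachment's bytes agree with what the message claims about it."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as directly executable (illustrative list).
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "dll"}


def is_pe(data: bytes) -> bool:
    """True if data is a Windows PE image: 'MZ' at offset 0 and the 'PE\\0\\0'
    signature at the offset stored in e_lfanew (DOS header field at 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_zip(data: bytes) -> bool:
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE file: a DOS header whose e_lfanew points
    at a PE signature. It is not a runnable program."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 64


def triage(raw: bytes) -> list:
    """Return [(filename, [reasons])] for every attachment worth blocking."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        reasons = []
        if is_pe(data):
            reasons.append("PE executable content")
            if ext not in EXECUTABLE_EXTENSIONS:
                # Stration style: an executable dressed up as a document
                reasons.append(f"executable hidden behind .{ext or '(none)'}")
            if not ctype.startswith("application/"):
                # Netsky style: executable declared as a media type so that an
                # unpatched mail client renders it instead of asking
                reasons.append(f"declared as {ctype}")
        elif ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{ext}")
        if is_zip(data):
            reasons.append("archive: inspect contents before delivery")
        if name.count(".") >= 2:
            reasons.append("double extension")
        if reasons:
            findings.append((name, reasons))
    return findings


def sample_message() -> bytes:
    """Constructed mail with three attachments: two hostile, one harmless."""
    msg = EmailMessage()
    msg["From"] = "Mail Delivery System <postmaster@example.invalid>"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail server report."
    msg.set_content("Our firewall determined that e-mails containing worm "
                    "copies are being sent from your computer. See attached.")
    msg.add_attachment(build_fake_pe(), maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    msg.add_attachment(build_fake_pe(), maintype="audio",
                       subtype="x-wav", filename="document.txt.pif")
    msg.add_attachment("Nothing to see here.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(sample_message()):
        print(f"{name}: {'; '.join(reasons)}")
```

Running the script reports readme.txt and document.txt.pif and stays silent on notes.txt. The PE check deliberately ignores the filename and the declared MIME type: both are under the sender’s control, while the MZ/PE layout is not something a mass-mailer can hide without also stopping the file from running.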

Win32/Nuwar.gen The websites used to distribute Nuwar variants(see notes on Win32/Nuwar) release a new version of the malicious program every thirty minutes. To guarantee the detection of every variant of this threat, a generic signature is used, rather than a separate signature for each variant. The Nuwar.gen label identifies samples that have been detected using the generic signature for the Storm Worm family, rather than a specific variant or sub-variant.


Win32/Fuclip The name Fuclip is a contraction of “Full Clip”. This malware was part of the first wave of Nuwar infection. ESET’s Nod32 detects system driver files dropped by Nuwar in an attempt to hide its presence through rootkit techniques and components such as Fuclip. The Fuclip.B variant has been spammed out with a number of message variants, with subjects such as:

• 230 dead as storm batters Europe
• British Muslims Genocide
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• Hugo Chavez dead
• Radical Muslim drinking enemies’ blood
• Sadam Hussein safe and sound!
• Sadam Hussein alive!
• Fidel Castro dead.

Fuclip may download and execute a file from the Internet. It can be used to control an infected PC remotely and might attempt to hide its presence in the system, using common rootkit techniques.

Win32/Nuwar Nuwar (see also the notes on Win32/Nuwar.gen and Win32/Fuclip), also commonly known as Storm Worm – though it’s actually a Trojan rather than a worm – arrives on a PC either as an e-mail attachment, or when a user visits a malicious website. Nuwar’s authors have used dozens of different social engineering strategies in order to trick users into clicking on malicious links inside e-mails, or opening attachments. The main purpose of this malware seems to be to build a powerful network of compromised, zombified PCs (a botnet). It has been used to send information relating to “pump and dump” stock fraud, and has also been used to install additional malware for the purpose of trying to steal bank information from compromised hosts. Nuwar is unique in that its programmers, and the botmasters they work with, are paying a great deal of attention to maintaining their botnet, releasing frequent updates in order to evade detection by anti-malware and intrusion detection systems. Other common names for this threat are Peacomm, Zhelatin and Tibs, and it’s listed by the Common Malware Enumeration web site (http://cme.mitre.org) as CME-711. More information on Nuwar can be found in the January threat summary section of this document.


Figure 2: Top 10 Virus Radar Listings by Detection Type

Detection type                   Detections
Malware-specific detection        7,064,817
Detection by generic signature   16,664,793
Heuristic detection               4,184,672
Total (top ten)                  27,914,282

“Malware-specific detection” denotes that a malicious program already known to us has been identified. “Detection by generic signature” denotes that a malicious program that closely resembles a known malware variant or malware family has been identified. “Heuristic detection” denotes that a malicious program has been identified that doesn’t closely resemble existing malware. The Virus Radar figures demonstrate that detection of new threats, and of new variants of old threats, using generic signatures and heuristics, is at least as important in today’s security software as traditional malware-specific signature detection. We think our heuristics are the best in the industry, and when you look at trends in threat and anti-threat technology over the year, you may notice that quite a few experts in the industry agree with us.
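The three tiers in Figure 2 can be made concrete with a toy engine. The Python below is an added example, not ESET’s engine or signatures: it defines a constructed loader stub as the “known” sample, a rebuilt variant that differs only in the bytes a recompilation changes (the sort of thirty-minute rebuild described for Nuwar), and a brand-new sample that shares no code, then shows how an exact-hash signature, a wildcard byte pattern and a feature-based heuristic score classify each one. The family name, the pattern, the suspicious strings and the scoring threshold are invented for illustration.

```python
"""Three detection tiers side by side (added example, not ESET's engine):
malware-specific (exact hash), generic signature (byte pattern with
wildcards) and heuristic (content features). Samples, signatures and the
scoring rule are constructed for illustration."""
import hashlib
import math
import re


def make_sample(frame: int, push_addr: int, host: bytes) -> bytes:
    """Constructed PE-like blob: an MZ header, a short loader stub whose
    frame size, pushed address and call target are the bytes a rebuild
    changes, and the strings the loader uses."""
    stub = (b"\x55\x8b\xec\x83\xec" + bytes([frame])       # push ebp; mov ebp,esp; sub esp,N
            + b"\x68" + push_addr.to_bytes(4, "little")   # push <address>
            + b"\xe8" + (0x1234).to_bytes(4, "little")    # call <rel32>
            + b"\x85\xc0")                                 # test eax,eax
    return b"MZ" + b"\0" * 62 + stub + b"URLDownloadToFile\0http://" + host + b"/\0"


# The sample the lab analysed and signed: tier 1 keys on its exact hash.
ORIGINAL = make_sample(0x10, 0x00402000, b"update.example.invalid")
KNOWN_HASHES = {hashlib.sha256(ORIGINAL).hexdigest(): "Win32/Example.A"}

# Tier 2: '.' wildcards absorb the frame size, the low address bytes and the
# call displacement; the opcode skeleton around them must match exactly.
GENERIC_SIGNATURES = {
    "Win32/Example": re.compile(
        rb"\x55\x8b\xec\x83\xec.\x68..\x40\x00\xe8....\x85\xc0", re.DOTALL),
}

# Tier 3: features that together suggest a downloader or injector, with no
# knowledge of any particular family.
SUSPICIOUS_STRINGS = (b"URLDownloadToFile", b"CreateRemoteThread",
                      b"WriteProcessMemory", b"http://")
HEURISTIC_THRESHOLD = 3


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8 means packed or encrypted."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data: bytes) -> int:
    score = 1 if data[:2] == b"MZ" else 0
    score += sum(1 for s in SUSPICIOUS_STRINGS if s in data)
    if entropy(data) > 7.0:
        score += 2
    return score


def classify(data: bytes) -> str:
    """Apply the tiers in order and return a label in the report's style."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_HASHES:
        return KNOWN_HASHES[digest]                 # malware-specific detection
    for family, pattern in GENERIC_SIGNATURES.items():
        if pattern.search(data):
            return f"a variant of {family}"         # detection by generic signature
    if heuristic_score(data) >= HEURISTIC_THRESHOLD:
        return "probably unknown NewHeur_PE virus"  # heuristic detection
    return "clean"


# A rebuild half an hour later: same code, different frame, address and host.
VARIANT = make_sample(0x20, 0x00402040, b"update2.example.invalid")
# Something never seen: no shared code, but downloader/injector features and
# a high-entropy stand-in for a packed section.
NEW = (b"MZ" + b"\0" * 62 + b"\x55\x8b\xec\x6a\x00"
       + b"CreateRemoteThread\0WriteProcessMemory\0http://c2.example.invalid/\0"
       + bytes(range(256)) * 4)
# A harmless program for contrast.
BENIGN = b"MZ" + b"\0" * 62 + b"Hello, world\0"

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("variant", VARIANT),
                        ("new", NEW), ("benign", BENIGN)]:
        print(f"{label:8} -> {classify(blob)}  (heuristic score {heuristic_score(blob)})")
```

The exact hash catches only the sample the lab saw; the wildcard pattern still matches the rebuilt variant because the opcode skeleton is unchanged; only the feature score says anything about the sample that shares no code. The order of the tiers also matters for the label: the original would score 3 on the heuristic as well, but it is reported under its specific name because that tier runs first.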


2007 Trend Summary

This section shows trends month by month from January to December 2007. Most of the data presented here are extracted from ThreatSense.Net®, interspersed with some material of more general interest. Whereas Virus Radar monitors e-mail, ThreatSense.Net® data are based on samples forwarded automatically by participating customers to our Threat Laboratory, and are therefore not confined to email-borne threats.


January

Figure 3: Malware Top Ten for January 2007

Win32/Adware.Boran Adware.Boran is not a virus: it falls into the category usually described by antimalware vendors as Potentially Unwanted Programs (PUPs) or Applications (PUAs). After it installs itself, it displays pop-up advertisements and may redirect some web queries to third-party sites. Adware.Boran is sometimes referred to as Adware.Win32.Agent, and tries to contact a number of sites for update information. It also changes the registry so that it is launched after every reboot.

Win32/RJump.A RJump is an internet worm with Trojan characteristics, opening a backdoor on an infected system and sending information back about the compromised computer. It can propagate by copying itself to external devices such as external hard drives, digital cameras, cellphones, and USB flash drives. Other names sometimes used for it include Backdoor.Rajump, W32/Jisx.A.worm, W32/RJump.A!worm and WORM_SIWEOL.B.

Win32/Brontok This is malware with back door capabilities which spreads across email and shared network resources. It uses its own SMTP engine to send email messages, with attachments that use the following extensions: .ASP; .CFM; .CSV; .DOC; .EML; .HTM and .HTML; .PHP; .TXT; and .WAB. It also creates system files and modifies some registry keys.


Nuwar (Storm Worm) This malicious program has attracted enormous media attention since January, when it was spammed out disguised as a news item about the Kyrill wind storm. There are several reasons for this. First of all, this was one of the first widely reported threats to use a peer-to-peer (P2P) network as a Command and Control (C&C) communication mechanism, though bots making use of P2P have been around since 2003 or thereabouts. Because Nuwar communicates over a decentralized network, the number of infected hosts is very difficult to estimate: some researchers have claimed that there are more than one million infected hosts, while researchers at Microsoft have suggested that only a couple of hundred thousand systems have been compromised. The primary purpose of this threat seems to be to build a strong and reliable botnet (a network of compromised host PCs). The botnet has been used to send “pump and dump” e-mails, common spam and self-propagation e-mails, and even to deliver banking Trojans designed to steal banking information. The authors of the Storm Worm have used a variety of social engineering tactics to entice users into visiting malicious websites, so that their systems will be compromised. Table 2 lists the social engineering topics that have been used for this purpose. How long each ploy stayed in use shows that the authors closely monitor the effectiveness of each one in aiding propagation and infection, and tune their strategies in response, so as to increase the performance and effectiveness of their botnet.

Table 2: Storm Worm Social Engineering Ploys

Type                                                Period
Scary / current news                                December 2006 to May 2007
Electronic greeting cards                           June to August 2007
Electronic postcards                                August 2007
Technical support (sending patch or VPN connector)  August 2007 (one day only)
Beta test program                                   August 2007 (one day only)
Video                                               August to September 2007
Labor Day                                           September 2007 (one day only)
Privacy (Tor)                                       September 2007 (one day only)
NFL season                                          September 2007
Arcade games download                               September to October 2007

In addition to changing social engineering strategies, Nuwar’s authors release software updates very frequently. The websites they use to distribute the malware serve a different file every 30 minutes. The difference between files is often minor, but it is enough to evade the signature patterns relied on by many antivirus products. The Command and Control framework used by Nuwar is completely decentralized, and relies on the Overnet protocol to find resources needed by infected PCs. For example, an infected host will search the peer-to-peer network for update sites where it can download new versions of the malware. The P2P network is also used to receive information and instructions relating to spam that is to be disseminated, and specifying targets for distributed denial of service (DDoS) attacks. The information communicated over the network is always obfuscated and encrypted, using the RSA algorithm. Nuwar is a good example of a modern threat that uses advanced technology to infect PCs and maintain its foothold on compromised systems by any means available. It is a sign of its sophisticated and diversified structure and self-updating mechanism that different components may be detected by several different names, even by a single product.


Win32/PSW.QQRob This is a keylogger capable of stealing information about the user and the infected computer, including passwords, user names and any confidential information entered on any website or document through the keyboard.

Other Events in January Also in January, the Global Islamic Media Front announced “the first Islamic computer program for secure exchange on the Internet”. “LMH” and Kevin Finisterre detailed their “Month of Apple Bugs” (http://projects.info-pull.com/moab/), while the Defense Security Service retracted its claim that defense contractors traveling through Canada had been “bugged” with coins containing tiny radio transmitters. People started talking about a Connecticut school teacher called Julie Amero, who was on trial for failing to prevent pupils from being exposed to porn pop-ups in the classroom. Microsoft released something called Vista, whereupon the Electronic Frontier Foundation pointed out some worrying restrictions in the Vista End User License Agreement (EULA): http://www.eff.org/deeplinks/2007/01/microsofts-vista-read-fine-print. Randy Abrams, ESET’s Director of Technical Education, took part in a panel discussing zero-day attack coordination at Gadi Evron’s Operations and Intelligence II workshop, where security vendors and other organizations, CERTs, US defense and Homeland Security and security-oriented providers got together to talk about “fixing” internet security. NOD32 was rated the overall best antivirus product of 2006 by AV-Comparatives.org.


February

Figure 4: Malware Top Ten for February 2007

Win32/Adware.Yisou This is adware, apparently of Asian origin, which displays pop-ups and Chinese characters. The Win32/Adware.Toolbar.SearchColours application, which pops up (pun intended) in the March summary, is somewhat similar.

Win32/Genetik The label Win32/Genetik is used to indicate files that have been detected as being malicious by a new technique implemented in NOD32. This detection technique uses advanced heuristics to take advantage of the knowledge accumulated over years in our database of generic signatures.

Other Events in February Also in February, a Dutch court sentenced two unnamed defendants to (rather short) jail sentences for offences relating to the use of botnets for various criminal purposes, while a Dutch spammer was fined $97,000 for sending out more than 90 billion spam messages. In Los Angeles, Samy Kamkar was sentenced to three years’ probation and 90 days’ community service for his MySpace “Superworm”. Several news articles speculated about the widespread nature of Chinese hacking attacks. Meanwhile, controversy raged as to whether Julie Amero was a corrupter of youth, a dolt who couldn’t find the power switch on a PC or monitor, or the victim of a school board covering its own incompetence and a prosecution case based on flawed forensics. Nod32 gained its 42nd VB100 award in a Virus Bulletin comparative review of scanners running on Vista, and reviewer John Hawes also commented on its “ever-impressive speed.” In the same month, ICSAlabs certified the product under their Windows Vista Anti-Virus Certification Program.


March

Figure 5: Malware Top Ten for March 2007

Win32/Perlovga Perlovga is a very simple program that copies itself into the %windir% folder as %windir%\xcopy.exe, a name that collides with a legitimate Windows utility. It also tries to copy %windir%\autorun.inf to C:\autorun.inf (see INF/Autorun in the June summary for how that file is used), and is sometimes called Trojan.CopySelf. It may be reported as one component of a larger attack.

Win32/TrojanDownloader.Agent.AWF This Trojan tries to connect to a Russian web site. It copies itself into the %windir% folder of the system, manipulates the registry by adding several keys and tries to modify the Hosts file to redirect network traffic. Other names that are sometimes used for it include Agent.NJB, Trojan.Proxy.Mitglieder.B, and Trojan:Win32/Kukum.A.

Other Events in March The Daily Mail exposed potential weaknesses in the UK’s new biometric passports, while the Home Office denied that it would be possible to forge a new passport by any such means. The Washington Post reported that 2,500 local government PCs had to be shut down in Anne Arundel County due to a widespread Rinbot infestation; Al-Qaeda were reported to be plotting to bring the UK’s internet access crashing down by bombing a Telehouse site in London; and a Microsoft Security Advisory described a vulnerability in Windows Animated Cursor Handling. At ESET, founder Miroslav Trnka was named Slovakia Entrepreneur of the Year for 2006 by Ernst and Young, and we made available a white paper on Heuristic Analysis written by Chief Research Officer Andrew Lee with consultant and author David Harley.


April

Figure 6: Malware Top Ten for April 2007

Win32/TrojanDownloader.Ani.Gen Files detected as TrojanDownloader.Ani.Gen by NOD32 are malicious animated cursor (.ANI) files that try to exploit a security flaw in Windows’s animated cursor handling (MS07-017: see http://www.microsoft.com/technet/security/Bulletin/MS07-017.mspx and http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0038). These files can be loaded by a web page in a browser, for example with JavaScript, so simply visiting a page can trigger the exploit. This security flaw has been widely used to download additional malware onto a victim’s PC. Microsoft’s security update for April 2007 fixed it. Other names for this threat include Exploit.Win32.IMG-ANI and Trojan.Anicmoo.
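An .ANI file is a RIFF container whose anih chunk holds a fixed 36-byte header (nine DWORDs, the first of which is the structure’s own size). The files exploiting MS07-017 carried an anih chunk that declared a larger length than the structure it was copied into. The Python checker below is an added example, not ESET’s detection logic: it walks the RIFF/LIST chunk tree and reports any anih chunk whose declared length is not 36 bytes, or that runs past the end of the file. Both sample files are constructed in the script; the “malformed” one only reproduces the chunk shape and carries no payload.

```python
"""Structural check for animated cursor (.ANI) files (added example, not
ESET's detection logic). Walks the RIFF chunk tree and reports anih chunks
whose declared length is not the 36-byte ANIHEADER, or that run past the
end of the file. Both sample files are constructed here."""
import struct

ANIH_SIZE = 36   # sizeof(ANIHEADER): 9 DWORDs, the first being this size


def iter_chunks(data: bytes, offset: int, end: int):
    """Yield (fourcc, payload_offset, declared_size) for chunks in [offset, end).
    RIFF chunks are word aligned, so an odd size carries one pad byte."""
    while offset + 8 <= end:
        fourcc, size = struct.unpack_from("<4sI", data, offset)
        payload = offset + 8
        yield fourcc, payload, size
        offset = payload + size + (size & 1)


def check_ani(data: bytes) -> list:
    """Return a list of findings; an empty list means the layout is sane."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return ["not a RIFF/ACON animated cursor"]

    def walk(offset: int, end: int) -> None:
        for fourcc, payload, size in iter_chunks(data, offset, end):
            name = fourcc.decode("latin-1")
            if payload + size > len(data):
                findings.append(f"{name} chunk at {payload - 8} runs past end of file")
                return
            if fourcc == b"anih":
                if size != ANIH_SIZE:
                    # The MS07-017 trigger: a length the loader trusted when
                    # copying into a fixed 36-byte structure.
                    findings.append(f"anih chunk at {payload - 8} declares "
                                    f"{size} bytes (expected {ANIH_SIZE})")
                else:
                    cb = struct.unpack_from("<I", data, payload)[0]
                    if cb != ANIH_SIZE:
                        findings.append(f"anih cbSizeOf field is {cb}, not {ANIH_SIZE}")
            elif fourcc == b"LIST":
                walk(payload + 4, payload + size)   # skip the list type fourcc

    walk(12, len(data))
    return findings


# --- constructed samples ---------------------------------------------------

def chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\0" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def anih_header(frames: int = 1, steps: int = 1) -> bytes:
    # cbSizeOf, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, flags
    return struct.pack("<9I", ANIH_SIZE, frames, steps, 32, 32, 32, 1, 10, 1)


def build_ani(chunks: list) -> bytes:
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# A well-formed header followed by an (empty) frame list.
BENIGN_ANI = build_ani([chunk(b"anih", anih_header()),
                        chunk(b"LIST", b"fram")])
# The same, plus a second anih chunk 64 bytes longer than the structure: the
# shape of the MS07-017 files, without any payload.
MALFORMED_ANI = build_ani([chunk(b"anih", anih_header()),
                           chunk(b"LIST", b"fram"),
                           chunk(b"anih", anih_header() + b"A" * 64)])

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN_ANI), ("malformed", MALFORMED_ANI),
                        ("truncated", BENIGN_ANI[:30])]:
        print(label, check_ani(blob) or "ok")
```

The check is purely structural, which is what makes it cheap enough for a mail or web gateway: no rendering, no image library, just chunk lengths against the fixed size of the structure they will be copied into. Note that the first anih chunk in the malformed sample is perfectly valid; a checker that stops after the first header would pass the file.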

Win32/Pacex.Gen The Pacex.gen label designates generically malicious files that use a specific obfuscation layer. This obfuscation layer has mostly been seen in use by password stealing trojans.

Win32/Adware.Virtumonde This commonly reported program falls in the “Potentially Unwanted” category. It is used to deliver advertisements to a user’s PC and may also be reported under the name Vundo.

Win32/Spy.VBStat.J Spy.VBStat is an information stealing trojan distributed as a DLL and may be installed by other malware. It may also be reported as InfoStealer.


Other Events in April CNET’s April 1st edition announced that President Bush had signed a measure decreeing that Vista is so complex that it poses a national security threat, that Moore’s Law had been overturned by the Supreme Court, and that the Department of Homeland Security planned to monitor Americans with video cameras built into their computers, as an anti-terrorist measure. Back in the real world, hacker-turned-journalist Kevin Poulsen noted in Wired that Vista doesn’t include a version of telnet, a primitive, somewhat insecure network tool that has been around for some 35 years. Traditionally, telnet has been supported in web browsers by passing requests for a telnet connection to the local telnet client, but the default telnet handler isn’t there in Internet Explorer 7. (It can be re-enabled if you really want to. Of course, it’s still there in many non-Windows systems.) There were reports of messages and links to “hot” pictures of Britney Spears that turned out to exploit the animated cursor vulnerability referred to above. A proof-of-concept virus turned up that targeted iPods running Linux. Alex Ionescu released a PoC program that disabled the protection of “protected processes” in Vista, heralded as a way of exploiting Vista Digital Rights Management (DRM) to hide malware. Joanna Rutkowska announced that she was going to demonstrate rootkit techniques and BitLocker avoidance in Vista at Black Hat in July/August. April was also a good month for hoaxes such as the Olympic Torch virus, and the death-by-cellphone virus hoax that circulated in Pakistan. ESET announced the beta program for ESET Smart Security, a product that integrates an exceptional anti-malware engine with spam control and a personal firewall.


May

Figure 7: Malware Top Ten for May 2007

Other Events in May Spanish industrial security specialists Neutralbit reported problems in the OLE for Process Control protocol (OPC) that could indicate remotely exploitable vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems used by facilities such as power stations, refineries, and so on. Two men were sentenced to community service for planting battery-powered devices in Boston and Cambridge which turned out to be a promotion for Cartoon Network, but were at first mistaken for bombs when discovered on bridges and at subway stations, leading to significant transport disruption. There was continuing speculation that “cyberwar” attacks on Estonia were originating in Russia, with whom Estonia has been in dispute. Verizon bought Cybertrust, thus incidentally acquiring ICSAlabs, who specialize in the certification of security products and also manage the WildList Organization International (http://www.wildlist.org). The organization is a major force in tracking replicative malware and its WildCore sample collection is an essential component of most antivirus product testing. Coincidentally, an International Antivirus Testing Workshop took place in Reykjavik, Iceland, which brought together antivirus vendors and organizations involved with comparative testing and certification: ESET’s Andrew Lee made a well-received presentation there on Time to Update (TtU) testing. ESET announced its free on-line scanning service.


June

Figure 8: Malware Top Ten for June 2007

INF/Autorun This label is used to describe a variety of malicious programs that make use of the file autorun.inf to install themselves or to drop other files onto a system. The file autorun.inf tells Windows which program to run, and which icon and context-menu actions to show, when media such as CDs or USB flash drives are inserted or opened. Malware that installs or modifies autorun.inf files is detected as INF/Autorun by NOD32. This is currently a very widely reported threat vector, and the autorun.inf file is usually the first artifact to look for on a suspect drive: the malicious copy is normally hidden, and its open= or shell\open\command= entries point at the executable the malware wants run.

Win32/BHO.G BHO (sometimes referred to as Metajuan) is an information-stealing Trojan. Its name comes from Browser Helper Objects (BHOs), the add-in mechanism Internet Explorer uses to load third-party code into the browser process. The Trojan installs itself as a helper object in order to harvest information entered into form fields when IE is used to complete a form, and to gather the addresses of websites visited. There is believed to be a direct link between Adware.BHO.G, Adware.Virtumonde and the BHO.G Trojan. Because a BHO runs inside the browser and sees page content before it is encrypted and after it is decrypted, neither HTTPS nor a personal firewall protects against this kind of theft; the BHOs installed on a machine can be reviewed under the “Browser Helper Objects” key in the registry and in IE’s Manage Add-ons dialog.

Other Events in June A new trial was granted for Connecticut ex-teacher Julie Amero. It still hasn’t happened, though, and there is speculation that it never will: the affair will, some believe, simply be allowed to die away inconspicuously. A tsunami hoax in Indonesia drove thousands of people away from their homes on the coast; there was speculation that the hoax may have been started by looters. (There is some evidence that this also happened after the Boxing Day tsunami of 2004, which itself generated many hoaxes, semi-hoaxes and scams.) The Department of Justice and the FBI stated that they’d identified more than one million victims of botnet-related crime as part of an initiative to disrupt botnets known as Operation Bot Roast. Some of us particularly enjoyed a report that said that the initiative was intended to “disrupt and dismantle botherders.” (“Botherder” is a term commonly applied to people who administer malicious botnets: while there might be arguments for hanging, drawing and quartering them, it’s unlikely that even the fiercest US court will go that far.)


Joanna Rutkowska was challenged by Thomas Ptacek, Nate Lawson and Peter Ferrie to prove her contention that her “Blue Pill” technology can create a 100% undetectable rootkit, in a “face-off” at Black Hat. She accepted the challenge on a number of conditions: the challengers were willing to accept four of these, but baulked at paying her $384,000 to turn the Blue Pill prototype into a commercial-grade rootkit, so it didn’t happen. (You can read the full story at http://blogs.zdnet.com/security/?p=334.) ESET’s NOD32 received a five-star rating in SC Magazine’s review of anti-malware management tools.


July

Figure 9: Malware Top Ten for July 2007

Win32/Adware.Ezula This “possibly unwanted” software comes with the icon of a normal installer but, when a user double-clicks on the icon, no dialog is displayed. Installation is completely surreptitious and offers the user no information about what is being installed. Once installed, it downloads and executes additional components from a website currently located in the Philippines. Ezula tracks search keywords that the user sends to a predefined list of websites and also intermittently displays ads while the user is browsing the Internet. Aliases include AdClicker-FK, Generic5.CF, TR/Agent.aoy.1 and Trj/Downloader.OZB.

Other Events in July Richard Ford, Research Professor at the Florida Institute of Technology’s Center for Information Assurance and a former editor of Virus Bulletin, reviewed “25 Years of Viruses” (http://www.npr.org/templates/story/story.php?storyId=11954260), taking the Apple II virus “Elk Cloner” as his starting point. Nuwar (Storm Worm) was responsible for a mailstorm of fake greetings cards, inspiring Randy Abrams to explain in detail why eCards and eVites can be such a bad thing in an inappropriate context (http://www.eset.com/threat-center/blog/?p=76; http://www.eset.com/threat-center/blog/?p=77). ESET made available a comprehensive white paper on phishing and related threats at http://www.eset.com/download/whitepapers.php, and announced the beta versions of its server product lines for Linux and FreeBSD.


August

Figure 10: Malware Top Ten for August 2007

Win32/Obfuscated The label “Obfuscated” is used as a generic identifier for malicious software that uses code obfuscation to hide its functionality. The name is applied to a variety of Windows malware hiding through software obfuscation techniques such as packing, polymorphism and junk code injection.

Win32/HackAV.G The family of programs labeled HackAV represents cracks and other hacks used to facilitate software piracy.

Other Events in August At least once a year, someone comes up with a comparative test of anti-malware products that jangles the nerves of anti-malware researchers everywhere. This year, it was the turn of Untangle, who supply a primarily open source gateway solution. There isn’t necessarily anything wrong in that, but they conducted a test at LinuxWorld that made nearly every methodological error in the book, such as a tiny test set, unvalidated samples, inappropriate use of non-viral test files, and apples and oranges testing. Randy Abrams commented at http://www.eset.com/threat-center/blog/?p=78 that “You have to try hard to be less competent”, and Andrew Lee and David Harley proceeded to write a paper and presentation for the AVAR conference (see the November summary below) that used both the Untangle test and last year’s Consumer Reports test as examples of how not to conduct a comparative test. Lee, who is Chief Research Officer at ESET, was also a major contributor to Harley’s “AVIEN Malware Defense Guide for the Enterprise” (Syngress) which was published in the USA this month. (You may not be surprised to know that Lee and Harley contributed a joint chapter on anti-malware evaluation and testing.) Meanwhile, ESET’s online scanner became available to the public.


September

Figure 11: Malware Top Ten for September 2007

Win32/PSW.Agent.NDP This is an online game password stealer. When executed, it copies itself to the user’s temporary folder and creates a DLL in the same location. The created files may have various names, including “rundl132.dll” and “iexpl0rer.exe”, chosen to pass for the legitimate rundll32 and iexplore at a casual glance (the digit 1 standing in for the letter l, and 0 for o). A registry key is created to run the program every time the system is rebooted. The stolen password information is sent to a remote web server over HTTP. The games targeted by this threat seem to vary from variant to variant. Other names used include InfoStealer.Gamepass and PWStealer.

IRC/SdBot The label SdBot is given to one of the largest families of malware. SdBot variants are used to build networks of infected hosts (“botnets”). The Command and Control (C&C) mechanism used by most variants of SdBot is the Internet Relay Chat protocol (IRC): each bot joins a channel on a server chosen by the botmaster and waits there for commands. Since the source code of this threat is available for anyone to download from the Internet, many malware authors have copied the code to make their own variants. Most SdBot variants spread through network shares and by exploiting a variety of known software vulnerabilities. Bots like SdBot are a major threat to the security of the online community. Because of the range and highly variable nature of the threat, they tend not to make the very top of threat lists like ThreatSense.Net®, which are based on prevalence: however, if you look at current monthly WildLists (http://www.wildlist.org/WildList/), which are not based on prevalence, you will see that variants of Agobot, SdBot, IRCbot and their siblings are well up there with the older (but still prevalent) mass mailers. They also feature very prominently in the ThreatSense.Net® lists, but rarely in the top ten. For network defenders, the dependence on IRC is also a detection opportunity: outbound IRC-style traffic (NICK, JOIN, PRIVMSG) from workstations that have no business running an IRC client, especially on non-standard ports, deserves an alert.

Win32/Agent ESET NOD32 uses this label generically to apply to a range of malicious programs intended to steal information. This family of malware usually copies itself into temporary locations and adds keys to the registry to ensure that the program is run every time the system starts up.
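The persistence habit shared by Win32/PSW.Agent.NDP and Win32/Agent (copy to a temporary folder, often under a name that resembles a system file, then add a registry Run entry) is also what gives them away. The script below is an added example written for this report, not ESET or NOD32 code: it triages a constructed dump of Run-key entries for three things a responder would check by hand, namely programs started from temporary folders, file names that imitate system binaries by letter/digit substitution or a single-character edit, and genuine system names loaded from the wrong directory. The list of imitated names, the directory and temp-folder markers and the substitution table are assumptions to be tuned to your own baseline.

```python
import os
import re
from dataclasses import dataclass

# Stems (name without extension) of Windows binaries that malware most often
# imitates. Assumption for this example; extend from your own baseline.
SYSTEM_STEMS = {"rundll32", "iexplore", "explorer", "svchost", "lsass", "services",
                "winlogon", "csrss", "smss", "spoolsv", "taskmgr", "ctfmon"}
# Directories where the genuine copies live (compared against the file's own directory).
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\", "\\winnt\\system32\\",
               "\\program files\\internet explorer\\")
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "%temp%", "%tmp%")
# Digit/symbol-for-letter swaps behind names like rundl132 and iexpl0rer.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
EXTENSIONS = (".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")


@dataclass
class Finding:
    value_name: str   # Run-key value name
    path: str         # file the finding is about
    reason: str


def _edit_distance(a, b):
    """Levenshtein distance; the names are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _paths_in(command):
    """Every file-like token in a Run command: the program itself and anything
    it loads, e.g. the DLL in 'rundll32.exe C:\\...\\x.dll,Entry'."""
    tokens = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', command):
        tokens.extend((quoted or bare).split(","))
    return [t for t in tokens if t.lower().endswith(EXTENSIONS)]


def lookalike_of(filename):
    """System binary that `filename` imitates, or None. A genuine name returns
    None here; whether it sits in the right directory is checked separately."""
    stem = filename.rsplit(".", 1)[0].lower()
    if stem in SYSTEM_STEMS:
        return None
    folded = stem.translate(HOMOGLYPHS)
    best = None
    for known in sorted(SYSTEM_STEMS):
        dist = min(_edit_distance(stem, known), _edit_distance(folded, known))
        if dist <= 1:
            # Prefer the candidate sharing the longest prefix (iexpl0rer -> iexplore, not explorer).
            cand = (dist, -len(os.path.commonprefix([folded, known])), known)
            if best is None or cand < best:
                best = cand
    return best[2] if best else None


def triage_run_entries(entries):
    """entries: iterable of (value name, command) pairs read from a
    ...\\CurrentVersion\\Run key. Returns the findings worth a closer look."""
    findings = []
    for name, command in entries:
        for path in _paths_in(command):
            low = path.lower().replace("/", "\\")
            directory, _, fname = low.rpartition("\\")
            if any(m in low for m in TEMP_MARKERS):
                findings.append(Finding(name, path, "runs from a temporary folder"))
            imitated = lookalike_of(fname)
            if imitated:
                findings.append(Finding(name, path, f"name imitates {imitated}"))
            elif directory and fname.rsplit(".", 1)[0] in SYSTEM_STEMS \
                    and not (directory + "\\").endswith(SYSTEM_DIRS):
                findings.append(Finding(name, path, "system binary name outside a system directory"))
    return findings


# Constructed Run-key dump (not from a real machine): two legitimate entries
# and three modelled on the PSW.Agent / Agent behaviour described above.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("Vendor Updater", r'"C:\Program Files\Vendor Tools\updater.exe" /background'),
    ("Windows Update", r"C:\DOCUME~1\User\LOCALS~1\Temp\iexpl0rer.exe"),
    ("rundl132", r"rundll32.exe C:\DOCUME~1\User\LOCALS~1\Temp\rundl132.dll,Start"),
    ("Explorer", r"C:\WINDOWS\Temp\explorer.exe"),
]

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[{f.value_name}] {f.path}: {f.reason}")
```

The rundll32 entry shows why the whole command line has to be tokenized rather than just its first word: the loader is the genuine system binary, and the only suspicious part is the DLL it is told to load.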


Other Events in September For the anti-malware research community, the big event of September was the Virus Bulletin conference, when some of the best minds in malware research met in Vienna to exchange views and information (http://www.virusbtn.com/conference/vb2007/VB2007report.pdf). ESET was well represented this year: Andrew Lee presented a paper with David Harley on “Phish Phodder: is User Education Helping or Hindering?”, and Randy Abrams and Pierre-Marc Bureau delivered a presentation demonstrating that antivirus is far from dead. There were, as always, many other excellent presentations and papers, such as Alex Shipp’s “The Strange Case of Julie Amero” and Dmitry Alperovitch’s presentation on stock spam. The week before, though, the ESET stand at the InfoSecurity Exhibition in New York hosted a significant book signing event, when the “AVIEN Malware Defense Guide”, to which Chief Research Officer Andrew Lee was a major contributor, was launched, and a panel consisting of Andrew and fellow authors David Harley, Ken Bechtel and Robert Vibert answered questions from the audience. The book included contributions from many other highly respected members of AVIEN (http://www.avien.org) and AVIEWS (http://www.aviews.net).


October

Figure 12: Malware Top Ten for October 2007

Mac Malware In the fall of 2007, we observed one of the first attacks (apart from some macro viruses) targeting both PCs running Microsoft’s Windows and Apple Macintosh computers running OS X. The infection vector for this attack was a fake codec that was only effective when the user was tricked into downloading and executing it. For more details on fake codecs and social engineering techniques, see the following analysis of this common approach to tricking computer users into running malware. The malware attack targeting OS X resembled W32/Zlob, but was rudimentary compared to cutting-edge Windows malware. It consisted of a .dmg disk image carrying an installer package that only worked if double-clicked and installed by the user. The malware used the installation script to change critical configuration on the victim system. The payload of this malware was to change the Domain Name System (DNS) resolver configuration and redirect all DNS queries to a server hosted on the . Once in control of the DNS information, the attacker could redirect queries for banking and online trading websites in order to steal the victim’s account information. David Harley pointed out in his Securiteam blog at http://blogs.securiteam.com/index.php/archives/1029 that informal research by Roger Grimes suggests that malware which works by “social engineering” (tricking the victim into running malicious software, in this case) is more “successful” than malware that relies on exploiting software vulnerabilities. There are still those who claim that Mac users are smarter than Windows users and won’t be fooled by social engineering (curiously, the same people often seem to believe that Windows malware is all about exploits, not social engineering). At the moment, though, Mac users with no particular security knowledge may be particularly vulnerable if they believe that their systems are so intrinsically secure out of the box that they don’t need to know or do anything about security.
He also commented that “Whatever happens next, and whether or not this is the tipping point where Mac users start to suffer like Windows users, I’m convinced that this is not the time for partisan bickering from either side of the Mac/Windows divide. This is a time to watch and learn, and seek out fact rather than prejudice.”


Other Events in October In the ESET blog at http://www.eset.com/threat-center/blog/ this month, Pierre-Marc Bureau noted some interesting current behavior on the part of W32/Nuwar, also known as the Storm Worm. He pointed out that the first twenty minutes after infection are used to establish communication with other compromised systems and join the decentralized network. (Nuwar uses the eDonkey peer-to-peer network protocol, rather than the more common IRC or HTTP: this quirk seems to be intended to add resilience to the botnet, since there is no central point to shut down and therefore no single point of failure.) When a compromised machine connects to the botnet, high volumes of traffic result, and it then performs hourly network maintenance. The significance of the resulting spikes in traffic is that they give vigilant network administrators a way of monitoring the local impact of Nuwar and similar malware. As he says, “The authors of this malware seem to have chosen reliability over network stealth. The security industry needs to pay attention to the operational compromises attackers are making. These tradeoffs can point to design weaknesses which help us secure our infrastructure.” Pierre-Marc also drew our attention on October 31st to the fact that the Storm Worm was joining in with the seasonal fun and games by masquerading as a Halloween-flavoured dancing skeleton application. What better time to increase the zombie population?

As we note above, a new Trojan threat hit the Mac radar. This one was more interesting than most: it was related to a significant family of malicious programs targeting Windows users, using a fake codec as an infection vector and, once installed, using DNS redirection to lure victims to fake banking and online trading web sites with the intention of stealing their account information. Convincing computer users that they need to download a special video codec in order to view a video has been a popular infection vector in 2007.
A codec is a software component that compresses and decompresses audio or video, so as to save disk space and bandwidth. Users have frequently been directed to websites claiming to contain videos, where they were told that they needed to download and install a codec in order to play the video on their PC. The “codec” is an ordinary executable, and nothing about the site vouches for it: a genuinely missing codec should come from the media player’s vendor, not from the page hosting the video. Most of the fake codec attacks we have seen so far have been used to infect PCs with variants of the Zlob family of malware. The family downloads additional components after installation, and gives the attacker complete access to the victim PC. Fake codec scams have also been used (on both Windows and OS X) to deliver programs that change the DNS configuration of a host so as to redirect legitimate web queries to a malicious website, in order to steal sensitive data or gather web browsing statistics. Meanwhile, ESET launched the production versions of ESET Smart Security and NOD32 version 3.0.
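The traffic pattern Pierre-Marc describes above (a burst of peer contacts in the minutes after infection, then hourly maintenance traffic) is exactly the kind of thing a network administrator can watch for in flow records. The script below is an added example written for this report, not ESET code or anything taken from the Nuwar analysis: it runs two checks over a constructed flow log in which one host behaves like a freshly infected Nuwar node and another only browses the web. The first check counts distinct peers contacted per ten-minute window, the second looks for volume spikes that recur at roughly hourly intervals. The addresses, byte counts, window sizes and thresholds are all assumptions to be tuned to real traffic.

```python
from collections import defaultdict
import statistics

# Flow record: (epoch seconds, src ip, dst ip, dst port, proto, bytes).


def peer_fanout(flows, window=600, min_peers=100):
    """Hosts that contact many distinct peers inside one window, the way a
    freshly infected Nuwar node does while joining the P2P network.
    Returns {src: [(window_start, distinct_peers), ...]}."""
    peers = defaultdict(set)
    for ts, src, dst, *_ in flows:
        peers[(src, ts - ts % window)].add(dst)
    hits = defaultdict(list)
    for (src, start), seen in sorted(peers.items()):
        if len(seen) >= min_peers:
            hits[src].append((start, len(seen)))
    return dict(hits)


def periodic_spikes(flows, bucket=60, period=3600, tolerance=120, factor=4, min_repeats=3):
    """Hosts whose outbound volume spikes recur about every `period` seconds,
    the hourly maintenance traffic. A spike is a bucket carrying more than
    `factor` times the host's median per-bucket volume; at least
    `min_repeats` spike-to-spike gaps must fall within `tolerance` of `period`."""
    volume = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _port, _proto, nbytes in flows:
        volume[src][ts - ts % bucket] += nbytes
    flagged = {}
    for src, buckets in volume.items():
        baseline = statistics.median(buckets.values())
        spikes = sorted(t for t, v in buckets.items() if v > factor * baseline)
        gaps = [b - a for a, b in zip(spikes, spikes[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if periodic >= min_repeats:
            flagged[src] = {"baseline": baseline, "spike_times": spikes, "periodic_gaps": periodic}
    return flagged


def constructed_flows():
    """Synthetic five-hour flow log, built for this example rather than captured:
    10.0.0.5 behaves like a Nuwar node (500-peer join burst, then 40 peers at
    the top of every hour); 10.0.0.7 only browses. Sizes and addresses are
    arbitrary; 198.18/15 is the benchmarking range, 198.51.100/24 documentation."""
    t0 = 1_193_875_200  # 2007-11-01 00:00:00 UTC
    flows = []
    for m in range(300):
        t = t0 + 60 * m
        flows.append((t, "10.0.0.5", "198.51.100.10", 80, "tcp", 2000))
        if m % 2 == 0:
            flows.append((t, "10.0.0.7", "198.51.100.10", 80, "tcp", 2000))
    for i in range(500):  # join burst spread over the first ten minutes
        flows.append((t0 + i * 600 // 500, "10.0.0.5", f"198.18.{i // 250}.{i % 250 + 1}", 10000 + i, "udp", 300))
    for h in range(1, 5):  # hourly maintenance: the same 40 peers re-contacted
        for i in range(40):
            flows.append((t0 + 3600 * h, "10.0.0.5", f"198.18.0.{i + 1}", 10000 + i, "udp", 300))
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for src, windows in peer_fanout(flows).items():
        for start, n in windows:
            print(f"{src}: {n} distinct peers in the 10 minutes from t={start}")
    for src, info in periodic_spikes(flows).items():
        print(f"{src}: {info['periodic_gaps']} hourly spikes above {4 * info['baseline']} bytes/min")
```

The median rather than the mean is used as the baseline so that the spikes being hunted do not raise the threshold that hides them; on a busy server the bucket size and `factor` will need adjusting, and a host that legitimately runs a P2P client will trip the fan-out check, which is a reason to treat it as a lead rather than a verdict.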


November

Figure 13: Malware Top Ten for November 2007

Nothing really novel found its way into the Top Ten this month!

Other Events in November The UK’s HM Revenue and Customs (HMRC) admitted to losing two CDs containing 25 million child benefit records, potentially exposing millions of families to fraud. The data were sent to the National Audit Office via an insecure channel, do not seem to have been encrypted, and the records contained more sensitive data than the NAO actually required because it was cheaper not to remove the unwanted information: each of these points suggests a breach of one or more of the Data Protection Principles established by UK and other European legislation. Subsequently, it was admitted that the organization had suffered seven other breaches since 2005. There are three yearly security conferences at which anti-malware researchers are particularly prone to congregate. Sadly, the 2007 EICAR conference in the spring was cancelled, and we’ve already referred to the 2007 Virus Bulletin conference in September. At the end of November, the other big anti-malware event was the AVAR (Association of anti-Virus Asia Researchers) conference in Seoul. This one was particularly interesting to anyone watching this year’s developments in anti-malware testing and certification, as there were no fewer than three papers presented relating to the topic, including one by our own Andrew Lee with David Harley. (These two are rapidly becoming the Abbott and Costello of the anti-malware conference circuit, or should we say Morecambe and Wise, as they’re English?) Also, on November 22nd, Andrew and Pierre-Marc Bureau presented a paper on the evolution of malware called “Du Défi au Profit” (“Bravado to Business: from hobbyist to malware for profit”) at Infosec Paris. ESET released the business editions of ESET Smart Security and NOD32 version 3.0, as well as the release versions of its Linux/FreeBSD protection for enterprise and SMB network environments.


December

Figure 14: Malware Top Ten for December 2007

W32/Virut Virut is a polymorphic virus that modifies executable files under Windows. Since it can infect executables, it will propagate through network shares and removable storage. This malware has also been distributed through malicious websites. Virut’s payload is to install a backdoor that connects to an IRC server. While Virut didn’t feature in the top ten this month, we include a note on it here, since it was prevalent enough to be included in the Virus Bulletin test referenced below and caused significant detection difficulties for many scanners (not NOD32!)

Other Events in December Elsewhere in the world, there were reports of a Russian chatbot that tricks male victims into divulging sensitive information by flirting with them. It remains to be seen whether “Cyberlover” will go international, but computer science geeks immediately started to wax nostalgic about the Turing Test, about the “Imitation Game” described by Alan Turing in his 1950 paper “Computing Machinery and Intelligence” (http://loebner.net/Prizef/TuringArticle.html), and about ELIZA, a program that once managed to keep its (her?) end up in a conversation about God that lasted 1½ hours. This bot, however, seems to have mastered the art of speed dating, establishing up to ten relationships in an hour and compiling data such as contact information and photographs. Perhaps it’s not entirely surprising that Gartner reported this month that the number of people falling victim to phishing attacks rose by 40% in 2007. The Internet Storm Center (http://isc.sans.org) highlighted the ongoing problem of “malvertising” (malicious advertising), where victims are tricked into downloading unwanted or malicious applications via advertising and social networks. The most prevalent vector seems to be Adobe Flash SWF files carrying malicious ActionScript: Adobe responded with a major patch that fixed a number of Flash vulnerabilities of varying degrees of criticality. Business Intelligence Lowdown published a list of the “Top 10 Hilarious Viruses, Trojans and Worms.” Since items on their list were described as corrupting “image and music files on user systems”, rendering Nokia smartphones “almost useless”, randomly deleting files, and posting “confidential and personal” infected Word documents to Usenet newsgroups, the choice of the adjective “hilarious” seems bizarre.

Once again, the creators of Storm Worm took advantage of the holiday season by sending fake Xmas and New Year “greetings cards.” We saw many thousands of distinct variants over Christmas and the New Year, with major modifications and updates on a daily basis. It was reported by Forbes magazine (http://www.forbes.com/technology/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221army.html) that the US Army was buying increasing numbers of Apple Xserve systems for its data centers. The Register predicted a deafening clatter of Apple keyboards as Chinese military cyber forces et al. start digging for vulnerabilities (http://www.theregister.co.uk/2007/12/31/us_army_mac_attack/), and Microsoft’s new Security Vulnerability Research and Defense blog offered better information about their security updates and the vulnerabilities they addressed. Data recovery specialists Ontrack reported that their top 10 data disaster stories included no viruses, but lots of physically abused PCs, USB devices and hard disks, including a PC soaked in insect repellent, a laptop that had to be fished out of a lake, a USB stick that found its way into a washing machine, and a “squeaky” hard disk “repaired” by its owner, who drilled a hole in it and soaked it in oil (http://www.ontrackdatarecovery.co.uk/data-disaster-2007/). ESET gained its 47th VB100 award in a Virus Bulletin comparative review that looked at anti-virus products on Windows 2000. This kept us comfortably top-of-the-pile in a test that saw several vendors fail either on the false positive test set or by missing samples of the polymorphic file infector W32/Virut. VB commented about NOD32’s test performance that “as usual testing sped through in remarkable time, with the usual excellent results.”


More Malware of Interest

The malware mentioned above is only a tiny fraction of what we saw reported in 2007 by ThreatSense.Net® and from other sources and resources. Here are a few more examples that have been persistently reported in significant quantities. Please bear in mind, though, that universally accurate statistics about malware prevalence are impossible to obtain. There is no metering facility that keeps track of all malicious traffic, unfortunately, so all statistics represent a partial snapshot through a small window, not the whole picture.

VBS/Butsur.A trojan VBS/Butsur.A is a Visual Basic Script worm that copies itself to %windir% as Bha.dll.vbs: it also modifies the Registry and copies itself to removable media and shared drives, using the autorun.inf file to load on other systems.

Win32/Saburex.A virus This is a file infector that spreads by email, P2P and other infection vectors. It drops .DLL files into the %windir% folder and looks for .EXE files to infect.

Win32/Sohanad.NAF worm Sohanad is a worm that spreads through instant messaging: its variants may use Yahoo! Messenger, AOL Instant Messenger, Windows Live Messenger and so on, with a wide variety of “hook” messages to persuade the recipient to open it.

Win32/Qhost trojan This Trojan is hosted on web pages whose URLs are spammed out to potential victims. If executed, it changes the victim’s DNS settings so that name lookups go to a DNS server of the attacker’s choosing. It’s often referred to as the Qhosts Trojan.
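The DNS-changer behaviour shared by Win32/Qhost, the Zlob fake codecs and the October OS X Trojan described earlier has a straightforward host-side check: compare the resolvers the system is actually using with the ones it should have been given, and look at the hosts file, which a hijacker can use for the same end without touching the resolver settings at all. The script below is an added example written for this report, not ESET code: it extracts resolver addresses from constructed samples of /etc/resolv.conf, OS X `scutil --dns` and Windows `ipconfig /all` output, flags anything outside the expected set, and lists hosts-file entries that pin names to addresses. The addresses are from documentation ranges, and the expected-resolver set is an assumption standing in for what DHCP on your LAN hands out.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Address space a LAN resolver handed out by DHCP normally lives in.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def resolvers_from(text):
    """Nameserver addresses from /etc/resolv.conf, OS X `scutil --dns` or
    Windows `ipconfig /all` output, in listed order. ipconfig prints extra
    servers on continuation lines holding only an address, so those are read
    until the next 'Key . . . : value' row. IPv4 only."""
    found = []
    in_list = False
    for line in text.splitlines():
        low = line.lower()
        if "nameserver" in low or "dns servers" in low:
            found.extend(IPV4.findall(line))
            in_list = "dns servers" in low
        elif in_list and ":" not in line:
            found.extend(IPV4.findall(line))
        else:
            in_list = False
    return list(dict.fromkeys(found))


def check_resolvers(resolvers, expected, trusted_public=()):
    """Resolvers that are not in `expected` (the DHCP/corporate set), with the
    reason. An unknown public address is the classic DNS-changer symptom."""
    findings = []
    for r in resolvers:
        if r in expected:
            continue
        addr = ipaddress.ip_address(r)
        if any(addr in net for net in LAN_NETS):
            findings.append((r, "unexpected local resolver"))
        elif r in trusted_public:
            findings.append((r, "known public resolver not in the expected set"))
        else:
            findings.append((r, "unknown public resolver: DNS hijack indicator"))
    return findings


def suspicious_hosts_entries(hosts_text, allowed_names=("localhost", "broadcasthost")):
    """hosts-file lines that pin a name other than the loopback names to an
    address. A remote address redirects the name (the trojans' trick); a
    loopback address silences it, which blocklists do, but so does malware
    that wants to stop security updates."""
    findings = []
    for raw in hosts_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:      # e.g. fe80::1%lo0, which carries a scope id
            continue
        for name in parts[1:]:
            if name.lower() in allowed_names:
                continue
            why = "pinned to loopback (name silenced)" if ip.is_loopback else "pinned to a remote address (redirection)"
            findings.append((name, parts[0], why))
    return findings


# Constructed outputs (documentation-range addresses, not a real incident):
# the same pair of rogue resolvers as an OS X host and a Windows host would show them.
SCUTIL_OUTPUT = """DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.45
  nameserver[2] : 203.0.113.46
"""
IPCONFIG_OUTPUT = """   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       203.0.113.46
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
HOSTS_FILE = """127.0.0.1 localhost
::1 localhost
203.0.113.45 www.online-bank.example
127.0.0.1 update.av-vendor.example
"""
EXPECTED_RESOLVERS = {"192.168.1.1"}  # what DHCP on this LAN hands out (assumption)

if __name__ == "__main__":
    for label, text in (("OS X", SCUTIL_OUTPUT), ("Windows", IPCONFIG_OUTPUT)):
        for addr, why in check_resolvers(resolvers_from(text), EXPECTED_RESOLVERS):
            print(f"{label}: resolver {addr}: {why}")
    for name, addr, why in suspicious_hosts_entries(HOSTS_FILE):
        print(f"hosts: {name} -> {addr}: {why}")
```

The LAN ranges are listed explicitly rather than taken from the library’s own notion of “private” because the documentation ranges used here are treated as non-global by the ipaddress module, and in practice you will want the same control over which ranges count as local on your network.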

Win32/AHKHeap.A worm This is a worm that uses AutoHotKey scripts to spread via removable media such as USB flash drives, using an Autorun.inf file with the System and Hidden attributes set. Malware that makes use of the autorun facility to infect from flash drives, CDs and so on has become very prevalent in 2007. Here are a couple of blogs that are well worth reading on the subject: http://blogs.technet.com/steriley/archive/2007/09/22/autorun-good-for-you.aspx; http://www.eset.com/threat-center/blog/?p=94
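Both INF/Autorun (the June top ten) and Win32/AHKHeap.A above rely on the same small text file, so an autorun.inf is worth reading properly rather than eyeballing it. The script below is an added example written for this report, not ESET or NOD32 code: it parses the [autorun] section the way Windows does (case-insensitive keys, first duplicate wins, junk lines ignored) and scores the indicators that distinguish a worm’s file from a CD installer’s, namely the shell\<verb>\command keys that hijack Explorer’s Open and Explore actions, executables kept in directories Explorer hides, a borrowed folder icon, replaced AutoPlay wording, and Hidden/System attributes on the files involved. Both samples are constructed, and the severity weights and thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Extensions Windows runs directly when named in an autorun launch key.
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe", ".js", ".wsf", ".lnk")
# Directories legitimate installers never use, but Autorun malware likes
# because Explorer hides them by default.
SUSPICIOUS_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
# Keys that make Windows start a program: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command")


@dataclass
class Finding:
    severity: int
    reason: str


def _norm(path):
    """Lower-case, backslash-separated, no leading .\\ so paths compare equal."""
    return path.strip().strip('"').lower().replace("/", "\\").lstrip(".\\")


def parse_autorun(text):
    """The [autorun] section as {lowercase key: value}, read the way Windows
    does: keys are case-insensitive, the first of duplicate keys wins, ';'
    starts a comment, and lines that are not key=value are ignored (malware
    pads files with such junk to trip up naive scanners)."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def _program(value):
    """Program path from a launch value, minus its arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def triage_autorun(text, hidden_files=()):
    """Score an autorun.inf and say why. hidden_files: names or relative paths
    on the same medium that carry the Hidden or System attribute, taken from
    a directory listing, since the INF text alone cannot show attributes."""
    hidden = {_norm(h) for h in hidden_files}
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if not LAUNCH_KEY.fullmatch(key):
            continue
        program = _program(value)
        target = _norm(program)
        if key.startswith("shell\\"):
            findings.append(Finding(3, f"{key} rebinds an Explorer context-menu verb to {program}"))
        elif key == "shellexecute":
            findings.append(Finding(2, f"shellexecute starts {program} through the shell"))
        elif target.endswith(EXEC_EXTENSIONS):
            findings.append(Finding(1, f"open starts executable {program}"))
        if any(d in target for d in SUSPICIOUS_DIRS):
            findings.append(Finding(3, f"{program} is stored in a directory Explorer hides by default"))
        if target in hidden:
            findings.append(Finding(2, f"{program} carries the Hidden/System attribute"))
    if (entries.get("shell") or "open").lower() != "open":
        findings.append(Finding(2, f"shell={entries['shell']} changes the default double-click verb"))
    if "action" in entries:
        findings.append(Finding(1, f"action text '{entries['action']}' replaces AutoPlay's own wording"))
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append(Finding(1, "icon borrowed from shell32.dll so the drive looks like a plain folder"))
    if "autorun.inf" in hidden:
        findings.append(Finding(1, "autorun.inf itself is Hidden/System"))
    score = sum(f.severity for f in findings)
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed samples (not taken from real media): a CD installer's file and
# one modelled on the INF/Autorun and AHKHeap behaviour described above.
BENIGN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

WORM_INF = """[AutoRun]
;padding line that a key=value-only parser must skip
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
open=RECYCLER\\update.exe
shell\\open\\Command="RECYCLER\\update.exe"
shell\\explore\\Command=RECYCLER\\update.exe
"""
WORM_HIDDEN = ("autorun.inf", "RECYCLER\\update.exe")  # from the drive's attribute listing

if __name__ == "__main__":
    for label, inf, hidden in (("benign", BENIGN_INF, ()), ("worm", WORM_INF, WORM_HIDDEN)):
        result = triage_autorun(inf, hidden)
        print(f"{label}: {result['verdict']} (score {result['score']})")
        for f in result["findings"]:
            print(f"  [{f.severity}] {f.reason}")
```

An open= line alone is what every installer CD carries, which is why it scores low on its own; the combination with a hidden executable in RECYCLER and rebound shell verbs is what marks the second file out, and it is the shell\…\command keys that make the worm run even when AutoPlay itself is turned off and the user merely chooses Open or Explore from the drive’s context menu.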

Win32/TrojanDownloader.Swizzor trojan This is a downloader program that installs a Browser Helper Object for Internet Explorer that is used for adware purposes, and was frequently reported to us in the first half of 2007. It is covertly installed from certain malicious web sites, and may also be delivered through spammed email. It is created using an auto-generation routine, meaning that every time it is downloaded it is likely to look, to an antivirus scanner, like a different program. ESET responded early on to this threat by using a generic signature, which is less likely to be confused by minor variations.

TrojanClicker.Small.KJ: Win32/TrojanClicker.Small.KJ is a member of a widely seen family of Trojans which tries to download and execute other executable files from the Internet, allowing a remote attacker to gain unauthorized access to infected systems.


Conclusion So what have we learned from our rollercoaster ride through 2007? That the online world is not short of malicious software and out-and-out security silliness, certainly. Of course, most of us are probably aware that there’s much more to the threat landscape than viruses and worms: spyware, Trojans, phishing, and various other forms of spam and scam are all threats that a sophisticated, up-to-date anti-malware product has to deal with. You might have been surprised to realize that older types of malware, for example mass mailers, are still circulating in huge quantities. Don’t be misled by the fact that the top ten tends to account for only somewhere between 15% and 25% of total detections: there are many other threats out there “in the wild”, though there is no single, authoritative way of counting them (just think “lots”). Bear in mind, also, that because our top ten detections usually include generic signatures and heuristic detections of completely new malware, they would actually break down into hundreds or thousands of variants and sub-variants, if anyone had the time to do that sort of analysis. If you’re already an ESET customer, though, you probably won’t be surprised that our products detect so much malware generically and proactively, rather than with signatures for specific variants and subvariants. Indeed, many of the detections reported by ThreatSense.Net® give you very little idea of exactly what sort of malware has actually been detected. That’s because we figure that the first priority is to detect malicious software before it has a chance to get a foothold on your system, rather than after it’s been analyzed and categorized.
Of course, the detection of known threats is still vitally important, especially if something nasty has managed to take hold, because it can be very difficult to remove an infection when you don’t know exactly what the infection is, and that’s why it’s so important that ThreatSense.net® feeds information on new malware back to our Threat Laboratories. We hear a great deal nowadays about the “death of anti-virus” and the shortcomings of signature-based detection. Here at ESET, of course, we agree that signature detection is nowhere near enough, and that more proactive techniques are critically important. That’s why so much of our research and development resourcing goes into enhancing our heuristics, behavior analysis and so on. Nevertheless, there are occasions when only exact or near-exact identification of known malware is good enough to disinfect a system properly.

And now, here are some predictions for 2008.

• There will be more poorly designed comparative tests of anti-malware products, and hundreds of security amateurs will proclaim that they prove that the antivirus industry is at best incompetent and probably criminal.
• Someone else will proclaim that antivirus is dead and buried because it “only detects known viruses” and because it’s been replaced by the panacea du jour (probably whitelisting).
• Security and defense services all over the world will continue to lose laptops containing confidential information.
• Botnets will continue to thrive and diversify.
• There will be even more spam than there was in 2007.
• Web 2.0 collaborative technologies, virtual worlds like Second Life, and social networking sites and resources like Facebook will all attract increasing attention from the bad guys, and therefore from security researchers needing to monitor up-and-coming threats.
• ESET will continue to provide cutting-edge, proactive protection to its customers!


Resources and Further Reading

• Anti-Phishing Working Group (APWG): http://www.antiphishing.org
• AntiSpyware Coalition (ASC): http://www.antispywarecoalition.org
• AVAR (The Association of anti-Virus Asia Researchers): http://www.aavar.org
• AVIEN (Anti-Virus Information Exchange Network): http://www.avien.org
• AVIEWS (Anti-Virus Information & Early Warning System): http://www.aviews.net
• Botnets: the Killer Web App: Craig Schiller, Jim Binkley et al., Syngress, 2007
• Definitions of Malware: http://www.eset.com/threat-center/threats.php
• EICAR, The European Institute for Computer Anti-Virus Research: http://www.eicar.org
• ESET free Online Scanner: http://www.eset.com/onlinescan/index.php
• ESET Threat Center blog: http://www.eset.com/threat-center/blog/index.php
• ESET Threat Encyclopedia: http://www.eset.com/threat-center/encyclopedia.php
• More about ESET Smart Security: http://www.eset.com/download/whitepapers/ESSwhitePaper20071214.pdf; http://www.eset.com/smartsecurity/index.php
• More about heuristic analysis: http://www.eset.com/download/whitepapers/HeurAnalysis(Mar2007)Online.pdf
• More about rootkits: http://www.eset.com/download/whitepapers/Whitepaper-Rootkit_Root_Of_All_Evil.pdf
• Other white papers: http://www.eset.com/download/whitepapers.php
• SANS Internet Storm Center: http://isc.sans.org
• The Art of Computer Virus Research and Defense: Peter Szor, Addison-Wesley, 2005
• The AVIEN Malware Defense Guide for the Enterprise: David Harley et al., Syngress, 2007
• Virus Bulletin: http://www.virusbtn.com
• WildList Organization International: http://www.wildlist.org


Glossary

Blackhat, whitehat, greyhat
Blackhat: Someone who engages in unequivocally malicious activity (intrusion; unauthorized hacking or cracking; malware creation, dissemination or exploitation; frankly criminal activities such as fraud or extortion). Whitehat: Someone, especially a security professional, engaged in defending the community at large or their own organization or interest group from blackhat activities. Greyhat: Someone whose motivation may be similar to that of a whitehat researcher, but whose methods are sometimes closer to those of a blackhat. Ethical classification by hat color is not always as simple as this, and derives from the equally simplistic model of traditional Western movies, where the bandits always wore black hats and the hero always wore a white Stetson.

Bot, botnet, botmaster
Bot: In modern security usage, usually applied to one of a range of malicious programs used to compromise a system so that it can be assimilated into a network of compromised systems (botnet) under the control of a bot herder. Bot herder, botmaster, botmeister: Someone who controls a botnet for diverse criminal or malicious purposes such as spam distribution, malware distribution and DDoS orchestration. Botnet: Network of bot-compromised/infected systems under the control of a botmaster.

Codec
Short for compression/decompression: a technology designed to reduce the size of a signal (very often audio or video) to save disk space and transfer time over a network.

DoS, DDoS
DoS: Denial of Service attack: an attempt to prevent a computer system from functioning normally. Frequently associated with extortion: the criminal threatens to prevent systems from functioning so that the victim organization cannot carry out its normal business. DDoS: Distributed Denial of Service attack: a DoS attack amplified by delivering it through a network of compromised systems, nowadays usually a botnet.
Exact Identification
Recognition of a virus when every section of the non-modifiable parts of the virus body is uniquely identified. Near-exact or almost-exact identification is the term used when the detection is “only” good enough to ensure that an attempt to remove the virus will not damage the host by using an inappropriate disinfection method; in this case, not every section of the non-modifiable parts of the virus body is uniquely identified.

Generic
In anti-malware, the detection or blocking of a threat by class rather than by identification of a specific malware variant. Antonym of “virus-specific.”

Generic signature
In malware detection, a convenient but not universally used term for a virus signature or definition which has been generalized so as to detect a family of viruses or variants, rather than a single unique variant. This is similar to, but not the same as, the distinction between exact and almost-exact identification, since almost-exact identification is usually associated with generic disinfection.


Heuristics
A blanket term applied to a range of techniques for detecting currently unknown malware and variants: recognition of an object that has enough viral or malicious characteristics to suggest that it is probably a virus or other malware. As usually used in the context of malware (and spam) detection, it involves a system for gauging the likelihood that a scanned object is malicious by assigning points for characteristics and behavior that indicate malice.

Keylogger
A form of spyware or Trojan that records a computer user's keystrokes without his or her knowledge and passes the information on to a criminal, bot herder etc. A password stealer is often a keylogger that is programmed to look specifically for account names and passwords.

Malware-specific
The antonym of generic: detection and identification of a particular malicious program, or one of its variants or subvariants, by name, rather than as a presumed member of a class or family of malicious programs. Detection of known malware using search strings specific to those malicious programs or variants.

OS X
The current Macintosh operating system: based on BSD UNIX, but with an interface that continues the long-running Mac user-friendly "look" as well as access to a more conventional UNIX command line. Major revisions and upgrades to OS X are traditionally named after felines, so the latest version is "Leopard" (OS X 10.5.x), and the version preceding it (OS X 10.4.x) was "Tiger". We look forward to seeing "Tabby" and "Russian Blue" at some time in the future.

Pump and Dump (Hype and Dump)
A form of stock fraud in which the value of a stock is artificially inflated so that dishonest speculators can make a profit by selling off when the price is high. This works well for the scammer, but not for the (usually small) company, or for the scam victims, whose contribution to the raising of the stock value is typically rewarded with heavy losses when the scammer sells the stock and stops hyping it.
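The point-scoring idea behind heuristic detection is easier to see in code than in prose. The following example is added here and is not ESET's engine or rules: it scores a scanned byte string by summing weights for indicators (API names associated with keystroke capture, injection and exfiltration, plus high entropy suggesting a packed or encrypted body), and only calls the object "probably malicious" once the total crosses a threshold. All of the indicator names, weights, the entropy cut-off, the threshold and the three sample "files" are constructed assumptions for illustration.

```python
import math
from collections import Counter

# Illustrative indicator table: the API names and weights are assumptions for
# this example, not any vendor's actual heuristic rules.
SUSPICIOUS_APIS = {
    b"SetWindowsHookExA": 3,   # keyboard hook: typical of keyloggers
    b"GetAsyncKeyState": 3,    # polling keystrokes
    b"CreateRemoteThread": 3,  # injecting code into another process
    b"WriteProcessMemory": 2,
    b"HttpSendRequestA": 2,    # a channel to send captured data out
    b"IsDebuggerPresent": 1,   # anti-analysis, but also common in benign code
}
HIGH_ENTROPY = 7.0        # bits per byte; above this the body is probably packed/encrypted
HIGH_ENTROPY_WEIGHT = 3
COMBO_WEIGHT = 2          # extra points when keystroke capture and a send channel co-occur
THRESHOLD = 6             # total points at which the object is called "probably malicious"


def shannon_entropy(data):
    """Bits of entropy per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def heuristic_score(data):
    """Return (points, reasons): each indicator found adds its weight."""
    score, reasons = 0, []
    for api, weight in SUSPICIOUS_APIS.items():
        if api in data:
            score += weight
            reasons.append(api.decode())
    entropy = shannon_entropy(data)
    if entropy > HIGH_ENTROPY:
        score += HIGH_ENTROPY_WEIGHT
        reasons.append("high entropy %.2f (packed or encrypted body)" % entropy)
    captures_keys = b"SetWindowsHookExA" in data or b"GetAsyncKeyState" in data
    if captures_keys and b"HttpSendRequestA" in data:
        score += COMBO_WEIGHT
        reasons.append("keystroke capture combined with an outbound channel")
    return score, reasons


def probably_malicious(data):
    """Verdict: the weighted evidence must add up; one indicator alone is not enough."""
    return heuristic_score(data)[0] >= THRESHOLD


# Constructed sample objects (not real files):
BENIGN = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode."
          + b"Hello, world\r\n" + b"\x00" * 200)
# A compressed archive or packed installer: uniformly distributed bytes, nothing else.
PACKED_INSTALLER = bytes(range(256)) * 16
# Imports you would expect of a keylogger that phones home, in an unpacked body.
KEYLOGGER_LIKE = (b"MZ\x90\x00" + b"\x00".join([b"SetWindowsHookExA", b"GetAsyncKeyState",
                                                 b"HttpSendRequestA", b"IsDebuggerPresent"])
                  + b"\x00" * 64)

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("packed installer", PACKED_INSTALLER),
                         ("keylogger-like", KEYLOGGER_LIKE)]:
        points, why = heuristic_score(sample)
        print(name, points, probably_malicious(sample), why)
```

Note that the packed installer scores points for entropy alone and stays below the threshold: a single strong indicator produces false positives, so a heuristic engine accumulates several weaker ones, and the weights and threshold are what a vendor tunes against both malware collections and clean-file sets.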
Rootkit technique
Technology used mostly in malware to hide from the operating system and computer users. A rootkit enables the intruder to maintain and exploit an undetected foothold on the system. A more formal working definition might be along the lines of "a form of toolkit installed onto a compromised system in order to:
• maintain privileged access and control
• allow the individual and/or software to make use of that access in whatever way he chooses
• conceal or restrict access to objects or processes such as:
— Processes
— Threads
— Files
— Folders/Directories/Subdirectories
— Registry Entries
— Handles
— Open Ports


Signature scanning
Strictly, searching for the presence of a virus by checking for a more-or-less static byte sequence. In fact, even basic AV scanning uses more complex and effective techniques nowadays, using algorithmic approaches, wildcards and so forth. The term "signature" is often deprecated in anti-virus research because of this ambiguity, though it is probably far too late to eradicate it from popular and media use and misuse. However, it is still routinely used in intrusion detection. "Signature" remains a common synonym for "scan string", but often misleads people into thinking there is a single byte sequence used by all virus scanners to recognize each virus or variant.

Social engineering
Term applied to a wide range of techniques for causing a desired change in behavior, or gaining some advantage, by psychological manipulation of an individual or group. The term actually derives from social science, where it does not necessarily have a negative connotation, but as used in security it almost invariably involves some form of deception, malice or fraud.

Spyware
More or less generic term for a range of malware such as keyloggers, Remote Access Trojans (RATs), backdoor Trojans and so on. Malware used for frankly criminal activities such as phishing may also be referred to as crimeware.

Stealth, Stealthkit, Stealthware
Stealth: Adjective: often used in security as an alternative to "stealthy", by analogy to "stealth aircraft" and other military terminology relating to concealment strategies.
Stealthware: Software (usually malware) that uses stealth techniques to conceal itself.
Stealthkit: An (often malicious) suite of tools similar to a rootkit, but which does not necessarily involve privilege escalation and/or maintenance. In other words, it is intended to be hidden, but not necessarily to exploit administrator-level system privileges.
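The distinctions drawn above under "Exact identification", "Generic signature" and "Signature scanning" can be shown together on one constructed sample. The example below is added here and is not ESET's scanner or detection data: it scans for a generic scan string with a single-byte wildcard, then checks the hashes of the non-modifiable sections of the matched body to decide between exact identification (every section matches), near-exact identification (only the sections the disinfector depends on match, so a family-level clean-up is still safe) and no identification. The "virus body" is a harmless constructed byte string (a function prologue, a counter instruction whose immediate differs between sibling variants, a modifiable message field, and an epilogue); the definition format, section names and the rule about which sections disinfection needs are all assumptions for illustration.

```python
import hashlib

WILD = None  # wildcard position in a scan string (matches any single byte)


def scan(data, pattern):
    """Offset of the first match of a scan string with single-byte wildcards, or -1.
    A pattern with no WILD entries is the 'static byte sequence' of the strict definition."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(p is WILD or data[i + k] == p for k, p in enumerate(pattern)):
            return i
    return -1


def section_hash(data, offset, length):
    return hashlib.sha256(data[offset:offset + length]).hexdigest()


def identify(data, definition, base):
    """Compare every non-modifiable section of the body found at 'base' with the definition."""
    ok = {s["name"]: section_hash(data, base + s["offset"], s["length"]) == s["sha256"]
          for s in definition["sections"]}
    if all(ok.values()):
        return "exact"
    if all(ok[s["name"]] for s in definition["sections"] if s["needed_for_disinfection"]):
        return "near-exact"   # safe to apply the family's disinfection, but not this variant's name
    return "unidentified"     # scan string hit, but the body is not the one the definition describes


def detect(data, definition):
    base = scan(data, definition["scan_string"])
    return "clean" if base < 0 else identify(data, definition, base)


# --- Constructed sample body (not real malware) ---------------------------------
STUB = bytes.fromhex("558bec83ec10")   # push ebp; mov ebp,esp; sub esp,0x10  (fixed)
TRAILER = bytes.fromhex("c9c3")        # leave; ret                           (fixed)


def make_sample(counter, message):
    # layout: STUB[0:6] | mov ecx,imm32 [6:11] | message [11:27] (modifiable) | TRAILER [27:29]
    return STUB + b"\xb9" + bytes([counter]) + b"\x00\x00\x00" + message.ljust(16, b"\x00") + TRAILER


def build_definition(name, sample):
    """Record hashes of the non-modifiable sections only; the message field is left out."""
    return {
        "name": name,
        # generic scan string: the counter immediate is wildcarded, so siblings match too
        "scan_string": list(STUB) + [0xB9, WILD, 0x00, 0x00, 0x00],
        "sections": [
            {"name": "stub", "offset": 0, "length": 6,
             "sha256": section_hash(sample, 0, 6), "needed_for_disinfection": True},
            {"name": "counter", "offset": 6, "length": 5,
             "sha256": section_hash(sample, 6, 5), "needed_for_disinfection": False},
            {"name": "trailer", "offset": 27, "length": 2,
             "sha256": section_hash(sample, 27, 2), "needed_for_disinfection": True},
        ],
    }


VARIANT_A = make_sample(0x10, b"HELLO")
VARIANT_A_RETEXTED = make_sample(0x10, b"GREETZ")   # same variant, only the modifiable field differs
VARIANT_C = make_sample(0x20, b"HELLO")             # sibling variant: counter immediate differs
BENIGN = b"MZ" + b"\x00" * 40
DEF_A = build_definition("Constructed.Example.A", VARIANT_A)
STATIC_SIG_A = list(STUB + b"\xb9\x10")             # strict 'signature': no wildcard

if __name__ == "__main__":
    for name, body in [("A", VARIANT_A), ("A retexted", VARIANT_A_RETEXTED),
                       ("C", VARIANT_C), ("benign", BENIGN)]:
        print(name, "static:", scan(body, STATIC_SIG_A), "generic:", scan(body, DEF_A["scan_string"]),
              "identification:", detect(body, DEF_A))
```

The static scan string finds only variant A, the wildcarded one finds the whole family, and the section hashes then separate "this exact variant" from "a relative we can still disinfect generically", which is the practical reason the page distinguishes exact from almost-exact identification.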
Zombie, zombify
In botnet terminology, a zombie is a system (usually a PC) which has been compromised by a bot of some sort, incorporated into a botnet, and at least partly under the control of a remote attacker (the botmaster). To zombify is to compromise a system so that it becomes a zombie.


About ESET
Founded in 1992, ESET is a global provider of security software for enterprises and consumers. ESET's award-winning system, ESET NOD32 Antivirus, provides real-time protection from known and unknown viruses, spyware, rootkits and other malware. ESET NOD32 Antivirus offers the smallest, fastest and most advanced protection available, with more Virus Bulletin 100 Awards than any other antivirus product. ESET was named to Deloitte's Technology Fast 500 five years running, and has an extensive partner network, including corporations like Canon, Dell and Microsoft. ESET has offices in Bratislava, SK; Bristol, UK; Buenos Aires, AR; Prague, CZ; and San Diego, USA; and is represented worldwide in more than 100 countries. For more information, visit http://www.eset.com/ or call (619) 876-5400.

About ESET NOD32 Antivirus and ESET Smart Security ESET NOD32 Antivirus isn’t just antivirus: it’s a unified Anti-Threat system which protects against viruses, spyware, adware, trojans, worms and phishing attacks. The proactive ThreatSense® technology stops 93% of zero-day threats before they’re even released. The optimized engine delivers the best detection, fastest scanning, and smallest performance impact of any antivirus or antispyware solution. ESET NOD32 Antivirus is flexible and configurable with centralized management and reporting functionality. The broad product platform protects Windows, Linux, Novell and MS DOS machines. ESET Smart Security builds on this platform to offer all this, plus spam detection and management and a personal firewall. The business editions of NOD32 and ESET Smart Security offer, in addition, Remote Administration, a LAN update “mirror” and the ability to install the product on servers. For a comprehensive list of products, consult http://www.eset.com/products/index.php.

About ThreatSense®
ThreatSense® is the advanced Anti-Threat engine that drives NOD32 and ESET Smart Security. It combines the industry's best advanced heuristics with generic signatures for the best overall protection. Dynamic updates for both technologies are provided automatically, free of charge, to all current customers. The client-side software automatically checks with the Threat Lab at eset.com every hour for an update.

Exclusive Distributor: Version 2 Limited

Unit 307 3/F, West Wing, No. 8 Science Park West Avenue Hong Kong Science Park, Pak Shek Kok, Shatin, N.T.

Office Hours Mon-Fri: 9:30am-1:00pm 2:00pm-6:30pm Sat: 9:30am-1:00pm (Except public holiday)

Contact Us Sales Hotline: (852) 2893 8860 E-Mail: [email protected] Support Hotline: (852) 2893 8186 E-Mail: [email protected] Fax: (852) 2893 8214 Website: http://www.eset.hk

© 2007 ESET, LLC. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET, sro & ESET, LLC. All other names and brands are registered trademarks of their respective companies. GTRWC20080110