[ISN] Virus authors choosing to infect fewer people

InfoSec News isn at c4i.org
Wed May 25 03:38:25 EDT 2005


By Munir Kotadia
ZDNet Australia 
25 May 2005 

Virus authors are choosing not to create global epidemics -- such as
Melissa or Blaster -- because that distracts them from their core
business of creating and selling zombie networks, according to
anti-virus experts.

Zombie networks are groups of computers that have been infected by
malware that allows the author to control the infected PC and use it
to send spam or launch DDoS attacks.

Speaking at the AusCERT conference in Australia's Gold Coast on
Tuesday, Eugene Kaspersky, founder of Kaspersky Labs, said that the
influence of organised crime on the malware industry has led to a
change of tactics. Instead of trying to create viruses and worms that
infect as many computers as possible, malware authors are instead
trying to infect 5,000 or 10,000 computers at a time to create
personalised zombie armies.

"Do I need a million computers to send spam? No. To do a DDoS attack,
5,000 or 10,000 PCs is more than enough. That is why virus writers and
hackers have changed their tactics of infection -- they don't need a
global epidemic," said Kaspersky.

According to Kaspersky, organised criminals are advertising zombie
computers for rent on underground newsgroups and Web pages. When they
receive an order for a certain-size army, they set about trying to
infect computers using infected e-mail attachments or
socially-engineered spam with links to malicious Web pages. As soon as
they infect enough computers to fulfil the order, they stop using that
particular piece of malware.

"It seems that, say the virus author needs 5,000 infected computers,
they put the Trojan on a Web page and wait for 5,000 machines to be
infected. Then they remove the Trojan because that is enough. When
they get a new request for another zombie network, they release a new
Trojan -- they are able to control the number of infected computers,"  
said Kaspersky.

Adam Biviano, senior systems engineer at anti-virus firm Trend Micro,
agrees. He said that by only infecting a relatively small number of
computers, the malware has a better chance of flying 'under the radar'
and not being spotted by antivirus companies.

"It makes sense to have a discrete number of PCs under your control
and be able to sell that on," said Biviano, who added: "With 5,000 PCs
under your control -- none of which are being destroyed or showing
actual quantifiable damage as a result -- you will fit under the radar,
probably make some money and you probably won't get arrested".

Kaspersky said that to fight this new tactic, anti-virus companies have
to be more thorough, scouring Web pages and e-mail attachments for new
and obscure pieces of malware to ensure that as few Trojans as possible
escape detection.

"Before releasing the new infected code they test it using anti-virus
scanners and they don't release the new Trojan or worm if it is
detected. I believe that if only 1,000 machines are infected,
anti-virus companies will never receive the infected file. That is why
anti-virus companies have to collect data reactively and get samples
as quickly as possible," said Kaspersky.

Vincent Gullotto, vice president of McAfee AVERT (anti-virus emergency
response team), told ZDNet Australia that anti-virus companies are
responding to the new threat by proactively seeking out new forms of

"It is standard for us, Kaspersky, Symantec and some of the other
prominent anti-virus companies to scour the Web in many different ways.
We go out looking for [malware] with a very aggressive search and we
do passive searches where we have machines that are just sitting
around waiting to get attacked. When we see a machine getting attacked
we grab a sample rather quickly so we can add it to our database,"  
said Gullotto.
