MALWARE IN POPULAR NETWORKS GRYAZNOV
VIRUS BULLETIN CONFERENCE OCTOBER 2005
McAfee AVERT, Network Associates, Inc.,
Beaverton, OR 97006, USA
While outbreaks of mass-mailing viruses are making the
news, the much larger volume of non-replicating malware
gets very little attention. Over the past few years malware
writers have apparently shifted their efforts from creating viruses
and worms ‘for fun’, from cybervandalism, to creating
backdoors, remotely-controlled bots, password stealers, etc.
pretty much ‘for profit’. In fact, today we are seeing 8 to 10
times more new non-replicating malware per month than new
viruses or worms.
Because this malware is non-replicating, it cannot spread by itself.
But it is being massively and widely distributed over practically all
popular networks and services on the Internet: Usenet, IRC,
P2P, IM, email. It is spread disguised as multimedia files,
pirated software, useful utilities and so on. It is usually packed
with one runtime packer or another, presenting additional
challenges to anti-virus products. Such malware, once run on
an unsuspecting user’s computer, makes that computer
completely controllable remotely by the perpetrator. Such
compromised computers are then used, among other things, as
email ‘proxies’ for spam, including spamming even more of
that kind of malware through a variety of protocols. Quite
often today adware and spyware are disseminated the same way.
Such compromised computers are often combined into a
‘botnet’ of ‘zombie agents’, which can then be used for
Distributed Denial of Service attacks on any target.
This paper will present statistics on malware in Usenet, P2P
and IRC, discuss the new trends and suggest some possible
countermeasures in addition to using anti-virus software.
THE BIG CHANGE
Over the past years an important change happened in the aims
of malware authors – the ‘bad guys’. It used to be that an
average virus or a Trojan would have a payload of deleting
files, corrupting d