Security Information Week 1, 2005
This article tries to focus on the security trends that could be observed during 2004.
In 2004 Norman issued 12 alerts about malicious programs:
The previous year there were 14 alerts.
The first half of 2004 was dominated by a war between different groups of virus writers. These groups created the Bagle, MyDoom and Netsky families of malware. The malware often carried messages addressed to the other group(s) of authors, which led many observers to conclude that a war was going on between at least two different groups.
These groups created a massive amount of new malware, which naturally resulted in very frequent releases of new virus signature files from the antivirus industry. In fact, the release frequency was at times so high that it became a stress issue in itself for the industry.
Eventually the person behind the Netsky family was arrested and the war ebbed out. However, even after this there has been a constant flow of new variants of the Bagle and MyDoom families of worms.
MyDoom.A was probably the worst single malware incident during 2004.
The Sasser group of worms spreads over networks (not by email), exploiting a security hole in Microsoft's operating system. Microsoft had issued a patch for the flaw before the first version of Sasser was released on the Internet.
The Sasser family of worms is characterized by the ability to infect vulnerable computers without any user intervention at all.
The author of the above-mentioned Netsky worms also confessed to being the creator of the Sasser worms.
"Bots" is an abbreviation for robots, indicating that these are programs controlled by someone.
2004 is the year when this type of malware exploded, with hundreds upon hundreds of new variants. These bots spread over network connections - often by utilizing security flaws - and may perform different tasks like
A generic description of SDbots is available here.
One of the reasons why these bots have not received much media attention may be that there is a huge number of different variants rather than a few widespread ones.
In 2004 Norman Sandbox technology took a major leap forward when version 2 was released. Among other new features, this version had the ability to simulate network connectivity, which made Sandbox detection of new kinds of malware possible.
An independent study awarded Norman the highest mark among 23 competing vendors, and singled out Norman SandBox technology as the clear leader in the fight against new, unknown computer viruses.
A major part of the high-profile malware that was released in 2004 was detected by Norman Sandbox technology before virus signature files were released.
The year behind us was also the year when two new types of programs, which most users view as more or less malicious, emerged as a major threat, namely the so-called Spyware and Adware.
These are programs that in different ways monitor a user's activities, with the intent to send sensitive information to an "attacker" and/or to display targeted advertisements to the user.
There has been an ongoing discussion regarding whether these types of programs should be classified as malware (and detected by e.g. antivirus programs), since they are often installed only after the user has accepted them (typically by being tricked into doing so). The general consensus seems to be that such programs are malicious software.
Norman released the Norman Ad-Aware products in 2004 to protect against Spyware and Adware.
Among the other tendencies seen in 2004, we will briefly mention:
Related articles:

- 2003 - the worst year ever regarding malicious programs?
- 2002 - a quiet year with respect to malicious programs, or not?