The Fourth Generation of Malware

By Peter Tippett

(Back to article)

Worms, Trojans, viruses, denial of service attacks; many of these seem only to be recent threats to our network environments over the last five years. However, this past January marked the 20th anniversary of the Pakistani Brains virus—the first ever PC virus to replicate itself and spread from one computer to another.

Surely the viruses and Trojans of today are much smarter and in most cases, much more devious than those of 20 years ago. More importantly, today’s worms and viruses are mostly focused on criminal pursuits and theft, so they threaten an organization’s reputation, consumer trust and viability in the marketplace.

But, based on research, it’s quite fascinating to see how these destructive pieces of code have evolved into the threats we know, and fear, today.

The First Generation: DoS Viruses (1986 - 1995)

Beginning in 1986, the first generation of malicious code was comprised of DoS viruses, which infected the operating system and programs of a PC.

You might remember Brain, Lehigh and Form, which infected floppy drives hard drives, spreading through sneaker nets, or non-networked computers. As the Boot-viruses matured, they were able to infect the boot sector of data disks, spreading slowly over several years for their infected numbers to peak. Boot-viruses soon evolved to infect widely- used program files, such as WordPerfect.

Between 1986 and 1995, virus writers were more focused on obfuscation, with viruses becoming polymorphic (encrypted so as to require new virus scanner strings or better algorithms); hardened to avoid being destroyed by anti-virus solutions; stealth-like in their movement; and, bipartite—spreading by both boot and file means.

By the end of this first generation, more than 12,000 unique DoS viruses were written, with about 150 accounting for 95% of infections among PCs all over the world.

The Second Generation: Macro Viruses (1995 - 2000)

The first DoS virus generation ended with the advent of Windows 95 in 1995, and its stricter requirements for application code and segregation of code that ran at boot time.

Virus writers were not able to write Win32 assembler code, so they turned their attention to the macro language in the widely used Microsoft Office applications, and Word documents themselves began spreading the viruses. This evolution of code led to the second generation of malicious attacks via macro viruses.

Between 1995 and 2000, thousands upon thousands of macro viruses were written. However, fewer than 100 unique viruses actually infected PCs and systems.

The most notorious virus was Concept, which appeared in July 1995 and took nine months to reach peak infection; a growth rate that was three to four times faster than the most prolific DoS viruses at that time. But due to several layers of protection built into Microsoft Office applications and the presence of reliable heuristics in almost all anti-virus programs, the macro virus generation was cut relatively short.

The Third Generation: Big Impact Worms (1999 – 2005)

The introduction of high-impact, high-profile mass-mailer worms marked the beginning of the third generation of malicious code: Melissa (1999), “I Love You” (2000), Anna Kournikova (2001), SoBig (2003) and Mydoom (2004).

The highly prolific network worms, such as Code Red (2001), SQL Slammer (2003), Blaster (2003) and Sasser (2003) are also indicative of this generation.

This third generation of worms is responsible for much of the destruction that has paralyzed organizations recently. Each caused major or moderate impact to 20-to-60 percent of corporations. The average third-generation worm doubled its number of victims every one-to-two hours, rapidly reaching peak activity within 12-to-18 hours of being born. SQL Slammer, by far the fastest-spreading worm to date, infected a full 90% of everything it was ever going to infect in just ten minutes.

Mass-mailer worms work almost exclusively through social engineering, or by tricking the user to double-click on an attachment. Thankfully, many organizations now block the three primary attachment types (EXE, PIF and SCR), which has proven successful at blocking repeat occurrences of these third generation attacks.

Many companies have also implemented standard configurations, mini-hardening, router ingress and egress “default deny” access, network segmentation, and policies and education programs. With such broad, holistic education, standards, and other protections in place, many of the big impact worms’ attempts to destroy a PC or network have been thwarted.

The Fourth Generation: Malcode for Profit (2004 – to present)

The last three generations of malicious code authors wrote and distributed malicious code primarily to receive praise from peers and to gain notoriety. However, as we’ve entered the fourth generation, it has become clear that code authors are not looking for bragging rights, but rather cash—and lots of it.

Malicious code authors have found a variety of ways to make a profit, ranging from click-ad revenue to the direct heist of monetary vehicles such as credit card numbers, blackmail and the resale of malicious code resources by the technical master to criminals.

The threat of identity fraud and information theft has become increasingly real over the last two years, with major security breaches at CardSystems, DSW and ChoicePoint, among more than 100 others.

This generation is in many ways increasingly insidious, with its criminal code authors working to stay under the radar. Bot-herds driving millions of zombie (infected) computers to perform numerous different malicious tasks have become the norm. For example, more than 300 different variants of just the Mytob virus were released during 2005 each trying not for massive infection, but instead to gain an incremental one-or-two percent of victims.

More than half of file attachments are in .ZIP files, including encrypted .ZIP files, which are much harder to inspect at our borders. Once infected, these machines are used for almost all types of secondary attacks, phishing, pharming, further distribution of malcode, launching exploits, scanning for vulnerable computers, sending spam, proxyin other attacks, sales of technology and services to organized crime, and more.

The last year has inflicted harm on many consumers with phishing, where constantly evolving messages have been used to trick consumers into giving up login credentials; typically orchestrated via a fraudulent website or email. While recent efforts to warn companies and consumers about the threat of information theft are commendable, hackers and authors grow smarter and more sophisticated with each attack.

Over the last twenty years, worms have used all types of replication vectors, which of course increase with each advance in technology. Authors have worked diligently to have their worms and Trojans avoid detection and reach more victims with every iteration. For instance during this fourth generation, we’ve witnessed Backdoors, Trojans and root kits that enable the free reuse of the infected computer, and bots that create ‘zombies’ out of a network of computers that allow the malcode perpetrator to orchestrate responses among tens of thousands, or even millions, of victims at a time.

With each generation of malware growing more complex and devastating, it’s become increasingly important for CIOs to know not only who is on their network, but who is accessing their network.

While there isn’t an end-all-be-all solution to wiping malicious code authors off the face of the Earth, having the best security policies and procedures in place will help enterprises avoid a crippling network attack that not only puts information at risk, but impedes productivity and ultimately damages the bottom line.

To do this, CIOs and CSOs must work together to achieve a security strategy that aligns with the organization’s business goals to best protect the network from today’s threats, and proactively tackle the threats of tomorrow.

Peter Tippett is CTO of security vendor Cybertrust and chief scientist for ICSA Labs, a division of Cybertrust. He specializes in the utilization of large-scale risk models and research to create pragmatic, corporate-wide security programs.