Malware classification

Virus: a programme that can copy itself and infect a computer without permission.

Worm: a self-propagating piece of malicious software that spreads on a network.

Trojan: a destructive programme that masquerades as a benign application.

Bot: a programme used for the co-ordination and operation of an automated attack on networked computers.

Rootkit: a set of programmes that work to subvert control of an operating system from its legitimate operators by making changes to the underlying operating system itself.

Spyware: a programme installed surreptitiously to intercept or take partial control over the user's interaction with the computer.

Backdoor: a method of bypassing normal authentication to obtain covert access to a computer, while attempting to remain undetected.

Downloader: a programme that downloads and installs malicious software.

Adware: a package that automatically displays or downloads advertising material to a computer.

Ransomware: a type of malicious code that encrypts the data belonging to an individual on a computer, demanding a ransom for its restoration.

Different Roles of Botnets in Organized Crime

In the last few years, the efficiency of the criminal organizations behind most botnets has become apparent: they have translated their real-life hierarchical and organizational structure to the online world. These organizations are distributed over several countries, and they have members in every country where they have interests. However, at the moment there are very few connections between distant organizations (e.g., botnet activity in South America seems to be unconnected with botnet activity in Europe). Based on our observations, we can locate the organizations behind botnet activities in a number of specific areas of the world (e.g., Brazil, the US, Russia and some Eastern European countries, Hong Kong and China), although sometimes the same criminal organization is behind the malicious activity in different countries.

Botnet Trends

As we have seen over the last few years, botnet features have been changing with new infection methods and new usages, and they will keep adapting to emerging technologies. For instance, there are currently worms that use Instant Messaging (IM) networks like MSN or Skype to distribute themselves, but there are also worms that distribute themselves by using MMS (e.g. Commwarrior) or SMS (although this needs user interaction) and Bluetooth communications. With always-on Internet connections on many mobile devices (e.g., BlackBerry, Windows Mobile, Symbian), we might soon see malicious code targeting those devices (a ‘mobile devices botnet’) as well.

The same occurs with the home devices that are now being connected to the Internet. For instance, some media centre devices now belong to botnets.

Although most ISPs are implementing security measures to protect their customers from infections, the reality is that today many computers do not use static locations (i.e., static addresses or addresses within a specific dynamic range) because they connect to unknown wireless networks (e.g., in hotels, airports, universities) and use different connection technologies (e.g., 3G, Wireless, Bluetooth, DSL etc.), making the providers’ efforts useless.

Another change is the bot’s C&C communication. Internet Relay Chat was one of the preferred protocols since it was very easy to implement and was able to support the management of thousands of infected computers. IRC is still being used by some botnets, but HTTP is now more widespread, since it is even easier to implement and can be hidden in normal user navigation. (It is easier to detect IRC traffic than to detect malicious HTTP connections within normal HTTP traffic.) The key factor determining the survival of botnets is the use of a protocol that cannot be blocked because it is needed by the infected computer for some legitimate reason. There are other methods of communication that use covert channels (e.g., in DNS, ICMP etc.). Again, such protocols cannot be blocked, but some effort is required by botnet operators to adjust them for their purpose.

Moreover, the real menace will be the use of P2P communications – in fact, there is already some malicious code that uses a protocol similar to P2P (such as the Storm botnet, which uses UDP port 4000 for communication between peers). Such a protocol makes closing down C&Cs – which would normally be an effective countermeasure against botnets – useless, because there is no central server left to take down.

Two examples of botnet complexity are fast-flux networks and Rock Phish. Fast-flux services are a network of compromised computer systems with public DNS records that are constantly changing, in some cases every few minutes. They can also use reverse proxies to redirect the user to another compromised computer, making it harder to track down the attacks. On the other hand, Rock Phish uses compromised computers and thousands of DNS subdomains in order to set up phishing scenarios that hide the real phishing site (Rock Phish is responsible for between one-third and half of all phishing messages being sent out on any given day).
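The constantly changing DNS records described above are also what gives a defender a handle on fast-flux. The following is an added example, not part of the ENISA text: it summarises repeated DNS answers for one hostname (TTL, number of distinct addresses, how scattered those addresses are across networks) and applies an illustrative threshold. The observations are constructed, the addresses are RFC 1918 stand-ins, and the thresholds are assumptions to be tuned against real resolver logs.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List


@dataclass
class DnsObservation:
    """One DNS answer for a hostname: the TTL served and the A records in it."""
    ttl: int
    addresses: List[str]


def flux_features(observations: List[DnsObservation]) -> Dict[str, int]:
    """Summarise how much a hostname's resolution churns across observations."""
    ips = {a for o in observations for a in o.addresses}
    # /16 is a coarse stand-in for "different network": compromised hosts in a
    # fast-flux pool sit in many unrelated ISP ranges, CDN nodes in a few blocks.
    prefixes = {str(ip_network(f"{a}/16", strict=False)) for a in ips}
    return {"unique_ips": len(ips), "unique_prefixes": len(prefixes),
            "min_ttl": min(o.ttl for o in observations)}


def looks_fast_flux(observations: List[DnsObservation], max_ttl: int = 300,
                    min_ips: int = 10, min_prefixes: int = 5) -> bool:
    """Heuristic: short TTL AND many addresses AND addresses scattered across
    networks. Prefix diversity is what separates flux from a CDN, which also
    serves short TTLs and many addresses. Thresholds are illustrative."""
    f = flux_features(observations)
    return (f["min_ttl"] <= max_ttl and f["unique_ips"] >= min_ips
            and f["unique_prefixes"] >= min_prefixes)


# Constructed sample data (RFC 1918 addresses used as stand-ins, not real hosts).
# Flux-like: every query returns three new addresses from unrelated /16s, TTL 180.
FLUX_OBSERVATIONS = [
    DnsObservation(180, [f"10.{3 * i + j}.{i}.7" for j in range(3)]) for i in range(5)
]
# CDN-like: TTL 60 and ten addresses, but all inside two provider blocks.
CDN_OBSERVATIONS = [
    DnsObservation(60, [f"10.50.0.{i}", f"10.51.0.{i}"]) for i in range(1, 6)
]
# Ordinary server: one address with a day-long TTL.
STATIC_OBSERVATIONS = [DnsObservation(86400, ["10.99.0.1"])] * 5

if __name__ == "__main__":
    for name, obs in [("flux", FLUX_OBSERVATIONS), ("cdn", CDN_OBSERVATIONS),
                      ("static", STATIC_OBSERVATIONS)]:
        print(name, flux_features(obs), "fast-flux?", looks_fast_flux(obs))
```

In practice the observations come from passive DNS or resolver logs collected over minutes to hours; a single answer is never enough to tell flux from a CDN.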

Another trend is the improvement in attackers’ security measures. Frequently both the malicious code and the infrastructure that builds the entire scenario are quite simple (e.g., open directories on web servers, the use of weak cryptography, standard packers etc.), suggesting that nobody is analyzing them, but this is changing. Attackers are now becoming more cautious in every step they take: when they notice something suspicious, they turn to public key cryptography, distributed VPNs, fast-flux, Rock Phish, PHP encoding, JavaScript obfuscation, kernel packers, covert channels and auto-removal.



Source: European Network and Information Security Agency