From the archive, originally posted by: [ spectre ]

Battle of the botnets

Davey Winder, Staff Writer

For the average user spam has always been an annoyance. For the
average spammer it has always been about making money. For the
criminal gangs that have muscled in on this lucrative industry during
the last few years it is now about territory and control. Control,
that is, of the botnets behind the malware distribution networks that
they rent out to the spamming middle men to enable them to ply their
trade in relative safety from the crippled arm of the law.

Leading AV researchers at Kaspersky have now identified three criminal
gangs which are participating in an increasingly desperate battle of
the botnets. This turf war is, as all turf wars have a habit of doing,
turning nasty and it is the average computer who is getting caught ion
the crossfire. No longer are the gangs happy to settle for a slice of
the spam pie, they want it all. And that means control over as many
compromised third party computers to create the biggest of mega zombie
botnets. To accomplish this, the gangs behind the Bagle, Warezov and
Zhelatin worms are turning their attention to ridding those
compromised computers of rival gang malware infections in order to
install their own and gain that control.

Spammers pay a lot of money to rent time on these mega botnets, and
the bigger the botnet, the bigger its capacity to distribute spam, the
more valuable a commodity it becomes.

Kaspersky Lab senior virus analyst Alexander Gostev writing in the
latest Malware Evolution report states that “war had
been declared in cyberspace between the groups producing Warezov and
Zhelatin. Taking into account the size of the botnets used by both
groups, and their clear aim to conduct a large number of attacks, the
situation was clear: this was threatening to become one of the most
serious problems on the Internet in recent years.” Gostev identifies
three groups from different countries who were all busy with the same
thing, creating spam harvesting and distribution botnets. “This
brought the three groups into conflict with each other, and they are
willing to use everything at their disposal to gain an advantage”
Gostev concludes.

The end result has been a huge increase in attacks on users, with an
emphasis on developing new techniques to infect end users and evade
detection by AV filters. If you need any evidence of this, 32% of all
malicious code in email traffic during March 2007 was made up of
Trojan-Spy.HTML.Bankfraud.ra according to Kaspersky, and indicating
clearly that Bagle, Warezov and Zhelatin have created an epidemic.

Although there has been some success in dealing with high profile
botnet related security incidents, including the 57 month prison term
for Jeanson James Ancheta for infecting 400,000 computers for botnet
use, this really is tip of the iceberg time. The really organised
criminals will be using exactly the same techniques to evade capture
and to protect the business of criminality as is seen in the drugs
war. You can be sure that while sacrificial lambs get jail time, the
gang bosses and the real botnet builders will continue to prosper.
Until, that is, law enforcement, the judiciary and governments around
the world start to take the spam problem as seriously as they do the
drugs one. To be frank, I don’t see any evidence of that happening any
time soon.

Malware Evolution: January – March 2007
May 10 2007

Alexander Gostev
Senior Virus Analyst, Kaspersky Lab

IT security professionals have predicted that 2007 will be a watershed
year in the battle against computer viruses, which would have an
effect on computing and computer users as a whole.

In 2007 virus writers will continue to be active in creating and using
Trojans which are designed to steal user data. The main targets will
be users of a range of banking and e-payment systems, and online
gamers. Virus writers and spammers will continue to work more and more
closing together, with infected machines being used not only to
organize new virus epidemics and attacks, but also as spamming

As for infection vectors, Kaspersky Lab analysts believe that email
and browser vulnerabilities will continue to be widely used. Although
malicious programs will continue to use P2P networks and IRC channels
to spread, this is unlikely to be on a large scale. Generally, this
tactic will be used locally – for instance, Winy, a P2P client which
is very popular in Japan, may start to cause serious headaches for
Asian users. Instant messaging clients will remain in the top three
methods for conducting attacks: however, this infection vector is
unlikely to see a big increase in popularity.

Epidemics, virus outbreaks and attacks will become even more markedly
linked to specific geographical territories. For instance, Trojans
which steal online gaming data and worms with virus functionality are
likely to dominate in Asia, whereas Trojan spy programs and backdoors
will have the lion’s share in Europe and the USA. Latin America will
continue to suffer from a large number of Trojan banking programs.

There’s no question that Vista, and vulnerabilities associated with
this new operating system, will be the main security event of 2007.

It’s also likely that there will be a significant increase in the
number of malicious programs for other operating systems, primarily
for MacOS, and for other *nix systems. Gaming consoles such as
PlayStation and Nintendo are also likely to be targeted, as the
increasing number of such devices and their ability to connect to each
other and the Internet will make them a juicy potential target for
virus writers. It’s true that at the moment, malicious code for these
devices has been confined to the proof of concept/ vandal category.
However, 2007 may be the year when viruses for ‘non-computers’ take a
quantum leap and start to evolve actively, although the likelihood of
this happening is small.

Malicious programs will continue to become more sophisticated
technologically, and will use new methods in order to mask their
presence in the system. Polymorphism, garbage code and rootkit
technologies will be even more widely used and will become the de
facto standard for the majority of new malicious programs.

There will also be an increase in the number of targeted attacks on
medium business and large companies. In addition to traditional
information theft, such attacks will be designed to extort money from
the organizations under attack, including payment for decrypting data.
One of the main infection vectors which will be used will be MS Office
files by exploiting vulnerabilities in this software package.

* The Internet battlefield
* Big trouble in little China
* The highs and lows of Vista
* Conclusion

The Internet battlefield

The end of 2006 was difficult for antivirus companies around the
world. Virus researchers around the world were in a state of high
alert, mobilizing all their resources throughout the final quarter of
the year.

This was caused by the unprecedented long and widespread attacks on
the Internet caused by the unknown authors of the Warezov family of
email worms. The first examples of this worm appeared on the Internet
in October 2006, and were most active towards the end of the month,
when up to 20 new variants appeared in the space of 24 hours.

In many ways, Warezov is extremely similar to the notorious Bagle.
Although Warezov is based on Mydoom.a source code, and Bagle was a
completely original program created by an unknown group of virus
writers, we are inclined to view these two worms as being related.
Firstly, the way in which the epidemics were organized are extremely
similar, with a large number of variants being mass mailed within a
short period of time, which differ according to geographical region
(e.g. the variants mailed in Russia differed to those mailed in
Europe). Secondly, their functionality – installing other worm modules
from Trojanized sites and collecting email addresses which are then
sent to a remote malicious user – is identical. Bagle was the first to
use this virus technology in order to provide fresh material for
spammers address databases – Warezov did exactly the same.

These characteristics, and the appearance of Warezov and the cessation
of new variants of Bagle coincided in the same week. It’s difficult to
believe that the authors of Bagle suddenly decided to go out of
business, with someone else taking over the reins. It’s possible that
both worms are the creation of one and the same group.

By the end of 2006 we had detected more than 400 variants of Warezov.
The authors of this worm organized a large number of short-lived mass
mailings, sending out the latest variants, which led to a gigantic
botnet being created. If we take into account that Warezov also
harvests email addresses, it was clear that a wave of spam and
phishing attacks was coming. Warezov was created and spread with one
aim in mind – to use infected machines as mail proxy servers in the

To all intents and purposes, the worm’s authors and their clients had
annexed a large part of the mass mailing black market. This was likely
to lead to a reaction from competitors, with an answering blow being
only a matter of time.

On 18th January 2007, hurricane Kyrill swept Europe. The snowstorm
took the lives of more than 30 people. Tens of thousands of Europeans
were left without light, mobile connections or normal transport. The
world’s attention was focused on the events which were covered by the
mass media around the clock.

On 20th January, another storm hit, but this time the victim was
email. The gigantic mass mailing contained messages with some of the
subjects included below. The subjects were, naturally, designed to
make the user launch the file within the message:

* 230 dead as storm batters Europe.
* Russian missle shot down Chinese satellite
* Chinese missile shot down USA aircraft
* Sadam Hussein alive!
* Venezuelan leader: “Let’s the War beginning”.
* Fidel Castro dead.
* President of Russia Putin dead
* Third World War just have started!

The attached files were actually a Trojan program, which got
classified as Trojan-Download.Win32.Small.dam and Trojan- This Trojan would download other
components to the victim machine with the result being a new,
extremely aggressive, network worm which utilized rootkit
technologies. Unofficially it was christened ‘the Storm worm’. The
official name given to it in our antivirus databases was Email-

War had been declared in cyberspace between the groups producing
Warezov and Zhelatin. Taking into account the size of the botnets used
by both groups, and their clear aim to conduct a large number of
attacks, the situations was clear: this was threatening to become one
of the most serious problems on the Internet in recent years.

Until now, the best known cyber conflict was that between Mydoom,
Bagle and NetSky, back in spring 2004. The network was flooded with
dozens of variants of these worms: they scanned victim machines for
their competitors and took their place, deleting the original worm.
The war was brought to an end by the arrest of 18 year old Sven
Jaschan, the author of NetSky, in Germany. However, his creations
remain one of the most widespread worms in mail traffic. Out of all
the malware authors involved, only the authors of Bagle have remained
active. It’s true that they disappeared into the shadows for a while,
and didn’t react in any way to the appearance of Warezov, which is why
we thought that they might have been involved in creating this worm.
However, in January Bagle suddenly reappeared, and one variant of this
worm became the most widespread malicious program in mail traffic.

The situation was becoming more and more interesting. Three groups,
from different countries, who were all busy with the same thing –
creating botnets to send spam and harvest email addresses. All these
groups are dependent on money from spammers, who will pay good money
for the biggest botnet and the largest database. This brought the
three groups into conflict with each other, and they are willing to
use everything at their disposal to gain an advantage. The result was
an unending cycle of attacks on users. In order to infect machines,
the virus writers had come up with newer and newer methods to evade
antivirus filters.

The authors of Warezov began responding to Zhelatin attacks in March,
and Bagle started periodically putting its head above the ramparts
several times a month from March onwards. At the end of last year,
antivirus companies were only having to combat attacks from a single
groups, but now the complexity and volume of the task had increased
three times. And all of this was accompanied by an increase in spam
and phishing.

Almost 32% of all malicious code in mail traffic in March 2007 was
made up of Trojan-Spy.HTML.Bankfraud.ra. This was clearly a result of
the epidemics caused by Bagle, Zhelatin and Warezov. This malicious
program is a typical phishing email, and millions of copies were sent
around the world. We also detected repeat sendings of this Trojan,
which was initially detected on 27th February 2007. The Trojan targets
Branch Banking and Trust Company clients, luring them to fake sites
which are registered by malicious users in Croatia and the Cocos
(Keeling) Islands.

We can only guess which group is responsible for making this phishing
attack a reality. Personally, my money would be on Zhelatin.

Big trouble in little China

Kaspersky Lab analysts detected the first variants of Viking, a
network worm, at the beginning of 2005. Initially, it was an
unsophisticated program, and didn’t stand out from the crowd of other,
similar programs. The worm copied itself to accessible network
resources, infected files, attempted to download files from the
Internet, and harvest user names and passwords for some online games.

Throughout 2005 Viking’s author wasn’t very active, releasing only one
new variant of the worm approximately every two months. However, in
April, with the release of Viking.h he became much more animated, and
by September 2006 the number of known variants of this worm was more
than 30. Then an epidemic which was comparable to those caused by
Warezov in terms of scale broke out in China.

There were dozens of new Viking modifications being detected every
week, with tens of thousands of Chinese Internet sites which were
involved in spreading the worm, and multiple requests for help from
Asian users. It very quickly became clear that we were dealing with a
national epidemic.

It was Viking which caused China to take first place in terms of the
number of malicious programs created by the country. And it was due to
Viking that the class of network worms, programs which spread via
local area networks, infect files, and which are normally small in
number, experienced a significant increase in numbers (see the annual
report for further details).

We encountered the next Chinese puzzle in winter 2007. A number of the
new Viking variants differed so significantly from the original
variant that we started classifying them as a new family: Fujack. This
decision coincided with another outbreak. In January and February
Fujack was the main problem for Chinese users, and information about
the “panda virus” (so called because the icon for infected files would
be changed to an icon showing a panda with a stick of bamboo) could be
found on all major Asian news sites.

We need to take a short diversion, and ask the question: how did a non-
email and non-network worm manage to spread in such huge quantities,
and why exactly did this happen in China?

The main factors are as follows:

* In comparison to other countries, the Chinese segment of the
Internet has a relatively high amount of file sharing.

There are thousands of servers in China which act as an enormous file
storage. There’s no question that if piracy is the only way in which
users are able to get hold of the programs that they want, such
servers will be extremely popular. It’s likely that it’s possible to
find any program that has ever been written on these servers. And if
users are exchanging files, then one infected file on such a server
would be enough to ensure tens of thousands of victims. The sites
which we identified as being sites spread Viking and Fujack were,
unsurprisingly, file sharing sites.

* The virus was spread by more than one person. Virus writers were
involved in selling exclusive variants of Fujack designed to steal
user data to online games. This contributed to the enormous number of
variants and the several sources by which the worm was spread.
* The enormous size of local area networks, above all in Chinese
universities. Once a virus gets into such a network, it would be able
to very quickly infect thousands of computers with open network

I think that this was an example of a very particular type of
epidemic, which couldn’t have happened anywhere except China. And in
spite of the number of infections, the virus wasn’t able to transcend
national borders, and there was no significant number of infections in
Europe or the US.

The result was one that we had hoped for, but not expected. On 12th
February, the Chinese news agency Xinhua announced that the police had
arrested several people who were suspected of being involved in the
creation of Fujack. In total, 8 suspects were arrested, including the
25 year old Li Jun, who goes by the pseudonym WhBoy. Li Jun admitted
that he had made approximately $12,500 from creating and selling the
worm to other hackers, and that he started writing viruses because he
could not find work in the IT sector.

According to some sources, this was the first case of a virus writer
being arrested in China. I am not certain that it was the first case,
but it’s certain that it was the first high profile arrest of a virus
writer in China.

I searched our virus collection for malicious programs which contain
the word WhBoy in their code – Li Jun’s signature. The resulting list
is as follows:

* several dozen variants of Trojan-PSW.Win32.Lmir, a Trojan which
steals accounts for Legend of Mir, an online game;
* several dozen variants of Trojan-Downloader.Win32.Leodon;
* all worms in the Email-Worm.Win32.Lewor family;
* a number of variants of Backdoor.Win32.WinterLove;
* several dozen variants of Trojan-PSW.Win32.Nilage, which steals
user accounts to the online game Lineage;
* several dozen variants of Trojan-PSW.Win32.QQRob, a Trojan which
steals QQ accounts (a Chinese instant messaging system);
* the Viking and Fujack worms.

If WhBoy is really the author of all these malicious programs, he
could be seen as being one of the most active virus writers of the
past decade.

There’s an interesting twist to all of this. The Chinese police
demanded that Li write an antivirus which would clean computers
infected by Fujack. He tried. But what he came up with wasn’t capable
of restoring infected systems. The author of the virus couldn’t
control his own creation – can you think of a more ironic situation?

The highs and lows of Vista

There’s no doubt that the release of Microsoft’s new operating system,
Vista, onto the market at the end of January 2007 was a major event,
not just for the antivirus industry but for the computer world as a
whole. Microsoft announced that this latest version of its operating
system would be the most secure in the history of Windows, and that
many security issues which had caused virus epidemics in the past had
been solved.

Questions about how secure the new operating system would actually be
started circulating long before the release of the beta version. What
exactly would the security functions be, and how effective would they
be? Would it be true that Vista would make antivirus solutions

Questions about how secure the new operating system would actually be
started circulating long before the release of the beta version. What
exactly would the security functions be, and how effective would they
be? Would it be true that Vista would make antivirus solutions

The list of key functions was impressive: User Account Control, Patch
Guard (to protect the kernel) and security features in Internet
Explorer 7, Address Space Layer Randomization, Network Access
Protection, and Windows Service Hardening. In addition to all of this,
Vista is equipped with Windows Defender, an integrated firewall and

Information security professionals agreed that none of these
innovations were likely to have a significant effect on computer
viruses. Tests conducted by a number of antivirus companies showed
that approximately 90% of malicious programs designed to run on
Windows XP systems would be capable of functioning on Vista. And of
course, the question of vulnerabilities in the new operating system
would also be an issue.

In spite of Microsoft’s assurances that the new operating system would
be developed almost from scratch, and that unprecedented steps would
be taken to ensure security right from the start of the development
process, and that a unique testing system had been successfully
implemented, everyone was sure that there would be problems. It wasn’t
so much a question of ‘Will critical vulnerabilities be identified in
Vista?’ but rather, ‘When will they be identified?’

Vista was released for sale on 30th January 2007, and the race to find
vulnerabilities was on. Hackers around the world focused their
attention on Vista, searching for a zero-day exploit which could be
used to create malicious programs.

Within two weeks, on 13th February, Microsoft released the latest
bundle of patches. It included patches for six critical
vulnerabilities and 6 important vulnerabilities, one of which was, as
usual, vulnerability in Microsoft Excel. We’ve often written about the
multiple vulnerabilities detected in Microsoft Office in 2006. In
spite of all the patches which have been released, vulnerabilities
continue to be identified and immediately exploited by malicious

However, the February patch bundle didn’t include a single
vulnerability in Vista! This was a surprise, and could be viewed as
confirmation that the new operating system is truly secure. However,
there was one ‘but’. The vulnerabilities which were patched in
February were detected prior to Vista’s release. Even if vulnerability
had already been identified in Vista, it would not be patched in
February. Consequently, we had to wait until March in order to get a
true picture.

11th March came, and with it some surprising news. Microsoft announced
that it would not be issuing any patches that month. This was the
first time in several years that Microsoft did not release any patches
– it could be seen as evidence that all problems in all versions of
Windows had finally been fixed. However, the explanation that
following the announcement showed that the situation was not quite
that rosy. Microsoft was busy testing the patches which had been
released the previous month. The software giant explained that it was
continuing to invest both potential and already disclosed
vulnerabilities in order to protect their customers. However, the
statement continued, creating patches which fully resolve security
issues is a long process made up of several steps. These words clearly
meant one thing: there are known vulnerabilities, and it will take
time to fix them. At the same time, eEye Digital Security announced
that 5 unpatched vulnerabilities had been detected in Windows.

The situation was worrying. And after three weeks, the storm broke.

On 29th March 2007, antivirus companies noticed a strange program in
among the flood of now-standard viruses. ANI format files (animated
cursor files) had been found on a number of Chinese sites. When a user
viewed these sites, a range of Trojan programs, mainly Trojan-
Downloader programs, would be installed to his/ her machine.

In addition to that, email messages which contained the suspicious ANI
files were also circulating. Analysis showed that they were connected
to a new vulnerability in graphic files processing, which was present
in Windows Vista.

This vulnerability was fought over for nearly two months. The struggle
ended in the worst possible way – Chinese hackers used the
vulnerability to spread viruses, and no patch was made available.

Even more worrying was the fact that two years ago there had already
been issues connected to the processing of ANI files. Back in January
2005, hundreds of sites containing Exploit.Win32.IMG-ANI (this is the
Kaspersky Lab classification) were detected. MS05-002 contained a
patch for this hole; however, as time passed, it became clear that the
patch had not been sufficiently tested. In addition to this, all the
assertions that Vista had been written from scratch, that all the code
had been repeatedly tested, and that such errors could not arise were
negated by the appearance of these small vulnerable cursor files.

It only remained for Microsoft to release information about the new
vulnerability, which was labeled CVE-2007-1765 and to provide a list
of affected operating systems and applications. Meanwhile, antivirus
companies were continuing to detect more infected sites and Trojan

Websense detected more than 500 infected sites capable of infecting
unsuspecting users in less than a week. The majority of incidents
resulted in the victim machine being infected by several Trojan spy
variants, which were designed to steal user data to online game
accounts (World of Warcraft, Lineage).

It seemed that this problem might grow into a global epidemic. eEye
Digital Security released an unofficial patch for the vulnerability.
This was reminiscent of other cases, where Microsoft refused to
release an out of schedule patch: for instance, December 2005, and the
vulnerability in processing WMF files. Almost three weeks passed
between the problem being detected, and a solution being provided. On
the other hand, in September 2006, Microsoft only needed 10 days to
release MS06-055, which patched a dangerous vulnerability.

This time Microsoft moved rapidly, and on 3rd April MS07-017 was
issued in an out of schedule release. This vulnerability was described
as ‘Vulnerabilities in GDI Could Allow Remote Code Execution’, and the
number of affected operating system versions certainly made an

* Microsoft Windows 2000 Service Pack 4;
* Microsoft Windows XP Service Pack 2;
* Microsoft Windows XP Professional x64 Edition and Microsoft
Windows XP Professional x64 Edition Service Pack 2;
* Microsoft Windows Server 2003, Microsoft Windows Server 2003
Service Pack 1, and Microsoft Windows Server 2003 Service Pack 2;
* Microsoft Windows Server 2003 for Itanium-based Systems,
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems, and
Microsoft Windows Server 2003 with SP2 for Itanium-based Systems;
* Microsoft Windows Server 2003 x64 Edition and Microsoft Windows
Server 2003 x64 Edition Service Pack 2;
* Windows Vista;
* Windows Vista x64 Edition.

The list of vulnerabilities corrected by this patch was also

* GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758);
* WMF Denial of Service Vulnerability (CVE-2007-1211);
* EMF Elevation of Privilege Vulnerability (CVE-2007-1212);
* GDI Invalid Window Size Elevation of Privilege Vulnerability
* Windows Animated Cursor Remote Code Execution Vulnerability
* GDI Incorrect Parameter Local Elevation of Privilege
Vulnerability (CVE-2007-1215);
* Font Rasterizer Vulnerability (CVE-2007-1213).

Three of these vulnerabilities were present in Vista: EMF Elevation of
Privilege Vulnerability, Windows Animated Cursor Remote Code Execution
Vulnerability, GDI Incorrect Parameter Local Elevation of Privilege
Vulnerability. Two of them had been identified back in 2006, but were
only closed with the release of this patch!

Microsoft did, to some extent, explain how the company had been able
to develop and release a patch which covered such a large number of
vulnerabilities on the Microsoft Security Response Center Blog:

“I’m sure one question in people’s minds is how we’re able to release
an update for this issue so quickly. I mentioned on Friday that this
issue was first brought to us in late December 2006 and we’ve been
working on our investigation and a security update since then. This
update was previously scheduled for release as part of the April
monthly release on April 10, 2007. Due to the increased risk to
customers from these latest attacks, we were able to expedite our
testing to ensure an update is ready for broad distribution sooner
than April 10.”

So: Microsoft had known about the problem since December the previous
year, and had spent the intervening period testing; it decided not to
release the patch as part of the March cycle, but to wait until April,
although the patch was actually released prior to the scheduled date.
The vulnerability had been known about, both by Microsoft and the
computer underground, for more than three months…We can only guess how
many hacker attacks took place during this period.

This case clearly showed that Windows Vista is no different from
previous version of Windows as far as vulnerabilities go. It also
showed that all of Microsoft’s innovations, both in terms of program
security and in terms of flawless code were not all that they were
cracked up to be. And finally, it showed that zero-day
vulnerabilities, which are exploited by virus writers before an
official patch can be released, are still a serious issue.


The events of the first three months of 2007 confirmed our worst
fears. Virus writers are still continuing to organize multiple short
term epidemics by releasing numerous variants of a single malicious
program onto the Internet in a short space of time. Naturally, this
makes life more difficult for antivirus companies. Vista became a
target for hackers, who were not only searching for vulnerabilities,
but also for ways to evade some of the security features such as UAC,
Patch Guard, and protection against buffer overflows.

The second quarter of the year will undoubtedly confirm trends. It
will also give clear pointers as to how secure contemporary operating
systems actually are, and which new methods malicious users are
choosing to conduct their attacks.

Leave a Reply