Two new computer worms have security experts both worried and wondering. One new virus is now capable of monitoring a network to steal passwords or other information, and another virus can hijack the voice capabilities of Windows XP to announce its presence to users.
Experts agree that the network monitoring or “sniffing” capability displayed in the new SDBot worm variant is a progression of worm-writing technology and a troubling sign that network data is at increased risk.
The audible capabilities of the Amus worm, which informs infected users politely that it is “cleaning” their machines, are less worrisome to security professionals, but nonetheless display the advancements and increased control that virus writers have over the machines they attack.
“Virus writers and malware writers are just showing off,” Webroot vice president of threat research Richard Stiennon told TechNewsWorld. “But a more important thing, which is beyond a trend, is that they are taking all possible vectors and all modes — whether it’s a keystroke logger or a camera logger or a sniffer — and using the entire space of blended threats.”
Sniffing and Spyware
Stiennon said the sniffing capabilities of the new SDBot variant — which previously only logged keystrokes to capture passwords — are the evolution of phishing, a tactic that scammers use to entice victims to malicious Web sites to steal their financial information.
Although the attacks are usually stopped rapidly and relatively easily by shutting down the infected sites, the network-monitoring abilities of the worm could allow attackers to capture all of the traffic on a local Internet connection or university network, Stiennon said.
The security analyst added that the next convergence on the radar might be the blending of viruses with spyware, secret software that can track or watch user behavior. Stiennon said a vulnerability in antispyware software would result in a security gap that might not be addressed by Microsoft.
“Microsoft won’t be able to issue a patch for something that’s not theirs,” Stiennon said of the scenario.
Progressive Malware Movement
Ken Dunham, iDefense malicious code intelligence manager, said that while virus writers typically add several components to their worms, the appearance of a network sniffer — a first — shows that the malicious software has gotten smarter.
“It was just progressive movements toward how they can steal information from people and now we have a sniffer,” Dunham told TechNewsWorld. “The fact that it can sniff is a significant threat.”
Dunham said that such worms could continue to advance and have already displayed an ability to steal encrypted or financial information, making the malware writer’s job even easier.
In addition, Dunham said the network-sniffing capabilities might also be used to gather up “bot armies” — large groups of infected or compromised machines under control of the attacker.
“You’ve got to say now that they’ve got a greater tool and that will give them greater access to networks,” he said.
Motive and the Mix
While there has been an undeniable move from notoriety to profit as the motive for releasing viruses and worms — which are increasingly blended with spamming techniques and technology — there is also more in the mix of components that virus writers assemble, according to Dunham.
He said that virus writers appear to be adding more variety to their worms with increasing reliance on sound, video and other technologies. The result is a different threat landscape that has now widened.
“It’s the convergence of technology for criminal gain,” Dunham said.