The amount of new malware has never been higher. F-Secure labs are receiving an average of 25,000 malware samples every day, seven days a week. If this trend continues, the total number of viruses and Trojans will pass the one million mark by the end of 2008.

While there are more viruses being created than ever before, people often actually report seeing fewer of them.

One reason behind this illusion is that malware authors are once again changing their tactics for infecting our computers. A year or two ago, most malware was spread via email attachments, which resulted in mass outbreaks like Bagle, Mydoom and Warezov. Nowadays sending .EXE attachments in email doesn't work so well for the criminals because almost every company and organisation is filtering out such risky attachments from their email traffic.

The criminals' new preferred way of spreading malware is by drive-by downloads on the web. These attacks often still start with an email spam run but the attachment in the email has been replaced by a web link, which takes you to the malicious website. So instead of getting infected over SMTP, you get infected over HTTP.

Drive-by downloads

Infection by a drive-by download can happen automatically just by visiting a website, unless you have a fully patched operating system, browser and browser plug-ins. Unfortunately, most people have some vulnerabilities in their systems. Infection can also take place when you are fooled into manually clicking on a download and running a program from the web page that contains the malware.

There are several methods criminals use to gather traffic to these websites. A common approach is to launch an email spam campaign containing messages that tempt people to click on a link. Messages like "There is a video of you on YouTube", or "You have received a greeting card", or "Thank you for your order" have been popular baits.

Another method used by criminals is to create many web pages with thousands of different keywords which are indexed by Google, and then simply wait for people to visit these sites. So when you do a search for something innocuous like "knitting mittens" (as a random example), and click on a search result that looks just like all the others, you are actually getting your computer infected. Typically, an infection by an automatic exploit happens without you realising it or seeing anything strange on the computer screen.

The third method of distributing malware involves the criminals hacking into existing high-profile, high-traffic websites. Unlike the joke defacements that some hackers played on the front pages of prominent websites in the past, today's criminal hackers don't change the front page at all. They simply insert a line of JavaScript on the front page which uses an exploit to infect your machine when you go there. Everything works and looks as normal.

This has happened to the websites of some popular magazines which can have a million users every single day. People trust sites that are part of their daily routine, and they wouldn't suspect that anything bad could happen when they go there.

Another vector for drive-by downloads is infiltrated ad networks. We are seeing more and more advertising displayed on high-profile websites. By infiltrating the ad networks, the criminals don't have to hack a site but their exploit code will still be shown to millions of users, often without the knowledge of the webmaster of those sites. Examples of where this has happened include TV4.se, Expedia, NHL, and MLB.

It is important to be aware of this shift from SMTP to HTTP infections, which can be exploited by the criminals in many ways. Companies often measure their risk of getting infected by looking at the number of stopped attachments at their email gateway. Those numbers are definitely going down, but the actual risk of getting infected probably isn't.

Individuals and companies should therefore be scanning their web traffic for malware - as well as filtering their FTP traffic. In parallel to the switch from SMTP to HTTP as a way of spreading malware, we are now also seeing more and more malicious emails that link to malware via FTP links.

Advanced rootkit emerges

The MBR rootkit known as Mebroot is probably the stealthiest recent malware we have observed, and it has so far been distributed by drive-by downloads.

Mebroot replaces the infected system's Master Boot Record (MBR), which is the first physical sector of the hard drive and contains the first code loaded and executed from the drive during the boot process. It keeps the amount of system modifications to a minimum and is very challenging to detect from within the infected system.
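Since the MBR is a single 512-byte sector with a fixed layout, its boot code can be checked against a known-good record. The following is an added example, not F-Secure's detection method; it assumes the sector was captured from outside the running system (for example from a disk image), because a read made from within an infected system may not be trustworthy, and the function names and sample sectors are constructed.

```python
import hashlib
import struct

CODE_AREA = 440               # bootstrap code; bytes 440-445 hold the disk signature
TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, start LBA, sector count


def parse_mbr(sector):
    """Split a raw MBR into a hash of its boot code and its partition table."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:CODE_AREA]).hexdigest(),
            "partitions": parts}


def changed_fields(baseline, current):
    """Name the parts of the MBR that differ from the known-good sector."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return [k for k in ("code_sha256", "partitions") if a[k] != b[k]]


def sample_sector(code):
    """Build a constructed MBR: filler code, one active partition, signature."""
    entry = ENTRY.pack(0x80, 0x07, 63, 204800)
    return (code.ljust(CODE_AREA, b"\x00") + bytes(6) + entry
            + bytes(48) + BOOT_SIGNATURE)


GOOD = sample_sector(b"constructed-boot-code-A")      # known-good baseline
MODIFIED = sample_sector(b"constructed-boot-code-B")  # same table, different code
print(changed_fields(GOOD, MODIFIED))
```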

MBR viruses used to be the most common form of viruses at the time of the DOS operating system about 15 years ago. Recently there were academic papers published in conferences discussing whether this kind of MBR stealth could ever happen in the age of Windows. We have been very surprised to see it happening for real now in 2008.

This means that the criminals have both the funds and the high-level expertise to develop such complex attacks. They have succeeded in developing code that loads from the boot sector of the hard drive, stays alive while Windows boots up, then loads parts of itself and injects itself into the operating system when Windows is up and running, and manages to hide all this very effectively.

We are likely to see this technique being used by quite a variety of malware. These first MBR rootkits are banking Trojans targeting several online banks, where the criminals are clearly seeing an opportunity to make a return on their investment.