Symantec Global Internet Security Threat Report
During this reporting period the Induc virus128 was the most widely observed new malicious code family. This virus is notable because it does not perform any known malicious actions other than proliferating. Induc propagates by embedding itself into installations of the Delphi129 application development environment.130 When the virus first runs, it attempts to locate an installation of Delphi, specifically targeting versions 4.0 through to 7.0. If it fails to find an appropriate Delphi installation, nothing else happens. This means that the virus is benign for users who do not have Delphi installed.131
The primary reason for the prevalence of Induc in 2009 is that developers using an infected Delphi installation were unknowingly including Induc in their released products. Induc would be included with every new build, resulting in legitimate, official installation packages that included the virus. This resulted in the virus spreading directly through multiple vendors’ software distribution channels, such as automatic software updates and trusted download locations. There were multiple reported cases of legitimate applications inadvertently including the Induc virus.132
It is possible that Induc was created as a proof-of-concept method of spreading malicious software. Other development environments are equally susceptible to this form of subversion, leading to potentially widespread infection. The successful spreading of the Induc virus may mean that there will be more viruses exploiting this technique in the future.
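The Induc case shows why a development toolchain deserves the same integrity checking as a production server: once the compiler environment is modified, every build it produces is tainted while still looking like an official release. The following added example (written for this edit, not code from the Symantec report) shows the defender's side of that lesson: snapshot a known-good install into a SHA-256 manifest and later verify the tree, reporting modified, missing and added files. The directory layout, file names and contents in `demo()` are constructed for illustration and are not real Delphi artifacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large compiler binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    root = Path(root)
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree at root with a previously recorded manifest.

    Returns a dict with sorted lists: files whose hash changed ("modified"),
    files that disappeared ("missing") and files not present at snapshot time
    ("added"). An empty result in all three means the toolchain is unchanged.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: snapshot a fake toolchain, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "Lib"
        binp = Path(tmp) / "Bin"
        lib.mkdir()
        binp.mkdir()
        # Constructed placeholder files standing in for compiled units and a compiler.
        (lib / "UnitA.dcu").write_bytes(b"compiled unit A")
        (lib / "UnitB.dcu").write_bytes(b"compiled unit B")
        (binp / "compiler.exe").write_bytes(b"compiler stub")

        manifest = build_manifest(tmp)  # the known-good snapshot

        # Simulated compromise: one library unit altered, one removed, one new file dropped in.
        (lib / "UnitB.dcu").write_bytes(b"compiled unit B" + b"<injected>")
        os.remove(lib / "UnitA.dcu")
        (lib / "Extra.dcu").write_bytes(b"unexpected new unit")

        return verify_manifest(tmp, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest should be generated on a clean install and stored (or signed) somewhere the build host cannot rewrite; running `verify_manifest` before each release build turns a silent toolchain modification into a failed build rather than a shipped one.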
The second most observed new malicious code family in 2009 was the Changeup133 worm. This worm propagates by copying itself to removable and mapped drives, using an autorun instruction file to trigger the worm’s automatic execution whenever a local or shared drive is accessed.134 Changeup also connects to TCP port 8000 on a remote website and downloads additional threats, possibly including trojans or
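Because Changeup relies on the autorun instruction file described in note 134, the file itself is a cheap detection point for anyone auditing removable media or network shares. The following added example (written for this edit, not code from the Symantec report) parses an autorun.inf and flags every directive that would cause something to be launched when the drive is accessed: `open`, `shellexecute`, and `shell\<verb>\command` entries. The two sample files embedded in the block are constructed, including the `launcher.exe` name; the directive names are standard Windows autorun keys.

```python
import re

# [autorun] directives that launch (or steer the user into launching) a program.
EXEC_KEYS = {"open", "shellexecute"}

# Constructed sample: a vendor disc that only sets an icon and label.
BENIGN_AUTORUN = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Disc\n"

# Constructed sample: the worm-style pattern where every access path runs a binary.
SUSPECT_AUTORUN = (
    "[autorun]\n"
    "open=launcher.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "shell\\open\\command=launcher.exe\n"
    "shell\\explore\\command=launcher.exe\n"
)


def parse_autorun(text):
    """Minimal INI parser: {section: {key: value}} with section and key names lower-cased.

    Windows treats autorun.inf keys case-insensitively, so lower-casing avoids
    missing a directive written as Open= or SHELL\\Open\\Command=.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not key=value
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launches_code(key):
    """True for directives that execute a program when the drive is opened."""
    return key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text):
    """Return human-readable findings for one autorun.inf; an empty list means nothing was flagged."""
    findings = []
    autorun = parse_autorun(text).get("autorun", {})
    for key, value in autorun.items():
        if launches_code(key):
            findings.append(f"{key}={value} launches a program on drive access")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_AUTORUN), ("suspect", SUSPECT_AUTORUN)):
        print(name, assess_autorun(sample) or ["no execution directives"])
```

A file that merely sets `icon` and `label` produces no findings, while the second sample is flagged three times, once per execution path. Running this over every removable drive and mapped share that appears on a host gives a simple, low-false-positive signal for the propagation mechanism the report describes; disabling autorun processing on the endpoints removes the trigger entirely.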
trojan was the third most observed new malicious code family in 2009. Along with using a range of obfuscation techniques to avoid detection, Bredolab uses several different advanced tactics to propagate, including social engineering, server-side polymorphism, and encrypted communications. It is primarily distributed through spam and drive-by-download attacks. When Bredolab is executed, it copies itself to a computer and creates a registry entry to ensure that it is run every time the computer starts.
Bredolab has been observed downloading numerous other disparate malicious threats, including password stealers, rootkits, back doors, and misleading applications, and its C&C server operators can determine what additional components are downloaded at any time.136 Servers have been observed hosting Bredolab in China, Germany, and Ukraine. It has been used to target social networking sites and to advertise fraudulent money-making scams.137 The popularity of Bredolab in the underground economy potentially stems from its flexibility and robustness, making it a threat that Symantec expects will likely remain popular with attackers into the near future.
128 http://www.symantec.com/security_response/writeup.jsp?docid=2009-081816-3934-99
129 http://www.embarcadero.com/products/delphi
130 http://edn.embarcadero.com/article/39851
131 http://www.symantec.com/connect/blogs/delphi-falls-prey
132 http://channel.hexus.net/content/item.php?item=19853
133 http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
134 Autorun is a function of the Windows operating system that launches newly detected processes or applications (e.g., the insertion of a CD-ROM or USB drive). Windows searches the root directory of the drive for an autorun information file that contains instructions for what process or application to launch.
135 http://www.symantec.com/security_response/writeup.jsp?docid=2009-052907-2436-99
136 http://www.symantec.com/connect/blogs/taking-closer-look-trojanbredolab
137 See http://www.symantec.com/connect/blogs/bredolab-trojan-now-using-popular-social-networking-brand-spread and http://www.symantec.com/connect/blogs/bredolab-delivers-more-parcels-and-cash