The Evolution of Malicious Code
Introduction
The latest Symantec Internet Security Threat Report released in September reveals just how prevalent malicious code threats are becoming. In the first half of 2007, 212,101 new malicious code threats were reported to Symantec. This is a 185% increase over the second half of 2006. The new generation of malicious code is different from what we’ve seen in the past. It has evolved into a highly elusive threat, which means you may not even notice that you’ve been infected. But if any machine in your small or medium-size business does become infected, your business data could easily become compromised.
Staged downloaders
Traditionally, malicious code was delivered directly to the intended target. However, today’s malicious code infects computers in new ways. Often, malicious code is installed by attackers who lure users into visiting Web pages that exploit vulnerabilities in the browser or its components. The malicious code itself does not directly exploit a vulnerability in this scenario, but instead is installed on a computer after the vulnerability is exploited.
The introduction of staged downloaders brings another dimension to malicious code. Staged downloader attacks use the initial compromise as a beachhead from which they launch subsequent attacks, which often involve infecting the system with multiple Trojan horses.
Increase in Trojan horses
The Internet Security Threat Report found that Trojan horses made up 54% of the top 50 malicious code reports in the first six months of 2007, an increase over the 45% reported in the final six months of 2006. Most staged downloaders consist of Trojans – in fact, eight of the top 10 staged downloaders this reporting period were Trojans. Also, 35% of computers reporting potential malicious code infections this period reported more than once. Seventeen percent of all computers reporting potential infections reported two potential infections – indicating the strong possibility that a staged downloader had invaded these machines. Of the top 10 new malicious code families detected in the first six months of 2007, four were Trojans, one of which had back door capabilities. Trojans are usually the first means of entry for a staged downloader.
How a staged downloader is executed
The initial Trojan is frequently written for a specific purpose or target. For example, it may be installed when the user accidentally visits a Web page that exploits a browser vulnerability. To avoid being noticed, the initial Trojan is usually quite small in size. The initial stage may disable security applications in place to make way for subsequent infections. The main functionality of a staged downloader system is contained in the second (or possibly third) stage. Frequently, the second stage will be a threat that allows some sort of remote access, enabling the PC to accept commands from the attacker. Once they have control, Trojans are able to do almost anything to your computer, such as downloading other threats, stealing personal or business information, or logging keystrokes.