spot the signals. know the exploit. block the worm.


Trend Analysis

 

The Trend Analysis reports cover the state and direction of virus and anti-virus issues with emphasis on how specific families of malware are constructed, how they infect, why they propagate, and what may be coming next.

 

Holiday Scheming: Phishing and Cyber Monday (PDF)

December 2005

Just after the hype of "Cyber Monday" (a supposed sharp rise in Web-based sales after Thanksgiving in the US), two pieces of scam-mail caught the attention of the author. This article looks at the trends in Internet sales, the profits behind them, and their illicit counterparts.

 

Digital Casing and the Modern Worm (PDF)

October 2005

In the olden days of the Internet, the stereotypical attack involved a long, intense research session. The attacker would pore over every detail available about the target, from selection through personnel issues. Not so with the modern worm: these fully automated attacks do not require a lot of research on the target side, as they are about volume, not precision. This report examines why this trend has developed and what changes are likely.

 

Just In Time: Microsoft's Time to Exploit, January - April 2005 (PDF)

Part 2: May - August 2005 (PDF)

Part 3: September - December 2005 (PDF)

This brief review of malware in the first four months of 2005 focuses on the time from the release of a vulnerability to the time public exploit code and malware are available. This issue received a great deal of attention after Blaster, and has been the impetus behind large-scale patch management solutions. The report considers the idea that 2005's first batch of malware has been of a "passive" nature, waiting for victims instead of seeking them out. Part 2 examines the next third of the year, May through August; Part 3 tackles the last third of the year and offers a review of 2005.

 

Shell Game: Deutsche Bank Phishing Attempt (PDF)

June 2005

The refinement of phishing tactics, no matter how subtle, is always of interest. This report examines one such "refinement," the use of hyperlink sleight-of-hand to make a very simple-looking con a little more complex.

 

One's Complement: On Professional Malware (PDF)

The definition of malware (and related terms) has been a problem for the anti-virus research industry for years. With the increasing use of “professional virus” and “professional virus writer,” the problem has the potential to grow, now incorporating what a “professional virus” means to the community as a whole and how both the media and law enforcement interpret this issue. This report examines whether and how the term “professional” can be applied to malware and malware authors.

 

Fork in the Road: Phishing Deeper (PDF)

North Fork Bank is one of many, many organizations that have found their customers targeted by phishers. This report examines a particularly good-looking scam and what it should say to security managers refining mail-based attack strategies.

 

Free Samples: A Trojan on the Job (PDF)

March 2005

Most spyware, if not all, is just another name for a class of malware generally referred to as Trojans. This report examines the ad-revenue-motivated Trojan through a pair of applications that jump onto an unsuspecting user's machine and kick the door open for all their friends.

 

Netsky Anniversary Report: The Secrets of Success (PDF)

February 2005

Really no secret at all, the Netsky worm, crafted by a 17-year-old student, is a study in combining a lot of things we know will be successful but wish weren't. This look at Netsky focuses on what makes it successful and reasons it shouldn't be.

 

Virus Evolution and the Internet (PDF)

December 2004

Does malware evolve? Virus coders learn from previous releases and computer technology improves, both of which provide an author with new tools from which to build malware. In this way, viruses are much more about innovation than evolution. "Virolution" examines whether or not viruses evolve during their lifecycles and the impact they have on the Internet. 

 

Unfections: Examining "Beneficial" Worms (PDF)

November 2004

Can a worm be benign? How about beneficial? Many worms have tried; none have succeeded. This report investigates the debate and specific examples of "anti-virus viruses" that have been found in the wild.

 

Vector Propensities: Your Ad Here (PDF)

September 2004

Discerning common vectors is part of the story, understanding what can be done once a machine is compromised is another, and finding out why is yet another. This report looks at a few recent worm cases and the "for-profit" features included with each of them.

 

Vector List Part 1: Network Worm Vectors 101 (PDF)

The prevalence of Internet worms requires that anyone responsible for network security become familiar with how they operate. Whether it is targeting a specific OS vulnerability, like Blaster, or searching for file shares with no password, like Lovgate, there are common tactics to which no information assurance professional should fall prey.

 

Vector List Part 2: The Human Vector (PDF)

Technical vulnerabilities are often easier to understand and mitigate than social ones. With cultural problems, there are fewer ways to measure strengths and weaknesses, fewer defensive strategies, and less coverage of success stories in the media. This Vector Space report briefs the reader on what holes may be lurking within the user base of their organization and introduces solutions that are developed in the Measuring Success policy document.

 

Copyright © 2005 infectionvectors.com. All rights reserved.