know the threat. block the vector. stop the worm.

vector spaces is devoted to reports on specific virus and anti-virus issues.



Latest features in each category below, or see the library for everything.

 

Malware Reports - infectionvectors.com malicious code features

 

Hippocratic Oath: Good Attacks Revisited (PDF)

Chaser: A Year of JP Morgan Chase Phish PDF

Final Dispatch: Postcard Scams 2007 PDF

Sharing the Unverifiable: Prediction Exchange PDF

Net Demographics PDF

Evening the Score PDF

Years of the Beagle Compilation & Updates (Parts 1-5) PDF*

 

Trend Analysis - the direction of the virus and anti-virus community

 

Exchange Rate: Privacy Data (PDF)

Just in Time: Microsoft's Time to Exploit for September - December 2005 (PDF)

Holiday Scheming: Phishing and Cyber Monday (PDF)

Digital Casing and the Modern Worm (PDF)

Just in Time: Microsoft's Time to Exploit for May - August 2005 (PDF)

One's Complement: On Professional Malware (PDF)

 

Community Issues - the forces at work within and against viruses

 

Retest: Cutting Malware Losses (PDF)

Taxable Income: US Tax Scamming (PDF)

Not Security Related: Classifying Fixes and the Discipline (PDF)

Arrest-tob: Zotob Authors Captured (PDF)

Disposable Victory: Dumping Infected PCs for New Ones (PDF)

Poison Ivy Farmers: Virus Collectors & Collections (PDF)

 


Available infectionvectors Features:

 

Agobot and the "Kit"chen Sink PDF

Agobot has plagued an uncountable number of machines, turning them into just another zombie in someone's bot net. It makes a fascinating study not only because of its remarkable success and feature set, but also due to its public availability. 

 

This paper evaluates the threat of Agobot-derived variants by examining the development of the virus, the release of the source code, and a few of the specific iterations. This analysis places the Agobot code in the category of “virus kit.” From this categorization, Agobot is presented as possibly the most successful kit virus in history, not because of the sheer number of variants or hosts it has infected, but because of the adjustments in virus defense it has required.

 

Arrest-tob: Zotob Authors Captured (PDF)

The authors of 2005's most famous worm were picked up by Moroccan and Turkish authorities in late August 2005, just weeks after the launch of the malware. The pair was also immediately linked to Mytob, Rbot, and possibly other pieces of malicious code.

 

Automatic Startup for Windows-based Viruses PDF

July 2004

Throughout the articles on infection vectors and elsewhere, there are quite a few references to "automatic startup" routines that viruses employ to ensure they load with the operating system. This review of the common ways to accomplish this within Microsoft Windows products provides not only a glimpse of virus-writing tactics, but also a starting point for checking a machine for infection in the absence of anti-virus software or signature updates.

 

Awareness Training

October 2004

Sample presentations and papers promoting the use of virus awareness programs.

 

Chaser: A Year of JP Morgan Chase Scams (PDF)

March 2007

infectionvectors.com followed the phishing trail of a single company, JP Morgan Chase, for one year with one box: a total of 71 phishing attempts to a single mailbox. The resulting analysis covers the nature of the scams, the ways Chase is attempting to stop them, and what may become a new trend in Internet crime. A unique look at what every modern business must endure to maintain a web presence.

 

China, Cotton, and Bagles: Beagle Worm's Second Anniversary (PDF)

The Beagle worm, with a professional ethic to rival many legitimate software outfits, has defied the odds and remains in business after two full years. The Beagle worm and its related malware have been infecting machines, harvesting personal data, and making revenue (if not a healthy profit) for its authors. This report continues the previous research and analyzes the releases since May of 2005. Specifically, this portion of the paper focuses on release trends with the worm.

 

Complete Year of the Beagle (PDF Only)

All three of the original reports plus a supplement with updates on the latest Beagle-related malware are available as a single, currently 100-page PDF.

 

Year of the Beagle: Beagle History Part III (PDF)

In the last part of the Beagle History trilogy the "business of Beagle" is explored: from the spam relays through targeted attacks that attempt to lift bank account data from unknowing users. Part III begins with the development of the worm's latest iterations and then examines Beagle's widespread success and the means by which it can generate tremendous profit for its authors.

 

Beagle Lessons 2 (PDF)

Submitted to the SecurityFocus.com library, the second part of the Beagle Lessons paper is now available after requests from multiple readers. This report examines the history from April 21, 2004 until August 30, 2004, an explosively successful period for the Beagle worm. Beagle continues to compromise boxes around the world, creating an ever-growing drone network at the code author's disposal. Lessons 2 looks at the impact of the Beagle worm since its creation and what may be ahead. Also available at SecurityFocus.com.

 

Beagle Lessons (PDF) 

The success of the Beagle worm is largely founded in the author's dedication to constantly improving his/her product. This detailed report examines the first three months of Beagle's development, the great success it has achieved, and what it means for Internet users and security professionals everywhere. Also available at SecurityFocus.com.

 

Digital Casing and the Modern Worm (PDF)

In the olden days of the Internet, the stereotypical attack involved a long, intense research session. The attacker would pore over every detail available about the target, from selection through personnel issues. Not so with the modern worm: these fully automated attacks do not require a lot of research on the target side, as they are about volume, not precision. This report examines why this trend has developed and what changes are likely.

 

Final Dispatch: Postcard Scams 2007 (PDF)

April 2007

Still one of the most popular topics submitted to infectionvectors.com for support, the postcard scam rolls into another year with a familiar subject, more familiar payload, and no signs of stopping. 

 

Shoot the Messenger: IM Worms (PDF)

Instant Messaging (IM) has rapidly gained popularity, making it an attractive medium for malware coders. However, without the universal interoperation of email, instant messaging worms have so far been much slower to propagate and gain widespread success compared to their SMTP-based cousins. As such, the amount of attention (and development) they have received from malware authors is significantly less than the mass mailer worms. Nonetheless, IM-based malware is a threat to all organizations and should be addressed by both policy and technical safeguards. IM-founded malware carries the same potential for compromising data as any other malcode (and has adopted the tactics of more successful varieties exceptionally quickly). This paper examines the development and importance of IM worms.

 

Holiday Scheming: Phishing and Cyber Monday (PDF)

Just after the hype of "Cyber Monday" (a supposed sharp rise in Web-based sales after Thanksgiving in the US), two pieces of scam-mail caught the attention of the author. This article looks at the trends in Internet sales, the profits behind them, and their illicit counterparts.

 

The Mytob Infantry: Balancing the Malware Equation (PDF)

Every malware author has to decide what their particular marketing strategy is going to be, which is especially true for professional coders hoping to cash in on their creation. Mytob, a combination of the mass mailer MyDoom and the IRC bot SdBot, takes its own special path to that end. The worm and its overall infection strategy, not just its infection vectors, are examined in this report.

 

One's Complement: On Professional Malware (PDF)

The definition of malware (and related terms) has been a problem for the anti-virus research industry for years. With the increasing use of “professional virus” and “professional virus writer,” the problem has the potential to grow, now incorporating what a “professional virus” means to the community as a whole and how both the media and law enforcement interpret this issue. This report examines whether and how the term “professional” can be applied to malware and malware authors.

 

Poison Ivy Farmers: Virus Collectors & Collections (PDF)

Danger is cool. Pet scorpions, rattlesnakes, and computer viruses fit the bill for different groups. This report looks at the hobbyist collector and the issues surrounding publicly available collections.

 

Disposable Victory: Dumping Infected PCs (PDF)

Based on stories of home Internet users that are replacing infected PCs instead of attempting to clean them, this report examines the issues surrounding the tactic of fighting spyware by ditching the compromised machine altogether.

 

May I Help You: The Search Assistants (PDF)

Spyware and its somewhat more innocuous cousin, adware, frustrate computer users in every country. This report looks at the aggressive tactics these threats employ in their quest to "win" customers by any means necessary. Two well-known "application suites" are used as examples.

 

Shell Game: Deutsche Bank Phishing Attempts (PDF)

The refinement of phishing tactics, no matter how subtle, is always of interest. This report examines one such "refinement," the use of hyperlink sleight-of-hand to make a very simple-looking con a little more complex.

 

Fork in the Road: Phishing Deeper (PDF)

North Fork Bank is one of many, many organizations that have found their customers targeted by phishers. This report examines a particularly good-looking scam and what it should say to security managers refining mail-based attack defenses.

 

Phishing Lures  PDF

The business of malware is examined in many reports across infectionvectors.com; this one takes a peek at the high-volume world of email/phony-site cons, otherwise affectionately known as phishing. Examined via one popular tactic, a Trojan known as Blinder, this article briefly illustrates the breadth of email scams.

 

Phishing Trip Part 3: Liability (PDF)

Where does the corporate responsibility to protect consumers end? Where does it even begin? This report looks at current liability issues, the trends in phishing that shape it, and how advances in online fraud may affect Internet-based commerce.

 

Phishing Trip Part 2: Phishing Defense (PDF)

Every organization has a responsibility to protect users from fraud, whether it's the largest online bank or a family with a single PC. This follow-up report takes a peek at a few tools that can help defend a user against the ever-improving phishing attacks, and the best tool of all: education.

 

Phishing Trip Part 1: Washington Mutual (PDF)

Email fraud, aka phishing, affects nearly every Internet user. Scammers are using more and more tricks to entice victims into turning over sensitive personal data. Information is the best weapon against these criminals as the tactics and tools they use change rapidly. This report provides a framework for identifying scams by looking at examples that target Washington Mutual account holders. From here, information assurance groups (and concerned individuals) can begin educating their users.

 

Based on additional unique samples received just after publication, a special Addendum was added to the web only, as was the final chapter Back Again. Both of these entries examine unique pieces of the WaMu-based scams since the report.

 

Phishing Trip Part 0: Email-Based Crime (PDF)

The general distrust of email warnings is well-founded: mass mailings went from nuisance to international crime effort in an instant. Today email-borne fraud and malware distribution is one of the most common occurrences on the Internet, one that threatens e-commerce and every home web surfer with the ever-profitable business of compromising computers and stealing personal data. This paper examines the nature of email-based crime and details a few specific examples of existing threats.

 

Just In Time: Microsoft's Time to Exploit, January - April 2005 (PDF)

Part 2: May - August 2005 (PDF)

Part 3: September - December (PDF)

This brief review of malware in the first four months of 2005 focuses on the time from the release of a vulnerability to the time public exploit code and malware is available. This issue received a great deal of attention after Blaster, and has been the impetus behind large-scale patch management solutions. The report considers the idea that 2005's first batch of malware has been of a "passive" nature, waiting for victims instead of seeking them out. Part 2 examines the next third of the year, May through August; Part 3 reviews the last third of the year and how 2005 went overall.

 

Free Samples: A Trojan on the Job PDF

March 2005

Most spyware, if not all, is just another name for a class of malware generally referred to as Trojans. This report examines the ad-revenue-motivated Trojan through a pair of applications that jump onto an unsuspecting user's machine and kick the door open for all their friends.

 

Taxable Income: US Tax Scamming (PDF)

The IRS warns taxpayers every year about the scam efforts of criminals impersonating the government revenue collectors. Like all phishing efforts, the crimes are easy to perpetrate and quick to distribute. This report looks at one particular scam which surfaced on servers all around the world.

 

Retest: Rootkits, Reckoning, & Rutkowska (PDF)

August 2007

The debate over rootkit detection methods came to a boil in the summer of 2007, thanks to the work of Joanna Rutkowska at invisiblethingslab and her Blue Pill. More importantly, her work has put a spotlight on the things that the Internet community can do to take the momentum away from (indeed, possibly win the battle against) malware authors. 

 

Lessons from Infections

October 2004

infectionvectors.com writer on SecurityFocus with an Infocus article discussing what opportunities exist for security professionals when a virus hits the network.

 

Netsky Anniversary Report: The Secrets of Success PDF

February 2005

Really no secret at all, the Netsky worm, crafted by a 17-year-old student, is a study in combining a lot of things we know will be successful, but wish they weren't. This look at Netsky focuses on what makes it successful and the reasons it shouldn't be.

 

Securing Virus Code PDF

Much different from "secure coding," many viruses are packaged in ways that make it impossible for non-professionals to examine what they try to accomplish. Even many pros are slowed down by the encryption and compression tricks coders employ. The super virus of the future may simply be a worm that cannot be disassembled, not one with a radical new infection routine. This short paper takes a look at what coders do and why they do it.

 

Unfections: Examining "Beneficial" Worms PDF

November 2004

Can a worm be benign? How about beneficial? Many worms have tried, none have succeeded. This report investigates the debate and specific examples of "anti-virus viruses" that have been found in the wild.

 

Virus Evolution and the Internet PDF

December 2004

Does malware evolve? Virus coders learn from previous releases and computer technology improves, both of which provide an author with new tools from which to build malware. In this way, viruses are much more about innovation than evolution. "Virolution" examines whether or not viruses evolve during their lifecycles and the impact they have on the Internet. 

 

Vector List Part 1: Network Worm Vectors 101 PDF

The prevalence of Internet worms requires that anyone responsible for network security become familiar with how they operate. Whether it is targeting a specific OS vulnerability, like Blaster, or searching for file shares with no password, like Lovgate, there are common tactics to which no information assurance professional should fall prey.

 

Vector List Part 2: The Human Vector PDF

Technical vulnerabilities are often easier to understand and mitigate than social ones. With cultural problems, there are fewer ways to measure strengths and weaknesses, fewer defensive strategies, and less coverage of success stories in the media. This Vector Space report briefs the reader on what holes may be lurking within the user base of their organization and introduces solutions that are developed in the Measuring Success policy document.

 

Vector Report 2005 PDF

The year saw successes in the form of email worms, just like 2004 and probably just like 2006. This report looks at last year's predictions, the successful malware of 2005, and what may come next.

 

Vector Propensities: Your Ad Here PDF

September 2004

Discerning common vectors is part of the story, understanding what can be done once a machine is compromised is another, and finding out why is yet another. This report looks at a few recent worm cases and the "for-profit" features included with each of them.

 

Virus Liability PDF

Is there any hope for restitution from a virus coder? With the growing number of high-profile arrests in 2004, maybe we'll find out. 

 

When an automated virus (worm) breaks into a number of machines and wreaks havoc, what price should the virus author pay? With the growing number of arrests this year, that question will probably be asked quite a bit. This article looks at a few viruses and alleged authors, and asks whether there is any liability for virus writers beyond the code they compile and/or actively distribute.

 

Copyright © 2008 infectionvectors.com. All rights reserved.