New Wave Hackers Chase Bucks, Not Bragging Rights

Malicious code cases surged in October by over 20 percent, led by a resurgence in Bagle and MyDoom and a continued push by money-hungry hackers who are flooding the Internet with Trojans designed to steal dough, not gain notoriety, said a security firm report released this week.

"What we're seeing is one big new malware cycle," said Joe Hartmann, the director of Trend Micro's North American anti-virus research efforts. "A worm first infects a system, then perhaps downloads an additional infection component like a Trojan horse or a bot, and before you know it, the machine is infected with everything necessary for hacker remote control."

Trend Micro, which is headquartered in Tokyo and known for its PC-cillin anti-virus line, noted that even though October was a relatively quiet month in major outbreaks, it saw a 22 percent jump in new malicious code detected compared to September.

The biggest threats are Trojan horses, backdoors, and backdoor-seeding worms, all of which are released into the wild by for-profit hackers with money on their minds, said Hartmann.


The total number of Trojans spotted by Trend Micro in October was up 30 percent over September, with the category now accounting for nearly half (47 percent) of all malware. (That percentage is also up over September, said Trend Micro, by two percent.) Coupled with backdoors, which are basically remote access Trojans, the two made up almost 65 percent of all detected malware.

It's proof, said Hartmann, that hackers are assembling ever bigger bot networks that they can then turn into profit-making machines.

"It's all profit driven now," he said. "Before, hacking used to be like digital graffiti. Once a machine was infected, that was it. But now the purpose of infecting systems is to recruit this big zombie army, then use it to steal confidential information or rent it to spammers or use it to deliver pop-up advertisements."

On the worm side of the coin, the top two for the month were long-time list inhabitants Netsky.p and Zafi.b. But it was the departure of Sasser from its number one ranking that was among the big news of the month, said Trend Micro. Sasser's vanishing act -- it disappeared from the top 10 list -- may mean that most systems have finally been patched against the Windows vulnerability that Sasser exploited. The LSASS vulnerability that Sasser used to infect Windows machines was first disclosed in April 2004.

"After spending three months at the top of the list of the most notorious malware, Sasser seems to have slowed down its onslaught," Trend Micro's report read.

Another trend shown by Trend Micro's numbers was a steady decline of the pernicious Netsky worm family, which has plagued computer users since February. But malicious attacks like Netsky -- and Zafi, too, since it also uses the same tactic of enticing users to open e-mail attachments -- won't go away.

"It'll be a long time before computer users learn not to inflict damage on their own computer systems by opening attachments on unsolicited email messages," wrote Eric Avena, the author of the report.

In fact, Netsky rebounded a bit in October; for the first time since April, the number of infections climbed.

Also contributing to the spike in malware code cases detected in October was a comeback of sorts by MyDoom and Bagle, particularly the latter. During October, 13 new variants of Bagle were unleashed.

Trend Micro also correctly predicted that another major outbreak of the long-lasting Bagle was likely. "The last medium risk outbreak was on August 31," wrote Avena in his report, which covered data through October 25. "With the fact that at least one alert was called in six of the last ten months, another Bagle outbreak is hovering not too far ahead."

That outbreak opened last Friday, October 29, when a trio of Bagle variants hit the Internet, affecting home users the most.