Security threats Toolkit

Virus writers get stealthy

Dan Ilet ZDNet.co.uk

Published: 18 Mar 2005 15:20 GMT

Security researchers have warned that sudden impact viruses, such as the Slammer worm, which cause immediate widespread damage to IT systems are being superseded by slow-burning worms where the focus is on avoiding detection.

According to F-Secure, virus writers are putting more time into making their viruses stealthy in an attempt to sneak them past antivirus software. Malware authors, many of whom now use viruses as a way of making money, are regularly testing their viruses against antivirus packages, said Mikko Hyppönen, director of antivirus research for F-Secure.

"Because virus writers make money from viruses they can test them to a professional level," said Hyppönen. "None of the existing antivirus programs will find these viruses. You can't see anything in the registry, which makes them hard to detect. They try to hide their processes."

Slammer managed to infect 90 percent of vulnerable hosts within 10 minutes of being released as it raced around the Web, disrupting IT networks worldwide. But because the worm caused such damage, most IT staff were quick to patch against it.

Hyppönen said that no one has seen a really hard-hitting worm since May last year and believes this is because virus writers have changed their approach. Many new viruses attempt to install key loggers that can record passwords and personal details, according to Hyppönen, so by attracting less attention the viruses should be more successful.

Mass-mailing worms Bagle, Sober and Netsky all created or manipulated botnets — thousands of compromised computers networked, typically for malicious use. Hyppönen said that so far no slow-burning worms have been found to have this capability.