Beware of slow and quick viruses

13 June 2007

When the Internet had only barely begun, the only way of spreading viruses was via floppy disks. This is a very slow means of propagation, particularly in comparison to the speed at which viruses spread nowadays. To get an idea, the infamous ‘Friday 13’ virus (whose name originates from the day in which it deleted all .exe files on computers) took a long time to spread, and was infecting computers for several years.

In the past, when virus creators planned to create a malicious code, they estimated the time needed for it to spread and established a date that alluded to something or a date they liked. In addition to ‘Friday 13’, there were others such as, ‘April 1st’, ‘Christmas’, ‘14July’ or ‘July 13th'. There are also some viruses that without mentioning a date, are activated on a specific day, such as Michelangelo (March 6) or CIH/Chernobyl (April 26). The virus therefore had ‘latency time’ in which it did not affect computers, it simply reproduced itself in as many computers as possible, waiting for the key date.

The situation has changed considerably. Virus creators use two different time scales: ‘slow’ and ‘quick’ viruses.

The ‘slow’ viruses try to spread silently, without being detected. They can do it through targeted attacks (to a single person or company) or through downloads carried out by other previously installed malicious codes (bots, Trojans). These viruses try not to display messages or screens or do anything to reveal their presence.

They can go unnoticed by a security company for a long time. This is due to two factors: on the one hand, they are not evident and on the other, if the malware has been downloaded by a previously installed code, it means users lack protection tools or that the tools are inadequate.

The ‘quick’ malicious codes, however, are a type of computer ‘suicide bomber’: they search for quick propagation on as many computers as possible. Then, they usually steal some kind of password or confidential data for financial gain.

They are not too concerned about being quickly detected, since the attack will have been launched to hundreds of thousands or millions of systems, generally through a spam-type message.

They resemble primitive viruses in their search for a special date to launch the code. In the same way that Michelangelo waited for March 6, hackers look for events that prompt the user into opening the message.

A good example is the Pirabbean.A Trojan, which was sent massively by email at the end of May. The message offered the possibility of viewing the Pirates of the Caribbean trailer. Did the author care much about it being too obvious? No. Could it quickly be detected by antivirus companies? Yes. Is propagation effective? Definitely.

Users who suspect, or who have security measures which proactively detect the Trojan do not count. Those computers are discarded, since the Trojan cannot reach them. However, users who do not suspect or whose antivirus does not detect the danger could be infected. It doesn’t matter whether the number is low. With only one in a thousand, sending the message to three million email addresses (cost: around 50 dollars per list) would infect three thousand computers.

If a few days later, the Trojan were detected by more companies, half of them would probably eliminate it, leaving the figure of infected computers slightly over a thousand. A thousand email addresses to send spam to, a thousand user names and passwords to access bank accounts, a thousand computers from which to carry out illegal actions. All that for only 50 dollars.

Hackers have enough malicious codes to launch suicide attacks when they want. Are the elections close? Is Christmas approaching? These situations are exploited to tempt users into opening the message. It doesn’t matter if the number of users fooled is minimal, you only have to increase the amount of addresses it is sent to.