Malware in Popular NetworksDmitry O. Gryaznov

The Big Change

► Mostly viruses, few trojans

► Obvious destructive or annoying payload

► Mischief and vandalism

► Nothing gained but “glory”

► Mostly non-replicating malware

► Trying to stay inconspicuous

► Theft and control

► Monetary gains

Then Now

Malware “Highways”

► E-mail

► Usenet

► Internet Relay Chat (IRC)

► Peer-to-peer (P2P)

► Instant Messaging (IM)

Usenet

► Since early 1980s

► Over 100,000 newsgroups

► Millions of users

► Over 2 Terabytes daily

► Mostly binaries – video, audio, software

Top Ten Malware Detections in Usenet in 2005

BackDoor-AZV 46963

W32/Spybot.worm.gen.b 4876

BackDoor-CQZ 1381

W32/Swen@MM 283

W32/Torvil@MM 192

MultiDropper-DC 183

W32/Kelvir.worm.gen 75

W32/Netsky.p@MM 75

BackDoor-ACH 72

BackDoor-Sub7.svr 44

Internet Relay Chat (IRC)

► Since early 1990s

► Dozens of networks (EFNet, DALnet, Undernet, etc.)

► Millions of users

► Direct file spamming (via DCC Send)

► URL spamming (via text messages)

► Used by numerous malwares even when no IRC software was ever installed by user

Top Ten Malware Detections in IRC in 2005

W32/Drefir.worm 453

IRC/Flood 319

VBS/Redlof@MM 224

IRC-Contact 224

VBS/Gedza 143

Downloader-TS 107

BackDoor-JZ 71

W32/Pate.b 42

W32/Jeefo 40

Nuke-Vai 40

Peer-to-peer networks (P2P)

► File sharing: movies, music, software

► Numerous networks (Kazaa, eDonkey, BitTorrent, Gnutella, etc.)

► Millions of users

► “Bridging” between different networks

Top Ten Malware detections in Gnutella in 2005

Downloader-TS 7540

W32/Tibick!p2p 1764

W32/Generic.d!p2p 1597

W32/Sndc.worm!p2p 1438

VBS/Gedza 1029

W32/Bagle.aa@MM 784

Exploit-MS04-028 757

W32/Pate.b 649

W32/Sdbot.Worm.gen 566

W32/Bagle.n@MM 535

Questions?