Malware authors continue showing their creativity, with new viruses making the rounds by targeting Craigslist fans and AutoCAD users.
One of the new attacks is being spread by malicious links in spam purporting to be a message from Craigslist about a car sale, Mary Mizrahi, product marketing manager at antivirus firm Red Condor, told InternetNews.com.
The virus also escaped detection by a number of AV outfits, she added.
“When we detected it, only 13 of 41 antivirus companies had detected it as a virus,” she said. “It takes companies a while to update their patterns. We’re more able to quickly update patterns.”
Other viruses are attacking AutoCAD, raising eyebrows simply because there are so few viruses written for the software. One such virus surfaced last month, followed by a second last week.
That could spell trouble, considering that AutoCAD security isn’t always in the headlines.
“The last time Sophos wrote about AutoCAD malware was over two years ago,” Sophos security expert Graham Cluley wrote in his blog. “The typical AutoCAD user doesn’t place much importance in considering the security implications of what they’re doing and the script they’re running — which could lead to an unfortunate infection if you were unlucky enough to be in the firing line.”
The news points to the wide variety of viruses plaguing the industry — more than ever before, experts have said. Symantec recently reported that it expects to issue 2.5 million virus signatures covering 120 million threats this year, up from 1,500 signatures in 2000.
Complicating matters for the good guys is that viruses live for an ever-shorter amount of time, making it tough to identify and target a threat before it evolves into a different form.
“The trend was that a few years ago, viruses would last for about a week on average,” Sean-Paul Correll, a threat researcher at Panda Security, told InternetNews.com.
Panda Security said in a statement that many now last less than 24 hours.
And the quantity of viruses in the wild will only increase, Correll said. That’s because criminals find profit in unleashing a fire hose of malware.
“Criminals see a better bottom line with more files,” Correll said, adding that there are more viruses because the malware writers have automated the creation of virus variants. “They are releasing polymorphic engines to distribute a massive number of unique samples … They hope to subvert antivirus lab technology by releasing a large number of samples.”
Some criminals are even specializing in manufacturing the variants.
“Some criminals are selling a morphing service. They say, ‘give me an executable file and I’ll give you a thousand copies of it,’” Correll said.
He added that they also have tools to make spamming through botnets easy, borrowing from the design cues of popular consumer Web software like Google’s Gmail.
“They’re managing their networks like Gmail, except that instead of tracking e-mails, they’re tracking infected machines and instead of clicking ‘Forward’ to reply, they click a button to sip data or launch a denial-of-service attack,” he said.
Life’s tougher in the antivirus lab
In response to the automated creation of malware, antivirus outfits are bringing automated detection and analysis of malware to the lab.
“We can do an analysis in under 40 seconds using automated tools,” Peter Beardmore, senior product marketing manager at Kaspersky Lab, told InternetNews.com. “We analyze attributes and deliver URLs, hashes of files, or update heuristics.”
Beardmore added that Kaspersky Lab has also seen a large increase in viruses. “We’re now using signatures to deal with classes of malware, not just individual malware samples,” he said.
Signatures, however, are not dead as a tactic; they just need to be used differently.
For instance, Symantec and Kaspersky Lab are using signatures against classes of threats instead of against individual threats.
Although Panda Security’s Correll agreed that it will one day be necessary to abandon signatures if the trends continue, he said that using them to go after classes of threats is the best practice today.
“It’s too soon to abandon the use of signature files,” he said.
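The morphing service Correll describes and the class-of-malware signatures Kaspersky Lab and Symantec describe are two sides of the same problem, and the contrast is easy to show in code. The example below is an added illustration written for this page; it is not code from the article, from Panda Security, Kaspersky Lab or Symantec, and it models no real malware. It assumes a constructed toy file layout (a marker byte string, a one-byte XOR key, a two-byte length and the encrypted body, surrounded by random junk); a stand-in payload string; and a hypothetical family marker. A morphing routine produces variants that are byte-unique, so a per-sample hash signature only ever matches the copies the lab has already seen, while a class signature that locates the decoder stub, recovers the key and checks the decrypted body for an invariant string matches every variant.

```python
import hashlib
import random
import re

# Everything here is a constructed toy, not a real sample or a real AV engine.
# One invariant payload "core" stands in for a malware family; morph() plays the
# "give me an executable and I'll give you a thousand copies" service.
PAYLOAD_CORE = b"connect-c2;harvest-credentials;exfiltrate"
FAMILY_MARKER = b"harvest-credentials"   # invariant the class signature looks for (assumed)
STUB_MAGIC = b"\x7fSTUB"                 # assumed marker for the toy decoder stub


def morph(core: bytes, rng: random.Random) -> bytes:
    """Produce one byte-unique variant: XOR the core with a fresh single-byte key
    and surround it with random junk. Toy layout:
    junk | STUB_MAGIC | key (1 byte) | body length (2 bytes, big-endian) | body | junk"""
    key = rng.randrange(1, 256)           # key 0 would leave the core in clear
    body = bytes(b ^ key for b in core)
    front = bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 64)))
    back = bytes(rng.getrandbits(8) for _ in range(rng.randint(8, 64)))
    return front + STUB_MAGIC + bytes([key]) + len(body).to_bytes(2, "big") + body + back


def make_variants(count: int, seed: int) -> list[bytes]:
    rng = random.Random(seed)
    return [morph(PAYLOAD_CORE, rng) for _ in range(count)]


# --- Detector 1: one signature per sample (hash of the whole file) ----------

def per_sample_detector(known_samples: list[bytes]):
    known = {hashlib.sha256(s).digest() for s in known_samples}
    return lambda sample: hashlib.sha256(sample).digest() in known


# --- Detector 2: one signature per class (generic unpacking + invariant) -----

# Wildcard pattern for the stub: the key byte and the length are allowed to vary.
STUB_RE = re.compile(re.escape(STUB_MAGIC) + rb"(.)(..)", re.DOTALL)


def generic_unpack(sample: bytes):
    """Find every decoder stub, recover its key and length, and yield the
    decrypted body. This is the "emulate the unpacker" idea behind class signatures."""
    for m in STUB_RE.finditer(sample):
        key = m.group(1)[0]
        length = int.from_bytes(m.group(2), "big")
        body = sample[m.end():m.end() + length]
        if len(body) == length:
            yield bytes(b ^ key for b in body)


def class_detector(sample: bytes) -> bool:
    """Match the family, not the file: the invariant must appear after unpacking."""
    return any(FAMILY_MARKER in plain for plain in generic_unpack(sample))


def evaluate(seen: int = 20, unseen: int = 1000, seed: int = 1) -> dict:
    """Train the hash detector on `seen` variants, then test both detectors on
    `unseen` fresh variants from the same morphing routine."""
    train = make_variants(seen, seed)
    test = make_variants(unseen, seed + 1)
    by_hash = per_sample_detector(train)
    return {
        "unique_hashes": len({hashlib.sha256(s).digest() for s in train + test}),
        "per_sample_on_seen": sum(map(by_hash, train)),
        "per_sample_on_unseen": sum(map(by_hash, test)),
        "class_on_unseen": sum(map(class_detector, test)),
        "class_on_benign": int(class_detector(b"plain text with no stub at all")),
    }


if __name__ == "__main__":
    print(evaluate())
```

Two practical points follow from the design. A signature on the stub pattern alone would catch every file that uses the same packer, benign software included, so the class detector only fires when the invariant survives unpacking. And the per-sample detector is not useless: it is exact and cheap, which is why the vendors quoted above still ship hashes alongside class signatures rather than abandoning them.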