Security Worms

Top Viruses, Worms and Malware in 2006

Posted by Zonk
from the and-the-losers-are dept.
An anonymous reader writes "HNS is running an article with a list of those malicious codes which, although they may not have caused serious epidemics, stood out in one way or another. Some of the categories are: the biggest snooper, the most moralistic, the worst job applicant and the most tenacious. From the article: 'The most competitive. Once the Popuper spyware has installed itself on a computer, it runs a pirate version of a well-known antivirus application. Far from trying to do the user a favour, it is actually trying to eliminate any possible rival from the computer. It seems that the fight for supremacy has also reached the world of Internet threats.'"
  • by Anonymous Coward
    Or will we have to wait for next year's list to see our new friend Toddy [wikipedia.org] included? :-)
  • by Anonymous Coward
    None of which affected me simply because I chose to run linux. When will the rest of the world catch on... *sigh*
    • Re: (Score:2, Informative)

      by CapitalT (987101)
      From TFA:
      -The most promiscuous. This title goes without doubt to Gatt.A. This malicious code can infect any platform that it is run on: Windows, Linux, etc.
    • by Klaidas (981300) on Saturday December 23, 2006 @08:46AM (#17347588)
      Well, you see, there are viruses for linux. However, they don't spread a lot (because if someone uses linux, he has enough knowledge not to open an attachment/install an unknown file.)
      And well, saying that Windows is bad because almost all viruses are designed for them is like saying that houses are bad, because thieves might try to break in...
      • by Porchroof (726270)
        Finally. Some wisdom on this forum.
        • Where?

          (And for the slashdot lamo-slow-the-cowboy-down routine I TYPE SLOWLY YOU INSENSITIVE CLOD!)

      • by LainTouko (926420) on Saturday December 23, 2006 @09:39AM (#17347728)
        Well, that's only part of the truth. There are three reasons why Linux viruses don't get around like Windows viruses; better security, lower population (also encompasses the lack of monoculture in network applications), and more careful users. And none of those reasons is the "real reason", they work in combination with each other to make the difference really really big.
        • by Raideen (975130)
          Also, an executable sent via e-mail can't be executed until the user saves it to the HD and then makes it executable.
      • Re: (Score:3, Insightful)

        by vtcodger (957785)
        ***And well, saying that Windows is bad because almost all viruses are designed for them is like saying that houses are bad, because thieves might try to break in...***

        No, Windows is a target because it is widely used and vulnerable.

        Windows is bad because there are so many obscure ways to hide malware and restart it on subsequent boots.

      • Re: (Score:3, Insightful)

        by the_bard17 (626642)
        Bad analogy. This is more like saying that your wooden house is bad, since it's very susceptible to fire.

        My stone house, on the other hand, is not very susceptible to fire. That means it's better.

        *Notice that I'm conveniently ignoring how difficult it is to run anything through the walls, compared to that wooden house, in addition to how cold the stones get during the winter (and the subsequent lack of insulation), etc.*
      • by NorbrookC (674063)

        However, they don't spread a lot (because if someone uses linux, he has enough knowledge not to open an attachment/install an unknown file.)

        Well, one *hopes* they have that! That practice has been a mainstay since the first viruses cropped up. However, believing that you're safe because you're running Linux, without following good practices is pretty dumb too. The first time someone's running as root and downloads an untrustworthy file...

        Yes, it's harder to get viruses in Linux, and the ones that a

        • by bmo (77928) on Saturday December 23, 2006 @03:34PM (#17349160)
          "The first time someone's running as root and downloads an untrustworthy file..."

          But that's not really an issue is it? What Linux distribution has the default user as Root these days? In fact, it's more difficult to run as root in some distributions instead of as a normal user, in that the "root account" is never enabled. Attempt to login to (X,K,Ed)Ubuntu as root at the login screen and it won't work.

          How to get a Windows computer infected:

          Connect to the 'net without a firewall or run IE and visit a bad page. Or, run OE (interesting that Outlook Express has the same initials as "Operator Error") for your mail. Or run p2p software and download a "song" that doesn't play (but is instead an executable file). In fact, I've got a friend whose daughter did exactly the latter, and I'm going to fix it after the weekend. I'm beginning to think that these days, that's the most common vector of infection, as I see it time and time again.

          Windows gives execute permission based on the file name extension. For this utterly stupid idea held over from the frickin' CP/M days, users are being hosed left, right, up, and down. This bogosity should have died with Windows 3.1 or at least after Bill Gates discovered the 'net and put out Win98. However, the concept is still with us in Vista, so techs everywhere are going to be guaranteed a paycheck for at least the next 5 years.

          How to infect a Unix or Linux machine:

          Automatically through mail? Impossible to do without user interaction, since everything that comes down the pipe doesn't have the execute bits turned on. Anyone who writes an MUA that does that automatically will be taken out back and hit with the clue bat.

          Visit a web page? There's no such thing as a drive-by install. The user has to download the file and manually set the execute bits high again, through chmod or by right-clicking on the file.

          Use p2p? Everything downloaded has no execute bit. What data file _ever_ deserves an execute bit? Indeed, I have yet to ever receive a file from the wire that has execute bits turned on except when they're contained within an installation package, and for that to work, I need to pause and use root permission if it's an install for the whole machine and I still have to unpack it even if it's going in my home directory.

          In fact, the simple act of user interaction, even if it's the typing of the current user's password (OS/X) prevents a whole lot of evil. It's that short pause that gives the user the chance to _think_, if even for half a second, and say _no_ to random malware. If you're a malware writer and you give your victims the chance to think, your bit of evil goes nowhere. There are only so many times that people are going to install a fucking purple gorilla.

          This ignores the population that will run silly "cupholder" executables and trojan filled "free screensavers," at every opportunity whether in Linux, Unix, or Windows, but then real stupidity trumps artificial intelligence every time. You can only do so much if a user is determined to blow each toe off his foot with a .44 one by one.

          If this means that Unix and Linux are more difficult, (as if typing the current user's password is complex) so bloody what? It's damn inconvenient when a computer gets infected, isn't it?

          --
          BMO
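
The execute-bit behaviour described in the comment above, as an added example that is not part of the post: a file saved with a plain `open()` gets no execute bit, and an audit of a download directory reports only files that were deliberately made executable. The file name and payload are constructed, and the classification by the first bytes of the file is an illustrative choice.

```python
import os
import stat
import tempfile

def save_attachment(directory, filename, payload):
    """Save bytes the way a mail client or browser does: create the file with
    mode 0666 minus the umask. No execute bit is requested, so none is set."""
    path = os.path.join(directory, os.path.basename(filename))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return path

def kind(path):
    """Classify by content rather than by name: ELF binary, '#!' script or data."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == b"\x7fELF":
        return "elf"
    return "script" if head[:2] == b"#!" else "data"

def audit(directory):
    """Return [(name, octal mode, kind)] for regular files carrying an execute bit."""
    flagged = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
        if mode & 0o111:
            flagged.append((entry.name, oct(mode), kind(entry.path)))
    return flagged

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed, harmless payload whose name is meant to look like a song.
        p = save_attachment(d, "song.mp3", b"#!/bin/sh\necho hello\n")
        before = audit(d)  # freshly saved: nothing is executable
        # The deliberate user step the comment refers to (chmod u+x).
        os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
        after = audit(d)   # now reported, and identified as a script
    return before, after

if __name__ == "__main__":
    print(demo())
```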
          • Re: (Score:3, Interesting)

            by spectecjr (31235)
            How to infect a Unix or Linux machine:

            Automatically through mail? Impossible to do without user interaction, since everything that comes down the pipe doesn't have the execute bits turned on. Anyone who writes an MUA that does that automatically will be taken out back and hit with the clue bat.


            Unless there's a bug in your libpng implementation, and your MUA automatically displays images.
            • by bmo (77928)
              "Unless there's a bug in your libpng implementation, and your MUA automatically displays images."

              Apples. Oranges.

              The former is a design decision - to consciously give execute permission to email content. The latter is a bug. Please learn the difference between the two.

              Bad troll. No cookie.

              --
              BMO
              • by spectecjr (31235)
                The former is a design decision - to consciously give execute permission to email content. The latter is a bug. Please learn the difference between the two.

                I know the difference between the two. You said, however:

                How to infect a Unix or Linux machine:

                Automatically through mail? Impossible to do without user interaction, since everything that comes down the pipe doesn't have the execute bits turned on.


                Which is patently false.
          • by NorbrookC (674063)

            This ignores the population that will run silly "cupholder" executables and trojan filled "free screensavers," at every opportunity whether in Linux, Unix, or Windows, but then real stupidity trumps artificial intelligence every time.

            Which was my point. I cringe every time that someone says "I can't get a virus because I'm running Linux!" Linux makes it more difficult than Windows by several orders of magnitude, but it doesn't mean that it's impossible. In case you're wondering, I have seen people wh

            • by bmo (77928)
              "Running a given operating system does not incur automatic protection in the absence of proper procedure."

              You and I are on the same side. Heh.

              When, at first, I couldn't use the root account in Ubuntu, I enabled it using sudo passwd. But upon reflection, after thinking that not having an active root account was a bit of bogosity (I'm a big boy, I know what I'm doing), I have changed my mind and agreed with the Ubuntu and OS/X method of using sudo for everything. It keeps one from playing "admin" for too l
            • by Tweekster (949766)
              Barely anything requires you to run as root (so it won't be "easier") so that point is moot.

              You can't simply download a cool screensaver and double click it like in windows.
          • "The first time someone's running as root and downloads an untrustworthy file..."

            But that's not really an issue is it? What Linux distribution has the default user as Root these days? In fact, it's more difficult to run as root in some distributions instead of as a normal user, in that the "root account" is never enabled. Attempt to login to (X,K,Ed)Ubuntu as root at the login screen and it won't work.
            -------------
            While that may be true, you want to know how much effort is required to enable that? not much
            • by bmo (77928)
              "While that may be true, you want to know how much effort is required to enable that? "

              I know exactly how much effort. I actually mentioned a way to do it up there, in case you hadn't read. However, the newbie is not TOLD to do it, and so by default, only when the newbie _learns_ what to do, the newbie can enable it or not.

              But by then, the newbie has probably operated under sudo long enough that it's second nature and probably has picked up the clue that it's more secure that way anyway.

              The fact remains,
              • Real world example? Guide to install quake 3 (A lot of people would have a use for this migrating from windows) one of the first things it says to do is LOGIN AS ROOT, INCLUDING A GUIDE
          • by Matumio (1001893)
            I don't see why privilege separation should help. There is no need to run that spambot as root.
            • Re: (Score:3, Insightful)

              by bmo (77928)
              "I don't see why privilege separation should help. There is no need to run that spambot as root."

              Because if a spambot is running as an ordinary user, it's ridiculously easy to kill and remove. A userland spambot is next to useless, because it will have a very short life. Where does it get launched? In .profile? How do you hide it? Unless you're root, you can't modify logs, netstat, or ps. And once you've got root privs, it's stupid to run the bot in userland anyway. So you're wrong. Priv separation
          • What Linux distribution has the default user as Root these days?

            Linspire
      • Well, you see, there are viruses for linux

        Yeah, sure, millions of them.
        I read this lie for many years and never seen any true virus for Linux, only "examples which don't work".
        • by bmo (77928)
          "Yeah, sure, millions of them.
          I read this lie for many years and never seen any true virus for Linux"

          Hear hear!

          I have to expound on this a little.

          One of the reasons that the Windows apologists say that Linux has poor virus propagation is because of the geek ratio, and that Linux geeks "know what they're doing."

          Well, let's take a look at OS/X. OS/X has a higher population of non-geeks that just want to get things done. Indeed, it's got the highest ratio of fashion conscious and arty-types of any user popula
      • Re: (Score:3, Insightful)

        by Metasquares (555685)
        And well, saying that Windows is bad because almost all viruses are designed for them is like saying that houses are bad, because thieves might try to break in...
        Windows is like a house where all of the doors are unlocked and most of the residents can't figure out how to use the key. It can be made secure, but not if it's being used by an average user. Linux is more secure by default and the users tend to know what they're doing more.
  • by spywhere (824072) on Saturday December 23, 2006 @08:20AM (#17347526)
    Cleansing home PCs, I've seen some of the more exotic exploits become commonplace, including:

    Direct Revenue hiding its core .DLL as a print monitor;
    one lone .DLL, registered in a CLSID key, warning of SPYWARE!!! from the system tray;
    launching executables from Group Policy subkeys;
    populating subkeys of Winlogon\Notify with self-renaming .DLL's.

    Hiding malware so it launches before Explorer (and even before the antivirus app) is sneaky, underhanded, and ensures a steady stream of income so I don't need to get an actual job. Editing the Registry hives from WinPE is the only cost-effective way to remove many of these things, and Suzy Homeuser will never be ready for that.
    So here's to you, scumbag malware writers... and here's to Microsoft for leaving soooo many ways to launch your malware: Thanks for paying my mortgage. Without security holes, and the slimeballs who exploit them, I'd be back selling auto parts.
    • by Barny (103770) <bakadamage-slashdot@yahoo.com> on Saturday December 23, 2006 @11:06AM (#17348010) Homepage Journal
      /raises glass

      That one that warns of "your pc is infected with malware" from system tray, known some places as smitfraud others as VX2, now uses several hundred reinfection methods, from infected active script desktop images, to the old favourite, making itself the default program to open files of type .exe

      In fact, all those tricks you list are used by one version or the other (or if you are unlucky and get the latest updated version, all of them).

      Faster now just to backup data, format and re-install than try and debug each and every method used by the particular version you have, I have tried auto remove tools, all of them end up out of date less than 24hrs after launch (someone is making enough from this thing that paying lots of money to a few programmers is not a problem).

      The pay-off is of course when the user clicks that task bar balloon and it installs the "protection racket" software of choice onto your PC, which says it found 4366724 virus' and spyware, and to please pay them for a full licence to remove them. Of course if you pay them, it does NOT remove even its own malware, at least yesteryear's organised crime DIDN'T break stuff if you paid.

      The real kicker is, the 3-4 times I have seen it infect a pc (had user, on a fresh pc, do what they did when it first happened) it was through an IE "unpatched code execution" bug of the week.

      When I tell people to use firefox, and then pre-install it on their new PC/repair, do they think it is a joke?
      • by maxume (22995)
        -->do they think-- there's your problem right there. I don't mean that to be as harsh as it sounds, the problem isn't that they are stupid, it's that they don't care. Something like 99.9% of people just want a 'internet' thingy, they don't care about having a computer or security or whatever, and if the blue e was the internet before, then it is probably still the internet now, and they don't care about the fire in your pants or whatever the hell you were rambling about when they were paying your bill.

        O
        • by wordsnyc (956034)

          Something like 99.9% of people just want a 'internet' thingy, they don't care about having a computer or security or whatever, and if the blue e was the internet before, then it is probably still the internet now, and they don't care about the fire in your pants or whatever the hell you were rambling about when they were paying your bill.

          Seriously, the only reason most people know they're running Windows is because it says so when they turn on the pc. There's the monitor, there's the "CPU," the mouse,

          • "I just use my Dell."

            When I was the alpha geek on a four-geek Help Desk, we had to ask each caller for the computer name (we later used bginfo for that). We would ring a bell every time we got the answer "Dell," then patiently explain that the computer is a Dell, but the computer has a name on the network, and we need to figure out what that is...
            one woman interrupted me: "Trinitron?"

            I slapped the mute switch just in time, and ROTFLMAO.
      • One repair strategy (Score:4, Informative)

        by spywhere (824072) on Saturday December 23, 2006 @01:15PM (#17348536)
        I see a lot of machines with multiple infestations, but I rarely rebuild 'em.
        My usual algorithm:

        Start up in Safe Mode
        Use AutoRuns.exe to identify most of the offenders; delete those that don't self-reinstall
        Open IE and then System Information; look at Loaded Modules to find the vx2 .DLLs (hint: sort the list by Manufacturer)
        Boot to Windows PE; back up and load the Software and System hives & clean them up; do the same with the user hive(s)
        Boot into Windows and check for stragglers.

        Lots of fun, especially for $1.25/minute.
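
The autostart locations listed in spywhere's first comment and the offline hive review in the repair strategy above, as an added example that is not part of either post: it parses the text of a `reg export` and reports print monitor, Winlogon\Notify and policy Run values that are absent from a clean reference export. The hive mount names, all sample entries and the reading of "Group Policy subkeys" as the `Policies\Explorer\Run` key are assumptions.

```python
import re

# (key pattern, value name, label). Patterns match the key suffix, so they work
# for CurrentControlSet, ControlSet001 or a hive loaded under another name.
# Assumption: "Group Policy subkeys" means Policies\Explorer\Run.
AUTOSTART_KEYS = [
    (r"\\Control\\Print\\Monitors\\[^\\]+$", "Driver", "print monitor"),
    (r"\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\[^\\]+$", "DllName", "winlogon notify"),
    (r"\\CurrentVersion\\Policies\\Explorer\\Run$", None, "policy run"),
]

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, string_data) from the text of a `reg export`
    (read the file with encoding="utf-16")."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not (key and m):
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if raw.startswith('"'):            # REG_SZ
            yield key, name, _unescape(raw[1:-1])
        elif raw.startswith("hex(2):"):    # REG_EXPAND_SZ, stored as UTF-16LE bytes
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            yield key, name, data.decode("utf-16-le").rstrip("\x00")

def autostart_entries(text):
    """Return {(label, key, value_name, data)} for values in the watched keys."""
    hits = set()
    for key, name, data in parse_reg(text):
        for pattern, wanted, label in AUTOSTART_KEYS:
            if re.search(pattern, key, re.I) and wanted in (None, name):
                hits.add((label, key, name, data))
    return hits

def new_entries(suspect, baseline):
    """Entries present in the suspect export but not in the clean baseline."""
    return sorted(autostart_entries(suspect) - autostart_entries(baseline))

# Constructed sample exports: a clean reference and the same hives with additions.
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\OFFLINE_SYS\ControlSet001\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"
[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
"""
SUSPECT = BASELINE + r"""
[HKEY_LOCAL_MACHINE\OFFLINE_SYS\ControlSet001\Control\Print\Monitors\Example Monitor]
"Driver"="example_mon.dll"
[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example]
"DllName"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,61,00,\
  2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\OFFLINE_SW\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"updater"="C:\\Temp\\example.exe"
"""

if __name__ == "__main__":
    for label, key, name, data in new_entries(SUSPECT, BASELINE):
        print(f"{label}: {key} [{name}] -> {data}")
```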
  • Archaic! (Score:2, Funny)

    by Warbringer87 (969664)

    Whoever created the DarkFloppy.A worm appears not to have heard of e-mail, instant messaging or P2P systems, as the propagation methods they've chosen to spread this malicious code is... floppy disks. Not much chance of a massive epidemic then, is there?

    Oh, well, I think they underestimate just how stupid some people are. I wonder who the unlucky person was who first nabbed that one. Just goes to show, the internet is the "wild frontier" and that probably won't ever change.

    • Re: (Score:2, Funny)

      by spywhere (824072)
      Ten years ago, I pioneered a foolproof way to clean floppy disks.
      I worked at a chain of auto parts stores, with only five Windows machines. The marketing guy was constantly catching the Zombie virus from his drawer full of floppies.
      After about the 5th or 6th time, I took all the floppy disks out of his desk and smashed them with a ballpeen hammer.
  • by Anonymous Coward
    I think that initiatives like these only make the problem much worse and that the people writing them are mere idiots who don't bother to think about the possible consequences. Yes, some people may consider this informative as a way of being kept up to date as to what has happened in the past year. The people who created and spread all this garbage may very well look upon this with a whole different attitude: "Look at that, see, I R teh l33t coder! My h4xkZ r made teh top!" resulting in some other lame clue
  • by Anonymous Coward on Saturday December 23, 2006 @10:02AM (#17347804)
    The time is ripe for a beneficial virus, one that does no harm to the host computer, but acts as a keylogger that will play a very loud annoying buzzing noise and kill all open apps if the user types: "misa campo", "made of win", "internets", "begs the question", or any other word or phrase from a list of current phrases used by morons.
  • The general public generally only hears about the viruses that spread quickly and do damage...but the range of exploits is just amazing. One of my favorites is summarized this way, in the article:

    "- The biggest snooper. In this case, it was not a difficult choice. WebMic.A is a malicious code that can record sounds and images, using a microphone and WebCam connected to the computer. Of course this is not the sort of uninvited guest you would like to have on your PC."

    The average joe really doesn't know how

    • Yeah, those 4 items are good, but "Joe" is STILL skating on thin ice unless he adds a 5th item - a clue.

      The other user who, I've noticed, rapidly messes up a computer even with the above 4 things installed is "average teen with half a clue" who is somewhat aware they should not install bad things, but assumes that if it is something that all their friends install, or something they feel they just gotta install, then it can't hurt them.
  • Any ideas how much malware has gone undetected?
  • WGA (Score:4, Interesting)

    by Gonoff (88518) on Saturday December 23, 2006 @12:11PM (#17348282)

    That bit of malware is installed on users' machines without their knowledge of what it really means.

    It may monitor what you are up to, we don't really know yet.

    It may pop a message onto your computer suggesting that you go to a certain website and pay money to some questionable organisation.

    A new version is reputed to disable your computer if you do not submit to its blackmail...

  • They say that Gatt.A can infect any platform like "omg noes Linux and Mac!" but according to http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=122900&sind=0 [pandasoftware.com] the IDA (which it exploits) is present on multiple platforms, but there are other things about windows that made the virus function.

    I don't know about everyone else, but this damages the credibility of the article for me.
  • For anyone who wants to see the original article, which is without ads, and with links, there's always the original site:
    Panda Software Virus Yearbook 2006 [pandasoftware.com]
  • HNS is running an article with a list of those malicious codes which, although they may not have caused serious epidemics, stood out in one way or another.
    Duh! Vista!
