Parasitic malware is making a comeback. Even though parasitic infectors account for less than 10% of all malware (the other 90% is static), they appear to be resurging. Parasitic infectors are viruses that modify existing files on disk, injecting their own code into the host file where it resides, so the host file itself becomes the carrier.
When the user runs the infected file, the virus runs too. W32/Bacalid, W32/Polip and W32/Detnat are three widespread polymorphic parasitic file infectors identified in 2006; all three have stealth capabilities and attempt to download Trojans from compromised Web sites.
Also important to note is that 80 percent of all malware is packed, encrypted, or obfuscated in some attempt to disguise its malicious purpose. Examples of obfuscated parasitic infectors include W32/Bacalid and W32/Polip.
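Because a parasitic infector has to rewrite the host file, the most reliable check a practitioner can add is a hash baseline of executables taken from a known-clean system and re-verified later: whatever polymorphism or stealth the injected code uses, the host's digest and usually its size change. The following is an added example, not code from this page or from McAfee Avert Labs; the suffix list, the fake executables and the simulated infection (appending bytes to a host file) are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for executables.

Parasitic infectors modify host files in place, so a hash baseline taken
from a known-clean system and re-checked later reveals the infection
regardless of how the injected code is obfuscated.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed set of file types to watch; extend to whatever your platform executes.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr", ".ocx")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Map each executable (path relative to root) to its size and SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            baseline[path.relative_to(root).as_posix()] = {
                "size": path.stat().st_size,
                "sha256": sha256_file(path),
            }
    return baseline


def compare_to_baseline(root: Path, baseline: dict, suffixes=EXECUTABLE_SUFFIXES) -> dict:
    """Report executables that changed, appeared or vanished since the baseline."""
    current = build_baseline(root, suffixes)
    modified = sorted(
        name for name in baseline
        if name in current and current[name]["sha256"] != baseline[name]["sha256"]
    )
    return {
        "modified": modified,
        # A host file that grew is the classic sign of an appending parasitic infector.
        "grown": [n for n in modified if current[n]["size"] > baseline[n]["size"]],
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: snapshot two fake executables, then simulate an infection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x90" * 512)   # constructed stand-in, not a real PE
        (root / "lib.dll").write_bytes(b"MZ" + b"\x00" * 256)
        (root / "readme.txt").write_bytes(b"not an executable")  # ignored by the suffix filter
        baseline = build_baseline(root)

        # Simulate a parasitic infector appending its body to the host executable.
        with (root / "app.exe").open("ab") as fh:
            fh.write(b"\xcc" * 64)
        (root / "dropper.exe").write_bytes(b"MZ" + b"\x00" * 16)  # a newly dropped file

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be stored where the infector cannot rewrite it (offline, or signed), and a changed digest only says that the file changed, not why: pair the report with trusted patch and software-update records so legitimate updates are not mistaken for infections.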
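Packing and encryption flatten a file's byte distribution toward the 8 bits per byte of random data, whereas ordinary machine code and data sit well below that, so byte entropy is a cheap first-pass triage for the packed and obfuscated samples described above. Measuring entropy per window rather than for the whole file also localises an encrypted infector body appended to an otherwise normal host. This is an added example, not code from this page or from McAfee Avert Labs; the threshold, window size and the three sample byte strings are constructed for the demonstration and stand in for real binaries.

```python
"""Entropy triage for packed / encrypted / obfuscated executables.

Whole-file entropy catches fully packed samples; per-window entropy
also reveals a small high-entropy region (such as an appended, encrypted
parasitic body) that a whole-file average would hide.
"""
import math
import random
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumed cut-off in bits per byte; tune against your own corpus
WINDOW = 1024            # assumed window size in bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = WINDOW, threshold: float = PACKED_THRESHOLD):
    """Return (offset, entropy) for every window whose entropy reaches the threshold."""
    regions = []
    for offset in range(0, len(data), window):
        e = shannon_entropy(data[offset:offset + window])
        if e >= threshold:
            regions.append((offset, e))
    return regions


def looks_packed(data: bytes, window: int = WINDOW, threshold: float = PACKED_THRESHOLD,
                 min_fraction: float = 0.5) -> bool:
    """Flag a file when at least min_fraction of its windows are high-entropy."""
    total = math.ceil(len(data) / window)
    if total == 0:
        return False
    return len(high_entropy_regions(data, window, threshold)) / total >= min_fraction


# Constructed samples (not real malware): a repetitive "code-like" body and a
# deterministic pseudo-random body standing in for a packed or encrypted section.
PLAIN = (b"\x55\x8b\xec" + b"\x90" * 5) * 512             # 4096 bytes, four distinct byte values
_rng = random.Random(20061130)
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))  # 4096 pseudo-random bytes
TAILED = PLAIN + PACKED[:1024]                            # clean host with an encrypted appendage


def triage(sample: bytes) -> dict:
    """Summarise one sample: overall entropy, packed verdict, and where the hot regions are."""
    return {
        "file_entropy": round(shannon_entropy(sample), 2),
        "looks_packed": looks_packed(sample),
        "high_entropy_offsets": [off for off, _ in high_entropy_regions(sample)],
    }


if __name__ == "__main__":
    for name, sample in (("PLAIN", PLAIN), ("PACKED", PACKED), ("TAILED", TAILED)):
        print(name, triage(sample))
```

Entropy is a triage signal, not a verdict: legitimate installers, compressed resources and embedded images score high as well, and a packer can deliberately pad its output to lower the figure. The per-window view is what makes this useful against parasitic infectors, since an encrypted body appended to a large clean host barely moves the whole-file entropy but shows up as a single hot window at the end of the file.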
Earlier this month, McAfee Avert Labs also tracked and monitored the payload deployed by W32/Kibik.a, a parasitic infector delivered through a zero-day exploit. Against the rootkit heuristics, behavioral detection and IP blacklists that have been the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in today's competitive matrix.
From silent installation via a zero-day exploit, to silent residence and operation, to a virtually silent and innocent-looking Google search, W32/Kibik.a could well be the start of a new trend for 2007 in scalable, remotely controlled malware (a.k.a. botnets).
It is no wonder that, with its stealthy elements, few security vendors to date have detected or repaired W32/Kibik.a.
Rootkits will increase on 32-bit platforms, but protection and remediation capabilities will increase as well. On 64-bit platforms, particularly Vista, malware trends are difficult to predict until uptake rates are known.
Vulnerabilities continue to cause concern. The number of disclosed vulnerabilities is expected to rise in 2007. Thus far in 2006, Microsoft has announced 140 vulnerabilities through its monthly patch program. McAfee Avert Labs expects this number to grow due to the increased use of fuzzers, which allow large-scale automated testing of applications, and due to bounty programs that reward researchers for finding vulnerabilities.
This year to date, Microsoft has already patched more critical vulnerabilities than in 2004 and 2005 combined. By September 2006, the combined 2004 and 2005 total of 62 critical vulnerabilities had already been surpassed.
McAfee Avert Labs has also noted a trend in zero-day attacks timed to Microsoft's monthly patch cycle. Because patches are issued only once per month, exploit writers are encouraged to release zero-day Microsoft exploits soon after a month's Patch Tuesday, maximizing the window during which the vulnerability remains unpatched.