Back to the Future
While most of the threats we see today are run-of-the-mill infostealers or IRC bots, we still regularly receive malware that sits on the fringes of the malware landscape. The fringes don't only involve threats that run on uncommon platforms; they also include threats that use old-school techniques (such as simple file infectors), or threats that are well ahead of their time.
Recently, a virus magazine (itself an endangered species) was released containing a collection of more than 30 pieces of malware. These samples fell all along the spectrum, but most of them definitely leaned towards the fringes. Some examples of the malware included were:
- a worm that spreads by modifying all the links on a Wiki to point to itself
- a MATLAB scripting virus
- a 64-bit infector
- a CHM (Compiled HTML) file infector
- a virus for FreeBSD
- more than one threat written in C#
- a virus that infects Microsoft InfoPath files
- an infector for IDC scripts (the scripting language of IDA, a tool used by reverse engineers)
- a virus that inserts itself into ISO images
- a PHP virus that uses PHP exploits to spread
- a Microsoft PowerShell (MSH) infector
- a StarBasic virus affecting OpenOffice/StarOffice
- a macro virus for Word 2007
- classic file infectors
Not all of the threats worked properly, and some of them were miserable pieces of code that didn't get much further than the second line. However, these threats still illustrate that malware authors are always exploring new techniques and developing threats that can work on different platforms or infect different file formats.
For analysts, this poses a challenge: we need to be experts in current threats, experienced in old threats that are almost extinct, and also aware of future platforms that are susceptible to malware. Good examples include both StarBasic and MSH, both of which were identified as potential targets by security companies well before any malware was created for them. So, classic worms, backdoors, and infostealers may be what hit the news, but rest assured: we still see a fair amount of file infectors and viruses for platforms you may not even be able to buy yet.