Courtesy:Kaspersky.com

Kaspersky Lab, a leading developer of secure content management solutions, has released its latest article, entitled ‘Changing threats, changing solutions: the evolution of viruses and antivirus’. The article is authored by David Emm, the company’s senior technology consultant, and is aimed at users and managers who have an interest in the history of malware evolution and the parallel development of antivirus solutions.

The article provides an overview of the changing threat landscape from the late 1980s, when the first PC viruses appeared, to the evolution of mobile threats in the first decade of the 21st century. It also examines how antivirus solutions have evolved to keep pace with the changes in malicious code by implementing new technologies.

Boot sector and DOS file viruses were the first PC viruses, and by the end of the 1980s, these threats had been joined by a few worms and the first Trojans. Virus writers used a range of stealth techniques to extend the life cycle of malicious code by evading antivirus scanners. Some of these techniques, such as suppressing error messages, and polymorphism (which ensures the virus code is different each time it infects a machine) are still used by virus writers today.

Antivirus solutions were initially designed as individual utilities to detect and remove specific viruses. However, as the number of viruses increased, antivirus ‘toolkits’ were released. These included an on-demand scanner which would search for the viruses currently in existence, and in some cases a cleaning utility. By the end of 1990, an increase in the number of viruses to nearly 300 caused antivirus vendors to implement real-time protection, and to supplement signature based analysis with heuristics, behavioural analysis, emulation and other techniques.

The appearance of the first macro virus in 1995 was a major shift, and these viruses came to dominate the threat landscape in the following four years. Such viruses were the first to deliberately infect data files; they are also neither platform-specific nor OS-specific. This move shifted the focus of the virus writing community from executable code to data. Virus macros were easy to modify, and this opened virus writing to a wider group, causing the number of viruses to increase from around 6,000 in June 1995 to more than 25,000 in December 1998.

With both the threat landscape and business practices evolving, antivirus solutions also needed to change. It became clear that gateway and mail server solutions would be required in addition to file server and workstation solutions in order to fully secure networks.

The appearance of the Melissa virus, in March 1999, was another leap forward for malicious code. Melissa’s ability to spread independently ushered in the era of email worms, which spread in a variety of ways, and typically use social engineering to trick the user into running the malicious code. Internet worms, which often spread by exploiting vulnerabilities (and often combine this approach with other techniques for maximum effectiveness) made a return in 2001, and remained prevalent in the following years.

In response to these new threats, antivirus vendors started to offer solutions which were broader in scope: adding personal firewall capability, host- and network-based intrusion protection systems, application activity monitoring, and, in some cases, roll-back capability which will undo changes that malicious programs have made to a victim machine.

The decline in global epidemics since 2003 reflects a shift in the motivation of virus writers: from writing and spreading malicious code in order simply to cause damage to doing this in order to earn money illegally. This has resulted in tailor-made Trojans designed to target a specific system and malicious programs designed to steal user data such as account details and passwords to bank accounts and online games. Trojans can be used to create botnets of infected machines which are then used to send spam which may also contain malicious code. Phishing attacks have also become widespread, with cybercriminals tricking users into entering their bank account details on fake sites.

Against this background, virus writers have also started targeting the mobile devices which are increasingly used in the business world. Since the first worm for smartphones was detected in 2004, viruses, worms and Trojans for mobile devices have also put in an appearance. In the space of a few years, threats for mobile devices have evolved as much as PC malware did over the course of 20 years.

The author concludes by emphasising that the threat landscape has changed beyond recognition, making it more important that ever for users to have effective protection. Security solutions must deliver timely protection against the approximately 200 new threats which appear daily, while also implementing technologies which can block unknown threats as they appear.

Source: Kaspersky.com