What do hidden files on CDs, new outlets for malware, an increasingly popular internet scheme, two new Windows vulnerabilities and a destructive worm have in common? They all either happened or were brought to light in the final three months of 2005.

Alexander Gostev, a Kaspersky Lab senior virus analyst, recounted these final-quarter IT highlights in his Malware Evolution piece released Friday by the security firm.

Perhaps the biggest story to come out of the last quarter, and perhaps the entire year, was the Sony-BMG rootkit controversy, he said. The story made headlines well outside the IT community.

"It was due to Sony that hundreds of thousands of computers throughout the world had software installed on them that would hide files and processes from the user," said Gostev. "This meant that theoretically any file with a name beginning with "$sys$" would become invisible unless special tools were used. Such functionality can, of course, potentially be exploited by malicious programs in order to mask their presence in the system."

The final quarter remained active with the discovery of two critical, zero-day vulnerabilities in Windows, Gostev said.

The first came Nov. 21 when a group of British researchers detected a proof-of-concept exploit that allows hackers to install and execute files without a user's knowledge.

The other, more heralded, Windows metafile flaw required an out-of-cycle patch from Microsoft.

Malicious users could use images to execute arbitrary code, cause a denial-of-service condition or take complete control of an infected PC. But many users were saved by the timing of the vulnerability, Gostev said.

"More than a thousand "pictures" were detected in a single week," he said. "As the vulnerability was present in all versions of Windows, the situation threatened to spiral out of control. Thankfully, all of this took place over Christmas. The number of internet users was far less than normal, and this prevented a major disaster."


Malware aimed at mobile devices that run full operating systems, such as BlackBerrys and Treos, continued to gain ground in 2005's final quarter, Gostev said.

Mobile phones are becoming "natural targets" for virus authors because of their popularity, said Shane Coursen, senior technical consultant at Kaspersky Lab.

"As they grow in use and the greater number of people use these things, the more likely they will become a vector, a method by which viruses spread," Coursen said.

Trojan PBstealer, designed to swipe personal information, was one such virus that appeared on the scene last year. The virus accesses the address books of the infected device and sends them through Bluetooth to the nearest accessible device, Gostev said.

Security experts also responded to infections caused by Cabir, a worm that has been detected in more than 30 countries.

Gostev said that although most malicious programs for mobile phones originate overseas, they easily reach American users because of international travel.

Mobile devices were not the only new platform for viruses, Gostev said. In October, malicious code was first detected in gaming consoles. The motive for malware writers is to create pirated games, he said.

Video games' popularity and hackers' familiarity with the make-up of the systems are making them popular targets, Gostev said.

The Sober mass-mailing worm struck again near the end of the year, when millions of users in Western Europe received strange emails that said they violated copyright regulations by downloading music and videos.

The messages asked recipients to open attached files for proof of their crime, but instead they launched the worm. Tens of millions of copies of the worm began circulating.

Sober surprised experts by how it became so widespread considering its primitive design.

"Sober doesn't exploit any vulnerability," Gostev said, "except the vulnerability of humans themselves. It didn't seem to have been written with any commercial aims, as it didn't steal data, create botnets or conduct DoS attacks. By rights, Sober should not have been able to survive, but instead the worm ranks top of the viruses in the fourth quarter of 2005. This is strange...almost inexplicable."

Gostev also mentioned a Russian-based internet racket that sabotaged computers in the final quarter. The trojan Krotten infects victims' machines, preventing RegEdit and Task Manager from being launched and Internet Explorer from being closed, and the malware writers then demand the equivalent of $5 to restore normal operations.

"The case of Krotten shows that internet rackets are becoming more and more popular with virus writers," Gostev said. "This is a very dangerous trend, which is intensifying with each passing month." Similar low-end schemes are not readily used in America, presumably because of hackers' fear of prosecution, Coursen said.