Security firm Panda Labs has released (PDF) its malware report for the first quarter 2008. The report covers a number of topics and makes predictions about the types of attacks we may see in the future. Forecasting these trends is always tricky—no one expected the Storm Worm to explode when it did—but Panda's prediction that we may see a rise in boot sector viruses is rather surprising. We'll touch on malware first, however, and return to this topic shortly.

Thus far, adware, trojans, and miscellaneous "other" malware including dialers, viruses, and hacking tools have captured the lion's share of the "market" as it were. These three categories account for 80.55 percent of the malware Panda Labs detected over the first quarter.

Password-stealing trojans are still a growing market, and the report cautions users, as always, to be careful of their banking records... and their World of WarCraft/Lineage II passwords. It might be interesting to take a poll of hardcore World of WarCraft players and see which of these two categories they care more about protecting, but the results would likely make a parent weep. One can always make more money, after all, but raiding Sunwell Plateau is serious business.

From here, Panda Labs trots through familiar territory. The monetization of the malware market, the prevalence of JavaScript/IFrame attack vectors, and the growing number of prepackaged virus-building kits are all issues that the report raises. We've covered all of these before, but if you've not been paying attention and want to catch up on general malware trends, the report is a good place to do it. Also, just in case you missed it, social engineering-based attacks are both dangerous and effective, and social networks, particularly those based around Web 2.0, are often tempting attack targets.





Data source: Panda Labs

Panda's report does raise a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible. Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive.

Once a rootkit is loaded into the MBR, it can use its position to obfuscate its own activity. This is obviously rather handy when attempting to hide from rootkit-detection software, and could cause a new set of headaches for antivirus software if the threat actually materializes. Panda Lab's report does a good job of explaining what a boot virus is and how it can infect a system, but it says virtually nothing about why such attack vectors are a concern today.

The problem with boot viruses is that their attack vector is fairly well-guarded. Any antivirus program worth beans will detect a suspicious attempt to modify the MBR and will alert the end user accordingly. Running as a user rather than an administrator should also prevent such modification even if you don't have an antivirus scanner installed. Panda implies that this kind of exploit could be an issue in Linux, and I suppose that's theoretically possible, but Linux always creates a user account without root access by default.

Windows Vista, for its part, recommends that you run in user mode, even though the OS doesn't require it. Even in admin mode, a virus can't just get away with this type of modification, and UAC would pick up and flag any attempt to overwrite the MBR. Even if none of these barriers existed, there's still the issue of BIOS-enabled boot sector protection, which exists entirely to prevent this type of attack from occurring. If you want to catch a boot sector virus, in other words, you'll have to work at it.

Aside from the company's surprising conclusion regarding boot viruses, Panda Lab's report paints the picture of illegal businesses doing business as usual. In a way, this is actually a good thing. AV companies currently have their collective hands full dealing with the number of variants that are still spinning off the attacks and infections from last year, and the last thing the industry needs is for the Son of Storm to make an appearance.