Virus writers are likely to unleash increasingly sophisticated strains of
malware next year in an attempt to bounce back from some high-profile botnet
shutdowns in 2008, according to new predictions from managed security provider
MessageLabs.
The company predicted that hackers will launch new attacks in which malware
exists as a virtualisation layer running directly on the hardware, where it
cannot be discovered by the operating system.
"The operating system does not know it's there, and the malware will be
intercepting low-level operating system calls," explained MessageLabs senior
analyst Paul Wood.
"The problem will be in realising it's there and understanding how to clean
up, because it's so low level and tangled up in the operating system that
sometimes the only recourse is to reinstall the machine from scratch."
Mark O'Dell of IT support firm Connect Support Services said the theoretical
threat to the operating system has been present since the creation of
hypervisor technology.
"This type of malware may be much harder to detect as it runs at a level
below the operating system the end user and even the professional user sees, but
provided it is appropriately secure it would be hard to achieve," he added.
Cyber criminals will also concentrate on infecting machines with more agile
malware which can switch between tasks as appropriate, said MessageLabs' Wood.
For example, if a piece of malware determines that the spam it is sending out is
being blocked, it could then be told to launch denial-of-service attacks
instead.
Mobile malware is also likely to increase in 2009, according to MessageLabs,
but not with the goal of infecting devices to create botnets. Attackers will
instead seek to make money by subverting the phones so that they call premium
rate numbers established by the criminals.
Phishing attacks will also increase in sophistication, as criminals target
flaws in the Domain Name System (DNS) to launch phishing sites by
creating sub-domains in exposed accounts. This method will help to circumvent
traditional URL filters that can detect when criminals use typo-squatting
techniques, which rely on mistakes made by surfers when entering a web site
address into a browser.
"We have seen legitimate businesses with good domains being taken over in
some way," said Wood. "The criminals gain access to the admin function of their
DNS console, add sub-domains to their records and then use these domains in
phishing emails."
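
One way a domain owner can spot the sub-domain additions described above is to compare each DNS zone export against an approved baseline. The following is an added example, not code from MessageLabs or the article; the zone data, the `example.com` names and the approved address range are constructed placeholders.

```python
import ipaddress

# Constructed sample data: an approved baseline and a later zone export,
# one "name type value" record per line. All names and addresses are placeholders.
BASELINE = """\
www.example.com. A 192.0.2.10
mail.example.com. A 192.0.2.25
shop.example.com. CNAME www.example.com.
"""
CURRENT = """\
www.example.com. A 192.0.2.10
mail.example.com. A 192.0.2.25
shop.example.com. CNAME www.example.com.
secure-login.example.com. A 203.0.113.66
mail.example.com. A 198.51.100.7
"""
APPROVED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed organisation range


def parse(text):
    """Return a set of (name, rtype, value) tuples, normalised to lower case."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0].startswith(";"):
            continue  # skip blank lines, comments and anything malformed
        name, rtype, value = parts
        records.add((name.lower().rstrip("."), rtype.upper(), value.lower().rstrip(".")))
    return records


def audit(baseline_text, current_text, approved_nets):
    """List findings for records present now but absent from the baseline."""
    baseline = parse(baseline_text)
    known_names = {name for name, _, _ in baseline}
    findings = []
    for name, rtype, value in sorted(parse(current_text) - baseline):
        reason = "new sub-domain" if name not in known_names else "changed record"
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if not any(addr in net for net in approved_nets):
                reason += ", address outside approved ranges"
        findings.append((name, rtype, value, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, APPROVED_NETS):
        print(*finding, sep="\t")
```

Run against regular zone exports, a check like this surfaces records the domain owner never created, which URL filters tuned for typo-squatting would not flag because the parent domain is legitimate.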