August 2004 Review….
Well, August has come and gone (again), and on the malware front it was a mixed month. As expected, a lot of new malware was written and released, but very little of it ‘got lucky’, so there were not many major outbreaks. That was a welcome change.
Several new Bagle/Mitglieder variants were released at the end of August and caused concern and confusion for about 24 hours while vendors argued over which family they belonged to. Meanwhile their customers were left confused and desperately trying to get protection in place, but unsure what to ask their vendor for.
Top threats (by family) from my WormCharmer* data were:
Netsky                   28.89%
Opaserv                  19.98%
Zafi                     17.65%
Protoride                 6.41%
Bagle                     6.41%
Ranky                     4.96%
SdBot                     4.92%
Ranky and SdBot Dropper   4.88%
* The raw data can be found later on in this posting.
The total number of known malware (at the end of August) grew to 100,191 [source: McAfee], a jump of 4,199 in one month.
Here are my statistics for August 2004 from WormCharmer (detection name = samples trapped):
[1] Backdoor.Agobot.sv = 2
[2] Backdoor.Rirc.b = 10
[3] Backdoor.SdBot.np = 116
[4] Bagle.AI = 5
[5] SdBot.np_&_Ranky.an_Dropper = 79
[6] SdBot.np_&_Ranky.ap_Dropper = 36
[7] SUSPECT = 2
[8] TrojanProxy.Win32.Ranky.an = 81
[9] TrojanProxy.Win32.Ranky.ap = 36
[10] W32.Bagle.aa@MM = 54
[11] W32.Bagle.af@MM = 20
[12] W32.Bagle.ag@MM = 44
[13] W32.Bagle.ai@MM = 6
[14] W32.Bagle.aj@MM = 2
[15] W32.Bagle.aq@MM = 16
[16] W32.Bagle.j@MM = 1
[17] W32.Bagle.m@MM = 2
[18] W32.Bagle.n@MM = 1
[19] W32.Cabanas = 1
[20] W32.Dupator = 38
[21] W32.Evaman.c@MM = 2
[22] W32.FunLove.gen = 10
[23] W32.Jeefo = 1
[24] W32.Kriz.4050 = 1
[25] W32.Kuang.gen = 1
[26] W32.Lovgate.ac@MM = 1
[27] W32.Lovgate.ak@MM = 5
[28] W32.Mabutu.a@MM = 5
[29] W32.Mydoom.a@MM = 7
[30] W32.Mydoom.o@MM = 38
[31] W32.Mydoom.s@MM = 3
[32] W32.Netsky.b@MM = 36
[33] W32.Netsky.c@MM = 64
[34] W32.Netsky.d@MM = 89
[35] W32.Netsky.j@MM = 1
[36] W32.Netsky.p@MM = 436
[37] W32.Netsky.t@MM = 4
[38] W32.Netsky.z@MM = 51
[39] W32.Opaserv.worm.a = 31
[40] W32.Opaserv.worm.ac = 55
[41] W32.Opaserv.worm.ad = 37
[42] W32.Opaserv.worm.ae = 38
[43] W32.Opaserv.worm.ah = 28
[44] W32.Opaserv.worm.ai = 54
[45] W32.Opaserv.worm.aj = 2
[46] W32.Opaserv.worm.al = 1
[47] W32.Opaserv.worm.am = 1
[48] W32.Opaserv.worm.b = 4
[49] W32.Opaserv.worm.d = 64
[50] W32.Opaserv.worm.e = 29
[51] W32.Opaserv.worm.f = 10
[52] W32.Opaserv.worm.g = 28
[53] W32.Opaserv.worm.gen = 1
[54] W32.Opaserv.worm.i = 40
[55] W32.Opaserv.worm.j = 1
[56] W32.Opaserv.worm.k = 40
[57] W32.Opaserv.worm.p = 7
[58] W32.Pate.a = 1
[59] W32.Pate.b = 4
[60] W32.Plexus.G = 2
[61] W32.Tenrobot.d = 1
[62] W32.Zafi.b@MM = 416
[63] W95.Fono.17152 = 1
[64] W95.Lorez.a = 2
[65] W95.Spaces.gen = 1
[66] Worm.Win32.Protoride.aa = 33
[67] Worm.Win32.Protoride.af = 20
[68] Worm.Win32.Protoride.e = 6
[69] Worm.Win32.Protoride.i = 4
[70] Worm.Win32.Protoride.j = 19
[71] Worm.Win32.Protoride.k = 17
[72] Worm.Win32.Protoride.l = 36
[73] Worm.Win32.Protoride.n = 9
[74] Worm.Win32.Protoride.y = 7
74 distinct malwares trapped, 2357 samples trapped in total.
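The per-family percentages above are derived from these per-variant counts, and the Bagle/Mitglieder episode shows why the grouping step matters: a vendor detection name carries type and platform prefixes and variant suffixes that have to be stripped before anything can be counted by family. The script below is an added example, not code from the original post or from WormCharmer; it parses the listing exactly as it appears on the page and reproduces the "Top threats" table. The prefix list and the rule that names ending in "_Dropper" belong to the "Ranky and SdBot Dropper" group are my own assumptions about these particular names, not any vendor's naming specification.

```python
"""Group WormCharmer per-variant counts into per-family shares.

Added example; not code from the original post or from WormCharmer. The
prefix set and the dropper rule in family_of() are assumed naming rules
for these vendor-style names, not a vendor specification.
"""
import re
from collections import Counter

# The August 2004 listing from the post, in the flattened form it appears in.
AUGUST_2004 = """
[1] Backdoor.Agobot.sv = 2 [2] Backdoor.Rirc.b = 10 [3] Backdoor.SdBot.np = 116
[4] Bagle.AI = 5 [5] SdBot.np_&_Ranky.an_Dropper = 79 [6] SdBot.np_&_Ranky.ap_Dropper = 36
[7] SUSPECT = 2 [8] TrojanProxy.Win32.Ranky.an = 81 [9] TrojanProxy.Win32.Ranky.ap = 36
[10] W32.Bagle.aa@MM = 54 [11] W32.Bagle.af@MM = 20 [12] W32.Bagle.ag@MM = 44
[13] W32.Bagle.ai@MM = 6 [14] W32.Bagle.aj@MM = 2 [15] W32.Bagle.aq@MM = 16
[16] W32.Bagle.j@MM = 1 [17] W32.Bagle.m@MM = 2 [18] W32.Bagle.n@MM = 1
[19] W32.Cabanas = 1 [20] W32.Dupator = 38 [21] W32.Evaman.c@MM = 2
[22] W32.FunLove.gen = 10 [23] W32.Jeefo = 1 [24] W32.Kriz.4050 = 1
[25] W32.Kuang.gen = 1 [26] W32.Lovgate.ac@MM = 1 [27] W32.Lovgate.ak@MM = 5
[28] W32.Mabutu.a@MM = 5 [29] W32.Mydoom.a@MM = 7 [30] W32.Mydoom.o@MM = 38
[31] W32.Mydoom.s@MM = 3 [32] W32.Netsky.b@MM = 36 [33] W32.Netsky.c@MM = 64
[34] W32.Netsky.d@MM = 89 [35] W32.Netsky.j@MM = 1 [36] W32.Netsky.p@MM = 436
[37] W32.Netsky.t@MM = 4 [38] W32.Netsky.z@MM = 51 [39] W32.Opaserv.worm.a = 31
[40] W32.Opaserv.worm.ac = 55 [41] W32.Opaserv.worm.ad = 37 [42] W32.Opaserv.worm.ae = 38
[43] W32.Opaserv.worm.ah = 28 [44] W32.Opaserv.worm.ai = 54 [45] W32.Opaserv.worm.aj = 2
[46] W32.Opaserv.worm.al = 1 [47] W32.Opaserv.worm.am = 1 [48] W32.Opaserv.worm.b = 4
[49] W32.Opaserv.worm.d = 64 [50] W32.Opaserv.worm.e = 29 [51] W32.Opaserv.worm.f = 10
[52] W32.Opaserv.worm.g = 28 [53] W32.Opaserv.worm.gen = 1 [54] W32.Opaserv.worm.i = 40
[55] W32.Opaserv.worm.j = 1 [56] W32.Opaserv.worm.k = 40 [57] W32.Opaserv.worm.p = 7
[58] W32.Pate.a = 1 [59] W32.Pate.b = 4 [60] W32.Plexus.G = 2
[61] W32.Tenrobot.d = 1 [62] W32.Zafi.b@MM = 416 [63] W95.Fono.17152 = 1
[64] W95.Lorez.a = 2 [65] W95.Spaces.gen = 1 [66] Worm.Win32.Protoride.aa = 33
[67] Worm.Win32.Protoride.af = 20 [68] Worm.Win32.Protoride.e = 6 [69] Worm.Win32.Protoride.i = 4
[70] Worm.Win32.Protoride.j = 19 [71] Worm.Win32.Protoride.k = 17 [72] Worm.Win32.Protoride.l = 36
[73] Worm.Win32.Protoride.n = 9 [74] Worm.Win32.Protoride.y = 7
"""

# One "[n] Name = count" entry; names contain no whitespace in this listing.
ENTRY_RE = re.compile(r"\[(\d+)\]\s+(\S+)\s*=\s*(\d+)")

# Tokens that describe type or platform rather than family (assumed list).
NON_FAMILY = {"W32", "W95", "Win32", "Worm", "Backdoor", "TrojanProxy", "Trojan"}


def parse_counts(text: str) -> dict[str, int]:
    """Return {detection name: sample count} from the flattened listing."""
    return {name: int(n) for _, name, n in ENTRY_RE.findall(text)}


def family_of(name: str) -> str:
    """Collapse a detection name to a family label (assumed naming rules)."""
    if name.endswith("_Dropper"):            # post groups both droppers together
        return "Ranky and SdBot Dropper"
    name = name.split("@", 1)[0]             # drop the @MM mass-mailer tag
    parts = [p for p in name.split(".") if p not in NON_FAMILY]
    return parts[0]                          # first remaining token is the family


def family_shares(text: str) -> tuple[dict[str, tuple[int, float]], int, int]:
    """Aggregate counts by family.

    Returns ({family: (samples, percent)}, distinct names, total samples),
    with families ordered by descending sample count.
    """
    counts = parse_counts(text)
    fam = Counter()
    for name, n in counts.items():
        fam[family_of(name)] += n
    total = sum(fam.values())
    shares = {f: (n, round(100 * n / total, 2)) for f, n in fam.most_common()}
    return shares, len(counts), total


if __name__ == "__main__":
    shares, distinct, total = family_shares(AUGUST_2004)
    print(f"{distinct} distinct names, {total} samples")
    for fam, (n, pct) in list(shares.items())[:8]:
        print(f"{fam:<24} {n:>5} {pct:6.2f}%")
```

Run as-is it prints the same eight families and percentages as the table above. The weak point is family_of(): it works for one vendor's naming scheme, and feeding it another vendor's names for the same samples would split or merge families differently, which is the same disagreement that left Bagle/Mitglieder customers without a name to ask for.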
On a personal note August was a painful month as I broke my toe, and also a busy month what with decorating, new malware, and writing the first part of a new article for Virus Bulletin on using SNORT to detect/block malware. This should be published in the October edition.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.

