MoMusings

Thursday 25th November, 2004


Click-a-holics Anonymous

Filed under: All, Malware

In cyber-space no one can hear you click…..but just like the old adage that goes something like this: “a butterfly flaps its wings in Brazil and a storm hits China”….small things can tip the balance. One careless user clicking without thinking on a suspicious attachment can bring a company’s network to its knees and/or start a chain reaction that fires off umpteen-thousand infected e-mails to potential budding click-a-holics.

Picture it if you will, a class-room in cyber-space, a circle of uncomfortable orange plastic chairs, at least three sizes too small for their occupants; knees up around their chins, all uncomfortable and not just because of the chairs on which they are squatting…The smell of cabbage cooked to within a nano-metre of its life pervades the air, as welcome as a pitbull in a cattery and causing as much offence…A man stands up, fidgeting, looking very scared and unsure of himself….

“My name is John…and I’m a click-a-holic”

The rest of the group respond with the customary pack response “Welcome, John”

John stammers, as all eyes turn and fix on him; like vampires sensing a new ‘virgin’ meal. A hungry, needful, almost manic expression on the faces of the assembled throng…He gulps, swallowing his fear and shame; he is among equals here…..nothing to fear. He begins to tell his story…

“It all started when I got a computer with Windows on it…..I had Outlook Express for reading and writing e-mail and I could click on everything…..that’s when I started to get addicted…..Then I found I would click on anything, no matter how silly or unexpected, I just had to click…..but things started to go wrong, I….er….got, you know…..’infected’.” He blushes and looks as awkward and self-aware as a teenager caught reading a top shelf magazine by his Granny.

“I felt violated, but I couldn’t stop myself. I got infected lots of times over the next few years, that’s when it dawned on me that I must be a Click-a-holic…..so, I came here, to seek help and support….”

It may be a bit tongue-in-cheek, but it does seem that there are a sizeable number of computer users out there in cyber-space that just have to click (or double-click, or double-click and type in a password, then double-click again!); it does almost seem to be some form of addiction.

You would have thought that by now most of the denizens of cyber-space (especially Windows users) would have learnt the lessons, and kicked the habit, what with this year’s flood of Netsky, MyDoom and Bagle variants. Further back in time, we had Melissa, SoBig, Badtrans, Sircam, and the so-called ‘I-Love-You’ virus, which arrived in your inbox addressed from someone you knew, informing you that they ‘Loved-You’; of course everyone was so starved of love and attention that many opened the e-mail and in some cases ran the attachment too.

This addiction was highlighted again only last week when the new Sober mass-mailing worm variant was found, so many people launched (clicked or double-clicked) on the attachment that within a few days it had stolen the crown from Netsky.P as the current most prevalent mass-mailer.

Maybe there is a need for a ‘real’ Click-a-holics Anonymous…..you never know it just might work ;-)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Thursday 18th November, 2004


What a Can of Worms…

Filed under: All, Malware

Many people [except us anoraks] believe that most malware spreads only via e-mail as attachments and embedded scripts in HTML based e-mail, however this has not been a true reflection of the [malware] problem for some time now.

Yes, e-mail is one of the primary infection vectors, however over the last two years, network shares (Windows shares) and peer to peer file sharing (via programs such as KaZaA, WinMX, Gnucleus, eDonkey and the many other file sharing programs) have also become a common route for malware to spread and infect new systems.

Share Me!
A network share simply refers to a folder (directory) on a hard drive that is shared out in such a manner to allow files within that folder to be accessed by other computers [and users] on the network. Some network shares are created by users in order to share files on their computers with friends or colleagues. Other shares may be created by the operating system itself (such as C$, Admin$ or IPC$), and may even be hidden (as indicated by a $ suffix in the share name [as used by Windows]).

In many ways the use of Windows shares is seen by many malware authors as the easiest and most stealthy way to infect new systems, as it doesn’t usually rely on user assistance to install the malware via the user running any code, and it is all done by the malware itself covertly through system and network calls.

Remote installation of such network-crawling worms via Windows shares is greatly eased by open shares (a Windows share without a password), default administration and other password-protected shares that use weak or easily guessed passwords, or, even worse, use the user id as the password, e.g. User id: DB2ADMIN, Password: DB2ADMIN.

Not only are shares used to compromise systems, but also to offer infected files to network and P2P users; these are usually named as cracks, full applications, screen savers or porn files, so as to attract as wide an audience of victims as possible.

Once installed these share-crawling worms may also load themselves, create registry keys to ensure that they are started automatically when Windows runs, and then start to scan the network looking for more unsecured [or weakly secured] hosts to turn into new typhoid Marys.

Building in Poor Security
The problem is exacerbated by the fact that many default installations of Windows 2000 and XP don’t allow you to set/reset the administrator password until after the operating system has been installed.

Many companies use static build snapshots; if you are using this method you may be facing a different problem.

Why? Well, unless you have set a ’strong’ password on the original system you imaged, you may well have given away the keys to your kingdom!

Furthermore, if you have the same default administrator password on all systems, then you will have a major problem when a brute force attack is successful on just one of your systems: the others are effectively also ‘owned’ by the malware. Game, set and match to the malware author.
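An added audit in this spirit (example code written for this page, not the author’s own tooling): it walks a constructed share and credential inventory and reports open shares, user ids used as passwords, weak or default passwords, and one Administrator password cloned across imaged hosts. The inventory, the default-password list and the length threshold are assumptions of the example.

```python
"""
Audit a share/credential inventory for the weaknesses described above.
Constructed inventory and thresholds are assumptions of this example.
"""
import hashlib
from collections import defaultdict

# Constructed inventory rows: (host, share, user id, password).
# An empty password means an open share.
INVENTORY = [
    ("ws01", "C$",     "Administrator", "Build2004!"),
    ("ws02", "C$",     "Administrator", "Build2004!"),
    ("ws03", "C$",     "Administrator", "Build2004!"),
    ("ws03", "Public", "",              ""),
    ("db01", "DB2",    "DB2ADMIN",      "DB2ADMIN"),
    ("fs01", "Data",   "backup",        "pass"),
    ("fs02", "Data",   "backup",        "Xq7#pLm2vR"),
]

# Constructed short list of defaults; a real audit would use a far longer one.
COMMON_DEFAULTS = {"password", "pass", "admin", "guest", "letmein"}
MIN_LENGTH = 8


def _fingerprint(password):
    """Short digest so the report can show reuse without echoing the password."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit(inventory):
    """Return a list of (host, share, finding) tuples."""
    findings = []
    admin_hosts = defaultdict(set)   # fingerprint -> hosts whose Administrator uses it
    for host, share, user, password in inventory:
        if password == "":
            findings.append((host, share, "open share: no password"))
            continue
        if password.lower() == user.lower():
            findings.append((host, share, f"password equals user id ({user})"))
        elif len(password) < MIN_LENGTH or password.lower() in COMMON_DEFAULTS:
            findings.append((host, share, "weak or default password"))
        if user.lower() == "administrator":
            admin_hosts[_fingerprint(password)].add(host)
    # The imaged-build problem: one Administrator password on many hosts means
    # one successful guess hands over all of them.
    for fp, hosts in admin_hosts.items():
        if len(hosts) > 1:
            findings.append(("*", "*", f"Administrator password {fp} reused on "
                                       f"{len(hosts)} hosts: {', '.join(sorted(hosts))}"))
    return findings


if __name__ == "__main__":
    for host, share, finding in audit(INVENTORY):
        print(f"{host:5} {share:7} {finding}")
```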

IM Out to Get You!
Over the last few years IM (Instant Messaging) worms have appeared; now we have over 1600 of them, many targeted at MSN Messenger, others using ICQ, AOL or Yahoo instead. However, to date all of these IM worms rely on user action to spread [such as clicking on a link]. Once a new IM worm is created that is automatic [requires no human interaction, other than being signed-in to the affected IM] then we could see millions of users infected in less than a minute…..sobering thought huh?

It makes the spread of Slammer, which infected 90 percent of all active infectable hosts on the internet in under 15 minutes, seem positively snail-like!



Wednesday 17th November, 2004


Zero Day Exploit Malware, Real or Hype?

Filed under: All, Malware

What is a Zero-Day Exploit?

A zero-day exploit is when the exploit for a vulnerability (a flaw/hole) in a product is created before, or on the same day as the vulnerability is learned about by the vendor. It is often also used to describe a situation where a vulnerability is exploited before the vendor has a patch available for their customers.

So far this year we’ve seen at least one so-called ‘Zero-Day’ worm…

What Applications Have Been Targeted?

Black Ice Defender (Witty.worm), almost a Zero-Day worm (+2 Days).

According to Joe Stewart of LURHQ “A vulnerability alert for the ISS products was released on March 18, and the worm [Witty] began spreading March 20. The writer of the worm either knew of the vulnerability before the announcement or wrote and tested the worm in less than two days.”

It is estimated that around 12,000 unpatched systems were infected. What is more worrying is that Witty was intentionally destructive - the worm slowly corrupts the file system of the infected host while it continues to find new hosts for it to spread to.

http://www.f-secure.com/v-descs/witty.shtml


Internet Explorer (MyDoom.AG/Bofra.A/C), a real honest to [insert deity of choice here] Zero-Day worm.

This was discovered on the 9th of November 2004 - still no patch from Microsoft yet (17th November 2004) for the vulnerability it used. So if you are not running Windows XP with Service Pack 2 (SP2) [or another non-vulnerable OS, such as Linux, Mac OS, etc.] then you may be exposed.

http://www.f-secure.com/v-descs/bofra_c.shtml


Windows NT, 2K, XP and Server 2003 (Golten/Alor), +30 Days.

This worm uses the vulnerability described in the Microsoft Security Bulletin known as MS04-032.

http://www.f-secure.com/v-descs/aler.shtml

Worst ever?
Back in 2001 we saw a ‘real’ Zero-Day worm (well, a Minus Twenty-Two-Day worm to be exact)…..

W32.Fever@mm was launched on the 7th of March but no patch was made available to plug the vulnerability until the 29th of the same month, that’s a whopping 22 days later!

http://www.f-secure.com/v-descs/fever.shtml

The Shrinking Window…
The window between a new vulnerability being found and a piece of malware exploiting it being created and released is getting smaller; it matters little whether a patch is available, as most end-users never, or rarely, patch their systems.

In the ‘old-days’ it could [and did] take years for such malware to be written and released, the threat landscape has changed beyond recognition in the last 3 years.

Now, we have new malware using vulnerabilities that are barely out of nappies, a few months old at most, others are new-borns and not even back at home yet, and [thankfully] even fewer that are still in the process of birth [vendor not yet informed].

What Can we expect for the future?

The general trend is towards a very small [or non-existent] time-frame between a new vulnerability being announced/found, exploit code being written, and finally malware using this as a method of entry into a vulnerable system being released. So, to answer the question I posed in the title of this blog entry, the threat is real [and becoming more real all the time], however there is still a lot of hype out there….

Links:

http://www.computerworld.com/securitytopics/security/virus/story/0,10801,91528,00.html

http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx


Postscript:
Just remember that only a small percentage of malware relies on vulnerabilities to get into and onto systems, so just because you are fully patched does not make you immune to malware….but that’s another posting.



Tuesday 16th November, 2004


The Arafat 419!

Filed under: All, Scams

In a posting last week, explaining what 419s are [aka Nigerian scam and Advance Fee Frauds], I intimated that I’d seen a new version using the death of Yasser Arafat as a new theme to try and get suckers, er…..I mean willing, naive victims to help out the unfortunate author of the e-mail. In this case the author is none other than Suha Arafat, or so the 419 claims…..In reality it is just the latest nasty, bad-taste twist in the Lagos boys’ attempts to dupe people.

Here it is in all its sick glory:

From: SUHA ARAFAT [mailto:xxxx@netscape.net]
Sent: Sunday, November 14, 2004 8:10 AM
To: xxx@xxxx.xxx
Subject: I NEED YOUR ASSISTANCE; SUHA ARAFAT
Importance: High

Dear Friend,

This mail may not be surprising to you if you have
been following current events in the international media with reference to the Middle
East and Palestine in particular.

I am Mrs. SUHA ARAFAT, the wife of YASSER ARAFAT,
the Palestinian leader who died recently in Paris. Since his death and even prior
to the announcement, I have been thrown into a state of antagonism, confusion, humiliation,
frustration and hopelessness by the present leadership of the Palestinian Liberation
Organization and the new Prime Minister. I have even been subjected to physical and
psychological torture. As a widow that is so traumatized, I have lost confidence with
everybody in the country at the moment.

You must have heard over the media reports and the
Internet on the discovery of some fund in my husband secret bank account and companies
and the allegations of some huge sums of money deposited by my husband in my name
of which I have refuses to disclose or give up to the corrupt Palestine Government.
In fact the total sum allegedly discovered by the Government so far is in the tune
of about $6.5 Billion Dollars. And they are not relenting on their effort to make
me poor for life. As you know, the Moslem community has no regards for woman, hence
my desire for a foreign assistance.

I have deposited the sum of 20 million dollars with
a security firm abroad whose name is withheld for now until we open communication.
I shall be grateful if you could receive this fund into your bank account for safe
keeping and any Investment opportunity. This arrangement is known to you and my personal
Attorney. He might be dealing with you directly for security reasons as the case may
be.

In view of the above, if you are willing to assist
for our mutual benefits, we will have to negotiate on your Percentage share of the
$20,000,000 that will be kept in your position for a while and invested in your name
for my trust pending when my Daughter, Zahwa, will come off age and take full responsibility
of her Family Estate/inheritance.

Please note that this is a golden opportunity that
comes once in life time and more so, if you are hornet, I am going to entrust more
funds in your care as this is one of the legacy we keep for our children.

In case you don’t accept please do not let me out
to the security and international media as I am giving you this information in total
trust and confidence I will greatly appreciate if you accept my proposal in good faith.
Please expedite action.

Yours sincerely,

Suha Arafat

Whatever you do, don’t fall for this scam [or any of its relations]; it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe; Mgbada.

Oh by the way, just in case you didn’t get it, this like all the other multitudinous versions is nothing more than a scam, there is no money [or other valuables, such as Oil, Gold, Diamonds, etc.]. To the boys from Lagos [the 419ers that run these scams] it is a business, some say it should be considered an African cottage industry, however they want to try and justify it, it is still a crime, no more, no less.



Monday 15th November, 2004


Write a virus, get caught [or not]..and..er..get offered a job!

Filed under: All, Malware

[Rant Mode On]

What sort of message is being given out by the current trend of a small minority of security firms who seem to be going out of their way to actively seek out and employ virus writers and ex-virus writers?

The current scenario seems to be, write a virus and get a well paid job in computer security or another IT sector…..is it me or is this just going to encourage more virus [malware] writing?

In the last few months we’ve had SecurePoint employ the creator of Netsky [many of which were quite destructive] and Sasser [Sven Jaschan] as a trainee software developer, working on the company’s firewall products. Would you buy a firewall from this company, knowing a self-confessed virus author may have had a hand in it?

Now we have Zoner employing Benny an ex-member of the 29A virus writing group, and what is he working on? Nothing less than Zoner’s own Anti-Virus product…Sheesh, someone needs a reality check! [Who would buy an anti-virus from such a company, would you?]

Don’t get me wrong I’m all for giving someone a second chance, but come off it, isn’t this a bit like letting a known arsonist run a firework factory…OK, yes that is a tad overblown, but you hopefully get the point I’m trying to make?

And if we look further back we can see that this is not a wholly new phenomenon: we have seen Chen Ing-Hau [author of CIH aka Chernobyl] get a job with a Taiwanese company who promptly published a press release boasting that they had a virus author on their staff. Jan de Witt [author of the so-called AnnaKournikova virus] was offered a job by his town’s Mayor in his IT department. And finally, Onel de Guzman [alleged author of LoveBug] was also offered a job.

I think the above clearly shows that some elements in society see malware authors as some form of glorified digital freedom fighters….when in reality they are nothing more than criminals and should be treated as such!

[Rant Mode Off] ;-)

Links to related stories:

http://www.theregister.co.uk/2004/11/12/vxer_job_controversy/

http://www.theregister.co.uk/2004/09/20/sasser_kiddo_offered_job/



Friday 12th November, 2004


A 419 by any other name……is still a scam!

Filed under: All, Scams

This is the second in a series of short introductory articles which will focus on specific threats:

The humble 419 (aka Nigerian Scam, Advance Fee Fraud) has been around for many years and keeps mutating to try and increase the number of suckers…er, I mean naive victims that fall for it. To help combat this and to aid understanding of what 419s are and how they work, I have written the following as a short introductory article:

A 419 by any other name……
419 frauds combine the threat of impersonation fraud with a variation of an advance fee scheme in which a letter or e-mail from Nigeria [or just about anywhere now!], offers the recipient the “opportunity” to share in a percentage of millions of dollars [or Euros, Pounds, etc.] that the author, quite often a self-proclaimed government official, doctor, engineer, bank official, etc., is trying to transfer illegally out of wherever.

The recipient is encouraged to send information to the author, such as blank letterhead stationery, bank name and account numbers and other identifying information, using a facsimile number provided in the letter [or more often now as scanned images via e-mail].

The scheme relies on convincing a willing victim, who has demonstrated a “propensity for larceny” by responding to the invitation, to send money to the author of the letter in Nigeria in several installments of increasing amounts for a variety of reasons. Payment of taxes, bribes to government officials, and legal fees are often described in great detail with the promise that all expenses will be reimbursed as soon as the funds are spirited out of Nigeria [or wherever].

In fact the millions of dollars do not exist and the victim eventually ends up with nothing but loss. Once the victim stops sending money, the perpetrators have been known to use the personal information and cheques that they received to impersonate the victim, draining bank accounts and credit card balances until the victim’s assets are completely exhausted.

For most law-abiding citizens the 419 e-mails/letters are seen for what they are, a hoax/scam; however, millions of dollars in losses are caused by these schemes annually around the world. The Nigerian government is not sympathetic to victims of these schemes, since the victim actually conspires to remove funds from Nigeria in a manner that is contrary to Nigerian law.

So where does the name 419 come from?
The scheme violates section 419 of the Nigerian criminal code, hence the label “419 fraud”, although the fraud is now commonplace outside of Nigeria too; in fact the scam has now circled the globe and I see variations from all over the world.

Variations on a theme…
The old and trusted recipe for 419s is still in use, however new mutations and completely new recipes have been created over the last two years. These include: bogus lottery winnings [for lotteries that you didn’t even enter], football teams, oil, diamonds, gold and many, many others.

Occasionally spoof versions are seen, such as ones using names such as George Bush, John Kerry, Osama Bin Laden and Saddam Hussein.

However, just yesterday [11th November 2004] the day that Yasser Arafat died, I saw a new 419 that was using his name and claiming to be from his widow…..talk about being sick and in bad taste!

The results are in…
There are many reports from both the UK and the USA that a surprising number of mugs…er…I mean unsuspecting victims have lost a significant amount of money, been lured to the originating country where they have been imprisoned, tortured and occasionally lost their life too (so much so that it has been the subject of an FBI warning as well as one from the US Secret Service). You can send copies of these scams to: 419.fcd@usss.treas.gov and they will follow them up. More details and a more exhaustive look at this issue can be found here.



Thursday 11th November, 2004


Gone Phishing, Back Later, as You!

Filed under: All, Scams

This is the first in a series of short introductory articles which will focus on specific threats:

Phishing has, over a short period of time, become a major source of identity theft. To help combat this and to aid understanding this short article will explain what (in general) Phishing is, and how it works:

Gone Phishing

If you are a customer of HSBC and received an e-mail which says it comes from:

HSBC Bank plc users-billing04@hsbc.co.uk

Which has the subject of: !Attention all HSBC Bank plc users

And the e-mail body looks like this:

What would you do?

Would you follow the instructions or would you send it to the bit-bucket (bin it)?

Those of you that decided to follow the instructions and click on the link would, instead of going to the official HSBC site to verify your details, in this case be redirected to a phishers’* web server hosted in Austin, Texas. Any data you entered there would be used by the phishers to empty your bank account, scary huh?

During 2004 the phenomenon of phishing has exploded. For example, the rate of phishing grew by 4,000% between November 2003 and the end of April 2004 alone.

If you think that people don’t fall for this scam then you are rather deluded; it is known that the average Phish trawl nets 5% of those that were offered the bait…hook, line and sinker!

What is Phishing?

Phish is an old term to describe accounts that have been hacked. Phishing is the term used to describe attempts to steal financial credentials from customers of financial corporations and online services.

In its simplest form phishing is social engineering and involves sending an e-mail to the intended victim that looks as if it has come from their bank or other financial institution or online service, such as PayPal, eBay or an ISP. The e-mail will then encourage the intended victim to disclose their confidential information such as login credentials, pass phrase or other account details. This data is then used by the perpetrators to make fraudulent withdrawals, or to make purchases by impersonating the victim with the stolen data (identity theft).

All the major UK (as well as many international and other foreign) banks and Building Societies have been targeted in 2004 and use of this technique shows no current sign of slowing. To combat this type of fraud a working group** has been set up to share information, to identify the size and cost of the problem, and finally to find and implement an industry-wide solution (or solutions) to the problem.

So, remember, if it smells or looks phishy, don’t swallow the bait or you’ll be the one landed and your account will be phished-out. If in doubt contact your bank or building society.

More details, statistics and advice can be found here: http://www.antiphishing.org

[*] Those that run phishing scams such as the one shown in this article.
[**]APWG (Anti-Phishing Working Group)
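An added example, not code from the original posting: a heuristic that picks up the mismatch this post describes between the claimed sender and where the link really leads. The two messages are constructed, and 203.0.113.10 is a documentation address standing in for the phishers’ server.

```python
"""
Heuristic check for the kind of phish shown above: the From: header names a
bank domain but the link in the body leads elsewhere. Constructed messages;
203.0.113.10 is a documentation address standing in for the phishers' server.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH = """\
From: HSBC Bank plc <users-billing04@hsbc.co.uk>
To: customer@example.com
Subject: !Attention all HSBC Bank plc users
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please verify your account details at
<a href="http://203.0.113.10/hsbc/verify.htm">https://www.hsbc.co.uk/verify</a>
within 24 hours or access will be suspended.</p></body></html>
"""

LEGIT = """\
From: HSBC Bank plc <statements@hsbc.co.uk>
To: customer@example.com
Subject: Your statement is ready
Content-Type: text/html; charset="us-ascii"

<html><body><p>Log in at <a href="https://www.hsbc.co.uk/">online banking</a>
to view it.</p></body></html>
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def check_message(raw):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",)).get_content()
    collector = _LinkCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        # 1. The link leaves the domain the sender claims to write from.
        if host and not _in_domain(host, sender_domain):
            findings.append(f"link host {host} is not under the sender domain {sender_domain}")
        # 2. A bank does not normally send you to a bare IP address.
        if IPV4.fullmatch(host):
            findings.append(f"link points at a bare IP address ({host})")
        # 3. The visible text is itself a URL that disagrees with the real href.
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != host:
                findings.append(f"visible text shows {shown_host} but the href goes to {host}")
    return findings


if __name__ == "__main__":
    for f in check_message(PHISH):
        print("PHISH:", f)
    print("LEGIT:", check_message(LEGIT) or "no findings")
```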



Wednesday 10th November, 2004


Goodbye MyDoom [AH/AG/AI], Hello Bofra [A/B]!

Filed under: All, Malware

Well, it is starting to happen, the momentum is building…..

What am I talking about? Simply this, The new so-called MyDoom variants are not MyDooms (as stated here on Tuesday), they are a new family altogether; Bofra.

Kaspersky has now joined the re-naming movement with regard to the so-called new MyDoom variants that were found earlier this week. This means that they now join F-Secure and SOPHOS.

Link to Kaspersky’s Blog Posting about this

So come on McAfee, Symantec and TREND* [and anyone else that is slacking in this latest naming game] get with the program, stop calling this MyDoom… ;-) It’s like calling us [Humans] cats, when we actually share more genetic heritage with rodents than carnivores, so we should be classified by some AV company logic as cats [or rats for that matter?] ;-)

Kaspersky have also just stated that they have found another variant of Bofra, which they will label as I-Worm.Bofra.c
SOPHOS have just posted an IDE/Description for yet another variant [maybe] of Bofra, Bofra.d

I get the feeling that this won’t be the last post on this subject….but that’s another posting.

* TREND has started to rename these, they have so far renamed MyDoom.AH to Bofra.A



Tuesday 9th November, 2004


New MyDooms or Not New MyDooms?

Filed under: All, Malware

Hmmm….. well it seems that we are off to a good start today!

First I received a number of alerts about two new MyDoom variants that appear to have ‘got lucky’ and are spreading in the wild.

Links to descriptions of these so-called MyDooms:

Now, however it seems they may not be MyDooms at all, but something altogether new instead.
I just adore the ‘high-tech’ illustration of the spreading mechanism on this blog ;-)

So what do we know about them so far?

Well the following is the current facts that have been established:

  • It uses the new vulnerability only discovered on the 2nd of November. This vulnerability is in Internet Explorer 6 and will work on unpatched systems. The vulnerability is linked to the use of the IFRAME html tags and how they are parsed. More details on this can be found here. NO PATCH EXISTS AT THE TIME OF POSTING
  • The worm arrives as an e-mail, the following are the body texts that have been seen so far, there are probably others:

    Congratulations!

    PayPal has successfully charged $175 to your credit card.

    Your order tracking number is A866DEC0, and your item will be shipped within three business days.
    To see details please click this link.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL!
    This email is being sent by an automated message system and the reply will not be received.
    Thank you for using PayPal

    OR:

    Hi!

    I am looking for new friends.My name is Jane, I am from Miami, FL.
    See my homepage with my weblog and last webcam photos!

    See you!

    OR:

    Hi!

    I am looking for new friends. I am from Miami, FL.
    You can see my homepage  with my last webcam photos!

  • There is NO attachment; the worm gets installed when the recipient clicks on the link (it only installs itself on an unpatched system, not on a non-vulnerable system such as Windows XP with SP2, Firefox or Linux ;-) ).
  • The link leads to an already infected system, which uses the vulnerability to install the binary code of the worm onto the recipient’s system. The worm then installs itself, spawns a ‘web server’ (believed to be on port 1639) to host the infected file on, and then sends out e-mails (with forged from addresses) to potential new victims.
  • It also connects to IRC.
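An added example (not from the posting, nor from any vendor): detection logic over constructed firewall log lines that looks for the spreading pattern listed above. Port 1639 is the posting’s ‘believed’ figure; the log format, the internal 10.0.0.x range, the IRC port 6667 and the mail fan-out threshold are assumptions of this example.

```python
"""
Triage firewall log lines for the Bofra-style pattern described above:
a host follows a lure link to a 1639/tcp web server, joins IRC, fans out
SMTP connections and finally serves the binary on 1639/tcp itself.
Log format, internal range, IRC port and threshold are assumptions.
"""
import re
from collections import defaultdict

INTERNAL_PREFIX = "10.0.0."        # assumed internal address range
WORM_HTTP_PORT = 1639              # from the posting ("believed to be on port 1639")
IRC_PORT = 6667                    # conventional IRC port, an assumption here
SMTP_FANOUT_THRESHOLD = 3          # distinct mail servers before we call it mass-mailing

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ALLOW TCP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 follows a lure link, joins IRC, starts mailing and
# then serves the binary itself; 10.0.0.8 is ordinary browsing plus one mail.
SAMPLE_LOG = """\
2004-11-09 10:15:01 ALLOW TCP 10.0.0.5:3421 -> 198.51.100.7:1639
2004-11-09 10:15:09 ALLOW TCP 10.0.0.5:3422 -> 198.51.100.9:6667
2004-11-09 10:15:10 ALLOW TCP 10.0.0.5:3423 -> 192.0.2.20:25
2004-11-09 10:15:11 ALLOW TCP 10.0.0.5:3424 -> 192.0.2.21:25
2004-11-09 10:15:12 ALLOW TCP 10.0.0.5:3425 -> 192.0.2.22:25
2004-11-09 10:15:13 ALLOW TCP 10.0.0.5:3426 -> 192.0.2.23:25
2004-11-09 10:16:30 ALLOW TCP 203.0.113.44:51000 -> 10.0.0.5:1639
2004-11-09 10:17:02 ALLOW TCP 10.0.0.8:4001 -> 192.0.2.30:80
2004-11-09 10:17:05 ALLOW TCP 10.0.0.8:4002 -> 192.0.2.31:25
"""


def parse_line(line):
    """Return (src, sport, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return d["src"], int(d["sport"]), d["dst"], int(d["dport"])


def triage(lines):
    """Map each internal host to the sorted list of indicators it shows."""
    indicators = defaultdict(set)
    smtp_targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _, dst, dport = parsed
        if src.startswith(INTERNAL_PREFIX):
            if dport == WORM_HTTP_PORT:
                indicators[src].add("fetched from a 1639/tcp web server (lure link followed)")
            elif dport == IRC_PORT:
                indicators[src].add("IRC connection")
            elif dport == 25:
                smtp_targets[src].add(dst)
        # Inbound hits on 1639 mean the host is now the one offering the binary.
        if dst.startswith(INTERNAL_PREFIX) and dport == WORM_HTTP_PORT:
            indicators[dst].add("accepting connections on 1639/tcp (hosting the worm)")
    for host, targets in smtp_targets.items():
        if len(targets) >= SMTP_FANOUT_THRESHOLD:
            indicators[host].add(f"SMTP fan-out to {len(targets)} mail servers")
    return {h: sorted(i) for h, i in indicators.items()}


def suspected_hosts(report, min_indicators=2):
    """Hosts showing at least min_indicators signs; one alone may be benign."""
    return sorted(h for h, inds in report.items() if len(inds) >= min_indicators)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for host in suspected_hosts(report):
        print(host)
        for ind in report[host]:
            print("   -", ind)
```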

Help?

So, what do you use to disinfect yourself at this time? I suggest this for now: McAfee’s Stinger.

To stop the exploit in its tracks, you can do the following:

Use another browser, such as Mozilla, Firefox, etc. instead of IE6.



Thursday 4th November, 2004


October Review….

Filed under: All, Malware, Stats

Well October has come and gone (yet again) and on the Malware front it was rather a mixed month. As expected a fair number of new malware were written and released, although fewer than in August, and very little of it ‘got lucky’, so very few major outbreaks happened, which is always welcome. However, it seems that the malware authors have gone back to releasing their creations on Fridays once more, after a short flirtatious period with Mondays instead.

Several new Bagle variants were released at the end of October and caused some concern and confusion for about 24 hours as vendors argued over which variant was which, partially due to three distinct variants being released at the same time. Meanwhile their customers were left confused and desperately trying to get protection in place, but they weren’t sure what to ask for. This was exacerbated by the Bagles’ ‘dodgy’ code, which meant that they often sent out 0 (zero) byte attachments instead of functional copies of themselves.
Why is that a problem? Because it causes panic: users think that their AV is not working properly as it is letting the e-mail through (although it is not viable or infectious).

The total number of known malware grew to 106,378 [source: McAfee]; that's a jump of 2,928 in one month.

Right, as promised, I've collated a pile of statistics for October from my many malware sensors and traps; more can be found on my personal web site.

First my Worm Charmer stats:

Top threats (by family) from my WormCharmer* data were:

Netsky                    18.77%
Opaserv                   18.70%
Protoride                 14.54%
Ranky                     10.00%
SdBot                      9.93%
Ranky and SdBot Dropper    7.20%
Zafi                       7.16%
Bagle                      5.59%

* The raw data can be found later on in this posting.
The paper describing the Worm Charmer system can be found here.

Bayesian Filtering Malware stats:

The following chart shows data from my Bayesian Filtering research, which was covered in the paper I recently presented at the Virus Bulletin International Conference in Chicago. The statistics have been updated to include the data from October, and the chart shows the percentage of malware being classified each month; as you can see, October was the quietest month so far this year.

As you can clearly see, my Bayesian Filtering shows the escalation of the Bagle, MyDoom and Netsky war that started in January, really took off from March, and went into overdrive in April.

Here are my detailed statistics for October 2004 from WormCharmer:

Backdoor.Rirc.a = 4
Backdoor.Rirc.b = 11
Backdoor.Win32.Agobot.vm = 79
Backdoor.Win32.SdBot.gen = 150
Backdoor.Win32.Sdbot.nv = 14
Backdoor.Win32.Sdbot.sk = 7
Backdoor.Win32.SdBot.sm = 113
SdBot.gen_&_Ranky.ap_Dropper = 37
SdBot.gen_&_Ranky.at_Dropper = 30
SdBot.nv_&_Ranky.an_Dropper = 13
SdBot.nv_&_Ranky.ax_Dropper = 3
SdBot.sk_&_Ranky.ax_Dropper = 8
SdBot.sm_&_Ranky.an_Dropper = 33
SdBot.sm_&_Ranky.ax_Dropper = 82
TrojanProxy.Win32.Ranky.an = 60
TrojanProxy.Win32.Ranky.ap = 92
TrojanProxy.Win32.Ranky.at = 30
TrojanProxy.Win32.Ranky.ax = 104
W32.Bagle.aa@MM = 81
W32.Bagle.ab@MM = 2
W32.Bagle.af@MM = 1
W32.Bagle.az@MM = 11
W32.Bagle.bb@MM = 27
W32.Bagle.bd@MM = 27
W32.Bagle.eml!ms03-032 = 2
W32.Bagle.gen@MM!pwdzip = 1
W32.Bagle.h@MM = 1
W32.Bagle.j@MM = 1
W32.Bagle.l@MM = 1
W32.Bagle.m@MM = 1
W32.Bagle.n@MM = 2
W32.Bagle.p@MM = 2
W32.Dupator = 44
W32.FunLove.gen = 19
W32.Jeefo = 8
W32.Mabutu.a@MM = 12
W32.Mydoom.o@MM = 3
W32.Netsky.ab@MM = 2
W32.Netsky.b@MM = 45
W32.Netsky.c@MM = 6
W32.Netsky.d@MM = 83
W32.Netsky.j@MM = 1
W32.Netsky.p@MM = 344
W32.Netsky.s@MM = 1
W32.Netsky.w@MM = 1
W32.Netsky.z@MM = 54
W32.Opaserv.worm.a = 38
W32.Opaserv.worm.ac = 62
W32.Opaserv.worm.ad = 35
W32.Opaserv.worm.ae = 46
W32.Opaserv.worm.ah = 33
W32.Opaserv.worm.ai = 58
W32.Opaserv.worm.aj = 1
W32.Opaserv.worm.al = 13
W32.Opaserv.worm.b = 2
W32.Opaserv.worm.d = 68
W32.Opaserv.worm.dam = 1
W32.Opaserv.worm.e = 31
W32.Opaserv.worm.f = 6
W32.Opaserv.worm.g = 37
W32.Opaserv.worm.gen = 2
W32.Opaserv.worm.i = 48
W32.Opaserv.worm.k = 49
W32.Opaserv.worm.p = 5
W32.Pate.a = 1
W32.Pate.b = 2
W32.Tenrobot.b = 1
W32.Valla.a = 1
W32.Zafi.b@MM = 205
W95.Lorez.a = 3
Win32.Weird.10240 = 1
Win95.Spaces.1445.a = 9
Win95.Whog.878.b = 1
Worm.Win32.Pinom.f = 4
Worm.Win32.Pinom.gen = 5
Worm.Win32.Protoride.aa = 77
Worm.Win32.Protoride.ae = 9
Worm.Win32.Protoride.af = 8
Worm.Win32.Protoride.gen = 80
Worm.Win32.Protoride.j = 5
Worm.Win32.Protoride.k = 218
Worm.Win32.Protoride.l = 4
Worm.Win32.Protoride.q = 9
Worm.Win32.Protoride.y = 6
WORM_AGOBOT.QI = 21
WORM_DARBY.G = 1
WORM_PLEXUS.B = 1

87 distinct malware variants trapped
2860 samples trapped in total

Please drop me a line if you would like me to post future monthly data to this blog, or indeed anything that you’d like me to cover.

Same again next month?


