MoMusings

Thursday 4th November, 2004


October Review….

Filed under: All, Malware, Stats

Well, October has come and gone (yet again), and on the malware front it was rather a mixed month. As expected, a fair number of new malware were written and released, although fewer than in August, and very little of it ‘got lucky’, so very few major outbreaks happened, which is always welcome. However, it seems that the malware authors have gone back to releasing their creations on Fridays once more, after a short flirtation with Mondays instead.

Several new Bagle variants were released at the end of October and caused some concern and confusion for about 24 hours as vendors argued over which variant they were, partly because three distinct variants were released at the same time. Meanwhile their customers were left confused and desperately trying to get protection in place, but unsure what to ask for. This was exacerbated by Bagle’s ‘dodgy’ code, which meant that it often sent out 0 (zero) byte attachments instead of functional copies of itself.
Why is that a problem? Because it causes panic: users think that their AV is not working properly because it is letting the e-mail through, even though an empty attachment is not viable or infectious.
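To make that concrete, here is an added example (mine, not code from the original post or from any AV product) that parses a raw mail and reports whether each attachment is a zero-byte non-viable copy, a file whose bytes do not match its claimed type, or a live sample worth submitting to your AV vendor. The message, its addresses, filenames and attachment bytes are constructed for the example; the signature table is an assumption that covers only the extensions checked here.

```python
"""Triage the attachments of one mail: is each a viable (non-empty, well-formed) file?

Added example, not code from the original post or from any AV vendor. The
message below is constructed here: the addresses, subject, filenames and the
attachment bytes are invented, shaped like a mass-mailer's output with one
zero-byte attachment of the kind the post describes.
"""
import email
from email import policy

SAMPLE_EML = b"""\
From: someone@example.com
To: helpdesk@example.org
Subject: Re: Thank you!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="us-ascii"

For details see the attached file.
--part-boundary
Content-Type: application/octet-stream; name="price.zip"
Content-Disposition: attachment; filename="price.zip"
Content-Transfer-Encoding: base64

--part-boundary
Content-Type: application/octet-stream; name="details.zip"
Content-Disposition: attachment; filename="details.zip"
Content-Transfer-Encoding: base64

UEsDBAoA
--part-boundary
Content-Type: application/octet-stream; name="photo.exe"
Content-Disposition: attachment; filename="photo.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--part-boundary--
"""

# File signatures a real copy of the claimed type must start with. Constructed
# table (an assumption) covering only the extensions this check cares about.
MAGIC = {"zip": b"PK\x03\x04", "exe": b"MZ", "scr": b"MZ", "pif": b"MZ"}


def classify(filename, payload):
    """Return a short verdict for one decoded attachment."""
    if len(payload) == 0:
        return "empty: zero bytes, not infectious (nothing for AV to detect)"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = MAGIC.get(ext)
    if magic and not payload.startswith(magic):
        return f"malformed: {len(payload)} bytes but not a valid .{ext} header"
    return f"viable: {len(payload)} bytes, treat as a live sample"


def triage_attachments(raw):
    """Parse a raw RFC 822 message and classify every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # decode=True undoes the base64 transfer encoding; an empty body gives b"".
        payload = part.get_payload(decode=True) or b""
        report.append((name, len(payload), classify(name, payload)))
    return report


if __name__ == "__main__":
    for name, size, verdict in triage_attachments(SAMPLE_EML):
        print(f"{name:14s} {size:6d}  {verdict}")
```

Run against a mailbox export, the first verdict is the one to hand to a worried user: a zero-byte attachment was delivered because there was nothing for the scanner to match, not because the scanner failed.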

The total number of known malware grew to 106,378 [source: McAfee]; that’s a jump of 2,928 in one month.

Right, as promised, I’ve collated a pile of statistics for October from my many malware sensors and traps; more can be found on my personal web site.

First my Worm Charmer stats:

Top threats (by family) from my WormCharmer* data were:

Family                     Share of samples
Netsky                     18.77%
Opaserv                    18.70%
Protoride                  14.54%
Ranky                      10.00%
SdBot                       9.93%
Ranky and SdBot Dropper     7.20%
Zafi                        7.16%
Bagle                       5.59%

* The raw data can be found later in this posting.
The paper describing the Worm Charmer system can be found here.

Bayesian Filtering Malware stats:

The following chart shows data from my Bayesian Filtering research, which was covered in the paper I recently presented at the Virus Bulletin International Conference in Chicago. The statistics have been updated to include the data from October; the chart shows the percentage of malware being classified each month, and as you can see October was the quietest month so far this year.

As you can clearly see, my Bayesian Filtering shows the escalation of the Bagle, MyDoom and Netsky war, which started in January, really took off from March and went into overdrive in April.

Here are my detailed statistics for October 2004 from WormCharmer:

Backdoor.Rirc.a = 4
Backdoor.Rirc.b = 11
Backdoor.Win32.Agobot.vm = 79
Backdoor.Win32.SdBot.gen = 150
Backdoor.Win32.Sdbot.nv = 14
Backdoor.Win32.Sdbot.sk = 7
Backdoor.Win32.SdBot.sm = 113
SdBot.gen_&_Ranky.ap_Dropper = 37
SdBot.gen_&_Ranky.at_Dropper = 30
SdBot.nv_&_Ranky.an_Dropper = 13
SdBot.nv_&_Ranky.ax_Dropper = 3
SdBot.sk_&_Ranky.ax_Dropper = 8
SdBot.sm_&_Ranky.an_Dropper = 33
SdBot.sm_&_Ranky.ax_Dropper = 82
TrojanProxy.Win32.Ranky.an = 60
TrojanProxy.Win32.Ranky.ap = 92
TrojanProxy.Win32.Ranky.at = 30
TrojanProxy.Win32.Ranky.ax = 104
W32.Bagle.aa@MM = 81
W32.Bagle.ab@MM = 2
W32.Bagle.af@MM = 1
W32.Bagle.az@MM = 11
W32.Bagle.bb@MM = 27
W32.Bagle.bd@MM = 27
W32.Bagle.eml!ms03-032 = 2
W32.Bagle.gen@MM!pwdzip = 1
W32.Bagle.h@MM = 1
W32.Bagle.j@MM = 1
W32.Bagle.l@MM = 1
W32.Bagle.m@MM = 1
W32.Bagle.n@MM = 2
W32.Bagle.p@MM = 2
W32.Dupator = 44
W32.FunLove.gen = 19
W32.Jeefo = 8
W32.Mabutu.a@MM = 12
W32.Mydoom.o@MM = 3
W32.Netsky.ab@MM = 2
W32.Netsky.b@MM = 45
W32.Netsky.c@MM = 6
W32.Netsky.d@MM = 83
W32.Netsky.j@MM = 1
W32.Netsky.p@MM = 344
W32.Netsky.s@MM = 1
W32.Netsky.w@MM = 1
W32.Netsky.z@MM = 54
W32.Opaserv.worm.a = 38
W32.Opaserv.worm.ac = 62
W32.Opaserv.worm.ad = 35
W32.Opaserv.worm.ae = 46
W32.Opaserv.worm.ah = 33
W32.Opaserv.worm.ai = 58
W32.Opaserv.worm.aj = 1
W32.Opaserv.worm.al = 13
W32.Opaserv.worm.b = 2
W32.Opaserv.worm.d = 68
W32.Opaserv.worm.dam = 1
W32.Opaserv.worm.e = 31
W32.Opaserv.worm.f = 6
W32.Opaserv.worm.g = 37
W32.Opaserv.worm.gen = 2
W32.Opaserv.worm.i = 48
W32.Opaserv.worm.k = 49
W32.Opaserv.worm.p = 5
W32.Pate.a = 1
W32.Pate.b = 2
W32.Tenrobot.b = 1
W32.Valla.a = 1
W32.Zafi.b@MM = 205
W95.Lorez.a = 3
Win32.Weird.10240 = 1
Win95.Spaces.1445.a = 9
Win95.Whog.878.b = 1
Worm.Win32.Pinom.f = 4
Worm.Win32.Pinom.gen = 5
Worm.Win32.Protoride.aa = 77
Worm.Win32.Protoride.ae = 9
Worm.Win32.Protoride.af = 8
Worm.Win32.Protoride.gen = 80
Worm.Win32.Protoride.j = 5
Worm.Win32.Protoride.k = 218
Worm.Win32.Protoride.l = 4
Worm.Win32.Protoride.q = 9
Worm.Win32.Protoride.y = 6
WORM_AGOBOT.QI = 21
WORM_DARBY.G = 1
WORM_PLEXUS.B = 1

87 distinct malware trapped
2860 samples trapped in total
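The family percentages in the top-threats table above are what you get by grouping these per-variant counts by family. As an added example (mine, not the WormCharmer code), the script below does that grouping over the October list, copied verbatim into one comma-separated string, and reproduces the top-family table and the two totals. The family-extraction rules are my assumptions: they cover the three naming conventions that appear in the list (Kaspersky-style Type.Platform.Family.variant, McAfee-style W32.Family.variant@MM and Trend-style TYPE_FAMILY.VARIANT), fold case differences such as SdBot/Sdbot together, and treat each ‘SdBot & Ranky’ dropper as its own family, as the table does. Percentages are truncated rather than rounded, which is what the figures above appear to be.

```python
"""Aggregate per-variant trap counts into per-family shares.

Added example, not the WormCharmer code. RAW is the October 2004 list from
the post, compacted to one comma-separated string. The family-extraction
rules are assumptions that happen to cover the three vendor naming styles
in that list; they are not any vendor's official scheme.
"""
import re
from collections import Counter

RAW = """
Backdoor.Rirc.a=4, Backdoor.Rirc.b=11, Backdoor.Win32.Agobot.vm=79, Backdoor.Win32.SdBot.gen=150,
Backdoor.Win32.Sdbot.nv=14, Backdoor.Win32.Sdbot.sk=7, Backdoor.Win32.SdBot.sm=113,
SdBot.gen_&_Ranky.ap_Dropper=37, SdBot.gen_&_Ranky.at_Dropper=30, SdBot.nv_&_Ranky.an_Dropper=13,
SdBot.nv_&_Ranky.ax_Dropper=3, SdBot.sk_&_Ranky.ax_Dropper=8, SdBot.sm_&_Ranky.an_Dropper=33,
SdBot.sm_&_Ranky.ax_Dropper=82, TrojanProxy.Win32.Ranky.an=60, TrojanProxy.Win32.Ranky.ap=92,
TrojanProxy.Win32.Ranky.at=30, TrojanProxy.Win32.Ranky.ax=104, W32.Bagle.aa@MM=81, W32.Bagle.ab@MM=2,
W32.Bagle.af@MM=1, W32.Bagle.az@MM=11, W32.Bagle.bb@MM=27, W32.Bagle.bd@MM=27, W32.Bagle.eml!ms03-032=2,
W32.Bagle.gen@MM!pwdzip=1, W32.Bagle.h@MM=1, W32.Bagle.j@MM=1, W32.Bagle.l@MM=1, W32.Bagle.m@MM=1,
W32.Bagle.n@MM=2, W32.Bagle.p@MM=2, W32.Dupator=44, W32.FunLove.gen=19, W32.Jeefo=8, W32.Mabutu.a@MM=12,
W32.Mydoom.o@MM=3, W32.Netsky.ab@MM=2, W32.Netsky.b@MM=45, W32.Netsky.c@MM=6, W32.Netsky.d@MM=83,
W32.Netsky.j@MM=1, W32.Netsky.p@MM=344, W32.Netsky.s@MM=1, W32.Netsky.w@MM=1, W32.Netsky.z@MM=54,
W32.Opaserv.worm.a=38, W32.Opaserv.worm.ac=62, W32.Opaserv.worm.ad=35, W32.Opaserv.worm.ae=46,
W32.Opaserv.worm.ah=33, W32.Opaserv.worm.ai=58, W32.Opaserv.worm.aj=1, W32.Opaserv.worm.al=13,
W32.Opaserv.worm.b=2, W32.Opaserv.worm.d=68, W32.Opaserv.worm.dam=1, W32.Opaserv.worm.e=31,
W32.Opaserv.worm.f=6, W32.Opaserv.worm.g=37, W32.Opaserv.worm.gen=2, W32.Opaserv.worm.i=48,
W32.Opaserv.worm.k=49, W32.Opaserv.worm.p=5, W32.Pate.a=1, W32.Pate.b=2, W32.Tenrobot.b=1, W32.Valla.a=1,
W32.Zafi.b@MM=205, W95.Lorez.a=3, Win32.Weird.10240=1, Win95.Spaces.1445.a=9, Win95.Whog.878.b=1,
Worm.Win32.Pinom.f=4, Worm.Win32.Pinom.gen=5, Worm.Win32.Protoride.aa=77, Worm.Win32.Protoride.ae=9,
Worm.Win32.Protoride.af=8, Worm.Win32.Protoride.gen=80, Worm.Win32.Protoride.j=5, Worm.Win32.Protoride.k=218,
Worm.Win32.Protoride.l=4, Worm.Win32.Protoride.q=9, Worm.Win32.Protoride.y=6, WORM_AGOBOT.QI=21,
WORM_DARBY.G=1, WORM_PLEXUS.B=1
"""

# Leading name tokens that describe threat type or platform, not the family (assumed lists).
SKIP_TOKENS = {"backdoor", "trojan", "trojanproxy", "worm", "virus", "email-worm", "net-worm",
               "w32", "win32", "w95", "win95", "win9x"}
TREND_STYLE = re.compile(r"^[A-Z]+_[A-Z0-9]+(?:\.[A-Z0-9]+)?$")


def family_of(name):
    """Map one vendor detection name to a lower-case family key."""
    # Combined dropper such as "SdBot.gen_&_Ranky.ap_Dropper": one family per payload, order-independent.
    if "_&_" in name:
        left, right = name.split("_&_", 1)
        right = re.sub(r"_Dropper$", "", right, flags=re.IGNORECASE)
        a, b = sorted((family_of(left), family_of(right)))
        return f"{a} & {b} dropper"
    # Trend Micro style "WORM_AGOBOT.QI": family is the word after the underscore.
    if TREND_STYLE.match(name):
        return name.split("_", 1)[1].split(".", 1)[0].lower()
    # Dotted style: drop modifiers ("@MM", "!pwdzip", "!ms03-032"), then type/platform prefixes.
    tokens = re.split(r"[@!]", name, maxsplit=1)[0].split(".")
    while tokens and tokens[0].lower() in SKIP_TOKENS:
        tokens.pop(0)
    return tokens[0].lower()


def parse_counts(raw):
    """'Name=count, Name=count, ...' -> {name: count}."""
    counts = {}
    for entry in raw.replace("\n", " ").split(","):
        entry = entry.strip()
        if entry:
            name, value = entry.rsplit("=", 1)
            counts[name.strip()] = int(value)
    return counts


def family_shares(counts):
    """Per-family (samples, share in basis points, truncated), most common first."""
    total = sum(counts.values())
    per_family = Counter()
    for name, n in counts.items():
        per_family[family_of(name)] += n
    # Integer arithmetic: 1877 basis points is 18.77%, truncated like the post's figures.
    return {fam: (n, n * 10000 // total) for fam, n in per_family.most_common()}, total


def summary(raw=RAW):
    counts = parse_counts(raw)
    shares, total = family_shares(counts)
    return {"distinct": len(counts), "total": total, "shares": shares}


if __name__ == "__main__":
    s = summary()
    print(f"{s['distinct']} distinct malware, {s['total']} samples")
    for fam, (n, bp) in list(s["shares"].items())[:8]:
        print(f"{fam:26s} {n:5d}  {bp // 100}.{bp % 100:02d}%")
```

Grouping by family rather than by detection name is what makes the numbers comparable across vendors; note that Agobot, which is split between a Kaspersky-style and a Trend-style name, only adds up to 100 samples once both are folded together, which is why it does not make the top eight.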

Please drop me a line if you would like me to post future monthly data to this blog, or indeed anything that you’d like me to cover.

Same again next month?


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.
