December 2004 Review
December 2004 was a very busy month for me, the malware authors [obviously school holidays, again!] and the anti-malware community in general.
This blog entry will look at some of the things that happened during the month.
I submitted twenty-three new [unknown] viruses/worms/bots during the month, which is over double the average number I submit in a ‘normal’ month. This in itself is rather remarkable.
Anyway, let’s have a look at some statistics and see what they can tell us:
I have included a number of graphs to show what both I and the anti-virus vendors were seeing during the month and this will hopefully give you a flavour of what was going on.
I have included three sources of information for the graphs and pie charts. These are:
- Kaspersky
- WormCharmer
- Malware Bayesian Filter
The last two are my own projects, and all of their data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 2+ years, Malware Bayesian Filter for 1+ year.
More details on these ‘personal’ projects can be found in the papers section of my website, as both have been written up as conference papers.
The first pie chart shows the top ten malware that were caught by my WormCharmer system. As you can clearly see, Sober.j [which was unleashed on the Internet in November] was by far the most prevalent malware that was caught by my ‘sample capture’ tools. It also shows that e-mail worms are not always the most prevalent threats, as four out of the ten are share-crawling worms and multi-component droppers.
In total during December 2004 I trapped 141 distinct malware types [4878 samples in total], compared to November when I only trapped 106 distinct malware types [4776 samples in total].
If you compare the above to the data from Kaspersky you will see some marked differences.
Why? Simply put, my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running around the Internet in the way of net nasties.
Now, let’s switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 here. This clearly shows that December was busier than November [but not as busy as April and May] as far as e-mail based malware was concerned. However, as mentioned previously, other malware [bots, worms, multi-component malware] has been even more active during December.
The raw statistics (both CSV and graphed) can be found in the usual place on my site.
If you feel you need access then please contact me to discuss.
I’ll post a review of the whole of 2004 as soon as I can find a little spare time.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

