2004 Malware Review
Well, another year has come and gone [where do they all go!] and the malware authors have excelled themselves for the second year running.
The following section is a modified [and annotated] extract from my “Malware Review of 2004” report:
The year 2004 was the 21st anniversary of the birth of malware and it was a real ‘game of two halves’. What do I mean by that?
The first half of 2004 was mainly dominated by the ‘Malware Wars’ between the authors of MyDoom, Netsky and Bagle, which resulted in dozens of variants for each family.
The peak of this war was in April; by May it had started to slow, and by the end of June the war had degenerated into the occasional bout of name calling and handbags at six paces. The top performer was Netsky.P, which accounted for more than a quarter of all reported virus incidents (source: Sophos) and was the most prevalent threat for eight months; four other Netsky variants also made it into the top ten. The other big worm that caused a lot of grief was Sasser. The thing to note here is that the author of Netsky and the author of Sasser are one and the same: Sven Jaschan, an 18-year-old German who was arrested in May 2004. Ironically, Jaschan was ‘fingered’ by one of his friends, who was after the Microsoft bounty of $250,000 USD. Even more ironically, Jaschan now works for a computer security company in Germany.
The second half of the year was dominated more by bots and other network worms. The Agobot, Rbot, SdBot and Protoride families have been particularly fecund, producing new variants with increasing frequency, and with new features to boot. The SdBot family alone now has over 3,000 variants [members].
The other major shifts this year have been the rise of phishing, which has grown around 5,000 percent over the last year; spyware becoming a major headache for home users and showing signs that it will become a headache for many companies during 2005; and the move from very visible ‘in-your-face’ malware to sneakier, stealthier worms that are almost invisible as they spread without user intervention. The spreading methods used include open Windows shares, exploiting vulnerabilities in the OS and applications, and carrying a built-in list of passwords to perform dictionary attacks on Windows shares.
The malware problem in 2004 was mainly concentrated on the Windows platform. No major new malware was detected for Linux, although there is an increase in malware written specifically to target Linux. The Apple Mac was targeted this year by a ‘rootkit’. A small but growing number of viruses aimed at PDAs or mobile phones were discovered; this is a real change, and I suspect that this will fast become the new battleground. The source code for the Cabir worm has now been released, so expect a flurry of copycats using it as the basis for new PDA/mobile phone worms that infect via Bluetooth or other mechanisms.
During the last few weeks of December we saw the rise of PHP worms, originally targeted at one specific bulletin board package but then extended to attack any PHP-based website. In all cases the worm uses a search engine to find new hosts to attack.
The number of known viruses grew by 28,327 in 2004, bringing the running total to 112,438 by the end of the year. This compares with 2003, when the total grew by 20,077 to 84,111, and 2002, when known viruses grew by only 4,551 to a running total of 64,034 at the end of 2002. In relative terms that is an increase of about 34% during 2004 (28,327 new on a base of 84,111) against about 31% during 2003 (20,077 on 64,034); put another way, the viruses discovered in 2004 alone make up a quarter of everything known at the end of the year….. So you can see that the bad guys are still going full tilt on producing new malware.
So let us look at my own statistics for 2004 from my ‘personal’ early-warning systems running on an ADSL link from my home; first the top 10 malware trapped by my WormCharmer:

As you can see from the pie chart above, e-mail worms took seven of the ten slots overall for 2004. The other very active malware that didn’t spread via e-mail were three of the many, many Opaserve share-crawling worms.
Overall during 2004 my WormCharmer trapped 437 distinct malware [and variants]; 56,478 samples were caught in total.
Below are my statistics from my Bayesian filtering tool. Bayesian filtering is mainly used for filtering spam; however, I trained mine to classify not only spam but also malware, 419s and phishing scams.

The first graph [above] shows the percentage of malware trapped each month of 2004. You can clearly see the effect of the malware wars of the first half of the year.
Below is the graph that shows the data for Phishing scams which I trained the system to classify during June of 2004. As you can see the growth has been pretty amazing.

The next graph shows the percentage of 419 scams each month of 2004. If you don’t know what 419s are then I suggest you read some of my earlier postings to this blog. In a nutshell, they are advance-fee fraud scams.

The final graph shows all the classifications I currently use on my Bayesian Filtering project for all my personal e-mail accounts:

This shows the overall percentages for each classification compared to all the others. Phishing is a tiny proportion at the moment; however, it is almost doubling every month. Spam is currently running at around 39 percent [January 2005], but if I add in the other ‘rubbish’ then that figure jumps to 57 percent! Compare that with last year: in February 2004 over 70 percent of all my incoming mail was ‘rubbish’ [spam, 419s or malware].
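The multi-class Bayesian filtering described above, as an added example that is not the author’s tool and not code from the original page: a multinomial naive Bayes classifier with Laplace smoothing, trained on a handful of constructed messages per class (ham, spam, malware, 419, phishing). The class names, function names and training messages are all my own assumptions; the messages are short stand-ins, not samples from the author’s feeds.

```python
"""Multi-class naive Bayes mail classifier.

Added illustration of the multi-class Bayesian filtering described above.
It is NOT the author's Bayesian tool; the training messages are short
constructed stand-ins, not real samples from the page.
"""
import math
import re
from collections import Counter, defaultdict

# Word-ish tokens; '$' and '£' are kept inside tokens so that "us$25" and
# "$15" survive, since currency amounts are a strong 419 signal.
TOKEN_RE = re.compile(r"[a-z0-9$£]+")


def tokenize(text):
    """Lower-case tokens from subject + body; good enough for this demo."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesMailClassifier:
    """Multinomial naive Bayes with add-alpha (Laplace) smoothing.

    Unlike a two-class spam filter, any number of labels can be trained;
    a message gets the label with the highest (unnormalised) log posterior.
    """

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.docs_per_label = Counter()               # label -> #messages
        self.tokens_per_label = defaultdict(Counter)  # label -> token counts
        self.vocab = set()

    def train(self, label, text):
        tokens = tokenize(text)
        self.docs_per_label[label] += 1
        self.tokens_per_label[label].update(tokens)
        self.vocab.update(tokens)

    def log_posteriors(self, text):
        """log P(label) + sum log P(token | label) for every trained label."""
        tokens = tokenize(text)
        total_docs = sum(self.docs_per_label.values())
        vocab_size = len(self.vocab)
        scores = {}
        for label, ndocs in self.docs_per_label.items():
            counts = self.tokens_per_label[label]
            denom = sum(counts.values()) + self.alpha * vocab_size
            score = math.log(ndocs / total_docs)  # class prior
            for tok in tokens:
                # Smoothing stops a never-seen token from zeroing a class out.
                score += math.log((counts[tok] + self.alpha) / denom)
            scores[label] = score
        return scores

    def classify(self, text):
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)


# Constructed training corpus: three short messages per class (assumed data).
TRAINING = [
    ("ham", "Hi Dave, are we still on for the meeting on Thursday? Bring the report."),
    ("ham", "Thanks for the notes, see you at the pub later."),
    ("ham", "Minutes from the team meeting attached, let me know of any corrections."),
    ("spam", "Buy cheap viagra online, lowest prices, order now"),
    ("spam", "Amazing offer: refinance your mortgage today, lowest rates"),
    ("spam", "Cheap software, Windows XP only $39, order online now"),
    ("malware", "Mail delivery failed: returning message to sender, see attached file document.pif"),
    ("malware", "Your document is attached: report.zip, password in attachment"),
    ("malware", "Delivery status notification, the attached file contains the original message .scr"),
    ("419", "I am the son of the late minister, I need your assistance to transfer US$25 million, strictly confidential, reply urgently"),
    ("419", "Dear friend, my late husband left $15 million in a bank, I seek your partnership for the transfer, confidential"),
    ("419", "Urgent business proposal: assist me to transfer funds, 20% commission, treat as confidential"),
    ("phishing", "Your online banking account has been suspended, please verify your details at http://bank-secure-login.example/verify"),
    ("phishing", "Security alert: unusual activity, click here to confirm your account and password, http://ebay-secure.example/login"),
    ("phishing", "Your paypal account requires verification, log in at http://paypal-verify.example to restore access"),
]


def build_classifier():
    """Train a fresh classifier on the constructed corpus above."""
    clf = NaiveBayesMailClassifier()
    for label, text in TRAINING:
        clf.train(label, text)
    return clf


if __name__ == "__main__":
    clf = build_classifier()
    for msg in [
        "Dear sir, I am the widow of the late general and need your assistance to transfer $30 million, confidential",
        "Your account has been suspended, please verify your details at http://secure-login.example",
        "Mail delivery failed, see the attached file message.pif",
        "Are we still on for the team meeting on Thursday? I will bring the notes and the report.",
    ]:
        print(f"{clf.classify(msg):9s} <- {msg[:60]}")
```

The point the monthly graphs above make shows up in the code too: a class that has only just been added (phishing in June 2004) has few training messages, so its per-token estimates are weak and lean heavily on the smoothing term until enough samples have been fed in. Real filters of the period used per-token probabilities combined in the Graham/Robinson style and far larger corpora; the multinomial model here is the textbook form, chosen because it extends to several classes without any change.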
So, what of 2005? What will we see when I scrutinise the intestines of sacrificed malware whilst chanting incantations in hex…….That’s another installment….Stay tuned!
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

