MoMusings

Friday 11th March, 2005


February 2005 Review

Filed under: All, Malware, Stats

I’ve finally managed to find some time to create some graphs and perform some trend analysis from the raw data from my WormCharmer for February. Hope they are of some interest?

I have included three sources of information for the graphs and pie charts. These are:

  • Kaspersky
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 2+ years, Malware Bayesian Filter 1+ year.

In total I captured 2234 samples during February, which have been catalogued as 166 distinct families and variants. In comparison, in January 2005 I captured 2814 samples, which were catalogued as 144 distinct families.

During February I captured 26 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The first pie chart below shows the Top 10 distinct malware by percentage. As you can see this includes not only mass-mailers but also five share-crawling worms [2 Opaserv variants and 3 Agobot variants]. The mass-mailing worm W32/Zafi.B@MM was the sample with the highest number of captures, closely followed by W32/Netsky.P@MM.

If you compare the above to the data from Kaspersky you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of February] here. This clearly shows that February was quieter than January as far as e-mail based malware was concerned. However, as mentioned previously other malware [bots, worms, multi-component malware] have been even more active during February.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
