April 2005 Review
I know we are almost two thirds of the way through May and that this posting is rather late; however, better late than never, I always say.
I’ve finally managed to find some time to create some graphs and perform some trend analysis on the raw data from my WormCharmer and Bayesian filter for April. I hope they are of some interest.
I have included three sources of information for the graphs and pie-charts, these are:
- Kaspersky
- WormCharmer
- Malware Bayesian Filter
The last two are my own projects and all data is collected from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 2+ years, the Malware Bayesian Filter for 1+ year.
In total I captured 2327 samples during April, which have been catalogued as 159 distinct families and variants. In comparison, in March 2005 I captured 2326 samples, catalogued as 148 distinct families/variants.
During April I captured 24 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
The first pie chart below shows the Top 10 distinct malware by percentage. As you can see, this includes not only mass-mailers but also five share-crawling worms [1 Sdbot, 2 Opaserv and 2 Agobot variants]. The share-crawling worm and bot W32/Agobot.DAJ [Frisk] was the sample with the highest number of captures, closely followed by W32.Mytob.ah [an e-mail worm that is also a share-crawling worm and bot] and another Agobot variant, WORM_AGOBOT.ALV [Trend], with W32.Zafi.b@MM falling to 4th place. The Netsky family of e-mail worms is still represented; three members of the family appear in the top 10 for April, although they are showing signs of tailing off.

If you compare the above to the data from Kaspersky you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple ‘vectors’ and combine it, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties. As you can see, the top 10 from Kaspersky is dominated by e-mail worms. New entries include three Mytob variants.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.
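To make the difference between the two charts concrete (top 10 by distinct variant versus top 10 by family), here is an added example that is not part of the original post and not the WormCharmer code. It normalises vendor-style detection names of the kind quoted above into family and variant keys and computes both rankings over a small constructed capture list. The prefix/suffix patterns, the sample names and their counts are assumptions for illustration; real vendor naming varies more than this, and variant letters are not aligned between vendors (Symantec’s .ah is not necessarily Trend’s .AH), so a “distinct variant” count is only meaningful when every sample is named by the same vendor.

```python
import re
from collections import Counter

# Constructed capture list for illustration: (detection name, number of captures).
# The names only mimic the vendor naming styles quoted in the post; the counts are made up.
CONSTRUCTED_CAPTURES = [
    ("W32/Agobot.DAJ", 5),              # Frisk style
    ("W32.Mytob.ah", 4),                # Symantec style
    ("WORM_AGOBOT.ALV", 3),             # Trend style
    ("W32.Zafi.b@MM", 3),               # Symantec mass-mailer suffix
    ("W32.Netsky.p@MM", 2),
    ("Email-Worm.Win32.Netsky.q", 2),   # Kaspersky style
    ("W32/Opaserv.worm", 1),
    ("W32.Sdbot.Worm", 1),
]
CAPTURES = [name for name, n in CONSTRUCTED_CAPTURES for _ in range(n)]

# Vendor decoration that carries no family information (assumed patterns, case-insensitive).
# The trailing '+' strips stacked prefixes such as 'Email-Worm.Win32.' in one pass.
_VENDOR_PREFIX = re.compile(
    r"^(?:w32[/.]|win32[/.]|worm_|worm\.|email-worm\.|net-worm\.|i-worm\.)+", re.I)
_MASSMAILER_SUFFIX = re.compile(r"@mm?$", re.I)


def _core(name):
    """Strip vendor prefixes and a trailing '@MM'/'@M' mass-mailer marker."""
    return _MASSMAILER_SUFFIX.sub("", _VENDOR_PREFIX.sub("", name.strip()))


def family_of(name):
    """'W32/Agobot.DAJ' and 'WORM_AGOBOT.ALV' -> 'agobot'; 'W32.Zafi.b@MM' -> 'zafi'."""
    return _core(name).partition(".")[0].lower()


def variant_of(name):
    """Family plus whatever variant designation follows it: 'W32.Zafi.b@MM' -> 'zafi.b'."""
    family, _, rest = _core(name).partition(".")
    return f"{family}.{rest}".lower() if rest else family.lower()


def top_n(keys, n=10):
    """[(key, count, percent of all captures)] for the n most frequent keys."""
    counts = Counter(keys)
    total = sum(counts.values())
    return [(k, c, round(100.0 * c / total, 1)) for k, c in counts.most_common(n)]


def summarize(names):
    """The figures the post reports: distinct variants/families and both top-10 lists."""
    variants = [variant_of(n) for n in names]
    families = [family_of(n) for n in names]
    return {
        "samples": len(names),
        "distinct_variants": len(set(variants)),
        "distinct_families": len(set(families)),
        "top_variants": top_n(variants),
        "top_families": top_n(families),
    }


if __name__ == "__main__":
    for key, value in summarize(CAPTURES).items():
        print(key, value)
```

On the constructed data the two views disagree in exactly the way the charts do: Agobot is the top family at 38.1% because its two variants are merged, while the single most-captured variant, agobot.daj, holds only 23.8% of captures.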

If you wish to see the current top 10, see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power cuts, Internet connectivity issues or hardware faults].
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let’s switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of April] here. This clearly shows that April was very slightly busier than March but still quieter than February as far as e-mail-based malware was concerned.
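The Bayesian filter is the author’s own tool and its internals are not described in the post. As an added illustration of what “classified correctly” means for such a filter, the following example, which is not code from the original post, trains a small Bernoulli naive Bayes classifier on constructed message features (lower-cased subject words plus the attachment extension as an ext: token) and scores a constructed held-out set. All messages, tokens and labels are made up; the last held-out message is deliberately one whose payload would arrive as a link in the body rather than as an attachment, so the features available to the filter give it nothing to go on and a genuine sample is counted as misclassified.

```python
import math
from collections import Counter, defaultdict

# Constructed training corpus: each message is reduced to a set of features
# (lower-cased subject words plus "ext:<attachment extension>") and a label.
# Every message here is made up for illustration.
TRAIN = [
    ({"your", "document", "ext:pif"}, "malware"),
    ({"mail", "delivery", "failed", "ext:zip"}, "malware"),
    ({"hello", "ext:scr"}, "malware"),
    ({"re:", "your", "picture", "ext:pif"}, "malware"),
    ({"important", "ext:exe"}, "malware"),
    ({"meeting", "tomorrow", "ext:none"}, "clean"),
    ({"re:", "invoice", "ext:pdf"}, "clean"),
    ({"holiday", "photos", "ext:jpg"}, "clean"),
    ({"lunch", "ext:none"}, "clean"),
    ({"agenda", "meeting", "ext:doc"}, "clean"),
]

# Constructed held-out messages with their true labels. The last one carries its
# payload as a link in the body, so subject and attachment features reveal nothing.
HELD_OUT = [
    ({"re:", "document", "ext:pif"}, "malware"),
    ({"delivery", "status", "ext:zip"}, "malware"),
    ({"meeting", "notes", "ext:doc"}, "clean"),
    ({"photos", "ext:jpg"}, "clean"),
    ({"hello", "ext:none"}, "malware"),
]


class BernoulliNaiveBayes:
    """Naive Bayes over binary feature presence, with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.docs_per_class = Counter()            # label -> number of training messages
        self.feature_docs = defaultdict(Counter)   # label -> feature -> messages containing it
        self.vocab = set()

    def train(self, corpus):
        for features, label in corpus:
            self.docs_per_class[label] += 1
            for f in features:
                self.feature_docs[label][f] += 1
                self.vocab.add(f)

    def log_posterior(self, features, label):
        """log P(label) + sum over the vocabulary of log P(present or absent | label).
        Features never seen in training are outside the vocabulary and are ignored."""
        n_label = self.docs_per_class[label]
        score = math.log(n_label / sum(self.docs_per_class.values()))
        for f in self.vocab:
            p_present = (self.feature_docs[label][f] + self.alpha) / (n_label + 2 * self.alpha)
            score += math.log(p_present if f in features else 1.0 - p_present)
        return score

    def classify(self, features):
        return max(self.docs_per_class, key=lambda label: self.log_posterior(features, label))


def build_model():
    model = BernoulliNaiveBayes()
    model.train(TRAIN)
    return model


def percent_correct(model, labelled):
    """The statistic plotted in the post: share of messages the filter labelled correctly."""
    correct = sum(1 for features, label in labelled if model.classify(features) == label)
    return round(100.0 * correct / len(labelled), 1)


if __name__ == "__main__":
    model = build_model()
    for features, label in HELD_OUT:
        print(sorted(features), "true:", label, "predicted:", model.classify(features))
    print("percent correct:", percent_correct(model, HELD_OUT))
```

The absent-feature terms matter: a message with no attachment and only a greeting in the subject looks like the clean training messages, so it is labelled clean and the held-out score comes out at 80%. That is the kind of gap a link-based worm opens in a filter trained on attachment-borne malware.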

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 125,825 [as at the end of April 2005]. That’s a growth of 13,387 so far this year!
In April we saw the following new malware appear:
Mytob. This family of worms, which first appeared in March’s results, is based on the MyDoom e-mail worm, but with a twist: the source code was modified so that it also spreads using the LSASS exploit [à la Sasser; the vulnerability patched by MS04-011], as well as via the more common e-mail vector that MyDoom used.
In April we saw many new variants of this e-mail worm/bot hybrid family [25 since the 15th of April]. In fact, I will write a full blog entry on it in the next few weeks, as this family has come from almost nowhere to being a major threat with a serious number of offspring to its name already.
We also saw seven new Bagle variants along with new Kelvir [IM worm] variants. The latter used a new technique: links to the malware body/payload instead of the more common attachments. What is more, the sites hosting the malicious bodies/payloads were running the PHP scripting engine, which is extremely powerful and can easily be used to do rather nasty things [server-side scripting lets the operator change or tailor what is served without changing the link the victim receives].
Conclusions:
Well, as you can see, the bots are on the march [in April] and they are taking lessons from rootkits, using techniques to make them almost invisible, even to many AV products. This is a very worrying trend, but it is not unexpected. In fact, I’m surprised it has taken the scumware authors so long!
I also presented a paper at the EICAR 2005 conference which was held in Malta this year.
Please note that this blog has now moved to my own hosted domain: http://momusings.com/momusings/.
A full RSS/Atom feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

