June 2005 Review
Well, June has come and gone, and another interesting [and busy] month it has been on the malware front! I can’t believe that half the year has already gone and we’ve seen so much malware, but that’s another story which I will cover in another separate posting.
As in previous months, I will cover some statistics from my own sensors and compare them against some from a major anti-virus company, and finally I will cover the new and interesting things that occurred during June.
I’ve created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for June. I hope they are of some interest.
I have included three sources of information for the graphs and pie-charts, these are:
- Kaspersky
- WormCharmer
- Malware Bayesian Filter
The last two are my own projects and all their data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 2.5 years, the Malware Bayesian Filter for 1.5 years.
In total I captured 5742 samples during June, which have been catalogued as 142 distinct families and variants. In comparison, during May 2005 I captured 3631 samples, which were catalogued as 148 distinct families/variants. As you can see, this is a whopping 63 percent increase in samples captured!
During June I captured and submitted 11 brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. However, these were just the ones I had time to process; in all I probably caught 25+ other new malware which I didn’t get the chance to submit, due to other commitments and a high workload. I’m working my way through them now.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:
The e-mail worm, bot and share-crawling worm W32/Mytob.u@MM [McAfee] was the sample with the highest number of captures, followed by eight others of the same malware family. Only one other malware family appears in the Top 10 in June: Netsky [Netsky.p@mm] [we also had only one other family in the top 10 in May]. So, it seems that the Mytob world domination plan is working out all too well at the moment. If I go as far as looking at the Top 20, 13 of the places are occupied by a Mytob variant. If I extend this even further, to the Top 100, there are 22 variants of Mytob.
If you compare the above to the data from Kaspersky you may see some marked differences. Why? Simply put, my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running around the Internet in the way of net nasties. As you can see, the top 10 from Kaspersky is dominated by Mytob [c, ar, be and bk variants] and Netsky [b, q and aa variants], followed by 2 Zafi variants [b and d] and finally LovGate.w.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. As you may notice, the Mytob family accounts for 80 percent of all samples captured during June, which is amazing for a malware family that didn’t exist until almost the end of February this year.
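As an added example (not code from the original post), here is how the two rankings above, Top 10 by distinct malware and Top 10 by family, can be derived from one capture log. The detection names and counts are constructed, and the name-parsing rules are my assumption about McAfee-style and Kaspersky-style naming, not a vendor specification.

```python
import re
from collections import Counter

# Constructed sample log: (vendor detection name, number of captures).
# Counts are invented for illustration; names mimic McAfee ("W32/Mytob.u@MM")
# and Kaspersky ("Email-Worm.Win32.Mytob.c") conventions (assumed).
CAPTURES = [
    ("W32/Mytob.u@MM", 900),
    ("W32/Mytob.c@MM", 410),
    ("W32/Mytob.ar@MM", 380),
    ("W32/Netsky.p@MM", 350),
    ("Email-Worm.Win32.Mytob.be", 300),
    ("W32/Zafi.b@MM", 120),
    ("W32/Zafi.d@MM", 90),
    ("W32/Lovgate.w@MM", 60),
    ("W32/Mytob.bk@MM", 50),
    ("W32/Sdbot.worm.gen", 40),
]


def family_of(name: str) -> str:
    """Reduce a vendor detection name to its family (assumed naming rules).
    McAfee style    "W32/Mytob.u@MM"            -> "Mytob"
    Kaspersky style "Email-Worm.Win32.Mytob.c"  -> "Mytob"
    """
    if "/" in name:                      # Platform/Family.variant@suffix
        rest = name.split("/", 1)[1]
    else:                                # Behaviour.Platform.Family.variant
        parts = name.split(".")
        rest = ".".join(parts[2:]) if len(parts) >= 3 else name
    match = re.match(r"[A-Za-z][A-Za-z0-9_-]*", rest)
    return match.group(0) if match else rest


def _top_n(counts: Counter, n: int) -> list:
    """Return the n most common keys with their share of all captures (percent)."""
    total = sum(counts.values())
    return [(k, round(100.0 * v / total, 1)) for k, v in counts.most_common(n)]


def variant_shares(captures, n: int = 10) -> list:
    """Top n 'distinct malware': every detection name counts separately."""
    by_name = Counter()
    for name, count in captures:
        by_name[name] += count
    return _top_n(by_name, n)


def family_shares(captures, n: int = 10) -> list:
    """Top n families: variants are folded into their family before ranking."""
    by_family = Counter()
    for name, count in captures:
        by_family[family_of(name)] += count
    return _top_n(by_family, n)
```

With the constructed counts, Mytob.u alone is about a third of captures by variant, while the Mytob family is about three quarters once its variants are folded together.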

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let’s switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of June] here. This clearly shows that June was significantly busier than May; in fact, as you can see, the last time it was this busy was back in April and May 2004 [as far as e-mail based malware was concerned], which was when the Bagle, Netsky and Mydoom wars were raging.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 136,402 [as at the end of May 2005]. That’s a growth of 23,964 so far this year, and we are only half way through the year! Last year in total we saw 28,327 new malware strains. Looks like we could see 45,000 new malware strains by the end of the year, sheesh!
In June we saw the following new malware appear:
A number of new Mytob variants. This family of worms, which first appeared in March’s results, is based on the MyDoom e-mail worm, but with a twist! The source code was modified to also enable it to spread using the LSASS exploit [à la Sasser], as well as via the more common e-mail vector that MyDoom used. Some Mytob variants also spread in other ways, such as via Instant Messaging and Peer to Peer networks.
I caught a sample of a brand new bot family that had not been seen previously and several other brand new malware that NO anti-virus detected at the time of capture; it has been a bit of a landmark month all round.
As mentioned in one of my blog postings, Cabir, the first malware that could infect a mobile phone [via Bluetooth], celebrated its first birthday in June.
It seems that June was a busy month for malware authors who are interested in stealing data. Many keyloggers and password stealing trojans were released during June. If this doesn’t clearly show the swing towards writing malware to steal data and a general ‘for profit’ model then add in the massive growth of the number of bots and the picture is obvious.
Conclusions:
Well, as you can see the Mytobs are dominating the statistics and are causing increasing levels of pain; not just to those that are infected, but also to the AV companies.
UPDATE: Looks like July is going to be busy too! My sample captures already this month [6th June] are significantly higher than usual; if it carries on like this then we could be looking at over 4,000 by the end of the month…
Links:
Virus Top Twenty for June 2005 [Kaspersky]
Top ten viruses and hoaxes for June 2005 [Sophos]
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.