MoMusings

Friday 12th August, 2005


Phishing, Bagles and Vacation

Filed under: All, Malware

I’m on vacation as of the end of today for two whole weeks, yippee!

However, I suspect I’ll get called, or asked to come in, at least once during my time off, as August has frequently been a month when new malware breaks out, and we are not talking minor outbreaks but whoppers!

Remember Nimda and Blaster? Guess when they were causing misery to many, many people? Yep, that’s right, in August!

However, first a bit of fun, Phishing fun to be exact:

Take a look at this Dilbert cartoon on phishing; it is amazingly accurate. ‘Nuff said ;-)

Now, onto more serious things.

New Bagles aka Beagle aka Tooso:

Yes, we have seen lots of new variants being seeded over the last 24 hours, so be aware: if you receive a strange e-mail with a .ZIP or .RAR attachment, it is probably one of the new ones. If you haven’t guessed, the Bagle author(s) are back from their holidays.

Typical, as I’m about to take a few weeks off!

In the last 24 hours we have seen 11 new variants and we will almost certainly see more.

So, if you get an e-mail that contains an attachment called:

  • Taxes.zip or Taxes.rar
  • The_taxation.zip or The_taxation.rar
  • The_reporting_of_taxes.zip or The_reporting_of_taxes.rar
  • Work and taxes.zip or Work and taxes.rar
  • Increase_in_the_tax.zip or Increase_in_the_tax.rar
  • To_reduce_the_tax.zip or To_reduce_the_tax.rar

then you have a copy of one of the new variants: just delete the e-mail, and do NOT open the attachment.
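The attachment names above are exactly the sort of thing a mail gateway or a desktop filter can check for. The following is an added example, not code from the original blog: it parses a raw RFC 822 message with Python’s standard `email` library, pulls out every attachment file name (whether the mailer labelled it via Content-Disposition or the Content-Type name parameter), and flags those that match the names quoted in the post with a .zip or .rar extension, case-insensitively. The sample messages it builds are constructed for illustration; the addresses and payload bytes are placeholders.

```python
"""Flag e-mails carrying the attachment names listed in the post.

Added example, not code from the original blog. The attachment stems and the
.zip/.rar extensions are those quoted in the post; the sample message built by
build_sample() is constructed for illustration only.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Attachment stems quoted in the post; each one was seen as .zip and as .rar.
BAGLE_STEMS = {
    "taxes",
    "the_taxation",
    "the_reporting_of_taxes",
    "work and taxes",
    "increase_in_the_tax",
    "to_reduce_the_tax",
}
ARCHIVE_EXTS = (".zip", ".rar")


def attachment_names(raw_message: bytes) -> list[str]:
    """Return the file names of every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition and falls back to the
        # Content-Type 'name' parameter, covering both ways mailers label files.
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def matching_attachments(raw_message: bytes) -> list[str]:
    """Return attachment names matching the post's Bagle list (case-insensitive)."""
    hits = []
    for name in attachment_names(raw_message):
        lowered = name.strip().lower()
        for ext in ARCHIVE_EXTS:
            if lowered.endswith(ext) and lowered[: -len(ext)] in BAGLE_STEMS:
                hits.append(name)
                break
    return hits


def build_sample(filename: str) -> bytes:
    """Construct a minimal message with one archive attachment (sample data)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "you@example.invalid"        # placeholder address
    msg["Subject"] = "new tax information"
    msg.set_content("Please read the attached document.")
    # The payload bytes are arbitrary; only the file name matters for this check.
    msg.add_attachment(b"PK\x03\x04not-a-real-archive", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname in ("The_taxation.zip", "Work and taxes.RAR", "holiday_photos.zip"):
        hits = matching_attachments(build_sample(fname))
        verdict = "DELETE, matches the Bagle list" if hits else "no match"
        print(f"{fname}: {verdict}")
```

Matching on the file name alone is only as good as the list, which is why the post says more variants are coming; treating any unexpected .zip or .rar from an unknown sender as suspect, as the post advises, is the more durable rule, and the name check is a cheap first pass on top of that.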

New ISP:

I have just changed my ISP, as they started to block ports which I needed for my WormCharmer. Now, don’t get me wrong, I’m all for increased security, but not when it is applied to those of us that know how to protect ourselves.

The ISPs that insist on putting in place a blanket port block policy should seriously think about allowing the more technically aware customers to opt out. That way most customers get protection and people like me get to catch new malware, which helps everyone as well.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Wednesday 10th August, 2005


July 2005 Review

Filed under: All, Malware, Stats

Well, July has come and gone, and another interesting [and very, very busy] month it has been on the malware front! I can’t believe that seven months of the year have already gone and we’ve seen so much malware, almost as much as the whole of last year, by the end of July!

Like previous months, I will cover some statistics from my own sensors and compare those against some from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during July.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for July. I hope they are of some interest.

I have included four [I have added data from SOPHOS to the pot] sources of information for the graphs and pie charts; these are:

The last two are my own projects and all data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 2.5 years, the Malware Bayesian Filter for 1.5 years.

In total I captured 5868 samples during July, which have been catalogued as 98 distinct families and variants. In comparison, during June 2005 I captured 5742 samples, which were catalogued as 142 distinct families/variants. As you can see, this is a small percentage increase in samples captured, but still around double my more usual numbers per month!

During July I captured and submitted 11 brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. However, these were just the ones I managed to capture and process before my ISP decided to block ports 137/udp, 139/tcp and 445/udp and tcp, which are used by most of the share-crawling worms and bots. I’m now in the process of moving ISP. Unfortunately, this will affect my August statistics too.

During July I started to report phishing sites, and actually reported 40 during the month, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar, which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

The e-mail worm, bot and share-crawling worm W32/Mytob.ce@MM [McAfee] was the sample with the highest number of captures [22% of all captured files], followed by seven others of the same malware family. Only two other malware families appear in the Top 10 in July: Mydoom [W32.Mydoom.o@MM and W32.Mydoom.bb@MM] and one TENGA variant [PE_TENGA.A], which is a new malware family. So, it seems that the Mytob world domination plan is working out all too well at the moment. If I go as far as looking at the Top 20, 9 of the places are occupied by a Mytob variant. If I extend this even further, in the Top 100 there are 13 variants of Mytob.


If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply put, my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky is dominated by Netsky.q and Mytob.c, followed by 2 Zafi variants [b and d], yet more Mytobs and finally Netsky.b.

In the SOPHOS chart we see a similar pattern, with Netsky.p as the leader of the pack and 3 Mytob variants [AS, BE and EP] hot on its heels. However, in the SOPHOS data only one Zafi variant appears [D]. The rest of the chart is taken up by yet more Mytob variants and Netsky.D.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. As you may notice, the Mytob family accounts for 76 percent of all samples captured during July, which is amazing for a malware family that didn’t exist until almost the end of February this year.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: the following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of July] here. This clearly shows that July was slightly busier than June; in fact, as you can see, the last time it was this busy was back in April and May 2004 [as far as e-mail based malware was concerned], which was when the Bagle, Netsky and Mydoom wars were raging.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 139,515 [as at the end of July 2005]. That’s a growth of 27,077 so far this year, and we are only seven months through the year! Last year in total we saw 28,327 new malware strains. It looks like we could see 45,000 new malware strains by the end of the year, sheesh!

In July we saw the following new malware appear:

A number of new Mytob variants. This family of worms, which first appeared in March’s results, is based on the MyDoom e-mail worm, but with a twist! The source code was modified to also enable it to spread using the LSASS exploit [à la Sasser], as well as via the more common e-mail vector that MyDoom used. Some Mytob variants also spread in other ways, such as via Instant Messaging and Peer to Peer networks.

The malware authoring group behind Mytob call themselves HELLBOT. They are continuing to experiment with packers and compressors [PEX, UPX, etc.] to try and make their new variants more difficult for many of the AV products to detect. They have also been changing and adding to the bot’s functionality. Finally, they have modified the list of IRC channels used as command and control for the bot and the resulting botnets. This is being done because channels used by previous variants have been quickly closed by IRC server administrators as they start to fight back.

It seems that July was a busy month for malware authors who are interested in stealing data with many bots being created and released onto the Internet. Expect more of this as the move to a “for-profit” model continues to take over in the malware world.

Conclusions:

Well, as you can see, the Mytobs are dominating the statistics and are causing increasing levels of pain; not just to those that are infected, but also to the AV companies. They seem to be unwilling to let any other malware into the Top 10.

Would anyone be interested if I also included my own hoax, phishing and SPAM statistics in this monthly report?

UPDATE: Looks like August is going to be busy too! My sample captures already this month [10th August] are slightly higher than usual [even allowing for the lack of certain malware samples being caught due to my ISP blocking ports]; if it carries on like this, then we could be looking at over 4,000 by the end of the month…

Links:
Virus Top Twenty for July 2005 [Kaspersky]
Top ten viruses and hoaxes for July 2005 [Sophos]



Tuesday 9th August, 2005


The Empire [Microsoft] Strikes Back…

Filed under: All, Malware

Well, what do you know, Microsoft have now spoken about Vista and MSH [Monad], and guess what? They have ‘decided’ not to include MSH in the ‘first’ version of Vista after all. Of course this has absolutely nothing ‘whatsoever’ to do with the discovery of MSH malware, of course not, and NASA have just sent a cow to jump over the moon! ;-)

However, they go on to say that the next update of Exchange, currently code-named ‘Exchange 12’, will contain MSH, as will future versions of Vista [née Longhorn]. Don’t believe me? Well, here are the words from their own mouths:

In an interview Friday, Microsoft Director of Product Management Eric Berg said Monad [MSH] will not be included in the first commercial version of Windows Vista, expected in the second half of 2006. But the product is expected to be included in Windows over the next “three to five years,” he said. “Our intention is to synchronize it with both client and server operating systems.”

The first Microsoft product to use Monad [MSH] will be the next release of Microsoft’s Exchange messaging server, code-named “Exchange 12,” which is due in 2006, Berg said.

On the operating system side of things, Monad is then expected to be included in the Windows Server “Longhorn,” expected in 2007, and then could be available in a future Windows Vista release, said Rob Helm, director of research with Directions on Microsoft. “Presumably, as time goes on, all of Microsoft’s products will have Monad scripting interfaces,” he said.

So, there you have it. And Microsoft went on to say that:

“These reports pose no risk for Microsoft customers,” said the firm’s Stephen Toulouse in a blog posting, and he went on to state: “The viruses do not attempt to exploit a software vulnerability and do not encompass a new method of attack.”


Since when has malware depended on exploits? Most malware uses ‘features’ of the OS or application to function, or relies on ‘clueless’ users who fall for social engineering, rather than vulnerabilities in the OS, scripting language or application.

Remember that when Word Macro Viruses first appeared, Microsoft claimed it was a ‘Prank’ and was most certainly NOT a virus… Yeah right, where’s my squadron of flying pigs?

By that flawed ‘logic’ we have thousands of ‘pranks’ still out there ‘infecting’ Office documents just like a macro virus does.

When asked if the emergence of MSH viruses had led to MSH being ‘pulled’ out of Vista, he said:

“One had nothing to do with the other”

Give that man an inhaler… It is his destiny! I can almost hear him saying “I find your lack of faith disturbing”… whilst wearing a black bucket on his head. ;-)

Links:
http://www.networkworld.com/news/2005/080505-vista-monad.html?fsrc=rss-virusworms
http://news.bbc.co.uk/1/hi/technology/4131080.stm



Thursday 4th August, 2005


Malware-la-Vista, Baby

Filed under: All, Malware

Well, this has to be a new record: less than a week after Microsoft’s new baby is released as a beta, and already some wag has created malware to take advantage of the Microsoft Shell, which is one of the new features of Vista [née Longhorn].

According to F-Secure’s Research Weblog [always a good read], the wag responsible for this is from Austria. Now that’s quite unusual, as Austria hasn’t been responsible for many malware authors.


Not content with just creating one, he has created five, all targeting Microsoft MSH. The viruses were published in a virus-writing zine.

Here’s a short description of MSH [borrowed from F-Secure]:

“MSH, or Microsoft Command Shell, is a command line interface and scripting language. It’s basically a replacement for shells such as CMD.EXE, COMMAND.COM or 4NT.EXE and will ship in 2006. As a command-line front end, MSH resembles many Unix shells quite a bit.

As MSH (codenamed ‘Monad’) was scheduled to ship as the default shell for Windows Vista (which went to first beta last week), you could argue that these are the first viruses for Windows Vista. However, it has lately been rumoured that MSH might not ship with Vista at all - instead might be part of Microsoft Exchange 2006 or something. We won’t know for sure until later.”

I wonder if there is any link between Arnie and the malware authors? No, I’m just kidding… but both are from Austria. ;-)

The interesting thing is that Eric Chien from Symantec raised the possibility of MSH viruses in his paper and presentation for the Virus Bulletin 2004 conference. The paper was entitled “The return of script viruses - an overview of Microsoft Shell”. I was sitting in the front row of tables listening to his presentation; as always, Eric’s papers and presentations are very good, insightful and usually a good barometer of new threats.

Eric was the researcher who originally stated that we would see Instant Messaging malware… right again, Eric!

Just a warning, Eric “will be back” at the Virus Bulletin conference again this year… and so will I, or should that be “I’ll be back”?

