MoMusings

Monday 12th September, 2005


August 2005 Review

Filed under: All, Malware, Stats

Well, August has come and gone, and another interesting [and even busier] month it has been on the malware front! Here we are at the end of summer in the UK; the autumn chill is evident in the air in the mornings and evenings now.

Like previous months, I will cover some statistics from my own sensors and compare those against some from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during August.

I have created some graphs and performed some trend analysis on the raw data from my WormCharmer and Bayesian filter for August. I hope they are of some interest.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all data is from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 2.5 years, the Malware Bayesian Filter for 1.5 years.

Malware:
In total I captured 8315 samples during August, which have been catalogued as 82 distinct families and variants. In comparison, during July 2005 I captured 5868 samples, which were catalogued as 98 distinct families/variants. As you can see, this is over a 41 percent increase in samples captured, and around triple my more usual numbers per month!

During August I captured and submitted 15 brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. However, these were just the ones I managed to capture and process after moving to a new ISP that doesn’t block ports 137/udp, 139/tcp and 445 [udp and tcp], which are used by most of the share-crawling worms and bots. So, in all I lost eleven days of samples during August due to my old ISP putting port blocks in place.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

The e-mail worm, bot and share-crawling worm W32/Mytob.IA@MM [Frisk] was the sample with the highest number of captures [accounting for almost 23% of all captured files], followed by eight others of the same malware family. Only one other malware family appears in the Top 10 in August, this being a TENGA variant [PE_TENGA.A], a fairly new malware family.

So, it seems that the Mytob world domination plan is working out all too well at the moment. If I go as far as looking at the Top 20, 14 of the places are occupied by a Mytob variant. If I extend this even further, in the Top 100 there are 20 variants of Mytob.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why?

Well, simply put: my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running around the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky is dominated by Mytob.c and Netsky.q, followed by two Zafi variants [b and d], another Mytob [Mytob.bk], two more Netsky variants [b and aa], Lovgate.w and finally two more Mytobs [be and bi].

In the SOPHOS chart we see a similar pattern, with Netsky.p as the leader of the pack and two Mytob variants [AS, BE] hot on its heels. Just like in the data from Kaspersky, we have two Zafi variants [D and B]. The rest of the chart is taken up by yet more Mytob variants and Netsky.D.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. As you may notice, the Mytob family has increased its share of the pie during August. Mytob family members account for over 81 percent of all samples captured during August, which is amazing for a malware family that didn’t exist until almost the end of February this year.
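The two views above (Top 10 by individual variant, then Top 10 by family) can be reproduced from a plain capture log, and the difference between them is simply whether variant names are rolled up into their family before counting. The Python below is an added example written for this post, not the WormCharmer code or any of the author's tooling. It assumes a one-line-per-capture log format ("date time detection-name") and a detection-name layout (optional platform prefix, family, variant separator, optional @MM suffix) that I have chosen for illustration; the log lines are constructed, not real sensor output. It goes slightly beyond the page by also normalising the Sophos-style hyphenated names (assumed to look like W32/Mytob-AS) so that all vendors' Mytob variants land in one family bucket, and it includes the month-over-month percentage change used for the July-to-August comparison.

```python
"""Sensor capture statistics: top-N variants, family share, month-over-month change.

Added example for this post; not the author's WormCharmer code. The capture
log below is constructed for illustration, as is the detection-name layout
the parser expects.
"""
from collections import Counter
import re

# Constructed sample log: one captured file per line, "<date> <time> <detection name>".
CAPTURE_LOG = """\
2005-08-15 16:02:11 W32/Mytob.IA@MM
2005-08-15 16:02:40 W32/Mytob.IA@MM
2005-08-15 16:03:05 W32/Mytob.CF@MM
2005-08-15 16:04:12 PE_TENGA.A
2005-08-15 16:05:30 W32/Mytob.IA@MM
2005-08-15 16:06:01 W32/Netsky.Q@MM
2005-08-15 16:07:22 W32/Mytob.CG@MM
2005-08-15 16:08:45 W32/Mytob.IA@MM
2005-08-15 16:09:10 W32/Mytob.CF@MM
2005-08-15 16:10:33 W32/Zafi.B@MM
"""

# Assumed detection-name layout: optional platform prefix ("W32/", "PE_",
# "Worm."), a family name, an optional variant introduced by ".", "_" or "-",
# and an optional suffix such as "@MM" (mass-mailer).
NAME_RE = re.compile(
    r"^(?:W32/|PE_|Worm\.)?(?P<family>[A-Za-z0-9]+)"
    r"(?:[._-](?P<variant>[A-Za-z0-9]+))?"
    r"(?:@\w+)?$"
)


def parse_log(text):
    """Return the detection name from every well-formed capture line."""
    names = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            names.append(parts[2].strip())
    return names


def family_of(name):
    """Map a vendor detection name to a normalised family name (e.g. 'Mytob').

    Names that do not fit the assumed layout are returned unchanged so they
    still show up in the ranking rather than being silently dropped.
    """
    m = NAME_RE.match(name)
    if not m:
        return name
    return m.group("family").lower().capitalize()


def top_n(names, n=10, key=None):
    """Rank captures by count; `key` maps each name before counting.

    Returns a list of (label, count, percent_of_total) tuples, ties broken
    alphabetically so the output is deterministic.
    """
    labels = [key(x) if key else x for x in names]
    total = len(labels)
    counts = Counter(labels)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return [(label, c, round(100.0 * c / total, 1)) for label, c in ranked]


def percent_change(previous, current):
    """Month-over-month change in sample count, as a percentage of `previous`."""
    return 100.0 * (current - previous) / previous


if __name__ == "__main__":
    names = parse_log(CAPTURE_LOG)
    print("Top variants:")
    for label, count, pct in top_n(names, 10):
        print(f"  {label:24} {count:4} {pct:5.1f}%")
    print("Top families:")
    for label, count, pct in top_n(names, 10, key=family_of):
        print(f"  {label:24} {count:4} {pct:5.1f}%")
    # July 2005 vs August 2005 sample counts from the post.
    print(f"July->August change: {percent_change(5868, 8315):.1f}%")
```

On the constructed log the leading variant holds 40% of captures while the Mytob family holds 70%, which is the same effect as the real figures in the post (23% for the top variant against 81% for the family). The regex is where vendor naming conventions are absorbed; if a sensor mixes feeds from several scanners, that is the place to extend.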

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net.

The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of August] here.

This clearly shows that August was significantly busier than July; in fact, as you can see, the last time it was this busy was back in April and May 2004 [as far as e-mail based malware was concerned], which was when the Bagle, Netsky and Mydoom wars were raging.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss. If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 146,234 [as at the end of August 2005]. That’s a growth of 33,796 so far this year!

Last year in total we saw 28,327 new malware strains. Looks like we could see 45,000 new malware strains by the end of the year, sheesh!

What’s New?

Zotob:
On Monday the 15th of August around 4pm [GMT] something started to spread quickly on the Internet which caused many computers running Windows 2000 to reboot themselves without human assistance. Next, system administrators saw the unexplained slowdown of internal networks. Were these things related? You bet they were; we were once more under attack by a new network worm. The pattern was starting to repeat once more: a two-year cycle between new, highly successful worms causing significant malware outbreaks.

MS05-039 or Bust!
On 9 August, Microsoft released critical security advisory MS05-039 which revealed a vulnerability in the Plug-and-Play component of Windows 2000. Code to patch the loophole was also made available. Ironically, Plug-and-Play was designed to make it easy to connect new devices to Windows machines.

Barely five days after the Microsoft warning, a worm called Zotob appeared which exploited the loophole. There are a number of variants of Zotob, as well as other malware strains that use the exploit code from the hacking group known as ‘houseofdabus’. Interestingly, other exploit code from the same group found its way into the Sasser worm written by Sven Jaschan.

Early variants of the Zotob worm just relied on the MS05-039 exploit to spread from system to system. Newer variants can also spread via e-mail, which is not surprising as Zotob is based on Mytob. When the code for what became known as Zotob.A was analysed, the following chilling message was found:

"MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!"

Let’s see what the anti-virus companies have to say about it:

Sophos had this to say about Zotob:
"Mytob and Zotob may spread in different ways, but the source code is very similar," said Carole Theriault, security consultant at Sophos. "Moreover, the Zotob author’s nickname, Diabl0, appears in more than twenty of the Mytob variants, suggesting that they may have been created by the same person. One thing is for sure - Mytob is still causing chaos in organisations that haven’t updated their virus protection and patched software vulnerabilities."

Kaspersky had this to say on Zotob:
"The case of the so-called Zotob is also worth some attention. We do not call these worms Zotob because this name has been used by other antivirus vendors to identify a range of worms and bots, some of which are often not even related. After in-depth analysis, Kaspersky Lab has classified the Zotob worms as new versions of Mytob with the following correlations with Zotob: Zotob.a - Mytob.cg, Zotob.b - Mytob.cf, Zotob.c - Mytob.ch. Only versions .ch and .cg are capable of replicating via email, while version .cf spreads by exploiting the MS05-039 vulnerability. Even though Mytob.cg and .ch do have this ability [to spread via e-mail], they weren’t even in the top 40 viruses spreading via email this August."

Although Zotob can’t automatically infect Windows XP systems, the worm code can be installed manually or by clicking on an infected file, which will then infect the system running XP, and Zotob will start scanning for new hosts to infect and exploit. Later variants can also spread in other ways, which means that other versions of Windows are also infectable. The good news is that two people thought to be responsible for writing and distributing Zotob have been arrested.

I will be writing an in-depth article on Zotob shortly, so stay tuned!

Mytob:
A number of new Mytob variants appeared. This family of worms, which first appeared in March’s results, is based on the MyDoom e-mail worm, but with a twist! The source code was modified to also enable it to spread using the LSASS exploit [à la Sasser], as well as via the more common e-mail vector that MyDoom used. Some Mytob variants also spread in other ways, such as via Instant Messaging and Peer-to-Peer networks.

It seems that August was another busy month for malware authors interested in stealing data, with many bots being created and released onto the Internet.

Expect more of this as the move to a "for-profit" model continues to take over in the malware world.

Conclusions:
Well, as you can see, the Mytobs are dominating the statistics and are causing increasing levels of pain; not just to those that are infected, but also to the AV companies. They seem to be unwilling to let any other malware into the Top 10.

Links:
Virus Top Twenty for August 2005 [Kaspersky]
Top ten viruses and hoaxes for August 2005 [Sophos]
http://singe.rucus.net/blog/archives/510-MS05-039-and-the-Zotob-summary.html


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 1st September, 2005


Katrina Causes 419 and Phishing Storms…

Filed under: All, Scams

Outbreaks of Malware to follow?

Well, I’m back from my hols, although Zotob arrived and caused chaos for the first three days of the first week; I got involved with customer calls, threat calls and virus assessment calls, analysing samples and generally monitoring the situation... so much for the start of my holiday!

I’ll cover Zotob in another post shortly as the situation is still developing... stay tuned!

The day before I came back I was discussing how long it would take the 419ers, phishers, other scamming groups and malware authors to latch onto the latest way of making money out of other people’s misery by taking advantage of the devastation caused in the US by Hurricane/Tropical Storm Katrina.

I said that we’d see one within 10 days. Sure enough they couldn’t resist using this catastrophe to try and fleece more people.

They have used other disasters and attacks as ways to extract money which should be going to the victims, to line their own pockets; these include the Asian Tsunami, 9/11 and the London bomb attacks on 7/7.

On the 30th of August 2005, less than a day after Katrina had made landfall and caused widespread destruction and flooding across Louisiana and Mississippi, SANS warned that they had already seen scammers starting to use this disaster. Here’s some of their commentary:

We updated yesterday’s diary with the information of fake emails and domains being used to get donations for the Katrina Hurricane and Brian Krebs just updated the Security Fix blog, with new information about these fake domains.
Some that we strongly suspect so far are katrinahelp.com , katrinarelief.com and katrinacleanup.com.

They go on to say:

“We got information that there are plenty of domains for sale at eBay, related the Hurricane. A quick look at whois services for Katrina name can show you some interesting names…”

Watch out for e-mails asking for donations; they may well be phishing or 419 scams, and any money donated will not go to the victims. Worse still, your credit/debit card may well end up on ‘carding’ lists and be sold to thieves. They may [almost certainly will] use your card details to make purchases which you have not authorised.

Furthermore, be very suspicious of any e-mails that claim to have video footage or other data as an attachment, as this will almost certainly contain nothing more than malware, and you may end up with an infected system.

I was in New Orleans in September 2002 for a conference just as a category 3 hurricane was about to make landfall. In fact I was on the last plane to land at the airport that day.

Luckily for me and New Orleans, Hurricane Isidore lost some of its power and was downgraded to a tropical storm before it made landfall. However, New Orleans was flooded, with some parts under 12 feet of water. Many roads were impassable, with abandoned vehicles everywhere. It was a mess! Even the conference hotel was flooded! So, my sympathy goes to all those affected by this disaster, either directly or indirectly.

Please help!
If you want to help those affected by the US Katrina disaster, then please do not let these scammers put you off giving your much needed assistance. However, DO use one of the real charity organisations that are helping, such as the American Red Cross; their website address is http://www.redcross.org/

Links:
http://www.vnunet.com/vnunet/news/2141705/scammers-jump-hurricane-katrina

