MoMusings

Thursday 15th December, 2005


November 2005 Malware Review

Filed under: All, Malware, Stats

November has come and gone, and it has been another interesting and busy month, on the malware front at least. We saw the return of Sober; but more on that later!

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter for November.

I have included four sources of information for the graphs and pie-charts; these are Kaspersky, SOPHOS, WormCharmer and my Malware Bayesian Filter.

The last two are my own projects and all data is from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 2489 samples during November, which have been catalogued as 59 distinct families and variants. In comparison during October 2005 I captured 4484 samples [above average for this year] which were catalogued as 78 distinct families/variants. As you can see November was slightly below the average malware haul for 2005 and is almost 2,000 captured samples less than October. As a guide, an average month’s captures for 2005 is around 3,000 samples.

During November I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
The low haul in November is partly due to an apparent drop-off in new samples being spread via SMB [Windows shares], the relatively low impact of the latest Sober strains [via e-mail], and, last but not least, the fact that I was presenting at a conference, which made it difficult for me to process any new samples captured while I was out of the country.

During November I reported 15 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar that I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] stormed back into pole position during November, stealing the crown back from last month’s winner; W32/Mytob.u@MM [McAfee]. Tenga accounted for over 38 percent of all captured files during November. Although the Mytobs were ejected from pole position they are still making their presence felt; 6 Mytob variants appear in the top 10 [LY, AT, NA, IC, BH and AA] which accounts for a massive 34 percent of all samples captured during November. The Sober family has reappeared in the top 10 after a noticeable absence; in this case it is W32/Sober.Z@mm [Frisk].

The reappearance of Sober during November caused a certain amount of concern as this family has been responsible for a number of serious outbreaks. However, in the case of W32.Sober.Z@mm which appeared during November, it appears that a proportion of end-users have learnt from their past encounters with earlier Sober family members. Let us hope that this is a trend that continues.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple ‘vectors’ and combine it, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month is yet again dominated by Mytob.c, Doombot.b [most other vendors have included this as a member of the Mytob family] and Zafi.d. Between them these three malware variants account for over a third of all samples reported to Kaspersky. The rest of the chart is made up of more Mytobs [bi, bk, u and t], two Netsky variants [q and b] and Lovgate.w. Doombot [d] has fallen out of the top 10.

In the SOPHOS chart we see a different pattern, with Netsky.p knocked off the pole position by none other than Sober-Z. Netsky.p has to make do with second place this month. 5 Mytob variants [GH, EX, AS, BE and C] appear in the top 10. Just like in the data from Kaspersky we have the Zafi.D variant too; however, the B variant appears in the Sophos top 10 but is missing from the Kaspersky chart. Netsky.D gets a look in once more, coming in ninth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up [only just] by Mytob, accounting for over 38 percent of all samples caught. This just kept September’s leader [Tenga] down in the runner-up spot for the second month running.

The Sdbot family has lost more of its share over the last month accounting for a mere 2.1 percent of all captured samples. The new entry this month is the Sober family making a comeback and grabbing 5th place and beating Sdbot into sixth place.
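The two pie charts above differ because the first counts each variant separately while the second rolls variants up into families, so the Mytob family can lead one chart while a single Tenga variant leads the other. The following Python script is an added example, not code from the blog or from the WormCharmer project: it normalises vendor detection names of the styles quoted on this page (McAfee/Frisk `W32/Mytob.u@MM`, Symantec-style `W32.Sober.Z@mm`, Kaspersky-style `Net-Worm.Win32.Mytob.c`, Sophos-style `W32/Netsky-Q`) into a family/variant pair and then produces both kinds of top-10 table. The sample catalogue and its counts are constructed to illustrate the point and are not the real November 2005 data.

```python
import re
from collections import Counter

# Trailing vendor qualifiers such as @MM / @mm (mass-mailer) or !M681.
SUFFIX_RE = re.compile(r"[@!][A-Za-z0-9]+$")
# Leading type/platform markers: "W32/", "W32.", "Net-Worm.Win32.", "Email-Worm.Win32.".
PREFIX_RE = re.compile(
    r"^(?:[A-Za-z]+(?:-[A-Za-z]+)*\.)?(?:W32|Win32|W95|W97M|VBS)[./]", re.IGNORECASE
)

def parse_detection_name(name):
    """Reduce a vendor detection name to (family, variant), both lower-cased.
    The variant is whatever follows the family's first '.' or '-' separator."""
    core = SUFFIX_RE.sub("", name.strip())
    core = PREFIX_RE.sub("", core)
    parts = re.split(r"[.\-]", core, maxsplit=1)
    family = parts[0].lower()
    variant = parts[1].lower() if len(parts) > 1 else ""
    return family, variant

def variant_label(family, variant):
    return f"{family}.{variant}" if variant else family

def top_n(names, by_family=False, n=10):
    """Top-n table as (label, percentage-of-all-samples), by variant or by family."""
    counts = Counter()
    for nm in names:
        family, variant = parse_detection_name(nm)
        counts[family if by_family else variant_label(family, variant)] += 1
    total = sum(counts.values())
    return [(label, round(100.0 * c / total, 1)) for label, c in counts.most_common(n)]

def summarise(names):
    """Headline figures of the kind the monthly review quotes."""
    parsed = [parse_detection_name(nm) for nm in names]
    return {
        "total": len(parsed),
        "distinct_variants": len({variant_label(f, v) for f, v in parsed}),
        "distinct_families": len({f for f, _ in parsed}),
    }

# Constructed catalogue of 100 "captured" files, deliberately mixing vendor naming
# styles; the counts are invented, chosen so that one Tenga variant tops the
# per-variant table while the Mytob family tops the per-family table.
SAMPLE_CATALOGUE = (
    ["W32/Tenga.3666"] * 38
    + ["W32/Mytob.ly@MM"] * 9
    + ["W32/Mytob.at@MM"] * 8
    + ["W32/Mytob.na@MM"] * 7
    + ["W32/Mytob.ic@MM"] * 6
    + ["W32/Mytob.bh@MM"] * 4
    + ["W32/Mytob.aa@MM"] * 3
    + ["W32/Mytob.u@MM"] * 1
    + ["Net-Worm.Win32.Mytob.bi"] * 1   # Kaspersky-style name for the same family
    + ["W32.Sober.Z@mm"] * 5
    + ["W32/Netsky.p@MM"] * 3
    + ["W32/Netsky-Q"] * 3               # Sophos-style name
    + ["W32/Netsky.b@MM"] * 2
    + ["Net-Worm.Win32.Doombot.b"] * 3
    + ["W32/Zafi.d@MM"] * 2
    + ["W32/Bagle.x@MM"] * 2
    + ["W32/Sdbot.worm.gen"] * 2
    + ["W32/Lovgate.w@MM"] * 1
)

if __name__ == "__main__":
    print(summarise(SAMPLE_CATALOGUE))
    print("Top 10 by variant:")
    for label, pct in top_n(SAMPLE_CATALOGUE):
        print(f"  {label:16s} {pct:5.1f}%")
    print("Top 10 by family:")
    for label, pct in top_n(SAMPLE_CATALOGUE, by_family=True):
        print(f"  {label:16s} {pct:5.1f}%")
```

The same normalisation step is what makes a comparison against the Kaspersky and Sophos lists meaningful at all, since each vendor spells the same family differently; a new naming style only needs an extra alternative in the prefix pattern.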



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004 and 2005 [up to the end of November] here. This clearly shows that November was significantly quieter than October; in fact it was only slightly busier than September. This data includes Sober.Z.
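As an added illustration of the kind of measurement behind the "classified correctly" figure, the Python below is an example I wrote for this page; it is not the blog author's Bayesian filter, whose internals the post does not describe. It trains a multinomial naive Bayes classifier on a handful of constructed messages (the malware class is modelled on the lures this post describes for Sober, a forged FBI copyright notice with an attachment and a German-language twin, plus a couple of Mytob-style account notices) and then reports the percentage of held-out constructed messages it labels correctly. Attachment names and extensions are folded in as features, because for mass-mailers the `.zip`/`.pif`/`.exe` attachment is often a stronger signal than the wording.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")

def tokenize(message):
    """Word tokens from subject and body, plus attachment name and extension
    features (an .exe/.pif/.zip attachment is a strong signal on its own)."""
    tokens = TOKEN_RE.findall((message["subject"] + " " + message["body"]).lower())
    for name in message.get("attachments", []):
        tokens.append("att:" + name.lower())
        if "." in name:
            tokens.append("ext:" + name.rsplit(".", 1)[1].lower())
    return tokens

class BayesianMailFilter:
    """Multinomial naive Bayes with add-one smoothing, scored in log space."""

    def __init__(self):
        self.doc_counts = Counter()   # label -> number of training messages
        self.token_counts = {}        # label -> Counter of tokens
        self.vocab = set()

    def train(self, messages, label):
        counts = self.token_counts.setdefault(label, Counter())
        for msg in messages:
            self.doc_counts[label] += 1
            for tok in tokenize(msg):
                counts[tok] += 1
                self.vocab.add(tok)

    def log_posterior(self, message, label):
        counts = self.token_counts[label]
        total_tokens = sum(counts.values())
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokenize(message):
            # add-one smoothing: a token unseen in this class must not zero it out
            score += math.log((counts[tok] + 1) / (total_tokens + len(self.vocab)))
        return score

    def classify(self, message):
        return max(self.doc_counts, key=lambda label: self.log_posterior(message, label))

# Constructed training mail (not real captured traffic). The malware examples
# imitate the lures described in this post; the legitimate ones are ordinary mail.
MALWARE_TRAINING = [
    {"subject": "You visited illegal websites",
     "body": "We have logged your internet address while you downloaded copyrighted music from filesharing networks. Answer our questions in the attached document.",
     "attachments": ["list.zip"]},
    {"subject": "Sie haben illegale Websites besucht",
     "body": "Ihre Internetadresse wurde beim Herunterladen von Musik protokolliert. Beantworten Sie die Fragen in der Datei.",
     "attachments": ["Fragenkatalog.zip"]},
    {"subject": "Your account has been suspended",
     "body": "Your email account will be disabled. Open the attached file for details.",
     "attachments": ["account-details.pif"]},
    {"subject": "Paris Hilton video", "body": "Watch the video in the attachment.",
     "attachments": ["paris_hilton.exe"]},
    {"subject": "Mail delivery failed", "body": "The original message was not delivered. See attached.",
     "attachments": ["message.zip"]},
]
LEGIT_TRAINING = [
    {"subject": "Meeting on Thursday", "body": "Can we move the project meeting to 3pm? Agenda attached.",
     "attachments": ["agenda.pdf"]},
    {"subject": "Re: November stats", "body": "Thanks for the graphs, the Mytob numbers look right to me."},
    {"subject": "Invoice 2041", "body": "Please find attached the invoice for October.",
     "attachments": ["invoice-2041.pdf"]},
    {"subject": "Conference slides", "body": "Here are the slides from my SecureWorld talk.",
     "attachments": ["slides.ppt"]},
    {"subject": "Lunch?", "body": "Are you around for lunch tomorrow?"},
]

# Constructed held-out messages used to measure the "classified correctly" figure.
HELD_OUT = [
    ({"subject": "FBI investigation", "body": "Our logs show you downloaded illegal music from filesharing networks. Answer the attached questions.", "attachments": ["questions.zip"]}, "malware"),
    ({"subject": "Account information", "body": "Your account was suspended, see the attached file.", "attachments": ["info.pif"]}, "malware"),
    ({"subject": "Re: agenda", "body": "Thanks, see you at the meeting on Thursday."}, "legit"),
    ({"subject": "Slides from Thursday", "body": "Here are the updated slides for the project meeting.", "attachments": ["slides-v2.ppt"]}, "legit"),
]

def build_filter():
    mail_filter = BayesianMailFilter()
    mail_filter.train(MALWARE_TRAINING, "malware")
    mail_filter.train(LEGIT_TRAINING, "legit")
    return mail_filter

def percent_correct(mail_filter, labelled_messages):
    """Share of (message, expected label) pairs the filter gets right, as a percentage."""
    if not labelled_messages:
        return 0.0
    hits = sum(1 for msg, label in labelled_messages if mail_filter.classify(msg) == label)
    return round(100.0 * hits / len(labelled_messages), 1)

if __name__ == "__main__":
    f = build_filter()
    for msg, expected in HELD_OUT:
        print(f"{f.classify(msg):8s} (expected {expected})  {msg['subject']}")
    print(f"{percent_correct(f, HELD_OUT)}% classified correctly")
```

With a training set this small the percentage is only meaningful for the held-out messages it is computed on; a real filter of this type is retrained continuously, and the monthly "classified correctly" figure is what tells you whether a new family such as Sober.Z is slipping past the existing token statistics.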

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 112,438 [as at the end of December 2004] to 162,987 [as at the end of November 2005]. That’s a growth of 50,549 so far this year! Last year in total we saw 28,327 new malware strains, so we have already eclipsed last year.

Looks like we could see 60,000 new malware strains by the end of the year, which is significantly more than I expected when I started the year with my first estimate!

What’s New?

Sober Again?
Yes, Sober is back again: we first saw it in October 2003, when it caused a mild splash. However, two members of the Sober family were responsible for ‘significant’ outbreaks; these being variants c and e.

Sober seems to target Internet users in Western Europe, and the author tends to focus on political views and combines that with very effective social engineering tricks; this double-whammy seems to lower the defences of most users.

Sober.Z [aka Sober.y, Sober@MM!M681, SOBER.AG, etc.] used a trick which worked well for an earlier member of the family: it sent forged e-mail messages purporting to come from the FBI, claiming that the recipient had violated copyright by downloading music from filesharing networks. The e-mail message instructs the recipient to open the attachment, which, the e-mail claims, contains data relating to the alleged offence.

Carole Theriault from Sophos had this to say about the latest version of Sober:

Since we saw the first Sober worm back in October 2003, its author has tried to improve upon tried-and-tested tricks to dupe computer users into launching infected attachments.

This latest worm purports to be a warning from CIA and FBI agents, accusing recipients of visiting illegal websites. Mocking the feds is a sure-fire way of goading the authorities, and you can’t help but wonder whether the author is desperate to be caught.

Sober variants are often bilingual [not many malware strains have used this trick], enabling them to spread in both English and German and infect both English and German speakers/readers, as well as anyone else naive enough to run the attachment.

An interesting side note with the latest version is that the message included a genuine telephone number for the FBI! It appears that a number of recipients of the Sober.Z generated e-mails actually rang the FBI on the number supplied. The effect was that the FBI number being spammed by Sober.Z was put under a ‘telephone’ DoS [Denial of Service] attack.

Not only does it claim to have come from an FBI or CIA agent, Sober.Z also uses the German version of ‘Who Wants to be a Millionaire’ and the old ‘sex sells’ trick, using Paris Hilton as bait.

Furthermore, in a rather odd ‘Twilight Zone’ type occurrence; the Bavarian police issued a warning about a new variant [of Sober] being launched in the next 48 hours; lo and behold they got it right as the warning appeared before the latest family member was unleashed, and allowed to cause havoc on the internet. This would suggest that the Bavarian police may know who the author is and are keeping a close eye on them. This may be a simple case of allowing them to effectively incriminate themselves further. Hopefully, this will lead to an arrest at some point, and another malware author will be re-educated.

I also attended the EMEA SecureWorld Conference and I have blogged about that as a separate entry.

Conclusions:
As you may have noticed, SPAM and phishing scams have been very aggressive during November and I expect that this trend will escalate during December. On that note; not only will I be writing a review for December but I will also be putting together a ‘Malware Review for 2005’ which will cover the whole year and make some predictions on the probable threats and trends for 2006.

Links:
Virus Top Twenty for November 2005 [Kaspersky]
Top ten viruses and hoaxes for November 2005 [Sophos]


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.
