MoMusings

Friday 31st March, 2006


Virus Bulletin 2006 Abstract Selected

Filed under: All, Malware, Papers

Virus Bulletin have just informed me that my abstract entitled: ‘Rootkits: Risks, Issues and Prevention‘ has been selected for the Virus Bulletin 2006 international conference to be held from the 11th to the 13th October 2006 at the Fairmont The Queen Elizabeth, Montréal, Québec, Canada.

The abstract for the paper appears below:

Abstract:
Rootkits have been around almost since the start of computing; however, over the last two years the threat has changed. It is no longer just a *NIX problem: corporate and academic computers running Microsoft Windows are now an increasing target.

We are now at a tipping point; rootkits are no longer a minor annoyance or threat, they are starting to become a major cause for concern.

Many corporate security staff have a rather vague understanding of rootkits, not just what they are but how they work. Furthermore many have little understanding of the risks to their company or their own home computer.

This paper will explain what rootkits are and how they work. It will also discuss ways to combat them using methods that range from simple security methodologies through to technical solutions.

All I have to do now is get management approval to attend and then carry out all the required research and write the paper, piece of cake, NOT!

If approved then this will be the ninth time I’ve written and presented a paper for Virus Bulletin. Thanks go to VB for allowing me the honour of presenting at ‘The Premier‘ anti-virus conference in the security conference calendar once more.

The value to me personally in attending this conference is the knowledge I gain, that in itself is priceless. It is also a chance to finally meet some of the people I converse with via e-mail, and catch up with like minded people I’ve met before, some of whom I would now consider to be friends.

If you have never been to a Virus Bulletin conference and you work in the information security field, then it is about time you did, you won’t regret it!

The full paper will be made available after the conference. I’ll post an announcement here shortly after the conference has finished.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Wednesday 29th March, 2006


February 2006 Malware Review

Filed under: All, Malware, Stats

February has come and gone and another interesting month on the malware front it has been, and I have finally managed to find a bit of time to write a review!

Like previous months, I will cover some statistics from my own sensors and compare them with those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 1115 samples during February, which have been catalogued as 64 distinct families and variants. In comparison, during January I captured 2645 samples which were catalogued as 86 distinct families/variants. As you can see, the captures in February were less than half of the January total. During February I captured and submitted 8 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The low haul in February is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005.

During February I reported 110 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained pole position again during February. Not only that, but it increased its share from 39 percent of all captured files during January to over 51 percent. This is a significant jump; however, it is still not up to the 63 percent of all captured files it was responsible for in December 2005!

Although the Mytobs bounced back in January, recovering significant ground lost during December 2005, they lost some more ground during February. MyWife, which made a significant splash in January, disappeared from the top 10 during February.

It seems that the share-crawling worms recovered some ground they lost during January; in fact the number of share-crawling worms in the top ten rose from two to five. Netsky.P managed to retain a top ten position, but Lovgate.X did not.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running around the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], this month Zafi.d lost its hold on the top spot, falling to third place. Its pole position has been stolen by Mytob.c and second place has been grabbed by Lovgate.w. The rest of the chart is made up of Netsky.t in fourth, another Netsky family member [b] in fifth, followed by a Bagle variant [fj] in sixth spot, and Mytob variants [u and q] in seventh and eighth place. Netsky.q breaks up the Mytob run by stealing ninth place. The final place is occupied by another Mytob variant [t], just managing to keep a place in the top 10.

In the SOPHOS chart we see a different pattern, with Netsky.P grabbing back the top position this month. Second place is filled by Nyxem.D [aka MyWife] with Bagle-Zip snapping at its heels in third. Zafi.b has been relegated to fourth place, closely followed by two Mytob variants [EX, FO] in fifth and sixth place respectively. Another Bagle [CH] grabs seventh, followed by a new malware family known as Clagger in eighth. The final two slots are occupied by Netsky.D and yet another Mytob [BE].

The final pie chart below shows the Top 10 malware families trapped, by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has increased its share from 39 percent of all samples caught in January to over 51 percent in February. Mytob managed to consolidate its hold on second place. Third place is occupied once more by Netsky, which had it stolen by MyWife [aka Nyxem] in January. Mydoom and Bagle complete the e-mail worms appearing in the top 10. The rest of the vacant spots are taken by share-crawling worms and bots, these being: Opaserve, Sdbot, Ranky and the related multi-component dropper. The top ten is rounded off by Agobot making a re-entry in ninth.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of February] here. This clearly shows that February was significantly quieter than January; in fact it was only slightly busier than December 2005, which was the quietest month in the last two years!

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 181,608 [as at the end of February 2006]. That’s a growth of 12,801 in two months! In 2005 we saw 56,369 new malware strains compared to 28,327 in 2004, so the number of new malware strains almost doubled during 2005 (an increase of almost 100 percent). Using the first two months’ data to extrapolate possible numbers of new malware in 2006 (12,801 × 6), we get a whopping 76,806. However, I suspect that the total at the end of 2006 will exceed 100,000.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in February 2006.

Links:



Monday 13th March, 2006


IRS Refund

Filed under: All, Scams

The phishers seem to be looking for new organisations to target. They no longer seem content to target customers of the usual suspects, such as:

  • Banks
  • Building societies
  • eBay
  • Paypal
  • Amazon
  • eGold

Their latest target is the Internal Revenue Service, yes the dreaded IRS! This is the US equivalent of the UK’s Tax Office, which those of us in the UK really admire, especially their ability to get blood out of stones, and extract every last penny that they can from us ;-) .

This morning I received a number of copies of the following e-mail [screenshot below]

IRS Phish e-mail screenshot

This e-mail is a lovely example of social engineering. How many of us lie awake at night wishing for, or have fevered dreams where we get a refund from the tax office? Surely I’m not the only one? ;-)

So, not surprisingly lots of people are going to rush to the site and get money back from the government, wouldn’t you?

Clicking on the link takes you to this site [screenshot below]:

IRS Phish Web Site Screenshot

As you can see, the web site above asks for lots of personal data including, your social security number, your credit/debit card details, including the CVV [anti-fraud countermeasure] and your card’s PIN.
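The two tell-tale signs in this scam are the ones the screenshots show: the link in the e-mail does not go where its text claims, and the landing page asks for data (SSN, card number, CVV, PIN) that no refund process needs. The following Python is an added example of checking for both, not code from this blog or from Netcraft; the e-mail body, the form and the 203.0.113.10 address (RFC 5737 documentation range) are constructed for the example, and the list of "sensitive" field names is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (not the original message): the visible link text
# says irs.gov, but the href points at an address on the RFC 5737 documentation range.
SAMPLE_MAIL_HTML = """
<p>After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund of $63.80.</p>
<p>To access the form for your tax refund, please click
<a href="http://203.0.113.10/irs/refund.php">http://www.irs.gov/refund/</a></p>
"""

# Constructed sample landing page: a "refund" form that asks for far more than a refund needs.
SAMPLE_PHISH_FORM_HTML = """
<form method="post" action="http://203.0.113.10/irs/submit.php">
  <input name="ssn"> <input name="card_number"> <input name="exp_date">
  <input name="cvv"> <input name="atm_pin"> <input type="submit">
</form>
"""

# Assumption: substrings of field names a legitimate refund form would never collect.
SENSITIVE_FIELDS = ("cvv", "cvc", "pin", "password", "ssn", "card")


class LinkAndFieldExtractor(HTMLParser):
    """Collect (href, visible text) for every anchor and the name of every input."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.fields = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "input" and a.get("name"):
            self.fields.append(a["name"].lower())

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; link text like 'www.irs.gov/x' has no scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def check_links(html, expected_domain):
    """Flag anchors whose href host is not under expected_domain or differs from the text shown."""
    parser = LinkAndFieldExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = host_of(text) if "." in text else ""
        if not (target == expected_domain or target.endswith("." + expected_domain)):
            findings.append(f"link host {target!r} is not under {expected_domain}")
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but goes to {target!r}")
    return findings


def check_form(html):
    """Return the sensitive fields a page asks for; a real refund form needs none of them."""
    parser = LinkAndFieldExtractor()
    parser.feed(html)
    return [f for f in parser.fields if any(s in f for s in SENSITIVE_FIELDS)]


if __name__ == "__main__":
    for finding in check_links(SAMPLE_MAIL_HTML, "irs.gov"):
        print("MAIL:", finding)
    print("FORM asks for:", ", ".join(check_form(SAMPLE_PHISH_FORM_HTML)))
```

The link check is what a toolbar or mail gateway does first: it compares the host the browser will actually contact with the host the user believes they are visiting, and with the domain the sender claims to represent. The form check is the second line, applied to the landing page itself: a page that wants a card PIN or CVV in order to pay you money is asking for the credentials needed to take money, not give it.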

Guess what they will do with all that data?

  • Make withdrawals from ATMs using the stolen card data via a ‘cloned’ card.
  • Make online purchases.
  • Make purchases over the telephone.
  • And last but not least, they could use this data to ‘steal your identity’.

It could turn out to be a very expensive refund!

Oh, you do know that there is no refund, don’t you? This is just a scam.

However, there may be at least one silver lining to this cloud, if you gave them your credit card information then you might at least get the reward points or airmiles ;-)

The good news is that, although this site is still up and functioning as I write this, the Netcraft toolbar will warn you that this is a phishing site. You do have the Netcraft toolbar installed, don’t you?

If you haven’t, then why not? It’s FREE, does not contain any spyware or other malcode and, most importantly, it can stop you from making a very expensive mistake.

"Don’t browse the web without it."



Monday 6th March, 2006


King Fahd 419

Filed under: All, Scams

Looks like the ‘Boys and Girls from Lagos‘ are back again; this time they are using the recent death of none other than King Fahd of Saudi Arabia.

‘Borrowing’ names of famous or infamous people or companies is a fairly common trick used by the 419ers. They believe that using a well known name will somehow make the scam more believable.

A recent addition has been to also include a link [URL] to a news item covering the company or person they use, to try and add credibility to their story. The purpose of the story, the real name and the link to factual data is purely to ‘hook‘ a potential victim.

The example below, which I received today clearly illustrates both of these tricks in use:

From: "Peter Edgware" <pedgware@saconsultgroup.com>
Subject: URGENT RESPONSE NEEDED
Reply-To: pedgware@saconsultgroup.com
Date: Mon, 6 Mar 2006 06:10:10 +0000

Dear Sir/Madam,

My name is Peter Edgware. I work at a well-known Security Company in the UK. I am writing with a financial proposal that I hope will interest you. As you are undoubtedly aware, King Fahd bin Abdel Aziz of Saudi Arabia died on the August 1 2005 at the age of 84.

Please do a search on the web for more information on him, or look at the BBC’s website:

http://news.bbc.co.uk/2/hi/middle_east/4734175.stm

As you will see from the BBC website (BBC being an independent state funded news broadcaster here, similar to CNN,) King Fahd was the ruler of one of the richest countries in the world for 23 years. His country exports over 40% of the world’s oil and it is well known that the royalty are amongst the richest men in the world.

We have a consignment containing money deposited here that was left years ago by an aide on King Fahd’s behalf. Now that he is dead, the consignment goes to the listed next of kin. My reason for contacting you is that the next of kin’s name was not listed. A ‘foreign business partner’ is the next of kin, which could be anyone. I would like to invite you to claim the consignment as the foreign partner, as is the next of kin’s legal right and then we would share the contents.

There is absolutely nothing illegal in this idea. This money belongs to the next of kin, who you would claim to be. What would happen would be this: you would apply as the ‘next of kin’ of the deposit. Upon completion of the collection of the consignment, we would arrange to share the money contained therein, leaving a percentage share for you, for your troubles. I re-iterate, this is not illegal and will not cause you any trouble. We have all the documents needed.

The depositor is dead. There is no one to claim this consignment. If you do not, the money will remain indefinitely in store. Wasted.

Thanks for taking the time to read this. Please reach me via my personal email address if you are interested: (peteredgware@saconsultgroup.com) so that I may validate your authenticity. If you are not, please could you also tell me so that I do wait needlessly and I may find another potential beneficiary.

Regards
Peter Edgware

I love the line: "There is absolutely nothing illegal in this idea. This money belongs to the next of kin, who you would claim to be." Surely impersonation and fraud are illegal in all countries?

By taking part in this scam you would be breaking the law, that’s assuming it was a ‘real‘ deal and the money really did exist, which of course it doesn’t. As usual the only ones who will end up with anything out of this scam would be those that run it, and the money they would get would be ‘your money‘ if you were foolish enough to swallow the ‘bait‘.

I’m still waiting to see if they will go as far as this ;-)



Thursday 2nd March, 2006


New Mobile Malware Steals

Filed under: All, Malware, Scams

I haven’t covered mobile malware for a while and, although there has been quite a lot of activity, most of it has been limited to new variants or uninteresting new malware. The last week has seen several significant developments. The first one was ‘crossover‘, a cross-infector that jumps from a Windows desktop to a Windows Mobile or Windows CE device, which I covered in an earlier posting.

The second one is also rather interesting, and another first, in more ways than one. This new threat is known as Redbrowser and, unlike the mobile malware we already have, it doesn’t target Palm OS, Symbian OS or Windows CE [or Pocket PC/Windows Mobile]. This one targets Java on mobile phones. It is also the first mobile malware that tries to steal money.

How many of you out there have phones that have Java support built-in, or have downloaded a Java VM for your smartphone or PDA?

Well, most if not all of you are potentially a target for Java based malware.

Redbrowser is a Java application in the form of a JAR format archive, sometimes called "redbrowser.jar". The file size is 54,482 bytes and it can get onto your Java-enabled device in only one way: you download and install it. It is a Trojan, not a worm or virus.

This archive "redbrowser.jar" contains the following files:

  • Manifest.mf - 321 bytes
  • FS.class - 2,719 bytes
  • FW.class - 2,664 bytes
  • M.class - 5,339 bytes
  • SM.class - 1,945 bytes
  • icon.png - An image file 3,165 bytes long
  • logo101.png - An image file 16,829 bytes long
  • logo128.pnh - An image file 27,375 bytes long

This is what F-Secure has to say about Redbrowser.A:

"Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.

Redbrowser pretends to be a WAP browser that offers free WAP browsing, using free SMS messages to send the WAP page contents. But what Redbrowser actually does is send SMS messages to one specific number, thus it may cause financial losses to the user.

The fact that Redbrowser claims to send free SMS messages as part of its normal operation, is to fool the user into allowing the application permission to use Java SMS capabilities in phones that require permission from the user before sending SMS messages. This claim of free service is a form of social engineering.

The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan only to Russian speaking countries."

Redbrowser dialogues - Source: F-Secure

The so-called FREE SMS it uses is not free, the Trojan actually sends text messages to premium rate numbers, costing users between $5 and $6 per SMS. Luckily for most of us at the moment, Redbrowser currently targets subscribers of Russian mobile service providers; Beeline, MTS, and Megafon.

The other good news is that this threat is easy to remove.

However, don’t expect this to be the case with later versions, or new mobile malware which uses the same idea to extract money from you.

Some old Java viruses, like Strangebrew (written back in 1998, and the first virus to infect Java class files), have been found to work on some Java phones, but RedBrowser is the first malware that targets Java phones on purpose.
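Because a MIDlet can only arrive by being installed, and a MIDP 2.0 phone only lets it send SMS if it has requested that permission (which is exactly what the "free SMS" story is there to get the user to grant), the JAR itself carries the evidence a responder needs. The following Python is an added example of static triage of a MIDlet JAR, not code from this blog, F-Secure or Symantec: it reads the manifest for SMS-related entries in MIDlet-Permissions, scans the .class files for the string the constant pool will contain if the messaging API is used, and pulls out any sms:// short-code targets. The sample JAR it builds is constructed for the example (the short code 1234 and the fake class bytes are made up), the permission names are the MIDP 2.0 ones, and the 4-6 digit short-code pattern is an assumption.

```python
import io
import re
import zipfile

# MIDP 2.0 permission names a MIDlet must list (MIDlet-Permissions or MIDlet-Permissions-Opt
# in the JAD or manifest) before the phone will let it send SMS.
SMS_PERMISSIONS = {
    "javax.wireless.messaging.sms.send",
    "javax.microedition.io.Connector.sms",
}
# Any .class that calls the messaging API carries its class names as UTF-8 constant-pool
# entries, so a plain substring scan is enough for triage (no bytecode parser needed).
SMS_API_MARKERS = (b"javax/wireless/messaging", b"sms://")
# Assumption for this example: premium-rate short codes are 4-6 digits, optionally with a port.
SHORTCODE_URL = re.compile(rb"sms://\+?\d{4,6}(?::\d+)?")


def parse_manifest(text):
    """Parse JAR manifest 'Name: value' lines; a line starting with a space continues the previous value."""
    attrs = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def triage_midlet(jar_bytes):
    """Return the SMS-related evidence found in a MIDlet JAR (manifest, class files, short codes)."""
    report = {"permissions": [], "sms_api_classes": [], "shortcodes": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        # Redbrowser's listing shows the manifest at the root; the normal place is META-INF/.
        manifest = next((n for n in names if n.lower() in ("meta-inf/manifest.mf", "manifest.mf")), None)
        if manifest:
            attrs = parse_manifest(jar.read(manifest).decode("utf-8", "replace"))
            for field in ("MIDlet-Permissions", "MIDlet-Permissions-Opt"):
                requested = {p.strip() for p in attrs.get(field, "").split(",") if p.strip()}
                report["permissions"] += sorted(requested & SMS_PERMISSIONS)
        for name in names:
            if name.endswith(".class"):
                data = jar.read(name)
                if any(marker in data for marker in SMS_API_MARKERS):
                    report["sms_api_classes"].append(name)
                report["shortcodes"] += [m.decode() for m in SHORTCODE_URL.findall(data)]
    report["suspicious"] = bool(report["permissions"] or report["sms_api_classes"])
    return report


def build_sample_jar():
    """Constructed sample (not the real Redbrowser): a 'free WAP' MIDlet that asks for SMS rights."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "MIDlet-Name: FreeWAP\r\n"
        "MIDlet-1: FreeWAP, icon.png, M\r\n"
        "MIDlet-Permissions: javax.wireless.messaging.sms.send,\r\n"
        " javax.microedition.io.Connector.sms\r\n"
    )
    # Not a valid class file, just the magic number plus the strings a real one would carry.
    fake_class = (b"\xca\xfe\xba\xbe" + b"\x00" * 4
                  + b"javax/wireless/messaging/MessageConnection" + b"sms://1234")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("M.class", fake_class)
        jar.writestr("icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_midlet(build_sample_jar()).items():
        print(f"{key}: {value}")
```

A WAP browser has no reason to request SMS permission at all, so a "browser" JAR whose manifest lists javax.wireless.messaging.sms.send, and whose classes embed a fixed sms:// short code, tells the story before the code is ever run. The same check applied to a JAD file (the descriptor a phone downloads first) catches the request even earlier, since the permission list is usually duplicated there.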

Links:
http://www.f-secure.com/v-descs/redbrowser_a.shtml
http://www.f-secure.com/weblog/archives/archive-022006.html#00000823
http://www.sarc.com/avcenter/venc/data/trojan.redbrowser.a.html


