MoMusings

Thursday 27th April, 2006


E-mail Warning about Scams is a Scam

Filed under: All, Malware, Exploits, Scams

It never fails to surprise me when the 419ers [the boys and girls from Lagos who run the advance-fee frauds, aka Nigerian scams] try to get a potential mark [victim] to trust that the e-mail, letter or fax is genuine, either by using well-known company names or grand-sounding personal titles, such as Queen this, Princess that or General the other, or by trying to pass themselves off as professionals, such as doctors, lawyers, government officials, bank staff or ministers of religion. They have also been known to ‘borrow’ the names of famous or infamous people.

Occasionally they change tactics and try to convince you that the deal on offer is not a scam by stating outright that it is ‘100 percent legal’ or that ‘this is not a scam’.

The latest twist in their tactics is ‘borrowed’ from the malware authors: the scam e-mail itself warns you against scams. Rather ironic, I would say!

Here’s a screenshot of the e-mail:

Probably the best known case of malware using this tactic is Swen [screenshot below], which arrived as an e-mail claiming to come from Microsoft and warning you about security holes that could be exploited by malicious code. The beautifully formatted HTML e-mail had the required ‘patch’ attached, which was in fact the malware itself. The e-mail was very believable, so it was no surprise that lots of people ran the attachment and infected their computers. The tell, then as now, is the attachment itself: Microsoft does not distribute security updates as e-mail attachments.

This latest twist just reinforces that the ‘bad guys and girls’ are learning from each other. Phishers are learning from the 419ers, who are learning from the malware authors, who are learning from the spyware authors, who are learning from the phishers… round and round we go!

Let’s hope some of them get dizzy and fall off into the waiting arms of law enforcement, who will sit them down, read them their rights and then let them have their day in court.

Hopefully they will get ‘a real sentence’ that finally sends out the message that cyber-crime does not pay, rather than the ‘slap on the wrist’ we have seen handed out in the vast majority of cases so far.

I know, I can dream…


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Wednesday 26th April, 2006


Lost in MySpace

Filed under: All, Malware, Exploits, Hoaxes

According to the blurb posted on their site:

“MySpace.com is an online community that lets you meet your friends’ friends. Create a private community on MySpace and you can share photos, journals and interests with your growing network of mutual friends!”

Some of the features of MySpace include:

  • Upload Pictures
  • Send Mail and IMs
  • Write Blogs & Comments
  • Participate in forums and groups

It is all really about social networking.

However, all is not rosy in the MySpace virtual garden.

Firstly, MySpace was targeted by malware back in October 2005:-

Here’s a snippet from a news article that covered it:

“One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.”

Not bad for a bit of JavaScript and XSS [cross-site scripting]. The mechanics are what make it an XSS worm: profile pages could carry user-supplied HTML, the script ran in the browser of everyone who viewed an infected profile and, using that visitor’s logged-in session, added Samy as a friend and copied itself into the visitor’s own profile. At the time of writing the worm had been removed and the holes it used patched. However, other MySpace worms have since been created using Samy’s code as a starting point, and some of these were able to spread.
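What let Samy through was the way the profile HTML was cleaned: a blacklist that deleted the obvious dangers (script tags, the word “javascript”) in a single pass, rather than encoding the text so it could not become markup at all. The following is an added example, written for this page and not code from the original post or from MySpace; all function names (blacklistFilter, encodeHtml, renderWithBlacklist, renderEncoded, isDangerous, compare), the profile template and the attacker inputs are made up for the demo, and the example.invalid URL is a placeholder. It puts the naive blacklist next to plain output encoding and runs three constructed inputs through both. The newline trick is the one the Samy write-up describes (there inside a style attribute); browsers still strip tabs and newlines from a URL before reading its scheme, so it works in an href too.

```javascript
// Added example, not from the original post or from MySpace: a naive
// blacklist filter of the kind that lets an XSS worm through, next to the
// output encoding that would have stopped it. Every input below is
// constructed for this demo; nothing here is the real Samy payload.

// 1. Blacklist filtering: allow HTML in a profile, but delete the obvious
//    dangers. One pass, non-recursive, which is exactly the problem.
function blacklistFilter(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '') // obvious tag
    .replace(/javascript/gi, '');                        // obvious scheme
}

// 2. Output encoding: treat profile text as text. Nothing the user typed
//    can open a tag or break out of an attribute after this.
function encodeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical profile template: the "about me" field lands inside a div.
function renderWithBlacklist(about) {
  return `<div class="about">${blacklistFilter(about)}</div>`;
}
function renderEncoded(about) {
  return `<div class="about">${encodeHtml(about)}</div>`;
}

// Crude static stand-in for "would a browser run attacker code here?":
// any element other than the template's own <div>, or an href whose scheme
// is javascript: once tabs and newlines are removed (the browser's URL
// parser discards those before it looks at the scheme).
function isDangerous(fragment) {
  const tags = [...fragment.matchAll(/<([a-z][a-z0-9]*)/gi)]
    .map(m => m[1].toLowerCase());
  const foreignTags = tags.filter(t => t !== 'div');
  const jsHrefs = [...fragment.matchAll(/href\s*=\s*"([^"]*)"/gi)]
    .map(m => m[1].replace(/[\t\n\r]/g, '').trim().toLowerCase())
    .filter(h => h.startsWith('javascript:'));
  return foreignTags.length > 0 || jsHrefs.length > 0;
}

// Constructed attacker inputs (not real worm code).
const INPUTS = {
  // The blacklist strips this, so it "works" on the obvious case.
  plainScript: '<script src="http://example.invalid/worm.js"></script>',
  // Non-recursive strip: deleting the inner "javascript" once leaves "javascript".
  nested: '<a href="javajavascriptscript:alert(1)">add me</a>',
  // The literal word never appears; the URL parser drops the newline.
  split: '<a href="java\nscript:alert(1)">add me</a>',
};

// Returns { name: { blacklist: bool, encoded: bool } } for each input:
// true means the rendered profile still carries a script vector.
function compare(inputs = INPUTS) {
  const result = {};
  for (const [name, about] of Object.entries(inputs)) {
    result[name] = {
      blacklist: isDangerous(renderWithBlacklist(about)),
      encoded: isDangerous(renderEncoded(about)),
    };
  }
  return result;
}

console.table(compare());
```

Run with node: the blacklist column is true for both the nested and the split input and false only for the plain script tag, while the encoded column is false for all three, because encoded text can no longer start a tag or an attribute. The practical rule is the same as the one Samy taught: filter nothing, encode everything at the point where user text is written into HTML, and if rich HTML really must be allowed, parse it and keep an allowlist of tags and attributes rather than stripping a list of bad words.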

Secondly, some kind soul has been circulating a warning about a virus that is allegedly spread via MySpace.com instant messaging. Here’s the warning:

“If someone by the name of j_neutron07 wants to add you to their list dont accept it. Its a virus. Tell everyone on your hits because if somebody on your list adds them you will get it too. It is a hard drive killer and a very horrible virus.

PLEASE COPY/PASTE AND REPOST THIS”

However, this is not a real threat: there is no such malware, and, as I write, there is no way for this so-called virus to spread simply because you added someone to your buddy list. Yes, this so-called virus is a HOAX.

And thirdly, it seems that MySpace has also been used to find ‘rape suspects’, and has recently removed 200,000 ‘rude’ profiles. According to the ‘Register’ the site has also been used by school bullies who post bogus profiles aimed at attacking or humiliating their victims.

As if the above issues were not worrying enough, the recent sexual assaults on ‘young’ MySpace.com members appear to show that the service is being actively used by paedophiles to find victims to groom, meet and abuse.

The above issues once more make it abundantly clear [if you needed reminding] that you should not give out personal details via these types of services, as a small minority will take advantage. Kids [and adults too] should remember that on the internet the person you think you are chatting to or e-mailing may not be what they seem. You may think that they are a 12 year old girl from London, but it may well be a 45 year old man from the other side of the world, or from next door!

To steal the punch line from this cartoon: “On the Internet, nobody knows you’re a dog.”

Be careful out there on the ‘Wicked Wild Web’.


Tuesday 18th April, 2006


March 2006 Malware Review

Filed under: All, Malware, Stats

March has come and gone, taking the first quarter of the year with it. It has been another interesting month on the malware front, although, as you will see, the number of trapped malware samples is still low.

As in previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover the new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all of their data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 1356 samples during March, which have been catalogued as 61 distinct families and variants. In comparison, during February I captured 1115 samples, which were catalogued as 64 distinct families/variants. As you can see, the captures in March are only slightly up on February and still below January’s high.

During March I captured and submitted 10 brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. Details on these new malware can be found on my VSUB blog.

The low haul in March is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares], which was first noticed in December 2005, although a slight increase was noticed during March.

Furthermore, I reported 135 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar that I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained pole position again during March. Not only that, but it increased its share from 51 percent of all captured files during February to over 73 percent. This is a significant jump, and eclipses its own record of 63 percent achieved in December 2005!

Netsky.P managed to grab the second-place slot during March; however, it only managed 3 percent of the total captures.

The Mytobs lost more ground during March, barely managing to capture 2 of the top 10 places: sixth and seventh.

It seems that the share-crawling worms consolidated their hold on the ground they won back in February, taking six out of the ten places.

The only other mass-mailing worm that made it into the top ten was W32/Mydoom.bb@MM [McAfee].

If you compare the above to the data from Kaspersky and from SOPHOS you may see some marked differences. Why? Simply because my sample-capture systems collect data from multiple ‘vectors’ and combine it, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], this month Zafi.d has moved out of the top ten; however, Zafi.b has managed to retain a spot, in this case sixth.

In pole position we have Mytob.c, which was also number one last month. Second place has been taken from Lovegate.w [down to third] by Netsky.t [up from fourth]. The rest of the chart is made up as follows: Netsky.b takes fourth place [up from fifth], followed by Mytob.u in fifth and Zafi.b in sixth; Netsky.q breaks up the Mytob run by stealing seventh place, with Mytob variants [q and t] in eighth and ninth; the final place is occupied by Lovegate.ae, just managing to keep a spot in the top 10.

In the SOPHOS chart we see a different pattern: Zafi.b is back in pole [up from fourth], and Netsky.p has slipped a place, from pole to second. Likewise Nyxem.D [aka MyWife] has slipped one place, from second to third, with Mydoom-AJ stealing fourth place [new entry]. Mytob-EX takes the highest spot for its family, in fifth, followed by last month’s new entry Clagger-I in sixth. The final places are made up of three Mytob variants [BE, FO and Z] in seventh, ninth and tenth respectively, broken up by another Netsky family member, in this case D, in eighth.

Did you notice the lack of Bagles seen in March?

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader, Tenga, which increased its share from 51 percent of all samples caught in February to over 73 percent in March. Mytob lost the second spot it held in February to Operserv and slipped down to fourth; third place is occupied by Netsky, once more consolidating its position here, and Mydoom is in fifth. The rest of the vacant spots are almost all taken by share-crawling worms and bots: Sdbot, Ranky and its related multi-component dropper, and Dupator. The only e-mail-based worm in the lower five places is WORM_REATLE, a new entry, in at ninth.

If you wish to see the current top 10, see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of March] here. This clearly shows that March was significantly quieter than January; however, it was slightly busier than February.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 185,252 [as at the end of March 2006]. That’s a growth of 16,445 in the first quarter of the year! Using the first quarter’s data to extrapolate the possible number of new malware in 2006, we get a whopping 65,780. However, I suspect that the total at the end of 2006 will exceed 100,000, as the growth of new malware slowed in March by almost 50 percent.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or that cover some of the interesting occurrences in March 2006.

Conclusions:
Although malware growth slowed during March, you may have noticed that phishing and 419 scams were very aggressive during March, and they show no sign of stopping. The growth in malware that uses rootkit [cloaking/stealth] techniques is becoming a major problem, and corporations need to address this now, before it gets completely out of control with widespread infestations throughout their infrastructure.

On this subject, I have been asked to present on ‘Rootkits’ at the Virus Bulletin 2006 conference, to be held later this year. The paper will be made available for all to read once it has been presented.

Links:


Thursday 13th April, 2006


Social Engineering A Policeman

Filed under: All, Scams

I’ve covered social engineering techniques in the past, especially those used in Internet scams and by malware authors to get you either to install, run or click on something you shouldn’t, or to give away personal details, such as bank details, social-security numbers, etc.


I came across a video [QuickTime format] showing a policeman being ‘hoodwinked’ by a fast-talking escaped prisoner. This is a perfect example of real-world social engineering.

According to the latest details, the escaped prisoner, Richard Lee McNair, 47, who was given a life sentence for killing a trucker at a grain elevator in Minot, N.D., in 1987, is still at large.

Did you notice that his story changed and that he used two different names?

Don’t get me wrong, I do not applaud the fact that this individual evaded capture, but I am somewhat surprised that he was allowed to, as he matched the description of the escapee, had no ID on him and looked like he’d been through a ‘briar patch’; if the policeman had been a little sharper he would have noticed that he gave two completely different names and that his story was constantly evolving and changing.

What’s more, he [the policeman] failed to follow up and check on the ‘motel’ that McNair said he and his ‘fictitious’ brother were staying at.

Link to video [8 minutes long].

Links:
Reward Offered for Information on McNair
Prison Escapee Could Be Hiding Out In Ark-La-Tex


Saturday 1st April, 2006


WARNING:-Annual Internet Cleaning Day

Filed under: All

Yes, it’s that time of the year again when the Internet gets the equivalent of a ‘spring-clean’.

So, as a Public Service I’m getting the word out on this important topic via my blog.

Annual Internet Cleaning Day!

As many of you know, each year the Internet must be shut down for 24 hours in order to allow us to clean it. The cleaning process, which eliminates dead email, inactive ftp and www sites, dead blogs and empty USENET groups, makes for a better working and quicker Internet.

This year we’ve added a new service: electromagnetic fumigation. This new service will hopefully eliminate all software and hardware bugs as well as all malicious software: viruses, trojans, worms and bots. Not only that, but our improved cleaning techniques, which use high-level electromagnetic wave generators, will also remove all adware and spyware.


As usual the cleaning process will take place from 12:01 a.m. GMT on April 1 until 12:01 a.m. GMT on April 2 (the time least likely to interfere with ongoing work). During that 24-hour period, powerful Internet search engines situated around the world will search the Internet and delete any data that they find and our electromagnetic fumigators will delete all bugs, malware, spyware and adware.

In order to protect your valuable data from deletion we ask that you do the following:

  1. Disconnect all terminals and local area networks from their Internet connections.
  2. Shut down all Internet servers, or disconnect them from the Internet.
  3. Disconnect all disks and hard drives from any connections to the Internet.
  4. Refrain from connecting any computer to the Internet in any way, even via your mobile phone or PDAs.
  5. Keep all storage devices including tapes and disks at least 100 feet from any Internet connection, such as phone sockets or network ports.

We understand the inconvenience that this may cause some Internet users, and we apologise. However, we are certain that any inconvenience will be more than made up for by the increased speed and efficiency of the Internet once it has been cleared of electronic flotsam and jetsam, as well as all the bugs and malware that have been clogging it up since last year’s spring-clean.

In the unlikely event that you get too near a network or Internet connection point whilst cleaning is in progress, then please immediately report any of the following occurrences and we will do our utmost to resolve the situation:

  1. Reality seems slightly distorted or clocks run slower, stop or run backwards.
  2. Loss of hair, teeth, memory or limbs.
  3. Temporal displacement (you find yourself hurled back or forwards in time).
  4. You find yourself in an alternate universe.
  5. Your heart stops or you cease to exist.

We thank you for your cooperation.

Pia Lorolf
Internet Cleaning Services
Tel: 27745 3665
“We Clean-Up The ‘Net”

So, do your part - make sure that your computer and all other Internet connecting devices are not used during this cleaning period.

If you are reading this while the Internet is being cleaned then log off now, quickly, otherwise all your data will be deleted!!!

Oh, all right, no it won’t.

— Yes, this is a joke, just in case you didn’t get the significance of the date it was posted on ;-)

