MoMusings

Wednesday 31st May, 2006


Microsoft Malware and Anti-Malware

Filed under: All, Malware, Exploits, Tools

It’s a Microsoft themed posting today, I hope Bill is pleased ;-)

First we have a new Microsoft patch being sent via e-mail for a new vulnerability, or so you are led to believe. Details below:

Here is a screenshot of the e-mail:

Screenshot courtesy of SOPHOS.


If you are naive enough to believe that Microsoft send patches out via e-mail, then you are the sort of person that would also have infected your computer with Swen when it used the same trick to great effect.

The web link [URL] shown in the e-mail is not where you will go if you are gullible enough to click on the link and download the ‘alleged’ patch.

This uses the same phishing-like trick that I mentioned the other day.

It seems that once more the Bad Guys and Gals are trading tricks to help them get you to infect your computer or disclose personal data. Once you have clicked on the link and executed [run] the downloaded file, which is a Trojan horse, the installer will display the following bogus message:

“Microsoft WinLogon Service successfully patched.”

In reality the Trojan is now secretly logging all your keystrokes and sending them to an email address belonging to the Bad Guys and Gals that created it.

The good news is that the website being used to host the Trojan has been taken down, so if you haven’t yet infected yourself you’ve missed your chance with this one ;-)

Oh, and just in case you didn’t know, there is no such vulnerability and even if there were Microsoft don’t send patches to customers via e-mail like this, got it?

Oh yes I nearly forgot, here is a link to the description of the Trojan itself, known as BeastPWS-C.

Microsoft OneCare Launched Today:

The much vaunted [by Microsoft] ‘OneCare’ service launches today. ‘OneCare’ is the new anti-malware offering from Microsoft which includes anti-virus and anti-spyware services for home users.

Not surprisingly existing anti-virus and security vendors are jumping on the bandwagon. Just to steal a bit of Microsoft’s thunder on launch day of ‘OneCare’, McAfee is launching their own similar service, named ‘Falcon’.

Symantec are also planning a similar service which they were going to name ‘Genesis’, however their service is delayed and has also been renamed to ‘Norton 360’.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 25th May, 2006


Credit Card Chargeback Malware

Filed under: All, Malware

I was mentioning in my last post that this week has been rather busy, what with new malware, and again today we have another brand new one that is being seeded. This one also uses social engineering to get you [the potential victim] to infect your system. However, unlike the last one which used a link rather than an attachment, this new one uses the time honoured method of using an attachment.

So, what do we know about it so far?

Here’s a screenshot of what the e-mail looks like:

Here’s a link to a larger version for those of us that need it. ;-)

I have run the attachment, after unzipping it, through a pile of scanners and the results were somewhat worrying, as you can see:

AntiVir 6.34.1.32/20060525 found [Heuristic/Trojan.Downloader]
Authentium 4.93.8/20060525 found nothing
Avast 4.6.695.0/20060524 found nothing
AVG 386/20060524 found nothing
BitDefender 7.2/20060525 found nothing
CAT-QuickHeal 8.00/20060525 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060525 found nothing
DrWeb 4.33/20060525 found nothing
eTrust-InoculateIT 23.72.17/20060525 found nothing
eTrust-Vet 12.6.2227/20060525 found nothing
Ewido 3.5/20060525 found nothing
Fortinet 2.77.0.0/20060524 found [suspicious]
F-Prot 3.16c/20060524 found nothing
Ikarus 0.2.65.0/20060524 found [Trojan-Downloader.Win32.Harnig.bl]
Kaspersky 4.0.2.24/20060525 found nothing
McAfee 4769/20060524 found nothing
Microsoft 1.1440/20060522 found nothing
NOD32v2 1.1557/20060525 found nothing
Norman 5.90.17/20060524 found nothing
Panda 9.0.0.4/20060524 found [Suspicious file]
Sophos 4.05.0/20060525 found nothing
Symantec 8.0/20060525 found nothing
TheHacker 5.9.8.147/20060524 found nothing
UNA 1.83/20060524 found nothing
VBA32 3.11.0/20060525 found nothing

Here’s the data on the ZIP file attached:

FileName: ref 7119606.zip
FileDateTime: 25/05/2006 11:38:23
Filesize: 5115
MD5: 32447beb481aad2a670093a75d7ae82e
CRC32: 5913500A
File Type: ZIP Archive File

This is the data on the file extracted from the ZIP attachment:

FileName: ref 7119606.exe
FileDateTime: 25/05/2006 09:19:04
Filesize: 6092
MD5: 9127f478235f98b6572bd3193918e473
CRC32: 6D0A8FD7
File Type: PE Executable
Packer: FSG

So, what can you do if you receive this e-mail? Simply this: delete it. Don’t open the attached zip and don’t run the file inside the zip and you won’t get infected.
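Added example, not the blog author’s tooling: a gateway-style check that opens a ZIP attachment, lists its members, flags executables by extension and by the ‘MZ’ header of a PE file, and computes MD5 and CRC32 in the same form as the listings above so they can be compared with the quoted values. The ZIP built by build_sample_zip is constructed; only the two MD5 values in KNOWN_BAD_MD5 come from the post.

```python
"""Inspect a ZIP e-mail attachment the way a mail gateway might.

Added example, not code from the original blog post. The archive and file
contents are constructed; only the MD5 values in KNOWN_BAD_MD5 are the ones
quoted in the post for 'ref 7119606.zip' and the executable inside it.
"""
import hashlib
import io
import zipfile
import zlib
from dataclasses import dataclass

# MD5s quoted in the post for the ZIP and the extracted executable.
KNOWN_BAD_MD5 = {
    "32447beb481aad2a670093a75d7ae82e",  # ref 7119606.zip
    "9127f478235f98b6572bd3193918e473",  # ref 7119606.exe
}
# Extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


@dataclass
class Finding:
    name: str
    size: int
    md5: str
    crc32: str        # upper-case 8-digit hex, as in the post's listing
    executable: bool  # name carries an executable extension
    pe_header: bool   # starts with the 'MZ' DOS stub of a PE file
    known_bad: bool   # MD5 matches a listed indicator


def describe(name: str, data: bytes, bad: set) -> Finding:
    """Hash and classify one blob (the archive itself or a member)."""
    md5 = hashlib.md5(data).hexdigest()
    crc = "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)
    return Finding(
        name=name, size=len(data), md5=md5, crc32=crc,
        executable=name.lower().endswith(EXECUTABLE_EXT),
        pe_header=data[:2] == b"MZ",
        known_bad=md5 in bad,
    )


def inspect_zip_attachment(zip_bytes: bytes, bad=KNOWN_BAD_MD5) -> list:
    """Return Findings for the archive itself and every file inside it."""
    findings = [describe("<archive>", zip_bytes, bad)]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.append(describe(info.filename, zf.read(info), bad))
    return findings


def should_block(findings: list) -> bool:
    """Block if any member is executable, looks like a PE, or is a known-bad hash."""
    return any(f.executable or f.pe_header or f.known_bad for f in findings)


def build_sample_zip(member="ref 7119606.exe", payload=None) -> bytes:
    """Constructed stand-in for the attachment: a tiny fake PE inside a ZIP."""
    if payload is None:
        payload = b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip()):
        print(f)
```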

More details as I get it…..



Tuesday 23rd May, 2006


New Mytob Spamming!

Filed under: All, Malware

Hmmm….seems to have been a busy week so far, a new Bropia variant spreading yesterday and we have a new Mytob spreading today! [Insert deity of choice here] knows what the rest of the week will bring?

So, what do we know about the new Mytob variant so far?


Well the e-mail looks like this, with one of two known subject lines, these being either:

ACCOUNT ALERT

or

Account Alert

The body of the e-mail looks something like this, with a few variable items, such as the domain and the phishing-like URL:

Dear Valued Member,

According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.

http://www.[Random or local domain name]/confirm.php?account=[e-mail address it was sent to]

After following the instructions in the sheet, your account will not be interrupted and will continue as normal.

Thanks for your attention to this request. We apologize for any inconvenience.

Sincerely, [Random] Abuse Department

There is NO attachment and the URL in the e-mail is bogus and goes to one of several IP addresses to attempt to download the malware [payload] itself.

The From address used for the e-mail is taken from the infected system which sent the e-mail and the address is FORGED.

As I write this detection is somewhat patchy with only SOPHOS, Kaspersky, Avast, AntiVir, e-Trust and Ikarus currently detecting it. However, I expect that by the end of the day all of the anti-virus vendors will have detection updates available.

If you are naive enough to click on the URL and unlucky enough for the file to be downloaded [file name is: “Confirmation_Sheet.pif”] and then execute the downloaded file, your system will become infected and start spamming people with e-mails like the one you received.

Details on the downloaded file:

FileName: Confirmation_Sheet.pif
FileDateTime: 23/05/2006 15:22:26
Filesize: 105472
MD5: f86115cd2ade54cdcfdbeb9037f98c43
CRC32: 44742219
File Type: PE Executable

There seems to be a second variant out with another file of the same name from another IP address and with different properties:

FileName: Confirmation_Sheet.pif
FileDateTime: 23/05/2006 15:10:08
Filesize: 104448
MD5: 04c8947f68c3e9b616fb544a50fa2ffc
CRC32: B0B85EAA
File Type: PE Executable

So, you won’t get infected if you don’t download and run the file by clicking on the ‘phishing-like’ URL [web-link] in the e-mail. Just delete them instead as they are nothing more than spam with a link to a malware file.
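As an added example (not code from this blog), here is a small mail filter that encodes the lure pattern described above: the ‘Account Alert’ subject, the confirm.php link whose account= parameter echoes the recipient address, and the 24-hour suspension threat. The sample messages and the example.com/example.net addresses are constructed.

```python
"""Heuristic filter for the 'Account Alert' Mytob lure described above.

Added example, not code from the original blog post. It turns the
observable pattern the post reports into a defender-side check. All
message text below is constructed sample data.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Subject lines reported in the post (matched case-insensitively).
LURE_SUBJECTS = {"account alert"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _body_text(msg: Message) -> str:
    """Return the concatenated text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def score_account_alert(raw: str) -> list:
    """Return the lure indicators found in a raw RFC 822 message.

    An empty list means none of the post's indicators matched. The From
    header is deliberately ignored: the post notes it is forged.
    """
    msg = email.message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append("subject matches lure")
    recipient = parseaddr(msg.get("To") or "")[1].lower()
    body = _body_text(msg)
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if parsed.path.lower().endswith("/confirm.php"):
            reasons.append("confirm.php link")
            account = parse_qs(parsed.query).get("account", [""])[0].lower()
            if account and account == recipient:
                reasons.append("link echoes recipient address")
    if "suspended within 24 hours" in body.lower():
        reasons.append("24-hour suspension threat")
    return reasons


# Constructed sample messages (placeholder domains, not real senders).
SAMPLE_LURE = """\
From: abuse@example.net
To: victim@example.com
Subject: ACCOUNT ALERT

Dear Valued Member,

According to our terms of services, you will have to confirm your e-mail by the following link, or your account will be suspended within 24 hours for security reasons.

http://www.example.com/confirm.php?account=victim@example.com

Sincerely, Example Abuse Department
"""

SAMPLE_BENIGN = """\
From: alice@example.org
To: victim@example.com
Subject: Lunch on Friday?

Are you free on Friday? The menu is at http://www.example.org/menu.html
"""

if __name__ == "__main__":
    print(score_account_alert(SAMPLE_LURE))
    print(score_account_alert(SAMPLE_BENIGN))
```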

More to follow as I get it…..stay tuned!

Links to descriptions:



Monday 22nd May, 2006


Merit Award Nomination

Filed under: All, Scams

According to the e-mail below I’m going to be at least £800,000 Pounds (UK) better off, and possibly as much as £12 Million may be mine! All I have to do is to respond to the e-mail and nominate myself for the award, simple huh?



Here is a link to a bigger version of the screenshot, for those of you who need it ;-)

Go on own up, how many of you reading this would have replied?

There is an old saying: “There’s no such thing as a free lunch”.

There is also another one that seems spot on in this case: “If something seems too good to be true, then it probably is”. In other words, there is usually a catch to any offer that seems to be too good to be true.

What is the catch in this case? Let me tell you.

The catch is that there is no money and Barclays [or HSBC for that matter] have no such scheme, it is just the latest trick being used to bait the hook, to catch ‘wad’ [as the Nigerians that run the scam call them, in other words ‘greedy people’]. Yes, it is a 419 scam, nice try Boys and Girls from Lagos, but no cigar this time!

I just love the way that these big firms ‘penny-pinch’ by giving their staff or representatives free web mail accounts, such as those offered by Yahoo, Google, Microsoft or AOL amongst others. No wonder these banks make such large profits! ;-)

Oh yes, and by the way when did HSBC and Barclays become part of the same banking group? Answers on a postcard please ;-)



Friday 19th May, 2006


April 2006 Malware Review

Filed under: All, Malware, Papers, Scams, Stats, Hoaxes

April has come and gone and spring has arrived. It has been another interesting month on the malware front, although as you will see the number of trapped malware samples is still low.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 1657 samples during April, which have been catalogued as 54 distinct families and variants. In comparison during March I captured 1356 samples which were catalogued as 61 distinct families/variants. As you can see the captures in April are only slightly up on March and still below the high of January’s total.

During April I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The low haul in April is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005. Part of the reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During April I reported 157 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during April. Its percentage fell from 73 percent [in March] to 53 percent of the pie.

Netsky.P lost its second place slot from March falling down the chart to seventh place.

The Mytobs regained the ground lost during March when they accounted for just two slots in the top ten. In April they captured five out of ten places.

The share-crawling worms lost the hold they had on March’s table, where they took six out of ten places. In April they are down to just three places, halving their presence.

The only other mass-mailing worm that made it into the top ten was W32/Mydoom.o@MM [McAfee].

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month has seen the Zafi family move out of the top ten.

In pole position we have Mytob.c, which was also number one for the last two months. Second place is occupied by Netsky.t [same as in March]. Lovegate.w makes a return [in third]. Netsky.q takes fourth place [up from seventh]. Lovegate.ad is a new entry at number five. The rest of the chart is made up of Netsky.b in sixth place [down from fourth] and Mytob variants [y, t, u and q] in seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has grabbed back its number one slot which it lost in March. Zafi.b slips from pole to second. Nyxem.D [aka MyWife] has consolidated its third place from March. Mydoom-AJ is stationary in fourth place [it was a new entry in March]. Another Netsky [D] grabs fifth place. The final places are made up of Mytob variants [FO, C, Z and AS] in sixth, seventh, eighth and tenth respectively, broken up by the presence of a new entry, Delebot.A, in ninth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped from 73 percent of all samples caught in March to just 53 percent in April. Mytob has grabbed back second place from Operserv, which slips down to third. Fourth place is occupied by Mydoom, up from fifth in March. Netsky slips one place to sixth. The rest of the vacant spots are almost all taken by share-crawling worms and bots, these being: Sdbot, Ranky and the related multi-component dropper. The only e-mail based worms which appear in the lower five places of the chart are W32.Reatle and W32.Kapser [aka MyWife.D].

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of April] here. This clearly shows that April was quieter than December 2005, which was the quietest month ever in the case of e-mail borne malware being trapped.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 188,252 [as at the end of April 2006]. That’s a growth of 19,445. Interestingly, just like in March, the growth of new malware slowed in April by almost 50 percent when compared to the first two months of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in April 2006.

Conclusions:
Although malware growth slowed during April, you may have noticed that spam, phishing and 419 scams have been very aggressive during the same period and they show no sign of stopping. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

On this subject, I have been asked to present on ‘Rootkits’ at the Virus Bulletin 2006 conference to be held later this year. The paper will be made available for all to read once it has been presented.

Links:



Thursday 11th May, 2006


EICAR 2006 Review

Filed under: All, Malware, Papers, Exploits, Scams, Tools

As previously mentioned on this blog I had a paper selected for the EICAR 2006 conference which was held at the Hotel Hafen in Hamburg, Germany between the 30th of April and the 3rd of May.

The hotel was quite interesting, made up of the ‘Classic’ part [left side of the picture with the hotel name on it]; which was the sailor’s mission [home] from 1864 until 1979, and the new ‘Residenz’ modern section [on the right side, includes the modern tower and you can just see part of the Ellipses]. The conference was held in the modern part of the hotel for the first two days, and then moved to the ‘Classic’, old part of the hotel for the final day.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:

Day 1 - Sunday 30th April:

The start of the day was used by many of the Working Groups and Task Forces that EICAR has. The conference ‘proper’ was kicked off by Sarah Gordon who gave her keynote speech. Sarah covered some interesting areas such as sociology, ethics and her being seen as a heretic when she originally published some of her research and ideas some years ago. These have now [for the main part] become considered as part of the mainstream. At the end of her keynote, Sarah challenged those in the room to dare to be the next heretic!

This was followed by a panel session about ‘groups’ in both the anti-malware and malware scenes.

After a break, I decided to stay in one of the two streams, this one being held in Ellipse I. The session room was smaller, and the number of people attending meant that a number had to stand as there was not enough seating. The ones that I found most interesting were:

  • Mystery Meat: Where does spam come from, and why does it matter? - Presented by Christopher Lueg.
  • Spam Zombies from Outer Space. - Presented by John Aycock and Nathan Friess

Both of these caused a flurry of questions and the lively debate raged on after the sessions.

The end of day 1 was rounded off by the ‘Meet the Experts’ session which was a chance for many of us to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way.

Day 2 - Monday 1st May:

The first sessions of the day that I attended were held in Ellipse II and were all on Spyware; from very different perspectives. I was the second slot of the four to be given during the first half of the morning.

  • Spyware: A risk model for business - Presented by Vanja Svajcer
  • Spyware: Risks, Issues and Prevention - Presented by Martin Overton
  • The Trials and Tribulations of Testing Spyware Solutions: Towards a Testing Methodology - Presented by Larry Bridwell
  • A Testing Methodology for Anti-Spyware Product’s Removal Effectiveness - Presented by Josh Harriman

The next set of presentations which I found interesting were these:

  • Behavioral Classification - Tony Lee
  • TTAnalyze: A Tool for Analyzing Malware - Presented by Ulrich Bayer, Engin Kirda, Christopher Kruegel
  • Enlisting the End-User - Education as a Defense Strategy - Presented by Jeannette Jarvis
  • Pharming: a real threat? - Presented by David Sancho
  • Evolution from a Honeypot to a distributed honey net - Presented by Oliver Auerbach

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied. The after dinner entertainment was supplied by a somewhat manic magician who spoke very fast and almost only in German which left about half to two-thirds of those assembled trying to work out the jokes, punchlines and the general patter that went along with the rather good magic.

Day 3 - Tuesday 2nd May:

On the last day of the main conference we moved from a two stream format to a single stream held in a conference room in the ‘Classic’ part of the hotel. This layout was significantly better than the first two days where it was somewhat cramped and there were no tables, only rows of chairs.

The day started off with another keynote, this time given by Professor Klaus Brunnstein. Although it was a very interesting talk he overran by almost half an hour, which put the rest of the day’s schedule off. Here are the presentations that I found most interesting during the morning sessions:

  • Inherent Technical Risks will lead Information and Knowledge Societies into a risk Society - Presented by Prof. Klaus Brunnstein
  • Future Trends in the realm of malware - Presented by Guillaume Lovett
  • Windows Rootkits - Presented by Mika Stahlberg

The rootkit one I found particularly interesting as I’m currently writing a paper for the Virus Bulletin conference on this very subject. Thanks go to Mika for helping me by writing and presenting his paper [and sending me his slides too] as this will help me no end in writing mine [with due credit of course].

The afternoon also proved to be eventful as several of the sessions planned had to be removed due to speakers not turning up to present. This meant that the schedule went from being half an hour late to almost an hour early. So, the panel session was moved forward to take up the slack. As usual with panel sessions this proved to be quite animated, especially when David Perry of TREND is part of the panel ;-) .

I didn’t stay for the last day [3rd of May] as it was a day just for Task Force meetings.

All in all, this was a very good EICAR conference, in fact it was the best attended ever with almost 100 attendees! I’m already looking forward to next year’s.

Just in case you didn’t spot the link to my paper, here it is again: Spyware: Risks, Issues and Prevention ;-)

