MoMusings

Tuesday 20th June, 2006


Coca Cola Lottery

Filed under: All, Scams

Gosh, I am so lucky: not only did I win 2 Million US Dollars yesterday from the World Cup Lottery, but today I am informed that I’ve won 705,253 Euros in another lottery that is supposedly run by none other than the company responsible for Coca Cola!

A screenshot of the e-mail informing me of my winnings appears below:

A larger version of the above screenshot can be found here.

I wouldn’t mind so much if there really were any money, but just like the World Cup Lottery e-mail I received yesterday, there isn’t any money at all. The people responsible for these lottery e-mails are nothing more than scam artists, hucksters and crooks. They are trying to get money from you, not give it to you.

In this one they are not only trying to get money from you [although you won’t find that out until you have contacted them], but they are also after personal details, which they will then add to a ‘suckers’ list and use to send you similar lottery scams via the postal service. I blogged about these postal lottery scams recently.

Update: There seems to be another version of this scam running at the same time; however, in the other version the address is a UK one rather than a Spanish one. The value of the prize [which still doesn’t exist] is also larger in the UK one, stating that the recipient has won 2.5 Million US Dollars.

More details on this one can be found here: http://www.sophos.com/pressoffice/news/articles/2006/06/colascam.html?pl_id=9&lang_id=1&lp_keyword=colascam


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Monday 19th June, 2006


World Cup Lottery

Filed under: All, Scams

Although I’m not a football fan [soccer for you Americans and Australians], obviously I am aware that there is this thing called the ‘World Cup’ in progress, which, to my wife’s annoyance, is playing havoc with her regular TV viewing; soap operas, game shows and so on.

Today I received this e-mail that claims that I’ve won Two Million US Dollars in a World Cup lottery! Hang on, I didn’t enter any lotteries, least of all one in South Africa!

So, what is going on?

This is a new [topical] twist on the Lottery scam that the boys and girls from Lagos seem to favour at the moment as their best way to find new suckers... er, I mean victims, to con.

Below are two screenshots of this new variant:


For those that need it, larger versions of the screenshots can be found here [screenshot1] and here [screenshot2].

As usual, this is a scam: there is NO MONEY. You haven’t won anything apart from the chance of being scammed out of your own money; other than that, all you have won is a place on the scammers’ ‘sucker’ list. Lucky, lucky you!

Enjoy the World Cup, even if England get knocked out. For me, I’d rather watch any motorsport or even snooker than watch football ;-)

So, who do you think will win the ‘World Cup’ this time?


Thursday 15th June, 2006


May 2006 Malware Review

Filed under: All, Malware, Scams, Stats

May has come and gone and we are almost halfway through the year already. It has been another interesting month on the malware front, although, as you will see, the number of trapped malware samples is still low.

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 3 years, Malware Bayesian Filter 2 years.

In total I captured 1115 samples during May, which have been catalogued as 51 distinct families and variants. In comparison during April I captured 1657 samples which were catalogued as 54 distinct families/variants. As you can see the captures in May are down on both April and March and still below the high of January’s total.

During May I captured and submitted 6 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The low haul in May is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005. Part of the reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During May I reported 153 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during April. Its percentage fell from 73 percent [in March] to 53 percent [in April] to 51 percent of the pie.
Netsky.P lost its second place slot from March falling down the chart to seventh place but regained some ground in May grabbing back fifth place.

The Mytobs lost the ground they regained during April when they accounted for five slots in the top ten. In May they captured just two out of ten places, the same as they had in March.

The share-crawling worms regained the hold they had on March’s table, where they took six out of ten places. In April they were down to just three places, halving their presence. In May they are back, grabbing six of the ten places.

The only other mass-mailing worm that made it into the top ten was W32/Kapser.A@mm [FRISK] aka W32/MyWife.D@MM [McAfee] grabbing fourth spot after falling out of the top ten in April.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen the Mytob family grab five places out of the top ten.

In pole position we have Mytob.c, which was also number one for the last three months. Lovegate.w moves from third place in April to second in May, stealing the spot from Netsky.t which held it for the last two months. Netsky.q likewise climbs one spot, from fourth place to third, in May. Lovegate.ad, which was a new entry at number five in April, has also climbed one place to fourth. The rest of the chart is made up of Mytob variants [u, t, a and q] in seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has consolidated its number one slot, which it lost in March and grabbed back in April. Zafi.b consolidates its grip on second place. Nyxem.D [aka MyWife] has further consolidated its third place from March. Mytob.AS storms up the chart from tenth to fourth. Mytob variants P and M are new entries this month, in fifth and sixth place respectively. Another Netsky [D] falls from fifth place to seventh. Mydoom.O sneaks in to grab eighth place. The final places are made up of Mytob variants [FO and C] in ninth and tenth respectively.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped from 73 percent of all samples caught in March to just 51 percent in May. Mytob has consolidated its second place, closely followed by Operserv in third, again. Netsky climbs two places from sixth to fourth. W32.Kapser [aka MyWife.D] climbs back up to fifth place in May. Mydoom slips from fifth in March to eighth in May’s chart. Dupator climbs back into the chart in sixth spot. A new entry at seventh is the Zapchast Trojan. More new entries capture the last two spots: Tirbot in ninth and Lebreat in tenth.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of May] here. This clearly shows that May was quieter than April, which had been the quietest month ever in the case of e-mail borne malware being trapped.

An interesting quote from SOPHOS highlights the drop-off in malware being spread or seeded via e-mail:

The proportion of email which is virus infected has dropped considerably over the last year as hackers have turned from mass-mailing attacks to targeted Trojan horses. In May 2005, one in every 38 emails was infected, now [in May 2006] this number is just one in 141.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 194,799 [as at the end of May 2006]. That’s a growth of 25,992 new malware strains and/or variants in the first five months of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in May 2006.

Conclusions:
Malware growth picked up once more during May and, apart from spam, which is still growing, both phishing and 419 scams have shown a slight drop since April. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques, is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure. This trend for hiding or obfuscating code is not limited to using ‘rootkit-like’ stealthing techniques but also includes the current move by many malware authors towards making their code polymorphic.

Another interesting quote from SOPHOS clearly shows the change in the threat landscape in respect to malware:

“Sophos identified 1,538 new threats in May, bringing the total of malware protected against to 122,634. The majority of the new threats (85.1%) were Trojan horses, while just 12.3% were worms or viruses.”

Kaspersky have gone one step further and claim: “global email worm epidemics are already a thing of the past.”

I suspect that they are generally correct, but I believe that we will see the occasional one ‘get lucky’ as firms start to lower their defences in response to this apparent trend in mass-mailing worms.

Links:


Wednesday 14th June, 2006


Truth or Scare?

Filed under: All, Malware, Exploits

There seems to be a new ‘virus warning’ being sent around, clogging up mailboxes and generally causing lots of FUD [Fear, Uncertainty and Doubt].

So, is it a case of ‘yet-another-virus-hoax’ chain e-mail type of warning or is this a real threat? Should you worry, pass it on, put it in the bit-bucket, or what?

Read on and find out.

So you get an e-mail from someone you know, or even a complete stranger that looks like this:

“There is an email going around with the subject “New Graphics Site”. It is spreading fast as about 100 people I know have gotten it just today. If you get an email with that in the subject line delete it quickly and DO NOT OPEN IT! This is a new virus I have been told.”

The Facts:

  • There is a new mass-mailing worm that has the subject of “New Graphics Site”.
  • Opening and/or viewing the e-mail does make it spread.
  • There is no attachment, the viral code is part of the e-mail body.
  • This only [at this time] affects those that use Yahoo web-mail via a web browser.
  • Turning off JavaScript support in your browser should stop it functioning.
  • Most anti-virus products now detect this.
  • The worm cannot run on the newest version of Yahoo Mail Beta.

F-Secure state that:
“The Yamanner worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer. It uses a 0-day vulnerability in Yahoo! webmail system.”

And according to McAfee:
“There are reportedly two known variants of this threat. It appears to be under development/refinement and the initial variant contains a typo in the code”.

Furthermore, the worm targets e-mail addresses that are in the yahoo.com and yahoogroups.com domains only at this time. It replicates by running JavaScript which sends copies of itself to other e-mail addresses harvested from infected users’ Yahoo Mail folders. It also, as part of its routine, sends these harvested e-mail addresses to a remote server which is obviously collecting them for other nefarious purposes, such as to sell as a spam list.

I suspect this attack on the web mail service of Yahoo is the start of a trend in attacking web-based e-mail services. The Internet Storm Center had this to say on the current state of many web based applications: “After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit.”
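The worm above only works because the webmail front-end renders the HTML mail body with its script content intact. As an added illustration of the mitigation side, and not code from this blog or from Yahoo, here is a small server-side sanitizer that strips script elements, on* event handlers and javascript: URLs from a mail body before it is displayed and reports what it removed, so the same routine can double as a detector. The sample message body, the example.invalid host and the helper names are all constructed for this example.

```python
"""Strip active content from an HTML e-mail body before a webmail front-end
renders it. Hypothetical example; the sample message below is constructed."""
from html import escape
from html.parser import HTMLParser

# Elements whose content is dropped entirely (they run or load script).
BLOCKED_CONTAINERS = {"script", "iframe", "object", "applet"}
# Void elements that are simply removed (they can load or redirect).
BLOCKED_VOID = {"embed", "meta", "link", "base"}
# Attributes whose value may carry a script URL.
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
VOID_TAGS = {"br", "img", "hr", "input"}


class MailSanitizer(HTMLParser):
    """Rebuilds the body minus blocked elements, on* handlers and script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a blocked container
        self.removed = []     # what was stripped, for logging / detection

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_CONTAINERS or tag in BLOCKED_VOID:
            self.removed.append(f"<{tag}>")
            if tag in BLOCKED_CONTAINERS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (onload, onerror, onmouseover, ...) run script on render.
            if name.startswith("on"):
                self.removed.append(f"{tag}@{name}")
                continue
            # Normalise the URL scheme so "java\tscript:" is caught as well.
            scheme = value.strip().lower().replace("\t", "").replace("\n", "")
            scheme = scheme.replace("\r", "").split(":", 1)[0]
            if name in URL_ATTRS and scheme in {"javascript", "vbscript", "data"}:
                self.removed.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in BLOCKED_CONTAINERS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not (self.skip_depth or tag in BLOCKED_VOID or tag in VOID_TAGS):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_mail_body(html_body):
    """Return (clean_html, removed); a non-empty list means active content was present."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample in the style of the "New Graphics Site" message: an image
# whose onload handler would fire on display, plus an inline script placeholder.
SAMPLE_BODY = (
    '<div>Check out the new <a href="http://example.invalid/gfx">graphics site</a>!'
    '<img src="http://example.invalid/pic.gif" onload="run()">'
    '<script>/* placeholder for the self-mailing script */</script></div>'
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_body(SAMPLE_BODY)
    print(clean)
    print("stripped:", removed)
```

A webmail filter would quarantine or flag any message for which `removed` is non-empty rather than silently cleaning it, since a script in the body of a mail is itself a strong signal of the worm.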

Links:

Back to the question I asked at the start of this posting, “Should you worry, pass it on, put it in the bit-bucket, or what?” The correct answer is: first confirm via ‘reliable sources’ that such a problem/threat exists; if it is real, be aware of the problem and how to avoid it or protect against it, apply that knowledge and any required patches or security updates [Anti-Virus, Anti-Spyware, Windows Update, etc.]; then send the warning e-mail to the bit-bucket.


Tuesday 13th June, 2006


Going Postal: Lottery Scams

Filed under: All, Scams

I’m not much of a TV watcher; however, I was watching some TV with my wife last night and she was ‘channel surfing’, trying to work out what she was supposed to be watching next, when she came across the start of ‘Tonight with Trevor McDonald’ [for those of you outside the UK, Trevor is one of our oldest and most respected news readers and investigative journalists]. The program was on at 20:00 on Monday the 12th of June on ITV1; not sure if it gets repeated on ITV2 or one of the other ITV channels later in the week.

I thought it would be his usual fare, latest government shenanigans, latest terrorist outrages, latest social commentary; such as drugs, guns, anti-social behaviour, and so on, but it wasn’t. This time it was on something close to my heart; scams, or to be more precise postal lottery scams.

The actual report and investigation results were presented by Fiona Foster and included interviews with victims and their families and also a representative from the UK Office of Fair Trading.

These scams are the ones that literally drop through your letter box [or into your physical mailbox, if that is what you use instead]. These scams are also worked by cold-calling you by telephone once you get on to a so-called ‘sucker-list’.

The postal lottery scam is the older sibling of the e-mail based lottery and other 419 [aka Nigerian or Advance-Fee-Fraud] scams that many of us see from time to time. However, I get around 50 or more of these types of e-mail scams each and every day; I guess I’m just lucky like that ;-)

They work the same way irrespective of how you get contacted: the first thing you will be asked for is to pay some sort of release fee [often called a tax, insurance or shipping fee]. Later you may be asked for personal data, such as a photocopy of your passport or your bank details. Later still you’ll be asked for yet more money to pay for some other tax or to bribe a nonexistent official. You may even be asked to travel to the country to collect your winnings; don’t, as at the very least you’ll waste even more money, and you could end up getting a beating, thrown in jail or in some rare cases killed, all for nonexistent prize money.

My only criticism of the program was that it failed to mention that this scam is even more widespread on the internet and not just limited to Lottery based scams.

On this subject, I received my first Japanese Lottery scam e-mail today; here is a screenshot of it:

A larger version of the screenshot, for those that need it, can be found here.

So, next time you receive a letter, phone call or e-mail claiming that you have won a lottery you didn’t even enter, remember the old adage “if something seems too good to be true, it probably is” or, if you prefer, “there is no such thing as a free lunch”.

If anyone else out there saw it, what did you think of his coverage?
