MoMusings

Wednesday 26th July, 2006


Warning! New Virus On The Internet! Update Now!

Filed under: All, Malware

Here’s an interesting e-mail I received this morning, claiming to be sent from ‘update@microsoft.com‘ with the subject line of ‘Warning! New Virus On The Internet! Update Now!‘.

Sheesh, three exclamation marks in just one line of text; a sure sign of a disturbed mind. Luckily it isn’t mine. ;-)

And what is the e-mail about apart from trying to make me believe that it’s ‘TEOTWAWKI‘ time [The End Of The World As We Know It] again, however this time it isn’t a song by R.E.M.

Here’s a screenshot of the e-mail in all its glorious HTML rendering:

You can find a larger version of the screenshot here.

The e-mail looks quite good and very believable; even the link [there is no attachment to the e-mail] uses a spoofed but believable address to maximise the chance that the intended victim will click on it and allow the downloaded file to execute, which, according to the e-mail, will protect them from a new virus.

Of course, what the victim is really getting, rather than a security update, is an infection by a new piece of malware. The file is actually a self-extracting RAR file [1], which unpacks itself when run and drops a number of files [13 in this case] onto the system.

Once successfully infected the system will login to an IRC channel on one of several ‘undernet.org‘ servers; effectively reporting in for duty as part of a botnet.
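The IRC check-in described above is the signal a defender can hunt for on the network. The following is an added example, not code from the original post: it correlates constructed DNS and connection log lines (both formats are hypothetical) and flags a workstation that resolves a name under undernet.org and then connects on an IRC port within a few minutes.

```python
"""Flag workstations that look like they are checking in to an IRC botnet.

Added example (not from the original post). It correlates two constructed
log sources, DNS queries and outbound TCP connections, and flags a client that
resolves a name under undernet.org and then opens a connection on a typical
IRC port within a short window. Both log formats are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}
SUSPECT_DOMAIN = "undernet.org"      # the IRC network named in the post
WINDOW = timedelta(minutes=5)        # lookup -> connection correlation window

# Constructed sample DNS log: "<ts> <client> query <type> <qname>"
DNS_LOG = """\
2006-07-26T09:00:01 10.0.0.15 query A us.undernet.org
2006-07-26T09:00:03 10.0.0.22 query A www.microsoft.com
2006-07-26T09:00:20 10.0.0.31 query A eu.undernet.org
"""

# Constructed sample connection log: "<ts> <src> -> <dst>:<port> tcp"
# (203.0.113.0/24 is documentation address space, not real IRC servers.)
CONN_LOG = """\
2006-07-26T09:00:02 10.0.0.15 -> 203.0.113.5:6667 tcp
2006-07-26T09:00:04 10.0.0.22 -> 203.0.113.9:443 tcp
2006-07-26T09:30:00 10.0.0.31 -> 203.0.113.7:6667 tcp
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")
CONN_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) tcp$")


class Finding(NamedTuple):
    host: str
    qname: str
    dst: str
    port: int


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_dns(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, client, queried name) per well-formed line."""
    rows = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            rows.append((_ts(m[1]), m[2], m[3].lower()))
    return rows


def parse_conns(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, port) per well-formed line."""
    rows = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            rows.append((_ts(m[1]), m[2], m[3], int(m[4])))
    return rows


def is_suspect_name(qname: str) -> bool:
    """True for the suspect domain itself or any name beneath it."""
    return qname == SUSPECT_DOMAIN or qname.endswith("." + SUSPECT_DOMAIN)


def find_irc_checkins(dns_text: str, conn_text: str,
                      window: timedelta = WINDOW) -> List[Finding]:
    """Correlate suspect DNS lookups with a following IRC-port connection."""
    lookups: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, qname in parse_dns(dns_text):
        if is_suspect_name(qname):
            lookups[client].append((ts, qname))

    findings = []
    for ts, src, dst, port in parse_conns(conn_text):
        if port not in IRC_PORTS:
            continue
        for qts, qname in lookups.get(src, []):
            # Only a connection shortly after the lookup counts; the lookup
            # half an hour earlier (10.0.0.31 in the sample) is not matched.
            if qts <= ts <= qts + window:
                findings.append(Finding(src, qname, dst, port))
                break
    return findings


if __name__ == "__main__":
    for f in find_irc_checkins(DNS_LOG, CONN_LOG):
        print(f"{f.host} resolved {f.qname} then connected to {f.dst}:{f.port}")
```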

At the time of writing this, most anti-virus products do NOT detect this. A sample has been sent to them, so most of them should have detection within the next 48 hours.

Right, back to the subject line of the e-mail and the title of this posting: ‘Warning! New Virus On The Internet! Update Now!’ Yes, the sender is correct, there is a new virus [actually a trojan] on the internet, and by following the instructions in the e-mail, you get it [for FREE], yes you infect your computer, you do the dirty work for the bad guys and girls who were too lazy or stupid to do it themselves.

On the subject of new viruses on the internet; there are around 28 new ones each and every day. So, yes PLEASE update [2], update Windows, update your anti-virus, update your anti-spyware and update your brain by practising safe-hex and please stop using anti-virus as an authorisation or file access control solution.

So, just in case you didn’t understand; this e-mail does NOT come from Microsoft and the so-called update is actually malicious, do NOT click on the link and run the file, you will regret it if you do. Clear enough?


[1] Full details of the file and the contents of it can be found here.
[2] But please use the correct ‘official’ site or update method rather than clicking on links in e-mails.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Friday 21st July, 2006


It’s My AV And I’ll Not Update If I Want To…

Filed under: All, Malware, Exploits, Stats

The results of a recent survey confirm my own worst fears in regard to why we are still seeing machines getting infected with malware that has been detectable for weeks, months and even years! This is despite the fact that most of these machines that get infected have anti-virus software installed and enabled to perform on-access [real-time] scanning of all files that can act as an infection vector.

According to the survey conducted by Harris Interactive on behalf of ESET:

  • 88 percent of computer users have anti-virus software on their machines.
  • Almost two-thirds (65 percent) of those users are reluctant to upgrade the software after it’s installed.

Why? Well, below are just some of the reasons that consumers gave to explain their reticence for upgrading their antivirus protection:

  • 38 percent claimed that the updates were too disruptive.
  • 32 percent felt it was something that could wait.
  • 27 percent believed the update would take too long.
  • 14 percent were unsure how to do it.

This is despite the survey finding that 42 percent of the survey sample admitted their machines had been affected by malware. Even more surprising is that of those who failed to update their protection and subsequently had their system infected, 55 percent of them still felt very confident or confident in the protection offered by the antivirus programs on their computers.

A couple of interesting quotes from this story are included below:

“Overall, the research shows that many consumers have a false sense of security while online,” ESET Chief Research Officer Andrew Lee said in a statement. “With the number of zero-day threats rapidly increasing, users need to be even more cautious and proactive in their own protection.”

Andrew is correct that the window between a vulnerability being found and it being used is almost non-existent now. Users do need to ensure that their AV is up to date more often, unless they are using other tools, technologies or methodologies to mitigate the threat.

However, this is only one facet of the problem. The real problem is that most of those getting infected are being infected by malware that is months or years old and known to all anti-virus tools. There is a failure here, both from the vendors, who should make their updating features more difficult to turn off, easier to use, and switched on by default, and from users who believe that they are protected because they have AV installed and that this ‘magically’ protects their PCs from all malware even if they never update it. The following quote from Ron O’Brien supports my own findings.

Ron O’Brien, a senior security analyst with Sophos in Lynnfield, Mass., noted that the survey findings gel with findings in his company’s mid-year report. “All the malware listed in our report is malware that’s been around for a year or two, which means that there are large numbers of users who do not have any antivirus software or outdated software on their PCs,” he told the E-Commerce Times.

Is he right? Yes, of course he is, if you need more proof then take a look at my Monthly Malware reviews [posted on this blog] and see for yourself, it ain’t rocket science folks!

This survey is not the only one that fails to surprise, as there has been one that claimed that users were buying new PCs to solve malware problems instead of getting the old [infected] PC disinfected. Talk about overkill, this is like using a ‘Thermonuclear Warhead to kill a bug‘! Want to know more?[1] ;-)

So, what do you need to do to minimise your computer becoming just another survey statistic?

  • Install anti-virus; enable real-time [on-access] scanning.
  • Update your anti-virus; if it doesn’t do it for you, manually check for updates each and every day.
  • Install a personal firewall; and check all the programs that request internet access.
  • Install anti-spyware; some of these have real-time protection, use it!
  • Update anti-spyware; same as the AV.
  • Practise Safe Hex!

I’m not going to go into the above suggestions in depth as I’ve already covered this in earlier postings and a number of my published papers and magazine articles.

Links:


[1] Shameless use of dialogue from the ‘Starship Troopers’ film.



Thursday 20th July, 2006


Charged For Software You Didn’t Buy?

Filed under: All, Malware

I always look forward to ploughing through all my e-mail, both personal, to my own domains, and work ones to my work e-mail address, especially as I receive around 300-400 a day (on average). Of these around 85-90 percent are Spam, Malware or Scams of one sort or another.

One of the e-mails I received to my work e-mail address this morning caught my eye with the subject of ‘Order Approval Notification‘ and the following in the body of the e-mail:

Dear Madame/Sir,

Thank you for your order. Spysoftcentral processes orders and collects payments
on behalf of PC Tools.

Your credit card (VISA) has been debited with GBP 79.39 and the level of credit
card authorization has been changed.
Please note that “WWW.SPYSOFTCENTRAL.COM” will appear on your credit card
statement, and not the name of the publisher (PC Tools).

Here is a screenshot of the full e-mail:

A larger version of the screenshot can be found here.

Did you notice the attached ZIP file, which the e-mail body text states contains ‘...an invoice for your order‘? How many of you would have opened this to check the invoice? Go on, own up!

Here are the details of the ZIP file and its contents:

Details:

FileName: DD269901.zip
FileDateTime: 20/07/2006 10:49:40
Filesize: 4308
MD5: c1aa725f9b6eedd79b99491e014e258c
CRC32: 90F66E21
File Type: ZIP Archive File

Contains:-

FileName: DD269901.exe
FileDateTime: 19/07/2006 17:09:00
Filesize: 5244
MD5: eb6aa621d168bf53a204141d0ace119e
CRC32: 1CDC43AE
File Type: PE Executable
Packer: FSG

Aha! The ZIP file contains not a text file but a binary [EXE] file; that’s suspicious in itself. Furthermore, the file is packed using one of the packers/compressors favoured by malware authors: FSG.
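To show what can be learned from an attachment like this without running anything, here is an added example (not code from the original post) that rebuilds the ‘Details’ block above from first principles: it hashes the archive, opens it in memory and classifies each member by its magic bytes rather than its file name. The sample archive is constructed inline around a dummy MZ/PE header; packer identification such as the ‘FSG’ line needs a signature database and is not attempted.

```python
"""Describe an e-mail attachment the way the post's "Details" block does.

Added example, not code from the original post. The archive is hashed, opened
in memory, and every member is typed by its signature bytes, so a ZIP that
carries an executable "invoice" is flagged whatever the member is called.
The sample ZIP is constructed below around a dummy PE header (not a program).
"""
import hashlib
import io
import struct
import zipfile
import zlib
from typing import Dict, List


def classify(data: bytes) -> str:
    """Identify a file by its signature, ignoring the file name."""
    if data[:4] == b"PK\x03\x04":
        return "ZIP Archive File"
    if data[:4] == b"Rar!":
        return "RAR Archive File"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE Executable"
        return "MZ/DOS Executable"
    return "Unknown/Data"


def describe(name: str, data: bytes) -> Dict[str, object]:
    """Produce the same fields the post lists for each file."""
    return {
        "FileName": name,
        "Filesize": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "CRC32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "File Type": classify(data),
    }


def inspect_attachment(name: str, data: bytes) -> List[Dict[str, object]]:
    """Describe the attachment and, if it is a ZIP, every member inside it."""
    report = [describe(name, data)]
    if report[0]["File Type"] == "ZIP Archive File":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                entry = describe(info.filename, zf.read(info))
                # An executable inside an "invoice" archive is the red flag.
                entry["Suspicious"] = str(entry["File Type"]).endswith("Executable")
                report.append(entry)
    return report


def build_dummy_pe() -> bytes:
    """Constructed stand-in for the post's EXE: an MZ stub with e_lfanew -> PE."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew = 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_zip() -> bytes:
    """Constructed ZIP holding the dummy executable under the post's file name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DD269901.exe", build_dummy_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for entry in inspect_attachment("DD269901.zip", build_sample_zip()):
        for key, value in entry.items():
            print(f"{key}: {value}")
        print()
```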

So, this e-mail is an attempt by the sender to get the recipient to open the ZIP and run the file inside, helped along by some fairly straightforward but effective social engineering; the thought that you have been charged for something you didn’t buy.

I have submitted this to the anti-virus vendors [about 30 of them] as the attachment (and the file inside it) is not detected by most anti-virus products at the time I received it[1]. The responses I have had back so far support my analysis that this is malicious and probably a downloader; used to breach defences and then download other malware components from one or more web sites.

This method is increasingly being used because it is easier to code a small file that is reasonably innocuous [non-viral] in order to bypass anti-virus and other security tools. When run, it will often try to disable security tools, such as a personal firewall and anti-malware tools, and then download other malware or malware components. By this time you no longer own your PC; it is probably part of a botnet and it [or other downloaded malware components] may have found all your personal details and sent them off to the malware author to misuse.

What does this example tell you?

  1. Never take action while in a panic, yes DON’T PANIC!
  2. Take a deep breath, and think things through logically, plan your course of action.
  3. If there is a link or an attachment, treat it with suspicion. If in doubt seek assistance from the person/company that allegedly sent it, or find an anti-malware expert and get them to examine it for you [in a controlled and secure environment].
  4. Just because your virus scanner doesn’t recognise it doesn’t mean it is OK to run it; anti-virus software should not be seen as an authorisation or access control solution.
  5. If in doubt about the advice you have been given, seek a second opinion.
  6. If it is an alleged credit/debit card charge then contact them [your bank or credit card company directly] to see if the alleged sale/purchase has really been made, you can always get a charge-back if it is a fraudulent sale which you did not authorise.

So, to sum up:

Currently this malware is not detected by most anti-virus [at the time of posting], but will be within the next 24-48 hours.
This sort of credit/debit card charge [or charge-back] social-engineering is becoming more commonly used by malware authors.

Be careful out there. Do you believe everything you see on the TV or read in the news? I hope not! As a rule of thumb: don’t believe everything you see or read, not everything is what it may seem, or even be real. It is OK to be a skeptic.

Now, where’s that news article that claims they have proof that ‘Alien Spacecraft Lands on Whitehouse Lawn‘ and goes on to state that a ‘reliable‘ member of the public says they “…saw an alien get out and change into President Bush“[2]?


[1] Full scan details can be found here.
[2] Yes, I’m making it up, no way could he be an alien, they are supposed to be more advanced than us ‘puny‘ humans ;-)



Tuesday 18th July, 2006


June 2006 Malware Review

Filed under: All, Malware, Scams, Stats

June has come and gone and half the year has already passed us by. On the malware front it has been an interesting month and it seems that the malware authors are back at work as the number of trapped malware samples has started to rise once more.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 3 years, Malware Bayesian Filter 2 years.

In total I captured 1850 samples during June, which have been catalogued as 48 distinct families and variants. In comparison during May I captured 1115 samples which were catalogued as 51 distinct families/variants. As you can see the captures in June have risen and this is the highest since January’s total.

During June I captured and submitted just 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission]. This low number is partly due to other work being a higher priority; otherwise more samples would have been submitted.

The improved haul in June is mainly due to the appearance of several new e-mail worms. This should be compared against the current slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005. Part of the reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During June I reported 108 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during June. Its percentage fell from 73 percent [in March] to 53 percent [in April] to 51 percent [in May] and has climbed back to account for 54 percent of the pie in June.

Netsky.P managed to climb back up to third place from the fifth place it had attained in May’s chart.

The Mytobs lost even more ground during June, just managing a single entry [at number 2]. This is down from April when they accounted for five of the top ten slots and by May they were only able to capture just two out of top ten places.

The share-crawling worms have increased their hold from six places in May they have managed to take eight of the top ten places. The Opaserv family showed the largest comeback by accounting for five of the eight places taken by share-crawling worms and bots.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen the Mytob family grab six places out of the top ten, up from five in May.

In pole position we have Mytob.c, which was also number one for the last four months. Lovegate.w moves down one place from second to third place losing the spot to Nyxem.E which is a new entry. Netsky.b likewise climbs two places from sixth to fourth. Lovegate.ad which was a new entry at number five in April has dropped one place from fourth back to fifth. The rest of the chart is made up of Mytob variants [t, q, u, x and a] in sixth, seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern: Netsky.p has further consolidated the number one slot which it lost in March and grabbed back in April. Zafi.b lost its grip on second place and slides down to sixth. Nyxem.D [aka MyWife] has further consolidated its third place from March. Mytob.AS storms up the chart from last month’s fourth spot to second. Mytob variants P and M are up from fifth and sixth place to fourth and fifth respectively. Another Netsky [D] falls from seventh place to eighth. Mydoom.O slides down from eighth place to tenth. To complete this month’s top ten we have a new entry, W32/Bagle-Zip, in at seven.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped from 73 percent of all samples caught in March to just 54 percent in June, but increasing its percentage from 51 percent in May. Mytob has consolidated its second place, closely followed by Opaserv in third, again. Netsky consolidates the fourth place spot which it rose to in May. W32.Kapser [aka MyWife.D] drops back from fifth place in May to eighth. Mydoom creeps up just one place to seventh. Dupator consolidates its place in sixth. A re-entry at fifth is Agobot. More new entries capture the last two spots: TROJ_DROPPER in ninth and Funlove in tenth.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of June] here. This clearly shows that June was the busiest month since the high of January.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 199,255 [as at the end of June 2006]. That’s a growth of 30,448 new malware strains and/or variants in the first half of the year. If we extrapolate that out we are looking at over 60,000 new malware strains and/or variants by the end of this year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in June 2006.

Conclusions:
Malware growth picked up once more during June and apart from spam dropping slightly, both phishing and 419 scams have shown an increase since May. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

It is also clear that cyber-criminals are using Trojans as their preferred attack tool, rather than viruses. It also seems that phishers are increasingly looking at using malware to enable them to steal personal data. More on the trends and techniques that we have seen in the first half of 2006 in my half-year malware review which should be completed by the end of July.

Links:



Monday 17th July, 2006


$40 Chase Reward

Filed under: All, Scams

I received a nice e-mail today stating:

Dear Chase valued customer ,

You have been chosen by the Chase Bank online department to take part in our quick and easy 5 question survey. In return we will credit $40 to your account . Just for your time!

Here’s a screenshot of the full e-mail:

A larger version of the screenshot can be found here.

That’s awfully nice of Chase to offer me this opportunity to comment on their business, especially as I have no account with them, or indeed any of their subsidiaries. Why can’t I get this type of e-mail from my own bank, ISP or other service provider? Hang on, I do, or should I say I don’t… as the ones I receive are more often than not, not from who they claim to be from!

Yes, this is another scam, in this case a Phishing Scam. The link in the e-mail actually goes to a dynamic IP addressed DSL connected computer somewhere in Italy. I don’t think that Chase is that short of cash to run a web server from such a machine on a DSL line!

I have reported this to Netcraft, so anyone using the Netcraft Anti-Phishing Toolbar should be alerted that the site is a fake if they receive the e-mail and click on the link.

The only question I have to ask now is: “Why don’t I get nice e-mails like this from those companies I actually do business with?” ;-)

At times like this I always remind myself and tell other people to remember the old saying: “There ain’t no such thing as a free lunch“.



Friday 7th July, 2006


Malware Milestone or is that Millstone?

Filed under: All, Malware, Stats

Back in the days of the start of the malware threat; that’s 1986 for those of you too young or too disinterested to remember, we had a grand total of ‘three‘ computer viruses. So few you could count them all on one hand and have change to spare. Oh, those were the days!

Even in the 1990s I knew most [if not all] of the names and behaviours of all the viruses and other malware known. In comparison, I’m lucky if I can do the same for more than around 5 percent of all known malware today; there are just too many, and lots of them are very similar.

The ones I do remember are often those that do something interesting; such as have an unusual payload, use a new social engineering trick or target a previously safe file format or device as an infection vector.

So, why am I waffling on about the ‘old-days‘, am I just getting old and harking back to what I thought were better days?

No, of course not, things weren’t always better in the past, and anyone that says they were has a very selective memory.

The reason for this post is to highlight the fact that we’ve just broken through the 200,000 malware ceiling!

That’s right, there are over 200,000 pieces of nasty software which have been written by individuals for a variety of reasons, these include:

  • The challenge
  • Peer pressure
  • The fun of it
  • To hit back at society
  • For political or religious gain
  • For money
  • For fame
  • To get a job


There are lots of others and I’m not going to list them all here.

What is even more remarkable is that it took almost eighteen years for the number of malware to get to just half the current total. Yes, that’s right in the last two years the malware numbers have doubled!

Here’s a quote from McAfee about the growth:

“It’s remarkable that it took 18 years for our database to reach 100,000 malicious threats, and just under two years to double to 200,000,” said Stuart McClure, senior vice president of research and threats, in a statement. “Hackers are releasing threats faster than ever before, with 200 percent more malicious threats per day than two years ago.” McAfee added the 100,000th threat to its database in September 2004.

At the current pace — 2006 should see more than 60,000 new threats, up from the 56,000 during 2005 — the 400,000 barrier should be broken in under two years, McAfee said.

My own statistics which I’ve maintained since 1986 show that McAfee had 100,191 malware detection signatures in their product by the end of August 2004, so who is right? Please bear in mind that McAfee asked me to supply some virus growth data as they didn’t have data for some months and years in their database.

Below are a couple of graphs created from my own database showing the growth over the years:

The first one shows the ‘running total‘ of malware:

The second one shows the ‘actual growth per year‘ of malware:

The worrying thing is that the pace of malware development and release is still accelerating, and we could see the ‘half-a-million‘ mark breached within 24-30 months from now. I no longer consider the phenomenal growth of these threats a milestone; I see it for what it really is: a ‘millstone‘ round all of our necks.

This threat is holding computers and the internet back, threatening their very use, and potentially causing many to shun not only e-mail but the internet as a whole. If the bad guys and girls[1] get their way we will lose one of the greatest tools ever devised by humankind. It is time to stop glamorising these ‘criminals’: punish them, don’t worship them. They are not Gods, just people who would rather pervert or destroy, and what for? Their own petty egos or money, of course; for glory or wealth. How selfish!

What do you think should be done to address the problem with those that create malware, run scams or spam us all?

[1] I include not only malware authors in this group but also the scammers and spammers.



Wednesday 5th July, 2006


Phishing by Phone

Filed under: All, Scams

I have covered phishing in depth in a number of postings to this blog. Usually I now only cover phishing scams when something new or interesting surfaces, and so it is with this post.

Yes, the bad guys and girls are changing tactics again. In this case it is a hybridised phish, more details below after the screenshot:

A larger version of the above screenshot can be found here.

The phishing e-mail appears to be a typical one targeting PayPal users, however that is where the similarity ends. Did you notice that there was no link or button to click on?

The new part of this phish is that it tries to get the recipient to call a telephone number in the US. I have no idea at this time where that number is pointed to or whether it is a ‘premium-rate’ number [I expect it isn’t], however I do expect that there are people or an automated system sitting at the other end pretending to represent PayPal so that they can steal account details.

If anyone has more data that they can supply on the number, then please drop me a line.

So, heads-up everyone as it looks like we will be seeing more hybridised phish in the future. I was really starting to hope that the phishers had had their chips, oh well maybe some day?


