MoMusings

Tuesday 29th August, 2006


July 2006 Malware Review

Filed under: All, Malware, Scams, Stats

Finally, here is the Monthly Malware Review for July 2006; better late than never. I will also be posting some extracts from my Half-year Malware Review in the next few days, so as you can see I have been busy as well as being on vacation for the last 2 weeks.

July has come and gone and the nights are already starting to draw in. On the malware front it has been an interesting month and it seems that the malware authors are enjoying the sun as the number of trapped malware samples has started to drop once more.

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 3 years, Malware Bayesian Filter 2 years.

In total I captured 1358 samples during July, which have been catalogued as 42 distinct families and variants. In comparison during June I captured 1850 samples which were catalogued as 48 distinct families/variants. As you can see the captures in July have fallen back from June’s high which was the highest point since January’s total.

During July I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During July I reported 114 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during June. Its percentage jumped from 54 percent in June to 71 percent in July. It seems very intent on keeping pole position for itself.

Netsky.P consolidated its third place which it gained in June, up from the lowly fifth place it managed in May’s chart.

The Mytobs, which lost even more ground during June, just managing a single entry [at number 2], have managed to get a second member of the family into the top 10. This is a similar situation to that of May 2006, when they were only able to capture just two of the top ten places.

The share-crawling worms lost some of the ground they captured in June, when they managed to take eight of the top ten places; they have now fallen back two slots to six. The Opaserv family consolidated its hold on the top ten, accounting for five of the six places taken by share-crawling worms and bots.

Mydoom reappeared in the chart during July, with W32/Mydoom.o@MM jumping into fifth spot.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen the Mytob family grab six places out of the top ten; this is the same number it managed in June, up from five in May.

In pole position we have Mytob.c, which was also number one for the last five months. Lovegate.w moves down two places from third to fifth place. Nyxem.E, which was a new entry in June’s chart, has consolidated its hold on second place. Netsky.b likewise climbs one place from fourth to third and is joined by another member of its family, Netsky.y, in sixth place. The rest of the chart is made up of Mytob variants [q, u, t, w and r] in fifth, seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot, which it lost in March and grabbed back in April. Zafi.b consolidates its sixth place, where it slipped down to in June. Nyxem.D [aka MyWife] has slipped one place to fourth. Mytob.AS consolidates its second place in the top ten; it stormed up the chart from fourth spot in June. Mytob variant FO is the only other member of its family in the top ten in July, coming back in at number nine. Another Netsky [D] grabs back the seventh place it lost in June. Mydoom has two members of its family in the top ten this month; O climbs from tenth to fifth and AJ is a re-entry in joint ninth. To complete this month’s top ten we have W32.Bagle-Zip, which was a new entry in June’s chart, up from seventh to third.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which dropped from 73 percent of all samples caught in March to just 54 percent in June and is now back at 71 percent in July. Mytob has dropped one place from third to second place, swapping places with Opaserv, up from third to second. Netsky consolidates its fourth place spot, which it rose to in May. Mydoom creeps up two places from seventh to fifth. Dupator slides down from sixth to eighth. New entries IRC/Flood, W32/Downloader and Lebreat come in at sixth, seventh and ninth places respectively. Funlove once more brings up the rear in tenth.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of July] here. This clearly shows that July was the slowest month since I started to collate data on e-mail borne malware. My findings are backed up by analysis from SOPHOS:

…the actual proportion of infected email has dropped to a low of just one in 222 (0.45 percent). This compares to the first six months of 2006 when, on average, one in 91 emails (1.1 percent) carried malicious attachments.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 203,273 [as at the end of July 2006]. That’s a growth of 34,466 new malware strains and/or variants in the last seven months. Further analysis from SOPHOS shows that:

The majority of the new threats (87 percent) were Trojan horses, while just 13 percent were worms or viruses.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in July 2006.

Conclusions:
Malware slowed again during July; however, spam, phishing and 419 scams have shown a further increase. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques, is becoming a major problem, and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

It is also clear that cyber-criminals are increasingly using Trojans as their preferred attack tool, rather than viruses. It also seems that phishers are increasingly looking at using malware to enable them to steal personal data as well as other technologies that may help them to fool their victims.

The newest threat from the phishers is hybrid phishing scams using e-mail and VoIP [Voice over IP] to get users to divulge personal or financial data to the cyber-criminals behind these scams. This new technique has been dubbed ‘Vishing’.

Spammers are increasingly moving to graphical spam, as it is harder for anti-spam tools to identify without the use of OCR technologies. They are not only moving to graphical spam but, to defeat simple filtering based on hashing or check-summing of images, are producing graphics that contain random micro-dots; every copy of the image then has a different hash, which ensures that this type of filtering is side-stepped.
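An added example, not from the original post, showing why the micro-dot trick defeats check-summing of images and what a filter can do instead: a constructed 32x32 grayscale image stands in for a spam graphic, and `average_hash` is a simple perceptual hash written here for illustration, not any particular anti-spam product's code.

```python
import hashlib

WIDTH = HEIGHT = 32  # constructed 32x32 grayscale "image", pixels as ints 0..255


def make_sample_image():
    """Constructed stand-in for a rendered spam graphic: a dark box on a light background."""
    img = [[230] * WIDTH for _ in range(HEIGHT)]
    for y in range(8, 24):
        for x in range(4, 28):
            img[y][x] = 40
    return img


# Constructed micro-dot positions (x, y); a spammer would pick a fresh random set per message.
MICRO_DOTS = [(1, 1), (9, 2), (20, 3), (30, 1), (6, 13), (14, 10),
              (25, 18), (2, 21), (18, 22), (29, 26), (12, 30), (22, 29)]


def add_micro_dots(img, dots):
    """Return a copy of img with each listed pixel inverted: the per-message
    randomisation that defeats byte-exact hashing of the image."""
    out = [row[:] for row in img]
    for x, y in dots:
        out[y][x] = 255 - out[y][x]
    return out


def exact_hash(img):
    """SHA-256 over the raw pixel bytes: the check-summing filter the post describes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img, size=8):
    """64-bit perceptual 'average hash': average each (HEIGHT/size x WIDTH/size) block,
    then emit one bit per block: 1 if brighter than the mean of all blocks, else 0.
    A few flipped pixels barely move a block average, so the bits survive micro-dots."""
    bh, bw = HEIGHT // size, WIDTH // size
    blocks = []
    for by in range(size):
        for bx in range(size):
            total = sum(img[y][x] for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for b in blocks:
        bits = (bits << 1) | (1 if b > mean else 0)
    return bits


def hamming(a, b):
    return bin(a ^ b).count("1")  # number of differing bits between two hashes


if __name__ == "__main__":
    original = make_sample_image()
    variant = add_micro_dots(original, MICRO_DOTS)
    print("exact hash match:", exact_hash(original) == exact_hash(variant))  # False
    print("hamming distance:", hamming(average_hash(original), average_hash(variant)))  # 0
```

A real filter would compare the perceptual hash against a corpus of known spam images with a small Hamming-distance threshold rather than demanding an exact match.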

Links:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 3rd August, 2006


Is Anti-Virus Software ‘Past Its Sell By Date’?

Filed under: All, Malware, Stats

I decided to write this entry after watching the fall-out from a statement made by Graham Ingram [the general manager of the Australian Computer Emergency Response Team (AusCERT)] on the 19th of July 2006 at a security event hosted by MessageLabs.


To say that his statement that anti-virus products “don’t work” and his claims that if you are running anti-virus then “eight out of 10 pieces of malicious code are going to get in” is somewhat dramatic, is an understatement.

His reasoning for this last statistic is: “What is happening is that the bad guys, the criminals, are testing their malicious code against the antivirus products to make sure they are undetectable.” Part of his defence for his view is that, in his own words, “We are getting code of a quality that is probably worthy of software engineers. Not application developers but software engineers”.

So, how many of you out there are wondering, is he right and, if so what can we do about it?

Now I’m sure that some of these quotes from Mr Ingram have been taken out of context by the various articles published since the security event, such as the following quote: “eight out of 10 pieces of malicious code are going to get in”. Does he really mean that 80 percent of malware is not being detected by anti-virus software? I hope not, and I seriously doubt it, as other more reliable sources claim that the quote is in relation to new [unknown] malware rather than existing malware which has been around for weeks, months or years and is detected by anti-virus software.

However, if you look at the statistics from a number of surveys and my own sample capture statistics you might be forgiven for thinking that ‘Anti-Virus’ is past its sell by date and useless, that is until you are made aware that the core reason for lots of computers being infected by malware that is already detected by anti-virus software is down to ‘WetWare’ failures [the human behind the keyboard]. What they are not doing is updating their protection, sometimes for 2 or more years, or they have disabled the anti-virus to stop it slowing down their computer. I’ve blogged about this issue before.

So, is 80 percent of new malware getting past anti-virus products? To best answer this let me state the following:

  • Traditional anti-virus is a mostly reactive solution; in other words, in most cases if the anti-virus doesn’t yet know about the malware then it can’t detect it.
  • Modern anti-virus uses lots of techniques to augment the traditional methods, such as Heuristics, Behaviour Blocking, Hashing, Sandboxing, Emulation and so on; these help to make modern anti-virus solutions more pro-active and able to detect some new malware without an update [signature or engine].
  • Now add in anti-spyware, anti-rootkit, anti-stealth, personal firewall, buffer-overflow, personal IDS/IPS and anti-tamper features and the level of pro-active protection increases.
  • However, there is NO 100 percent solution to the malware problem, not even if you use a Mac or a *NIX based system.

OK, on to the answer; let me use a modified version of the quote often attributed to P.T. Barnum:

“You can fool some anti-virus all of the time, all anti-virus some of the time, but you can’t fool all anti-virus all of the time.”

In other words, if you use a multi-layered, multi-vendor, defence in depth approach to the problem [including practising Safe-Hex], then the window of opportunity for new malware is pretty small, not quite closed, but almost so.

Ingram’s quote regarding the quality of malware is interesting, although hardly breaking news, as the creation of malware has moved from the hobbyist to professional programmers and is now almost solely driven by professional criminal gangs; this has been going on for at least two years.

Malware writing is now a business, not a game for the stereotypical spotty, socially awkward youths. They used to be interested in infamy, peer recognition and the intellectual challenge[1], or so they tried to convince us. In fact the vast majority were no better than the electronic equivalent of vandals, bullies and cowards hiding behind their ‘l33t’ handles and pseudonyms.

So, is the sky really falling? No, this is just the latest twist in the arms race that has gone on between malware authors and anti-malware researchers since the beginning of the problem; the difference is that the good guys, who have always been professional programmers, are now facing a foe which is no longer, to a large extent, hobbyists and wannabes with the occasional semi-professional developer thrown into the mix. They are now facing a level playing field, as the new breed of malware authors are better programmers and are being paid by organised crime gangs to produce their wares. In other words, malware authorship has now come of age and found a career waiting for it with open arms and piles of cash.

As to the vast quantities of new malware, well the truth is that for the first six months of 2005 we saw 25 new ones each and every day, for the same period in 2006 we saw 28 new ones, hardly a massive growth!

And on the level of complexity of malware, yes they are getting more complex, it has always been easier to create malware than anti-malware; the bad guys only have to get lucky once to infect your system, whereas the anti-malware has to get lucky every time. In other words a targeted attack is quite likely to succeed unless your protection can mitigate every possible attack vector and methodology and this will be very expensive at least computationally. Remember your security is only as good as your weakest link, and unfortunately that is usually the person behind the keyboard.

Likewise, Ingram’s statement that the bad guys are testing their creations against anti-virus software to make sure they are not detected is also not breaking news. If he had been involved in this arena as long as some of us, he would know that this has been going on almost since the start of the malware problem.

This move from ‘for-fun’ to ‘for-profit’ malware authorship means that the anti-malware researchers and developers we have must work harder and longer and think even more ‘outside-the-box’ than they do now. We also need to find and train more good guys to help in the fight before those we already have are outnumbered, surrounded and down to their last bullet! Hopefully this scenario will never come to pass.

Links:

[1] In reality malware authors come from all age groups; females also wrote malware, not just males, and some were also socially adept.



Wednesday 2nd August, 2006


A Lebanese Request To Liberate 24 Million US Dollars

Filed under: All, Scams

I was wondering why the 419ers hadn’t yet jumped on the latest news-worthy disaster; this being the ongoing conflict between Israel and Lebanon, or more specifically the Israeli army and Hezbollah. As usual many innocent people (on both sides) are getting injured, maimed or killed.

Those carrying out these attacks just see this as ‘collateral damage’ and part of war; I see it for what it is, a lowering of the value of human life; everyone is expendable and a commodity in the eyes of those carrying out these acts.

Anyway, back to the 419 angle. Late last night I received the following e-mail [screenshot below]:

A larger version of the screenshot can be found here.

It is the usual stuff: “I have lots of money stuck somewhere, help me out and some of it is yours”. Of course there is no money; it is a scam which in this case is playing on the real suffering of real people. The boys and girls from Lagos should be thoroughly ashamed of themselves!

If you don’t understand how these scams work, then I’d suggest you take a look at the following links:


