July 2006 Malware Review
Finally, here is the Monthly Malware Review for July 2006, better late than never? I will also be posting some extracts from my Half-year Malware Review in the next few days, so as you can see I have been busy as well as being on vacation for the last 2 weeks.
July has come and gone and the nights are already starting to draw in. On the malware front it has been an interesting month and it seems that the malware authors are enjoying the sun as the number of trapped malware samples has started to drop once more.
Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.
I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.
I have included four sources of information for the graphs and pie-charts, these are:
The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 3 years, Malware Bayesian Filter 2 years.
In total I captured 1358 samples during July, which have been catalogued as 42 distinct families and variants. In comparison during June I captured 1850 samples which were catalogued as 48 distinct families/variants. As you can see the captures in July have fallen back from June’s high which was the highest point since January’s total.
During July I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
The main reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.
During July I reported 114 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during June. Its percentage jumped from 54 percent in June to 71 percent in July. It seems very intent in keeping pole position for itself.
Netsky.P consolidated its third place which it gained in June, up from the lowly fifth place it managed in May’s chart.
The Mytobs which lost even more ground during June, just managing a single entry [at number 2], have managed to get a second member of the family in to the top 10. This is a similar situation to that of May 2006 where they were only able to capture just two out of top ten places.
The share-crawling worms lost some of the ground they captured in June, when they had managed to take eight of the top ten places; they have now fallen back two slots to six. The Opaserv family consolidated its hold on the top ten, accounting for five of the six places taken by share-crawling worms and bots.
Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot.
If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.
As you can see, the top 10 from Kaspersky [below] this month has seen the Mytob family grab six places out of the top ten; this is the same number it managed in June, up from five in May.
In pole position we have Mytob.c, which was also number one for the last five months. Lovegate.w moves down two places from third to fifth place. Nyxem.E, which was a new entry in June's chart, has consolidated its hold on second place. Netsky.b likewise climbs one place from fourth to third and is joined by another member of its family, Netsky.y, in sixth place. The rest of the chart is made up of Mytob variants [q, u, t, w and r] in fifth, seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern: Netsky.p has further consolidated the number one slot which it lost in March and grabbed back in April. Zafi.b consolidates its sixth place, where it slipped down to in June. Nyxem.D [aka MyWife] has slipped one place to fourth. Mytob.AS consolidates its second place in the top ten; it stormed up the chart from fourth spot in June. Mytob variant FO is the only other member of its family in the top ten in July, coming back in at number nine. Another Netsky [D] grabs back the seventh place it lost in June. Mydoom has two members of its family in the top ten this month; O climbs from tenth to fifth and AJ is a re-entry in joint ninth. To complete this month's top ten we have W32.Bagle-Zip, which was a new entry in June's chart, up from seventh to third.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which dropped from 73 percent of all samples caught in March to just 54 percent in June and is now back at 71 percent in July. Mytob has dropped one place from third to second place, swapping places with Opaserv, up from third to second. Netsky consolidates its fourth place spot, which it rose to in May. Mydoom creeps up two places from seventh to fifth. Dupator slides down from sixth to eighth. New entries IRC/Flood, W32/Downloader and Lebreat come in at sixth, seventh and ninth places respectively. Funlove once more brings up the rear in tenth.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of July] here. This clearly shows that July was the slowest month since I started to collate data on e-mail borne malware. My findings are backed up by analysis from SOPHOS:
“…the actual proportion of infected email has dropped to a low of just one in 222 (0.45 percent). This compares to the first six months of 2006 when, on average, one in 91 emails (1.1 percent) carried malicious attachments.”

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 203,273 [as at the end of July 2006]. That’s a growth of 34,466 new malware strains and/or variants in last seven months. Further analysis from SOPHOS shows that:
“The majority of the new threats (87 percent) were Trojan horses, while just 13 percent were worms or viruses.”
What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in July 2006.
- Warning! New Virus On The Internet! Update Now!
- Phishing by Phone
- Charged For Software You Didn’t Buy?
Conclusions:
Malware slowed again during July; however spam, phishing and 419 scams have shown a further increase. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.
It is also clear that cyber-criminals are increasingly using Trojans as their preferred attack tool, rather than viruses. It also seems that phishers are increasingly looking at using malware to enable them to steal personal data as well as other technologies that may help them to fool their victims.
The newest threat from the phishers is hybrid phishing scams using e-mail and VoIP [Voice over IP] to get users to divulge personal or financial data to the cyber-criminals behind these scams. This new technique has been dubbed ‘Vishing’.
Spammers are increasingly moving to graphical spam, as it is harder for anti-spam tools to identify without the use of OCR technologies. Not only are they moving to graphical spam, but to defeat simple filtering based on hashing or check-summing of images they are producing graphics that contain random micro-dots, which ensures that this type of filtering is side-stepped.
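The micro-dot trick works because an exact checksum changes when a single pixel changes. As an added illustration that is not part of the original post or any tool mentioned in it, the following Python models a small constructed image, sprinkles random dots on it, and compares exact hashing with a block-average perceptual hash that tolerates the dots while still separating a genuinely different image. The image size, block size and threshold are assumptions chosen for the demonstration.

```python
import hashlib
import random

# Constructed sample: a 16x16 greyscale "spam image" as rows of 0-255 values,
# laid out as 4x4 blocks in a checkerboard (a stand-in for a real GIF/JPEG).
W = H = 16
BASE_IMAGE = [[255 if ((x // 4) + (y // 4)) % 2 == 0 else 0 for x in range(W)] for y in range(H)]
# A genuinely different image (the inverse pattern), for comparison.
OTHER_IMAGE = [[255 - v for v in row] for row in BASE_IMAGE]

def exact_hash(img):
    """Exact checksum over the pixel bytes: what a hash/checksum spam filter compares."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def add_micro_dots(img, n, seed):
    """Invert n randomly chosen pixels: the 'random micro-dots' the post describes."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n):
        y, x = rng.randrange(len(out)), rng.randrange(len(out[0]))
        out[y][x] = 255 - out[y][x]
    return out

def average_hash(img, block=4):
    """Block-average perceptual hash: one bit per block, set when the block mean
    exceeds the global mean. A few flipped pixels move a block mean only slightly,
    so the bits stay put; a different picture flips many bits."""
    bw, bh = len(img[0]) // block, len(img) // block
    means = []
    for by in range(bh):
        for bx in range(bw):
            s = sum(img[y][x] for y in range(by * block, (by + 1) * block)
                    for x in range(bx * block, (bx + 1) * block))
            means.append(s / (block * block))
    global_mean = sum(means) / len(means)
    return sum(1 << i for i, m in enumerate(means) if m > global_mean)

def hamming(a, b):
    return bin(a ^ b).count("1")

def exact_match(img_a, img_b):
    return exact_hash(img_a) == exact_hash(img_b)

def perceptual_match(img_a, img_b, threshold=2):
    return hamming(average_hash(img_a), average_hash(img_b)) <= threshold

if __name__ == "__main__":
    variant = add_micro_dots(BASE_IMAGE, n=5, seed=7)
    print("exact checksum matches dotted copy:", exact_match(BASE_IMAGE, variant))      # False
    print("perceptual hash matches dotted copy:", perceptual_match(BASE_IMAGE, variant))  # True
    print("perceptual hash matches other image:", perceptual_match(BASE_IMAGE, OTHER_IMAGE))  # False
```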
Links:
- Virus Top Twenty for July 2006 [Kaspersky]
- Top ten viruses and hoaxes for July 2006 [Sophos]
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.