MoMusings

Friday 8th September, 2006


A Game of Two Halves - 2006 First Half Malware Review

Filed under: All, Malware, Exploits, Scams, Stats, Spam

Somewhat late I know, but I am finally going to post selected parts and snippets from the 2006 half-year malware review I finished in July as I promised, and I do try and keep my promises. So better late than never, here we go…

Malware Review of 2006 [January - June]

Below is a summary of the state of malware and related ‘things-that-go-bump-in-the-net’ for the first six months of 2006. If you need further details on any issue you will find a list of references throughout and can always search my blog for more details on a specific topic. All feedback and questions are welcome.

Overview

The beginning of 2006 was also the 20th anniversary of the first PC virus, Brain.

For anyone outside the security industry the first six months of 2006 were pretty uneventful; however, this is just a case of the ‘Swan Principle’: all serene and smooth on top, but furious activity going on beneath the surface, in both the malware and anti-malware camps.

E-mail-borne malware is fast becoming extinct as malware authors move to other infection vectors, or send links instead of attaching malware. The other trend is the move back towards Trojans and the use of social engineering to get users to infect their own computers. SOPHOS found that only 1 in 91 e-mails was viral, compared to 1 in 35 for the same period last year.

Phishing has grown from a minor inconvenience to a widespread and growing problem which currently shows no sign of slowing down. However, there is something of a change happening in that phishing scams are no longer just targeting customers of online payment systems [PayPal], banks, building societies and ISPs. They are increasingly turning their attention to smaller firms and more targeted attacks. Increasingly we are seeing botnets being used to spam out phishing e-mails, and bot-infected computers used to host the bogus ‘phishing’ site itself.

Bots and botnets have become big business, with many ‘botnet owners’ making serious money renting out their ‘army’ of ‘drones’ for DDoS attacks or for pushing spam, phishing e-mails or other scams. Botnets are also being used to seed new malware and adware/spyware, effectively giving it a head start which allows it to appear almost instantaneously all over the world.

Malicious software aimed at mobile devices, such as PDAs and smartphones, has grown quickly so far this year. This is not surprising, as more and more of us now carry smartphones with more computing power than a desktop computer offered a mere 10 years ago. During the review period the number of malware samples targeting mobile devices exceeded the 200 mark.

Ransomware
Data or disks being encrypted by malware is nothing new; however, we seem to be seeing an increase in the use of this technique to extort money from those that get infected. In some cases it has almost become a hostage-shooting scenario: if infected users do not pay up within a specified period, files get deleted, and this is repeated until the user gives in and pays up.

Multi-stage malware is malware that arrives in parts or sections. This is not a new technique, but it is one that is increasingly being used by malware authors.

As this blog posting is ‘selected highlights’ of the full 16-page report, let us look at some of the areas mentioned above in more detail:

Malware Growth

Almost at 200,000 malware strains/variants

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 199,255 [as at the end of June 2006]. That’s a growth of 30,448 new malware strains and/or variants in the first half of the year. If we extrapolate that out we are looking at at least 60,000 new malware strains and/or variants by the end of this year.

I have already written a blog entry on this, so to save space, and my fingers, you can read the original posting here.

The following chart shows the actual growth of malware each month for the first half of 2005 and the first half 2006. You can clearly see the same trends at work; however the numbers are much larger.

The average per month for the first half of 2005 was 4494 new malware variants, whereas the average per month for the first half of 2006 was 5075 new malware variants. This equates to 28 new malware found on average each and every day during the first six months of 2006; for the same period last year the figure was just 25.

Now, let us look at the growth and trends from actual data from my own internet facing malware sensors. The first graph shows data from January 2004 until June 2006 and only shows malware samples captured which travel via e-mail.

Let us now look at the whole six month period with respect to individual malware variants and families. The first pie chart shows the top 10 malware variants. This data is from my WormCharmer and includes not only e-mail based malware but also share-crawling worms and bots too.

As you can see there are a number of Mytob variants in the top 10; in fact they take 4 of the 10 slots. The other 6 are headed by W32/Tenga.3666, which accounts for over 65 percent of the top 10 pie and over 50 percent of all samples captured in the first six months of 2006. Tenga is a ‘blast from the past’, as it had been suggested by some anti-virus vendors that ‘viruses’ were now extinct, apart from those already known and catalogued. The rest of the pie is made up of W32/MyWife.d@MM, W32/Netsky.p@MM, W32/Opaserv.ae and finally W32/Opaserv.d [in 5th, 6th, 7th and 10th respectively].

The above pie chart shows the data for the same period but grouped by malware ‘families’. As you can clearly see, the Tenga family [which is only made up of the initial version] accounts for the largest slice, almost 55 percent. Mytob is forced into second place, accounting for just 23 percent of the pie. These top two are followed by the ‘Opaserv’ family and the ‘Netsky’ family. Next come MyWife, Sdbot, Mydoom, Sdbot and Ranky Dropper, and in ninth spot is Ranky. Bringing up the rear is the ‘Agobot’ family.

Right, now that we have covered some of the statistics of the first half of 2006, let us look at some of the trends reported in the review:

Trends

Ransomware

Data or disks being encrypted by malware is nothing new; however, we seem to be seeing a rebirth of this technique to extort money from those that get infected.

One of the first ransomware samples found was Virus.Win32.Gpcode.a [Kaspersky], which was found in December of 2004; a second variant appeared later that month. We are now seeing versions of this ransomware using strong encryption. In January variant ac was found, and it used an RSA algorithm with a 56-bit key length. Next we saw a version using a 260-bit key, then a 330-bit key; each of these was cracked by the anti-virus firms. To top it all, in June the author released a new version using a 660-bit key. This should have taken around 30 years to crack, but Kaspersky managed to crack it within 24 hours. It is expected that we will see more of these Gpcode variants using larger and larger keys, along with new malware that uses strong encryption techniques to hide or steal data.

If we see this technique added to bots we may well have to add a new entry to the definition of DDoS attacks, as encrypting files or whole disks without the owner’s knowledge is definitely a denial of service: the owner won’t be able to use the data or disk that has been encrypted.

In one case a ransomware sample known as Ransom-A [Sophos] prevented users from accessing their computer until the ransom was paid via Western Union. The fee demanded was a measly 10.99 [US Dollars]. The amount may be small, but to try and ensure that the victim paid up, it claimed it would delete a file for every thirty minutes which passed. Furthermore, Ransom-A displayed pornographic images and messages on the infected system’s screen, which added to the pressure to pay up, especially if you were in an office or public place where your screen could be seen.

Along similar lines is data-stealing malware; more often than not these are Trojans specialising in stealing passwords and other sensitive data. There have been cases where phishers have used these tools, exploiting known vulnerabilities in Microsoft Internet Explorer to automatically download and install the Trojan as the phishing e-mail is being read.

Script Malware Returns

Script viruses and other script malware have been around for many years, but interest in them has waned over the last few years, or so it seemed. This year we have seen a number of script-based malware samples; these include:

It seems that we are seeing the rebirth of script-based malware; this time the target is web-based applications and the servers running these applications and sites. What is more worrying is that some of these, such as Feebs and Scano, are polymorphic and therefore harder to reliably detect, as they mutate each time they infect.

A Half-Year Packed with PoCs

It seems to have been rather manic on the ‘proof of concept’ front with regard to malware; so far this year we have seen the following new targets attacked:

  • Matlab
  • Microsoft Project
  • Open Office
  • Mac OSX
  • J2ME

This year has, so far, been short on major outbreaks. This is partially because malware authors are spending their time investigating new attack vectors and methods. I suspect that the second half of 2006 will see a similar increase in PoCs.

Right, finally let me cover some of the things I see in my crystal ball…

Expectations for the rest of 2006

Let us look into our virtual crystal-ball and see what the last half of 2006 may hold.

Actually this is more scientific than merely guessing as it uses all the data from 2006 so far and the other twenty years of malware activity to come up with the most likely scenarios. However, something new and unexpected can always turn up to turn everything on its head.

Phishing will continue to grow.
More scams using social engineering to dupe users into disclosing private or confidential information, or getting them to perform a task such as running an attachment or deleting system files (user-initiated malware). More phishing scams will use malware such as key-loggers and backdoors to compromise or further exploit a victim’s system. Man-in-the-middle scams will become more widespread.

Increased social-engineering use in malware.
Malware authors are well aware that, most often, the weakest link in a company’s security is the person behind the keyboard. Until users gain a healthy level of paranoia the problem will continue, and social engineering may be used more often to defeat a company’s anti-malware defence.

Spam will continue to grow. Despite the recent legislation passed in both the UK/EU and the US, and even allowing for the arrests/prosecutions of spammers in 2004, the growth in the risk of being caught will be offset by the increasing use of botnets as spam proxies. Not only will we see an increase in e-mail spam, but also instant messaging spam [known as spim] and VoIP spam [known as spit].

Bots and botnets will continue to be the tool of choice for cyber-criminals. What we will continue to see during the rest of 2006 is a further move away from using IRC for command and control, towards other methods such as web servers running SSL [encrypted] command and control systems. We may also see encrypted peer-to-peer [P2P] networks created by bot/botnet creators as IRC server owners crack down on misuse of their servers. Furthermore, the increasing use of IPS/IDS to detect botnet IRC traffic will force the bad guys to move to encrypted protocols in an attempt to defeat these technologies.

It has become clear over the last few years that malware authors are increasingly looking at operating systems other than Windows. The number of Linux malware samples is increasing steadily as they search for effective ways to target it. The same has been happening on the Apple Mac platform. We will see more, and increasingly complex and successful, malware for Linux and Mac operating systems during the rest of 2006.

So, there you have it, a quick peek at some of the facts, findings, trend analysis and a bit of crystal ball gazing to round it all off.


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Thursday 7th September, 2006


Developments in Spam and Spamming

Filed under: All, Scams, Spam

Quite a number of people have asked me why they are suddenly seeing Spam, or more Spam than they are used to. To answer this I decided to put together this blog entry to try and explain why more Spam appears to be turning up on our computers, and how they bypass the anti-spam tools and filters most companies have in place. I covered a number of the tricks and techniques in a presentation I gave back in July. For those that saw the presentation this can be considered an update.

I have covered spam on this blog a number of times and, to be honest, apart from the constantly increasing amount and the constantly changing subject matter, not much has changed in the way that spam is created. It has predominantly been either plain ASCII text or HTML based, sometimes disguised by using encoding methods or other obfuscation techniques to try and fool anti-spam tools and bypass filters.

However, since the spammers moved to sending nearly all their spam via botnets (it is believed that over 80 percent of all spam is now sent via bots and botnets), other new techniques have been seen. This blog entry will discuss some of these new techniques and why the spammers are using them.

Graphical Spam
This was the first major change made by the spammers: instead of just using graphics for pictures, they decided to make the whole spam message into a graphical one. This, they believed, would allow them to fool or bypass anti-spam filters. To improve the likelihood of their message getting through they would often include random text, or text stolen from news or other articles and even books, in the body of the e-mail. You can see an example of this type of spam message below:

A larger version of this screenshot can be found here.

The next step was to add random dots to the graphical spam; this means that you can no longer filter graphical spam out by using a checksum or hash value as a temporary fix, as the checksum or hash will now be different each time the spammers produce an image spam using a new microdot pattern or position. If you look carefully at the example above you may notice little black dots where this technique has been used.

This type of graphical spam using microdots is allowing spam to bypass many anti-spam tools, which is why many people are seeing more spam than before. However, this is not the end of the spammers’ development cycle. Next they decided to animate them…

Animated GIF Spam
So, why do the spammers want to use animated GIFs for spam? I mentioned above that the spammers are increasingly using microdots to make hashing or checksumming techniques for detecting graphical spam almost useless; however, the dots make the spam look messy. So, to solve this problem the spammers move the microdots to a separate GIF frame, or in some cases more than one. This allows them to place these frames before and after their clean and tidy graphical spam image. To make this work well, the microdot frames of the animated GIF are set to appear for only a fraction of a second. You can see an example of this type below:

I have modified the above animated GIF to allow you to see the other frames which contain the microdots or other graphical data. This animated GIF originally only animated once, I have changed it to animate forever.

Subliminal Spam
The next step taken by the spammers was to think “Well, we are now using animated GIFs, why not use the microdot frames another way? How about we put subliminal messages in them?” So that’s what they did. You can see a modified example below:

I have modified the above animated GIF to allow you to see the other frames which contain the subliminal message data. This GIF animates forever, all I have done is change the interval that the so-called subliminal data shows.
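As an added example (not code from the original post), here is a small Python parser that walks an animated GIF’s block structure without decoding pixels, pulls out each frame’s display delay and the NETSCAPE loop count, and applies a heuristic for the pattern described in the two sections above: very short ‘flash’ frames mixed with one frame held on screen. The 0.1 s / 1 s thresholds and the one-pixel sample GIF are constructed assumptions, not figures from the post.

```python
import struct

def _sub_blocks(data: bytes, pos: int):
    """Read GIF data sub-blocks (length byte + payload) up to the 0x00 terminator."""
    chunks = []
    while data[pos] != 0:
        size = data[pos]
        chunks.append(data[pos + 1:pos + 1 + size])
        pos += 1 + size
    return chunks, pos + 1

def parse_gif_frames(data: bytes) -> dict:
    """Walk the GIF block structure; return per-frame display delays
    (hundredths of a second) and the NETSCAPE loop count (None if absent)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos, packed = 13, data[10]                 # header (6) + logical screen descriptor (7)
    if packed & 0x80:                          # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    frames, loop, delay = [], None, 0
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B is the trailer
        block, pos = data[pos], pos + 1
        if block == 0x21:                      # extension block
            label, pos = data[pos], pos + 1
            chunks, pos = _sub_blocks(data, pos)
            if label == 0xF9:                  # Graphic Control Extension: delay for the next image
                delay = struct.unpack("<H", chunks[0][1:3])[0]
            elif label == 0xFF and chunks and chunks[0] == b"NETSCAPE2.0":
                loop = struct.unpack("<H", chunks[1][1:3])[0]   # 0 means loop forever
        elif block == 0x2C:                    # image descriptor
            w, h, ipacked = struct.unpack("<HHB", data[pos + 4:pos + 9])
            pos += 9 + (3 * (2 << (ipacked & 0x07)) if ipacked & 0x80 else 0)
            _, pos = _sub_blocks(data, pos + 1)   # skip LZW code size byte + pixel data
            frames.append({"delay_cs": delay, "width": w, "height": h})
            delay = 0
        else:
            raise ValueError(f"unexpected block 0x{block:02x}")
    return {"frames": frames, "loop": loop}

def flash_frame_suspect(info: dict, flash_max_cs: int = 10, hold_min_cs: int = 100) -> bool:
    """Heuristic (thresholds are assumptions): an animation mixing frames shown for
    <= 0.1 s with a frame held >= 1 s matches the microdot / subliminal-frame pattern."""
    delays = [f["delay_cs"] for f in info["frames"]]
    return (len(delays) >= 2 and any(d <= flash_max_cs for d in delays)
            and any(d >= hold_min_cs for d in delays))

def build_sample_gif(delays_cs, loop=None) -> bytes:
    """Constructed minimal animated GIF: 1x1 frames, two-colour global palette."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0))  # 0x80: GCT, N=0
    out += b"\x00\x00\x00\xff\xff\xff"        # two palette entries
    if loop is not None:                       # NETSCAPE2.0 looping extension
        out += b"\x21\xff\x0bNETSCAPE2.0\x03\x01" + struct.pack("<H", loop) + b"\x00"
    for d in delays_cs:
        out += b"\x21\xf9\x04\x00" + struct.pack("<H", d) + b"\x00\x00"   # GCE with delay
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)            # 1x1 image at (0,0)
        out += b"\x02\x02\x44\x01\x00"        # LZW min code size 2, one pixel, terminator
    return bytes(out + b"\x3b")
```

A mail gateway would run parse_gif_frames over each image attachment and quarantine or score messages where flash_frame_suspect returns True.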

Please note these are not only spam but also what is known as ‘pump-and-dump’ stock scams. Do not use the data that the spammers supply to buy any of the stock: unless you are very quick and manage to sell the stocks you buy before they dump theirs, you will end up losing lots of money.
Don’t do it.

These types of scams are now being investigated and I expect that at least a few of those responsible will start to get arrested, charged, tried, and then sent to prison where they belong.

Word Document Spam
The next change appeared a couple of weeks ago. All of a sudden I started getting lots of e-mails with Word documents attached. These came attached to e-mails with subject lines like:

  • Hospital Office Billing Update #57769
  • Confirm amount of charges fro Claim #86774
  • Filed under your account via Claim #91023
  • Records confirmation. See claim #94801
  • Your receipt for Statement #95775
  • Billing Update, Form #33128
  • Billing Summary - Invoice #62633
  • …and so on…

They also only contained a single line of ASCII text urging me to open the attachment to check certain details.

To say I was suspicious of these e-mails is an understatement. These Word documents may have contained malware or used one of the many recent known vulnerabilities in Word, so I only opened them in OpenOffice, and only then after I had tested them against numerous anti-virus and anti-spyware tools. What did I find?

Well, you can see for yourself, nothing malicious, no exploit code, no dangerous embedded files, scripts or links, only Spam!

Here is a second example of Word document based Spam.

The use of Word documents as a method of sending out spam is both interesting and worrying; interesting in that the spammers seem to be trying out file formats which they believe will allow them to bypass anti-spam tools and get their message through to you. This means that to counter the move to graphical spam we are probably going to have to use anti-spam tools that use OCR [Optical Character Recognition] to extract the text from the spam and then analyse it as before. As for the move to Word documents, we may have to update anti-spam tools to use content filtering and/or file extension filtering, much as we already do for dealing with malware.
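An added example, not the author’s code, of the content and extension filtering just mentioned: a Python scoring function that checks a message for a billing-style subject with a reference number, a document attachment, and a one-line body urging the reader to open it. The subject pattern, the extension list and the sample messages are assumptions modelled on the subject lines listed above.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed pattern derived from the subject lines quoted in the post:
# a billing word followed somewhere by '#' and a reference number.
BILLING_SUBJECT = re.compile(
    r"\b(claim|invoice|statement|billing|receipt|form)\b.*#\s*\d{4,}", re.IGNORECASE)
# Extensions treated as document attachments (assumption).
DOC_EXTENSIONS = (".doc", ".dot", ".rtf")

def document_spam_score(raw: bytes) -> dict:
    """Score one raw RFC 2822 message for the 'Word document spam' pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    body_lines = [ln for ln in body.splitlines() if ln.strip()]
    doc_names = [a.get_filename() or "" for a in msg.iter_attachments()]
    doc_names = [n for n in doc_names if n.lower().endswith(DOC_EXTENSIONS)]
    reasons = []
    if BILLING_SUBJECT.search(subject):
        reasons.append("billing-style subject with reference number")
    if doc_names:
        reasons.append("document attachment: " + ", ".join(doc_names))
    if len(body_lines) <= 1 and ("attach" in body.lower() or "open" in body.lower()):
        reasons.append("one-line body urging the reader to open the attachment")
    # All three indicators together are what the post describes; quarantine on that.
    return {"score": len(reasons), "reasons": reasons, "quarantine": len(reasons) >= 3}

def build_sample(subject: str, body: str, attach: bool) -> bytes:
    """Constructed sample message (not a real spam capture) for testing the filter."""
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attach:  # placeholder bytes standing in for a .doc file
        m.add_attachment(b"PLACEHOLDER-DOC", maintype="application",
                         subtype="msword", filename="Claim_86774.doc")
    return m.as_bytes()
```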

So what’s next from the spammers?
Unfortunately, we are seeing a similar ‘arms race’ in the spam and anti-spam arena to the one we have been living with in the malware and anti-malware arena for the last two decades. You can bet that we will see other file formats being used by spammers, and we may also see them start to use some of these file formats not only to get their spam through our defences but also, I fear, to drop malware/spyware onto unsuspecting users’ systems. We may also see the spammers start to use exploit code to infiltrate systems and turn them into spam relays, or to install keyloggers to steal financial or other personal or commercial data.

Hold on tight, I think we are in for a bumpy ride! Anyone got any good recipes for Spam, apart from Spam fritters? ;-)


