MoMusings

Tuesday 31st October, 2006


An Orange Phish, not a Gold One

Filed under: All, Scams

Orange, a rather large UK mobile phone operator, are running a promotion and offering £20 [UK Pounds] of free credit if you use their new e-topup service…or so the following e-mail [screenshot below], which arrived in my e-mail box the other day, would have me believe.

If an ‘Orange’ customer clicks on the link in the e-mail, they will see the following page in their browser:

A larger version of the above screenshot can be found here.

Yes, the bad guys and girls are changing tactics again. In this case it is a phish which is targeting one of the big mobile phone operators in the UK, more accurately, they are targeting their customers.

The phishing e-mail appears to be a typical one except that it is targeting ‘Orange’ customers instead of the usual bank, building society, ISP, Paypal or eBay ones that are the more normal phish food.

As you can see, apart from the usual data, such as name, address, etc., they also want your credit card details, including the CVV!

So, heads-up everyone as it looks like we will be seeing more unusual phish in the future.

Anyway, I have other ‘phish to phry‘, back later! ;-)


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Monday 30th October, 2006


September 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

Following hot on the heels of the August Malware Review, here is the Monthly Malware Review for September 2006, just in time for me to think about starting the process all over again for the October Malware Review!

September has come and it has been a very busy month for me, writing and updating a number of presentations, one for the Virus Bulletin conference, one for the University of Warwick and one for a customer visit. This is on top of my usual work! On the malware front it has been an interesting month with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 4 years, Malware Bayesian Filter 3 years.

In total I captured 1226 samples during September, which have been catalogued as 43 distinct families and variants. In comparison during August I captured 948 samples which were catalogued as 40 distinct families/variants. As you can see the captures in September are back up, a bit.

During September I captured and submitted just 1 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During September I reported 85 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during September. However, its percentage dropped from 72 percent in August to only 57 percent in September. Even allowing for this drop it seems very intent on keeping pole position for itself.

The Mytobs are back. In August they completely dropped out of the chart, but one member of the family has managed to storm back into the chart in September, grabbing second place.

This reappearance of Mytob knocked Netsky.P from last month’s second place back to third. Another member of the Netsky family [Netsky.c] came into September’s chart in fourth place.

Interestingly, the share-crawling worms suffered a decrease in their numbers; down from seven of the ten slots in August to just four in September.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During September it fell down the chart again, to eighth.

We have two new entries this month, known as IRC.Flood.b and ev [McAfee]. These jumped into the chart in fifth and sixth places respectively. These IRC flooders are included as part of a multi-component self-extracting archive [using RAR]. These are commonly being disguised as links to ‘e-cards’. However, when the link is clicked on and the alleged ‘e-card’ is launched, instead of displaying an electronic greeting card the downloaded file un-archives the files contained inside it and installs a number of malware components, including bot components, rootkit files and IRC flooders. This underlines the move by the malware authors back towards using Trojans as their preferred malware type.
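As an added example (my code, not the author’s tooling and not from the original post), here is the kind of check a mail gateway or sandbox could run on whatever an ‘e-card’ link actually hands back. It treats a Windows PE that carries an embedded RAR 4.x archive as a self-extracting archive and lists the member names from the RAR block headers, so the bot, rootkit and flooder components are visible before anything is run. The sample bytes are constructed inline (a minimal MZ/PE skeleton plus hand-built RAR headers with the CRC fields left at zero); the block layout follows the RAR 2.9/3.x format and the member names are invented for the illustration.

```python
import struct

MZ = b"MZ"
RAR4_SIG = b"Rar!\x1a\x07\x00"          # RAR 1.5-4.x marker block (7 bytes)
RISKY_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "dll", "sys", "vbs"}


def _is_pe(data: bytes) -> bool:
    """True if the blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def rar4_member_names(data: bytes, marker_off: int) -> list:
    """Walk RAR 4.x block headers starting at the marker block; return member names.

    Every block begins HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2).  If flag
    0x8000 is set a 4-byte ADD_SIZE follows and that many data bytes trail the header
    (for a file header, type 0x74, ADD_SIZE is the packed size).  The name length sits
    at offset 26 and the name at offset 32 (40 if the 0x100 'large file' flag is set).
    Header CRCs are not verified here."""
    names = []
    pos = marker_off + len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break                              # corrupt header: stop, don't loop forever
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & 0x8000 else 0
        if htype == 0x74:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_off = pos + 32 + (8 if flags & 0x100 else 0)
            names.append(data[name_off:name_off + name_size].decode("latin-1"))
        if htype == 0x7B:                      # end-of-archive block
            break
        pos += hsize + add
    return names


def classify_ecard_download(data: bytes) -> dict:
    """Say what an 'e-card' link really delivered and which archive members can execute."""
    rar_off = data.find(RAR4_SIG)
    if data[:6] in (b"GIF87a", b"GIF89a"):
        kind = "gif image"
    elif _is_pe(data) and rar_off > 0:
        kind = "self-extracting RAR (PE stub with embedded archive)"
    elif _is_pe(data):
        kind = "pe executable"
    elif rar_off == 0:
        kind = "rar archive"
    else:
        kind = "unknown"
    members = rar4_member_names(data, rar_off) if rar_off != -1 else []
    risky = [n for n in members if n.rsplit(".", 1)[-1].lower() in RISKY_EXT]
    return {"kind": kind, "members": members, "risky_members": risky}


# ---- constructed sample (not a real e-card payload) -------------------------------

def _rar4_file_block(name: bytes, packed: bytes) -> bytes:
    """Hand-built RAR 4.x file header (type 0x74, 'stored' method, CRCs left at zero)."""
    hdr = struct.pack("<HBHHIIBIIBBHI",
                      0, 0x74, 0x8000, 32 + len(name),   # crc, type, LONG_BLOCK, head size
                      len(packed), len(packed),          # packed / unpacked size
                      2, 0, 0,                           # host OS Win32, file CRC, ftime
                      29, 0x30, len(name), 0x20)         # unp ver, method stored, name len, attr
    return hdr + name + packed


def build_sample_sfx() -> bytes:
    """Minimal MZ/PE skeleton followed by a 4-member archive, laid out as an SFX would be."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    stub = bytes(dos) + b"PE\0\0" + bytes(60)
    archive = (RAR4_SIG
               + struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)   # archive header block
               + _rar4_file_block(b"ecard.jpg", b"decoy picture")
               + _rar4_file_block(b"ecard.exe", b"dropper")
               + _rar4_file_block(b"flood.exe", b"irc flooder")
               + _rar4_file_block(b"hide.sys", b"rootkit driver")
               + struct.pack("<HBHH", 0, 0x7B, 0, 7))           # end-of-archive block
    return stub + archive


if __name__ == "__main__":
    print(classify_ecard_download(build_sample_sfx()))
```

The point of listing members rather than just flagging “PE with RAR inside” is that legitimate SFX installers exist; an ‘e-card’ whose archive contains .exe and .sys members is the tell. A real check would also verify the header CRCs and handle RAR 5 (signature `Rar!\x1a\x07\x01\x00`, a different block format).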

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month has seen the Mytob family once more grab four places out of the top ten, this is down from six in August.

In pole position we still have Mytob.c, which was also number one for the last six months. Lovegate.w moves up one place from fourth to third place. Nyxem.E which was a new entry in June’s chart has consolidated its hold on second place. Netsky.b drops from the third slot it grabbed in July and August to fifth, and is joined by another member of its family, Netsky.t in ninth place.

We have two new entries in September, both from the Scano family, both of these [gen and aq in fourth and eight respectively] arrive attached to a spammed e-mail message, the attachment is the virus. Scano does not spread on its own.

The rest of the chart is made up of Mytob variants [t, u, and w] in sixth, seventh and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot which it lost in March and grabbed back in April. Zafi.b moves back up one place from ninth to eighth. Nyxem.D [aka MyWife] has further consolidated its place in fourth. Mytob.AS has further consolidated its second place in the top ten, it stormed up the chart from fourth spot in June and we see two other Mytob family members appear in the top 10; these being E and C in sixth and seventh place respectively. Another Netsky [D] consolidates its hold on fifth place. We have two members of the Mydoom family in the top ten again this month, these being Mydoom.O which slips from eighth to ninth spot and Mydoom.AJ which just gets in to the chart in tenth. To complete this month’s top ten we have W32.Bagle-Zip which was a new entry in June’s chart and which consolidates the third place it grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has finally dropped from 72 percent in August to just 57 percent in September. Mytob is back in the chart at third place after disappearing altogether from the chart in August. Opaserv has further consolidated its grip on second place. Netsky is down one place from third to fourth. Mydoom slips from the fifth place it managed to grab in July and August to sixth. Dupator is static in eighth spot. IRC Generic Flooder slips from fourth to seventh. New entries IRC Flood and Warezov come in at fifth and tenth places respectively. Kapser aka Mywife.D has re-entered the top ten this month in ninth place.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of September] here. This clearly shows that September was the busiest month since June. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 213,407 [as at the end of September 2006]. That’s a growth of 44,600 new malware strains and/or variants so far this year. We could see over 60,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in September 2006.

Conclusions:
Malware picked up slightly in September along with spam, however both 419 and phishing scams have shown a small drop in numbers. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

Rootkits will be covered in more depth in next month’s report, including a link to a paper I will present at the Virus Bulletin 2006 conference in October.

As shown elsewhere in this report spammers are increasingly moving to using graphical spam as it is harder for anti-spam tools to identify without the use of OCR technologies; not only are they moving to graphical spam but to stop simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots; this ensures that this type of filtering would be side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. The latest trick is to use PNG files, instead of GIFs.

Links:



Friday 27th October, 2006


Virus Bulletin 2006 Conference Review

Filed under: All, Malware, Papers, Scams, Spam

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2006 conference, which was held at the Fairmont Queen Elizabeth Hotel in Montreal, Canada, between the 11th and 13th of October [Yes, that was a Friday; Friday the 13th, and knowing the recent spate of problems that the VB Conference has experienced since 2001, it seemed that they were tempting fate once more!] ;-)

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


Day 1 - Wednesday the 11th of October:

The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by Mikko Hypponen who gave his keynote speech, which was entitled ‘Case: Virus X‘, which he informed us he couldn’t now talk about due to legal restrictions. So, instead he did a presentation covering the major developments of malware since the start of the problem, almost exactly 20 years ago. It was a very interesting presentation, given in an unusual but very effective style. He used 164 slides in just 40 minutes!

The next session was also interesting, a presentation by Rob Murawski of the CERT Coordination Centre on ‘Data exfiltration techniques: how attackers steal your sensitive data‘. This talk sort of set the tone of the rest of the conference, as it covered cyber-crime, of which we would hear a number of talks about - from different perspectives.

After lunch, the conference split into its normal two stream mode; Corporate stream and Technical stream. Normally I spend most of the conference in the technical stream, but for a number of reasons I spent the rest of the first day in the corporate stream instead.

The first talk in the afternoon that I attended was a slightly controversial one to say the least, on user education, given by Stefan Gorling. His talk was entitled: ‘The myth of user education‘. The focus of his talk was on how it was “pointless” to try and educate end users.

The very next presentation was also on user education, given by Peter Cooper and entitled: ‘User education: teaching techniques and learning styles for damage limitation‘. This very ‘memorable‘ presentation approached user education from the opposite side, saying that anyone can be trained, given the right approach. The presentation was memorable for two reasons: it used a new technique that I hadn’t seen used before, the 10/20/30 method, which Peter assured us would make it a memorable presentation, and secondly because just as he mentioned his presentation being memorable his Mac laptop shut down! This led many of the audience to ask Peter after his talk whether this was purely coincidental or part of his presentation.

Then it was time for a tea break, which I used to setup my laptop for my presentation, which was the next one on the ‘Corporate stream‘. While I was setting up, I was asked for my opinion on ‘user education’ by a delegate, and I mentioned that I agreed with both of the previous speakers. I continued to say that I, like Stefan, thought that generally trying to educate end users on the technical side of malware was a waste of time; for most end-users anyway. But, that with infinite time and resources then they should be educated, but mainly on simple policies and procedures, rather than the specific details of a specific threat, which most of them are not interested in, or even want to know about. Only a few days later did I find out that the ‘delegate’ was a journalist; he never introduced himself and his badge was obscured, and I was distracted in setting up my laptop - slightly sneaky of him!

So, as you may have guessed by now, my presentation [’Rootkits: risks, issues and prevention‘] was next, however we started 5 minutes late. This meant I never got to use my last 3-4 slides. Overall, I think the presentation went well as I had a number of people approach me and tell me they had enjoyed it and/or discuss some aspects in more detail. I also received very positive feedback on the actual paper too.

My presentation was followed by Matthew Braverman, who spoke about ‘Behavioural modelling of social engineering based malicious software‘. This was another excellent presentation and rounded off the end of the first day in the ‘Corporate stream‘.

Later in the evening we had a welcome drinks reception, which gave us a chance to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way. Oh, and enjoy a drink or two to help keep the brain lubricated. ;-)

Day 2 - Thursday the 12th of October:

For the first three sessions of the second day, I decided to stay in the ‘Technical Stream‘, these were:

  • Full potential of dynamic binary translation for AV emulation engine - Presented by Jim Wu
  • Anti-rootkit safeguards and methods of their bypassing - Presented by Aleksander Czarnowski
  • Botnet tracking techniques and tools - Presented by Jose Nazario

The last two of these presentations caused quite a bit of discussion, especially Aleksander’s, which was picked up by the press; numerous articles appeared on specific points he raised about fooling Vista. His paper was also a really good technical look at rootkits, which sort of complemented my own one on the same subject.

For the next two sessions of the second day, I decided to switch back to the ‘Corporate Stream‘, these were:

  • The challenge of detecting and removing installed threats - Presented by Jason Bruce
  • Dirty money on the wires: the business models of cyber criminals - Presented by Guillaume Lovet

The last of these presentations caused quite a bit of discussion as Guillaume had a quote that claimed that cyber-crime was more profitable now to the ‘Mob‘ than drugs! I’ll post more on this when I get a copy of his slides.

After lunch, I decided to stay in the ‘Corporate stream‘, partly because I was chairing the first two sessions, and then the final two presentations on the ‘Corporate stream‘ were the most interesting. Oh, and then there was a panel discussion.

  • The game goes on: an analysis of modern spam techniques - Presented by Rob Thomas and Dmitry Samosseiko
  • Containing spam - the local challenge - Presented by Jay Goldin
  • Spy-phishing - a new breed of blended threats - Presented by Jamz Yaneza
  • Phishing trojan creation toolkits: an analysis of the technical capabilities and the criminal organizations behind them - Presented by Dmitri Alperovitch
  • Panel discussion: Anti-Spyware Coalition - working together to combat spyware - Chaired by Richard Baldry

As you can see the afternoon was full of spam and phish, and we’d already had lunch!

After this there was a special ‘Birds of a feather‘ session on tackling graphical spam, which was lively and very interesting.

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied, and more nerdy/geeky chat too. The after dinner entertainment was supplied by jugglers and acrobats and rounded off by a good band.

Day 3 - Friday the 13th of October:

The last day of the conference was ahead of us, the first two days had gone past so quickly, so much to digest, both physically and mentally! On the final day I was in the ‘Corporate stream‘ for the first three presentations and then switched back to the ‘Technical stream‘ for the rest of the day. The ones I attended on the corporate stream were:

  • Applying collaborative anti-spam techniques to anti-virus - Presented by Adam J. O’Donnell
  • The inspector: automating the forensic investigation of infected computers - Presented by John Morris and Eric Kedrosky
  • Can strong authentication sort out phishing and fraud? - Presented by Paul Ducklin

The last two were the most interesting with John and Eric showing how they had used free scanning/forensic tools to remotely inspect systems that were suspected of being infected. These tools were scripted and for the most part automated, nice work guys, and no I won’t be writing a paper on how to improve the system, this time! ;-)

Paul’s presentation was great and informative, as we have all come to expect from such a knowledgeable guy who is also a very animated presenter.

Switching back to the ‘Technical stream‘ for the final talk before lunch, I sat in on:

  • Macintosh OSX binary malware - Presented by Marius van Oers

During lunch the speakers photo was taken, here it is:



I’m right in the center of the front row [blue checked shirt and white trainers], next to me in the red sleeveless top is Michael Morgan and next to him is Morton Swimmer. The other side of me is Paul Ducklin and then Dr. Richard Ford. A full version of this picture, naming all of those in it, will be available on the Virus Bulletin site as soon as they have collated and commented on all the pictures they have from the conference and of Montreal itself.

After lunch I stayed on the ‘Technical stream‘, the presentations I saw were:

  • SymbOS malware classification problems - Presented by Dr Vesselin Bontchev
  • A deep look into Symbian threats - Presented by Robert X. Wang
  • Me code write good - the l33t skillz of the virus writer - Presented by John Canavan
  • Panel discussion: Fighting cybercrime: one size does NOT fit all! - ‘The Internet Strike Force’, led by David Perry

Although the presentations on Symbian were interesting there was little new information in them. The best of the afternoon session was the panel on Cybercrime led by the animated and funny Dave Perry in his ‘Internet Strike Force‘ bowling shirt.

And then it was the final session of the day, and of the whole conference:

  • Conference closing session - Presented by Helen Martin

All in all, this was a very good Virus Bulletin conference, although I felt that the ‘technical stream‘ was the poorest I had ever seen, with only a small number of interesting papers and presenters this year. However, this was offset by the number of excellent papers and presentations given on the ‘Corporate stream‘, and I’ve been at nine of the last eleven VB conferences. Even allowing for this, there is still nothing quite like a VB conference, and long may it continue! I’m already looking forward to next year’s and thinking up possible papers to submit abstracts for possible selection for VB2007, which will be held in Vienna, Austria!

And even though the conference ran on Friday the 13th, there were no problems, no disasters, outbreaks of diseases, hurricanes, confiscated mugs, and so on, it all went very smoothly - well apart from Peter Cooper’s Mac laptop that crashed on the first day; Wednesday the 11th, so it doesn’t count. And, there were no major virus/malware outbreaks either during VB, that in itself is rather spooky!

Just in case you didn’t spot the link to my paper, here it is again: Rootkits: Risks, Issues and Prevention ;-)

I would be keen to hear from others who attended VB2006, at least to find out what they thought of the conference content this year.



Wednesday 25th October, 2006


Italian ex-Prime Minister Needs Your Help

Filed under: All, Scams

Here’s a new one I received today, and I just had to post it; screenshot below - don’t tell anyone, it is supposed to be a secret:



A larger screenshot, for those of us that need it, can be found here.

Poor old Mr Berlusconi needs your help in moving some ‘funds’ before they all get frozen by the authorities investigating him for alleged ‘fraud’. Poor man, don’t you feel sorry for him?

Well, whether he is innocent or guilty is irrelevant, as far as it has to do with this request anyway. Why? Well, guess what, the e-mail isn’t from Mr Berlusconi, or indeed anyone acting on his behalf. Are you surprised? Well, you shouldn’t be…Shame on you! ;-)

The e-mail is just the latest use of a well known person [well, at least in Europe] as bait by those inventive boys and girls from Lagos, also known as the 419ers. This is just their latest scam e-mail. There is no money; if you get involved with this, then the money will only be flowing one way, from you to them.

Don’t you just love the wording “…rest assured that this transaction would be done legally…“, yeah right, and since when has it been legal to launder money, even if it really existed?



Monday 23rd October, 2006


August 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

Finally, here is the Monthly Malware Review for August 2006, better late than never? OK, I own up, I wrote it and then forgot to post it here, happy now? ;-)

August has come and you can feel the start of autumn in the air in the evenings and mornings. On the malware front it has been an interesting month with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 4 years, Malware Bayesian Filter 3 years.

In total I captured 948 samples during August, which have been catalogued as 40 distinct families and variants. In comparison during July I captured 1358 samples which were catalogued as 42 distinct families/variants. As you can see the captures in August have fallen to the lowest since I started to record the samples I captured.

During August I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During August I reported 74 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during August. Its percentage jumped from 71 percent in July to 72 percent in August. It seems very intent in keeping pole position for itself.

Netsky.P jumped up from last month’s third place to second, replacing the Mytob variant that held it in July.

The Mytobs lost even more ground during August, completely dropping out of the chart.

The share-crawling worms increased their position from July gaining an extra slice of the pie, up from six to seven. The Opaserv family also increased its hold on the top ten accounting for six of the seven places taken by share-crawling worms and bots.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During August it fell two places to seventh.

We have a new entry this month, known as W32/Virtool.GL [Frisk]. This jumped into the chart in sixth place and is a collection of malware which uses social engineering to get users to download the malware from a website and infect their computer; in other words these are Trojans not viruses or worms. This underlines the move by the malware authors back towards using Trojans as their preferred malware type.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month has seen the Mytob family once more grab six places out of the top ten, this is the same number it managed in June and July, up from five in May.

In pole position we still have Mytob.c, which was also number one for the last five months. Lovegate.w moves up one place from fifth to fourth place. Nyxem.E which was a new entry in June’s chart has consolidated its hold on second place. Netsky.b likewise retains the third slot it grabbed in July, and is joined by another member of its family, Netsky.y in eighth place, which also featured in July’s chart. The rest of the chart is made up of Mytob variants [u, q, w, t, and cg] in fifth, sixth, seventh, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot which it lost in March and grabbed back in April. Zafi.b slips three places from sixth place to ninth. Nyxem.D [aka MyWife] has consolidated its place in fourth. Mytob.AS consolidates its second place in the top ten, it stormed up the chart from fourth spot in June. Mytob FO slips from ninth to tenth and we see two other Mytob family members appear back in the top 10; these being C and E in sixth and seventh place respectively. Another Netsky [D] jumps from seventh place to fifth. We have only one member of the Mydoom family in the top ten this month, down from two in July; this being Mydoom.O which slips from fifth to eighth spot. To complete this month’s top ten we have W32.Bagle-Zip which was a new entry in June’s chart and which consolidates the third place it grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has climbed from 71 percent in July to over 72 percent in August. Mytob has disappeared from the chart altogether in August. Opaserv has consolidated its grip on second place. Netsky is up one place from fourth to third. Mydoom consolidates the fifth place it managed to grab in July. Dupator is also static in eighth spot. New entries W32.VirTool, W32.Downloader, IRC Generic Flooder and Trojan.Downloader.Win32.Banload come in at fourth, sixth, seventh and tenth places respectively. Funlove has fallen out of the top ten this month.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of August] here. This clearly shows that August was the slowest month since I started to collate data on e-mail borne malware, even worse than July.
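Both the September and August reviews report how much of the mail-borne malware the Bayesian filter ‘classified correctly’. As an added example of what such a filter does (my code, not the author’s Malware Bayesian Filter, whose features and training corpus are not on the page), the block below trains a token-level naive Bayes classifier on a handful of constructed messages, treating the attachment extension as a feature alongside the words, and then measures its detection rate on four held-out constructed messages. All message text, attachment names and the risky-extension list are invented for the illustration.

```python
import math
import re
from collections import Counter

# Attachment extensions that, in this period's mail-borne malware, typically carry a
# dropper or downloader rather than a document (constructed list for this example).
RISKY_EXT = {"exe", "scr", "pif", "com", "bat", "zip", "rar"}


def tokenize(msg: dict) -> list:
    """Turn a message dict {subject, body, attachment} into classifier tokens.
    The attachment extension and a risky/not-risky flag become tokens alongside the
    words, so the filter learns from the delivery mechanism, not only the wording."""
    toks = re.findall(r"[a-z0-9']+", (msg["subject"] + " " + msg["body"]).lower())
    att = msg.get("attachment")
    if att:
        ext = att.rsplit(".", 1)[-1].lower()
        toks += ["att_ext:" + ext, "att_risky:" + ("yes" if ext in RISKY_EXT else "no")]
    else:
        toks.append("att:none")
    return toks


class BayesMalwareFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing, scored in log space."""

    LABELS = ("malware", "clean")

    def __init__(self):
        self.tok = {lab: Counter() for lab in self.LABELS}
        self.docs = Counter()
        self.vocab = set()

    def train(self, msg: dict, label: str) -> None:
        for t in tokenize(msg):
            self.tok[label][t] += 1
            self.vocab.add(t)
        self.docs[label] += 1

    def _log_joint(self, toks: list, label: str) -> float:
        denom = sum(self.tok[label].values()) + len(self.vocab)   # Laplace denominator
        lp = math.log(self.docs[label] / sum(self.docs.values()))  # class prior
        for t in toks:
            lp += math.log((self.tok[label][t] + 1) / denom)
        return lp

    def p_malware(self, msg: dict) -> float:
        toks = tokenize(msg)
        lm = self._log_joint(toks, "malware")
        lc = self._log_joint(toks, "clean")
        return 1.0 / (1.0 + math.exp(lc - lm))    # normalise the two joint probabilities

    def classify(self, msg: dict) -> str:
        return "malware" if self.p_malware(msg) >= 0.5 else "clean"


def detection_rate(flt: BayesMalwareFilter, labelled: list) -> float:
    """Fraction of (msg, label) pairs the filter gets right: the 'classified correctly'
    figure the monthly graphs report, on a toy scale."""
    hits = sum(1 for msg, lab in labelled if flt.classify(msg) == lab)
    return hits / len(labelled)


# ---- constructed training and test messages (not captured mail) -------------------
TRAIN = [
    ({"subject": "Your document", "body": "Please see the attached document.",
      "attachment": "document.zip"}, "malware"),
    ({"subject": "Mail delivery failed",
      "body": "Your message could not be delivered, see attachment for details",
      "attachment": "message.scr"}, "malware"),
    ({"subject": "Photos", "body": "I have attached my photos, see attachment",
      "attachment": "photos.pif"}, "malware"),
    ({"subject": "Re: your account", "body": "Your account details are in the attached file",
      "attachment": "account.exe"}, "malware"),
    ({"subject": "Lunch on Friday", "body": "Are you free for lunch on Friday? The usual place.",
      "attachment": None}, "clean"),
    ({"subject": "Meeting notes", "body": "Notes from the meeting are attached as a PDF.",
      "attachment": "notes.pdf"}, "clean"),
    ({"subject": "Re: presentation",
      "body": "Thanks, the slides look good. See you at the conference.",
      "attachment": "slides.ppt"}, "clean"),
    ({"subject": "Weekend plans", "body": "Shall we go walking on Saturday if the weather holds?",
      "attachment": None}, "clean"),
]

TEST = [
    ({"subject": "Your account", "body": "See the attached details",
      "attachment": "details.scr"}, "malware"),
    ({"subject": "Lunch tomorrow?", "body": "Usual place at one?", "attachment": None}, "clean"),
    ({"subject": "Delivery failure", "body": "Your message was not delivered. Details attached.",
      "attachment": "report.zip"}, "malware"),
    ({"subject": "Re: meeting", "body": "Thanks for the notes, see you Friday.",
      "attachment": "agenda.pdf"}, "clean"),
]


def trained_filter() -> BayesMalwareFilter:
    flt = BayesMalwareFilter()
    for msg, label in TRAIN:
        flt.train(msg, label)
    return flt


if __name__ == "__main__":
    flt = trained_filter()
    for msg, label in TEST:
        print(f"{label:8} p(malware)={flt.p_malware(msg):.3f} {msg['subject']!r}")
    print("detection rate:", detection_rate(flt, TEST))   # 1.0 on this toy set
```

With eight training messages the result is driven by a few strong tokens (‘your’, ‘details’, the risky-extension flag), which is exactly why the text notes that attackers moved to links and to disguised downloaders: a classifier trained on attachment-borne worms has nothing to score once the attachment is gone.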

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 208,517 [as at the end of August 2006]. That’s a growth of 39,710 new malware strains and/or variants in the last eight months.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in August 2006.

Conclusions:
Malware slowed again during August; however spam and phishing scams have shown a further increase, with only 419 scams showing a small drop in numbers. The growth in malware, including spyware, which uses rootkit [cloaking/stealth] techniques is becoming a major problem, and corporations need to address this now, before it gets completely out of control with widespread infestations throughout their infrastructure.

It is also clear that cyber-criminals are increasingly using Trojans as their preferred attack tool, rather than viruses. It also seems that phishers are increasingly looking at using malware to enable them to steal personal data as well as other technologies that may help them to fool their victims.

Spammers are increasingly moving to graphical spam, as it is harder for anti-spam tools to identify without the use of OCR technologies. Not only are they moving to graphical spam, but to defeat simple filtering based on hashing or check-summing of images they are producing graphics that contain random micro-dots, so that every copy of the image has a different checksum and this type of filtering is side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. I will cover both of these developments in September’s malware review, which I’m writing right now, and should be posted here by the end of the week.
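As an added illustration of the micro-dot point above (example code, not from the original post or any tool the author describes): an exact digest of an image changes as soon as a single pixel differs, whereas a coarse perceptual hash, here a simple 64-bit average hash computed over 8x8 downsampled blocks, is barely affected by a few scattered dots, so two variants of the same spam image can still be matched. The image data, its size, the `make_spam_image` and `add_micro_dots` helpers and the Hamming threshold are all constructed assumptions for this demonstration; the images are plain 2-D lists of grey values so the code needs no imaging library.

```python
"""Added example: exact hashing vs. a perceptual (average) hash on an image
that has been varied with random single-pixel 'micro-dots'.

The image, its dimensions and the noise model are constructed for this
demonstration and are not taken from the original post.
"""
import hashlib
import random

WIDTH, HEIGHT = 64, 32   # constructed image size (assumption)


def make_spam_image():
    """Constructed stand-in for a rendered spam image: a light background
    with a dark band of crude 'glyphs' across the middle."""
    img = [[235] * WIDTH for _ in range(HEIGHT)]
    for y in range(12, 20):
        for x in range(4, WIDTH - 4):
            img[y][x] = 30 if (x // 3 + y) % 2 == 0 else 60
    return img


def add_micro_dots(img, count=40, seed=1):
    """Return a copy with `count` randomly placed single-pixel dots, i.e. the
    per-copy variation described in the post. Used here only as test input
    so that the filter's behaviour on such variants can be checked."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(count):
        x, y = rng.randrange(WIDTH), rng.randrange(HEIGHT)
        out[y][x] = 0 if out[y][x] > 127 else 255
    return out


def exact_digest(img):
    """SHA-256 over the raw pixel bytes: the 'hashing/check-summing' approach
    that a single changed pixel is enough to defeat."""
    data = bytes(v for row in img for v in row)
    return hashlib.sha256(data).hexdigest()


def average_hash(img, grid=8):
    """64-bit average hash: downsample to grid x grid by block mean, then set
    one bit per block according to whether it is brighter than the overall
    mean. Scattered dots barely move a block mean, so the bits are stable."""
    h, w = len(img), len(img[0])
    bh, bw = h // grid, w // grid
    blocks = []
    for gy in range(grid):
        for gx in range(grid):
            total = 0
            for y in range(gy * bh, (gy + 1) * bh):
                for x in range(gx * bw, (gx + 1) * bw):
                    total += img[y][x]
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for b in blocks:
        bits = (bits << 1) | (1 if b > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def same_image_family(a, b, threshold=6):
    """Perceptual match: two images are treated as variants of the same
    picture when their average hashes differ in at most `threshold` bits
    (the threshold is an assumption chosen for this demonstration)."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


def compare(original, variant):
    """Summarise how the two approaches see an original and its dotted copy."""
    return {
        "exact_match": exact_digest(original) == exact_digest(variant),
        "ahash_distance": hamming(average_hash(original), average_hash(variant)),
        "perceptual_match": same_image_family(original, variant),
    }


if __name__ == "__main__":
    base = make_spam_image()
    noisy = add_micro_dots(base)
    print(compare(base, noisy))
```

Running it shows `exact_match` False (the digest no longer matches) while `perceptual_match` is True with a Hamming distance of zero or close to it. A production filter would use a more robust perceptual hash and compare against a corpus, but the principle is the same: match on what the picture looks like, not on its exact bytes.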

Links:



Friday 20th October, 2006


Do People Ever Learn From History?

Filed under: All, Malware

When I guest lecture at a University, give a presentation to customers, or at conferences I often mention the need to understand what has already happened in the field of malware and anti-malware to understand what has or has not worked in the past.

I often state: “Why is it that many people never use history as a tool to stop them, or others [their organisation, society, nation, and so on], from repeating the same mistakes that have already been made at least once, and sometimes, many times over?”

At this point, I often get quizzical looks from between 10 and 50 percent of the audience; it seems that they don’t get it.

When I get to ‘Trojan Horses’ I quickly cover the pertinent facts of how the Greeks finally took the city of Troy, and then you can see the same people, who possibly thought I was mad or slightly deranged, suddenly get it…

Modern ‘Trojan Horses’ are not large wooden sculptures, or lawn ornaments, but computer programs that claim to do one thing [something useful or wanted], but when run do something the user is not expecting, such as lowering or removing your digital defences [Anti-Virus, Personal firewall, anti-spyware], stealing data, deleting files, installing other malware, and so on… Effectively raping and pillaging your computer or network.

Just like the people of Troy, users of computers are inviting in something that will lead to their defences being breached [or at least their computers]. Hence the saying, “Beware Greeks Bearing Gifts”, or in the case of the digital world, “Beware ‘Geeks’ Bearing Gifts”.

So, what would happen if someone made a replica wooden ‘Trojan Horse’, complete with a cargo of Greek soldiers inside it, and tried to get it into secure sites, or even somewhere that should know better, because of history?

Well, someone did just this, and the hilarious results can be seen in the video that can be found here: http://dotfuturemanifesto.blogspot.com/2006/10/move-showing-dangers-of-trojan-horse.html

What does this have to do with what we are seeing now in the malware scene? Well, we have seen a massive move from viruses and worms [back] to Trojan Horses as the preferred way to package malware. Why? Because most malware authors know that the easiest way to bypass the defences is to get the person using the keyboard and mouse to invite their malware in using social engineering techniques, just like the Greeks did to the people of Troy!

Also, my recent paper on ‘rootkits’ covers the situation where lots of Windows malware is now using so-called ‘rootkit’ techniques*, but in most cases these malware are actually using ‘stealth’ techniques to hide their presence from the operating system, and ALL applications that run on it, including anti-virus, personal firewalls and anti-spyware tools. Stealth techniques have been in malware since the Brain virus first showed up in 1986, yes, two decades ago! Talk about re-inventing the wheel!

So, next time remember that history is useful; it can stop people from repeating the same mistakes over and over again… Well, I can hope, can’t I?

[*] For the pedantic readers out there, you know who you are! ;-) Yes, I know there are real rootkits, this is also covered in my paper.



Wednesday 18th October, 2006


Rootkits: Risk, Issues and Prevention - Paper Now Available!

Filed under: All, Malware, Papers, Tools, Stats

No, I haven’t fallen off the edge of the world, been kidnapped by aliens, or been hibernating. I’ve been preparing for the Virus Bulletin 2006 conference which was held last week in Montreal, Canada. Before that I was in France for 4 days at a customer site, and I have also been updating a presentation for a guest lecture that I will give tomorrow at the University of Warwick, so I’ve been busy creating and giving presentations. Oh, and that’s on top of my ‘usual’ workload.

I will post a review of the conference in a week or so, covering my own personal thoughts on the conference and the content. This will include my thoughts on some of the presentations I attended on both the technical and corporate streams.

So, now the conference is over, I can make the paper I presented available to anyone that wants a copy.

Here’s the abstract that I submitted, and was selected back in March:

Rootkits have been around almost since the start of computing, however over the last two years the threat has changed; no longer is it just a *NIX [Unix/Linux] problem, corporate and academic computers running Microsoft Windows are now an increasing target. We are now at a tipping point; rootkits are no longer a minor annoyance or threat, they are starting to become a major cause for concern.

Many corporate security staff have a rather vague understanding of rootkits, not just what they are, but how they work. Furthermore many have little understanding of the risks to their company or their own home computer.

This paper will explain what rootkits are and how they work. It will also discuss ways to combat them using methods that range from simple security methodologies through to technical solutions.

The full paper [in Adobe Acrobat format (PDF)] can be found here: http://arachnid.homeip.net/papers*

All feedback, comments, flames, suggestions, etc. are most welcome.

Normal service will be resumed as soon as I’ve caught up with the backlog of work I have piling up around me. So, if you see a news article saying: “A computer geek was found today buried under piles of work… he was finally extracted, alive, by teams of rescuers digging him out 48 hours after they were alerted to the disaster…” then you know it was probably me. ;-)

[*] All my other conference papers and magazine articles I’ve written can also be found there.

