MoMusings

Monday 23rd October, 2006


August 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

Finally, here is the Monthly Malware Review for August 2006, better late than never? OK, I own up, I wrote it and then forgot to post it here, happy now? ;-)

August has come and you can feel the start of autumn in the air in the evenings and mornings. On the malware front it has been an interesting month, with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all of their data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 948 samples during August, which have been catalogued as 40 distinct families and variants. In comparison during July I captured 1358 samples which were catalogued as 42 distinct families/variants. As you can see the captures in August have fallen to the lowest since I started to record the samples I captured.

During August I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this slowdown is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend, which started as a trickle at the start of the year, is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During August I reported 74 new phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar, which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during August. Its percentage jumped from 71 percent in July to 72 percent in August. It seems very intent on keeping pole position for itself.

Netsky.P jumped up from last month's third place to second, replacing the Mytob variant that held it in July.

The Mytobs lost even more ground during August, completely dropping out of the chart.

The share-crawling worms increased their position from July gaining an extra slice of the pie, up from six to seven. The Opaserv family also increased its hold on the top ten accounting for six of the seven places taken by share-crawling worms and bots.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During August it fell two places to seventh.

We have a new entry this month, known as W32/Virtool.GL [Frisk]. This jumped into the chart in sixth place and is a collection of malware which uses social engineering to get users to download the malware from a website and infect their computer; in other words, these are Trojans, not viruses or worms. This underlines the move by the malware authors back towards using Trojans as their preferred malware type.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply, my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen the Mytob family once more grab six places out of the top ten; this is the same number it managed in June and July, up from five in May.

In pole position we still have Mytob.c, which was also number one for the last five months. Lovegate.w moves up one place from fifth to fourth place. Nyxem.E, which was a new entry in June's chart, has consolidated its hold on second place. Netsky.b likewise retains the third slot it grabbed in July, and is joined by another member of its family, Netsky.y, in eighth place, which also featured in July's chart. The rest of the chart is made up of Mytob variants [u, q, w, t, and cg] in fifth, sixth, seventh, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot, which it lost in March and grabbed back in April. Zafi.b slips three places from sixth place to ninth. Nyxem.D [aka MyWife] has consolidated its place in fourth. Mytob.AS consolidates its second place in the top ten; it stormed up the chart from fourth spot in June. Mytob.FO slips from ninth to tenth and we see two other Mytob family members appear back in the top 10, these being C and E in sixth and seventh place respectively. Another Netsky [D] jumps from seventh place to fifth. We have only one member of the Mydoom family in the top ten this month, down from two in July; this being Mydoom.O, which slips from fifth to eighth spot. To complete this month's top ten we have W32.Bagle-Zip, a new entry in June's chart, which consolidates the third place it grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has climbed from 71 percent in July to over 72 percent in August. Mytob has disappeared from the chart altogether in August. Opaserv has consolidated its grip on second place. Netsky is up one place from fourth to third. Mydoom consolidates the fifth place it managed to grab in July. Dupator is also static in eighth spot. New entries W32.VirTool, W32.Downloader, IRC Generic Flooder and Trojan.Downloader.Win32.Banload come in at fourth, sixth, seventh and tenth places respectively. Funlove has fallen out of the top ten this month.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of August] here. This clearly shows that August was the slowest month since I started to collate data on e-mail borne malware, even worse than July.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 208,517 [as at the end of August 2006]. That's a growth of 39,710 new malware strains and/or variants in the last eight months.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in August 2006.

Conclusions:
Malware slowed again during August; however, spam and phishing scams have shown a further increase, with only 419 scams showing a small drop in numbers. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques, is becoming a major problem, and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

It is also clear that cyber-criminals are increasingly using Trojans as their preferred attack tool, rather than viruses. It also seems that phishers are increasingly looking at using malware to enable them to steal personal data as well as other technologies that may help them to fool their victims.

Spammers are increasingly moving to graphical spam, as it is harder for anti-spam tools to identify without the use of OCR technologies. Not only are they moving to graphical spam, but to stop simple filtering based on hashing or check-summing of images they are producing graphics that contain random micro-dots; a single changed pixel gives the image a different hash, so every copy looks unique to such a filter and the filtering is side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. I will cover both of these developments in September's malware review, which I'm writing right now, and should be posted here by the end of the week.
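To make the micro-dot point concrete, here is an added example (my own illustration, not code from this blog or from the WormCharmer/Bayesian filter projects). It builds a small constructed grayscale image standing in for a rendered spam graphic, sprinkles a few random near-invisible dots over it the way the spammers do, and shows that an exact hash (SHA-256 over the pixel bytes) changes on every copy while a simple perceptual hash (an 8x8 block-mean "average hash", which the post does not mention and I add here as one response to the problem) still matches. The image, the dot count and the Hamming-distance threshold are all assumptions chosen for the demonstration.

```python
import hashlib
import random

W = H = 32  # constructed image: 32x32 grayscale, pixel values 0-255


def make_base_image():
    """Constructed stand-in for a rendered spam image: one dark 'text line'
    across a light background. This is NOT a real spam sample."""
    img = [[240] * W for _ in range(H)]
    for y in range(12, 20):
        for x in range(4, 28):
            img[y][x] = 20
    return img


def add_micro_dots(img, n, seed):
    """Darken n randomly chosen pixels by a small amount, mimicking the
    random micro-dots spammers add so that every copy differs byte-for-byte."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n):
        x, y = rng.randrange(W), rng.randrange(H)
        out[y][x] = max(0, out[y][x] - 30)  # barely visible to a human
    return out


def sha256_hex(img):
    """Exact hash over the raw pixel bytes: what a checksum-based filter keys on."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def average_hash(img, size=8):
    """aHash: shrink to size x size by block mean, then set one bit per cell
    according to whether the cell is brighter than the global mean."""
    bh, bw = H // size, W // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [img[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | (1 if c > mean else 0)
    return bits  # 64-bit fingerprint


def hamming(a, b):
    return bin(a ^ b).count("1")


def exact_match(img_a, img_b):
    return sha256_hex(img_a) == sha256_hex(img_b)


def fuzzy_match(img_a, img_b, max_distance=5):
    """Assumed threshold: up to 5 differing bits still counts as 'same image'."""
    return hamming(average_hash(img_a), average_hash(img_b)) <= max_distance


def demo():
    base = make_base_image()
    copy1 = add_micro_dots(base, n=8, seed=1)  # two 'unique' spam copies
    copy2 = add_micro_dots(base, n=8, seed=2)
    return {
        "exact_base_vs_copy1": exact_match(base, copy1),    # False: hash filter misses
        "exact_copy1_vs_copy2": exact_match(copy1, copy2),  # False: each copy unique
        "fuzzy_base_vs_copy1": fuzzy_match(base, copy1),    # True: still the same picture
        "fuzzy_copy1_vs_copy2": fuzzy_match(copy1, copy2),  # True
        "ahash_distance": hamming(average_hash(base), average_hash(copy1)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The dots shift a few 4x4 block means by a couple of grey levels, nowhere near enough to flip a cell across the global mean, so the aHash distance here is 0 while every SHA-256 differs. The trade-off is the one spammers would attack next: a perceptual hash with a non-zero threshold accepts some variation, so the threshold has to be tuned against legitimate images to keep false positives down.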

Links:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home.
ALL future postings will only be available at the new site.
