MoMusings

Monday 30th October, 2006


September 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

Following hot on the heels of the August Malware Review, here is the Monthly Malware Review for September 2006, just in time for me to think about starting the process all over again for the October Malware Review!

September has come and it has been a very busy month for me, writing and updating a number of presentations, one for the Virus Bulletin conference, one for the University of Warwick and one for a customer visit. This is on top of my usual work! On the malware front it has been an interesting month with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 1226 samples during September, which have been catalogued as 43 distinct families and variants. In comparison during August I captured 948 samples which were catalogued as 40 distinct families/variants. As you can see the captures in September are back up, a bit.

During September I captured and submitted just 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During September I reported 85 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during September. However, its percentage dropped from 72 percent in August to only 57 percent in September. Even allowing for this drop it seems very intent in keeping pole position for itself.

The Mytobs are back. In August they completely dropped out of the chart, but one member of the family has managed to storm back into the chart in September, grabbing second place.

This reappearance of Mytob knocked Netsky.P from last month's second place back to third. Another member of the Netsky family [Netsky.c] came into September's chart in fourth place.

Interestingly, the share-crawling worms suffered a decrease in their numbers; down from seven of the ten slots in August to just four in September.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During September it fell down the chart again, to eighth.

We have two new entries this month, known as IRC.Flood.b and ev [McAfee]. These jumped into the chart in fifth and sixth places respectively. These IRC flooders are included as part of a multi-component self-extracting archive [using RAR]. These are commonly being disguised as links to ‘e-cards’. However, when the link is clicked on and the alleged ‘e-card’ is launched, instead of seeing an electronic greeting card, the downloaded file un-archives the files contained inside it and installs a number of malware components, including bot components, rootkit files and IRC flooders. This underlines the move by the malware authors back towards using Trojans as their preferred malware type.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] this month has seen the Mytob family once more grab four places out of the top ten. This is down from six in August.

In pole position we still have Mytob.c, which was also number one for the last six months. Lovegate.w moves up one place from fourth to third place. Nyxem.E, which was a new entry in June's chart, has consolidated its hold on second place. Netsky.b drops from the third slot it grabbed in July and August to fifth, and is joined by another member of its family, Netsky.t, in ninth place.

We have two new entries in September, both from the Scano family. Both of these [gen and aq in fourth and eighth respectively] arrive attached to a spammed e-mail message; the attachment is the virus. Scano does not spread on its own.

The rest of the chart is made up of Mytob variants [t, u, and w] in sixth, seventh and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot, which it lost in March and grabbed back in April. Zafi.b slides back up one place from ninth to eighth. Nyxem.D [aka MyWife] has further consolidated its place in fourth. Mytob.AS has further consolidated its second place in the top ten; it stormed up the chart from fourth spot in June, and we see two other Mytob family members appear in the top 10, these being E and C in sixth and seventh place respectively. Another Netsky [D] consolidates its hold on fifth place. We have two members of the Mydoom family in the top ten again this month, these being Mydoom.O, which slips from eighth to ninth spot, and Mydoom.AJ, which just gets in to the chart in tenth. To complete this month’s top ten we have W32.Bagle-Zip, which was a new entry in June’s chart and which consolidates the third place it grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has finally dropped from 72 percent in August to just 57 percent in September. Mytob is back in the chart at third place after disappearing altogether from the chart in August. Operserv has further consolidated its grip on second place. Netsky is down one place from third to fourth. Mydoom slips from the fifth place it managed to grab in July and August to sixth. Dupator is static in eighth spot. IRC Generic Flooder slips from fourth to seventh. New entries IRC Flood and Warezov come in at fifth and tenth places respectively. Kapser aka Mywife.D has re-entered the top ten this month in ninth place.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of September] here. This clearly shows that September was the busiest month since June. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 213,407 [as at the end of August 2006]. That’s a growth of 48,616 new malware strains and/or variants so far this year. We could see over 60,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in September 2006.

Conclusions:
Malware picked up slightly in September, along with spam; however, both 419 and phishing scams have shown a small drop in numbers. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques, is becoming a major problem and corporations need to address this now, before it gets completely out of control with widespread infestations throughout their infrastructure.

Rootkits will be covered in more depth in next month's report, including a link to a paper I will present at the Virus Bulletin 2006 conference in October.

As shown elsewhere in this report, spammers are increasingly moving to using graphical spam, as it is harder for anti-spam tools to identify without the use of OCR technologies. Not only are they moving to graphical spam, but to stop simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots; this ensures that this type of filtering is side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. The latest trick is to use PNG files instead of GIFs.
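The micro-dot trick defeats byte-exact check-summing because a single flipped pixel changes the digest, whereas a block-averaged perceptual hash barely moves. The Python below is an added example, not code from this post or from my own filtering tools; it works on a constructed 64x64 grayscale grid, and `make_base_image`, `add_micro_dots`, `average_hash` and `compare` are names chosen for the illustration.

```python
import hashlib
import random

# Constructed 64x64 grayscale "image" (0..255 ints): a dark text-like block on white.
# A real image would come from a decoder; the grid stands in for its pixel data.
W, H = 64, 64

def make_base_image():
    img = [[255] * W for _ in range(H)]
    for y in range(20, 44):
        for x in range(8, 56):
            img[y][x] = 0
    return img

def add_micro_dots(img, n_dots, seed):
    """Copy of img with n_dots random pixels inverted: the spammer's micro-dot noise."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n_dots):
        x, y = rng.randrange(W), rng.randrange(H)
        out[y][x] = 255 - out[y][x]
    return out

def exact_hash(img):
    """Byte-exact digest: the hashing/check-summing the post says is side-stepped."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()

def average_hash(img, size=8):
    """Downscale to size x size by block averaging, then set one bit per block that is
    darker than the global mean. A handful of flipped pixels cannot move a 64-pixel
    block average by more than a few units, so the bits stay put."""
    bh, bw = H // size, W // size
    blocks = []
    for by in range(size):
        for bx in range(size):
            total = sum(img[y][x] for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bh * bw))
    mean = sum(blocks) / len(blocks)
    return sum(1 << i for i, b in enumerate(blocks) if b < mean)

def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return bin(a ^ b).count("1")

def compare(n_dots=40, seed=1):
    """Exact hashing fails to match the noisy copy; the perceptual hash still does."""
    base = make_base_image()
    noisy = add_micro_dots(base, n_dots, seed)
    return {"exact_match": exact_hash(base) == exact_hash(noisy),
            "ahash_distance": hamming(average_hash(base), average_hash(noisy))}
```

A filter would treat a small Hamming distance (a few bits out of 64) as the same image, so the randomised copies still collapse onto one known-spam hash.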

Links:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.
