MoMusings

Wednesday 20th December, 2006


November 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

As I didn’t get chance to post this last week, I decided to do it now, even though I’m on holiday…

November has come and gone and yet again it has been another very busy month for me; winter still hasn’t really arrived in the UK yet. Some farmers are still picking soft fruit as at the start of December, which is normally all over by the end of October at the very latest. On the malware and related security threats front it has been an interesting month with lots of phishing going on.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 4 years, Malware Bayesian Filter 3 years.

In total I captured 1280 samples during November, which have been catalogued as 51 distinct families and variants. In comparison, during October I captured 886 samples which were catalogued as 53 distinct families/variants. As you can see, the captures in November are up on both October and even September.

During November I captured and submitted just 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

Although November was significantly up on October, the general trend is still downwards. The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During November I reported over 3,300 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained the pole position during November. Unlike October, where it lost ground, its percentage has increased from 40.5 percent in October to over 75 percent in November. Yet again, Tenga.3666 seems very intent in keeping pole position for itself.

The Mytobs have once more completely dropped out of the chart, after making a short lived re-appearance in October.

This disappearance of Mytob from October’s chart has allowed Netsky.P [aka Netsky.q] to regain the second place spot it gained in August. Another member of the Netsky family [Netsky.d] came into November’s chart in seventh place.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September have managed to halt this decline. They still account for four of the ten places in November. The four are: Tenga.3666 in pole, Opaserv.worm.ae in eighth, Opaserv.worm.ai in ninth and Opaserv.worm.ac in tenth.
Like the Mytobs, the Mydoom variants have completely dropped out of the top ten during November.

We have four new entries in November’s chart, these being three variants of the Warezov family [fb, fh and ev], in third, fourth and fifth spots respectively, and Mechbot.d, into the top ten at sixth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], November has seen the Mytob family make a modest comeback after completely disappearing from the top ten in October. The variants that managed to claw their way back into the top ten are: Mytob.c and Mytob.t, in sixth and tenth respectively.

Octobers pole position holder, Netsky.q, has slipped down to seventh and is joined by two other family members, these being: Netsky.t, in fourth and Netsky.aa in ninth place.

Pole position in November has been stormed by Warezov.gj, which is a new entry and this is joined by Warezov.ev in the runner-up spot [second], up from the fifth place it acquired in October when it entered the chart.

Nyxem.E is a re-entry in third place, back in after dropping out of the top ten in October.

Scano.gen drops from fourth to fifth, and the final member of the top ten is Zafi.b, back in at eighth place.

There are no Bagles or Mydoom family members in November’s chart.

In the SOPHOS chart we see a different pattern; Netsky.p has slipped from pole in October to second spot in November. Its pole position has been stolen by W32/Stratio-Zip [aka Warezov], which was a new entry in October’s chart.

Zafi.b has made a significant climb up the chart in November from eighth up to fourth place and is joined by another member of the family, Zafi.D, in tenth. Nyxem.D [aka MyWife] has also climbed back up the chart from ninth to sixth place.

Only one member of the Mytob family has managed to stay in the top ten in November, this being Mytob.C dropping from sixth to eighth place. Netsky [D] has further consolidated its hold on fifth place.

Mydoom has made a re-entry, in this case it is Mydoom.O back in at seventh.

There is only one new entry in November’s chart, this being W32/Sality.AA.

To complete this month’s top ten we have W32.Bagle-Zip which was a new entry in June’s chart, climbing back up the chart to third place which it originally grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has bounced back from its fall to just 40.5 percent in October, back up to account for over 75 percent of the November pie. Mytob has once more dropped out of the chart after making a brief appearance in October’s chart. Opaserv has regained the second place which it lost in October, where it was in third spot. Netsky has further consolidated its hold on fourth. Mydoom also makes it back into November’s chart, in eighth place, after dropping out of the top ten in October. Dupator is up one space from seventh to sixth place.

Warezov jumps from fifth place up to third in November’s chart and is making its presence felt as part of the reason for the massive increase in spam we are all seeing.

Bagle slips down the chart from sixth to seventh and Downloader slips from eighth to tenth place.

New entries include Mechbot and Small, in at fifth and ninth places respectively.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of November] here. This clearly shows that November was significantly down from September’s relative high. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 220,091 [as at the end of November 2006]. That’s a growth of 51,284 new malware strains and/or variants so far this year. We could see over 55,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in October 2006.

Conclusions:
Spam appeared to drop during November, with both 419s and Phishing scams recovering slightly from their fall in October. Malware [via e-mail] also continued to drop during November. However, the amount of ‘personal’ mail to my ‘personal’ mail server rose by over 10,000 during the same period. Could this rise be skewing the figures?

Spammers are still increasing their use of graphics-based spam, which is harder for anti-spam tools to identify without the use of OCR or other technologies. Not only are they moving to graphical spam but, to defeat simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots, colour maps and other graphical artefacts, such as geometric shapes and random borders.
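To show why the micro-dot trick beats exact hashing and what a filter can do about it, here is an added example (my own illustration, not code from the original post or from any filtering product). It builds a constructed 64x64 greyscale image as a plain list of rows, sprinkles a few random-valued pixels into it the way image spam does, and compares two fingerprints: a SHA-256 over the raw pixel bytes, which changes on any single pixel, and a simple 64-bit "average hash" (each 8x8 block compared against the image mean), which only encodes coarse structure and so survives the noise. The image content, dot count and seed are all assumptions for the demonstration.

```python
import hashlib
import random

WIDTH = HEIGHT = 64  # constructed image size for the demo


def make_base_image():
    """Constructed sample image: left half black, right half white,
    with a black bar across rows 24..39 of the white half."""
    img = []
    for y in range(HEIGHT):
        row = []
        for x in range(WIDTH):
            if x < 32:
                row.append(0)
            elif 24 <= y < 40:
                row.append(0)
            else:
                row.append(255)
        img.append(row)
    return img


def add_micro_dots(img, n_dots, seed=20061220):
    """Return a copy with n_dots random pixels set to random mid-grey values
    (1..254, so every dot is guaranteed to change a black or white pixel).
    This imitates the random micro-dots spammers add to each sent copy."""
    rng = random.Random(seed)
    noisy = [row[:] for row in img]
    for _ in range(n_dots):
        x, y = rng.randrange(WIDTH), rng.randrange(HEIGHT)
        noisy[y][x] = rng.randint(1, 254)
    return noisy


def exact_hash(img):
    """Byte-exact fingerprint: changes if any single pixel changes."""
    data = bytes(v for row in img for v in row)
    return hashlib.sha256(data).hexdigest()


def average_hash(img, size=8):
    """64-bit perceptual fingerprint: downsample to size x size by block
    averaging, then set one bit per block that is brighter than the mean."""
    bw, bh = WIDTH // size, HEIGHT // size
    blocks = []
    for by in range(size):
        for bx in range(size):
            total = sum(img[y][x]
                        for y in range(by * bh, (by + 1) * bh)
                        for x in range(bx * bw, (bx + 1) * bw))
            blocks.append(total / (bw * bh))
    mean = sum(blocks) / len(blocks)
    bits = 0
    for v in blocks:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two average hashes."""
    return bin(a ^ b).count("1")


def compare(n_dots=20):
    """Fingerprint the clean image, a micro-dotted copy and an inverted
    (genuinely different) image, and report how each fingerprint behaves."""
    base = make_base_image()
    dotted = add_micro_dots(base, n_dots)
    inverted = [[255 - v for v in row] for row in base]
    return {
        "exact_hash_survives_dots": exact_hash(base) == exact_hash(dotted),
        "ahash_distance_to_dotted": hamming(average_hash(base), average_hash(dotted)),
        "ahash_distance_to_inverted": hamming(average_hash(base), average_hash(inverted)),
    }


if __name__ == "__main__":
    print(compare())
```

With 20 dots in a 4096-pixel image no 8x8 block can move far enough to cross the mean, so the average hash is identical while the SHA-256 differs; the inverted image, by contrast, flips every bit. A filter that keys on a perceptual hash with a small Hamming threshold therefore keeps matching a campaign across its randomised copies, at the cost of needing a threshold tuned to avoid collisions between unrelated simple images.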

Links:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Friday 15th December, 2006


‘Tis The Season To Be …

Filed under: All, Scams, Spam

Scammed, Spammed, or Both at the same time.

As it is the season for giving gifts and thinking of others less fortunate than ourselves, I was somewhat surprised when I received the following email:

However, I was even more surprised, when I looked at the e-mail in more depth, and the resulting website being linked to in the e-mail.

First off, the e-mail body was a graphic, not ASCII text. This immediately set off alarm bells in my mind, as this is the most widespread trick being used by spammers, especially those that send out spam using botnets.

Secondly, I was receiving dozens of copies of the e-mail, but they all had different forged From addresses and subject lines, another sure sign that it is either the work of a spammer, scammer or malware.
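The two tell-tale signs above (an image-only body, and many copies with the same image but different forged From addresses and subjects) can be turned into a simple campaign detector. The following is an added example of my own, not code from the original post: it builds a handful of constructed MIME messages with Python's standard `email` package, then groups them by the SHA-256 of each image part and flags any group that spans several distinct senders and never carries a text body. The addresses, subjects and image bytes are all made up for the demo.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the spam graphic (not a real GIF, just bytes).
SPAM_IMAGE = b"GIF89a" + bytes(range(60))
# A different constructed image used by a legitimate newsletter.
NEWSLETTER_IMAGE = b"GIF89a" + bytes(range(60, 120))


def make_message(sender, subject, image_bytes, text=None):
    """Build a raw RFC 5322 message. With text=None the image is the whole
    body (image-only spam); otherwise the image is attached to a text body."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    if text is None:
        msg.set_content(image_bytes, maintype="image", subtype="gif")
    else:
        msg.set_content(text)
        msg.add_attachment(image_bytes, maintype="image", subtype="gif",
                           filename="picture.gif")
    return msg.as_bytes()


def fingerprint(raw):
    """Return (sender, subject, has_text_body, [image digests]) for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_text = False
    digests = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content().strip():
            has_text = True
        elif part.get_content_maintype() == "image":
            digests.append(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
    return msg["From"], msg["Subject"], has_text, digests


def find_image_campaigns(raw_messages, min_senders=3):
    """Group messages by image digest; flag groups seen from at least
    min_senders distinct From addresses where every copy was image-only."""
    clusters = {}
    for raw in raw_messages:
        sender, subject, has_text, digests = fingerprint(raw)
        for d in digests:
            c = clusters.setdefault(d, {"digest": d, "messages": 0, "senders": set(),
                                        "subjects": set(), "image_only": True})
            c["messages"] += 1
            c["senders"].add(sender)
            c["subjects"].add(subject)
            c["image_only"] = c["image_only"] and not has_text
    return [c for c in clusters.values()
            if c["image_only"] and len(c["senders"]) >= min_senders]


def run_demo():
    """Constructed mailbox: four copies of the charity scam with forged
    senders and subjects, plus two legitimate newsletters from one sender."""
    forged = [
        ("Mary Jones <mary.jones@example.invalid>", "Help the children this Christmas"),
        ("Peter Brown <pbrown@example.invalid>", "A gift that matters"),
        ("Anna White <anna.w@example.invalid>", "Re: your donation"),
        ("Tom Green <tgreen@example.invalid>", "Season of giving"),
    ]
    mailbox = [make_message(s, subj, SPAM_IMAGE) for s, subj in forged]
    mailbox.append(make_message("Newsletter <news@example.invalid>", "December issue",
                                NEWSLETTER_IMAGE, text="Here is this month's newsletter."))
    mailbox.append(make_message("Newsletter <news@example.invalid>", "January issue",
                                NEWSLETTER_IMAGE, text="Happy new year from the team."))
    return find_image_campaigns(mailbox)


if __name__ == "__main__":
    for c in run_demo():
        print(c["digest"][:16], c["messages"], "copies from",
              len(c["senders"]), "senders,", len(c["subjects"]), "subjects")
```

Only the image-only cluster with four distinct forged senders is reported; the newsletter shares an image across two messages but has a text body and a single sender, so it is left alone. On a real mail server the same grouping would run over the images of all inbound mail for a window of time, and the digest could be swapped for a perceptual hash if the spammer randomises each copy of the graphic.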

If you went to the site [which is now down], this is what you would have seen:

Very slick, very professional…Of course what they have done is merge the content of two other ‘real’ sites to make this ‘fake’ one.

Even the donation button goes to a ‘real’ payments handling service, who I’m sure had no idea that this was to be used to con people; getting them to part with their money by using a despicable social engineering trick; that of sick children who need help.

Talking of spam, I seem to remember that at the start of 2004, Bill Gates said that the spam problem would be solved within two years…Guess again Bill!

Jan. 24, 2004, Gates told a group at the World Economic Forum that “two years from now, spam will be solved.”

The spam problem will only be solved when two things happen:

  1. People stop buying products being offered via spam.
  2. The companies that use spammers to hawk their wares are prosecuted, fined or taken to court. Or are made to pay in some other way.

Anyone got any other suggestions what we should do to the spammers? I was thinking along the lines of cruel and unusual punishments, such as getting them to read every spam e-mail sent out by them over a year out loud, whilst being physically spammed, with real ‘SPAM’ ;-)

Don’t even ask what I’d like to happen to the scammers…

To all of you out there that are not spammers, scammers, malware authors, cyber-criminals [or normal criminals too] I would like to wish you a very Happy Christmas and a prosperous new year. If you don’t celebrate Christmas, then happy holidays.


