MoMusings

Monday 19th February, 2007


This Blog Has Moved - UPDATED

Filed under: All

IMPORTANT - UPDATED

Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/. A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog's new home. ALL future postings will only be available at the new site.

Apologies if this causes you any problems.

Wednesday 20th December, 2006


November 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

As I didn’t get chance to post this last week, I decided to do it now, even though I’m on holiday…

November has come and gone and yet again it has been another very busy month for me; winter still hasn't really arrived in the UK yet. Some farmers are still picking soft fruit as at the start of December, which is normally all over by the end of October at the very latest. On the malware and related security threats front it has been an interesting month, with lots of phishing going on.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 1280 samples during November, which have been catalogued as 51 distinct families and variants. In comparison, during October I captured 886 samples which were catalogued as 53 distinct families/variants. As you can see, the captures in November are up on both October and even September.

During November I captured and submitted just 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

Although November was significantly up on October, the general trend is still downwards. The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During November I reported over 3,300 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained the pole position during November. Unlike October, where it lost ground, its percentage has increased from 40.5 percent in October to over 75 percent in November. Yet again, Tenga.3666 seems very intent in keeping pole position for itself.

The Mytobs have once more completely dropped out of the chart, after making a short lived re-appearance in October.

This disappearance of Mytob from October's chart has allowed Netsky.P [aka Netsky.q] to regain the second place spot it gained in August. Another member of the Netsky family [Netsky.d] came into November's chart in seventh place.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September have managed to halt this decline. They still account for four of the ten places in November. The four are: Tenga.3666 in pole, Opaserv.worm.ae in eighth, Opaserv.worm.ai in ninth and Opaserv.worm.ac in tenth.
Like the Mytobs, the Mydoom variants have completely dropped out of the top ten during November.

We have four new entries in November's chart, these being three variants of the Warezov family [fb, fh and ev], in third, fourth and fifth spots respectively, and Mechbot.d into the top ten at sixth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], November has seen the Mytob family make a modest comeback, having completely disappeared from the top ten in October. The variants that managed to claw their way back into the top ten are Mytob.c and Mytob.t, in sixth and tenth respectively.

October's pole position holder, Netsky.q, has slipped down to seventh and is joined by two other family members, these being Netsky.t in fourth and Netsky.aa in ninth place.

Pole position in November has been stormed by Warezov.gj, which is a new entry and this is joined by Warezov.ev in the runner-up spot [second], up from the fifth place it acquired in October when it entered the chart.

Nyxem.E is a re-entry in third place, back in after dropping out of the top ten in October.

Scano.gen drops from fourth to fifth, and the final member of the top ten is Zafi.b, back in at eighth place.

There are no Bagles or Mydoom family members in November’s chart.

In the SOPHOS chart we see a different pattern; Netsky.p has slipped from pole in October to second spot in November. Its pole position has been stolen by W32/Stratio-Zip [aka Warezov], which was a new entry in October's chart.

Zafi.b has made a significant climb up the chart in November from eighth up to fourth place and is joined by another member of the family, Zafi.D, in tenth. Nyxem.D [aka MyWife] has also climbed back up the chart from ninth to sixth place.

Only one member of the Mytob family has managed to stay in the top ten in November, this being Mytob.C dropping from sixth to eighth place. Netsky [D] has further consolidated its hold on fifth place.

Mydoom has made a re-entry, in this case it is Mydoom.O back in at seven.

There is only one new entry in November’s chart, this being W32/Sality.AA.

To complete this month’s top ten we have W32.Bagle-Zip which was a new entry in June’s chart, climbing back up the chart to third place which it originally grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has bounced back from its fall to just 40.5 percent in October to account for over 75 percent of the November pie. Mytob has once more dropped out of the chart after making a brief appearance in October's chart. Opaserv has regained the second place which it lost in October, where it was in third spot. Netsky has further consolidated its hold on fourth. Mydoom also makes it back into November's chart, in eighth place, after dropping out of the top ten in October. Dupator is up one space from seventh to sixth place.

Warezov jumps from fifth place up to third in November’s chart and is making its presence felt as part of the reason for the massive increase in spam we are all seeing.

Bagle slips down the chart from sixth to seventh and Downloader slips from eighth to tenth place.

New entries include Mechbot and Small, in at fifth and ninth places respectively.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of November] here. This clearly shows that November was significantly down from September’s relative high. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 220,091 [as at the end of November 2006]. That’s a growth of 51,284 new malware strains and/or variants so far this year. We could see over 55,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in October 2006.

Conclusions:
Spam appeared to drop during November, with both 419s and Phishing scams recovering slightly from their fall in October. Malware [via e-mail] also continued to drop during November. However, the amount of ‘personal’ mail to my ‘personal’ mail server rose by over 10,000 during the same period. Could this rise be skewing the figures?

Spammers are still increasing their use of graphical based spam, which is harder for anti-spam tools to identify without the use of OCR or other technologies; not only are they moving to graphical spam but to stop simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots, colour maps and other graphical artefacts, such as geometric shapes and random borders.

Links:

Friday 15th December, 2006


‘Tis The Season To Be …

Filed under: All, Scams, Spam

Scammed, Spammed, or Both at the same time.

As it is the season for giving gifts and thinking of others less fortunate than ourselves, I was somewhat surprised when I received the following email:

However, I was even more surprised, when I looked at the e-mail in more depth, and the resulting website being linked to in the e-mail.

First off, the e-mail body was a graphic, not ASCII text. This immediately set off alarm bells in my mind, as this is the most widespread trick being used by spammers, especially those that send out spam using botnets.

Secondly, I was receiving dozens of copies of the e-mail, but they all had different forged From addresses and subject lines, another sure sign that it is the work of a spammer, scammer or malware.

If you went to the site [which is now down], this is what you would have seen:

Very slick, very professional… Of course, what they have done is merge the content of two other ‘real’ sites to make this ‘fake’ one.

Even the donation button goes to a ‘real’ payments handling service, who I’m sure had no idea that this was to be used to con people; getting them to part with their money by using a despicable social engineering trick; that of sick children who need help.

Talking of spam, I seem to remember that at the start of 2004, Bill Gates said that the spam problem would be solved within two years…Guess again Bill!

Jan. 24, 2004, Gates told a group at the World Economic Forum that “two years from now, spam will be solved.”

The spam problem will only be solved when two things happen:

  1. People stop buying products being offered via spam.
  2. The companies that use spammers to hawk their wares are prosecuted, fined or taken to court. Or are made to pay in some other way.

Anyone got any other suggestions for what we should do to the spammers? I was thinking along the lines of cruel and unusual punishments, such as getting them to read every spam e-mail sent out by them over a year out loud, whilst being physically spammed, with real ‘SPAM’ ;-)

Don’t even ask what I’d like to happen to the scammers…

To all of you out there that are not spammers, scammers, malware authors, cyber-criminals [or normal criminals too] I would like to wish you a very Happy Christmas and a prosperous new year. If you don’t celebrate Christmas, then happy holidays.

Wednesday 29th November, 2006


Fight Global Warming from your Computer

Filed under: All, Tools

Here's an article of a different nature: no malware, no spam, no scams or any of the other usual stuff I write about. This one's about us all making a difference…

Now, don’t get me wrong I’m not a tree hugger, an environmentalist or at the other end of the scale, an anarchist, I’m just an average ‘geek’ that uses too many computers for too many hours of the day. And to help with the guilt of my using all this power and the resulting impact on the environment, I did a little digging and found a little tool yesterday which could well make a massive difference to the amount of carbon and CO2 emissions that I am responsible for; no it doesn’t mean I have to stop being full of hot air, or even stop breathing….Although that probably might help ;-)

All of us that use computers, either for work or at home are guilty of leaving them running when we are not always actually using them; this generates significant waste and emissions. To help reduce this you can tweak the power settings on your computer to turn off the display after so many minutes and power down the hard disks when they are not in use. But, how many of us actually do that?

To help make this easier, a useful tool has been released which can help you to save energy and therefore reduce emissions such as CO2, and if enough of us do this we can make a significant impact. So, instead of being part of the problem, we can become part of the solution.

So, what is it?

It is simply a software tool that you install, and it looks a bit like one of those grid computing type of applications, such as Seti@home, BOINC, World Community Grid, etc. Here’s a picture of what it looks like when it is running:

So, instead of looking for alien signals you can actually do something that will help all of mankind, right here and right now.

I already have it installed on all my computers at home, and have already saved some energy, and I only installed it earlier today.

It is fully customisable, as you can see from these screenshots:

Imagine the impact if all large companies installed this on all their computers, as well as all home computer users! Not only would they save money [which the bean-counters/bill-payers would approve of], but they could also help to minimise the impact on the environment that their business and/or gaming, chatting, e-mailing or blogging makes too!

Go on you know it makes sense…

It is FREE and doesn’t contain any spyware or other malicious code. You can download it via this banner.

Tuesday 28th November, 2006


An Honest Spammer?

Filed under: All, Scams, Spam

Is this the first case of an honest spammer, or is it just a case of incredible cosmic irony? You decide…

Here is a screenshot of a typical ‘pump-and-dump’ scam spam e-mail spotted by my colleague Darren today:

A larger version can be found here.

As you can see it is a typical spam e-mail offering stocks that the spammers/scammers have bought and are trying to inflate before they dump them and make a profit, leaving all the other new investors out of pocket as a result of their actions.

However, that is not what is important in this case.

Did you notice the chunk of text below the ‘—’?

This is taken from news sites, so should be topical news at the time the spam e-mail is being created. This type of text is added to try and get the spam past anti-spam filters, but in most cases it doesn’t work. But, in this case the final news piece added is just so ironic, that you almost think it had to be added on purpose, just to raise a smile, if nothing else.

I have highlighted the pertinent section of the e-mail to make it clear which news item I’m on about.

So, what do you think: is it a case of cosmic irony, karma, fate, etc.? Or is it a case of a spammer honestly trying to warn the recipient? Nah, scratch that, there are no spammers with that level of concern for their victims; they are only interested in how much money they can make for themselves. Worrying about swamping the internet and users' mailboxes with the ‘crud’ they are peddling just doesn't come into the equation.
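To see why the chunk of news text pasted below the ‘—’ can move a word-frequency filter, and why it usually still fails, here is an added Python example. It is not my Bayesian filter or any real product: a small multinomial naive Bayes classifier trained on a handful of constructed messages, scored on a constructed stock-tip message with and without appended ham-like text. It also shows one standard hardening, letting only the most discriminative tokens vote, which is the sort of thing that keeps the padding from working. All training messages, the tip text and the padding are made up for the example.

```python
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case alphabetic word tokens; digits and punctuation are dropped."""
    return re.findall(r"[a-z]+", text.lower())


class NaiveBayesSpamFilter:
    """Multinomial naive Bayes with add-one smoothing (toy filter built for this example)."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = {"spam": 0, "ham": 0}
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.words[label].update(tokens)
        self.docs[label] += 1
        self.vocab.update(tokens)

    def log_ratio(self, token):
        """log P(token|spam) - log P(token|ham); positive means the word favours spam."""
        v = len(self.vocab)
        p_spam = (self.words["spam"][token] + 1) / (sum(self.words["spam"].values()) + v)
        p_ham = (self.words["ham"][token] + 1) / (sum(self.words["ham"].values()) + v)
        return math.log(p_spam) - math.log(p_ham)

    def spam_probability(self, text, top_k=None):
        """P(spam|text). With top_k=None every token votes, so a long run of innocent
        words can outvote a few strong spam words; with top_k set, only the k most
        discriminative distinct tokens vote, which blunts that kind of padding."""
        tokens = tokenize(text)
        score = math.log(self.docs["spam"] / self.docs["ham"])  # prior odds
        if top_k is None:
            score += sum(self.log_ratio(t) for t in tokens)
        else:
            ranked = sorted(((self.log_ratio(t), t) for t in set(tokens)),
                            key=lambda rt: (-abs(rt[0]), rt[1]))
            score += sum(r for r, _ in ranked[:top_k])
        return 1.0 / (1.0 + math.exp(-score))


# Constructed training data: a few stock-tip spams and a few ordinary work/news mails.
SPAM_TRAINING = [
    "hot stock alert buy shares now price will explode",
    "stock pick of the week buy now huge profit",
    "this stock is ready to rocket buy shares today",
]
HAM_TRAINING = [
    "the meeting report is attached see you tomorrow",
    "weather report rain expected across the region tomorrow",
    "minister announced the election results today region news",
]

# Constructed message and padding, standing in for the pump-and-dump mail
# with news text pasted below the separator.
STOCK_TIP = "hot stock alert buy shares now huge profit"
NEWS_PADDING = "minister announced rain expected across the region tomorrow election results"


def build_filter():
    f = NaiveBayesSpamFilter()
    for text in SPAM_TRAINING:
        f.train(text, "spam")
    for text in HAM_TRAINING:
        f.train(text, "ham")
    return f


def demo():
    """Spam probability of the tip alone, padded, and padded but scored on the top 6 tokens."""
    f = build_filter()
    padded = STOCK_TIP + " --- " + NEWS_PADDING
    return {
        "plain_all_tokens": f.spam_probability(STOCK_TIP),
        "padded_all_tokens": f.spam_probability(padded),
        "padded_top6": f.spam_probability(padded, top_k=6),
    }


if __name__ == "__main__":
    for name, p in demo().items():
        print(f"{name}: {p:.3f}")
```

With every token voting, the ten innocent words pull the padded message below the spam threshold even though the stock-tip words are all strongly spammy; restricting the vote to the six most telling tokens brings it back above 0.9. Real filters also weigh evidence the text cannot fake, such as the forged sender and the image-only body mentioned elsewhere on this blog.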

Thursday 23rd November, 2006


PayPal Phish With a Sting in the Tail…

Filed under: All, Malware, Scams, Tools, Stats

Over the last month the amount of phishing scams I see has risen. In fact, since the beginning of November I have reported over 3,000 new phishing URLs. This is a significant increase for me, as I usually only report around 100 to 150.

Each phishing e-mail is checked, all links are tested against the Netcraft toolbar, and any new ones, that the Netcraft toolbar doesn’t yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd. One of these events happened last week, and this post will explain why I considered it not one of the run-of-the-mill phishing scams.

For starters here’s a screenshot of the e-mail I received:

A larger version can be found here.

Nothing too unusual here, this looks like a typical PayPal phishing e-mail, complete with the fake URL. The one you go to, is not the one shown in the e-mail!

Next, here's a screenshot of the phishing website you saw [yes, past tense, as it has now been closed down] when the link in the e-mail was clicked on:

A larger version can be found here.

You can also clearly see at the time I took this screenshot that it was not detected by the Netcraft toolbar, or even the Firefox anti-phishing functions which are now built into the browser.

As with the original phishing e-mail, nothing too surprising here, a typical PayPal phishing site.

So, I logged in [using false credentials, of course] and filled out the required forms with my name, address, social security number, date of birth, credit card details [including CVV and PIN]. Everything was just like most other PayPal phishing sites, that is until the confirmation page…

This is what I saw:

A larger version can be found here.

Oh goody, I thought, they are offering me a free download of an ‘eBay Toolbar‘ called VGuard, and it is at version 10, yippee! Of course, I immediately downloaded it and installed it, as most users do, don’t they? [Don’t panic, I did download it, but I didn’t install it].

What I did do, once I had downloaded it was to analyse it, here’s the file information:

FileName: Guardv10.exe.1
FileDateTime: 16/11/2006 17:44:35
Filesize: 149254
MD5: 2fadb5a4f3c80e78197d733255136ba7
CRC32: 7B3A6C60
File Type: PE Executable
Packer: Standard PE File

Interestingly, it wasn't even packed using the usual malware authors' tools, such as UPX, ACE, and so on.

I had a quick peek at the internals of the file and saw it would create some files and execute them; not just any files, but a DOS batch [.BAT] file, very suspicious! So I sent it off to be run in a sandbox, and here are the results:

Guardv10.exe : Not detected by Sandbox (Signature: NO_VIRUS)

[ General information ]
* File length: 149254 bytes.
* MD5 hash: 2fadb5a4f3c80e78197d733255136ba7.

[ Changes to filesystem ]
* Creates file C:\TEMP\bt8323.bat.
* Deletes file C:\TEMP\bt8323.bat.

[ Process/window information ]
* Creates an event called .

The results from the sandbox did indeed show that it created a batch file. So, which anti-malware tools detect it? To find out I scanned it using over 30 ‘up-to-the-minute’ updated anti-malware tools; here are the results:

============================================================

Scan report of: Guardv10.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA Trojan.BAT.Small.BC0B
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot Jupilites,,Installer

============================================================

As you can clearly see, hardly any of them detected anything at all; even the mighty Kaspersky failed to find anything in the file. So, what did I do? The same thing I always do when I find a new malware: I sent it off to all the anti-malware companies to add detection for it to their products.
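The multi-engine report above is a plain text dump, and the figure a defender wants from it is the miss rate rather than any single verdict. The following Python script is an added example, not a tool from this post or from any of the scanners named: it parses the report exactly as reproduced above, treats anything other than ‘-’ as a non-clean verdict [so the cancelled Proventia result counts as a flag], and computes the coverage. The parsing rule that an engine reporting a verdict is named by a single token optionally followed by ‘(BETA)’ is an assumption that fits this report but not necessarily other scanner output.

```python
import re

# Multi-engine scan report for Guardv10.exe, copied from the post above.
SCAN_REPORT = """\
Scan report of: Guardv10.exe

@Proventia-VPS Malicious (Cancelled)
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus -
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal -
Rising -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
UNA Trojan.BAT.Small.BC0B
VBA32 -
VirusBuster -
WebWasher -
YY_Spybot Jupilites,,Installer
"""

# Assumed layout (fits this report): an engine that reports a verdict is named by
# one token, optionally followed by "(BETA)", and the rest of the line is the verdict.
VERDICT_LINE = re.compile(r"^(?P<engine>\S+(?: \(BETA\))?)\s+(?P<verdict>\S.*)$")


def parse_scan_report(text):
    """Map engine name -> verdict string, or None where the engine reported '-'."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Scan report of:", "=")):
            continue
        if line.endswith(" -"):
            # Clean verdict: engine names may contain spaces ("Dr Web"), so take
            # everything before the trailing dash as the name.
            results[line[:-2].rstrip()] = None
            continue
        m = VERDICT_LINE.match(line)
        if m:
            results[m.group("engine")] = m.group("verdict")
    return results


def summarise(results):
    """Coverage numbers a defender cares about: how many engines flagged the file."""
    flagged = {e: v for e, v in results.items() if v is not None}
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "missed": len(results) - len(flagged),
        "detection_rate": len(flagged) / len(results) if results else 0.0,
        "verdicts": flagged,
    }


if __name__ == "__main__":
    s = summarise(parse_scan_report(SCAN_REPORT))
    print(f"{s['flagged']}/{s['engines']} engines flagged the file ({s['detection_rate']:.0%})")
    for engine, verdict in s["verdicts"].items():
        print(f"  {engine}: {verdict}")
```

For this report the script counts 5 non-clean verdicts out of 40 engines, a 12.5 percent rate, and only one of those [UNA] assigns a family name; the rest are generic "suspicious" or installer labels, which is why the sandbox behaviour, not the scan, is what tells you what the file really does.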

Sorry, you want to know what it [the malware] does? OK.

The sting in the tail mentioned in the title of this posting is that the phishers have used a bit of extra social engineering to get a ‘phished’ target not only to give away their personal and financial data, but also to download and run what the end user thinks is a ‘useful’ toolbar… when in fact what it does is:

Attempts to remove the first four boot configurations from the ‘boot.ini’ file and then delete the ‘hal.dll’ file in the Windows ‘System’ directory. It then copies itself to the Windows ‘Startup’ folder and proceeds to shut down [reboot] the computer.

If it is successful this will make the infected computer unbootable and it may also show a rude message in Romanian on the screen.

Now, is that a sting in the tail or not?

Not only have the phishers made off with the user's data, but they are also trying to cover their tracks by making the system unusable… Any half-decent ‘geek’ could of course resolve the matter fairly easily, but most users would be completely stumped as to how to proceed at this point. I suppose they would take it to their local PC expert or repair center?

Wednesday 22nd November, 2006


October 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

October has come and it has been another very busy month for me. On the malware front it has been an interesting month with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 886 samples during October, which have been catalogued as 54 distinct families and variants. In comparison during September I captured 1226 samples which were catalogued as 43 distinct families/variants. As you can see the captures in October are down from those of September.

During October I captured and submitted 3 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During October I reported 140 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained the pole position during October. However, its percentage dropped, yet again, down from 57 percent in September to only 40.5 percent in October. Even allowing for this drop it seems very intent in keeping pole position for itself.

The Mytobs are definitely back. In August they completely dropped out of the chart, but one member of the family managed to storm back into the chart in September, grabbing second place. In October, Mytob.AC managed to keep hold of second spot, despite a number of challengers.

This reappearance of Mytob knocked Netsky.P from the second place it gained in August back to third in September, and like Mytob.AC, it has consolidated its hold on this spot. Another member of the Netsky family [Netsky.AB] came into October's chart in fifth place.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September have managed to halt this decline. They still account for four of the ten places in October. The four are: Tenga.3666 in pole, Opaserv.worm.d in sixth, Opaserv.worm.ae in eighth and Dupator.1503 in ninth.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During October it regained one more spot from September, up from eighth to seventh.

The two new entries from September, known as IRC.Flood.b and ev [McAfee] have fallen back out of the top ten during October. They have been replaced by Warzov.gen3!W32DL and Bagle.fc!pwdzip in fourth and tenth places respectively.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], October has seen the Mytob family completely disappear from the top ten. In September it held four of the ten places.

Lovegate.w also falls out of the top ten in October, along with Nyxem.E, which was a new entry in June's chart and had been in the top ten until now. Only one Netsky family member has survived the top ten shake-up that occurred in October, this being Netsky.q, which grabs pole.

Only one of the two new entries from September, both from the Scano family, has managed to stay in the top ten in October, this being Scano.gen in fourth, with the aq variant replaced by another family member, the e variant, in tenth. Both of these variants arrive attached to a spammed e-mail message; the attachment is the virus. Scano does not spread on its own.

New entries this month include three members of the Warezov family, these being Warezov.dn in third spot, Warezov.ev in fifth, and Warezov.dc in seventh.

The rest of the chart is made up of Bagles; Bagle.gen in third and Bagle.mail in sixth, and Mydooms, Mydoom.l in eighth and Mydoom.m in ninth.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot, which it lost in March and grabbed back in April. Zafi.b consolidated its place in eighth. Nyxem.D [aka MyWife] has slid down the chart from fourth to ninth. Mytob.AS has further consolidated its second place in the top ten; it stormed up the chart from fourth spot in June, and we see two other Mytob family members in the top 10, these being C in sixth and E in tenth place. Another Netsky [D] consolidates its hold on fifth place. All members of the Mydoom family have fallen out of the top ten this month.

As with both my own top ten and the top ten from Kaspersky, we have a couple of new entries, these being Stratio-Zip and Stratio-AY. Stratio is SOPHOS's name for the Warezov family, which is at least partially responsible for the recent jump in the amount of spam, but more on that next month.
To complete this month's top ten we have W32.Bagle-Zip, which was a new entry in June's chart and slides down the chart from the third place which it grabbed in July, to fourth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has finally dropped from 57 percent in September 2006 to just 40.5 percent in October. Mytob is up one place to second after disappearing altogether from the chart in August and coming back in September in third. Opaserv has slipped down one place from second to third place. Netsky has consolidated its hold on fourth. Mydoom drops out of the top ten. Dupator is up one space from eighth to seventh spot. Warezov is static in fifth place.

New entries include Downloader, Zapchat and Agent, in at eighth, ninth and tenth places respectively.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of October] here. This clearly shows that October was significantly down from September’s relative high. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 217,151 [as at the end of October 2006]. That’s a growth of 52,362 new malware strains and/or variants so far this year. We could see over 60,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in October 2006.

Conclusions:
Malware, 419s and phishing scams have shown a significant drop in numbers during October; however, this may not be all it seems, as the amount of spam has grown almost fourfold in the same period.

Spammers are still increasing their use of graphical spam, which is harder for anti-spam tools to identify without OCR or similar technologies. Not only are they moving to graphical spam, but to defeat simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots; every copy then has a different hash, so this type of filtering is side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques, and spam being sent in Word documents. The latest trick is to use PNG files instead of GIFs, and to use a separate graphic for each letter of the alphabet, a sort of digital version of a ransom note cut from newspapers; more on that next month.
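To show why the micro-dot trick works, and what a filter can do about it, here is an added Python example (not code from the original post or from any anti-spam product). It renders a constructed stand-in for a spam image, a white canvas with dark 8x4 "glyph" cells in place of rendered text, then sprinkles a few random faint grey pixels on it the way the spammers do. An exact SHA-256 of the pixel bytes changes with every variant, whereas a perceptual "average hash" (one bit per cell, set if the cell is brighter than the image mean) is unchanged, because a handful of stray pixels cannot move a whole cell across the mean. The layouts, dot count and pixel values are all assumptions made for the demonstration.

```python
import hashlib
import random
from typing import List, Set, Tuple

# Constructed stand-in for a rendered spam image: 64x32 greyscale pixels
# (0 = black, 255 = white). Dark 8x4 "glyph" cells stand in for text.
WIDTH, HEIGHT = 64, 32
CELL_W, CELL_H = 8, 4          # 8x8 grid of cells, one hash bit per cell
DARK, WHITE = 20, 255

Image = List[List[int]]
Layout = Set[Tuple[int, int]]  # (cell_x, cell_y) positions that carry "text"

# Two constructed layouts: the same spam "message" and a different one.
LAYOUT_A: Layout = {(x, y) for y in (1, 2, 5, 6) for x in (0, 1, 2, 4, 5, 7)}
LAYOUT_B: Layout = {(x, y) for y in (0, 3, 4, 7) for x in (1, 2, 3, 5, 6)}


def render(layout: Layout) -> Image:
    """Paint dark glyph cells on a white canvas."""
    return [[DARK if (x // CELL_W, y // CELL_H) in layout else WHITE
             for x in range(WIDTH)] for y in range(HEIGHT)]


def add_micro_dots(img: Image, n_dots: int, seed: int) -> Image:
    """Spammer-side randomisation: overwrite n_dots single pixels with faint grey.
    Every dot changes a pixel value, so every variant has a distinct byte stream."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(n_dots):
        y, x = rng.randrange(HEIGHT), rng.randrange(WIDTH)
        out[y][x] = rng.randrange(200, 241)  # neither DARK nor WHITE, so always a change
    return out


def exact_hash(img: Image) -> str:
    """What a naive filter does: SHA-256 over the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def cell_means(img: Image) -> List[int]:
    """Downscale to the 8x8 cell grid by averaging each cell's pixels."""
    means = []
    for cy in range(HEIGHT // CELL_H):
        for cx in range(WIDTH // CELL_W):
            block = [img[y][x]
                     for y in range(cy * CELL_H, (cy + 1) * CELL_H)
                     for x in range(cx * CELL_W, (cx + 1) * CELL_W)]
            means.append(sum(block) // len(block))
    return means


def average_hash(img: Image) -> int:
    """Perceptual 'average hash': one bit per cell, set if the cell is brighter
    than the whole-image mean. A few stray pixels cannot move a cell across
    the mean, so micro-dot variants collapse to the same 64-bit value."""
    means = cell_means(img)
    threshold = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > threshold else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def compare_variants(layout: Layout, n_variants: int = 5, n_dots: int = 20) -> dict:
    """Hash the clean image and several micro-dotted variants both ways."""
    clean = render(layout)
    variants = [add_micro_dots(clean, n_dots, seed) for seed in range(1, n_variants + 1)]
    return {
        "distinct_exact_hashes": len({exact_hash(img) for img in [clean] + variants}),
        "max_perceptual_distance": max(hamming(average_hash(clean), average_hash(v))
                                       for v in variants),
    }


if __name__ == "__main__":
    result = compare_variants(LAYOUT_A)
    print(f"exact hashes seen across 1 clean + 5 variants: {result['distinct_exact_hashes']}")
    print(f"worst perceptual distance (bits out of 64):    {result['max_perceptual_distance']}")
    other = hamming(average_hash(render(LAYOUT_A)), average_hash(render(LAYOUT_B)))
    print(f"a different message is far apart: {other} bits")
```

Running it, the six images produce six different SHA-256 values but a single average hash, while a genuinely different layout lands 44 bits away, so a filter can match on a small Hamming distance rather than on equality. Note that this keys on the layout of the whole image: with the ransom-note trick described above, each letter arrives as its own tiny graphic and would hash separately, so the filter would also have to reassemble the rendered layout before hashing.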

Links:




Friday 17th November, 2006


Another Million Reasons to be Sceptical…

Filed under: All, Scams

Wow, it must be my lucky day: according to an e-mail I’ve just received, I’ve won ‘1 Million US Dollars‘, and those of you who read my blog will know that I’ve already been informed by another e-mail that I’ve won ‘800,000 Euros‘ today!

Hang on, this is another lottery that is allegedly sponsored by Microsoft, and yet again I don’t remember entering any lottery!

Here are a couple of screenshots, showing the whole e-mail in all its glory:


Once more Bill Gates gets a mention, and the following line just makes me chuckle:

DO NOT REPLY ANY OTHER MAILS LIKE THIS ON NET, AS THEY ARE LOT OF SCAM ARTIST OUT THERE PRETENDING TO BE US…

Tell me about it, what a bunch of scammers!

Just to make it crystal clear, yet again, this is a scam, there is no money, and I haven’t really won anything…Damn, I suppose I better cancel that order for the Ferrari and the new guitars now? ;-)

Blimey, there’s that woman again [but she’s changed her name], from the 800,000 Euros winning e-mail, but now she has a friend with her. Does anyone know who the women in the picture are? I’m sure they will be delighted to know that they are being used to help make a scam more believable.




I’ve Won Another Microsoft Lottery!

Filed under: All, Scams

Whoopee! I won 800,000 Euros in the latest lottery being run by Microsoft…..Imagine what I can do with that much money; buy a Ferrari [but I don’t drive, maybe I could learn?], pay off my mortgage, do a round-the-world trip, buy lots more spiders, snakes and guitars….Oh, and let my wife have some too! ;-)

Hang on, I don’t remember entering any lottery!

OK, calm down, this isn’t all it seems to be, as usual.

Yes, hopefully by now you’ve realised that it is the latest incarnation of the infamous lottery scam from those wonderful 419ers. The boys and girls from Lagos have excelled themselves once more. As usual they are using the name of a large company, Microsoft [in this case], but are also using another company name, that of the F. P. S., which they claim is the ‘Foundation for the Promotion of Software products‘ [which doesn’t seem to exist outside these scams]. They even go on to use ‘Bill Gates‘ name, as if that will give it more credence.

Here are a couple of screenshots, showing the whole e-mail in all its glory:


Just to make it crystal clear, this is a scam, there is no money, and I haven’t really won anything, well, apart from the right to read the latest ‘fiction‘ from those running these scams.

Anyone know who the woman in the picture ‘really‘ is?

By the way, I think that F.P.S really stands for ‘Foolish People Scammers‘? Any better suggestions?

P.S. I have a number of postings planned already for next week, including the ‘Monthly Malware Review’ for October, an interesting case of a phishing scam with an extra sting in its tail, and another update on the latest tricks being employed by the spammers. If anything else interesting or newsworthy crops up I’ll try and post that too.



Wednesday 15th November, 2006


Google Reader - Shared Items

Filed under: All, Tools

In my never-ending search for the perfect RSS/Atom reader and/or aggregator, I have been testing the web-based one offered by ‘Google‘, known as ‘Google Reader‘, and to be honest I’m very impressed.

Apart from being browser based, it is similar to many of the other RSS readers out there, but there are some unusual, but useful things that ‘Google Reader‘ does that I don’t think any of the others offer.

One of the great features is the ability to ‘share‘ items that you have received, and think may be of interest to like-minded individuals. So, I have started sharing interesting posts from blogs that I subscribe to here: http://www.google.com/reader/shared/01333213474642457866

You can even get it as a RSS/Atom feed via this link: http://www.google.com/reader/public/atom/user/01333213474642457866/state/com.google/broadcast.

‘Google Reader‘ works well in Internet Explorer, and also works in Firefox.

If you are also using ‘Google Reader‘, and have a share, then let me know and I’ll take a look. Also, let me know what you think of ‘Google Reader‘, if you use it.

Just for interest, here are some of the other RSS/Atom readers and/or aggregators I’ve used so far [in no particular order]:

  • Awasu
  • Firefox, Live bookmarks, Sage and various other plug-ins/add-ons
  • RSS Bandit
  • Greatnews
  • KlipFolio
  • Newzie
  • Omea reader
  • Opera
  • SharpReader


