MoMusings

Friday 8th September, 2006


A Game of Two Halves - 2006 First Half Malware Review

Filed under: All, Malware, Exploits, Scams, Stats, Spam

Somewhat late I know, but I am finally going to post selected parts and snippets from the 2006 half-year malware review I finished in July as I promised, and I do try and keep my promises. So better late than never, here we go…

Malware Review of 2006 [January - June]

Below is a summary of the state of malware and related ‘things-that-go-bump-in-the-net’ for the first six months of 2006. If you need further details on any issue you will find a list of references throughout and can always search my blog for more details on a specific topic. All feedback and questions are welcome.

Overview

The beginning of 2006 was also the 20th anniversary of the first PC virus, Brain.

For anyone outside the security industry the first six months of 2006 were pretty uneventful; however, this is just a case of the ‘Swan Principle’: all serene and smooth on top, but furious activity going on beneath the surface, in both the malware and anti-malware camps.

E-mail borne malware is fast becoming extinct as malware authors move to other infection vectors, or to links, instead of attaching malware. The other trend is the move back towards Trojans and the use of social engineering to get users to infect their own computers. SOPHOS found that only 1 in 91 e-mails was viral, compared to 1 in 35 for the same period last year.

Phishing has grown from a minor inconvenience to a widespread and growing problem which currently shows no sign of a slowdown. However, there is somewhat of a change happening in that phishing scams are no longer just targeting customers of online payment systems [paypal], banks, building societies and ISPs. They are increasingly turning their attention to smaller firms and more targeted attacks. Increasingly we are seeing botnets being used to Spam out phishing e-mails and also bot infected computers used to host the bogus ‘phishing’ site itself.

Bots and Botnets have become big business with many ‘botnet owners’ making serious money renting out their ‘army’ of ‘drones’ to be used for DDoS attacks or pushing Spam, Phishing e-mails or other scams through. Botnets are also being used to seed new malware and adware/spyware; effectively giving it a head start which allows it to appear almost instantaneously all over the world.

Malicious software aimed at mobile devices, such as PDAs and SmartPhones, has grown quickly so far this year. This is not surprising, as more and more of us now have SmartPhones with more computing power in our hands than a desktop computer offered a mere 10 years ago. During the review period the number of malware targeting mobile devices exceeded the 200 mark.

Ransomware

Data or disks being encrypted by malware is nothing new; however, we seem to be seeing an increase in the use of this technique to extort money from those that get infected. In some cases it has almost become a hostage-shooting scenario: if infected users do not pay up within a specified period, files get deleted, and this is repeated until the user gives in and pays up.

Multi-stage malware is malware that arrives in parts or sections. This is not a new technique, but it is one that is increasingly being used by malware authors.

As this blog posting is ‘selected highlights’ of the full 16 page report, let us look at some of the areas mentioned above in more detail:

Malware Growth

Almost at 200,000 malware strains/variants

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 199,255 [as at the end of June 2006]. That’s a growth of 30,448 new malware strains and/or variants in the first half of the year. If we extrapolate that out, we are looking at at least 60,000 new malware strains and/or variants by the end of this year.

I have already written a blog entry on this, so to save space, and my fingers, you can read the original posting here.

The following chart shows the actual growth of malware each month for the first half of 2005 and the first half of 2006. You can clearly see the same trends at work; however, the numbers are much larger.

The average per month for the first half of 2005 was 4494 new malware variants, whereas the average per month for the first half of 2006 was 5075 new malware variants. This equates to 28 new malware found on average each and every day during the first six months of 2006; for the same period last year the figure was just 25.

Now, let us look at the growth and trends from actual data from my own internet facing malware sensors. The first graph shows data from January 2004 until June 2006 and only shows malware samples captured which travel via e-mail.

Let us now look at the whole six month period with respect to individual malware variants and families. The first pie chart shows the top 10 malware variants. This data is from my WormCharmer and includes not only e-mail based malware but also share-crawling worms and bots too.

As you can see there are a number of Mytob variants in the top 10; in fact they take 4 of the 10 slots. The other 6 are taken by W32/Tenga.3666, which accounts for over 65 percent of the top 10 pie and over 50 percent of all samples captured in the first six months of 2006. Tenga is a ‘blast from the past’, as it had been suggested by some anti-virus vendors that ‘viruses’ were now extinct, apart from those already known and catalogued. The rest of the pie is made up of W32/MyWife.d@MM, W32/Netsky.p@MM, W32/Opaserv.ae and finally W32/Opaserv.d [in 5th, 6th, 7th and 10th respectively].

The above pie-chart shows the data for the same period but grouped by malware ‘families’. As you can clearly see, the Tenga family [which is only made up of the initial version] accounts for the largest slice, almost 55 percent. Mytob is forced into second place, accounting for just 23 percent of the pie. These top two are followed by the ‘Opaserv’ family and the ‘Netsky’ family. Next come MyWife, Sdbot, Mydoom, Sdbot and Ranky Dropper, and in ninth spot is Ranky. Bringing up the rear is the ‘Agobot’ family.

Right, now we have covered some of the statistics of the first half of 2006, let us now look at some of the trends reported in the review:

Trends

Ransomware

Data or disks being encrypted by malware is nothing new, however we seem to be seeing a rebirth of this technique to extort money from those that get infected.

One of the first pieces of ransomware found was Virus.Win32.Gpcode.a [Kaspersky], which was found in December of 2004; a second variant appeared later that month. We are now seeing versions of this ransomware using strong encryption. In January variant ac was found, and it used an RSA algorithm with a 56 bit key-length. Next we saw a version using a 260 bit key, then a 330 bit key; each of these was cracked by the anti-virus firms. To top it all, in June the author released a new version using a 660 bit key; this should have taken around 30 years to crack, but Kaspersky managed to crack it within 24 hours. It is expected that we will see more of these Gpcode variants using larger and larger keys, along with new malware that uses strong encryption techniques to hide or steal data.

If we see this technique added to bots we may well have to add a new entry to the definition of DDoS attacks, as encrypting files or whole disks without the owner’s knowledge is definitely a denial of service: they won’t be able to use the data or disk that has been encrypted.

In one case a ransomware malware known as Ransom-A [Sophos] prevented users from accessing their computer until the ransom was paid via Western Union. The fee demanded was a measly 10.99 [US Dollars]. The amount may be small, but to try and ensure that the victim paid up, for every thirty minutes that passed it claimed it would delete a file. Furthermore, Ransom-A displayed pornographic images and messages on the infected system’s screen, which added to the pressure to pay up, especially if you were in an office or public place where your screen could be seen.

Along similar lines is data-stealing malware; more often than not these are Trojans specialising in stealing passwords and other sensitive data. There have been cases where phishers have used these tools, exploiting known vulnerabilities in Microsoft Internet Explorer to automatically download and install the Trojan as the phishing e-mail is being read.

Script Malware Returns

Script viruses and other script malware have been around for many years, but interest in them has waned over the last few years, or so it seemed. This year we have seen a number of script-based malware, including:

It seems that we are seeing the rebirth of script-based malware; this time the target is web-based applications and the servers running these applications and sites. What is more worrying is that some of these, such as Feebs and Scano, are polymorphic and therefore harder to reliably detect, as they mutate each time they infect.

A Half-Year Packed with PoCs

It seems to have been rather manic on the ‘proof of concept’ front with regard to malware; so far this year we have seen the following new targets attacked:

  • Matlab
  • Microsoft Project
  • Open Office
  • Mac OSX
  • J2ME

This year may have been short on major outbreaks, so far. This is partially because the malware authors are spending their time investigating new attack vectors and methods. I suspect that the second half of 2006 will see a similar increase in PoCs.

Right, finally let me cover some of the things I see in my crystal ball…

Expectations for the rest of 2006

Let us look into our virtual crystal-ball and see what the last half of 2006 may hold.

Actually this is more scientific than merely guessing as it uses all the data from 2006 so far and the other twenty years of malware activity to come up with the most likely scenarios. However, something new and unexpected can always turn up to turn everything on its head.

Phishing to continue to grow.
More scams using social engineering to dupe users into disclosing private or confidential information or getting them to perform a task, such as running an attachment or deleting system files (user-initiated malware). More phishing scams will use malware such as key-loggers and backdoors to compromise or further exploit a victim’s system. Man-in-the-middle scams will become more widespread.

Increased social-engineering use in malware.
Malware authors are well aware that, more often than not, the weakest link in a company’s security is the person behind the keyboard. Until users gain a healthy level of paranoia the problem will continue, and may be used more often to defeat a company’s anti-malware defences.

Spam will continue to grow, despite the recent legislation passed in both the UK/EU and the US, and even allowing for the arrests and prosecutions of spammers in 2004: the growth in the risk of being caught will be offset by the increasing use of botnets as spam proxies. Not only will we see an increase in e-mail spam, but also in instant messaging spam [known as spim] and VoIP spam [known as spit].

Bots and botnets will continue to be the tool of choice for cyber-criminals. What we will continue to see during the rest of 2006 is a further move from using IRC for command and control to other methods, such as web servers running SSL [encrypted] command and control systems. We may also see encrypted peer-to-peer [P2P] networks created by bot/botnet creators as IRC server owners crack down on misuse of their servers. Furthermore, the increasing use of IPS/IDS to detect botnet IRC traffic will force the bad guys to move to encrypted protocols in an attempt to defeat these technologies.
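The paragraph above makes a point worth seeing in code: an IDS that matches IRC commands in the payload loses its view the moment the bot wraps its command and control in SSL, but a rule that only looks at who is talking to whom still fires. The following is an added example written for this page, not any IDS vendor's rule set. It assumes constructed flow records (source, destination, port and the first bytes of payload), treats 10.0.0.0/8 as the inside of the network, and uses a threshold of three internal hosts per external host:port that is purely illustrative.

```javascript
// Two detection heuristics for botnet command-and-control, run over constructed
// flow records. Added example, not a vendor's rule set.
// Rule 1 looks for IRC protocol verbs in a cleartext payload on a port that is
// not a normal IRC port (bots seldom sit on 6667). Rule 2 never reads the
// payload: it flags many internal hosts all talking to one external host:port,
// so it still fires once the C&C channel has moved behind SSL, which is exactly
// the case in which rule 1 goes blind.

const IRC_PORTS = new Set([6667, 6697]);
// An IRC verb at the start of a line, followed by its parameters.
const IRC_VERB_RE = /^(NICK|USER|JOIN|PRIVMSG|PONG)\s/m;
// First bytes of a TLS record; stands in for an encrypted payload in the samples.
const TLS_HELLO = '\x16\x03\x01';

// Constructed sample flows (not real traffic). 10.0.0.0/8 is the inside.
const FLOWS = [
  { src: '10.0.0.5',  dst: '203.0.113.7',  dport: 8080, payload: 'NICK [XP]-1234\r\nUSER a a a :a\r\nJOIN #x\r\n' },
  { src: '10.0.0.6',  dst: '203.0.113.7',  dport: 8080, payload: 'NICK [XP]-9999\r\nUSER b b b :b\r\nJOIN #x\r\n' },
  { src: '10.0.0.9',  dst: '203.0.113.7',  dport: 8080, payload: TLS_HELLO }, // same C&C host, now over SSL
  { src: '10.0.0.12', dst: '203.0.113.7',  dport: 8080, payload: TLS_HELLO },
  { src: '10.0.0.20', dst: '198.51.100.3', dport: 443,  payload: TLS_HELLO }, // one host doing ordinary HTTPS
  { src: '10.0.0.21', dst: '198.51.100.9', dport: 6667, payload: 'NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n' }, // a person on IRC
];

const isInternal = (ip) => ip.startsWith('10.');

// Rule 1: IRC verbs from an internal host on a non-IRC port. One alert per flow.
function detectIrcOnOddPort(flows) {
  return flows
    .filter((f) => isInternal(f.src) && !IRC_PORTS.has(f.dport) && IRC_VERB_RE.test(f.payload))
    .map((f) => ({ rule: 'irc-on-odd-port', src: f.src, dst: f.dst, dport: f.dport }));
}

// Rule 2: at least `minHosts` distinct internal hosts talking to the same
// external host:port. Payload is never inspected, so encryption cannot hide it.
function detectClusters(flows, minHosts = 3) {
  const byDest = new Map();
  for (const f of flows) {
    if (!isInternal(f.src) || isInternal(f.dst)) continue;
    const key = `${f.dst}:${f.dport}`;
    if (!byDest.has(key)) byDest.set(key, new Set());
    byDest.get(key).add(f.src);
  }
  const alerts = [];
  for (const [key, hosts] of byDest) {
    if (hosts.size >= minHosts) {
      const [dst, dport] = key.split(':');
      alerts.push({ rule: 'many-to-one', dst, dport: Number(dport), hosts: [...hosts].sort() });
    }
  }
  return alerts;
}

// Runs both rules and returns their alerts together.
function runDetections(flows) {
  return { irc: detectIrcOnOddPort(flows), clusters: detectClusters(flows) };
}

console.log(JSON.stringify(runDetections(FLOWS), null, 2));
```

On the sample flows rule 1 catches the two cleartext bots and nothing else (the person on port 6667 is skipped by design), while rule 2 reports the one external host:port that four internal hosts share, including the two whose payload it cannot read. In a real deployment the many-to-one rule needs an allowlist of known-good destinations, otherwise every popular web server looks like a controller.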

It has become clear over the last few years that malware authors are increasingly looking at operating systems other than Windows. The amount of Linux malware is increasing steadily as authors search for effective ways to target it. The same has been happening on the Apple Mac platform. We will see more, and increasingly complex and successful, malware for Linux and Mac operating systems during the rest of 2006.

So, there you have it, a quick peek at some of the facts, findings, trend analysis and a bit of crystal ball gazing to round it all off.

Other Malware Reviews


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Friday 21st July, 2006


It’s My AV And I’ll Not Update If I Want To…

Filed under: All, Malware, Exploits, Stats

The results of a recent survey confirm my own worst fears in regard to why we are still seeing machines getting infected with malware that has been detectable for weeks, months and even years! This is despite the fact that most of these machines that get infected have anti-virus software installed and enabled to perform on-access [real-time] scanning of all files that can act as an infection vector.

According to the survey conducted by Harris Interactive on behalf of ESET:

  • 88 percent of computer users have anti-virus software on their machines.
  • Almost two-thirds (65 percent) of those users are reluctant to upgrade the software after it’s installed.

Why? Well, below are just some of the reasons that consumers gave to explain their reticence for upgrading their antivirus protection:

  • 38 percent claimed that the updates were too disruptive.
  • 32 percent felt it was something that could wait.
  • 27 percent believed the update would take too long.
  • 14 percent were unsure how to do it.

This is despite the survey finding that 42 percent of the survey sample admitted their machines had been affected by malware. Even more surprising is that of those who failed to update their protection and subsequently had their system infected, 55 percent of them still felt very confident or confident in the protection offered by the antivirus programs on their computers.

A couple of interesting quotes from this story are included below:

“Overall, the research shows that many consumers have a false sense of security while online,” ESET Chief Research Officer Andrew Lee said in a statement. “With the number of zero-day threats rapidly increasing, users need to be even more cautious and proactive in their own protection.”

Andrew is correct that the window between a vulnerability being found and it being used is almost non-existent now; users do need to ensure that their AV is up to date more often, unless they are using other tools, technologies or methodologies to mitigate the threat.

However, this is only one facet of the problem. The real problem is that most of those getting infected are being infected by malware that is months or years old and known to all anti-virus tools. There is a failure here, both from the vendors, who should make their updating features more difficult to turn off, easier to use, and switched on by default, and from users who believe that they are protected because they have AV installed and that this ‘magically’ protects their PCs from all malware even if they never update it. The following quote from Ron O’Brien supports my own findings.

Ron O’Brien, a senior security analyst with Sophos in Lynnfield, Mass., noted that the survey findings gel with findings in his company’s mid-year report. “All the malware listed in our report is malware that’s been around for a year or two, which means that there are large numbers of users who do not have any antivirus software or outdated software on their PCs,” he told the E-Commerce Times.

Is he right? Yes, of course he is, if you need more proof then take a look at my Monthly Malware reviews [posted on this blog] and see for yourself, it ain’t rocket science folks!

This survey is not the only one that fails to surprise, as there has been one that claimed that users were buying new PCs to solve malware problems instead of getting the old [infected] PC dis-infected. Talk about overkill, this is like using a ‘Thermonuclear Warhead to kill a bug’! Want to know more?[1] ;-)

So, what do you need to do to minimise your computer becoming just another survey statistic?

  • Install anti-virus; enable real-time [on-access] scanning.
  • Update your anti-virus; if it doesn’t do it for you, manually check for updates each and every day.
  • Install a personal firewall; and check all the programs that request internet access.
  • Install anti-spyware; some of these have real-time protection, use it!
  • Update anti-spyware; same as the AV.
  • Practise Safe Hex!

I’m not going to go into the above suggestions in depth as I’ve already covered this in earlier postings and a number of my published papers and magazine articles.

Links:


[1] Shameless use of dialogue from the ‘Starship Troopers’ film.


Wednesday 14th June, 2006


Truth or Scare?

Filed under: All, Malware, Exploits

There seems to be a new ‘virus warning’ being sent around, clogging up mailboxes and generally causing lots of FUD [Fear, Uncertainty and Doubt].

So, is it a case of ‘yet-another-virus-hoax’ chain e-mail type of warning or is this a real threat? Should you worry, pass it on, put it in the bit-bucket, or what?

Read on and find out.

So you get an e-mail from someone you know, or even a complete stranger that looks like this:

“There is an email going around with the subject “New Graphics Site”. It is spreading fast as about 100 people I know have gotten it just today. If you get an email with that in the subject line delete it quickly and DO NOT OPEN IT! This is a new virus I have been told.”

The Facts:

  • There is a new mass-mailing worm that has the subject of “New Graphics Site”.
  • Opening and/or viewing the e-mail does make it spread.
  • There is no attachment, the viral code is part of the e-mail body.
  • This only [at this time] affects those that use Yahoo web-mail via a web browser.
  • Turning off JavaScript support in your browser should stop it functioning.
  • Most anti-virus products now detect this.
  • The worm cannot run on the newest version of Yahoo Mail Beta.

F-Secure state that:
“The Yamanner worm does not send itself as an attachment, it resides inside the e-mail body. The worm activates automatically by just opening an infected e-mail message with Internet Explorer. It uses a 0-day vulnerability in Yahoo! webmail system.”

And according to McAfee:
“There are reportedly two known variants of this threat. It appears to be under development/refinement and the initial variant contains a typo in the code”.

Furthermore, the worm targets e-mail addresses that are in the yahoo.com and yahoogroups.com domains only at this time. It replicates by running a JavaScript which sends copies of itself to other e-mail addresses harvested from infected users’ Yahoo Mail folders. It also, as part of its routine, sends these harvested e-mail addresses to a remote server which is obviously collecting them for other nefarious purposes, such as to sell as a spam list.

I suspect this attack on the web mail service of Yahoo is the start of a trend in attacking web-based e-mail services. The Internet Storm Center had this to say on the current state of many web based applications: “After testing several popular web applications, we have found that several are in fact vulnerable to the very same type of exploit.”

Links:

Back to my question I asked at the start of this posting “Should you worry, pass it on, put it in the bit-bucket, or what?” The correct answer is firstly to confirm that such a problem/threat exists via ‘reliable sources’, and if real just be aware of the problem and how to avoid it or protect against it, apply this knowledge and any required patches or security updates [Anti-Virus, Anti-Spyware, Windows Update, etc.], then send the warning e-mail to the bit-bucket.


Wednesday 31st May, 2006


Microsoft Malware and Anti-Malware

Filed under: All, Malware, Exploits, Tools

It’s a Microsoft themed posting today, I hope Bill is pleased ;-)

First we have a new Microsoft patch being sent via e-mail for a new vulnerability, or so you are led to believe. Details below:

Here is a screenshot of the e-mail:

Screenshot courtesy of SOPHOS.


If you are naive enough to believe that Microsoft send patches out via e-mail, then you are the sort of person that would also have infected your computer with Swen when it used the same trick to great effect.

The web link [URL] shown in the e-mail is not where you will go if you are gullible enough to click on the link and download the ‘alleged’ patch.

This uses the same phishing-like trick that I mentioned the other day.

It seems that once more the Bad Guys and Gals are trading tricks to help them get you to infect your computer or disclose personal data. Once you have clicked on the link and executed [run] the downloaded file, which is a Trojan horse, the installer will display the following bogus message:

“Microsoft WinLogon Service successfully patched.”

In reality the Trojan is now secretly logging all your keystrokes and sending them to an email address belonging to the Bad Guys and Gals that created it.

The good news is that the website being used to host the Trojan has been taken down, so if you haven’t yet infected yourself you’ve missed your chance with this one ;-)

Oh, and just in case you didn’t know, there is no such vulnerability and even if there were Microsoft don’t send patches to customers via e-mail like this, got it?

Oh yes I nearly forgot, here is a link to the description of the Trojan itself, known as BeastPWS-C.

Microsoft OneCare Launched Today:

The much vaunted [by Microsoft] ‘OneCare’ service launches today. ‘OneCare’ is the new anti-malware offering from Microsoft which includes anti-virus and anti-spyware services for home users.

Not surprisingly, existing anti-virus and security vendors are jumping on the bandwagon. Just to steal a bit of Microsoft’s thunder on the launch day of ‘OneCare’, McAfee is launching their own similar service, named ‘Falcon’.

Symantec are also planning a similar service which they were going to name ‘Genesis’; however, their service is delayed and has also been renamed to ‘Norton 360’.


Thursday 11th May, 2006


EICAR 2006 Review

Filed under: All, Malware, Papers, Exploits, Scams, Tools

As previously mentioned on this blog I had a paper selected for the EICAR 2006 conference which was held at the Hotel Hafen in Hamburg, Germany between the 30th of April and the 3rd of May.

The hotel was quite interesting, made up of the ‘Classic’ part [left side of the picture with the hotel name on it]; which was the sailor’s mission [home] from 1864 until 1979, and the new ‘Residenz’ modern section [on the right side, includes the modern tower and you can just see part of the Ellipses]. The conference was held in the modern part of the hotel for the first two days, and then moved to the ‘Classic’, old part of the hotel for the final day.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:

Day 1 - Sunday 30th April:

The start of the day was used by many of the Working Groups and Task Forces that EICAR has. The conference ‘proper’ was kicked off by Sarah Gordon who gave her keynote speech. Sarah covered some interesting areas such as sociology, ethics and her being seen as a heretic when she originally published some of her research and ideas some years ago. These have now [for the main part] become considered as part of the mainstream. At the end of her keynote, Sarah challenged those in the room to dare to be the next heretic!

This was followed by a panel session about ‘groups’ in both the anti-malware and malware scenes.

After a break, I decided to stay in one of the two streams, this one being held in Ellipse I. The session room was smaller, but the number of people attending them meant that a number had to stand as there was not enough seating. The ones that I found most interesting were:

  • Mystery Meat: Where does spam come from, and why does it matter? - Presented by Christopher Lueg.
  • Spam Zombies from Outer Space. - Presented by John Aycock and Nathan Friess

Both of these caused a flurry of questions and the lively debate raged on after the sessions.

The end of day 1 was rounded off by the ‘Meet the Experts’ session which was a chance for many of us to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way.

Day 2 - Monday 1st May:

The first sessions of the day that I attended were held in Ellipse II and were all on Spyware; from very different perspectives. I was the second slot of the four to be given during the first half of the morning.

  • Spyware: A risk model for business - Presented by Vanja Svajcer
  • Spyware: Risks, Issues and Prevention - Presented by Martin Overton
  • The Trials and Tribulations of Testing Spyware Solutions: Towards a Testing Methodology - Presented by Larry Bridwell
  • A Testing Methodology for Anti-Spyware Product’s Removal Effectiveness - Presented by Josh Harriman

The next set of presentations which I found interesting were these:

  • Behavioral Classification - Tony Lee
  • TTAnalyze: A Tool for Analyzing Malware - Presented by Ulrich Bayer, Engin Kirda, Christopher Kruegel
  • Enlisting the End-User - Education as a Defense Strategy - Presented by Jeannette Jarvis
  • Pharming: a real threat? - Presented by David Sancho
  • Evolution from a Honeypot to a distributed honey net - Presented by Oliver Auerbach

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied. The after dinner entertainment was supplied by a somewhat manic magician who spoke very fast and almost only in German which left about half to two-thirds of those assembled trying to work out the jokes, punchlines and the general patter that went along with the rather good magic.

Day 3 - Tuesday 2nd May:

On the last day of the main conference we moved from a two stream format to a single stream held in a conference room in the ‘Classic’ part of the hotel. This layout was significantly better than the first two days where it was somewhat cramped and there were no tables, only rows of chairs.

The day started off with another keynote, this time given by Professor Klaus Brunnstein. Although it was a very interesting talk he overran by almost half an hour, which put the rest of the day’s schedule off. Here are the presentations that I found most interesting during the morning sessions:

  • Inherent Technical Risks will lead Information and Knowledge Societies into a risk Society - Presented by Prof. Klaus Brunnstein
  • Future Trends in the realm of malware - Presented by Guillaume Lovett
  • Windows Rootkits - Presented by Mika Stahlberg

The rootkit one I found particularly interesting as I’m currently writing a paper for the Virus Bulletin conference on this very subject. Thanks go to Mika for helping me by writing and presenting his paper [and sending me his slides too] as this will help me no end in writing mine [with due credit of course].

The afternoon also proved to be eventful as several of the sessions planned had to be removed due to speakers not turning up to present. This meant that the schedule went from being half an hour late to almost an hour early. So, the panel session was moved forward to take up the slack. As usual with panel sessions this proved to be quite animated, especially when David Perry of TREND is part of the panel ;-) .

I didn’t stay for the last day [3rd of May] as it was a day just for Task Force meetings.

All in all, this was a very good EICAR conference; in fact it was the best attended ever with almost 100 attendees! I’m already looking forward to next year’s.

Just in case you didn’t spot the link to my paper, here it is again: Spyware: Risks, Issues and Prevention ;-)


Thursday 27th April, 2006


E-mail Warning about Scams is a Scam

Filed under: All, Malware, Exploits, Scams

It never fails to surprise me when the 419ers [the Boys and Girls from Lagos who run the Advance-Fee-Frauds, aka Nigerian scams] try and get a potential mark [victim] to trust that the e-mail, letter or fax is genuine, by either using well known company names, grand sounding personal titles, such as Queen this, Princess that, General other, or trying to pass themselves off as professionals, such as Doctors, Lawyers, government officials, bank staff or ministers of religion. They have also been known to ‘borrow’ names of famous or infamous people.

Occasionally they change tactics, such as trying to make you believe that the deal being offered is not a scam, by stating that it is ‘100 percent legal’ or stating ‘this is not a scam’.

The latest twist in their tactics is ‘borrowed’ from the malware authors, in that the scam e-mail itself warns against scams, rather ironic I would say!

Here’s a screenshot of the e-mail:

Probably the best known case of malware using this tactic is Swen [screenshot below], which arrived as an e-mail claiming to come from Microsoft, warning you about holes which it said could be used by malicious code. The beautifully formatted HTML e-mail had the required ‘patch’ attached, which was in fact the malware itself. The e-mail was very believable, so it was no surprise that lots of people ran the attachment and infected their computers.

This latest twist just reinforces that the ‘bad guys and girls’ are learning from each other. Phishers are learning from the 419ers, who are learning from the malware authors, who are learning from spyware authors, who are learning from the phishers… round and round we go!

Let’s hope some of them get dizzy and fall off into the waiting arms of law enforcement, who will sit them down, read them their rights and then let them have their day in court.

Hopefully they will get ‘a real sentence’ that will finally send out the right message that cyber-crime does not pay, rather than the more common ‘slap-on-the-wrist’ being handed out that we have seen in the vast majority of cases so far.

I know, I can dream…


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Wednesday 26th April, 2006


Lost in MySpace

Filed under: All, Malware, Exploits, Hoaxes

According to the blurb posted on their site:

“MySpace.com is an online community that lets you meet your friends’ friends. Create a private community on MySpace and you can share photos, journals and interests with your growing network of mutual friends!”

Some of the features of MySpace include:

  • Upload Pictures
  • Send Mail and IM’s
  • Write Blogs & Comments
  • Participate in forums and groups

It is all really about social networking.

However, all is not rosy in the MySpace virtual garden.

Firstly, MySpace was targeted by malware back in October 2005:

Here’s a snippet from a news article that covered it:

“One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.”

Not bad for a bit of JavaScript and XSS [Cross-site-scripting]. At the time of writing the worm had been removed and the holes it used patched. However, there have been other MySpace worms created using Samy’s code as a starting point, some of these were able to spread.

Secondly, some kind soul has been circulating a warning about a virus that is allegedly spread via MySpace.com Instant Messaging, here’s the warning:

“If someone by the name of j_neutron07 wants to add you to their list dont accept it. Its a virus. Tell everyone on your hits because if somebody on your list adds them you will get it too. It is a hard drive killer and a very horrible virus.

PLEASE COPY/PASTE AND REPOST THIS”

However, this is not a real threat, as there is no such malware and as I write there is no way for this so-called virus to spread by just adding someone to your buddy list. Yes, this so-called virus is a HOAX.

And thirdly, it seems that MySpace has also been used to find ‘Rape Suspects‘, and has recently removed 200,000 ‘rude‘ profiles. According to the ‘Register’ the site has also been used by school bullies who post bogus profiles aimed at attacking or humiliating their victims.

As if the above issues were not worrying enough, the recent sexual assaults on ‘young’ MySpace.com members appear to show that the service is being actively used by paedophiles to find victims to groom, meet and abuse.

The above issues once more make it abundantly clear [if you needed reminding] that you should not give out personal details via these types of services, as a small minority will take advantage. Kids [and adults too] should remember that on the internet the person you think you are chatting with or e-mailing may not be what they seem. You may think that they are a 12 year old girl from London, but it may well be that it is a 45 year old man from the other side of the world, or next door!

To steal the punch line from this cartoon: “On the Internet, nobody knows you’re a dog”.

Be careful out there on the ‘Wicked Wild Web’.



Monday 27th February, 2006


2006 Malware Predictions

Filed under: All, Malware, Exploits, Hoaxes

One of the things I do each year is to analyse what has occurred in the ‘big-bad-internet’ aka the ‘wicked-wicked-web’. I focus on what the Bad Guys/Girls[TM] have been up to; such as new platforms, techniques and technologies that they have used and abused during the previous year.

I then add all the data I have from the previous 20+ years of malware and related nastiness and try and predict what we may see in the coming year. This doesn’t include any predictions that might give the Bad Guys/Girls[TM] any new ideas that they haven’t already tried or at least discussed.

The last thing I want to happen is for me to give them something new to use; be it a technique, some technology they can abuse, or suggest new platforms they can attack. These ‘potentially dangerous’ predictions will not be published. I do not want to be held responsible for suggesting new ideas.

So let me disclose some of the results from being ‘up-to-the-armpits’ in malware entrails, meditations on 419 and phishing scams and looking at the vast pits of daily SPAM as well as gazing into my virtual crystal ball and interpreting the malware runes.

Without further ado, let us see what 2006 may hold.


The Obvious Ones:

  • Phishing to continue to grow
    More scams using social engineering to dupe users into disclosing private or confidential information, or getting them to perform a task such as running an attachment or deleting system files (user-initiated malware). More phishing scams will use malware such as key-loggers and backdoors to compromise and further exploit a victim’s system. However, we have already seen a move towards more targeted phishing and pharming.
  • Less mass-mailing worms
    We will actually see a fall in this method of distribution and an increase in the other, more stealthy and invisible, methods used by share-crawling worms and bots instead. Unlike others I don’t believe that the mass-mailing worm is quite dead yet; I give it at least another 12 months. Many anti-virus vendors predicted its death at the end of 2004.
  • Increased use of blended threats and multi-stage attacks
    More vectors, more exploits, more fragmented attacks.
  • Increased social-engineering use in malware
    Malware authors are well aware that most often the weakest link in a company’s security is the person behind the keyboard. Until users gain a healthy level of paranoia the problem will continue, and may be used more often to defeat a company’s anti-malware defences. 2005 saw numerous examples of social engineering being used to get users to infect their computers, fall for hoaxes, and disclose their personal and financial data to scammers and malware authors.
  • Increased Cyber Blackmail
    In 2006 I expect that this will also include the threat of infecting systems with new worms/viruses and more cyber-hostage malware. 2005 saw a number of cases of malware encrypting data and demanding a ransom. There were a number of high profile DDoS attacks during the second half of 2005 and it seems that organised crime has moved their protection rackets in to the digital world.
  • SPAM will continue to grow
    Despite the recent legislation passed in both the UK/EU and the US and even allowing for the arrests/prosecutions of spammers in 2005, the growth in risk of being caught will be offset by the increasing use of bot nets as spam proxies.


The Less Obvious Ones:

  • Increase in Spyware and Adware as a problem in the corporate space
    Many companies currently don’t realise that they have a problem. This is expected to be one of the major areas of growth in 2006, both from the malware/spyware/adware authors and security solutions to counter the threat. If you don’t believe me just ask the average home user.
  • Mobile malware will continue to grow
    I expect that it will follow the same pattern that we have seen in the past with both DOS and Windows malware; however, I expect that the timeframe will be significantly shorter.
  • Increasing use of rootkit and or stealth/cloaking technology
    Use of this technology can effectively make malware almost invisible to most current anti-virus and anti-spyware tools. I also expect that we will start to see a growth in true polymorphic and stealth Windows malware as malware authors try to hide from anti-malware tools.
  • Bots and botnets will continue to be the tool of choice for cyber-criminals
    What we will see in 2006 is a further move from using IRC for command and control to other methods, such as web servers running SSL [encrypted] command and control systems. We may also see encrypted peer-to-peer [P2P] networks created by bot/botnet creators as IRC server owners crack down on misuse of their servers. Furthermore, the increasing use of IPS/IDS to detect botnet IRC traffic will force the bad guys to move to encrypted protocols in an attempt to defeat these technologies.
  • Exploit code auctions to become common-place
    At the end of 2005 there was evidence that so-called zero-day exploit code was being offered for sale by authors. This was effectively an auction. It seems clear that this will become a common occurrence during 2006, as organised criminals look for new ways to gain access to targeted systems.
  • Broadening of Operating Systems and platforms being targeted
    It has become clear over the last few years that malware authors are increasingly looking at operating systems other than Windows. The amount of Linux malware is increasing steadily as authors search for effective ways to target it. The same has been happening on the Apple Mac platform. We will see more, and increasingly complex and successful, malware for Linux and Mac operating systems during 2006.

Agree, disagree with these? Have your own predictions? If so, that’s what the comments function is for, use it. ;-)



Thursday 23rd February, 2006


Patch Me Up!

Filed under: All, Malware, Exploits, Tools

According to a new survey ‘Two-thirds of U.K. businesses fail to patch‘ their Windows desktops and servers. An older survey found ‘Patch Management An Ongoing Challenge For Many Companies‘ with ‘only about one in five completely ready for the next virus attack‘. Why is this a problem?

Well read on, and all will hopefully be made clear:

Over the last few years we have seen the window between a vulnerability being announced and malware exploiting it shrink from years to months, weeks and more often now just a few days[1]. So, this area needs to be addressed in the fight against malware and spyware as many use known vulnerabilities [which have patches available] to gain access to vulnerable systems.

Some of these vulnerabilities may be used when you visit a website which uses exploit code that your system is not yet patched against. These are commonly called ‘drive-by-downloads‘ or ‘drive-by-infections’. In most of these types of attacks, such as those using the WMF vulnerability, you may not even be aware that your computer has become infected. There is no warning, no download prompt, nothing to warn you or tip you off that something nasty and underhand has taken place during your visit to the site.


So, what can you do?
For home systems, and those not already managed via third party or in-house patch management tools, you should at the very least ensure that all Windows systems are set to automatically check the Windows Update website at least once a week. If your systems run Windows 2000, 2003 or XP, make sure you enable the Windows Update service via Automatic Updates. This will ensure that updates are automatically downloaded and installed on those systems.

If you or your customers prefer to control when Windows updates are deployed across their networks, then you could use the Microsoft Software Update Server [SUS].

Here is some data on SUS from the Microsoft site:

SUS is a version of Windows Update designed for organizations that want to approve each software update before installing them. SUS allows administrators to quickly and easily deploy Windows related security updates and critical updates to any computer running Windows 2000, Windows XP Professional, or Windows Server 2003 systems. SUS includes the following capabilities:

  • Software updates can be approved on each SUS server, enabling testing in a separate environment as well as phased deployments across an enterprise.
  • SUS clients, which are the same as the Automatic Update component described earlier, can be configured to download software updates from the SUS server (saving bandwidth on shared Internet connections), or directly from Windows Update.
  • Software updates can also be copied onto a CD-ROM from an SUS server connected to the Internet, and then transferred to an SUS server in a protected network with no Internet access.

SUS servers require Windows 2000 Server or Windows Server 2003, IIS, and port 80 communications with SUS clients. SUS servers can be configured to synchronize software update packages and approvals either manually or automatically from a parent SUS server (or from Windows Update), enabling flexibility in how the environment is maintained.
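To check whether a client is actually configured as described above (Automatic Updates enabled, downloading and installing on a schedule, and optionally pointed at an SUS server rather than straight at Windows Update), here is an added PowerShell audit-and-fix script; it is not from the original post or from Microsoft. It reads the documented Windows Update policy and local registry values; the SUS server URL is a placeholder you would replace with your own.

```powershell
# Added example (not from the original post): audit, and optionally correct, the
# Automatic Updates configuration of a Windows client. Registry paths and value
# names are the documented Windows Update policy/local keys; run as Administrator.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Documented meanings of the AUOptions value; 2 is the weak setting (nothing
# installs until a user acts), 4 is the one the post recommends in effect.
$AUOptionText = @{
    2 = 'Notify before download (weak: nothing installs until a user acts)'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install (recommended)'
    5 = 'Required, user may change schedule'
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null rather than throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-AutoUpdateStatus {
    # Policy (GPO/SUS) values take precedence over the local Auto Update settings
    $source  = 'policy'
    $noAuto  = Get-RegValue "$PolicyKey\AU" 'NoAutoUpdate'
    $options = Get-RegValue "$PolicyKey\AU" 'AUOptions'
    if ($null -eq $options) {
        $source  = 'local'
        $noAuto  = Get-RegValue $LocalKey 'NoAutoUpdate'
        $options = Get-RegValue $LocalKey 'AUOptions'
    }
    $useWU = Get-RegValue "$PolicyKey\AU" 'UseWUServer'
    $wuSrv = Get-RegValue $PolicyKey 'WUServer'
    $svc   = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue

    $optText = 'not configured'
    if ($null -ne $options) {
        if ($AUOptionText.ContainsKey([int]$options)) { $optText = $AUOptionText[[int]$options] }
        else { $optText = "unknown value $options" }
    }
    $server = 'Windows Update (Microsoft)'
    if ($useWU -eq 1 -and $wuSrv) { $server = $wuSrv }

    New-Object PSObject -Property @{
        Source        = $source
        Enabled       = (($noAuto -ne 1) -and ($null -ne $options))
        Option        = $optText
        UpdateServer  = $server
        ServiceStatus = $(if ($svc) { $svc.Status } else { 'wuauserv not found' })
    }
}

function Set-AutoUpdatePolicy {
    param([int]$Day = 0,       # 0 = every day, 1..7 = Sunday..Saturday
          [int]$Hour = 3,      # 0..23, local time
          [string]$SusServer)  # placeholder, e.g. 'http://sus.example.local'
    # Writes the same policy values a Group Policy Object would set
    if (-not (Test-Path "$PolicyKey\AU")) { New-Item -Path "$PolicyKey\AU" -Force | Out-Null }
    Set-ItemProperty -Path "$PolicyKey\AU" -Name 'NoAutoUpdate'         -Value 0     -Type DWord
    Set-ItemProperty -Path "$PolicyKey\AU" -Name 'AUOptions'            -Value 4     -Type DWord
    Set-ItemProperty -Path "$PolicyKey\AU" -Name 'ScheduledInstallDay'  -Value $Day  -Type DWord
    Set-ItemProperty -Path "$PolicyKey\AU" -Name 'ScheduledInstallTime' -Value $Hour -Type DWord
    if ($SusServer) {
        Set-ItemProperty -Path $PolicyKey       -Name 'WUServer'       -Value $SusServer -Type String
        Set-ItemProperty -Path $PolicyKey       -Name 'WUStatusServer' -Value $SusServer -Type String
        Set-ItemProperty -Path "$PolicyKey\AU"  -Name 'UseWUServer'    -Value 1          -Type DWord
    } else {
        Set-ItemProperty -Path "$PolicyKey\AU"  -Name 'UseWUServer'    -Value 0          -Type DWord
    }
    Restart-Service -Name 'wuauserv' -ErrorAction SilentlyContinue   # pick up the new settings
}

Get-AutoUpdateStatus | Format-List
```

Run `Get-AutoUpdateStatus` first; only call `Set-AutoUpdatePolicy` on machines that are not already managed by Group Policy or a patch management tool, since those will overwrite the policy key at the next refresh.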

There are lots of other third party patch management systems available, and some companies create their own instead of using off-the-shelf patch management tools.

Below are links to articles covering other solutions:

[1] There have been a number of malware samples using so-called ‘Zero-day’ exploits. In this case there is no patch from the vendor to actually fix the hole in the operating system or application, and other mitigation techniques are required to partially, or ideally completely, manage the situation until a patch becomes available. An example of this would be the WMF exploit that surfaced in December 2005, but was not patched by Microsoft until January 2006.

And now for something completely different, but related:
I have blogged about rootkits previously, but I came across a new one recently that I’d never heard of before.

The difference is this one is not a piece of malicious software, actually it is a band named ‘Root Kit‘ from Sydney, Australia. The fun thing is that they have just released a music video cheekily called ‘Patch Me Up‘, hence the title of this entry, and it has lots of security buzzwords in it. Normally I’d just ignore such trivia, however the video is quite good and the song is catchy. There are a few comedy moments in there too.

Let me know what you think of it.

Oh, you want a link to it? No problem, here you go, via Google: http://video.google.com/videoplay?docid=9151435244001559688

If you prefer to download it, you can via this link: http://www.rootkitonline.com/NetNuke/Download/tabid/55/Default.aspx



Thursday 5th January, 2006


More WMF Malware Developments

Filed under: All, Malware, Exploits

A number of new developments have come to light in the mysterious case of the WMF vulnerability:

First off, the people behind MetaSploit have updated their exploit code again; the latest version allows lots of random data to be used to create malicious WMF files. This is a ‘bad thing [TM]‘ and will only lead to more malware using the WMF vulnerability.

Secondly; the ‘bad guys [TM]‘ are experimenting with other ways to use this vulnerability, as this snippet from the Kaspersky web log shows:

At the moment, the number of different WMF exploits we’ve seen has gotten well past a hundred and more are coming every hour.

But that’s not the worst. The most recent exploits show that malicious users (bad guys) have been very, very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year.

On this note, Andreas Marx from [http://www.av-test.org] posted the following on Bugtraq:

We have analysed some 100 malware WMF files and they can do almost anything. We saw download trojans, adware and spyware apps, backdoors, lots of bots (zombie programs), as well as password-spying programs which are looking for PINs and TANs for online banking attacks. I expect that some 1,000 websites are already compromised.

One of the malware apps we discovered on 2005-12-29 (some days ago!) already had a built-in infection counter at a (hidden) website, and we saw the number 233,000. This means that, a few days back, some 100,000 PCs seem to have been compromised already. Today, the website is still working, and has delivered more than 1,000,000 malware installation files already. With 1+ million PCs under your control, you can do almost everything!

This means, the issue is extremely critical, even if the current attack vector seems to be websites only. We already saw a few malware WMF files in e-mails, but not many. The chances are good, however, that we might see a worm in the next few days which spreads using WMF files and e-mail as infection vector. Well, I can’t understand why Microsoft is considering some 1,000,000 infections as being “not widespread”. And that’s the counter for just ONE special malware file!

Ilfak Guilfanov’s patch is now available from a number of ‘security’ sites; this is due to the fact that around half the planet has tried to download his patch from his own server, which caused his service provider to get upset. The new links to the patch appear below:

Microsoft have stated the following: “Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.” - Quoted from Microsoft Security Advisory (912840)

Now what was it that the captain of the Titanic is supposed to have said before the ship’s fateful maiden voyage? Oh yeah, that’s right: “Even God couldn’t sink this ship”.

Could this WMF vulnerability be Microsoft’s digital version of the fatal Titanic iceberg... only time will tell!

