MoMusings

Wednesday 20th December, 2006


November 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

As I didn’t get a chance to post this last week, I decided to do it now, even though I’m on holiday…

November has come and gone, and yet again it has been another very busy month for me. Winter still hasn’t really arrived in the UK: some farmers were still picking soft fruit at the start of December, which is normally all over by the end of October at the very latest. On the malware and related security threats front it has been an interesting month, with lots of phishing going on.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all their data comes from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 1280 samples during November, which have been catalogued as 51 distinct families and variants. In comparison, during October I captured 886 samples, which were catalogued as 53 distinct families/variants. As you can see, the captures in November are up on both October and even September.

During November I captured and submitted just 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

Although November was significantly up on October, the general trend is still downwards. The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments; where attachments are used, these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend, which started as a trickle at the start of the year, is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During November I reported over 3,300 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar, which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained pole position during November. Unlike October, where it lost ground, its percentage has increased from 40.5 percent in October to over 75 percent in November. Yet again, Tenga.3666 seems very intent on keeping pole position for itself.

The Mytobs have once more completely dropped out of the chart, after making a short lived re-appearance in October.

This disappearance of Mytob from October’s chart has allowed Netsky.P [aka Netsky.q] to regain the second place spot it gained in August. Another member of the Netsky family [Netsky.d] came into November’s chart in seventh place.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, have managed to halt this decline. They still account for four of the ten places in November. The four are: Tenga.3666 in pole, Opaserv.worm.ae in eighth, Opaserv.worm.ai in ninth and Opaserv.worm.ac in tenth.

Like the Mytobs, the Mydoom variants have completely dropped out of the top ten during November.

We have four new entries in November’s chart: three variants of the Warezov family [fb, fh and ev], in third, fourth and fifth spots respectively, and Mechbot.d, in sixth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply put, my sample capture systems collect data from multiple ‘vectors’ and combine it, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], November has seen the Mytob family make a modest comeback, after they completely disappeared from the top ten in October. The variants that managed to claw their way back into the top ten are Mytob.c and Mytob.t, in sixth and tenth respectively.

October’s pole position holder, Netsky.q, has slipped down to seventh and is joined by two other family members, these being Netsky.t, in fourth, and Netsky.aa, in ninth place.

Pole position in November has been stormed by Warezov.gj, which is a new entry, and it is joined by Warezov.ev in the runner-up spot [second], up from the fifth place it acquired in October when it entered the chart.

Nyxem.E is a re-entry in third place, back in after dropping out of the top ten in October.

Scano.gen drops from fourth to fifth, and the final member of the top ten is Zafi.b, back in at eighth place.

There are no Bagles or Mydoom family members in November’s chart.

In the SOPHOS chart we see a different pattern: Netsky.p has slipped from pole in October to second spot in November. Its pole position has been stolen by W32/Stratio-Zip [aka Warezov], which was a new entry in October’s chart.

Zafi.b has made a significant climb up the chart in November from eighth up to fourth place and is joined by another member of the family, Zafi.D, in tenth. Nyxem.D [aka MyWife] has also climbed back up the chart from ninth to sixth place.

Only one member of the Mytob family has managed to stay in the top ten in November, this being Mytob.C, dropping from sixth to eighth place. Netsky [D] has further consolidated its hold on fifth place.

Mydoom has made a re-entry, in this case Mydoom.O, back in at seventh.

There is only one new entry in November’s chart, this being W32/Sality.AA.

To complete this month’s top ten we have W32.Bagle-Zip, which was a new entry in June’s chart, climbing back up the chart to third place, which it originally grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has bounced back from its fall to just 40.5 percent in October to account for over 75 percent of the November pie. Mytob has once more dropped out of the chart after making a brief appearance in October’s chart. Opaserv has regained the second place which it lost in October, when it was in third spot. Netsky has further consolidated its hold on fourth. Mydoom also makes it back into November’s chart, in eighth place, after dropping out of the top ten in October. Dupator is up one space from seventh to sixth place.

Warezov jumps from fifth place up to third in November’s chart and is making its presence felt as part of the reason for the massive increase in spam we are all seeing.

Bagle slips down the chart from sixth to seventh and Downloader slips from eighth to tenth place.

New entries include Mechbot and Small, in at fifth and ninth places respectively.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of November] here. This clearly shows that November was significantly down from September’s relative high. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 220,091 [as at the end of November 2006]. That’s a growth of 51,284 new malware strains and/or variants so far this year. We could see over 55,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, are topical, or cover some of the interesting occurrences in October 2006.

Conclusions:
Spam appeared to drop during November, with both 419s and Phishing scams recovering slightly from their fall in October. Malware [via e-mail] also continued to drop during November. However, the amount of ‘personal’ mail to my ‘personal’ mail server rose by over 10,000 during the same period. Could this rise be skewing the figures?

Spammers are still increasing their use of graphical spam, which is harder for anti-spam tools to identify without OCR or other technologies. Not only are they moving to graphical spam, but, to defeat simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots, colour maps and other graphical artefacts, such as geometric shapes and random borders.

Links:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Friday 15th December, 2006


‘Tis The Season To Be …

Filed under: All, Scams, Spam

Scammed, Spammed, or Both at the same time.

As it is the season for giving gifts and thinking of others less fortunate than ourselves, I was somewhat surprised when I received the following email:

However, I was even more surprised when I looked at the e-mail in more depth, and at the website being linked to from the e-mail.

First off, the e-mail body was a graphic, not ASCII text. This immediately set off alarm bells in my mind, as this is the most widespread trick currently being used by spammers, especially those that send out spam using botnets.

Secondly, I was receiving dozens of copies of the e-mail, but they all had different forged From addresses and subject lines, another sure sign that it is the work of a spammer, a scammer or malware.

If you went to the site [which is now down], this is what you would have seen:

Very slick, very professional… Of course, what they have done is merge the content of two other ‘real’ sites to make this ‘fake’ one.

Even the donation button goes to a ‘real’ payments handling service, which I’m sure had no idea that it was to be used to con people, getting them to part with their money by using a despicable social engineering trick: that of sick children who need help.

Talking of spam, I seem to remember that at the start of 2004 Bill Gates said that the spam problem would be solved within two years… Guess again, Bill!

Jan. 24, 2004, Gates told a group at the World Economic Forum that “two years from now, spam will be solved.”

The spam problem will only be solved when two things happen:

  1. People stop buying products being offered via spam.
  2. The companies that use spammers to hawk their wares are prosecuted, fined or taken to court. Or are made to pay in some other way.

Anyone got any other suggestions for what we should do to the spammers? I was thinking along the lines of cruel and unusual punishments, such as getting them to read every spam e-mail sent out by them over a year out loud, whilst being physically spammed with real ‘SPAM’ ;-)

Don’t even ask what I’d like to happen to the scammers…

To all of you out there that are not spammers, scammers, malware authors, cyber-criminals [or normal criminals too] I would like to wish you a very Happy Christmas and a prosperous new year. If you don’t celebrate Christmas, then happy holidays.


Tuesday 28th November, 2006


An Honest Spammer?

Filed under: All, Scams, Spam

Is this the first case of an honest spammer, or is it just a case of incredible cosmic irony? You decide…

Here is a screenshot of a typical ‘pump-and-dump scam’ spam e-mail spotted by my colleague Darren today:

A larger version can be found here.

As you can see, it is a typical spam e-mail offering stocks that the spammers/scammers have bought and are trying to inflate before they dump them and take a profit, leaving all the other new investors out of pocket as a result of their actions.

However, that is not what is important in this case.

Did you notice the chunk of text below the ‘—’?

This is taken from news sites, so it should be topical news at the time the spam e-mail is created. This type of text is added to try and get the spam past anti-spam filters, but in most cases it doesn’t work. In this case, though, the final news piece added is so ironic that you almost think it had to be added on purpose, just to raise a smile if nothing else.

I have highlighted the pertinent section of the e-mail to make it clear which news item I’m on about.

So, what do you think: is it a case of cosmic irony, karma, fate, etc.? Or is it a case of a spammer honestly trying to warn the recipient? Nah, scratch that; there are no spammers with that level of concern for their victims. They are only interested in how much money they can make for themselves; worrying about swamping the Internet and users’ mailboxes with the ‘crud’ they are peddling just doesn’t come into the equation.


Wednesday 22nd November, 2006


October 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

October has come and gone, and it has been another very busy month for me. On the malware front it has been an interesting month, with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all their data comes from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 886 samples during October, which have been catalogued as 54 distinct families and variants. In comparison, during September I captured 1226 samples, which were catalogued as 43 distinct families/variants. As you can see, the captures in October are down from those of September.

During October I captured and submitted 3 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments; where attachments are used, these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend, which started as a trickle at the start of the year, is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During October I reported 140 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar, which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained pole position during October. However, its percentage dropped, yet again, from 57 percent in September to only 40.5 percent in October. Even allowing for this drop, it seems very intent on keeping pole position for itself.

The Mytobs are definitely back. In August they completely dropped out of the chart, but one member of the family managed to storm back into the chart in September, grabbing second place. In October, Mytob.AC managed to keep hold of second spot, despite a number of challengers.

This reappearance of Mytob knocked Netsky.P from the second place it gained in August back to third in September, and, like Mytob.AC, it has consolidated its hold on this spot. Another member of the Netsky family [Netsky.AB] came into October’s chart in fifth place.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, have managed to halt this decline. They still account for four of the ten places in October. The four are: Tenga.3666 in pole, Opaserv.worm.d in sixth, Opaserv.worm.ae in eighth and Dupator.1503 in ninth.

Mydoom reappeared in the chart during July, with W32/Mydoom.o@MM jumping into fifth spot. During October it regained one more place from September, up from eighth to seventh.

The two new entries from September, known as IRC.Flood.b and ev [McAfee], have fallen back out of the top ten during October. They have been replaced by Warezov.gen3!W32DL and Bagle.fc!pwdzip in fourth and tenth places respectively.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply put, my sample capture systems collect data from multiple ‘vectors’ and combine it, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], October has seen the Mytob family completely disappear from the top ten. In September it held four places out of the top ten.

Lovegate.w also falls out of the top ten in October, along with Nyxem.E, which was a new entry in June’s chart and had been in the top ten until now. Only one Netsky family member has survived the top ten shake-up that occurred in October, this being Netsky.q, which grabs pole.

Only one of the two new entries from September, both from the Scano family, has managed to stay in the top ten in October, this being Scano.gen, in fourth, with the aq variant replaced by another family member, the e variant, in tenth. Both of these variants arrive attached to a spammed e-mail message; the attachment is the virus. Scano does not spread on its own.

New entries this month include three members of the Warezov family, these being Warezov.dn in third spot, Warezov.ev in fifth and Warezov.dc in seventh.

The rest of the chart is made up of Bagles [Bagle.gen in third and Bagle.mail in sixth] and Mydooms [Mydoom.l in eighth and Mydoom.m in ninth].

In the SOPHOS chart we see a different pattern: Netsky.p has further consolidated the number one slot which it lost in March and grabbed back in April. Zafi.b consolidated its place in eighth. Nyxem.D [aka MyWife] has slid down the chart from fourth to ninth. Mytob.AS has further consolidated its second place in the top ten, having stormed up the chart from fourth spot in June, and we see two other Mytob family members in the top 10, these being C in sixth and E in tenth place. Another Netsky [D] consolidates its hold on fifth place. All members of the Mydoom family have fallen out of the top ten this month.

As with both my own top ten and the top ten from Kaspersky, we have a couple of new entries, these being Stratio-Zip and Stratio-AY. Stratio is SOPHOS’s name for the Warezov family, which is at least partially responsible for the recent jump in the amount of spam, but more on that next month.

To complete this month’s top ten we have W32.Bagle-Zip, which was a new entry in June’s chart and which slides down the chart from the third place it grabbed in July to fourth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has finally dropped from 57 percent in September 2006 to just 40.5 percent in October. Mytob is up one place to second, after disappearing altogether from the chart in August and coming back in September in third. Opaserv has slipped down one place from second to third place. Netsky has consolidated its hold on fourth. Mydoom drops out of the top ten. Dupator is up one space from eighth to seventh spot. Warezov is static in fifth place.

New entries include Downloader, Zapchat and Agent, in at eighth, ninth and tenth places respectively.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of October] here. This clearly shows that October was significantly down from September’s relative high. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 217,151 [as at the end of October 2006]. That’s a growth of 52,362 new malware strains and/or variants so far this year. We could see over 60,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in October 2006.

Conclusions:
Malware, 419s and phishing scams have shown a significant drop in numbers during October; however, this may not be all it seems, as the amount of spam has grown almost fourfold in the same period.

Spammers are still increasing their use of graphical spam, which is harder for anti-spam tools to identify without OCR or other technologies. Not only are they moving to graphical spam, but, to defeat simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots; this ensures that this type of filtering is side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. The latest trick is to use PNG files instead of GIFs, and also to use a graphic for each letter of the alphabet, a sort of digital version of a ransom note cut from newspapers, but more on that next month.
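The micro-dot trick described here (and again in the conclusions of the November review above) only defeats filters that compare an exact checksum of the image bytes. The following added Python example, which is not code from this blog or from any anti-spam product, shows why: a constructed 64x32 greyscale "spam graphic" gets a handful of randomly placed pixels changed, its SHA-256 digest changes every time, but a simple perceptual hash (8x8 block-average fingerprint with a Hamming-distance threshold, both constructed assumptions here) still matches the original. Pixel values, dot count and the threshold of 5 bits are all my own choices for the demonstration.

```python
import hashlib
import random
from typing import List

Image = List[List[int]]  # greyscale raster: rows of pixel values 0-255

WIDTH, HEIGHT = 64, 32


def make_spam_image() -> Image:
    """Constructed sample standing in for a rendered spam graphic:
    a light background with a dark rectangular 'text' band."""
    img = [[220] * WIDTH for _ in range(HEIGHT)]
    for y in range(10, 22):
        for x in range(8, 56):
            img[y][x] = 30
    return img


def add_micro_dots(img: Image, seed: int, count: int = 12) -> Image:
    """Copy of `img` with `count` pixels overwritten with random values,
    mimicking the per-copy micro-dots that make every sent image unique."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(count):
        x, y = rng.randrange(WIDTH), rng.randrange(HEIGHT)
        out[y][x] = rng.randrange(256)
    return out


def exact_hash(img: Image) -> str:
    """Checksum of the raw pixel bytes: one changed pixel gives a new digest,
    which is why a blocklist of exact hashes never matches the next copy."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def average_hash(img: Image, grid: int = 8) -> int:
    """Simple perceptual hash: split the image into grid x grid blocks,
    take each block's mean brightness, and set a bit for every block
    brighter than the overall mean. Isolated pixel changes barely move
    a block mean, so the 64-bit fingerprint survives the micro-dots."""
    bh, bw = len(img) // grid, len(img[0]) // grid
    means = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x]
                     for y in range(gy * bh, (gy + 1) * bh)
                     for x in range(gx * bw, (gx + 1) * bw)]
            means.append(sum(block) / len(block))
    overall = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m > overall else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def is_near_duplicate(a: Image, b: Image, threshold: int = 5) -> bool:
    """Treat two images as the same campaign graphic when their
    perceptual hashes differ in at most `threshold` bits (assumed cut-off)."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


if __name__ == "__main__":
    original = make_spam_image()
    copies = [add_micro_dots(original, seed) for seed in range(3)]
    digests = {exact_hash(original), *map(exact_hash, copies)}
    print("distinct exact digests for 4 copies:", len(digests))
    print("perceptual distances from original:",
          [hamming(average_hash(original), average_hash(c)) for c in copies])
```

The same idea scales to real mail: store the perceptual fingerprint of each confirmed spam image and compare incoming attachments by Hamming distance rather than by exact digest, so that each randomised copy of a campaign graphic still hits the blocklist.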

Links:


Friday 10th November, 2006


Massive Jump in Spam

Filed under: All, Malware, Stats, Spam

I have written a number of blog entries about the newer tricks being used by those that love to clog up the Internet and, more personally, our inboxes with the scourge of spam!

We have been seeing a rather massive increase in the quantity of spam, as well as more graphical spam, which the spammers seem to be using more and more in place of ASCII text, HTML and the usual obfuscation tricks and techniques to try and fool the anti-spam tools many of us use.

Just to prove the point that spam has increased, here is a chart that clearly shows the current increase [Source: David Hart]:

The full chart can be found here on David’s own web site.

Here is a very sobering quote from an article in ‘The Register’ about this massive rise: ‘Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.’

If you don’t believe this, then here’s another article with other people saying much the same thing.

What’s behind this massive surge? Well, no prizes for guessing that the main culprits are the many botnets that are increasingly being used to send out the vast swathes of spam we are seeing. However, there have been two new malware strains that may also be, at least partially, responsible for the recent and sudden increase. The new malware in the spotlight are the SpamThru trojan and the massive number of variants of Warezov.

If you want to see how bots are used to send spam, then take a look at this blog article from the McAfee AVERT Labs blog.

So, now that we know the probable causes of the massive increase in spam, let us look at the latest tricks being used by those hated miscreants, the spammers:

All the following screenshots of actual spam e-mails I have personally received have been sanitised to hide the e-mail addresses that received them [mine]; this is to stop spammers sending me even more spam than they do now [over 93 percent of all mail I now get is spam], and secondly to avoid assisting them in advertising the websites they sell their ‘crud’ from.

Here is a screenshot of a new hybrid spam [graphical and text] that I’m seeing quite a lot of right now:

A larger version can be found here.

This particular spam is using multiple tricks: a graphic with the actual spam message [in this case each letter, in a coloured box, is a separate graphic], and text taken from books or websites above and below the image file[s]. Why? Well, this is a common trick to try and fool anti-spam filters, especially, in this case, Bayesian classifiers. They have even thrown in a string of random characters, just to try and confuse filters, or so they think!
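To show why the padding of book text dilutes a naive Bayesian classifier, and the standard mitigation of scoring only the most significant tokens (the approach Paul Graham described in ‘A Plan for Spam’), here is an added Python example. It is not the author’s Bayesian filter; the two tiny training corpora, the filler paragraph, the unseen-token probability of 0.4, the 0.02/0.98 clamp and the top-15 cut-off are all constructed assumptions for the demonstration. Tokens are counted once per message, as a real filter would.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed training corpora (not real mail) standing in for a user's
# spam and ham folders.
SPAM_TRAINING = [
    "cheap pills online order now",
    "order cheap meds online now and save",
    "hot stock pick buy now",
    "discount pills buy online today",
]
HAM_TRAINING = [
    "meeting tomorrow about the project report",
    "please review the attached report before the meeting",
    "lunch tomorrow with the team and the manager",
    "the project schedule is attached",
]

UNSEEN_PROB = 0.4            # assumed probability for a token never seen in training
CLAMP_LO, CLAMP_HI = 0.02, 0.98  # no single token is allowed to be absolutely decisive


def tokens(text: str) -> Set[str]:
    """Unique lower-case word tokens; duplicates within one message count once."""
    return set(re.findall(r"[a-z]+", text.lower()))


def train(spam: List[str], ham: List[str]) -> Dict[str, float]:
    """Per-token spam probability from document frequencies: the fraction of
    spam messages containing the token versus the fraction of ham messages."""
    spam_df = Counter(t for msg in spam for t in tokens(msg))
    ham_df = Counter(t for msg in ham for t in tokens(msg))
    probs = {}
    for t in set(spam_df) | set(ham_df):
        sf = spam_df[t] / len(spam)
        hf = ham_df[t] / len(ham)
        probs[t] = min(CLAMP_HI, max(CLAMP_LO, sf / (sf + hf)))
    return probs


def spam_score(text: str, probs: Dict[str, float],
               top_n: Optional[int] = None) -> float:
    """Combined spam probability by summing per-token log-odds.
    With top_n set, only the top_n tokens whose probability lies furthest
    from 0.5 are combined, so a flood of neutral filler words cannot
    outvote a few strongly spammy ones."""
    ps = [probs.get(t, UNSEEN_PROB) for t in tokens(text)]
    if not ps:
        return 0.5
    if top_n is not None:
        ps = sorted(ps, key=lambda p: abs(p - 0.5), reverse=True)[:top_n]
    log_odds = sum(math.log(p / (1 - p)) for p in ps)
    return 1.0 / (1.0 + math.exp(-log_odds))


PROBS = train(SPAM_TRAINING, HAM_TRAINING)

# Constructed message: the real pitch, then a paragraph of unrelated prose
# of the kind lifted from books or websites.
SPAM_BODY = "cheap pills online"
FILLER = ("it was a grey morning the river lay still beneath the bridge while "
          "the old ferryman waited for passengers who never came he remembered "
          "the summer when the water ran high the village children swam past the mill")


def classify_examples() -> Dict[str, float]:
    """Scores for the plain pitch, the padded pitch scored over every token,
    and the padded pitch scored over only its 15 most significant tokens."""
    padded = SPAM_BODY + " " + FILLER
    return {
        "plain_all": spam_score(SPAM_BODY, PROBS),
        "padded_all": spam_score(padded, PROBS),
        "padded_top15": spam_score(padded, PROBS, top_n=15),
    }


if __name__ == "__main__":
    for name, score in classify_examples().items():
        print(f"{name:13s} spam probability = {score:.4f}")
```

Scored over all tokens, the thirty-odd filler words (each slightly hammy because they were never seen in spam) drag the padded message below 0.5, which is exactly the effect the spammers are after; restricting the combination to the fifteen most extreme tokens keeps the three pitch words in charge and the message stays well above 0.9.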

Here is a screenshot of a new graphical spam, which uses a new technique to try and slip past anti-spam filters. As with the previous example, I’m seeing quite a lot of this right now:

A larger version can be found here.

The above graphical spam is different from what we have seen so far in that, unlike previous graphical spam, it doesn’t rely on a hyperlink [URL] in the body of the e-mail; again, this move is to try and make the job of filtering out spam harder. Instead, the graphical spam tells you to manually type the URL into your browser to go to the site being advertised. The URL in the displayed box is even animated, showing one character at a time, as if it were being typed.

There is a variant of the one above, that uses the ‘random text/sentence’ trick from the first example, as well as the graphic seen in the second example.

Did you think that, because of the rise in the use of graphic-based spam, ASCII or HTML based spam was dead? Well, think again. It is diminishing; however, as the following screenshot of ASCII based spam shows, the spammers still use it and it can still bypass anti-spam filters:

Yes, it is just ASCII text characters, apart from the URL at the top, which takes you to their website.

So, how do we defeat the spammers and get our inboxes back? Well, I covered a number of tricks and tools in my blog posting entitled ‘Do You Like SPAM?’

As a final thought on how the spammers can be defeated, here’s a quote, again from ‘The Register’ article mentioned previously: Hart argues that, if no one bought the goods hawked by spammers, then the incentive for bulk emailers would rapidly go away. The message is simple, he added.

“If you don’t like spam, then don’t do business with spammers.”

If this sounds familiar, well, regular readers of this blog will know that I said the same thing quite a while ago [almost 16 months ago to be exact]; here it is: ‘Never buy anything from a SPAM e-mail, it will only make the problem worse.’ Yes, it is from the ‘Do You Like SPAM’ entry I mentioned above; how’s that for a good tie-in? ;-)


Monday 30th October, 2006


September 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

Following hot on the heels of the August Malware Review, here is the Monthly Malware Review for September 2006, just in time for me to think about starting the process all over again for the October Malware Review!

September has come and it has been a very busy month for me, writing and updating a number of presentations, one for the Virus Bulletin conference, one for the University of Warwick and one for a customer visit. This is on top of my usual work! On the malware front it has been an interesting month with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all their data comes from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.

In total I captured 1226 samples during September, which have been catalogued as 43 distinct families and variants. In comparison, during August I captured 948 samples, which were catalogued as 40 distinct families/variants. As you can see, the captures in September are back up a bit.

During September I captured and submitted just 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The main reason for this general downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments; where attachments are used, these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend, which started as a trickle at the start of the year, is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During September I reported 85 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during September. However, its percentage dropped from 72 percent in August to only 57 percent in September. Even allowing for this drop it seems very intent on keeping pole position for itself.

The Mytobs are back. In August they completely dropped out of the chart, but one member of the family has managed to storm back into the chart in September, grabbing second place.

This reappearance of Mytob knocked Netsky.P from last month’s second place, back to third. Another member of the Netsky family [Netsky.c] came into September’s chart in fourth place.

Interestingly, the share-crawling worms suffered a decrease in their numbers; down from seven of the ten slots in August to just four in September.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During September it fell down the chart again, to eighth.

We have two new entries this month, known as IRC.Flood.b and ev [McAfee]. These jumped into the chart in fifth and sixth places respectively. These IRC flooders are included as part of a multi-component self-extracting archive [using RAR]. These are commonly being disguised as links to ‘e-cards’. However, when the link is clicked on and the alleged ‘e-card’ is launched, instead of seeing an electronic greeting card, the downloaded file un-archives the files contained inside it and installs several pieces of malware, including bot components, rootkit files and IRC flooders. This underlines the move by the malware authors back towards using Trojans as their preferred malware type.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month has seen the Mytob family once more grab four places out of the top ten, this is down from six in August.

In pole position we still have Mytob.c, which was also number one for the last six months. Lovegate.w moves up one place from fourth to third place. Nyxem.E which was a new entry in June’s chart has consolidated its hold on second place. Netsky.b drops from the third slot it grabbed in July and August to fifth, and is joined by another member of its family, Netsky.t in ninth place.

We have two new entries in September, both from the Scano family, both of these [gen and aq in fourth and eighth respectively] arrive attached to a spammed e-mail message, the attachment is the virus. Scano does not spread on its own.

The rest of the chart is made up of Mytob variants [t, u, and w] in sixth, seventh and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot which it lost in March and grabbed back in April. Zafi.b slides back up one place from ninth to eighth. Nyxem.D [aka MyWife] has further consolidated its place in fourth. Mytob.AS has further consolidated its second place in the top ten, it stormed up the chart from fourth spot in June and we see two other Mytob family members appear in the top 10; these being E and C in sixth and seventh place respectively. Another Netsky [D] consolidates its hold on fifth place. We have two members of the Mydoom family in the top ten again this month, these being Mydoom.O which slips from eighth to ninth spot and Mydoom.AJ which just gets in to the chart in tenth. To complete this month’s top ten we have W32.Bagle-Zip which was a new entry in June’s chart and which consolidates the third place it grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has finally dropped from 72 percent in August to just 57 percent in September. Mytob is back in the chart at third place after disappearing altogether from the chart in August. Opaserv has further consolidated its grip on second place. Netsky is down one place from third to fourth. Mydoom slips from the fifth place it managed to grab in July and August to sixth. Dupator is static in eighth spot. IRC Generic Flooder slips from fourth to seventh. New entries IRC Flood and Warezov come in at fifth and tenth places respectively. Kapser aka Mywife.D has re-entered the top ten this month in ninth place.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of September] here. This clearly shows that September was the busiest month since June. The overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 213,407 [as at the end of August 2006]. That’s a growth of 48,616 new malware strains and/or variants so far this year. We could see over 60,000 by the end of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in September 2006.

Conclusions:
Malware picked up slightly in September along with spam, however both 419 and phishing scams have shown a small drop in numbers. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

Rootkits will be covered in more depth in next month’s report, including a link to a paper I will present at the Virus Bulletin 2006 conference in October.

As shown elsewhere in this report spammers are increasingly moving to using graphical spam as it is harder for anti-spam tools to identify without the use of OCR technologies; not only are they moving to graphical spam but to stop simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots; this ensures that this type of filtering would be side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. The latest trick is to use PNG files, instead of GIFs.

Links:


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

Friday 27th October, 2006


Virus Bulletin 2006 Conference Review

Filed under: All, Malware, Papers, Scams, Spam

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2006 conference, which was held at the Fairmont Queen Elizabeth Hotel in Montreal, Canada, between the 11th and 13th of October [Yes, that was a Friday; Friday the 13th, and knowing the recent spate of problems that the VB Conference has experienced since 2001, it seemed that they were tempting fate once more!] ;-)

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


Day 1 - Wednesday the 11th of October:

The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by Mikko Hypponen who gave his keynote speech, which was entitled ‘Case: Virus X‘, which he informed us he couldn’t now talk about due to legal restrictions. So, instead he did a presentation covering the major developments of malware since the start of the problem, almost exactly 20 years ago. It was a very interesting presentation, given in an unusual but very effective style. He used 164 slides in just 40 minutes!

The next session was also interesting, a presentation by Rob Murawski of the CERT Coordination Centre on ‘Data exfiltration techniques: how attackers steal your sensitive data‘. This talk sort of set the tone of the rest of the conference, as it covered cyber-crime, of which we would hear a number of talks about - from different perspectives.

After lunch, the conference split into its normal two stream mode; Corporate stream and Technical stream. Normally I spend most of the conference in the technical stream, but for a number of reasons I spent the rest of the first day in the corporate stream instead.

The first talk in the afternoon that I attended was a slightly controversial one to say the least, on user education, given by Stefan Gorling. His talk was entitled: ‘The myth of user education‘. The focus of his talk was on how it was “pointless” to try and educate end users.

The very next presentation was also on user education, given by Peter Cooper and entitled: ‘User education: teaching techniques and learning styles for damage limitation‘. This very ‘memorable‘ presentation approached user education from the opposite side, saying that anyone can be trained, given the right approach. The presentation was memorable for two reasons, it used a new technique that I hadn’t seen used before, the 10/20/30 method which Peter assured us would make it a memorable presentation, and secondly because just as he mentioned about his presentation being memorable his Mac laptop shut down! This led many of the audience to ask Peter after his talk whether this was purely coincidental or part of his presentation.

Then it was time for a tea break, which I used to setup my laptop for my presentation, which was the next one on the ‘Corporate stream‘. While I was setting up, I was asked for my opinion on ‘user education’ by a delegate, and I mentioned that I agreed with both of the previous speakers. I continued to say that I, like Stefan, thought that generally trying to educate end users on the technical side of malware was a waste of time; for most end-users anyway. But, that with infinite time and resources then they should be educated, but mainly on simple policies and procedures, rather than the specific details of a specific threat, which most of them are not interested in, or even want to know about. Only a few days later did I find out that the ‘delegate’ was a journalist; he never introduced himself and his badge was obscured, and I was distracted in setting up my laptop - slightly sneaky of him!

So, as you may have guessed by now, my presentation [’Rootkits: risks, issues and prevention‘] was next, however we started 5 minutes late. This meant I never got to use my last 3-4 slides. Overall, I think the presentation went well as I had a number of people approach me and tell me they had enjoyed it and/or discuss some aspects in more detail. I also received very positive feedback on the actual paper too.

My presentation was followed by Matthew Braverman, who spoke about ‘Behavioural modelling of social engineering based malicious software‘. This was another excellent presentation and rounded off the end of the first day in the ‘Corporate stream‘.

Later in the evening we had a welcome drinks reception, which gave us a chance to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way. Oh, and enjoy a drink or two to help keep the brain lubricated. ;-)

Day 2 - Thursday the 12th of October:

For the first three sessions of the second day, I decided to stay in the ‘Technical Stream‘, these were:

  • Full potential of dynamic binary translation for AV emulation engine - Presented by Jim Wu
  • Anti-rootkit safeguards and methods of their bypassing - Presented by Aleksander Czarnowski
  • Botnet tracking techniques and tools - Presented by Jose Nazario

The last two of these presentations caused quite a bit of discussion, especially Aleksander’s, which was picked up by the press and numerous articles appeared on specific points he raised about fooling Vista. His paper was also a really good technical look at rootkits, which sort of complemented my own one on the same subject.

For the next two sessions of the second day, I decided to switch back to the ‘Corporate Stream‘, these were:

  • The challenge of detecting and removing installed threats - Presented by Jason Bruce
  • Dirty money on the wires: the business models of cyber criminals - Presented by Guillaume Lovet

The last of these presentations caused quite a bit of discussion as Guillaume had a quote that claimed that cyber-crime was more profitable now to the ‘Mob‘ than drugs! I’ll post more on this when I get a copy of his slides.

After lunch, I decided to stay in the ‘Corporate stream‘, partly because I was chairing the first two sessions, and then the final two presentations on the ‘Corporate stream‘ were the most interesting. Oh, and then there was a panel discussion.

  • The game goes on: an analysis of modern spam techniques - Presented by Rob Thomas and Dmitry Samosseiko
  • Containing spam - the local challenge - Presented by Jay Goldin
  • Spy-phishing - a new breed of blended threats - Presented by Jamz Yaneza
  • Phishing trojan creation toolkits: an analysis of the technical capabilities and the criminal organizations behind them - Presented by Dmitri Alperovitch
  • Panel discussion: Anti-Spyware Coalition - working together to combat spyware - Chaired by Richard Baldry

As you can see the afternoon was full of spam and phish, and we’d already had lunch!

After this there was a special ‘Birds of a feather‘ session on tackling graphical spam, which was lively and very interesting.

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied, and more nerdy/geeky chat too. The after dinner entertainment was supplied by jugglers and acrobats and rounded off by a good band.

Day 3 - Friday the 13th of October:

The last day of the conference was ahead of us, the first two days had gone past so quickly, so much to digest, both physically and mentally! On the final day I was in the ‘Corporate stream‘ for the first three presentations and then switched back to the ‘Technical stream‘ for the rest of the day. The ones I attended on the corporate stream were:

  • Applying collaborative anti-spam techniques to anti-virus - Presented by Adam J. O’Donnell
  • The inspector: automating the forensic investigation of infected computers - Presented by John Morris and Eric Kedrosky
  • Can strong authentication sort out phishing and fraud? - Presented by Paul Ducklin

The last two were the most interesting with John and Eric showing how they had used free scanning/forensic tools to remotely inspect systems that were suspected of being infected. These tools were scripted and for the most part automated, nice work guys, and no I won’t be writing a paper on how to improve the system, this time! ;-)

Paul’s presentation was great and informative, as we have all come to expect from such a knowledgeable guy who is also a very animated presenter.

Switching back to the ‘Technical stream‘ for the final talk before lunch, I sat in on:

  • Macintosh OSX binary malware - Presented by Marius van Oers

During lunch the speakers photo was taken, here it is:



I’m right in the center of the front row [blue checked shirt and white trainers], next to me in the red sleeveless top is Michael Morgan and next to him is Morton Swimmer. The other side of me is Paul Ducklin and then Dr. Richard Ford. A full version of this picture, naming all of those in it, will be available on the Virus Bulletin site as soon as they have collated and commented on all the pictures they have from the conference and of Montreal itself.

After lunch I stayed on the ‘Technical stream‘, the presentations I saw were:

  • SymbOS malware classification problems - Presented by Dr Vesselin Bontchev
  • A deep look into Symbian threats - Presented by Robert X. Wang
  • Me code write good - the l33t skillz of the virus writer - Presented by John Canavan
  • Panel discussion: Fighting cybercrime: one size does NOT fit all! - ‘The Internet Strike Force’, led by David Perry

Although the presentations on Symbian were interesting there was little new information in them. The best of the afternoon session was the panel on Cybercrime led by the animated and funny Dave Perry in his ‘Internet Strike Force‘ bowling shirt.

And then it was the final session of the day, and of the whole conference:

  • Conference closing session - Presented by Helen Martin

All in all, this was a very good Virus Bulletin conference, although I felt that the ‘technical stream‘ was the poorest I had ever seen, with only a small number of interesting papers and presenters this year. However, this was offset by the number of excellent papers and presentations given on the ‘Corporate stream‘, and I’ve been at nine of the last eleven VB conferences. Even allowing for this, there is still nothing quite like a VB conference, and long may it continue! I’m already looking forward to next year’s and thinking up possible papers to submit abstracts for possible selection for VB2007, which will be held in Vienna, Austria!

And even though the conference ran on Friday the 13th, there were no problems, no disasters, outbreaks of diseases, hurricanes, confiscated mugs, and so on, it all went very smoothly - well apart from Peter Cooper’s Mac laptop that crashed on the first day; Wednesday the 11th, so it doesn’t count. And, there were no major virus/malware outbreaks either during VB, that in itself is rather spooky!

Just in case you didn’t spot the link to my paper, here it is again: Rootkits: Risks, Issues and Prevention ;-)

I would be keen to hear from others who attended VB2006, at least to find out what they thought of the conference content this year.



Monday 23rd October, 2006


August 2006 Malware Review

Filed under: All, Malware, Scams, Stats, Spam

Finally, here is the Monthly Malware Review for August 2006, better late than never? OK, I own up, I wrote it and then forgot to post it here, happy now? ;-)

August has come and you can feel the start of autumn in the air in the evenings and mornings. On the malware front it has been an interesting month with new techniques being used.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 4 years, Malware Bayesian Filter 3 years.

In total I captured 948 samples during August, which have been catalogued as 40 distinct families and variants. In comparison during July I captured 1358 samples which were catalogued as 42 distinct families/variants. As you can see the captures in August have fallen to the lowest since I started to record the samples I captured.

During August I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The main reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During August I reported 74 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during August. Its percentage jumped from 71 percent in July to 72 percent in August. It seems very intent on keeping pole position for itself.

Netsky.P jumped up from last month’s third place to second, replacing the Mytob variant that held it in July.

The Mytobs lost even more ground during August, completely dropping out of the chart.

The share-crawling worms increased their position from July gaining an extra slice of the pie, up from six to seven. The Opaserv family also increased its hold on the top ten accounting for six of the seven places taken by share-crawling worms and bots.

Mydoom reappeared in the chart during July with W32/Mydoom.o@MM jumping in to fifth spot. During August it fell two places to seventh.

We have a new entry this month, known as W32/Virtool.GL [Frisk]. This jumped into the chart in sixth place and is a collection of malware which uses social engineering to get users to download the malware from a website and infect their computer; in other words these are Trojans not viruses or worms. This underlines the move by the malware authors back towards using Trojans as their preferred malware type.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month has seen the Mytob family once more grab six places out of the top ten, this is the same number it managed in June and July, up from five in May.

In pole position we still have Mytob.c, which was also number one for the last five months. Lovegate.w moves up one place from fifth to fourth place. Nyxem.E which was a new entry in June’s chart has consolidated its hold on second place. Netsky.b likewise retains the third slot it grabbed in July, and is joined by another member of its family, Netsky.y in eighth place which also featured in July’s chart. The rest of the chart is made up of Mytob variants [u, q, w, t, and cg] in fifth, sixth, seventh, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its number one slot which it lost in March and grabbed back in April. Zafi.b slips three places from sixth place to ninth. Nyxem.D [aka MyWife] has consolidated its place in fourth. Mytob.AS consolidates its second place in the top ten, it stormed up the chart from fourth spot in June. Mytob.FO slips from ninth to tenth and we see two other Mytob family members appear back in the top 10; these being C and E in sixth and seventh place respectively. Another Netsky [D] jumps from seventh place to fifth. We have only one member of the Mydoom family in the top ten this month, down from two in July; this being Mydoom.O which slips from fifth to eighth spot. To complete this month’s top ten we have W32.Bagle-Zip which was a new entry in June’s chart and which consolidates the third place it grabbed in July.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has climbed from 71 percent in July to over 72 percent in August. Mytob has disappeared from the chart altogether in August. Opaserv has consolidated its grip on second place. Netsky is up one place from fourth to third. Mydoom consolidates the fifth place it managed to grab in July. Dupator is also static in eighth spot. New entries W32.VirTool, W32.Downloader, IRC Generic Flooder and Trojan.Downloader.Win32.Banload come in at fourth, sixth, seventh and tenth places respectively. Funlove has fallen out of the top ten this month.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of August] here. This clearly shows that August was the slowest month since I started to collate data on e-mail borne malware, even worse than July.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 208,517 [as at the end of August 2006]. That’s a growth of 39,710 new malware strains and/or variants in the last eight months.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in August 2006.

Conclusions:
Malware slowed again during August; however spam and phishing scams have shown a further increase, with only 419 scams showing a small drop in numbers. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

It is also clear that cyber-criminals are increasingly using Trojans as their preferred attack tool, rather than viruses. It also seems that phishers are increasingly looking at using malware to enable them to steal personal data as well as other technologies that may help them to fool their victims.

Spammers are increasingly moving to using graphical spam as it is harder for anti-spam tools to identify without the use of OCR technologies; not only are they moving to graphical spam but to stop simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots; this ensures that this type of filtering would be side-stepped. We have also seen animated GIF files being used by spammers, including some that use so-called subliminal programming techniques. We also saw spam being sent in Word documents. I will cover both of these developments in September’s malware review, which I’m writing right now, and should be posted here by the end of the week.
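This paragraph, and the matching conclusion in the September review above, make the same point: random micro-dots defeat filters that compare an exact hash or checksum of the image. The following is an added example, written for this page and not code from the original post or from the author’s own WormCharmer/Bayesian tooling. It works on a constructed grayscale bitmap (a light background with dark bands standing in for lines of text), and shows why a SHA-256 digest of the pixel bytes stops matching after a handful of specks, while a difference hash (dHash) computed over a box-averaged thumbnail still matches within a small Hamming distance, which is the kind of perceptual comparison a filter needs instead of exact checksums. All function names, the bitmap and the threshold value are my own assumptions, not anything from the page.

```python
import hashlib
import random
from typing import List

# A grayscale bitmap as rows of 8-bit pixel values (0 = black, 255 = white).
Image = List[List[int]]


def make_sample_image(width: int = 36, height: int = 32, band_offset: int = 0) -> Image:
    """Constructed stand-in for a spam image (not a real sample): a light
    background with dark horizontal bands playing the role of lines of text.
    A gentle left-to-right gradient keeps neighbouring pixels from tying,
    much as real rendered text and photographs do.
    band_offset=1 moves the bands, giving a visibly different layout."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            in_text_band = ((y // 4) + band_offset) % 2 == 1 and 4 <= x < width - 4
            row.append(40 + 2 * x if in_text_band else 150 + 2 * x)
        img.append(row)
    return img


def add_micro_dots(img: Image, count: int, seed: int) -> Image:
    """Return a copy with `count` randomly placed single-pixel dark specks,
    mimicking the random micro-dots described in the post. The picture a
    human sees is unchanged, but the byte stream is not."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    height, width = len(out), len(out[0])
    for _ in range(count):
        y, x = rng.randrange(height), rng.randrange(width)
        out[y][x] = max(0, out[y][x] - 6)
    return out


def exact_hash(img: Image) -> str:
    """The naive filter: SHA-256 over the raw pixel bytes. Any single-pixel
    change produces an unrelated digest, so a blocklist of digests is
    side-stepped by randomised images."""
    data = bytes(p for row in img for p in row)
    return hashlib.sha256(data).hexdigest()


def shrink(img: Image, cols: int, rows: int) -> Image:
    """Box-average the image down to cols x rows. A single speck moves a
    block's mean by a fraction of a grey level, so it is averaged away."""
    height, width = len(img), len(img[0])
    out = []
    for r in range(rows):
        y0, y1 = r * height // rows, (r + 1) * height // rows
        row = []
        for c in range(cols):
            x0, x1 = c * width // cols, (c + 1) * width // cols
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) // len(block))
        out.append(row)
    return out


def dhash(img: Image) -> int:
    """64-bit difference hash: shrink to 9x8, then emit one bit per row for
    each 'is this pixel brighter than its right-hand neighbour' comparison.
    The bits describe the layout of light and dark, not exact pixel values."""
    small = shrink(img, 9, 8)
    bits = 0
    for row in small:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def matches_known_spam(candidate: Image, known: Image, threshold: int = 6) -> bool:
    """Perceptual match: near-identical layouts land within a few bits of
    each other, so a small Hamming threshold tolerates the speckling."""
    return hamming(dhash(candidate), dhash(known)) <= threshold


if __name__ == "__main__":
    known = make_sample_image()
    speckled = add_micro_dots(known, count=10, seed=2006)
    print("exact hashes equal:", exact_hash(known) == exact_hash(speckled))   # False
    print("dHash distance:    ", hamming(dhash(known), dhash(speckled)))      # 0
    print("matches known spam:", matches_known_spam(speckled, known))         # True
    print("different layout:  ", matches_known_spam(make_sample_image(band_offset=1), known))  # False
```

The threshold of 6 bits is a guess suited to this toy bitmap; on real images the usable distance depends on the thumbnail size and on how much legitimate variation (re-encoding, resizing, borders) has to be tolerated, so it should be tuned against a corpus of known-good and known-bad samples rather than copied from here.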

Links:



Friday 8th September, 2006


A Game of Two Halves - 2006 First Half Malware Review

Filed under: All, Malware, Exploits, Scams, Stats, Spam

Somewhat late I know, but I am finally going to post selected parts and snippets from the 2006 half-year malware review I finished in July as I promised, and I do try and keep my promises. So better late than never, here we go…

Malware Review of 2006 [January - June]

Below is a summary of the state of malware and related ‘things-that-go-bump-in-the-net’ for the first six months of 2006. If you need further details on any issue you will find a list of references throughout and can always search my blog for more details on a specific topic. All feedback and questions are welcome.

Overview

The beginning of 2006 was also the 20th anniversary of the first PC virus, Brain.

For anyone outside the security industry the first six months of 2006 were pretty uneventful; however this is just a case of the ‘Swan Principle‘ - All serene and smooth on top but furious activity going on beneath the surface - both in the malware and anti-malware camps.

E-mail borne malware is fast becoming extinct as malware authors move to using other infection vectors or links instead of attaching malware. The other trend that is occurring is the move back towards Trojans and using social engineering to get users to infect their own computers. SOPHOS found that only 1 in 91 e-mails was viral compared to 1 in 35 for the same period last year.

Phishing has grown from a minor inconvenience to a widespread and growing problem which currently shows no sign of a slowdown. However, there is somewhat of a change happening in that phishing scams are no longer just targeting customers of online payment systems [paypal], banks, building societies and ISPs. They are increasingly turning their attention to smaller firms and more targeted attacks. Increasingly we are seeing botnets being used to Spam out phishing e-mails and also bot infected computers used to host the bogus ‘phishing’ site itself.

Bots and Botnets have become big business with many ‘botnet owners’ making serious money renting out their ‘army’ of ‘drones’ to be used for DDoS attacks or pushing Spam, Phishing e-mails or other scams through. Botnets are also being used to seed new malware and adware/spyware; effectively giving it a head start which allows it to appear almost instantaneously all over the world.

Malicious software aimed at mobile devices, such as PDAs and SmartPhones, has grown quickly so far this year. This is not surprising as more and more of us now have SmartPhones with more computer power in our hands than a desktop computer offered a mere 10 years ago. During the review period the number of malware targeting mobile devices exceeded the 200 mark.

Ransomware
Data or disks being encrypted by malware is nothing new, however we seem to be seeing an increase in the use of this technique to extort money from those that get infected. In some cases it has almost become a hostage shooting scenario as if infected users do not pay-up within a specified period files get deleted and this is repeated until the user gives in and pays up.

Multi-stage malware is malware that arrives in parts or sections. This is not a new technique, but it is one that is increasingly being used by malware authors.

As this blog posting is ‘selected highlights’ of the full 16 page report, let us look at some of the areas mentioned above in more detail:

Malware Growth

Almost at 200,000 malware strains/variants

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 199,255 [as at the end of June 2006]. That’s a growth of 30,448 new malware strains and/or variants in the first half of the year. If we extrapolate that out, we are looking at at least 60,000 new malware strains and/or variants by the end of this year.

I have already written a blog entry on this, so to save space, and my fingers, you can read the original posting here.

The following chart shows the actual growth of malware each month for the first half of 2005 and the first half of 2006. You can clearly see the same trends at work; however, the numbers are much larger.

The average per month for the first half of 2005 was 4494 new malware variants, whereas the average per month for the first half of 2006 was 5075 new malware variants. This equates to 28 new malware found on average each and every day during the first six months of 2006, for the same period last year the figure was just 25.

Now, let us look at the growth and trends from actual data from my own internet facing malware sensors. The first graph shows data from January 2004 until June 2006 and only shows malware samples captured which travel via e-mail.

Let us now look at the whole six month period with respect to individual malware variants and families. The first pie chart shows the top 10 malware variants. This data is from my WormCharmer and includes not only e-mail based malware but also share-crawling worms and bots too.

As you can see there are a number of Mytob variants in the top 10, in fact they take 4 of the 10 slots; the other 6 are taken by W32/Tenga.3666 which accounts for over 65 percent of the top 10 pie, and over 50 percent of all samples captured in the first six months of 2006. Tenga is a ‘blast from the past’ as it had been suggested by some anti-virus vendors that ‘viruses’ were now extinct, apart from those already known and catalogued. The rest of the pie is made up of W32/MyWife.d@MM, W32/Netsky.p@MM, W32/Opaserve.ae and finally W32/Opaserv.d [in 5th, 6th, 7th and 10th respectively].

The above pie-chart shows the data for the same period but grouped by malware ‘families’. As you can clearly see, the Tenga family [which is only made up of the initial version] accounts for the largest slice, almost 55 percent. Mytob is forced into second place, accounting for just 23 percent of the pie. These top two are followed by the ‘Opaserv’ family and the ‘Netsky’ family. Next come MyWife, Sdbot, Mydoom, Sdbot and Ranky Dropper, and in ninth spot is Ranky. Bringing up the rear is the ‘Agobot’ family.

Right, now we have covered some of the statistics of the first half of 2006, let us now look at some of the trends reported in the review:

Trends

Ransomware

Data or disks being encrypted by malware is nothing new, however we seem to be seeing a rebirth of this technique to extort money from those that get infected.

One of the first ransomware samples found was Virus.Win32.Gpcode.a [Kaspersky], which was found in December 2004; a second variant appeared later that month. We are now seeing versions of this ransomware using strong encryption. In January variant ac was found, and it used an RSA algorithm with a 56 bit key-length. Next we saw a version using a 260 bit key, then a 330 bit key; each of these was cracked by the anti-virus firms. To top it all, in June the author released a new version using a 660 bit key. This should have taken around 30 years to crack, but Kaspersky managed to crack it within 24 hours. It is expected that we will see more of these Gpcode variants using larger and larger keys, along with new malware that uses strong encryption techniques to hide or steal data.

If we see this technique added to bots we may well have to add a new entry to the definition of DDoS attacks, as encrypting files or whole disks without the owner’s knowledge is definitely a denial of service: they won’t be able to use the data or disk that has been encrypted.

In one case a ransomware sample known as Ransom-A [Sophos] prevented users from accessing their computer until the ransom was paid via Western Union. The fee demanded was a measly 10.99 [US Dollars]. The amount may be small, but to try and ensure that the victim paid up, for every thirty minutes which passed it claimed it would delete a file. Furthermore, Ransom-A displayed pornographic images and messages on the infected system’s screen, which added to the pressure to pay up, especially if you were in an office or public place where your screen could be seen.

Along similar lines is data-stealing malware; more often than not these are Trojans specialising in stealing passwords and other sensitive data. There have been cases where phishers have used these tools by exploiting known vulnerabilities in Microsoft Internet Explorer to automatically download and install the Trojan as the phishing e-mail is being read.

Script Malware Returns

Script viruses and other malware have been around for many years, but interest in them has waned over the last few years, or so it seemed. This year we have seen a number of script based malware, these include:

It seems that we are seeing the rebirth of script-based malware; this time the target is web-based applications and the servers running these applications and sites. What is more worrying is that some of these, such as Feebs and Scano, are polymorphic and therefore harder to reliably detect, as they mutate each time they infect.

A Half-Year Packed with PoCs

It seems to have been rather manic on the ‘proof of concept’ front with regard to malware, so far this year we have seen the following new targets attacked:

  • Matlab
  • Microsoft Project
  • Open Office
  • Mac OSX
  • J2ME

This year may have been short on major outbreaks, so far. This is partially because the malware authors are spending the time in investigating new attack vectors and methods. I suspect that the second half of 2006 will see a similar increase in PoCs.

Right, finally let me cover some of the things I see in my crystal ball…

Expectations for the rest of 2006

Let us look into our virtual crystal-ball and see what the last half of 2006 may hold.

Actually this is more scientific than merely guessing as it uses all the data from 2006 so far and the other twenty years of malware activity to come up with the most likely scenarios. However, something new and unexpected can always turn up to turn everything on its head.

Phishing to continue to grow.
More scams using social engineering to dupe users into disclosing private or confidential information or getting them to perform a task, such as running an attachment or deleting system files (user initiated malware). More phishing scams to use malware such as key-loggers and backdoors to compromise/further exploit a victims system. Man-in-the-middle scams to become more widespread.

Increased social-engineering use in malware.
Malware authors are well aware that most often the weakest link in a company’s security is the person behind the keyboard. Until users gain a healthy level of paranoia then the problem will continue and may be used more often to defeat a company’s anti-malware defence.

SPAM will continue to grow. Despite the recent legislation passed in both the UK/EU and the US, and even allowing for the arrests/prosecutions of spammers in 2004, the increased risk of being caught will be offset by the increasing use of botnets as spam proxies. Not only will we see an increase in e-mail spam, but also instant messaging spam [known as spim] and VoIP spam [known as spit].

Bots and botnets will continue to be the tool of choice for cyber-criminals. What we will continue to see during the rest of 2006 is a further move away from using IRC for command and control, to other methods such as web servers running SSL [encrypted] command and control systems. We may also see encrypted peer-to-peer [P2P] networks created by bot/botnet creators as IRC server owners crack down on misuse of their servers. Furthermore, the increasing use of IPS/IDS to detect botnet IRC traffic will force the bad guys to move to encrypted protocols in an attempt to defeat these technologies.

It has become clear over the last few years that malware authors are increasingly looking at operating systems other than Windows. The number of Linux malware is increasing steadily as they search for effective ways to target it. The same has been happening on the Apple Mac platform. We will see more, and increasingly complex and successful malware for Linux and Mac operating systems during the rest of 2006.

So, there you have it, a quick peek at some of the facts, findings, trend analysis and a bit of crystal ball gazing to round it all off.

Other Malware Reviews


Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.

All the data up to the end of December 2006 will be left here, however all postings from the 1st of January 2007 onwards will only be available at this blogs new home.
ALL future postings will only be available at the new site.

Thursday 7th September, 2006


Developments in Spam and Spamming

Filed under: All, Scams, Spam

Quite a number of people have asked me why they are suddenly seeing Spam, or more Spam than they are used to. To answer this I decided to put together this blog entry to try and explain why more Spam appears to be turning up on our computers, and how they bypass the anti-spam tools and filters most companies have in place. I covered a number of the tricks and techniques in a presentation I gave back in July. For those that saw the presentation this can be considered an update.

I have covered spam on this blog a number of times and, to be honest, apart from the constantly increasing volume and the ever-changing subject matter, not much has changed in the way that spam is created. It has predominantly been either plain ASCII text or HTML based, sometimes disguised using encoding methods or other obfuscation techniques to try to fool anti-spam tools and bypass filters.

However, since the spammers moved to sending nearly all their spam via botnets (it is believed that over 80 percent of all spam is now sent via bots and botnets), other new techniques have been seen. This blog entry will discuss some of these new techniques and why the spammers are using them.

Graphical Spam
This was the first major change made by the spammers, instead of just using graphics for pictures they decided to make the whole spam message into a graphical one. This they believed would allow them to fool or bypass anti-spam filters. To improve the likelihood of their message getting through they often would include random text or text stolen from news or other articles and even books in the body of the e-mail. You can see an example of this type of spam message below:

A larger version of this screenshot can be found here.

The next step was to add random dots to the graphical spam; this means that you can no longer just filter graphical spam out by using a checksum or hash value as a temporary fix, as now the checksum or hash will be different each time the spammers produce an image spam using a new microdot pattern or position. If you look carefully at the example above you may notice little black dots where this technique has been used on this graphical spam.

This type of graphical spam using micro-dots is allowing spam to bypass many anti-spam tools which is why many people are seeing more spam than they had before. However, this is not the end of the development cycle of the spammers. Next they decided to animate them…
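The hash-evasion point above is worth seeing in code. What follows is an added example, not code from the original post: a constructed 32x32 greyscale “image” in pure Python standing in for a rendered spam message, a copy of it with a handful of microdots added, and two fingerprints computed over each. The SHA-256 of the raw pixels is the checksum approach the dots defeat; the average hash (downscale to an 8x8 grid, one bit per block relative to the mean brightness) is a simple perceptual fingerprint that tolerates small changes. The image pattern, dot positions and the match threshold are all constructed assumptions.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

# A greyscale image is a list of rows of 8-bit values (0 = black, 255 = white).
Image = List[List[int]]


def make_text_image(size: int = 32, square: int = 8) -> Image:
    """Constructed stand-in for a rendered image-spam: a checkerboard of
    8x8 squares gives the image some structure without needing a font."""
    return [[255 if ((y // square) + (x // square)) % 2 == 0 else 0
             for x in range(size)] for y in range(size)]


def add_microdots(img: Image, dots: Sequence[Tuple[int, int]]) -> Image:
    """Return a copy with single black pixels ('microdots') at the given
    (row, col) positions, the way each spam copy is randomised."""
    out = [row[:] for row in img]
    for y, x in dots:
        out[y][x] = 0
    return out


def exact_hash(img: Image) -> str:
    """Cryptographic hash of the raw pixels: any one-pixel change alters it."""
    h = hashlib.sha256()
    for row in img:
        h.update(bytes(row))
    return h.hexdigest()


def average_hash(img: Image, grid: int = 8) -> int:
    """Perceptual 'average hash': block-average down to grid x grid, then emit
    one bit per block, set when the block is at least as bright as the mean.
    Returns a grid*grid-bit integer (64 bits for the default grid)."""
    height, width = len(img), len(img[0])
    bh, bw = height // grid, width // grid
    means = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x]
                     for y in range(gy * bh, (gy + 1) * bh)
                     for x in range(gx * bw, (gx + 1) * bw)]
            means.append(sum(block) / len(block))
    mean = sum(means) / len(means)
    bits = 0
    for m in means:
        bits = (bits << 1) | (1 if m >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two fingerprints."""
    return bin(a ^ b).count("1")


def is_known_spam_image(img: Image, known: Sequence[int], max_distance: int = 6) -> bool:
    """Match against previously seen spam fingerprints, tolerating a few flipped
    bits rather than demanding byte-for-byte identity (threshold is an assumption)."""
    h = average_hash(img)
    return any(hamming(h, k) <= max_distance for k in known)


def demo() -> Dict[str, object]:
    """Compare the two fingerprints on the constructed sample and its dotted copy."""
    base = make_text_image()
    dotted = add_microdots(base, [(2, 3), (6, 18), (11, 10), (20, 21), (28, 30)])
    inverted = [[255 - v for v in row] for row in base]   # an unrelated image
    return {
        "sha256_equal": exact_hash(base) == exact_hash(dotted),
        "ahash_distance_dotted": hamming(average_hash(base), average_hash(dotted)),
        "ahash_distance_unrelated": hamming(average_hash(base), average_hash(inverted)),
        "dotted_caught": is_known_spam_image(dotted, [average_hash(base)]),
    }


if __name__ == "__main__":
    print(demo())
```

The five dots change the SHA-256 completely but leave the 64-bit average hash untouched, while the inverted image sits 64 bits away, so a filter keying on the perceptual hash can still recognise each re-dotted copy of the same campaign. Real filters use more robust variants (difference or DCT-based hashes) and tune the threshold on their own corpus; the principle is the same.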

Animated GIF Spam
So, why do the spammers want to use animated GIFs for spam? I mentioned above that the spammers are increasingly using microdots to make hashing or checksumming techniques for detecting graphical spam almost useless; however, the microdots make the spam look messy. To solve this problem the spammers moved the microdots into a separate GIF frame, or in some cases more than one, placed before and after their clean and tidy graphical spam image. To make this work well the microdot frames of the animated GIF are set to appear for only a fraction of a second. You can see an example of this type below:

I have modified the above animated GIF to allow you to see the other frames which contain the microdots or other graphical data. This animated GIF originally only animated once, I have changed it to animate forever.

Subliminal Spam
The next step taken by the spammers was to think “Well we are now using animated gifs, why not use the microdot frames another way? How about we put subliminal messages in them?” So that’s what they did. You can see a modified example below:

I have modified the above animated GIF to allow you to see the other frames which contain the subliminal message data. This GIF animates forever, all I have done is change the interval that the so-called subliminal data shows.
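Both the microdot frames described under “Animated GIF Spam” and the subliminal-message frames just described share a file-level tell: a multi-frame GIF in which some frames carry a very short display delay. The following is an added example, not code from the original post: it walks the GIF block structure (header, colour tables, Graphic Control Extensions and image descriptors) without decoding any pixels and reports which frames are shown for at most a few hundredths of a second. The three-frame GIF is constructed inline to match the description; its dimensions, delays and the 5-centisecond threshold are assumptions, not values taken from the samples on this page.

```python
import struct
from typing import Dict, List


def _sub_blocks(payload: bytes) -> bytes:
    """Encode payload as GIF data sub-blocks (<=255 bytes each) plus the 0x00 terminator."""
    out = bytearray()
    for i in range(0, len(payload), 255):
        chunk = payload[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return bytes(out) + b"\x00"


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a run of sub-blocks, returning the offset after the terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_frames(data: bytes) -> List[Dict[str, int]]:
    """Walk the GIF block structure and return one record per image frame with its
    delay (centiseconds, from the preceding Graphic Control Extension) and size.
    Pixel data is skipped, not decoded, so this is cheap enough for a mail filter."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    pos = 6
    _w, _h, packed = struct.unpack_from("<HHB", data, pos)
    pos += 7                                   # logical screen descriptor
    if packed & 0x80:                          # global colour table present
        pos += 3 * (2 << (packed & 0x07))      # 2^(N+1) RGB entries
    frames: List[Dict[str, int]] = []
    delay = 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer
            break
        if block == 0x21:                      # extension block
            label = data[pos]
            pos += 1
            if label == 0xF9:                  # Graphic Control Extension: size, flags, delay, transparent index
                _flags, delay, _idx = struct.unpack_from("<BHB", data, pos + 1)
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                    # image descriptor
            _l, _t, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                 # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                           # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)  # compressed pixel data
            frames.append({"delay_cs": delay, "width": w, "height": h})
            delay = 0                          # a GCE applies to the next frame only
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return frames


def flash_frames(frames: List[Dict[str, int]], max_delay_cs: int = 5) -> List[int]:
    """Indices of frames displayed for at most max_delay_cs in a multi-frame GIF:
    the microdot or subliminal frames. A single-frame GIF is never flagged."""
    if len(frames) < 2:
        return []
    return [i for i, f in enumerate(frames) if f["delay_cs"] <= max_delay_cs]


def _frame(delay_cs: int, w: int, h: int) -> bytes:
    """Build one GCE + image descriptor + dummy image data (assumption: never decoded)."""
    gce = b"\x21\xF9" + _sub_blocks(struct.pack("<BHB", 0, delay_cs, 0))
    descriptor = b"\x2C" + struct.pack("<HHHHB", 0, 0, w, h, 0)
    image_data = b"\x02" + _sub_blocks(b"\x44\x01")
    return gce + descriptor + image_data


# Constructed sample: a 3-frame GIF shaped like the spam described, not a captured one.
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 64, 32, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00"   # application extension: loop forever
    + _frame(1, 64, 32)      # microdot frame, 10 ms
    + _frame(500, 64, 32)    # the clean message, 5 s
    + _frame(1, 64, 32)      # second microdot / subliminal frame
    + b"\x3B"
)

if __name__ == "__main__":
    frames = gif_frames(SAMPLE_GIF)
    print(frames, "flash frames:", flash_frames(frames))
```

Mail clients clamp delays below a couple of centiseconds to something visible, but the file still records what the sender asked for, which is what the filter cares about. A production rule would also look at the frame count and whether short frames bracket one long frame, and would combine this with the perceptual-hash check on the long frame rather than rejecting every animated GIF.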

Please note that these are not only spam, but also what is known as ‘pump-and-dump’ stock scams. Do not use the information the spammers supply to buy any of the stock: unless you are very quick and manage to sell the shares you bought before they dump theirs, you will end up losing a lot of money.
Don’t do it.

These types of scams are now being investigated and I expect that at least a few of those responsible will start to get arrested, charged, tried, and then sent to prison where they belong.

Word Document Spam
The next change appeared a couple of weeks ago. All of a sudden I started getting lots of e-mails with Word documents attached. These came attached to e-mails with subject lines like:

  • Hospital Office Billing Update #57769
  • Confirm amount of charges fro Claim #86774
  • Filed under your account via Claim #91023
  • Records confirmation. See claim #94801
  • Your receipt for Statement #95775
  • Billing Update, Form #33128
  • Billing Summary - Invoice #62633
  • …and so on…

They also only contained a single line of ASCII text urging me to open the attachment to check certain details.

To say I was suspicious of these e-mails is an understatement. These Word documents may have contained malware or used one of the many recent known vulnerabilities in Word, so I only opened them in OpenOffice, and only then after I had tested them against numerous anti-virus and anti-spyware tools. What did I find?

Well, you can see for yourself, nothing malicious, no exploit code, no dangerous embedded files, scripts or links, only Spam!

Here is a second example of Word document based Spam.

The use of Word documents as a method of sending out spam is both interesting and worrying; interesting in that the spammers seem to be trying out file formats which they believe will allow them to bypass anti-spam tools and get their message through to you. To counter the move to graphical spam we are probably going to have to use anti-spam tools that use OCR [Optical Character Recognition] to extract the text from the spam and then analyse it as before. As for the move to Word documents, we may have to update anti-spam tools to use content filtering and/or file extension filtering, much as we already do for dealing with malware.

So what’s next from the spammers?
Unfortunately, we are seeing a similar ‘arms-race’ in the spam and anti-spam arena that we have been living with in the malware and anti-malware arena for the last two decades. You can bet that we will see other file formats being used by spammers, and we may also see them starting to use some of these file formats to not only get their spam through our defences, but also, I fear, to use them to drop malware/spyware onto unsuspecting users systems. We may also see the spammers start to use exploit code to infiltrate systems and turn them into spam relays or to install keyloggers to steal financial or other personal or commercial data.

Hold on tight, I think we are in for a bumpy ride! Anyone got any good recipes for Spam, apart from Spam fritters? ;-)

