December 2006 Malware Review
Here you go, the final Monthly Malware Review for 2006...
Not only has December come and gone, but 2006 has also run its course. However, some things don't change: it has been another very busy month for me. On the malware and related security threats front it has been an interesting month, with the re-appearance of mass-mailing malware, somewhat of a rarity in 2006, but more on that later.
Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.
I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.
I have included four sources of information for the graphs and pie-charts, these are:
The last two are my own projects, and all of their data comes from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4 years, the Malware Bayesian Filter for 3 years.
In total I captured 711 samples during December, which have been catalogued as 36 distinct families and variants. In comparison, during November I captured 1280 samples, which were catalogued as 51 distinct families/variants. As you can see, the captures in December are down from November's high.
During December I captured and submitted 2 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
As you can clearly see, December was significantly down from the relative high of November. The December statistics show that the general trend is still downwards. The main reason for this downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments; where attachments are used, these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend, which started as a trickle at the start of the year, is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.
During December I reported over 500 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained the pole position during December. However, it has lost ground once more, as we also saw in October: its percentage has decreased from over 75 percent in November to just over 48.5 percent in December. Once again, Tenga.3666 seems very intent on keeping pole position for itself, although it has had stiff competition during December.
Netsky.P [aka Netsky.q] has disappeared from the chart in December; however, two other members of the Netsky family are present. Netsky.d, which came into November's chart in seventh place, has risen to third place, and Netsky.c enters the top ten, taking the seventh place held by Netsky.d in November.
The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November, have managed to retain the four places again in December. The four are: Tenga.3666 in pole, Opaserv.worm.ae in sixth [up from eighth], Opaserv.worm.ai in eighth [up from ninth] and Opaserv.worm.d [a re-entry] in ninth.
IRC.Zapchast is back in the top ten in December, in fifth spot.
We have just two new entries in December's chart, these being Win32.Tibs.jy, straight into the chart in second place, and Sality.AD in fourth place.
Warezov fared badly in December, down from three variants in the top ten in November to just one, Warezov.fh being the only survivor of its family, just hanging on in tenth.
If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.
As you can see from the Kaspersky top 10 [below], December has seen the Mytob family lose more ground: down from its modest comeback in November, when it grabbed two places, to just one in December. The only survivor of the Mytob clan is Mytob.c in seventh place.
In November Netsky.q slipped down to seventh, but it managed to climb up two places to fifth spot in December. It is joined by two other family members, these being Netsky.t in fourth [same as in November] and Netsky.aa in eighth place, up from ninth.
Pole position in December has been stormed by Warezov.fb [a new entry], with November's pole position sitter, Warezov.gj, falling out of the top ten. However, we have two new members of the Warezov family in second [Warezov.dn] and third place [Warezov.hb], making it a clean sweep of the top three spots for Warezov.
Scano.gen has dropped down the chart from fifth to tenth allowing Zafi.b to move up one place to ninth.
One of the Bagle family [Bagle.gt] has managed to claw its way back in to the top ten, after November's failure to make an appearance at all in the top ten.

In the SOPHOS chart we see a different pattern: Netsky.p has consolidated its grip on second place in December. Pole position has been stolen by Dref-V [aka Tibs.jy], which is a new entry in December's chart, just managing to squeeze in before the end of the month. Here is some commentary on it from Sophos:
"The Dref-V mass-mailing worm, which poses as a New Year e-card, was discovered on December 30, 2006, and by the following day accounted for 93.7% of infected emails."
Zafi.b has dropped down the chart in December from fourth to sixth. Nyxem.D [aka MyWife] has reversed direction and has fallen down the chart from sixth to ninth.
Stratiozip [aka Warezov] which was November's pole sitter has fallen down the chart to fourth place. The downloader variant of Stratio is in the tenth and final slot of December's top ten.
Only one member of the Mytob family has managed to stay in the top ten in December, this being Mytob.C; however, it has climbed back up from eighth to third place. Netsky [D] has disappeared from the top ten again. Mydoom-O, which made a re-entry in November's top ten, remains static in seventh place in December.
November's new entry, W32/Sality.AA is now up one place from ninth to eighth place.
To complete this month's top ten we have W32.Bagle-Zip, which was a new entry in June's chart, dropping down the chart from third place to fifth spot.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped back from its high of over 75 percent of the November pie to just over 48.5 percent in December. Mytob has reappeared after dropping out of November's chart; it is back in eighth place. Opaserv has lost the second place which it gained in November, dropping down to sixth spot. Netsky has further consolidated its hold on fourth. Dupator is up one space from seventh to sixth place.
Warezov jumps from fifth place up to third in November's chart and is making its presence felt as part of the reason for the massive increase in spam we are all seeing.
Bagle slips down the chart from sixth to seventh and Downloader slips from eighth to tenth place.
New entries include Tibs, Sality, Warezov, Zapchast and Small, in at second, third, fifth, seventh and ninth places respectively. IRC.Flood completes the chart, in tenth place.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of December] here. This clearly shows that December was significantly up from November's relative low; this can be attributed to the Tibs.aj mass-mailer that we saw at the end of December. However, the overall trend is still downwards.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware in 2006, it grew from 168,807 [as at the end of December 2005] to 222,473 [as at the end of 2006]. That's a growth of 53,666 new malware strains and/or variants during 2006, just short of my guesstimate of 55,000.
What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in December 2006.
- 'Tis The Season To Be ... [Archived]
- An Honest Spammer? [Archived]
Conclusions:
Spam appeared to have recovered during December from the drop witnessed during November. 419s seem to have dropped unexpectedly, and we've seen Phishing scams recovering further from their fall in October. Malware [via e-mail] bucked the trend and rose during December, mainly due to Tibs. As shown above, the scammers have been out in force during December; the 'Savechilds.net' example included in this report is just one of a number of similar scams deployed during December.
Spammers are still increasing their use of image-based spam, which is harder for anti-spam tools to identify without the use of OCR or other technologies. Not only are they moving to image spam, but to defeat simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots, colour maps and other graphical artefacts, such as geometric shapes and random borders. It looks like we are witnessing yet another arms-race, this time between the spammers and the spam-fighting tools and community.
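As an added illustration (not from the original post or its tools) of why a checksum filter fails against random micro-dots while a coarser block-average hash still matches: a constructed 16x16 grayscale image stands in for a spam graphic, and the dot count, seed and block size are assumptions.

```python
import hashlib
import random

# Constructed sample: a 16x16 grayscale "spam image" as rows of 0-255 pixel values.
WIDTH, HEIGHT = 16, 16

def make_base_image():
    """Deterministic image: light background with a dark band standing in for text."""
    return [[40 if 5 <= y <= 9 else 230 for x in range(WIDTH)] for y in range(HEIGHT)]

def add_micro_dots(img, count, seed):
    """Copy of img with `count` random single-pixel dots (the spammer trick described above).
    Each dot is set to the contrast of the ORIGINAL pixel, so repeated hits never revert it."""
    rng = random.Random(seed)
    out = [row[:] for row in img]
    for _ in range(count):
        x, y = rng.randrange(WIDTH), rng.randrange(HEIGHT)
        out[y][x] = 0 if img[y][x] > 127 else 255
    return out

def exact_hash(img):
    """Checksum-style filter: SHA-256 over the raw pixel bytes. Any dot changes it completely."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def block_hash(img, blocks=4):
    """Coarse perceptual hash: one bit per block, set when the block mean exceeds the global mean."""
    bh, bw = HEIGHT // blocks, WIDTH // blocks
    means = []
    for by in range(blocks):
        for bx in range(blocks):
            cells = [img[y][x] for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            means.append(sum(cells) / len(cells))
    global_mean = sum(means) / len(means)
    return "".join("1" if m > global_mean else "0" for m in means)

def hamming(a, b):
    """Number of differing bits between two equal-length bit strings."""
    return sum(c1 != c2 for c1, c2 in zip(a, b))

def compare(seed=1, dots=5):
    """Show that the exact hash no longer matches while the block hash barely moves."""
    base = make_base_image()
    variant = add_micro_dots(base, dots, seed)
    return {
        "exact_match": exact_hash(base) == exact_hash(variant),
        "block_distance": hamming(block_hash(base), block_hash(variant)),
    }
```

A production filter would use a real perceptual hash (pHash, dHash) over decoded image files and a distance threshold; the block hash here only shows the principle.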
Links:
- Virus Top Twenty for December 2006 [Kaspersky]
- Top ten viruses and hoaxes for December 2006 [Sophos]