MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Monday, 19 February 2007

January 2007 Malware Review

Welcome to a new year: 2006 is no more, say hello to 2007.

It may well be a new year but some things don't change; it has been another very busy month for me. On the malware and related security threats front it has been an interesting month, with more mass-mailing malware, which many anti-virus firms were saying would be extinct by now. Guess again!

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4.5 years, the Malware Bayesian Filter for 3.5 years.

In total I captured 991 samples during January, which have been catalogued as 54 distinct families and variants. In comparison during December 2006 I captured 711 samples which were catalogued as 36 distinct families/variants. As you can see the captures in January are up from December 2006, but still down from the November 2006 high.

During January I captured and submitted 7 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As you can clearly see, January's captures are up from December 2006, but still down from the relative high of November 2006. The January statistics show that the general trend is still downwards. The main reason for this downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments; where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend, which started as a trickle at the start of the year, is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware, although the so-called 'Storm-Worm' family is trying to keep it alive.

During January I reported over 300 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] yet again retained the pole position during January. However, it has lost even more ground; its percentage has decreased from over 48.5 percent in December to almost 36 percent in January. Once again, Tenga.3666 seems very intent on keeping pole position for itself, although it has had very strong competition during January.

Netsky.P [aka Netsky.q] is back again after it disappeared from the chart in December. However, the other two members of the Netsky family [Netsky.d and c], which held up the family name during its absence, have now departed, leaving Netsky.p once more as the only representative of the family in the January chart.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November, have fallen on hard times in January, only managing to fill one place in the chart; the survivor is Tenga.3666 in pole. There are no Opaserv.worm family representatives in the chart in January. IRC.Zapchast has managed to hang on to the final slot in January's chart, down from the fifth spot it captured in December 2006.

We have seven new entries in January's chart, these being: three members of the Zhelatin [aka Nuwar] family [a, h and k] in second, third and sixth respectively. Next up is Banwarum.I [aka Tibs] in fourth place, which is followed in fifth by a new Downloader [AYDY]. In seventh we have a new member of the Small family [ciw], followed by Lager.dp in eighth. All in all a very hectic month!

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply because my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], January has seen the Mytob family lose more ground: down from its modest comeback in November, when it grabbed two places, to just one in December. The only survivor of the Mytob clan is Mytob.c, down from seventh place to ninth in January.

Netsky.q has managed to climb up from fifth spot in December to second place in January. It is joined by three other family members, these being: Netsky.aa in third [up from eighth], Netsky.t in fourth [same as in December] and Netsky.b, which is a new entry in seventh place.

One of the Bagle family [Bagle.gt] has managed to claw its way to the top of the chart [up from sixth], stealing pole. Another member of the family is in fifth place [Bagle.gen], which is a re-entry.

We have two members of the Small family in January's chart, these are: Small.dam, which caused some confusion as many thought that this was a damaged variant rather than variant dam, and Small.ciw; both are new entries.

Finally we have Mydoom.l bringing up the rear in tenth place, which is also a re-entry.



In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its grip on second place in January. Pole position has been stolen by Dorf-fam [aka Small, Tibs, Zhelatin and Nuwar], which was a new entry in December's chart; in January's chart it accounts for 46 percent of the pie. Here is some commentary on it from Sophos:

"Spammed out with hard-hitting headlines and the promise of exclusive news content, the Dorf malware, or 'Storm Trojan', moved at gale force speeds and battered inboxes worldwide in an attempt to compromise users' PCs," said Carole Theriault, senior security consultant at Sophos. "Though not a particularly sophisticated form of attack, preying upon public interest by using breaking news events is a tried and trusted trick. It has proven to be a remarkably effective method of fooling recipients into lowering their guard."

SOPHOS also noted the following:
"The proportion of infected email, while substantially higher than in December 2006, is still small at just one in 238 (0.42%)"

Zafi.d has managed to grab fifth place in January's chart and Nyxem.D [aka MyWife] has managed to halt the slide it suffered in December and consolidate its place in ninth.

Stratiozip [aka Warezov] has consolidated its fourth place. The downloader variant of Stratio has fallen out of the top ten in January.

Mytob.C has consolidated the third place it grabbed in December. Netsky [D] has disappeared from the top ten again. Mydoom-O, which made a re-entry in November's top ten, has managed to climb from seventh place in December to sixth in January.

November's new entry, W32/Sality.AA, has climbed another place, from eighth to seventh in January's chart.

The last remaining member of the Bagle family, Bagle-qw, slips down the chart from fifth to eighth.

To complete this month's top ten we have Wukill, which was a new entry in December's chart, static in tenth.



The final pie chart below shows the Top 10 malware families trapped, by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is not headed up by the September 2005 leader Tenga. This month its crown has been stolen by Zhelatin [aka Nuwar, Tibs], forcing Tenga to settle for the runner-up slot. Opaserv has managed to claw its way back up the chart after its fall from grace in December, from sixth spot up to fifth. Netsky has had a bad month, falling from fourth down to eighth.

It has been a good month for Downloader, which recovered from its fall to tenth place in December, grabbing the final step of the podium in third.

Zapchast moves up one spot from tenth place to ninth.

New entries include Banwarum, Small, Lager and Tiny, in at fourth, sixth, seventh and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 - 2007 [up to the end of January] here. This clearly shows that January was significantly up on December's figure. This jump can be attributed to the Tibs [aka Dorf, Nuwar, Zhelatin] mass-mailers which were widespread during January. Even allowing for this significant rise, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 226,207 at the end of January. That's a growth of 3,734 new malware strains and/or variants in the first month of 2007. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be just short of 45,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in January 2007.



Conclusions:
Malware [via e-mail] bucked the trend and rose significantly during January, mainly due to the so-called 'Storm-worm' gang.
The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them, and if it doesn't it isn't their fault.

Links:
