MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Monday, 23 July 2007

June 2007 Malware Review

'Flaming June' has come and gone, however in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from flash or prolonged flooding for parts of the month.
We are now past the halfway point of 2007 and I'll include some comments on trends, etc. that have occurred during the first half of the year.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured only 209 samples during June, which have been catalogued as 31 distinct families and variants. In comparison during May I captured 800 samples which were catalogued as 35 distinct families/variants. As you can see the captures in June are significantly down from May's total.

During June I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The June statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During June I reported just 26 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are just four [down from five] members of the Opaserv.worm family in June's chart. These are variants: AE, D, I and AC in second, seventh, eighth and tenth places respectively.

The Netsky family is back in the top ten again after dropping out of the chart completely in May. We have a trio of family members in June's chart, these are: Q [aka P] back in at fourth place, Y back in at fifth and finally X back in at sixth place. Looks a bit like the London Bus effect: wait for ages for one to appear, and then three appear at the same time!

As with Netsky, we have one final re-entry in June's top ten, this being Zapchast, which has managed to steal the final podium position, coming back in at third.

The final slot left is taken by Dupator, which is up one place from tenth to ninth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple 'vectors' and combine it, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] for June once more has Mytob.c in seventh place, which it managed to climb to back in February; it seems to have set up home there and put down roots!

Netsky.q [aka P] has climbed up from the runner-up spot it held in March and lost in April to snatch pole position in June's chart. It is joined by three other family members. Netsky.t, February's pole sitter, which slipped down to fourth during March and was the pole sitter in first place in May, has fallen two places to occupy the final step of the podium, third place. Mirroring that change, Netsky.aa has gained two places, up from sixth to fourth.

Bagle.gt has further reversed its slow journey down the chart, climbing one more place from third to take the runner-up spot, second.

Worm.Win32.Feebs.gen has fallen back down one place from fifth to sixth effectively reversing its progress from May.

We have three new entries in June's chart, and these are all members of the same family, Warezov. We have variant OZ straight into the chart in fifth place, variant OV occupying the eighth spot, and finally variant OP in ninth place.

To complete the top ten, we have a re-entry, this being an oldie; Mydoom-L which takes the final slot in tenth place.

Kaspersky had this to say about June's chart:

"After a long break, first place was again taken by the all-time leader of 2004 and 2005: the NetSky.q worm. Right on its heels is a worm from an equally old family, Bagle.gt. Meanwhile, NetSky.t, the leader in May, slipped very slightly down the table, ending up in third place.

Probably the most noteworthy event this month was the disappearance of May's rabble-rouser, Sober.aa. This virus appeared after a six-month stint in the shadows, suddenly taking fourth place before disappearing again. Will we be seeing this family in our reports again? I suspect not".



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern: Netsky has regained its grip on pole position, which it lost during May. May's pole sitter, Sober, has once more dropped out of the top ten.

Mytob has managed to climb up the chart one place, to steal the runners-up place on the podium after being static in third place back in April and May.

The final step of the podium, third, is taken by a new entry which has previously appeared only in SOPHOS's web threat chart. This new entry is Mal/Iframe.

Here is some commentary on it from Sophos:
"Interestingly, Mal/Iframe's appearance in the email-based chart demonstrates that it is not limited to only infecting via the web. Hackers can embed the malware into emails using HTML to exploit users".

Mydoom, which was a re-entry in November's chart, has recovered more ground during June: after falling to seventh place in April and climbing to fifth in May, it is now up one more place to fourth.

November's new entry, Sality, has reversed its slide down the chart, jumping up three places from effectively eighth place in May to fifth in June.

Zafi-D, which dropped from February's fourth to sixth place in March and then reversed its slide down the chart, ending up in fifth place in April, has now halted its slide and is sitting in sixth place, as it was in May.

Bagle is up a single place in June's chart from eighth to seventh place. Meanwhile Nyxem.D [aka MyWife] is static in tenth place.

To complete the chart we have two re-entries, these are: Mal/DownLdr in eighth and W32/Stratio in ninth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is not headed up by the September 2005 leader, Tenga. Its crown has been stolen once more, this time by Opaserv. Tenga has been forced to accept the runners-up spot; second in June.

The final step of the podium, third place, has been occupied by Netsky which is up from the fifth place it held in May.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, then suffered a setback, slipping down to eighth place in April and to ninth in May. It has since experienced a major turn around, storming back up the chart and taking fourth place in June.

W32.Dupator has moved up one place in June from sixth to fifth place.

The rest of June's chart is made up by re-entries, these are: Tibs, Spaces, MyDoom, Small and finally Funlove, in sixth, seventh, eighth, ninth and tenth places respectively.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of June] here. This clearly shows that June was busier than May which was the quietest month since I started keeping these statistics. As shown in the figures for June, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 275,995 at the end of June. That's a growth of 53,522 new malware strains and/or variants in the first half of 2007, in June the number jumped by over 10,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 107,044. Things have certainly speeded up during the second quarter of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.


Conclusions:
The current trend of using social-engineering, which was widespread from January to May, has continued in June; if anything it has accelerated.

We have seen another rise in the level of spam during June and this may have dented the figures for 419s, Phishes and Malware arriving via e-mail alike; only time will tell.

The Phishers have been busy both with new versions of their scams and with trying to recruit new 'staff' to launder the proceeds of their criminal activity [as can be seen in the article I have included in this month's report]. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Another trend which has made itself very obvious during the first half of the year is that of the malware authors relying on social engineering to get victims to infect their computers, rather than having to use exploit code or include mass-mailing or other infection routines into their creations.

The final trend I wish to mention that has become prevalent this year, and ties up with the social engineering comments above, is that the malware authors and cyber-criminals are increasing their use of web sites to hold their malware and sending e-mails that contain nothing more than a link to it. In many cases this is not just a single web site, but can be as many as 10,000.

Looks like we could be in for a very interesting second half of the year!

Links:
