July 2007 Malware Review
July has come and gone and like June in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from more flash or prolonged flooding for parts of the month.
As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.
Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.
I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:
The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.
In total I captured 499 samples during July, which have been catalogued as 25 distinct families and variants. In comparison during June I only captured 209 samples which were catalogued as 31 distinct families/variants. As you can see the captures in July are significantly up from June's total.
During July I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is partly due to other work requiring my attention.
Even though July's statistics were up on May's, I still feel that the general trend is downwards. It seems that social-engineering is still the technique of choice so far this year.
During July I reported 90 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.
There are six [up from five] members of the Opaserv.worm family in July's chart. These are variants: D, AE, AI [AI is a New entry], AC, AD and K [AD and K are Re-entries] in third, fourth, sixth, seventh, eighth and ninth places respectively.
The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In July's chart we have only one survivor [down from three in June], this is: Q [aka P], up two places from fourth to the runners-up spot.
Zapchast which managed to steal the final podium position in June has fallen on hard times and slipped down the chart to the final place; tenth.
The final slot left is taken by a new entry, this being fifth place and the malware is also a new one, in this case it is: Packed.Win32.PolyCrypt.b which is spreading via open shares in much the same way that the Opaserv family does.
If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.
As you can see the top 10 from Kaspersky [below] for July once more has Mytob.c in seventh place, which it managed to climb to back in February; it seems to have set up home there and put down roots!
Netsky.q [aka P] has slipped back down from the pole position it managed in June to the runner-up spot it last held in March. It is joined by two [down from three in June] other family members, these being: Netsky.t, which has slipped down one place from third to fourth spot, and Netsky.aa, which has slipped back down to the position it last held in May's chart; slipping two places from fourth to sixth place.
Bagle.gt has restarted its slow journey down the chart, slipping back down one place from second to third.
Worm.Win32.Feebs.gen has reversed last month's slippage and climbed back up one place from sixth to fifth.
We have two new entries in July's chart, these are: Warezov.pk straight in at number one, Nyxem.e in at ninth and finally IMG-WMF.y grabbing the final place in July's chart.
Kaspersky had this to say about July's chart:
"On the whole, despite the blast-off of Warezov.pk, which was first detected on June 26 and peaked in early July, the situation remains stable (it is actually quite rare for the rankings to be so stable, with Warezov.pk being one of only two newcomers to the Top Twenty). The conditions are not favorable for new global epidemics, so the main threat is posed by local attacks targeting users from individual countries."

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.
In the SOPHOS chart we see a similar pattern; Netsky has consolidated its grip on the pole position which it lost during May.
Mytob has also managed to consolidate its hold on the runners-up place it grabbed in June after being static in third place back in April and May.
The final step of the podium; third, is taken by Zafi which climbs up from the sixth place it held in June.
Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to fifth from fourth.
November's new entry, Sality has reversed its progress up the chart, slipping down one place from fifth to sixth during July.
Bagle also slipped down the chart during July, from sixth to eighth place. Meanwhile Nyxem.D has fallen right out of the top ten during July and Mal/Iframe has slipped one place from third to fourth.
There is one re-entry in July, this being Mal/Clagger back into the chart in ninth place.
To complete the chart we have two new entries, these are: Troj/Agent in at the seventh spot, and W32/Strati which just scrapes into the chart in tenth.
Here is some commentary on July from Sophos:
"The security dangers of the web still aren't fully registering with a great many businesses - this is providing rich pickings for hackers hell-bent on gaining access to sensitive information," said Carole Theriault, senior security consultant at Sophos. "It's no surprise to see legitimate webpages targeted for these attacks - businesses generally aren't too strict about stopping their employees accessing these websites, while the sites themselves will already have their own daily flow of user traffic, saving hackers the trouble of trying to entice unenlightened web surfers."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.
This month the table is headed up by the September 2005 leader, Tenga, which has once more regained the crown it lost in June when Opaserv stole it. Opaserv has had to settle for the runner-up spot; second.
The final step of the podium, third place, is once more occupied by Netsky which is static in July.
Zapchast which stormed up the chart from ninth to fourth place in June has once more slipped back down the chart, however, this time it is only two places from fourth to sixth place.
W32.Dupator has consolidated the fifth place it managed to claim in June's chart.
We have one new entry in the chart in July; this is none other than Polycrypt, straight in at fourth place.
As with the new entries, we have just one re-entry to the chart in July, this being, Zhelatin back into the chart in seventh.
The rest of the chart is made up of the following malware: Spaces, down one place to eighth, MyDoom, down one place to ninth and finally Funlove, static in tenth place.

If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of July] here. This clearly shows that July was busier than June which was the quietest month since I started keeping these statistics. As shown in the figures for July, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards. The reason for the jump during July is that I've adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers. This makes the figures look like the largest since January 2006.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 304,153 at the end of July. That's a growth of 81,680 new malware strains and/or variants so far in 2007, in July the number jumped by over 28,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 122,500. Things have certainly speeded up during the second and third quarters of 2007!
What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.
- Watch Out, Watch Out, There's an E-card About! [3rd July]
- How Not To Spam [10th July]
- Have You Got Anything Without Spam? [11th July]
- Experiments In Spam [25th July]
Conclusions:
The current trend of using social-engineering which has been widespread in January - June has continued during July, if anything it has accelerated.
We have surprisingly seen a slight drop in the level of spam during July and a move by the spammers towards using other file formats to try and bypass anti-spam defences.
The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during July. This is clearly shown in the jump in the percentage of phishing scams I've seen during July.
Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, which works just as well and without the need for extra coding, as they aim for the weakest link in the security chain; the person using the computer.
All in all, it looks like we could be in for a very interesting, and busy, rest of the year!
Links:
- Virus Top Twenty for July 2007 [Kaspersky]
- Top ten viruses and hoaxes for July 2007 [Sophos]