MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 16 November 2007

October 2007 Malware Review

October was another very busy month for me as I created and presented a double security lecture [one on malware and one on spam, scams, hoaxes, etc.] at one of the major universities in the UK, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts; these are:

The last two are my own projects and all data is from the Internet. These systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 649 samples during October, which have been catalogued as 35 distinct families and variants. In comparison during September I captured 457 samples which were catalogued as just 27 distinct families/variants. As you can see the captures in October are slightly up from September's total.

During October I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by October's statistics the general trend is still downwards [although the Bad Guys and Girls are back at work after their summer break]. It appears that social-engineering is very much the technique of choice this year.


During October I reported 105 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 77 percent of the samples captured in October, down from the high point of 82 percent in August but up almost 1 percent on September.

As in September's chart there are eight members of the Opaserv.worm family in October's chart. These are variants: AE, AJ, AI, D, I, AH, K and AC in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot is taken by our old friend Netsky.P, which comes back into the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 for October [below], Mytob.c has once more continued its slide back down the chart, from sixth to just hanging on in tenth place.

Netsky.q [aka P] has further consolidated its hold on the pole position it managed to grab back in June. It is joined by two [down from three] other family members: Netsky.t, which has reversed its slide from last month, climbing back up one place from eighth to seventh spot, and Netsky.aa, which has started to fall down the chart from the runner-up spot [second place, which it held in September] to the final podium place in third.

Bagle.gt has speeded up its journey down the chart, falling from fourth to eighth place.

Unlike Bagle.gt, Worm.Win32.Feebs.gen has reversed direction, climbing once more, up from seventh to fourth place.

The final free places in October's chart are taken by two new entries, these being: Trojan-Spy.HTML.Fraud.ay, straight in at the runner-up spot, second, and Exploit.Win32.PDF-URI.k, straight in at sixth place.

We also have Email-Worm.Win32.Nyxem.e [aka Mywife.D] down from fifth to ninth, a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l down from third to fifth place.

Kaspersky had this to say about October's chart:
"If this month's Top Twenty had been prepared using data from the first 26 days of October, two important malware related events would have been missing.
We're talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we've seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings.

The second attack, which started on Friday, October 26, was more interesting. Email traffic was flooded with messages that included a PDF file. This file contained a known and recently discovered exploit for a vulnerability in Adobe products. When the PDF file was opened, this resulted in malicious code being executed and a Trojan downloader being installed. The attack is in sixth place in our rankings: Exploit.Win32.PDF-URI.k"


Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has, rather surprisingly, lost pole position in October's chart and has to make do with the runner-up spot, second. Last month's runner-up, Troj/Pushdo, has managed to dethrone Netsky and steal its crown, as it now heads up the chart by grabbing pole position.

Mytob has lost ground, sliding down the chart from third to fifth place. W32/Zafi has suffered a similar fate sliding down from second to fourth place.

Mydoom, which was a re-entry in November's chart, has once more lost ground, slipping down from seventh to eighth place.

There is just one re-entry in October's chart, this being Troj/Dloadr, back into the chart in seventh place. One of last month's re-entries has managed to remain in October's chart, this being Mal/IFrame, slipping down one place from fifth to sixth.

To complete the chart we have one new entry, this being Troj/PDFex, straight into the chart in third place, and TraxG is up from tenth to ninth place. The place occupied by TraxG in last month's chart is now the home of Mal/Dropper.

Here is some commentary on October from Sophos:
"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26-28th October, and during that period, it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe have issued an update to their Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows which could also affect other vulnerable applications such as Skype and Firefox."


The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot, second. The final step of the podium, third place, is occupied by a re-entry, this being Netsky.

Win32.Zhelatin falls one place to fifth, Win32.Agent climbs one place to fourth, and IRC.Zapchast falls one place to ninth, as does Win32.Tibs, falling to tenth. Sixth place is once more occupied by W32.Funlove, where it was in last month's chart.

We have one new entry in October's chart, this is: Backdoor.Win32.mIRC-based straight in at eighth place.

The final place in October's chart is occupied by our old friend Dupator up from eighth to seventh place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of October] here. This clearly shows that October was quieter than the previous two months. As shown in the figures for October, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail attachments. Instead we will continue to see more malware being seeded via links in e-mails rather than as attachments, using lures such as fake e-cards or particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they have no attachments. This is because these e-mails contain links to malware files hosted on web servers, and the web pages they link to contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.
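The filter adjustment described above, as an added illustration that is not the author's Bayesian filter or WormCharmer code: a small multinomial naive Bayes classifier over message tokens, extended with two assumed structural pseudo-tokens (a link to a hosted executable, and whether an attachment is present), trained on constructed samples. Until link-based lures are added to the training set, an attachment-free e-card notice scores as clean; after the adjustment the same message scores as malware.

```python
import math
import re
from collections import Counter

def features(text, has_attachment):
    # Word tokens plus pseudo-tokens for link-to-executable and attachment
    # state (feature names are assumptions of this example).
    toks = re.findall(r"[a-z]+", text.lower())
    if re.search(r"https?://\S+\.(?:exe|scr|pif)\b", text, re.I):
        toks.append("__link_to_exe__")  # link to a hosted executable
    toks.append("__attachment__" if has_attachment else "__no_attachment__")
    return toks

def train(samples):
    # Per-class token counts, document counts and the shared vocabulary.
    counts = {"malware": Counter(), "clean": Counter()}
    docs, vocab = Counter(), set()
    for label, text, att in samples:
        f = features(text, att)
        counts[label].update(f)
        docs[label] += 1
        vocab.update(f)
    return counts, docs, vocab

def classify(model, text, has_attachment):
    # Multinomial naive Bayes with Laplace smoothing; returns the best class.
    counts, docs, vocab = model
    total = sum(docs.values())
    scores = {}
    for label, c in counts.items():
        lp = math.log(docs[label] / total)
        denom = sum(c.values()) + len(vocab)
        for tok in features(text, has_attachment):
            lp += math.log((c[tok] + 1) / denom)
        scores[label] = lp
    return max(scores, key=scores.get)

# Constructed training samples: attachment-borne malware vs. ordinary mail.
BASE = [
    ("malware", "see attached photo, open the zip now", True),
    ("malware", "your invoice is attached, run the file", True),
    ("clean", "minutes from the meeting, see you friday", False),
    ("clean", "lunch tomorrow? reply and let me know", False),
]
# Constructed link-based lures added when the filter is adjusted.
LINK_LURES = [
    ("malware", "a friend sent you an ecard http://example.invalid/card.exe", False),
    ("malware", "greeting card waiting http://example.invalid/view.scr", False),
]
# A Storm-style e-card notice: no attachment, only a link to a hosted .exe.
ECARD = ("you have received a greeting card http://example.invalid/ecard.exe", False)

def classify_ecard(adjusted):
    model = train(BASE + (LINK_LURES if adjusted else []))
    return classify(model, *ECARD)
```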



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 339,691 at the end of October. That's a growth of 117,218 new malware strains and/or variants so far in 2007; in October alone the number jumped by almost 10,500. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 140,700. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering, which was widespread in January - September, has continued during October; if anything it has accelerated, as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam are back to their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during October as they are still trying out other file formats which they hope will bypass anti-spam defences, as can be clearly seen by the MP3 spam example covered above.

The Phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. This works just as well and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last couple of months of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:
