MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 28 December 2007

November 2007 Malware Review

November was another very busy month for me as I was involved in several projects for customer accounts, as well as dealing with my usual workload. This meant that I didn't have as much time to blog and do trend and sample analysis as I usually do.

As usual, on the malware-related threat front it has been an interesting month, with yet more malware using social engineering to get the victim to infect their own computer, sparing the malware author the need to code routines that automate infection. We've also seen lots of activity from scammers and cyber-criminals again; more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all their data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 476 samples during November, which have been catalogued as just 27 distinct families and variants. In comparison during October I captured 649 samples which were catalogued as 35 distinct families/variants. As you can see the captures in November are down once more and very close to September's total.

During November I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown, once more, by November's statistics the general trend is still downwards. It still appears that social-engineering is very much the technique of choice this year. I believe that 2007 should be known as the year of the social engineer.

During November I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 72 percent of the samples captured in November, down from the high points of 82 percent in August and 77 percent in October.

As in both September's and October's charts there are still eight members of the Opaserv.worm family in November's chart. These are variants AE, AC, AJ, D, A, AH, AI and AD in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is once more occupied by our old friend Netsky.P who is static in the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

We have a new pole sitter in November's chart, this being Scano.gen which is a re-entry to the top ten.

In the runner-up spot we have another re-entry, Mytob.t, and as you can see in the Kaspersky top 10 [above] for November, Mytob.c has reversed its slide down the chart in October, climbing back up from tenth to fifth place.

Netsky.q [aka P] has dropped out of the top 10; however, two [down from three] other family members remain. Netsky.t has continued its slide down the chart, slipping from seventh to tenth spot, while Netsky.x is a re-entry, back in the chart to snatch the final podium place: third.

One of last month's new entries, Trojan-Spy.HTML.Fraud.ay, has slipped down two places from second to fourth.

The next three places, sixth, seventh and eighth, are all taken by re-entries. These are IMG-WMF.y, Warezov.pk and Lovegate.W respectively.

The final free slot in November's chart is taken by a new entry, another member of the Warezov family: Warezov.um in ninth place.

Kaspersky had this to say about November's chart:
"The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.
There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML.Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has, rather surprisingly, lost the runner-up position from October's chart and has to make do with the final step of the podium: third. Last month's pole-sitter Troj/Pushdo has managed to consolidate its hold on pole position.

Mytob has lost more ground, sliding down the chart from fifth to sixth place. W32/Zafi has suffered a similar fate sliding down from fourth to fifth place.

Mydoom, which was a re-entry in November's chart, has once more consolidated its hold on eighth place.

There are three re-entries in November's chart, these being W32/Flcss, back into the chart in seventh place, W32/Strati, back into the chart in ninth, and W32/Bagle grabbing the final place in tenth.

To complete the chart, Traxg is up from ninth to the runner-up spot: second place. The final free place is occupied by Mal/Dropper in fourth place.

Here is some commentary on November from Sophos:
"Traxg hurtling into second position this month has come as a complete surprise, and the fact that unsophisticated worms are still slipping through the net at such a rate of knots is a clear indication that huge numbers of users, and potentially companies, are failing to install even basic anti-virus protection," said Graham Cluley, senior technology consultant at Sophos. "In first place, Pushdo continues to wreak havoc. A clear reason for its ongoing success is the guilty cybercriminal's ability to quickly create different variants, which are being spread voraciously in a range of spam messages. Each new piece of spam that harbours the trojan has been created to tempt users, and whether it's enticing them to watch videos of Britney or view naked pictures of Angelina, this fraudster's tactics are certainly working."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot: second. The final step of the podium, third place, is still occupied by last month's re-entry, Netsky.

Win32.Zhelatin falls five places to tenth, Win32.Agent falls four places down to eighth and IRC.Zapchast is static in ninth place. Fifth place is occupied by W32.Funlove, which is up one place from sixth.

We have two new entries in November's chart: Win32.Protoride, straight into the chart in sixth, and W32.Heretic, which takes seventh place.

The final place in November's chart is occupied by our old friend Dupator up from seventh to fourth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of November] here. This clearly shows that November was about as active as October. As the figures for November show, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail attachments. Instead we will continue to see more malware being seeded via links in e-mails, such as fake e-cards or lures targeting particular events, such as Christmas.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they carry no attachments. This is because these e-mails contain links to malware files hosted on web servers, and the web pages they link to also contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.
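As an added illustration (not the author's filter or any code from the original post), here is a small naive Bayes mail classifier over a constructed corpus. It shows the adjustment described above: once Storm-style e-card notices are labelled as malware and the filter is given link features (link to a bare IP address, executable file extension), a link-only lure is classified as malware even though it has no attachment, while a legitimate e-card notice with a normal hostname stays ham. The sample messages, URLs and the `attachment:<name>` convention are all constructed for this example.

```python
import math, re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed samples (not the author's corpus); "attachment:<name>" stands for an attached file.
HAM = ["quarterly report attached attachment:report.doc",
       "lunch tomorrow at noon",
       "photos from the trip attachment:photo.jpg",
       "your greeting card from grandma is waiting http://cards.example.com/view?id=42"]
MALWARE_ATTACH = ["important security update attachment:update.exe",   # attachment-borne malware
                  "your statement attachment:statement.scr",
                  "funny video attachment:video.pif"]
STORM_LURES = ["you have received a postcard from a friend http://203.0.113.7/postcard.exe",
               "a greeting card is waiting for you http://198.51.100.9/ecard.exe",
               "happy holidays ecard from a family member http://192.0.2.44/ecard.exe"]
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
def tokenize(text):
    """Words, plus synthetic tokens describing any attachment and any link in the message."""
    out = []
    for tok in text.lower().split():
        if tok.startswith(("http://", "https://")):
            u = urlparse(tok); leaf = u.path.rsplit("/", 1)[-1]
            out.append("url")
            if IP_RE.match(u.hostname or ""):
                out.append("url_host_is_ip")                      # link to a bare IP, no domain name
            if "." in leaf:
                out.append("url_ext_" + leaf.rsplit(".", 1)[-1])  # e.g. url_ext_exe
        elif tok.startswith("attachment:"):
            out.append("attach_ext_" + tok.rsplit(".", 1)[-1])
        else:
            out.append(re.sub(r"[^a-z0-9]", "", tok))
    return [t for t in out if t]

def train(labelled):
    """Multinomial naive Bayes with Laplace smoothing over (label, text) pairs."""
    counts, totals, docs, vocab = defaultdict(Counter), Counter(), Counter(), set()
    for label, text in labelled:
        toks = tokenize(text)
        counts[label].update(toks); totals[label] += len(toks); docs[label] += 1; vocab.update(toks)
    return counts, totals, docs, len(vocab)

def classify(model, text):
    counts, totals, docs, v = model
    scores = {label: math.log(docs[label] / sum(docs.values()))                 # log prior ...
              + sum(math.log((counts[label][t] + 1) / (totals[label] + v))       # ... plus smoothed
                    for t in tokenize(text)) for label in docs}                  # token log likelihoods
    return max(scores, key=scores.get)
# The filter before (only attachment-borne malware labelled) and after the adjustment described above.
BEFORE = train([("ham", m) for m in HAM] + [("malware", m) for m in MALWARE_ATTACH])
AFTER = train([("ham", m) for m in HAM] + [("malware", m) for m in MALWARE_ATTACH + STORM_LURES])
```

With the constructed corpus, `classify(BEFORE, lure)` returns "ham" for a link-only e-card lure and `classify(AFTER, lure)` returns "malware", while a legitimate e-card notice is "ham" under both models.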



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 349,851 at the end of November. That's a growth of 127,378 new malware strains and/or variants so far in 2007; in November alone the number jumped by 10,160. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 139,000. Things have certainly speeded up during the third and fourth quarters of 2007!

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during November 2007.


Conclusions:

The trend of using social engineering, which was widespread from January to September, has continued during October and November; if anything it has accelerated, as can be seen from the examples of the Storm Worm spam runs covered above. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer.

Spam is back to around its usual levels after the slight drop during September. The spammers haven't been idle during November, as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October (especially RBS, Nationwide and Barclays), and with new targets such as Equifax, as shown above.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, which works just as well and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used in this report.

All in all, it looks like we could be in for a very interesting, and busy, final month of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

Please note: December's report, which should be published in January 2008, may well be the last one I do for the foreseeable future due to changes in my role.
