December 2007 Malware Review
December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn't have quite as much time to blog and do trend and sample analysis as I usually do.
As usual on the malware-related security threats front it has been an interesting month, with yet more malware using social engineering to get the victim to infect their own computer, sparing the malware author the need to code routines that automate infection. We've also seen lots of activity from scammers and cyber-criminals once more during the month.
Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.
I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:
The last two are my own projects and all their data comes from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer 5 years, the Malware Bayesian Filter 4 years.
In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.
As December's statistics show once more, the general trend is still downwards. It still appears that social engineering has been the technique of choice and that 2007 should now be known as the year of the social engineer.
During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high point of 82 percent it reached in August.
As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December's chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.
The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.
If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple 'vectors' and combine it, so I tend to get a more rounded picture of what is really running around the Internet in the way of net nasties.
Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.
November's pole-sitter, Scano.gen, has had to settle for fifth place in December's chart.
In the runner-up spot we have a new entry, Diehard.dc, which is not the only member of this new family: it is joined by Diehard.db and Diehard.dd, which are also new entries, straight into the chart in fourth and seventh place respectively.
Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.
This month's chart is packed with new entries; the next one is Warezov.xd, straight into the chart and stealing the final podium place, third.
And to complete the top ten we have two more re-entries, Bagle.gt and Nyxem.e [aka MyWife.D], back into the top ten in sixth and tenth places respectively.
Kaspersky had this to say about December's chart:
"At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.
It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic - that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day."

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.
In the SOPHOS chart we see a different pattern; Netsky has once more regained the runner-up position it last held in October's chart. Last month's pole-sitter, Troj/Pushdo, has further consolidated its hold on pole position.
Mytob has reversed its slide down the chart, climbing back up from sixth to third place. W32/Zafi has continued its progress down the chart, sliding from fifth to sixth place.
Mydoom which was a re-entry in October's chart has climbed up one place from eighth to seventh place.
There are two re-entries in December's chart: Troj/Dloadr, back into the chart in eighth place, and W32/Sality, back into the chart in tenth place.
W32/Bagle is up one place from tenth to ninth; to complete the chart we have W32/Strati, up from ninth to fourth, and finally Mal/Dropper, down one place from fourth to fifth.
Here is some commentary on December from Sophos:
"Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.
This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot, second. The final step of the podium, third place, is once more occupied by our old friend Dupator.
Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.
We have three re-entries in December's chart: mIRC-Based, back into the chart in fifth; Hidrag, which grabs sixth place; and W32.Tibs, which takes seventh place.
The last entry to cover in December's chart is our old friend Netsky, which has fallen from grace, down from third to eighth place.

If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As the figures for December show, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail attachments. Instead we will continue to see more malware being seeded via links in e-mails, such as fake e-cards or lures targeting particular events such as Christmas, as can be seen in the What's New section of this blog posting.
The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they carry no attachments. These e-mails contain links to malware files hosted on web servers, and the web pages they link to also contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.
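As an added illustration (my own toy code, not the author's WormCharmer or Bayesian filter), the following Python shows why that adjustment matters: a naive Bayes filter trained only on attachment-borne worms passes an e-card lure with no attachment as clean, while once such lures are labelled as malware the structural features (no attachment, link to an executable on a bare-IP host) carry the classification, without tripping on a clean message that merely links to a web page. All messages, hosts and the filter itself are constructed for the example.

```python
import math
import re
from collections import Counter
URL_RE = re.compile(r"https?://\S+")

def features(msg):
    """Word tokens plus structural tokens (attachment, link, executable link, bare-IP host)."""
    text = msg["text"].lower()
    feats = set(re.findall(r"[a-z]+", text))
    feats.add("HAS_ATTACHMENT" if msg["attachment"] else "NO_ATTACHMENT")
    for url in URL_RE.findall(text):
        feats.add("HAS_LINK")
        if url.rstrip(".,)").endswith((".exe", ".scr", ".pif")):
            feats.add("LINK_TO_EXECUTABLE")
        if re.match(r"https?://\d+\.\d+\.\d+\.\d+", url):
            feats.add("LINK_BARE_IP")
    return feats

class BayesFilter:
    """Naive Bayes over present features, Laplace-smoothed, labels clean/malware."""
    def __init__(self):
        self.n = Counter()                               # messages seen per label
        self.counts = {"clean": Counter(), "malware": Counter()}
    def train(self, msg, label):
        self.n[label] += 1
        self.counts[label].update(features(msg))
    def classify(self, msg):
        feats, total, score = features(msg), sum(self.n.values()), {}
        for label, fc in self.counts.items():
            lp = math.log((self.n[label] + 1) / (total + 2))           # class prior
            lp += sum(math.log((fc[f] + 1) / (self.n[label] + 2)) for f in feats)
            score[label] = lp
        return max(score, key=score.get)

# Constructed sample traffic (not real messages); link hosts are documentation addresses.
CLEAN = [{"text": "Meeting moved to 3pm, agenda at http://intranet.example.com/agenda.html", "attachment": False},
         {"text": "Minutes from the project review are attached", "attachment": True}]
ATTACH_WORMS = [{"text": "Your document is attached, see details", "attachment": True},
                {"text": "Mail delivery failed, see attached report", "attachment": True}]
ECARD_LURES = [{"text": "You have received a greeting e-card! View it at http://203.0.113.7/ecard.exe", "attachment": False},
               {"text": "A friend sent you an e-card. Open http://198.51.100.9/card.exe to see it", "attachment": False}]
TEST_LURE = {"text": "Someone sent you a Christmas e-card: http://192.0.2.44/christmas.exe", "attachment": False}
TEST_CLEAN = {"text": "Lunch moved to Friday, agenda at http://intranet.example.com/agenda.html", "attachment": False}

def build(label_lures_as_malware):
    """Train a filter; the flag mirrors the mid-2007 adjustment described in the post."""
    f = BayesFilter()
    for msg in CLEAN: f.train(msg, "clean")
    for msg in ATTACH_WORMS: f.train(msg, "malware")
    if label_lures_as_malware:
        for msg in ECARD_LURES: f.train(msg, "malware")
    return f
```

`build(False).classify(TEST_LURE)` returns "clean" and `build(True).classify(TEST_LURE)` returns "malware", while `TEST_CLEAN` stays "clean" in both cases.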

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That's a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.
What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.
- Rent-a-Spammer [Wednesday, 5 December 2007]
- The Six Million Dollar Relative [Thursday, 6 December 2007]
- UPS Delivery of Over ONE MILLION US Dollars! [Wednesday, 12 December 2007]
- Don't Let Mrs. Santa Get Her Claus... [Monday, 24 December 2007]
Conclusions:
The trend of using social engineering, which was widespread from January to November, has continued during December; if anything it has accelerated, as can be seen from the examples of the Storm Worm spam runs covered above. I think it would be fair to say that 2007 has been the year of the Social Engineer. After Christmas the Storm Worm gang were working flat out producing new malware, web sites and spam runs, but more on that another time.
Spam is back to around its usual level after the slight drop during September. The spammers haven't been idle during December, as they are still trying out other file formats which they hope will bypass anti-spam defences.
The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.
Malware seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive as an e-mail attachment. Now the authors simply get you to download the malware and infect your own computer, which works just as well and needs no extra coding, as they aim for the weakest link in the security chain: the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used in this blog entry.
As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.
I would like to wish you all a very happy new year, stay safe!
Links:
- Virus Top Twenty for December 2007 [Kaspersky]
- Top ten viruses and hoaxes for December 2007 [Sophos]
Please note: December's report may well be the last one I do for the foreseeable future due to changes in my role.
Labels: all, hoax, malware, scams, social-engineering, spam, stats