February has come and gone and, although the months and seasons change, some things don't: it has been another very busy month for me. On the malware and related security-threat front it has been an interesting month, with more mass-mailing malware, which many anti-virus firms were saying would be extinct by now. Guess again! We have also seen an awful lot of malware using social engineering to get the victim to infect their own computer, without the malware author needing to code routines to automate infection.
Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.
I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.
I have included four sources of information for the graphs and pie charts; these are:
- Kaspersky
- SOPHOS
- WormCharmer
- Malware Bayesian Filter
The last two are my own projects and all data is collected from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 4.5 years, the Malware Bayesian Filter for 3.5 years.
In total I captured 894 samples during February, which have been catalogued as 43 distinct families and variants. In comparison, during January I captured 991 samples, which were catalogued as 54 distinct families/variants. As you can see, the captures in February are down slightly from January's total.
During February I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].
As you can clearly see, February's captures are up from December 2006 but fell slightly from January's haul. The February statistics consolidate my view that the general trend is still downwards. It seems that social engineering is the technique of choice so far this year.
During February I reported 78 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar, which I blogged about some time ago.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] yet again retained pole position during February, and it has gained back some of the ground it lost in January; its percentage has increased from over 36 percent in January to over 42 percent in February. Once again, Tenga.3666 seems very intent on keeping pole position for itself, although it had very strong competition again during February, this time from Mytob.J.
Netsky.P [aka Netsky.q] has disappeared from the chart again in February, after being the only representative of the family left in January's chart.
The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, have fallen on hard times in January and February, only managing to fill one place in the chart; the survivor, yet again, is Tenga.3666 in pole. There are yet again no Opaserv.worm family representatives in the chart in February. IRC.Zapchast has managed to climb up the chart from the final slot in January's chart to fourth place.
It has been another bumper month for new entries: in January's chart we had seven new entries, in February's we have eight. These are five members of the Zhelatin [aka Nuwar] family [u, o, m, r and ab] in third, fifth, seventh, eighth and tenth respectively; two members of the Tibs family [kj and jr] in sixth and ninth places respectively; and the final new entry, Mytob.J, which has stormed into the chart in second place. All in all another very hectic month!
If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply put, my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really doing the rounds on the Internet in the way of net nasties.
As you can see from the Kaspersky top 10 [below], February has seen the Mytob family gain back a little of the ground it lost in January. The only survivor of the Mytob clan is Mytob.c, bouncing up from ninth in January to seventh in February.
Netsky.q has fallen down the chart from second place in January to fourth. It is joined by two other family members: Netsky.aa, which drops all the way down to tenth, and Netsky.t, which is up from fourth and has stolen pole position from January's pole sitter, Bagle.gt, which slips down one place to second.
As seen in my own top 10 chart, the Zhelatin family has stormed the Kaspersky chart, accounting for four of the top ten spots. These are Zhelatin [dam, o, u and m] in third, fifth, eighth and ninth respectively. All of these are new entries.
Kaspersky had this to say about Zhelatin:
"During February we issued three virus alerts with a 'medium' threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants."
Finally we have another new entry, this being Warezov.ls, in at sixth place.

In the SOPHOS chart we see a different pattern: Netsky.p has yet again consolidated its grip on second place in February. Pole position has been stolen by HckPk, which is sort of a new entry, as it is a 'generic' label for malware that uses HckPk to obfuscate itself, such as Dorf and Dref.
Here is some commentary on it from Sophos:
"Hackers are increasingly using encryption and packer tools - such as those belonging to the HckPk family - to camouflage their malicious code. January's hardest-hitting worm, Dorf, plus the prevalent Dref mass-mailing worms are just two examples of the malware currently being hidden within HckPk programs. Sophos has also found that cybercriminals are constantly modifying their HckPk disguises in an attempt to bypass IT defences."
SOPHOS also noted the following:
"HckPk is a bit like Mr Potato Head - it uses disguises to bamboozle anti-virus protection into thinking the attachment is safe when, in reality, malicious code lies within," said Carole Theriault, senior security consultant at Sophos. "Today's most widespread threats, such as Dref and Dorf, use HckPk, so by blocking it, we zap the nasty threats lurking inside. Users need to check that their anti-virus protection can proactively detect against previously unseen malware, otherwise they could be next in a long line of victims."
Zafi.d has managed to climb up from fifth place in January's chart to fourth in February's. Meanwhile Nyxem.D [aka MyWife] has further consolidated its place in ninth.
The downloader variant of Stratio [StraDl] has managed to claw its way back into the top ten, to ninth, after falling out of the chart in January.
Mytob.C has further consolidated the third place it grabbed back in December 2006. Netsky [D] has disappeared from the top ten again. Mydoom-O, which was a re-entry in November's top ten, remains in sixth place in February's chart.
November's new entry, W32/Sality.AA, has climbed another two places, from seventh to fifth, in February's chart.
The last remaining member of the Bagle family, Bagle-qw, crawls back up the chart from eighth to seventh place.
To complete this month's top ten we have Clagger.i, which is a re-entry in tenth.

The final pie chart below shows the Top 10 malware families trapped, by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is once more headed up by the September 2005 leader, Tenga. This month the 'pretender' that stole its crown in January has had to make do with the runner-up spot. This 'pretender' is Zhelatin [aka Nuwar, Tibs]. Opaserv has once more slipped down the chart, from fifth to sixth spot during February. Netsky has managed to halt its slide down the chart and has consolidated its position in eighth.
Tibs has managed to grab fourth place, and Mytob has stolen the final step of the podium, in third spot.
Zapchast has stormed up the chart from ninth to fifth place, and Small is down from sixth to ninth.
New entries include Parite and Sality, in at seventh and tenth places respectively.

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power cuts, Internet connectivity issues or hardware faults].
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of February] here. This clearly shows that February was only slightly less busy than January, but still up on the December 2006 total. This jump can be attributed to the Tibs [aka Dorf, Nuwar, Zhelatin] mass-mailers, which were widespread during February. Even allowing for this significant rise, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 233,084 at the end of February. That's a growth of 10,611 new malware strains and/or variants in the first two months of 2007. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be just over 63,500.
What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in February 2007.
Conclusions: The use of social engineering has made life somewhat more troublesome during January and February than we saw during most of 2006. This has been compounded by the event that happened on the 14th of February. The use of social engineering around that time was quite excessive, as indicated by the two articles listed above.
The re-emergence of mass-mailing malware has caught many anti-virus vendors off guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them, and if it doesn't, it isn't their fault.
Note: EICAR have informed me that the EICAR 2007 conference to be held in Budapest, Hungary between the 3rd and the 8th of May has been cancelled.
Links:
Labels: all, malware, scams, spam, stats