MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Monday, 30 April 2007

March 2007 Malware Review

Just about managed to get this finished before the end of the month.

March has come and gone and already we have used up the first quarter of the year. However, some things don't change; it has been another very busy month for me. On the malware and related security threats front it has been an interesting month, with yet more mass-mailing malware, which many anti-virus firms were saying would be extinct by now. Guess again! We have also seen an awful lot of malware using social engineering to get the victim to infect their own computer, so that the malware author doesn't need to code routines to automate the infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet. These systems, which run on an ADSL link, are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 638 samples during March, which have been catalogued as 38 distinct families and variants. In comparison during February I captured 894 samples which were catalogued as 43 distinct families/variants. As you can see the captures in March are significantly down from February's total.

During March I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The March statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During March I reported 58 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:


W32/Tenga.3666 [Frisk] had to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] forced its way to the top of the chart ousting February's pole sitter in the process by less than half a percentage point. Bear in mind that W32.Kasper.A wasn't even in the top ten in February, so it is a re-entry, which makes its position in March's chart even more incredible.

Mytob.J, which was the runner-up in February's chart and seriously threatening Tenga's hold on pole position, has slipped down the chart to sixth place.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, fell on hard times in January and February, only managing to fill one place in the chart; the survivor was Tenga.3666. What a difference a month makes: the Opaserv.worm family, which completely failed to turn up in the chart in February, is back. Not just one or two, but four representatives are back in the top ten. These are variants ae, d, ac and ai, in fifth, seventh, ninth and tenth places respectively.

IRC.Zapchast has managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart.

A new entry in March's chart [in 4th place] is Virus.Win32.Virut.a which is a bit of a throw-back, being a real 'virus', an appending one, as well as being a Bot. We also have another new entry, even though it is a real oldie [Pate.B in 8th place], as it has been around for a long time but never managed to get in to the top ten, until now.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] for March still has Mytob.c in seventh place, which it managed to climb to in February, up from ninth in January.

Netsky.q has managed to climb back up to the runner-up spot in March, having fallen down the chart from second place in January to fourth in February. It is joined by three other family members: Netsky.aa, which recovers the sixth place it lost when it dropped to tenth in February; Netsky.t, February's pole sitter, which slips back down to fourth; and Netsky.b, a re-entry in at ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to third.

As seen in my own top 10 chart, the Zhelatin family which stormed the Kaspersky chart during February have disappeared from the top ten just as fast as they arrived.
We have three new entries in March's chart: Bankfraud.ra, straight in at pole position; Warezov.jx, in at fifth place; and Scano.gen, in at eighth place. Completing the top ten is Mydoom.l, a re-entry taking the final place, tenth spot.

Kaspersky had this to say about March's pole sitter:
"This month's leader, Trojan-Spy.HTML.Bankfraud.ra is also the result of recent virus epidemics. This Trojan is a typical phishing email, and millions of copies have been sent around the world. We've also noticed that this malicious program has been mass mailed several times. Bankfraud.ra was first detected on 27th February 2007, and in the space of a single month reached such a volume that this month it accounts for more than 30% of all malicious programs detected in mail traffic.
The Trojan targets clients of the Branch Banking and Trust Company (BB&T). It attempts to lure them to fake web sites registered by their undoubtedly malicious users in Croatia and the Cocos (Keeling) Islands."



In the SOPHOS chart we see a different pattern: Netsky.p has once more raised its game and stolen pole position in March. February's pole position sitter, HckPk, has completely dropped out of the top ten.

Here is some commentary on it from Sophos:
"Unwanted emails hiding copies of Netsky are still spreading like weeds in an untended garden, showing how well seeded these mass-mailing threats are," said Carole Theriault, senior security consultant at Sophos.

Zafi has dropped from February's fourth to sixth place in March. Meanwhile Nyxem.D [aka MyWife] has gained one place in March, up from ninth to eighth place.

Stratio has managed to claw its way back into the top ten, to seventh place, after falling out of the chart in February. Mytob has improved upon the third place it grabbed back in December 2006, and is up one place to be March's top ten runner-up.

Mydoom-O, which was a re-entry in November's top ten, climbs two places from sixth place to fourth, and November's new entry, W32/Sality.AA, has climbed another two places from fifth to third in March's chart.

The last remaining member of the Bagle family, Bagle-qw crawls further up the chart from seventh to fifth place.

To complete this month's top ten we have Clagger.a which is down one place from ninth to eighth spot and a new entry DwnLdr.GFX in at tenth place.

SOPHOS also noted the following:
"It's frustrating to think that there are a bunch of new threats out there that are much more targeted and devious in their approach, yet how can we expect the average computer user to protect against them when the Netskys and Mytobs remain so rooted? Users need to roll up their sleeves and commit to keeping their PCs secure both for their sake and the sake of everyone else connected to the web."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is not headed up by the September 2005 leader Tenga. This month a new 'pretender' has stolen its crown in March, so Tenga has had to make do with the runner-up spot once more. This 'pretender' is W32.Kasper [aka MyWife].

Mytob has dropped from third place in February's chart to sixth spot during March.

Zapchast which stormed up the chart from ninth to fifth place in February has managed to move up to fourth place in March. Opaserv has also climbed up the chart in March from sixth to the final step on the podium; third place.

February's new entries, Parite [aka Pate] and Sality, are static in seventh and up one place to ninth respectively. New entries include Virut and Cloner, in at fifth and eighth places respectively. Dupator completes March's top ten, in tenth.




If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of March] here. This clearly shows that March was slightly down on the December 2006 total and significantly down on the first two months of 2007. As the March figures show, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 241,959 at the end of March. That's a growth of 19,486 new malware strains and/or variants in the first quarter of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just under 78,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in March 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January and February has continued in March, as seen by the IE7 'fake' download detailed elsewhere in this report.

The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them, and if it doesn't, it isn't their fault.

Links:



Friday, 20 April 2007

Don't Look...

I told you not to look!

Too late: if the following screenshot were an e-mail you had previewed or opened on your system, and you hadn't patched or had other mitigating technologies or methodologies in place*, then your computer would now be infected. Yes, it would now belong to the 'Bad Guys and Girls'! You would be '0wn3d'.

Game over!

Here's the screenshot of the e-mail you might have already received:



Yes, I have doctored this screenshot, the real one is a little 'too risque' to post here!

The first picture, the one of 'Paris Hilton' barely wearing anything, is not 'bad'; what I mean is that this picture is not the problem in this spam e-mail, it is the 'bait'. The one to worry about is the second picture, which won't render [the one with the red diamond in the screenshot], as it isn't a real picture at all. It is a 'trojanised Windows MetaFile [WMF]' which has exploit code embedded in it to try to infect or take over your computer.

This e-mail arrived at my mail server just after midnight last night, and was quite rightly flagged as spam.

So, why am I flagging this now? I mean, the exploit code used is old, and you should all be patched by now; you are patched, right? The reason I'm flagging this now is that this may well be a new phase of 'image' exploitation [in both senses of the word], such as this one using the 'WMF exploit', but I suspect we will see the same social engineering techniques used with other exploit code and droppers. In fact I know we will!
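The defensive lesson in the paragraph above is that a mail client should trust the bytes of an attachment, not its name, before rendering it as a picture. The following Python script is an added illustration of that check and is not code from the original post; the file signatures it uses are the documented JPEG, PNG, GIF and Windows Metafile (placeable and standard header) magic bytes, and the three sample attachments are constructed here, not the files from the spam.

```python
import os
from typing import Dict, Optional, Tuple

# Leading-byte signatures for the picture types a mail client renders inline,
# plus the two Windows Metafile header forms. These are the documented file
# signatures; the sample from the post was not used to build this.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    # Placeable WMF: key 0x9AC6CDD7 stored little-endian.
    # Standard WMF: METAHEADER type (1 = memory, 2 = disk) then header size 9.
    "wmf": (b"\xd7\xcd\xc6\x9a", b"\x01\x00\x09\x00", b"\x02\x00\x09\x00"),
}
EXTENSION_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif", ".wmf": "wmf"}


def sniff_kind(data: bytes) -> Optional[str]:
    """Identify the real type from the first bytes, ignoring the file name."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):  # bytes.startswith accepts a tuple of prefixes
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one inline picture."""
    claimed = EXTENSION_KIND.get(os.path.splitext(filename.lower())[1])
    actual = sniff_kind(data)
    if actual == "wmf":
        # Policy: a metafile is never rendered as a picture, whatever it is called.
        return "block", f"{filename}: Windows Metafile content behind a picture name"
    if actual is None:
        return "block", f"{filename}: leading bytes match no picture format we render"
    if claimed is None:
        return "block", f"{filename}: extension is not a picture type we render"
    if actual != claimed:
        return "block", f"{filename}: content is {actual} but the name says {claimed}"
    return "allow", f"{filename}: {actual} content matches its name"


def scan(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Map each attachment name to its verdict."""
    return {name: check_attachment(name, data)[0] for name, data in attachments.items()}


# Constructed sample attachments (not the files from the post): the first is a
# harmless JPEG start, the other two carry WMF headers behind picture names.
SAMPLES = {
    "bait.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,
    "second.jpg": b"\xd7\xcd\xc6\x9a" + b"\x00" * 28,
    "thumb.gif": b"\x02\x00\x09\x00" + b"\x00" * 28,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(check_attachment(name, data))
```

The rule is deliberately strict: anything that is not recognisably one of the picture formats the client is prepared to draw is refused, so a metafile with a picture's name never reaches the renderer, and neither does an unrecognised blob.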

So, be careful out there when opening or even previewing e-mails, you may start a chain reaction which ends up with your system being turned into a zombie, and it's all downhill from then on...adware, spyware, malware, identity theft, keylogger, spam relay, phishing site hoster....You get the idea, don't you?

The site hosting the real and fake image files is still active as I write this, you have been warned!

Links to more WMF exploit information:

* Such as a good up-to-date, and enabled, anti-malware solution and/or fully patched system or one not using Windows.



Wednesday, 18 April 2007

A Google Product Too Far?

There are now so many 'Google' products and services out there that it is easy to believe that 'Google' have a finger in every pie; a bit like the 'Virgin' empire, well almost.

We have 'Google Search, Google Mail, Google Talk, Google Reader, Google Adwords and Adsense, Google Docs and Spreadsheets, Google Notebook and the latest ones I know about are Google Checkout and Google's answer to Powerpoint'. The list is almost endless!

So with that in mind, how many of you out there have received an e-mail that reads like this one for 'Google Lottery'?:



Excellent, a 'Million Euros' would be most welcome...

OK, now how many of you have believed you have actually won something?

Go on, hands up, yes that includes you hiding at the back there! ;-)

If it was really from 'Google', why oh why does the named agent use an 'AIM' e-mail account? Surely they should use a 'Gmail' or 'Googlemail' one?

Yes, this is another 419, aka Nigerian or Advance-Fee-Fraud. More details on these can be found here, and I'll have a new article on 419s, which I wrote for Virus Bulletin and was published in the April edition, available here shortly.

I'm still waiting for 'Google' to make swimming goggles...that would be almost as ironic as 'Virgin condoms*'.


(*Yes, I know they exist!)



Friday, 13 April 2007

Who Removed The Pictures?

Those of you who read my blog from time to time, or are in the computer-security sector, will know that since the last quarter of 2006 the spammers have been converting from ASCII/HTML based spam to image based spam [*.gif, *.png, *.jpg, etc.]. This move caused many who work on anti-spam products and solutions a lot of sleepless nights trying to work out how they could add detection for such spam, without too many false positives or negatives.

Well, it seems that their prayers [the vendors and service providers] have been answered as I'm increasingly seeing a switch back to ASCII/HTML based spam, although a number of botnets used to send spam are still using images.

Here are three examples of one of the latest tricks the spammers are using:





Did you notice the lack of images in the spam itself? What these spammers have done is to host the graphical spam images at an image hosting/storage service known as 'ImageShack'. As you might have expected, this technique only worked for a while before the anti-spam tools caught up and 'ImageShack' started to actively purge the hosted spam images.

This next one takes this minimalist approach to the highest level. Take a look:



Couldn't be much more compact could it? As with the first three examples, the link takes you to a graphical spam message hosted on one of a number of sites, but not on 'ImageShack'.

The final one in this series is not as minimalist; in fact it is almost at the other end of the scale, being rather wordy. That is because it uses social engineering techniques 'borrowed' from the malware authors. Have a look and see what I mean:



Doesn't that look rather like a rip-off of a mass-mailing worm or dropper seeding e-mail, such as those we are seeing right now [Nuwar/Zhelatin/Storm Worm]?

Now why would they want you to think you've bought a copy of 'Windows Vista'?

Well, guess what? You haven't, and if you click on any of the hyperlinks all you are doing is confirming that the e-mail address the spam was sent to is 'alive-and-well' and that a 'real-human-being' is actually reading it [and clicking on links, too].

Now isn't that sneaky?

I've said it before, and I'll say it again: "Never click on anything in a spam e-mail, or you may just end up proving that your e-mail address is valid, and live. This makes that e-mail address more valuable and you'll end up on more spammers lists, and get loads more spam."

Also:
  • Use a good anti-spam solution, such as the one built into Thunderbird.

  • Don't allow remote images to be loaded when the spam e-mail is rendered.

  • Don't click on any links provided in the spam, especially any 'unsubscribe' links offered, as this will again prove your e-mail address is valuable, and as expected you'll end up getting more, not less, spam.

  • Don't EVER buy anything offered in a spam e-mail, you are only helping to prove that the business model that the spammers use, is still viable.

Yes, I know I repeated myself in point 3 of the above list, but that was intentional, just to drive the point home ;-)
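The two tricks described above, a body that is nothing but a link to a picture hosted elsewhere and a body whose only content is a remotely loaded image, are easy to spot mechanically once you separate the visible text from the links and image sources. The Python script below is an added example, not code from the original post or from any anti-spam product: it parses an HTML message body, counts the words that are not themselves URLs, and flags bodies that consist of little more than remote references. The list of image hosting domains is a hypothetical starter (ImageShack is the service named in the post), and the three messages are constructed samples.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Hosts whose only role in a spam run is to serve the picture the body omits.
# Hypothetical starter list for this example; extend it from your own traffic.
IMAGE_HOSTS = ("imageshack.us",)


class _BodyCollector(HTMLParser):
    """Collect visible words, anchor targets and <img> sources from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.words: List[str] = []
        self.links: List[str] = []
        self.images: List[str] = []
        self._hidden = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag in ("script", "style"):
            self._hidden += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.words.extend(data.split())


def _is_remote(url: str) -> bool:
    return urlparse(url).scheme in ("http", "https")


def _on_image_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in IMAGE_HOSTS)


def analyse_body(html: str, min_words: int = 10) -> Dict[str, object]:
    """Return the prose word count, link targets, remote images and any flags raised."""
    p = _BodyCollector()
    p.feed(html)
    p.close()
    remote_images = [u for u in p.images if _is_remote(u)]  # what a client should refuse to fetch
    # A word that is itself a URL carries no message; the picture behind it does.
    prose = [w for w in p.words if not w.lower().startswith(("http://", "https://", "www."))]
    flags: List[str] = []
    if remote_images and len(prose) < min_words:
        flags.append("remote-image-only body")
    if p.links and not remote_images and len(prose) < min_words:
        flags.append("link-only body")
    if any(_on_image_host(u) for u in p.links + remote_images):
        flags.append("points at an image hosting service")
    return {"prose_words": len(prose), "links": p.links, "remote_images": remote_images, "flags": flags}


def verdict(html: str) -> str:
    return "suspicious" if analyse_body(html)["flags"] else "ok"


# Constructed sample bodies, not the spam shown in the post.
MINIMAL = ('<html><body><a href="http://img123.imageshack.us/img123/9/deal.gif">'
           'http://img123.imageshack.us/img123/9/deal.gif</a></body></html>')
HOSTED = '<html><body><p>Hi!</p><img src="http://img.imageshack.us/img/7/offer.gif"></body></html>'
NORMAL = ('<html><body><p>Hi Mo, the March review is up on the blog, have a look when you get '
          'a minute and tell me what you think of the graphs.</p>'
          '<a href="http://arachnid.homeip.net">top ten</a></body></html>')

if __name__ == "__main__":
    for name, body in (("minimal", MINIMAL), ("hosted", HOSTED), ("normal", NORMAL)):
        print(name, verdict(body), analyse_body(body)["flags"])
```

The `remote_images` list is exactly the set of fetches a mail client makes when it is allowed to load remote content, which is why the second bullet point above matters: every one of those fetches tells the sender that the address is live.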


Wednesday, 11 April 2007

Secret Intelligence Service SCAM ALERT!! E-mail

Here's an interesting e-mail I received today. The following screenshots show the complete e-mail. Read it all the way through. What do you think, real or fake?






Hands up all those that said real?

All of you who said 'real' are in detention, write out, in full 100 times, my blog post covering 419 scams [here] and the recent blog entry on the 'Police Website Line-up' [here]. ;-)

Hands up all those that said fake?
Well done! Give yourself a pat on the back; it does indeed seem to be a fake. Details below:

Hmmm... the e-mail comes from [or so it claims] 'anti.scam-dpt@sis.gov.uk'. SIS.GOV.UK is the domain owned and used by the SIS [Secret Intelligence Service, also known as MI6 in the UK]. However, the reply-to address in the e-mail body is 'hollace_fwilliam@britishsecretservice-uk.org', and that sounds 'phishy'. So let's look at the domain details for it, shall we?

Here are the DNS entries:

britishsecretservice-uk.org. 600 IN SRV 1 1 5061 federation.messenger.msn.com.
britishsecretservice-uk.org. 600 IN MX 10 pamx1.hotmail.com.
britishsecretservice-uk.org. 600 IN A 65.54.132.254
britishsecretservice-uk.org. 86398 IN NS pdomns1.msn.com.
britishsecretservice-uk.org. 86398 IN NS pdomns2.msn.com.

The MX [e-mail] record is pointing to a 'hotmail.com' MX server, I can't see the SIS using Hotmail as their primary e-mail server, can you? Or, for that matter, MSN DNS servers as their primary and secondary DNS.

Let's look at the WHOIS record, shall we?

Domain ID:D106558818-LROR
Domain Name:BRITISHSECRETSERVICE-UK.ORG
Created On:08-Jun-2005 09:07:00 UTC
Last Updated On:01-Jul-2006 03:55:43 UTC
Expiration Date:08-Jun-2007 09:07:00 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:C338EEA0092FC35F
Registrant Name:MR. HOLLACE WILLIAM FRANCIS
Registrant Organization:MR. HOLLACE WILLIAM FRANCIS
Registrant Street1:3840 Fishcreek Rd
Registrant City:Stow
Registrant State/Province:OH
Registrant Postal Code:44224
Registrant Country:US
Registrant Phone:+1.3306282938
Registrant Email:hollace_fwilliam@britishsecretservice-uk.org
Admin ID:C338EEA0092FC35F
Admin Name:MR. HOLLACE WILLIAM FRANCIS
Admin Organization:MR. HOLLACE WILLIAM FRANCIS
Admin Street1:3840 Fishcreek Rd
Admin City:Stow
Admin State/Province:OH
Admin Postal Code:44224
Admin Country:US
Admin Phone:+1.3306282938
Admin Email:hollace_fwilliam@britishsecretservice-uk.org

Now why would the SIS or MI6 use someone living in Ohio in the US to register a domain for them?

And where is this domain being hosted?

65.54.132.254 [Querying whois.arin.net]
[whois.arin.net]

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2004-12-09

Hmmmm.... I wonder if Microsoft know they are hosting a potential 419 scammer on their servers?

If you type 'http://britishsecretservice-uk.org' in to your web browser, after a small pause you end up here:



This is the 'REAL' MI5 website, seems that the domain owner for 'britishsecretservice-uk.org' is currently redirecting all web traffic to the MI5 site. I bet he isn't doing the same with the e-mail traffic, very sneaky!

The final proof that this is a fake, if you really needed any more, is that the SIS is part of MI6, but the fake domain redirects to the MI5 site which the SIS are not part of, and did you notice the use of an MI5 logo in the foot of the e-mail?

Back to the drawing board you 'Bad Guys and Gals from Lagos'....



Monday, 2 April 2007

A Police Website Line-up - The Verdict

As promised, [finally] here is my posting with the verdict on which one of the following suspects in my Metropolitan Police website line-up is the real one, and more importantly which is the fake one. I will also reveal what the fake one was set up for, and by whom.

Just to refresh your memory, I originally asked:
"Do you think you can tell the difference between a real website and a copy which is a fake? Yes? Well, let's see how good you are, here's a test for you. Which of the following screenshots is from the real Metropolitan Police Service web site, and which is the fake?"

[Mug-shot 1]


A larger version of this screen-shot can be found here.

OR

[Mug-shot 2]


A larger version of this screen-shot can be found here.

I did get some responses, and those that did respond got it right!

Oh, you want the answer? OK, here's your starter for 10:

The real Metropolitan Police Service web site was 'Mug-shot 2', and the fake must be, by a process of elimination, 'Mug-shot 1'. I did leave one obvious clue to help you, did you spot it?

Take another look, at the 'McAfee Site Advisor' indicator in the status bar at the foot of the browser window: the real Met site shows as 'Green', which means it has been tested and is probably the real thing, whereas the fake site shows as 'Grey', which means it hasn't been tested yet and probably should be treated as suspicious, for now.

Other clues that give the fake away include:

The two e-mail addresses and the domain name used, as in:
  • new.scotland.yard@metpoliceuk-gov.com

  • clarence.c.vernon@metpoliceuk-gov.com

And

The telephone and fax numbers given:
  • Call us +442071936470 (24 hour switchboard)

  • Fax us +448717200341

Why include an international dialling prefix, when the police force is only responsible for the London Metropolitan area? Bit of a give away!

Let's dig a bit deeper now; starting with the Whois record for the fake domain:
Domain Name: METPOLICEUK-GOV.COM
Name Server: NS.PIPNI.CZ
Name Server: NS2.PIPNI.CZ
Status: clientTransferProhibited
Updated Date: 13-mar-2007
Creation Date: 05-mar-2007
Expiration Date: 05-mar-2008

Name servers in the Czech Republic for a UK Police Force, I think not, and the domain was only created on the 5th of March 2007.

And here are the registrant details, which are probably spoofed.
Registrant:
Jennfier Mcsorley
74 Jermyn St
London, LONDON SW1Y6NP
Great Britain
( )442079305321
sn.tosin@yahoo.com

Of course, it must be real; the London Metropolitan Police force all use free web mail services, such as Yahoo, don't they? ;-)
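The checks made in this post and in the Secret Intelligence Service e-mail post above are the same few questions every time: does the reply-to domain match the claimed sender, where do the MX and name servers live, who registered the domain and where, and how recently. The Python script below is an added example, not code from either post: it parses dig-style DNS output and a 'Key: value' WHOIS dump, applies those questions for a domain claiming to belong to a UK public body, and returns the give-aways as a list. The DNS and WHOIS lines are copied (abridged) from the two posts; the free webmail provider list is a starter I chose for the example, and the 2 April 2007 date used for the line-up domain is an assumption, since the post does not say when the site was first seen.

```python
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Providers a government body would not use for its MX or its registrant
# contact; a starter list chosen for this example, extend it for real use.
FREEMAIL = ("hotmail.com", "yahoo.com", "gmail.com", "aim.com")


def parse_dns(text: str) -> List[Tuple[str, str]]:
    """Reduce dig-style 'name ttl IN type rdata...' lines to (type, last rdata field)."""
    out = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            out.append((parts[3], parts[-1].rstrip(".").lower()))
    return out


def parse_whois(text: str) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Return (fields, name servers, contact e-mails) from a 'Key: value' WHOIS dump."""
    fields: Dict[str, str] = {}
    servers: List[str] = []
    emails: List[str] = []
    for line in text.strip().splitlines():
        if ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            if key.lower() == "name server":
                servers.append(value.rstrip(".").lower())
            else:
                fields[key.lower()] = value
            if "@" in value:
                emails.append(value.lower())
        elif "@" in line:  # some registrars print the contact address bare
            emails.append(line.strip().lower())
    return fields, servers, emails


def creation_date(fields: Dict[str, str]) -> Optional[date]:
    for key in ("created on", "creation date"):
        if key in fields:
            return datetime.strptime(fields[key].split()[0], "%d-%b-%Y").date()
    return None


def _under(host: str, providers: Tuple[str, ...]) -> bool:
    return any(host == p or host.endswith("." + p) for p in providers)


def triage(dns_text: str, whois_text: str, seen_on: date, from_domain: Optional[str] = None,
           reply_domain: Optional[str] = None, expected_cc: str = "uk",
           expected_country: str = "GB", max_age_days: int = 90) -> List[str]:
    """Collect the give-aways for a domain claiming to belong to a UK public body."""
    flags: List[str] = []
    if from_domain and reply_domain and from_domain.lower() != reply_domain.lower():
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    fields, servers, emails = parse_whois(whois_text)
    for rtype, rdata in parse_dns(dns_text):
        if rtype == "MX" and _under(rdata, FREEMAIL):
            flags.append(f"MX {rdata} is a free webmail provider")
        elif rtype == "NS":
            servers.append(rdata)
    for ns in servers:
        tld = ns.rsplit(".", 1)[-1]
        if len(tld) == 2 and tld != expected_cc:  # a ccTLD other than the claimed country's
            flags.append(f"name server {ns} sits under .{tld}, not .{expected_cc}")
    country = fields.get("registrant country")
    if country and country.upper() != expected_country:
        flags.append(f"registrant country {country} is not {expected_country}")
    for email in emails:
        if _under(email.rsplit("@", 1)[-1], FREEMAIL):
            flags.append(f"WHOIS contact {email} is a free webmail address")
    created = creation_date(fields)
    if created is not None and (seen_on - created).days < max_age_days:
        flags.append(f"domain created only {(seen_on - created).days} days before the e-mail was seen")
    return flags


# Records copied (abridged) from the two posts.
SIS_DNS = """\
britishsecretservice-uk.org. 600 IN MX 10 pamx1.hotmail.com.
britishsecretservice-uk.org. 600 IN A 65.54.132.254
britishsecretservice-uk.org. 86398 IN NS pdomns1.msn.com.
britishsecretservice-uk.org. 86398 IN NS pdomns2.msn.com.
"""
SIS_WHOIS = """\
Created On:08-Jun-2005 09:07:00 UTC
Registrant Country:US
Registrant Email:hollace_fwilliam@britishsecretservice-uk.org
"""
MET_WHOIS = """\
Domain Name: METPOLICEUK-GOV.COM
Name Server: NS.PIPNI.CZ
Name Server: NS2.PIPNI.CZ
Creation Date: 05-mar-2007
Registrant:
Jennfier Mcsorley
sn.tosin@yahoo.com
"""


def demo() -> Tuple[List[str], List[str]]:
    """Run both cases; the SIS mail arrived 11 April 2007, the line-up date is assumed to be 2 April."""
    sis = triage(SIS_DNS, SIS_WHOIS, date(2007, 4, 11), "sis.gov.uk", "britishsecretservice-uk.org")
    met = triage("", MET_WHOIS, date(2007, 4, 2))
    return sis, met


if __name__ == "__main__":
    for flag_list in demo():
        print("\n".join(flag_list) or "nothing flagged", end="\n\n")
```

None of these flags is proof on its own (plenty of honest domains use third-party name servers), which is why the script returns the whole list rather than a yes/no: three or four of them together on a domain claiming to be MI6 or the Met is what makes the call easy.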

OK, enough detective work for now. But we still need to know the purpose behind setting up such a site; here are some suggestions. Which one[s] seem most likely to you?
  1. Nigerian (aka 419) scammers?

  2. Terrorists?

  3. Phishing scammers?

  4. Other Organised criminal gang?

The answer, according to The Register is:
"Nigerian scammers have launched a fake London Metropolitan Police website, which includes a fake anti-terrorist hotline number.

According to anti-advance fee fraud organisation Ultrascan Advanced Global Investigations, the scam refers victims to an "official" website that sells so-called "anti-terrorist certificates" which are needed to secure payments from abroad. In the past, fraudulent Anti-Terrorist Stop Order letters were purportedly issued by the Financial Crimes Enforcement Network (FinCEN)."

The full article from the Register can be found here.

So now you know the which, the why, the when and the how of the crime... Book 'em Danno!

Up for another challenge some time?



Sunday, 1 April 2007

New Perfect Security Technology Developed

Here's a press release about this new security technology from 'Polar Foil':

No More Updates
Yes, this new technology uses a technique known as the You Try Most Procedure. This means that you never have to update your anti-virus and anti-spyware ever again. It even solves the patching problem and the thornier and harder to deal with issues of social engineering, hacking, phishing and other internet scams and skullduggery.

Compatible with all OSes
Works with all known operating systems, including these popular ones:

  • Windows [3.x, 98, Me, NT, XP, Vista]

  • Linux and all other UNIX flavours

  • DOS [1.x - 6.x]

  • Mac OS

  • BeOS

And many more...

Total Protection
No more worries about your system being infected, hacked, or having personal data stolen from your computer, and you don't even have to install anything to benefit from this technique.

"If used correctly and often enough, it offers 100% security against all online and offline threats....satisfaction guaranteed!"
- Mr. Alf P Rolo the CEO of 'Polar Foil'

The Secret?
Well, don't take my word for it, look at this technique in action.
Here and here.

It can even be used in a corporate or academic environment, an example of mass use of this technique can be seen here.

Or if you want to have some alternative fun with your computer without any online security risks worrying you, try this instead:

For more details on this amazing technique, please contact Mr. Alf P Rolo the CEO of 'Polar Foil' inc who markets this amazing technique.

Go on, give it a try, you know it makes sense*!

* Regular use of this technique also helps to relieve work-place or personal stress.




"You Try Most Procedure" is an anagram of "Destroy Your Computer" - Happy April Fools Day!

