MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 31 May 2007

Would You Rather Be A Mule?

How many of you out there have seen job offers [both part time and full time positions] that look like the following screenshots:

Feeling charitable or are you a budding humanitarian? Try these ones:

[Donation Europe]



[Leap Forward International Donation Association]



Or are you just looking to make some cash, whatever it takes? Try these ones:

[TRI-VISION GLOBAL INC]




[Aegic Capital Group LLC]



Tempted to apply?

Well, let's see where we end up if we click on the web link in the e-mail from Aegis:





Looks very professional doesn't it? All of these all seem too good to be true, don't they?

Well, they are too good to be true: all the screenshots of the e-mails [including the 'charity' ones] are nothing more than an attempt to recruit staff to act as money launderers, also known as mules.

I've written about mules before on this blog, but I thought it was time to revisit the area as the bad guys and girls have been very active in trying to recruit new mules just recently.

So, a quick recap:

"We are not talking about four legged creatures that are half horse and half donkey….think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates; they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc.
"

So next time you see a job ad on the web, in the local paper or receive a job offer via e-mail, stop and think: is this really legit, or am I about to be turned into a mule? Or, as the song goes:

"Would you like to swing on a star
carry moonbeams home in a jar
and be better off than you are
or would you rather be a mule

A mule is an animal with long funny ears
he kicks up at anything he hears
His back is brawny but his brain is weak
he's just plain stupid with a stubborn streak
and by the way if you hate to go to school
You may grow up to be a mule...
"

The full lyrics can be found here.

By all means swing on a star, but not if it means you grow up to be a mule...to fund the lifestyle, and end up broken, saddled with a criminal record, and corralled in jail with numerous other mules, while those that run the scams get away with turning the endless train of desperate people [including students] into yet more mules.


Wednesday, 30 May 2007

April 2007 Malware Review

Just about managed to get this finished before the end of the month.

April has come and gone and we are already well into the second quarter of the year; this year seems to be flying by! However, on the malware and related security threats front it has been an interesting month, with another load of malware using social engineering to get the victim to infect their own computer, so that the malware author does not need to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet. These systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 736 samples during April, which have been catalogued as 40 distinct families and variants. In comparison, during March I captured 638 samples which were catalogued as 38 distinct families/variants. As you can see, the captures in April are slightly up on March's total.

During April I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The April statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During April I reported 48 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] is back in pole position after having to settle for the runner-up position during March, when W32.Kasper.A [aka MyWife.D] forced its way to the top of the chart.

W32.Kasper.A has had to settle for the runner-up spot in April. This means that the top two have swapped places in April's chart.

W32/Sality.AD [Frisk] is back in the top ten again having dropped out of the chart in March; it has stormed back in to grab the final podium place, in third.

The Opaserv.worm family, which completely failed to turn up in the chart in February and then stormed back into the chart in March with four representatives, has suffered a loss. In April's chart we have lost one of the Opaserv clan from the top ten; the remaining family members are variants ae, d and ac in fifth, eighth and tenth places respectively.

IRC.Zapchast, which managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart, has suffered a fall, down three places to sixth.

Virus.Win32.Virut.a [which was a new entry in March's chart] has managed to consolidate the fourth place it grabbed when it entered the chart in March.

We have two re-entries in April's chart, these are: W32/Netsky.P, which has been in and out of the top ten for more than two years now, and Zhelatin.cq, which is somewhat more recent, having only appeared at the end of 2006.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] for April still has Mytob.c in seventh place, which it managed to climb to in February; it seems to have set up home there.

Netsky.q has once more fallen off the runner-up spot, this time slipping just one place to third. It is joined by three other family members, these being: Netsky.aa, which has lost its sixth place from March, falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place; and finally Netsky.b has consolidated its hold on ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to fourth.

We have three new entries in April's chart, these are: Email-Worm.Win32.Warezov.ms straight into the chart in second place, Trojan-Spy.HTML.Bankfraud.ri in fifth place and finally Worm.Win32.Feebs.gen just below it in sixth place.

To complete the top ten, we have Scano.gen, which is holding on tight to the final place: tenth spot.

Kaspersky had this to say about April's chart:
"It's getting more and more interesting looking at the statistics on malicious code in mail traffic. Warezov and Zhelatin regularly cause virus outbreaks, hit the headlines, and create a huge amount of work for virus labs around the world, but it's NetSky.t, an old email worm, which grabbed first place this month. In the three years since NetSky.t appeared, its highest ranking ever was fourth place in February 2006. It subsequently disappeared from the rankings, but returned to lurk close to the top of the table. And this month it has taken first place by storm, pushing aside all the new generation worms.

This was probably the result of a new tactic: virus writers are now spamming multiple variants of their latest creation within a very short space of time. Many of these variants make it to the Top Twenty, but sometimes the sheer number of variants prevents them from gaining a high position: NetSky.t, a single variant which spread extremely widely, is proof of this."



In the SOPHOS chart we see a different pattern: Netsky.p has consolidated its grip on pole position during April and we have a re-entry in the runner-up spot, Dref-AF.

Here is some commentary on it from Sophos:
"Sophos has also revealed that while Netsky has held onto the number one spot for email-borne threats, Dref has shot back into the chart at number two, accounting for 24% of all malware spread via email"

Zafi-D, which dropped from February's fourth to sixth place in March, has reversed its slide down the chart, ending up in fifth place in April. Meanwhile Nyxem.D [aka MyWife] has dropped one place in April, down from eighth place to ninth, which was where it was back in February.

Stratio-Zip has managed to claw its way up from seventh to fourth place, after falling out of the chart in February. Mytob-C has dropped back down the chart from second to third place, the position it grabbed back in December 2006.

Mydoom-O, which was a re-entry in November's top ten, drops three places from fourth to seventh place, and November's new entry, W32/Sality.AA, has likewise dropped three places from third to sixth in April's chart.

The last remaining member of the Bagle family, Bagle-qw, also drops three places from fifth to eighth place.

To complete this month's top ten we have a new entry, Troj/Small-EIV, in at tenth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife], which stole Tenga's crown in March, has had to make do with the runner-up spot once more.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to consolidate its hold on the final step on the podium: third place.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times and slipped down to eighth place in April.

Sality is up three places to sixth place, and we have two re-entries, these are: Zhelatin and Netsky, back in the chart in fourth and fifth places respectively.

March's new entries, Virut and Cloner, which came into the chart in fifth and eighth places respectively, have both dropped two places during April, falling to seventh and tenth respectively. New entry Hidrag completes April's top ten, coming in at ninth place.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day [barring power cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of April] here. This clearly shows that April was slightly up on the December 2006 total and slightly down on the first two months of 2007. As shown in the figures for April, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails rather than as attachments.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 253,158 at the end of April. That's a growth of 30,685 new malware strains and/or variants in the first third of 2007. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be just over 92,000. Things have certainly speeded up during April!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in April 2007.





Conclusions:
The current trend of using social engineering, which was widespread in January, February and March, has continued in April, as seen by the vast numbers of fake e-card notifications being trapped.

What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them, and if it doesn't it isn't their fault.

As mentioned elsewhere, it seems that the scammers are upping their game by creating fake sites for key crime-fighting organisations in the UK, such as the Metropolitan Police and the Secret Intelligence Service. I wonder how long it will be before the Interpol or FBI sites have 'bogus' copies created by the scammers?

Links:


Wednesday, 2 May 2007

A Death Phish?

No, I'm not talking about the film based on the book by 'Brian Garfield', which depicts the conversion of 'Paul Kersey' from an average, caring family man and general nice guy into a death-dealing vigilante.

In the film 'Death Wish' released in 1974 [and the many sequels that followed] the lead character 'Paul Kersey' was played by 'Charles Bronson'.

What I'm talking about is almost the opposite: a hired assassin deciding not to just take the money, but to warn the intended victim that they have been 'hired' to 'rub them out', offering them a chance to 'buy back' their life and find out who 'hired' the assassin. This would make a wonderful movie plot!

Why am I mentioning a 'Film' on a blog about malware and related security threats/risks? Well, it is because of a couple of very disturbing e-mails that are currently circulating on the internet and turning up in numerous inboxes. Here are a couple of screenshots of the actual e-mails, which claim that someone has paid an assassin to kill you!

Here's the original version that was seen back in January of this year:



Sophos put out a press release about this, and here is some comment from them about this particular variant:

"This is surely one of the sickest phishes yet seen - the intention of this email is quite clearly to frighten the recipient into coughing up a substantial amount of money or, at the very least, their bank account details," said Graham Cluley, senior technology consultant for Sophos. "Innocent, vulnerable people could be scared into believing that the contents of the email are truthful, while the not-so-innocent are arguably even more likely to be hoodwinked. It may be hugely unnerving to receive such threats, but the only way to stop the distribution of these messages is for users to stop responding."

This particular variant became such a problem in the US that the FBI posted a warning about it on their website.

In the last few days, a new variant has appeared which is being sent to people in Europe; this is what the new variant looks like:



As you can see, the similarities between them are striking.

So, what should you do if you receive one of these e-mails? Simply this: delete it, it is just a scam.

I suspect that this is the latest output from the twisted minds of the 'Boys and Girls from Lagos', also known as the 419, Advance-Fee-Fraud, or Nigerian scammers. So, although I agree with most of the quote from Sophos, I don't agree with 'Graham Cluley' that this is a phishing scam at all; it is really a 'Cyber-Ransom E-mail' or an 'Extortion 419'. Do you have another suggestion for a more suitable name for these? If so, then leave me a comment or drop me an e-mail.

For those of you that are interested in more details on 419 and related scams: I've just had another article on 419s published by Virus Bulletin, and you can find a copy of the article here. Older articles on this subject, along with many others, and all my published papers, can be found here.
