MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Wednesday, 20 June 2007

May 2007 Malware Review

The 'Darling Buds of May' have now finished blossoming and we are almost halfway through 2007, now that 'Flaming June' is upon us.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 800 samples during May, which have been catalogued as 35 distinct families and variants. In comparison during April I captured 736 samples which were catalogued as 40 distinct families/variants. As you can see the captures in May are very slightly up from April's total.

During May I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The May statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During May I reported 70 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has consolidated the pole position it took back last month after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart. In contrast to Tenga, W32.Kasper.A has completely fallen out of the top ten in May along with W32.Sality.AD which grabbed the final podium place, in third.

So, because of that we have two members of the Opaserv.worm family [ae which is up 3 places and d which is a re-entry] in second and third places respectively.

There are five other members of the Opaserv.worm family in May's chart, up from just three representatives in April's chart. These are variants ah, ai, I, ac and k in fifth, sixth, seventh, eighth and ninth places respectively. Quite a turn-around in fortunes for this family!

Other casualties in May's chart include: IRC.Zapchast, Virus.Win32.Virut.a, W32/Netsky.P and Zhelatin.cq.

The last two places are claimed by Trojan-Downloader.Win32.Agent.bjo which is a new entry, straight in at fourth place, and W32.Dupator which is a re-entry back in the chart in tenth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for May still has Mytob.c in seventh place which it managed to climb to in February; it seems to have set up home there.

Netsky.q has regained the runner-up spot it held in March and lost in April. It is joined by three other family members, these being: Netsky.aa, which regained the sixth place it claimed in March after falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place in May; and finally Netsky.b has slipped one place from ninth to tenth.

Bagle.gt has reversed its slow journey down the chart, climbing back up the chart one place from fourth to third. Worm.Win32.Feebs.gen has also climbed up one place from sixth to fifth place.

We have two new entries in May's chart, these are: Email-Worm.Win32.Sober.aa straight in the chart in fourth place and Trojan-Downloader.Win32.Agent.bqs four places below it in eighth place.

To complete the top ten, we have Scano.gen which has managed to climb one place from tenth to ninth place.

Kaspersky had this to say about May's chart:
"A first look at the top of the table for May might give the impression that we've slipped back in time to the end of 2005. You can rub your eyes as hard as you want but it won't change anything - Netsky, Bagle and Sober are topping the rankings again, just as they were a few years ago. "



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has finally lost its grip on pole position during May and we have a new pole sitter, this being Sober, which is a re-entry into the top ten.

Here is some commentary on it from Sophos:
"In May, Sober was the most prevalent email-borne attack, toppling Netsky from its top position and accounting for almost one third of all threats. Sober's dominance in the chart is primarily due to a huge outbreak on May 1st that coincided with May Day across Europe. During this 24-hour period, Sober accounted for nearly 70 percent of all infected email identified by Sophos."

Zafi-D which dropped from February's fourth to sixth place in March and which reversed its slide down the chart, ending up in fifth place in April is on the slide again, slipping down one place to sixth in May.
Meanwhile Nyxem.D [aka MyWife] has dropped another place in May; down from ninth to tenth place.

Stratio-Zip has consolidated its grip on fourth place, after falling out of the chart in February, and Mytob has likewise remained static in third place, which it grabbed back in December 2006.

Mydoom which was a re-entry in November's chart has recovered some ground after falling to seventh place in April; it is now up two places to fifth. November's new entry, Sality has lost one more place in May, down from sixth to joint seventh place in May's chart.

We have just one new entry in May's chart, this being Mal/Behav sharing seventh place with Sality.

To complete this month's top ten Bagle drops a single place from eighth to ninth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife] which stole Tenga's crown in March has completely disappeared from the chart in May.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to climb one place from the final step on the podium up to the runner-up spot; second.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times: after slipping down to eighth place in April it has lost more ground and slides down one more place to ninth. Netsky is static in fifth place.

We have two re-entries in May, these are: Email-Worm.Win32.Warezov and W32.Dupator in fourth and sixth places respectively.

One of March's new entries, Virut has consolidated its hold on seventh place in May's chart. Talking of new entries, we have three in the top ten for May, these are: Trojan-Downloader.Win32.Agent, Trojan-Spy.Win32.Banker and Trojan.BAT.Runner.b coming into the top ten in third, eighth and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.



Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of May] here. This clearly shows that May was the quietest month since I started keeping these statistics. As shown in the figures for May, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 265,284 at the end of May. That's a growth of 42,811 new malware strains and/or variants in the first five months of 2007, in May the number jumped by 12,126. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 102,700.

Things have certainly speeded up during April and May!
What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January - April has continued in May, as seen by continuing high numbers of fake e-cards notifications being trapped.

We have seen an unexpected recovery in the level of spam in May; this may have dented the figures for both 419s and Malware arriving via e-mail, only time will tell.

The phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Links:


Tuesday, 19 June 2007

Father's Day Surprise!

Father's Day [in the UK] fell on Sunday the 17th of June and along with the usual cards and presents from my wife and son I received an e-card, which I wasn't expecting.

Here is a screenshot of the e-mail I received:



The link, as you might expect, actually goes to a different site than 'AmericanGreetings.com'; in fact at the time I received it, it went to 'americangreetingsc.net' and a second one I received a few minutes later went to 'americangreetingsc.org'. Did you notice the appended 'c'?
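The appended 'c' is the kind of lookalike a mail filter can catch mechanically. The following is an added example (not the blog's own tooling) that pulls the hrefs out of a mail body, reduces each host to its registered domain and flags any that sit within a small edit distance of a known brand without being that brand; the sample mail, the brand list and the distance threshold are all constructed assumptions for illustration.

```python
"""Flag lookalike e-card links such as americangreetingsc.net.

Added example, not the blog's own code. KNOWN_BRANDS, the threshold and
SAMPLE_MAIL are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Brands that a legitimate e-card notification is expected to link to (assumed).
KNOWN_BRANDS = {"americangreetings.com"}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def registered_domain(url: str) -> str:
    """Return the last two labels of the URL host.

    Simplification: ignores multi-label public suffixes such as co.uk."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, max_distance: int = 2):
    """Return (verdict, brand): 'legitimate', 'lookalike' or 'unknown'."""
    dom = registered_domain(url)
    if dom in KNOWN_BRANDS:
        return "legitimate", dom
    name = dom.rsplit(".", 1)[0]
    for brand in KNOWN_BRANDS:
        # 'americangreetingsc' is one insertion away from 'americangreetings'
        if edit_distance(name, brand.rsplit(".", 1)[0]) <= max_distance:
            return "lookalike", brand
    return "unknown", ""


def scan_mail(html: str):
    """Classify every href found in the mail body."""
    return [(u, *classify_link(u)) for u in HREF_RE.findall(html)]


# Constructed sample resembling the fake e-card mail (not the actual message).
SAMPLE_MAIL = (
    "<p>You have received a Father's Day e-card from AmericanGreetings.com</p>"
    '<a href="http://americangreetingsc.net/ecard/view">View your card</a>'
    '<a href="http://www.americangreetings.com/help">Help</a>'
)

if __name__ == "__main__":
    for url, verdict, brand in scan_mail(SAMPLE_MAIL):
        print(f"{verdict:10s} {url}  (brand: {brand or '-'})")
```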

Here's a screenshot of the website, asking you to download 'Flash Player', which is actually malware:



Interestingly, if you go to the site afterwards, you see a real Father's Day e-card from AmericanGreetings.com. I suspect that they are using a cookie or other tracking method to work out if you have already been to the site before, and change the page behaviour to suit. Very sneaky, although not a new trick as I reported on the same trick back in February!

Here's a screenshot of the website, showing what you will see when you reload the page or return to the site again:



The 'fake' Flash Player is now detected by most AV vendors. List below, correct at time of posting:

Scan report of: install_flash_player.exe
@Proventia-VPS -
AntiVir TR/Dldr.Small.eog.4
Avast! Win32:Small-FED [Trj]
AVG -
BitDefender Trojan.Downloader.Agent.YCL
ClamAV Trojan.Downloader-9530
Command -
Dr Web Trojan.DownLoader.22389
eSafe Win32.Small.eog
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Small.eog
F-Prot -
F-Secure Trojan-Downloader.Win32.Small.eog
F-Secure (BETA) Trojan-Downloader.Win32.Small.eog
Fortinet W32/Small.IAU!tr
Fortinet (BETA) W32/Small.IAU!tr
Ikarus Trojan-Downloader.Agent.YCL
Kaspersky Trojan-Downloader.Win32.Small.eog
McAfee Generic Downloader.k trojan
McAfee (BETA) Generic Downloader.k trojan
Microsoft -
Nod32 -
Norman W32/DLoader.CXCE
Panda Trj/Downloader.OUX
Panda (BETA) Trj/Downloader.OUX
QuickHeal TrojanDownloader.Small.eog
Rising Trojan.DL.Win32.Mnless.e
Sophos Troj/DwnLdr-GVP
Symantec Downloader
Symantec (BETA) Downloader
Trend Micro TROJ_SMALL.IAU
Trend Micro (BETA) TROJ_SMALL.IAU
VBA32 Trojan.DownLoader.22389
VirusBuster -
WebWasher Trojan.Dldr.Small.eog.4
YY_A-Squared -
YY_Spybot -

I will be writing about the current glut of fake e-cards again later this week as the 'Bad Guys and Girls' seem to be using this as their preferred social engineering technique at the moment, sometimes with hilarious or very messy results...


Friday, 8 June 2007

Can you spot the difference?

Here's a little test for you all, can you spot the difference between these screenshots of e-mails I've recently received?







Found any/many?

Well, truth be told these screenshots are adverts trying to recruit mules to launder stolen money, etc. All three claim to be separate companies, these are: TriVision Global, Barden Systems and finally Batterman Group. Isn't it also amazing that all three of these companies can't afford their own mail systems, web servers or domains and are forced to use 'googlemail' instead? ;-)

It seems that the mule recruiters are very busy at the moment looking for new idiots^H^H^H^H^H^H, er I mean naive or desperate individuals to turn into mules.

Currently I'm getting around 20 mule recruiting e-mails like these each and every day. These ones and the ones I've already blogged about are by far the most professional looking, in these cases created by professional criminals.

If you see an interesting one then please feel free to send me a copy, or even if you are not sure about something you've been sent, including chain e-mails, hoaxes, urban legends and so on.


Tuesday, 5 June 2007

Marks & Spencer Vouchers Hoax

Oh dear, someone obviously has a grudge against either Marks and Spencer or Persimmon Homes, or both, as some nice person has created a new 'forward e-mail for money/prizes' hoax.

Here's the version that is currently clogging up inboxes and mail systems all over the UK.

Fw: Free M&S vouchers
Marks & Spencer's, in conjunction with Persimmon Homes, are giving away free vouchers. Marks & Spencer's are trying word-of-mouth advertising to introduce its products and the reward you receive for advertising for them is free non-refundable vouchers to be used in any M&S store.

To receive your free vouchers by e-mail all you have to do is to send this email out to 8 people (for £100 of free vouchers) or 20 people (for £500 of free vouchers).

Within 2 weeks you will receive an e-mail with your vouchers attached. They will contact you through your e-mail address.

Please mark a copy to:[email address removed]

How do I know this is a hoax? Well, for one I have spoken to Persimmon Homes and they are aware of the hoax, their e-mail systems are in meltdown because of it, and they will be putting a warning about this hoax on their website later today.

Secondly, it seems that the person behind it has simply taken an existing hoax aimed at Sony Ericsson, which is based on an even older hoax which targeted Nokia.

Just to sum up; this e-mail is both a hoax and a chain e-mail. You will not get any vouchers but you will annoy lots of people if you insist on sending this to 8-20 people, so just say NO and don't forward it.

If you want to see more of these sorts of debunks of scams, hoaxes, urban legends, etc. then take a look at my site dedicated to these things: cluestick.info.

UPDATE:

Persimmon have now added a note to one of their webpages about this, screenshot below:



Quite why they tucked it away there instead of on one of the front pages of their sites; it seems they don't want to help themselves?

It appears that anyone now sending an e-mail to the address in the hoax will get an auto-response stating:
A hoax e-mail is being circulated offering a promotion of free Marks and Spencer vouchers for forwarding the e-mail to colleagues and friends.

Neither Marks and Spencer or Persimmon Homes have made any such promotional offer.

Please delete the hoax e-mail and notify the people to whom you have sent it that it is a hoax.

'Nuff said!


Monday, 4 June 2007

Virus Bulletin 2007 Abstract Selected

Virus Bulletin have just informed me that my abstract entitled: 'The Journey So Far: Trends, Graphs and Statistics.' has been selected for the Virus Bulletin 2007 international conference to be held from the 19th to the 21st September 2007 at the Vienna Hilton, Vienna, Austria.

The abstract for the paper appears below:
Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscape of types of malware used and the now often confused classification situation.

I haven't blogged about this until now as I wanted to make sure I had approval for not only writing the paper, but also attending the conference and getting approval for the travel, hotel and other expenses. Also, VB contacted me rather late as they have asked me to be a reserve speaker. Last time I was a reserve speaker for them was back in 2003, in New Orleans, and I ended up presenting anyway due to a hurricane causing chaos. Hopefully, we won't see a hurricane, or any other disaster in Vienna?

All I have to do now is carry out all the required research and write the paper, piece of cake, NOT!

This will be the tenth time I've written a paper for the Virus Bulletin International Conference. I've also written a number of articles for the Virus Bulletin periodical as well, including a book review which is published in this month's edition [June 2007].

The value to me personally in attending this conference is the knowledge I gain each and every time I attend; that in itself is priceless. It is also a chance to finally meet some of the people I converse with via e-mail, and catch up with like-minded people I've met before, some of whom I would now consider to be friends.

If you have never been to a Virus Bulletin conference and you work in the information security field, then it is about time you did, you won't regret it!

The full paper will be made available after the conference. I'll post an announcement here shortly after the conference has finished.
