Well, at least August was drier than both June and July; towards the end of the month it seemed that summer had at last returned, for a few days at least. Just as well, as otherwise our summer, in the UK, occurred during April this year.
As usual on the malware-related security threats front it has been an interesting month, with yet more malware using social engineering to get the victim to infect their own computer, without the malware author needing to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again; more on that later.
Like previous months, I will cover some statistics from my own sensors and compare those against the figures from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.
I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie charts; these are:
The last two are my own projects and all data is from the Internet; these systems run on an ADSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.
In total I captured 566 samples during August, which have been catalogued as just 20 distinct families and variants. In comparison, during July I captured 499 samples, which were catalogued as 25 distinct families/variants. As you can see, the captures in August are slightly up on July's total.
During August I captured and submitted just one brand-new malware strain/variant [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention, such as my VB2007 paper.
Even though August's statistics were up on July's, I still feel that the general trend is downwards. It appears that social-engineering is still the technique of choice this year.
During August I reported 77 new phishing sites, which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar that I blogged about some time ago.
The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April. It now accounts for almost 82 percent of the samples captured in August.
There are seven [up from six] members of the Opaserv.worm family in August's chart. These are variants AE, AI, D, AJ [a new entry], AC, AD and AH [also a new entry], in second, third, fourth, fifth, sixth, eighth and tenth places respectively.
The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In August's chart we still have only one survivor [down from three in June]; this is Q [aka P], down seven places from the runner-up spot in July to ninth.
The final slot is taken by a re-entry in seventh place: our old friend Dupator.
If you compare the above to the data from Kaspersky and from SOPHOS you may see some marked differences. Why? Simply because my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.
As you can see in the top 10 from Kaspersky [below] for August, Mytob.c has finally managed to climb the chart from seventh to fourth place. We also have another member of the Mytob family in August's top 10, this being Mytob.t, in at ninth place.
Netsky.q [aka P] has also climbed back up the chart from second place to the pole position it grabbed back in June. It is joined by three [up from two in July] other family members: Netsky.t, which has slipped three places from fourth to seventh; Netsky.aa, which has reversed direction, climbing once more from sixth to third place; and Netsky.b, which grabs tenth place.
Bagle.gt has reversed its slow journey down the chart, climbing back up one place from third to second.
Worm.Win32.Feebs.gen is static in August's chart, in fifth place.
The final free places in August's chart are taken by IMG-WMF.y, moving up two places from tenth to eighth, and Mydoom.l, up from eighth to sixth place.
Kaspersky had this to say about August's chart:
"August once again turned out to be "dead season" for virus epidemics in 2007. Since August 2003, when the Lovesan worm caused the biggest epidemic in history, the final month of summer has typically been the quietest and most uneventful, as it is a period when both virus writers and antivirus professionals often go on holiday.
Even the waves of mass-mailings sent out by the Warezov and Zhelatin worms were missing in action in August. Warezov.pk, the leader in July, disappeared suddenly from our virus radar screens. However, it's worth remembering that the launching pad for Warezov.pk was created back in May by Trojan-Downloader.Win32.Agent.bcs. August's Top Twenty features a new program used to create botnets and the conditions for new epidemics: Trojan-Downloader.Win32.Agent.brk. It looks as though a significant new outbreak of email threats will strike in September."
Please note: SOPHOS are now effectively only using family names for their top ten malware, and because of this I will now use the same method for analysing their data.
In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.
Mytob has slipped one place from the runner-up spot to third. The runner-up spot has been taken by Zafi, which climbs from the third place it held in July.
Mydoom, which was a re-entry in November's chart, has once more lost ground, falling back down to fifth from fourth.
According to SOPHOS, Sality is a new entry in August, in at ninth place, although according to my records it was in sixth place in July's chart. Most odd! Other new entries include Troj/Pushdo, straight into the chart in fourth place, and Mal/Dropper, straight in at seventh place.
Bagle also slipped down the chart during August, from sixth to eighth place.
There is one re-entry in August, this being Troj/Dloadr back into the chart in fifth place.
To complete the chart we have Mydoom in sixth, down one place from fifth, and TraxG down three places from seventh to tenth.
Here is some commentary on August from Sophos:
"The figures, compiled by Sophos's global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.
Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies, and pop music videos. People visiting the sites are running the risk of having their PCs infected by malicious code which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.
This month the table is headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot; second, yet again.
The final step of the podium, third place, is occupied by Dupator, which is up two places from fifth place in July.
Netsky has slipped from third to fourth place in August's chart.
We have one new entry in the chart in August; this is none other than IRCBot, straight in at fifth place.
As with the new entries, we have just one re-entry to the chart in August, this being Lorez, back into the chart in seventh.
The rest of the chart is made up of the following malware: Funlove, up four places from tenth to sixth.
The more astute of you may have noticed that the top ten for August contains only seven entries. This is because there are only seven families present in the captures for August.

If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes, 24 hours a day.
Please feel free to ask questions if you need any clarification on the data, the setup or whatever.
Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of August] here. This clearly shows that August was busier than July. As shown in the figures for August, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail attachments. Instead we will continue to see more malware being seeded via links in e-mails, such as fake e-cards. The reason for the jumps during July and August is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they carry no attachments. I did this because these e-mails contain links to malware files hosted on web servers, and the web pages they link to also contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected. This change in classification makes the figures look like the largest since October 2005.
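To make the reclassification concrete, here is an added example (not the author's filter) that runs a simple link-lure rule over a handful of constructed e-card style messages and shows how counting link-only lures as malware changes the monthly percentage; the messages, hosts and months are all made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample messages: (month, has_malware_attachment, body).
# None of these are real captures; hosts are documentation-range IPs.
SAMPLES = [
    ("2007-06", True,  "See attached document."),
    ("2007-06", False, "Monthly newsletter: https://example.org/news"),
    ("2007-07", False, "You have received a greeting card! View it at http://192.0.2.10/ecard.exe"),
    ("2007-07", False, "Hi, lunch tomorrow?"),
    ("2007-08", False, "Someone sent you an e-card: http://198.51.100.7/"),
    ("2007-08", True,  "Invoice attached."),
    ("2007-08", False, "Your postcard is waiting: http://192.0.2.22/postcard.exe"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ECARD_WORDS = ("e-card", "ecard", "greeting card", "postcard")
EXEC_SUFFIXES = (".exe", ".scr", ".pif")

def is_link_lure(body):
    """True when a message with no attachment links to a likely malware
    download: a URL whose path names an executable, or a bare-IP host
    combined with e-card style wording (the Storm Worm lure pattern)."""
    urls = URL_RE.findall(body)
    if not urls:
        return False
    lure_words = any(w in body.lower() for w in ECARD_WORDS)
    for u in urls:
        parsed = urlparse(u)
        host = parsed.hostname or ""
        ip_host = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
        if parsed.path.lower().endswith(EXEC_SUFFIXES) or (ip_host and lure_words):
            return True
    return False

def malware_rate_by_month(samples, count_link_lures):
    """Percentage of messages classified as malware per month. Attachment
    carriers always count; link-only lures count only when enabled, which
    reproduces the 'before/after reclassification' jump described above."""
    total, hits = defaultdict(int), defaultdict(int)
    for month, has_attachment, body in samples:
        total[month] += 1
        if has_attachment or (count_link_lures and is_link_lure(body)):
            hits[month] += 1
    return {m: round(100.0 * hits[m] / total[m], 1) for m in sorted(total)}

if __name__ == "__main__":
    print("attachments only:", malware_rate_by_month(SAMPLES, False))
    print("with link lures: ", malware_rate_by_month(SAMPLES, True))
```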

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.
If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 316,723 at the end of August. That's a growth of 94,250 new malware strains and/or variants so far in 2007; in August alone the number jumped by over 12,000. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be just over 125,600. Things have certainly speeded up during the second and third quarters of 2007!
What's New? Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.
Conclusions: The current trend of using social-engineering which has been widespread in January - July has continued during August, if anything it has accelerated. Otherwise, on the malware front, as confirmed by Kaspersky it was a rather 'dead' month with regard to major outbreaks.
We have surprisingly seen a slight drop in the level of spam during August and a move by the spammers towards using other file formats to try and bypass anti-spam defences.
The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during August. This is clearly shown in the massive jump in the percentage of phishing scams I've seen during August.
Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive as an e-mail attachment. Now they just get you to download the malware and infect your own computer. This works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.
All in all, it looks like we could be in for a very interesting, and busy, rest of the year!
Links: