Archive for the ‘Hoaxes’ Category.

April 2006 Malware Review

April has come and gone and spring has arrived. It has been another interesting month on the malware front, although as you will see the number of trapped malware samples is still low.

Like previous months, I will cover some statistics from my own sensors and compare them against figures from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky
  • SOPHOS
  • WormCharmer
  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet. These systems are running on an aDSL link and are personal research projects that have been running for some time: WormCharmer for 3 years, the Malware Bayesian Filter for 2 years.

In total I captured 1657 samples during April, which have been catalogued as 54 distinct families and variants. In comparison during March I captured 1356 samples which were catalogued as 61 distinct families/variants. As you can see the captures in April are only slightly up on March and still below the high of January’s total.

During April I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The low haul in April is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares] which was first noticed in December 2005. Part of the reason for this slow down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During April I reported 157 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during April. Its percentage fell from 73 percent [in March] to 53 percent of the pie.

Netsky.P lost its second place slot from March falling down the chart to seventh place.

The Mytobs regained the ground lost during March when they accounted for just two slots in the top ten. In April they captured five out of ten places.

The share-crawling worms lost their hold they had on March’s table where they took six out of ten places. In April they are down to just three places, halving their presence.

The only other mass-mailing worm that made it into the top ten was W32/Mydoom.o@MM [McAfee].

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below], this month the Zafi family has moved out of the top ten.

In pole position we have Mytob.c, which was also number one for the last two months. Second place is occupied by Netsky.t [same as in March]. Lovegate.w makes a return [in third]. Netsky.q takes fourth place [up from seventh]. Lovegate.ad is a new entry at number five. The rest of the chart is made up of Netsky.b in sixth place [down from fourth] and Mytob variants [y, t, u and q] in seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has grabbed back its number one slot which it lost in March. Zafi.b slips from pole to second. Nyxem.D [aka MyWife] has consolidated its third place from March. Mydoom-AJ is stationary in fourth place [it was a new entry in March]. Another Netsky [D] grabs fifth place. The final places are made up of Mytob variants [FO, C, Z and AS] in sixth, seventh, eighth and tenth respectively, broken up by the presence of a new entry, Delebot.A, in ninth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped from 73 percent of all samples caught in March to just 53 percent in April. Mytob has grabbed back second place from Operserv, which slips down to third. Fourth place is occupied by Mydoom, up from fifth in March. Netsky slips one place to sixth. The rest of the vacant spots are almost all taken by share-crawling worms and bots, these being: Sdbot, Ranky and the related multi-component dropper. The only e-mail based worms which appear in the lower five places of the chart are W32.Reatle and W32.Kapser [aka MyWife.D].

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of April] here. This clearly shows that April was quieter than December 2005, which was the quietest month ever in the case of e-mail borne malware being trapped.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 188,252 [as at the end of April 2006]. That’s a growth of 19,445. Interestingly, just like in March, the growth of new malware slowed in April by almost 50 percent when compared to the first two months of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in April 2006.

Conclusions:
Although malware growth slowed during April, you may have noticed that spam, phishing and 419 scams have been very aggressive during the same period and they show no sign of stopping. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques is becoming a major problem and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

On this subject, I have been asked to present on ‘Rootkits’ at the Virus Bulletin 2006 conference to be held later this year. The paper will be made available for all to read once it has been presented.

Links:

Lost in MySpace

According to the blurb posted on their site:

“MySpace.com is an online community that lets you meet your friends’ friends. Create a private community on MySpace and you can share photos, journals and interests with your growing network of mutual friends!”

Some of the features of MySpace include:

  • Upload Pictures
  • Send Mail and IM’s
  • Write Blogs & Comments
  • Participate in forums and groups

It is all really about social networking.

However, all is not rosy in the MySpace virtual garden.

Firstly, MySpace was targeted by malware back in October 2005:-

Here’s a snippet from a news article that covered it:

“One clever MySpace user looking to expand his buddy list recently figured out how to force others to become his friend, and ended up creating the first self-propagating cross-site scripting (XSS) worm. In less than 24 hours, “Samy” had amassed over 1 million friends on the popular online community.”

Not bad for a bit of JavaScript and XSS [Cross-site-scripting]. At the time of writing the worm had been removed and the holes it used patched. However, there have been other MySpace worms created using Samy’s code as a starting point, some of these were able to spread.

Secondly, some kind soul has been circulating a warning about a virus that is allegedly spread via MySpace.com Instant Messaging, here’s the warning:

“If someone by the name of j_neutron07 wants to add you to their list dont accept it. Its a virus. Tell everyone on your hits because if somebody on your list adds them you will get it too. It is a hard drive killer and a very horrible virus.

PLEASE COPY/PASTE AND REPOST THIS”

However, this is not a real threat, as there is no such malware and as I write there is no way for this so-called virus to spread by just adding someone to your buddy list. Yes, this so-called virus is a HOAX.

And thirdly, it seems that MySpace has also been used to find ‘Rape Suspects‘, and has recently removed 200,000 ‘rude‘ profiles. According to the ‘Register’ the site has also been used by school bullies who post bogus profiles aimed at attacking or humiliating their victims.

As if the above issues are not worrying enough, the recent sexual assaults on ‘young’ MySpace.com members appear to show that the service is being actively used by paedophiles to find victims to groom, meet and abuse.

The above issues once more make it abundantly clear [if you needed reminding] that you should not give out personal details via these types of services as a small minority will take advantage. Kids [and adults too] should remember that on the internet the person you think you are chatting or e-mailing may not be what they seem. You may think that they are a 12 year old girl from London, but it may well be that it is a 45 year old man from the other side of the world, or next door!

To steal the punch line from this cartoon: “On the Internet, nobody knows you’re a dog”.

Be careful out there on the ‘Wicked Wild Web’.

2006 Malware Predictions

One of the things I do each year is to analyse what has occurred in the ‘big-bad-internet’ aka the ‘wicked-wicked-web’. I focus on what the Bad Guys/Girls[TM] have been up to; such as new platforms, techniques and technologies that they have used and abused during the previous year.

I then add all the data I have from the previous 20+ years of malware and related nastiness and try and predict what we may see in the coming year. This doesn’t include any predictions that might give the Bad Guys/Girls[TM] any new ideas that they haven’t already tried or at least discussed.

The last thing I want to happen is for me to give them something new to use; be it a technique, some technology they can abuse, or suggest new platforms they can attack. These ‘potentially dangerous’ predictions will not be published. I do not want to be held responsible for suggesting new ideas.

So let me disclose some of the results from being ‘up-to-the-armpits’ in malware entrails, meditations on 419 and phishing scams and looking at the vast pits of daily SPAM as well as gazing into my virtual crystal ball and interpreting the malware runes.

Without further ado, let us see what 2006 may hold.


The Obvious Ones:

  • Phishing to continue to grow
    More scams using social engineering to dupe users into disclosing private or confidential information or getting them to perform a task, such as running an attachment or deleting system files (user-initiated malware). More phishing scams will use malware such as key-loggers and backdoors to compromise and further exploit a victim’s system. However, we have already seen a move towards more targeted phishing and pharming.
  • Less mass-mailing worms
    We will actually see a fall in this method of distribution and an increase in the other, more stealthy and invisible, methods used by share-crawling worms and bots instead. Unlike others I don’t believe that the mass-mailing worm is quite dead yet; I give it at least another 12 months. Many anti-virus vendors predicted its death at the end of 2004.
  • Increased use of blended threats and multi-stage attacks
    More vectors, more exploits, more fragmented attacks.
  • Increased social-engineering use in malware
    Malware authors are well aware that most often the weakest link in a company’s security is the person behind the keyboard. Until users gain a healthy level of paranoia the problem will continue and may be used more often to defeat a company’s anti-malware defence. 2005 saw numerous examples of social engineering being used to get users to infect their computers, fall for hoaxes, and disclose their personal and financial data to scammers and malware authors.
  • Increased Cyber Blackmail
    In 2006 I expect that this will also include the threat of infecting systems with new worms/viruses and more cyber-hostage malware. 2005 saw a number of cases of malware encrypting data and demanding a ransom. There were a number of high profile DDoS attacks during the second half of 2005 and it seems that organised crime has moved their protection rackets in to the digital world.
  • SPAM will continue to grow
    Despite the recent legislation passed in both the UK/EU and the US and even allowing for the arrests/prosecutions of spammers in 2005, the growth in risk of being caught will be offset by the increasing use of bot nets as spam proxies.


The Less Obvious Ones:

  • Increase in Spyware and Adware as a problem in the corporate space
    Many companies currently don’t realise that they have a problem. This is expected to be one of the major areas of growth in 2006, both from the malware/spyware/adware authors and security solutions to counter the threat. If you don’t believe me just ask the average home user.
  • Mobile malware will continue to grow
    I expect that it will follow the same pattern that we have seen in the past with both DOS and Windows malware; however, I expect that the timeframe will be significantly shorter.
  • Increasing use of rootkit and or stealth/cloaking technology
    Use of this technology can effectively make malware almost invisible to most current anti-virus and anti-spyware tools. I also expect that we will start to see a growth in true polymorphic and stealth Windows malware as malware authors try to hide from anti-malware tools.
  • Bots and botnets will continue to be the tool of choice for cyber-criminals
    What we will see in 2006 is a further move from using IRC for command and control to other methods such as web servers running SSL [encrypted] command and control systems. We may also see encrypted peer-to-peer [P2P] networks created by bot/botnet creators as IRC server owners crack down on misuse of their servers. Furthermore, the increasing use of IPS/IDS to detect botnet IRC traffic will force the bad guys to move to encrypted protocols in an attempt to defeat these technologies.
  • Exploit code auctions to become common-place
    At the end of 2005 there was evidence that so-called zero-day exploit code was being offered for sale by authors. This was effectively an auction. It seems clear that this will become a common occurrence during 2006, as organised criminals look for new ways to gain access to targeted systems.
  • Broadening of Operating Systems and platforms being targeted
    It has become clear over the last few years that malware authors are increasingly looking at operating systems other than Windows. The amount of Linux malware is increasing steadily as they search for effective ways to target it. The same has been happening on the Apple Mac platform. We will see more, and increasingly complex and successful, malware for Linux and Mac operating systems during 2006.

Agree, disagree with these? Have your own predictions? If so that’s what the comments function is for, use it. ;-)

Chain E-Mails, Hoaxes and Urban Legends, Oh My!

I wrote a paper a few years ago on this subject, the paper entitled ‘Hoaxes and Other Electronic Ephemera’. This covered the impact of Hoaxes, Scams, Chain E-Mail, Urban Legends, etc. on companies and suggested ways to help control or eliminate the effects they have on network/e-mail resources and staff productivity. The paper was written for and presented at the Virus Bulletin 2001 International Conference held in Prague, Czech Republic.

I updated the paper for another conference in 2004, this being the first Open University – Combating Vandalism in Cyberspace conference. The paper was entitled: ‘Mind Wars: Attack of the Memes[1]’.

Both papers can be found here: http://momusings.com/papers

If you are interested in memetics[2] then I have included a couple of pictures of books that would be good introductions to the subject, without being too involved, technical or boring.

Why am I informing you of this, now?

Well, two reasons:

  1. I haven’t covered this area in this blog yet, apart from hoaxes.
  2. A number of new hoaxes and chain e-mails have surfaced over the last month or so.


The first one below is the latest ‘Virus Hoax’ and is rather topical as it is using the Olympics.

Please read the attached warning issued today.

PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS:

You should be alert during the next days: Do not open any message with an attached file called “Invitation” regardless of who sent it.

It is a virus that opens an Olympic Torch which “burns” the whole hard disc C of your computer.
This virus will be received from someone who has your e-mail address in his/her contact list, that is why you should send this e-mail to all your contacts.
It is better to receive this message 25 times than to receive the virus and open it.

If you receive a mail called “invitation”, though sent by a friend, do not open it and shut down your computer immediately.

This is the worst virus announced by CNN, it has been classified by Microsoft as the most destructive virus ever.

This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of virus.

This virus simply destroys the Zero Sector of the Hard Disc, where the vital information is kept.

SEND THIS E-MAIL TO EVERYONE YOU KNOW, COPY THIS E-MAIL AND SEND IT TO YOUR FRIENDS AND REMEMBER: IF YOU SEND IT TO THEM, YOU WILL BENEFIT ALL OF US.

The next one is a typical chain e-mail which has been circulating for many years in one form or another:

THIS TOOK TWO PAGES OF THE TUESDAY USA TODAY – IT IS FOR REAL

Subject: PLEEEEEEASE READ!!!! it was on the news!

!!!! It was on the news! Kathy South Alcoa – EHS Maintenance Coordinator Phone: 765/771 – 3547 Pager : 765/420 – 6575

To all of my friends, I do not usually forward messages, But this is from my good friend Pearlas Sandborn and she really is an attorney.

If she says that this will work – It will work. After all, What have you got to lose?
SORRY EVERYBODY.. JUST HAD TO TAKE THE CHANCE!!! I’m an attorney, And I know the law.
This thing is for real. Rest assured AOL and Intel will follow through with their promises for fear of facing a multimillion-dollar class action suit similar to the one filed by PepsiCo against General Electric not too long ago.

Dear Friends; Please do not take this for a junk letter. Bill Gates sharing his fortune. If you ignore this, You will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test.

When you forward this e-mail to friends, Microsoft can and will track it ( If you are a Microsoft Windows user) For a two weeks time period.

For every person that you forward this e-mail to, Microsoft will pay you $245.00 For every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, You will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a check.

Regards. Charles S Bailey General Manager Field Operations
1-800-842-2332 Ext. 1085 or 904-1085 or RNX
292-1085 Charles_Bailey@csx.com Charles_bailey@csx.com

I thought this was a scam myself, But two weeks after receiving this e-mail and forwarding it on.
Microsoft contacted me for my address and within days, I receive a check for $24,800.00.
You need to respond before the beta testing is over. If anyone can afford this, Bill gates is the man.

It’s all marketing expense to him. Please forward this to as many people as possible.
You are bound to get at least $10,000.00. We’re not going to help them out with their e-mail beta test without getting a little something for our time. My brother’s girlfriend got in on this a few months ago. When I went to visit him for the Baylor/UT game. She showed me her check. It was for the sum of $4,324.44 and was stamped “Paid in full”

Like I said before, I know the law, and this is for real.

Just to make sure you all get the point of this posting, I suggest you watch this: http://www.softlab.ece.ntua.gr/~sivann/pub/swf/may02-smilepop-soapbox4.swf

Don’t worry, it is fun and educational too.

But ‘pleeeeease‘ do NOT follow the advice at the end, just in case any of you were tempted to ;-)

[1] Memes (pronounced ‘Meems’ for plural, ‘Meem’ for singular) are contagious ideas, all competing for a share of our mind in a kind of Darwinian selection. As memes evolve, they become better and better at distracting and diverting us from whatever we’d really like to be doing with our lives. They are a kind of Drug or Virus of the Mind.
[2] Memetics is the study of Memes.

Call 112 – London Tube Hoax

Seems that the hoaxers are out in force since the dreadful attacks on the 7th July, and the subsequent ‘failed’ attacks on the 21st July in London.

Here’s another one that they have started in the last few days:

Important Number you should note
25/Jul/05 09:24


If you travel to work on the tube please note the following information:
If your mobile phone has no signal (so even if you were in a tunnel) if you dial 112 it diverts to a satellite signal and puts you through to the 999 call centre.

ALL phone companies have signed up and as it is a satellite service it also gives them a trace to you if you don’t know where you are.

Why is this a hoax?

  1. 112 is the emergency number for mainland Europe, not the UK.
  2. Current non-satellite phones can’t use satellite technology.
  3. Even if you have a satellite phone, you can’t use it underground as it requires ‘line-of-sight’ to work.
  4. If you have no signal, you can’t make a call on the phone.

Spokespersons from both Orange and Vodafone state that “if you do not have a signal on your mobile, wherever you are, you simply cannot make a call.”

Comments from a London Transport spokesperson on this hoax:

This e-mail is incorrect. The 112 number does link people through to 999, but it only works if you have a signal on your mobile phone. If you have no signal bars on your phone, it will not work. It will not divert to a satellite signal.

They went on to state:

Even with a satellite mobile phone (which very few people have), you would need to have a clear line-of-sight to the satellite. You would have to be outside, not in a building or a tube tunnel.

Links:
BBC Article
Transport for London Statement
Urbanlegends page on this hoax

ICE – Virus Hoax E-mail

I recently blogged about an interesting idea from Bob Brotchie of the East Anglian Ambulance Trust in the UK. I mentioned that I thought it was a ‘good’ idea although it had a few shortcomings.

Well, as usual the hoaxers couldn’t resist and had to spoil the party by creating and distributing an e-mail that claimed that a ‘virus’ had been written to take advantage of the ICE entries in your phone.

Here are the two current versions of the ICE hoax e-mails:


The original:

Be very careful with this one [ICE]. Although the intention is great, it is unfortunately Phase One of a phone based virus that is laying a path for propagating very quickly. Passing it on is part of the virus. Interestingly, such is the deviousness of the people who write these things.
We have already seen the ‘Second Phase’ where a program is sent as part of a ringtone download that goes into your addressbook and looks for something it recognises. You’ve guessed it, an address book entry marked “ICE or I.C.E.” or whatever. It then sends itself to the ‘ICE list’, charging you for the privilege.

The other variant:

Latest Mobile Phone Scam I have just received information that there is a new mobile phone scam concerning Pay as You Go (PAYG) Mobiles.
The scam is that you are asked to set up an “In Case of Emergency (ICE) Account” on your PAYG mobile.
Apparently this is a modular system that searches for the word ICE text and then changes your phones setting and takes any PAYG credit left on your phone.
Please ensure that this information is circulated to all staff and please pass on to family and friends

East Anglian Ambulance Service have confirmed that rumours of ‘ICE’ being a virus are a hoax. There currently is no such virus.

F-Secure had this to say about the hoax’s claims about ICE: “However, now some brain-dead pranksters have started a chain-letter email warning against such practice, because a mobile phone virus might exploit it. This is nonsense. No viruses to exploit the “ICE” number exist or are likely to exist. There are viruses already that go through the full phone book and attack every number.”

A quick search of my blog entries will turn up a number of posts on malware that can [and does] infect smart phones but none are ICE specific.

Links:
Information about the ‘real’ ICE campaign can be found at www.icecontact.com
Original press release about ICE – http://www.eastanglianambulance.com/content/news/newsdetail.asp?newsID=646104183

London Bombing Alert – HOAX

Some people just have far too much time on their hands and the morals and sensitivity of an amoeba.

Seems like a new London Bombing Alert e-mail is filling up inboxes around the World, claiming that the Metropolitan Police have warned of an imminent attack on the underground system.

Here’s the text from the e-mail that will probably appear in an e-mail inbox near you soon!

FW: IMPORTANT INFO REGARDING LONDON UNDERGROUND – STATEMENT BEING ISSUED FROM MET

The Metropolitan Police will be strongly advising everyone that they will be putting officers on tube stations 24/7 for the next week as they highly expect another attack within this time.

The police force have been in meetings all morning and will be publicly confirming this later on this evening. They will be advising the public to avoid the tube at all costs for the time being.

This news will filter through to the media in the next few hours and if it is not in the Evening Standard it will be on the 24 hour news channels.

Please take care on your journeys home, please pass this on to as many people as you know who use the Underground.

Piccadilly Circus & Leicester Square were closed for 3 hours earlier today and the bomb squad carried out a minor controlled explosion around the station area – this is going on all over Central London.

PLEASE BE CAREFUL TRAVELLING

As with all e-mail hoaxes it doesn’t have a timeframe for when this attack is supposed to happen; this is so that it can be spread for months, if not years, without having to be re-written by the scum that created it. All they want is for people to fall for it so that they can laugh at how naive and stupid they are for believing it.

By all means be alert and take care, but don’t fall for this sort of hoax; only accept such data from a trusted, reliable and accurate source.
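The hoaxes quoted across these posts share a handful of tell-tale traits: an order to forward the mail to everyone you know, name-dropping of authorities (CNN, Microsoft, McAfee, the police), claims of total hard-disk destruction with “no repair”, shouting in capitals, and, as noted just above, no concrete date or checkable reference. The following is an added example of a small heuristic scorer that looks for those traits; it is not the blog author’s Bayesian filter or any other tool mentioned on this page. The rule weights, the shouting ratio and the hoax threshold are assumptions picked for illustration, and both sample messages are constructed (the first is a paraphrase of the “Olympic Torch” style hoax, the second a plausible vendor advisory).

```python
"""Heuristic scorer for chain-letter and virus-hoax traits.

Added example, not the blog author's tooling. Weights, thresholds and the
two sample messages below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# (rule name, pattern, weight). Weights are assumptions, not tuned values.
HOAX_RULES = [
    ("forward_exhortation",
     re.compile(r"\b(forward|send|pass|copy)\b[^.!\n]{0,40}"
                r"\b(everyone|all|friends|contacts|as many)\b", re.I), 3),
    ("authority_namedrop",
     re.compile(r"\b(cnn|microsoft|mcafee|aol|intel|bbc|police|fbi)\b", re.I), 1),
    ("superlative_threat",
     re.compile(r"\b(worst|most (destructive|dangerous)|deadly|horrible)\b", re.I), 2),
    ("disk_destruction",
     re.compile(r"\b(hard (disk|disc|drive)|zero sector|boot sector)\b", re.I), 2),
    ("no_repair_claim",
     re.compile(r"\bno (repair|fix|cure|patch)\b", re.I), 1),
]

# Things a genuine advisory usually carries and a hoax usually lacks.
DATE_RE = re.compile(
    r"\b(\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2}|"
    r"(january|february|march|april|may|june|july|august|september|"
    r"october|november|december)\s+\d{1,2},?\s+\d{4})\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

SHOUT_RATIO = 0.25   # share of upper-case letters that counts as shouting (assumption)
HOAX_THRESHOLD = 6   # score at or above which we call it a likely hoax (assumption)


@dataclass
class HoaxReport:
    score: int
    hits: list = field(default_factory=list)
    verdict: str = ""


def score_message(text: str) -> HoaxReport:
    """Score one e-mail body and return the matched rule names and a verdict."""
    report = HoaxReport(score=0)
    for name, pattern, weight in HOAX_RULES:
        if pattern.search(text):
            report.hits.append(name)
            report.score += weight
    # Shouting: fraction of alphabetic characters that are upper case.
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > SHOUT_RATIO:
        report.hits.append("shouting")
        report.score += 2
    # No timeframe: the mail can circulate for years without being rewritten.
    if not DATE_RE.search(text):
        report.hits.append("no_timeframe")
        report.score += 2
    # No reference: nothing the reader could check against a trusted source.
    if not URL_RE.search(text):
        report.hits.append("no_reference")
        report.score += 1
    if report.score >= HOAX_THRESHOLD:
        report.verdict = "likely hoax"
    elif report.score >= 3:
        report.verdict = "suspicious"
    else:
        report.verdict = "no hoax markers"
    return report


# Constructed sample inputs (not real mail).
HOAX_SAMPLE = """PLEASE FORWARD THIS WARNING TO ALL YOUR CONTACTS.
DO NOT OPEN any message with an attachment called "Invitation".
It is the most destructive virus ever, announced by CNN and confirmed by McAfee.
It burns the whole hard disk and there is no repair yet.
SEND THIS TO EVERYONE YOU KNOW."""

ADVISORY_SAMPLE = """Security advisory, 2006-04-12.
A new mass-mailing worm variant has been observed in the wild.
Customers should update signatures from the vendor site:
https://example.com/advisories/2006-04-12
Details and affected platforms are listed at the link above."""


if __name__ == "__main__":
    for label, body in (("hoax", HOAX_SAMPLE), ("advisory", ADVISORY_SAMPLE)):
        r = score_message(body)
        print(f"{label}: score={r.score} verdict={r.verdict} hits={r.hits}")
```

Run as-is it scores the constructed hoax at 14 (“likely hoax”, every rule firing) and the constructed advisory at 0. The scorer is deliberately crude: it is a triage aid for a mail gateway or help desk, and the absence of a date or a link is only one signal among several, since a hoax can always be rewritten to include a fake one.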

Links:
http://www.snopes.com/rumors/tube.asp [Snopes De-bunk of this Hoax]
http://www.met.police.uk/news/terrorist_attacks/ [Metropolitan Police Page]