
September 2007 Malware Review

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware-related security threats front it has been an interesting month, with yet more malware using social engineering to get the victim to infect their own computer, without the malware author needing to code routines to automate infection. We’ve also seen lots of activity from scammers and cyber-criminals again; more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie charts; these are:

The last two are my own projects and all data is from the Internet. These systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August’s total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September’s statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.

During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September’s chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from Kaspersky’s top 10 for September [below], Mytob.c has once more started to slide back down the chart, from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on the pole position it managed to grab back in June. It is joined by three [the same as in August] other family members: Netsky.t, which has slipped down one place from seventh to eighth; Netsky.aa, which continues its upward climb, up from third to the runner-up spot, second place; and finally Netsky.b, which is static in tenth place.

Bagle.gt has once more restarted its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September’s chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September’s chart:

“Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn’t extend the botnet that it builds, and as a result, there’s not a single Warezov variant in September’s Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world – indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere.”

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo which climbs up from the fourth place it held in August. Last month’s runner-up spot sitter, W32/Zafi has fallen down to fourth place.

Mydoom which was a re-entry in November’s chart has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September’s chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:

“The figures, compiled by Sophos’s global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and “Holly Berry” [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails.”

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot, second, yet again, and the final step of the podium, third place, is occupied by Dupator, which is where it was in August’s chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs, back in the chart in fourth, sixth, seventh, eighth and ninth place respectively. Sixth place is occupied once more by W32.Funlove.

The final place in September’s chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September, once more contains ten entries rather than the seven we had in August.

If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 – 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the ‘Storm Worm’ gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.
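As an added illustration of the kind of filter adjustment described above (this is example code written for this page, not the author’s own WormCharmer or Bayesian filter; the message layout, the feature names such as `__url_ip__` and `__url_exe__`, and the sample mail are all constructed here, with hosts taken from the RFC 5737 documentation address ranges), the following naive Bayes classifier adds synthetic tokens for links to bare-IP hosts and to executables, so that an e-card lure carrying no attachment can still score as malware:

```python
"""Toy naive Bayes mail classifier that treats link-only lures as malware.

Added example: this is not the author's Bayesian filter. The message
format, feature names and sample mail below are all constructed here.
"""
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

URL_RE = re.compile(r"https?://(\S+)", re.IGNORECASE)
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")

Message = Tuple[str, str, List[str]]  # (subject, body, attachment file names)


def tokens_of(msg: Message) -> Set[str]:
    """Words plus synthetic feature tokens describing links and attachments."""
    subject, body, attachments = msg
    text = f"{subject} {body}"
    feats: Set[str] = set()
    for m in URL_RE.finditer(text):
        host_and_path = m.group(1)
        host, _, path = host_and_path.partition("/")
        feats.add("__url__")
        if IP_HOST_RE.match(host):
            feats.add("__url_ip__")      # bare IP host, typical of throwaway hosting
        if path.lower().rstrip(".,;").endswith(EXEC_EXT):
            feats.add("__url_exe__")     # link points straight at an executable
    text = URL_RE.sub(" ", text)         # keep URL fragments out of the word tokens
    feats.update(re.findall(r"[a-z]{3,}", text.lower()))
    if attachments:
        feats.add("__attachment__")
        if any(a.lower().endswith(EXEC_EXT) for a in attachments):
            feats.add("__attach_exec__")
    return feats


class NaiveBayes:
    """Multinomial naive Bayes over per-message token sets, add-one smoothed."""

    def __init__(self) -> None:
        self.counts: Dict[str, Counter] = defaultdict(Counter)
        self.docs: Counter = Counter()
        self.vocab: Set[str] = set()

    def train(self, labelled: Iterable[Tuple[str, Message]]) -> None:
        for label, msg in labelled:
            toks = tokens_of(msg)
            self.counts[label].update(toks)
            self.docs[label] += 1
            self.vocab.update(toks)

    def log_scores(self, msg: Message) -> Dict[str, float]:
        toks = tokens_of(msg)
        total_docs = sum(self.docs.values())
        scores: Dict[str, float] = {}
        for label, docs in self.docs.items():
            n_label = sum(self.counts[label].values())
            score = math.log(docs / total_docs)
            for t in toks:
                # Laplace smoothing: an unseen token never zeroes out a class
                score += math.log((self.counts[label][t] + 1) / (n_label + len(self.vocab)))
            scores[label] = score
        return scores

    def classify(self, msg: Message) -> str:
        scores = self.log_scores(msg)
        return max(scores, key=scores.get)


# Constructed training mail (not captured samples); hosts are RFC 5737 test addresses.
TRAINING: List[Tuple[str, Message]] = [
    ("malware", ("Greeting card from a friend",
                 "You have received a greeting card. Click http://192.0.2.10/ecard.exe to view your card", [])),
    ("malware", ("Your postcard",
                 "A secret admirer sent you a postcard. View it at http://198.51.100.7/postcard.exe", [])),
    ("malware", ("Important document", "Please see the attached document", ["document.zip"])),
    ("ham", ("Meeting tomorrow", "Hi, can we move the meeting to ten tomorrow? Thanks", [])),
    ("ham", ("Conference slides",
             "The slides are on the conference site http://www.example.org/slides/index.xml", [])),
    ("ham", ("Invoice", "Please find the invoice attached for last month", ["invoice.pdf"])),
]

# Constructed test messages: an attachment-free e-card lure and a plain reply.
ECARD_LURE: Message = ("You have an e-card",
                       "Your friend sent you an e-card. Pick it up at http://203.0.113.5/card.exe", [])
LUNCH_MAIL: Message = ("Lunch", "Are we still on for lunch tomorrow? Thanks", [])


def trained_filter() -> NaiveBayes:
    nb = NaiveBayes()
    nb.train(TRAINING)
    return nb


if __name__ == "__main__":
    nb = trained_filter()
    for msg in (ECARD_LURE, LUNCH_MAIL):
        print(f"{msg[0]!r}: {nb.classify(msg)}  features={sorted(tokens_of(msg))}")
```

Running the file classifies the two constructed test messages. The training set is deliberately tiny, so in practice the link features would need to be weighed against a held-out set of legitimate link-carrying mail (such as the conference-slides message above) to keep the false-positive rate in check.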

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That’s a growth of 106,723 new malware strains and/or variants so far in 2007; in September the number once more jumped by over 12,000. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 142,300. Things have certainly sped up during the second and third quarters of 2007!

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.

Conclusions:
The current trend of using social-engineering which has been widespread in January – August has continued during September, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven’t been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown in the massive jump in the percentage of phishing scams we’ve seen during both August and September.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. This works just as well and needs no extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


“A warm and friendly welcome to Vienna, unless you’re a Kangaroo!” ;-)

Day 1 – Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin’s opening address. This was followed at 11:00 by “A road to big money: evolution of automation methods in malware development”, presented by Maksym Schipka from MessageLabs on the Technical Stream. As always, Maksym’s talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting, a presentation by Abhilash Sonwane of Cyberoam entitled “Changing battleground: security against targeted, low-profile attacks”. This talk touched on cyber-crime and targeted attacks, which would be mentioned throughout most of the rest of the conference presentations, from different perspectives.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream. The first two presentations after lunch were:

  • DSD Tracer – implementation and experimentation – Boris Lau, Sophos
  • Pimp my PE: taming malicious and malformed executables – Casey Sheehan, Sunbelt Software


Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Anti-rootkit safeguards: welcome Vista – Aleksander Czarnowski, Avet
  • Patching. Is it always with the best intentions? – Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the day’s main proceedings, and I chose my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation: instead of the dry marketing material he was given, he gave a very entertaining one instead. This rounded off the day wonderfully!

Later we had the “Welcome drinks reception” which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 – Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector, it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled “The journey so far: trends, graphs and statistics”. Instead of trying to cover everything in the paper, all 30,000 words of it, I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

  • What a waste – the AV community DoS-ing itself – Joe Telafici, Dmitry Gryaznov, McAfee


This was an interesting look at sample sharing between security companies and researchers, the end result is often lots of duplicated samples and sets; these can easily be in excess of 500GB. In fact the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

Then it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

  • The WildList is dead, long live the WildList! – Andreas Marx, Frank Dessmann, AV-Test.org
  • Have you got anything without spam in it? – Tim Ebringer, CA
  • A testing methodology for rootkit removal effectiveness – Josh Harriman, Symantec


Although all of these were interesting I found the presentation by Josh Harriman very interesting and engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don’t remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we’d seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

  • Transforming victims into cyber-border guards: education as a defence strategy – Jeannette Jarvis, Microsoft
  • Phish phodder: is user education helping or hindering? – Andrew Lee, Eset; David Harley, Small Blue-Green World


Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy’s presentation included a ‘Game Show’.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two ‘Last-minute’ presentations, these were:

  • Andrew Walenstein, University of Louisiana at Lafayette
  • Erik Wu and Feike Hacquebord, Trend Micro


This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

  • Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations – Dmitri Alperovitch, Secure Computing


This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn’t work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentation after the day’s main proceedings. This time it was Vinny Gullotto from Microsoft; as with Larry’s, it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song “As some day it may happen” from Gilbert and Sullivan’s “The Mikado”, where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the “pre-dinner drinks and the Gala dinner and cabaret”. As always the food was excellent and the entertainment was typically Viennese: two couples performing various types of waltzes. This was followed up, after dessert, by our own private casino.

Day 3 – Friday 21st September 2007
The final day of the conference had arrived, I’m still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Menace 2 the wires: advances in the business models of cybercriminals – Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year, which included a quote that claimed that “Cyber-crime was now more profitable than running drugs”. Once more he had some very interesting material to share, including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

  • The trojan money spinner – Mika Ståhlberg, F-Secure
  • Once upon a time a trojan… – Luis Corrons, Panda
  • New approaches to categorising economically-motivated digital threats – Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional “Speakers Photo”. As usual, much hilarity was had by all, especially by those who were trying to trick Jeannette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream. These were the presentations I sat in on:

  • A deeper look at malware – the whole story – Bryan Lu, Fortinet
  • Malware removal – beyond content and context scanning – Tom Brosch, Maik Morgenstern, AV-Test.org


Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I’d sit in on the last one on the Corporate Stream. This was:

  • Future threats – John Aycock, Department of Computer Science, University of Calgary; Alana Maurushat, Faculty of Law, University of New South Wales


Although all the conference papers presentations had finished there was a very interesting and lively panel discussion:

  • The fight against international cyber crime – enforcing the law – David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI


Finally it was time for the conference closing session, once more led by Helen Martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some ‘comic’ ones. This year it seemed to be a case of “I’m Spartacus”, as a lot of people seemed to be wearing Dr. Vesselin Bontchev’s name badge, and no, it wasn’t him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the “welcoming statue“, along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn’t so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my ‘interesting’ vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don’t know who suffered more, the audience or me ;-)

Well, that’s another VB conference covered, I’m already looking forward to the possibility of attending next year, where it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit….any suggestions?

Oh, Vienna…Update

As promised in my last posting, I have now created a PDF version of the paper I presented last week [Thursday the 20th of September] at the Virus Bulletin 2007 international conference in Vienna, Austria.



Karlskirche, Karlsplatz, Vienna
[Picture (c) Copyright, Martin Overton 2007, All Rights Reserved]

Here’s the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.
  • Targets; file formats and operating systems.
  • Obfuscation and related tricks and counter techniques.
  • The use of social-engineering by malware authors.
  • The cat and mouse game between the malware authors and vendors.
  • The challenges of classification of malware.
  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscape of the types of malware used and the now often confused classification situation.

The paper is now available on my web site, and one of my other mirror sites. Here and here. Also, later this week I will post a short review of the conference, as I have done for the last 3 or 4 years.

Virus Bulletin 2006 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2006 conference, which was held at the Fairmont Queen Elizabeth Hotel in Montreal, Canada, between the 11th and 13th of October [Yes, that was a Friday; Friday the 13th, and knowing the recent spate of problems that the VB Conference has experienced since 2001, it seemed that they were tempting fate once more!] ;-)

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


Day 1 – Wednesday the 11th of October:

The first day of the conference started at 10:30 with Helen Martin’s opening address. This was followed at 11:00 by Mikko Hypponen, who gave his keynote speech, entitled ‘Case: Virus X’, which he informed us he couldn’t now talk about due to legal restrictions. So, instead he did a presentation covering the major developments of malware since the start of the problem, almost exactly 20 years ago. It was a very interesting presentation, given in an unusual but very effective style. He used 164 slides in just 40 minutes!

The next session was also interesting, a presentation by Rob Murawski of the CERT Coordination Centre on ‘Data exfiltration techniques: how attackers steal your sensitive data’. This talk sort of set the tone for the rest of the conference, as it covered cyber-crime, about which we would hear a number of talks from different perspectives.

After lunch, the conference split into its normal two stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the technical stream, but for a number of reasons I spent the rest of the first day in the corporate stream instead.

The first talk in the afternoon that I attended was a slightly controversial one to say the least, on user education, given by Stefan Gorling. His talk was entitled: ‘The myth of user education’. The focus of his talk was on how it was “pointless” to try and educate end users.

The very next presentation was also on user education, given by Peter Cooper and entitled: ‘User education: teaching techniques and learning styles for damage limitation’. This very ‘memorable’ presentation approached user education from the opposite side, saying that anyone can be trained, given the right approach. The presentation was memorable for two reasons: it used a new technique that I hadn’t seen used before, the 10/20/30 method, which Peter assured us would make it a memorable presentation, and secondly because just as he mentioned his presentation being memorable his Mac laptop shut down! This led many of the audience to ask Peter after his talk whether this was purely coincidental or part of his presentation.

Then it was time for a tea break, which I used to set up my laptop for my presentation, which was the next one on the ‘Corporate stream’. While I was setting up, I was asked for my opinion on ‘user education’ by a delegate, and I mentioned that I agreed with both of the previous speakers. I continued to say that I, like Stefan, thought that generally trying to educate end users on the technical side of malware was a waste of time; for most end-users anyway. But, that with infinite time and resources then they should be educated, but mainly on simple policies and procedures, rather than the specific details of a specific threat, which most of them are not interested in, or even want to know about. Only a few days later did I find out that the ‘delegate’ was a journalist; he never introduced himself and his badge was obscured, and I was distracted in setting up my laptop – slightly sneaky of him!

So, as you may have guessed by now, my presentation [‘Rootkits: risks, issues and prevention’] was next; however, we started 5 minutes late. This meant I never got to use my last 3-4 slides. Overall, I think the presentation went well as I had a number of people approach me and tell me they had enjoyed it and/or discuss some aspects in more detail. I also received very positive feedback on the actual paper too.

My presentation was followed by Matthew Braverman, who spoke about ‘Behavioural modelling of social engineering based malicious software’. This was another excellent presentation and rounded off the end of the first day in the ‘Corporate stream’.

Later in the evening we had a welcome drinks reception, which gave us a chance to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way. Oh, and enjoy a drink or two to help keep the brain lubricated. ;-)

Day 2 – Thursday the 12th of October:

For the first three sessions of the second day, I decided to stay in the ‘Technical Stream’; these were:

  • Full potential of dynamic binary translation for AV emulation engine – Presented by Jim Wu
  • Anti-rootkit safeguards and methods of their bypassing – Presented by Aleksander Czarnowski
  • Botnet tracking techniques and tools – Presented by Jose Nazario

The last two of these presentations caused quite a bit of discussion, especially Aleksander’s, which was picked up by the press, and numerous articles appeared on specific points he raised about fooling Vista. His paper was also a really good technical look at rootkits, which sort of complemented my own one on the same subject.

For the next two sessions of the second day, I decided to switch back to the ‘Corporate Stream’; these were:

  • The challenge of detecting and removing installed threats – Presented by Jason Bruce
  • Dirty money on the wires: the business models of cyber criminals – Presented by Guillaume Lovet

The last of these presentations caused quite a bit of discussion as Guillaume had a quote that claimed that cyber-crime was more profitable now to the ‘Mob’ than drugs! I’ll post more on this when I get a copy of his slides.

After lunch, I decided to stay in the ‘Corporate stream’, partly because I was chairing the first two sessions, and then the final two presentations on the ‘Corporate stream’ were the most interesting. Oh, and then there was a panel discussion.

  • The game goes on: an analysis of modern spam techniques – Presented by Rob Thomas and Dmitry Samosseiko
  • Containing spam – the local challenge – Presented by Jay Goldin
  • Spy-phishing – a new breed of blended threats – Presented by Jamz Yaneza
  • Phishing trojan creation toolkits: an analysis of the technical capabilities and the criminal organizations behind them – Presented by Dmitri Alperovitch
  • Panel discussion: Anti-Spyware Coalition – working together to combat spyware – Chaired by Richard Baldry

As you can see the afternoon was full of spam and phish, and we’d already had lunch!

After this there was a special ‘Birds of a feather‘ session on tackling graphical spam, which was lively and very interesting.

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied, and more nerdy/geeky chat too. The after dinner entertainment was supplied by jugglers and acrobats and rounded off by a good band.

Day 3 – Friday the 13th of October:

The last day of the conference was ahead of us; the first two days had gone past so quickly, with so much to digest, both physically and mentally! On the final day I was in the ‘Corporate stream’ for the first three presentations and then switched back to the ‘Technical stream’ for the rest of the day. The ones I attended on the corporate stream were:

  • Applying collaborative anti-spam techniques to anti-virus – Presented by Adam J. O’Donnell
  • The inspector: automating the forensic investigation of infected computers – Presented by John Morris and Eric Kedrosky
  • Can strong authentication sort out phishing and fraud? – Presented by Paul Ducklin

The last two were the most interesting with John and Eric showing how they had used free scanning/forensic tools to remotely inspect systems that were suspected of being infected. These tools were scripted and for the most part automated, nice work guys, and no I won’t be writing a paper on how to improve the system, this time! ;-)

Paul’s presentation was great and informative, as we have all come to expect from such a knowledgeable guy who is also a very animated presenter.

Switching back to the ‘Technical stream‘ for the final talk before lunch, I sat in on:

  • Macintosh OSX binary malware – Presented by Marius van Oers

During lunch the speakers photo was taken, here it is:



I’m right in the center of the front row [blue checked shirt and white trainers], next to me in the red sleeveless top is Michael Morgan and next to him is Morton Swimmer. The other side of me is Paul Ducklin and then Dr. Richard Ford. A full version of this picture, naming all of those in it, will be available on the Virus Bulletin site as soon as they have collated and commented on all the pictures they have from the conference and of Montreal itself.

After lunch I stayed on the ‘Technical stream‘, the presentations I saw were:

  • SymbOS malware classification problems – Presented by Dr Vesselin Bontchev
  • A deep look into Symbian threats – Presented by Robert X. Wang
  • Me code write good – the l33t skillz of the virus writer – Presented by John Canavan
  • Panel discussion: Fighting cybercrime: one size does NOT fit all! – ‘The Internet Strike Force’, led by David Perry

Although the presentations on Symbian were interesting there was little new information in them. The best of the afternoon session was the panel on Cybercrime led by the animated and funny Dave Perry in his ‘Internet Strike Force‘ bowling shirt.

And then it was the final session of the day, and of the whole conference:

  • Conference closing session – Presented by Helen Martin

All in all, this was a very good Virus Bulletin conference, although I felt that the ‘Technical stream’ was the poorest I had ever seen, with only a small number of interesting papers and presenters this year. However, this was offset by the number of excellent papers and presentations given on the ‘Corporate stream’, and I’ve been at nine of the last eleven VB conferences. Even allowing for this, there is still nothing quite like a VB conference, and long may it continue! I’m already looking forward to next year’s and thinking up possible papers to submit abstracts for possible selection for VB2007, which will be held in Vienna, Austria!

And even though the conference ran on Friday the 13th, there were no problems, no disasters, outbreaks of diseases, hurricanes, confiscated mugs, and so on; it all went very smoothly – well, apart from Peter Cooper’s Mac laptop that crashed on the first day, Wednesday the 11th, so it doesn’t count. And there were no major virus/malware outbreaks during VB either, which in itself is rather spooky!

Just in case you didn’t spot the link to my paper, here it is again: Rootkits: Risks, Issues and Prevention ;-)

I would be keen to hear from others who attended VB2006, at least to find out what they thought of the conference content this year.

Rootkits: Risk, Issues and Prevention – Paper Now Available!

No I haven’t fallen off the edge of the world, been kidnapped by aliens, or been hibernating. I’ve been preparing for the Virus Bulletin 2006 conference which was held last week in Montreal, Canada. Before that I was in France for 4 days at a customer site, I have also been updating a presentation for a guest lecture that I will give tomorrow at the University of Warwick, so, I’ve been busy creating and giving presentations. Oh, and that’s on top of my ‘usual‘ workload.

I will post a review of the conference in a week or so, covering my own personal thoughts on the conference and the content. This will include my thoughts on some of the presentations I attended on both the technical and corporate streams.

So, now the conference is over, I can make the paper I presented available to anyone that wants a copy.

Here’s the abstract that I submitted, and was selected back in March:

Rootkits have been around almost since the start of computing, however over the last two years the threat has changed; no longer is it just a *NIX [Unix/Linux] problem, corporate and academic computers running Microsoft Windows are now an increasing target. We are now at a tipping point; rootkits are no longer a minor annoyance or threat, they are starting to become a major cause for concern.

Many corporate security staff have a rather vague understanding of rootkits, not just what they are, but how they work. Furthermore many have little understanding of the risks to their company or their own home computer.

This paper will explain what rootkits are and how they work. It will also discuss ways to combat them using methods that range from simple security methodologies through to technical solutions.

The full paper [in Adobe Acrobat format (PDF)] can be found here: http://momusings.com/papers*

All feedback, comments, flames, suggestions, etc. are most welcome.

Normal service will be resumed as soon as I’ve caught up with the backlog of work I have piling up around me. So, if you see a news article saying: “A computer geek was found today buried under piles of work… he was finally extracted, alive, by teams of rescuers digging him out 48 hours after they were alerted to the disaster…” then you know it was probably me. ;-)

[*] All my other conference papers and magazine articles I’ve written can also be found there.

April 2006 Malware Review

April has come and gone and spring has arrived. It has been another interesting month on the malware front, although, as you will see, the number of trapped malware is still low.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 3 years, Malware Bayesian Filter 2 years.

In total I captured 1657 samples during April, which have been catalogued as 54 distinct families and variants. In comparison during March I captured 1356 samples which were catalogued as 61 distinct families/variants. As you can see the captures in April are only slightly up on March and still below the high of January’s total.

During April I captured and submitted 5 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

The low haul in April is mainly due to the apparent slow-down in new samples being spread via SMB [Windows shares], which was first noticed in December 2005. Part of the reason for this slow-down is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments; where attachments are used, these tend to be droppers or downloaders which are crafted to evade anti-virus tools.

During April I reported 157 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

W32/Tenga.3666 [Frisk] retained the pole position again during April. Its percentage fell from 73 percent [in March] to 53 percent of the pie.

Netsky.P lost its second place slot from March falling down the chart to seventh place.

The Mytobs regained the ground lost during March when they accounted for just two slots in the top ten. In April they captured five out of ten places.

The share-crawling worms lost their hold they had on March’s table where they took six out of ten places. In April they are down to just three places, halving their presence.

The only other mass-mailing worm that made it into the top ten was W32/Mydoom.o@MM [McAfee].

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple ‘vectors’ and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] this month has seen the Zafi family move out of the top ten.

In pole position we have Mytob.c, which was also number one for the last two months. Second place is occupied by Netsky.t [same as in March]. Lovegate.w makes a return [in third]. Netsky.q takes fourth place [up from seventh]. Lovegate.ad is a new entry at number five. The rest of the chart is made up of Netsky.b in sixth place [down from fourth] and Mytob variants [y, t, u and q] in seventh, eighth, ninth and tenth place respectively.

In the SOPHOS chart we see a different pattern; Netsky.p has grabbed back its number one slot, which it lost in March. Zafi.b slips from pole to second. Nyxem.D [aka MyWife] has consolidated its third place from March. Mydoom-AJ is stationary in fourth place [it was a new entry in March]. Another Netsky [D] grabs fifth place. The final places are made up of Mytob variants [FO, C, Z and AS] in sixth, seventh, eighth and tenth respectively, broken up by the presence of a new entry, Delebot.A, in ninth.

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped from 73 percent of all samples caught in March to just 53 percent in April. Mytob has grabbed back second place from Operserv, which slips down to third. Fourth place is occupied by Mydoom, up from fifth in March. Netsky slips one place to sixth. The rest of the vacant spots are almost all taken by share-crawling worms and bots, these being: Sdbot, Ranky and the related multi-component dropper. The only e-mail based worms which appear in the lower five places of the chart are W32.Reatle and W32.Kapser [aka MyWife.D].

If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let’s switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of April] here. This clearly shows that April was quieter than December 2005, which was the quietest month ever in the case of e-mail borne malware being trapped.

The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware so far this year, it grew from 168,807 [as at the end of December 2005] to 188,252 [as at the end of April 2006]. That’s a growth of 19,445. Interestingly, just like in March, the growth of new malware slowed in April by almost 50 percent when compared to the first two months of the year.

What’s New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest or cover some of the interesting occurrences in April 2006.

Conclusions:
Although malware growth slowed during April, you may have noticed that spam, phishing and 419 scams have been very aggressive during the same period, and they show no sign of stopping. The growth in malware, including spyware which uses rootkit [cloaking/stealth] techniques, is becoming a major problem, and corporations need to address this now before it gets completely out of control with widespread infestations throughout their infrastructure.

On this subject, I have been asked to present on ‘Rootkits’ at the Virus Bulletin 2006 conference to be held later this year. The paper will be made available for all to read once it has been presented.

Links:

EICAR 2006 Review

As previously mentioned on this blog I had a paper selected for the EICAR 2006 conference which was held at the Hotel Hafen in Hamburg, Germany between the 30th of April and the 3rd of May.

The hotel was quite interesting, made up of the ‘Classic’ part [left side of the picture with the hotel name on it]; which was the sailor’s mission [home] from 1864 until 1979, and the new ‘Residenz’ modern section [on the right side, includes the modern tower and you can just see part of the Ellipses]. The conference was held in the modern part of the hotel for the first two days, and then moved to the ‘Classic’, old part of the hotel for the final day.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:

Day 1 – Sunday 30th April:

The start of the day was used by many of the Working Groups and Task Forces that EICAR has. The conference ‘proper’ was kicked off by Sarah Gordon who gave her keynote speech. Sarah covered some interesting areas such as sociology, ethics and her being seen as a heretic when she originally published some of her research and ideas some years ago. These have now [for the main part] become considered as part of the mainstream. At the end of her keynote, Sarah challenged those in the room to dare to be the next heretic!

This was followed by a panel session about ‘groups’ in both the anti-malware and malware scenes.

After a break, I decided to stay in one of the two streams, this one being held in Ellipse I. The session room was smaller, but the number of people attending meant that a number had to stand as there was not enough seating. The ones that I found most interesting were:

  • Mystery Meat: Where does spam come from, and why does it matter? – Presented by Christopher Lueg.
  • Spam Zombies from Outer Space. – Presented by John Aycock and Nathan Friess

Both of these caused a flurry of questions and the lively debate raged on after the sessions.

The end of day 1 was rounded off by the ‘Meet the Experts’ session which was a chance for many of us to chat more and discuss what we had seen or heard so far, catch up with old friends, make new friends and contacts and generally chew-the-cud in a geeky/nerdy sort of way.

Day 2 – Monday 1st May:

The first sessions of the day that I attended were held in Ellipse II and were all on spyware, from very different perspectives. My talk was the second of the four slots given during the first half of the morning.

  • Spyware: A risk model for business – Presented by Vanja Svajcer
  • Spyware: Risks, Issues and Prevention – Presented by Martin Overton
  • The Trials and Tribulations of Testing Spyware Solutions: Towards a Testing Methodology – Presented by Larry Bridwell
  • A Testing Methodology for Anti-Spyware Product’s Removal Effectiveness – Presented by Josh Harriman

The next set of presentations which I found interesting were these:

  • Behavioral Classification – Tony Lee
  • TTAnalyze: A Tool for Analyzing Malware – Presented by Ulrich Bayer, Engin Kirda, Christopher Kruegel
  • Enlisting the End-User – Education as a Defense Strategy – Presented by Jeannette Jarvis
  • Pharming: a real threat? – Presented by David Sancho
  • Evolution from a Honeypot to a distributed honey net – Presented by Oliver Auerbach

The end of day 2 was rounded off by the Gala Dinner; good food and wine were supplied. The after dinner entertainment was supplied by a somewhat manic magician who spoke very fast and almost only in German which left about half to two-thirds of those assembled trying to work out the jokes, punchlines and the general patter that went along with the rather good magic.

Day 3 – Tuesday 2nd May:

On the last day of the main conference we moved from a two stream format to a single stream held in a conference room in the ‘Classic’ part of the hotel. This layout was significantly better than the first two days where it was somewhat cramped and there were no tables, only rows of chairs.

The day started off with another keynote, this time given by Professor Klaus Brunnstein. Although it was a very interesting talk he overran by almost half an hour, which put the rest of the day’s schedule off. Here are the presentations that I found most interesting during the morning sessions:

  • Inherent Technical Risks will lead Information and Knowledge Societies into a risk Society – Presented by Prof. Klaus Brunnstein
  • Future Trends in the realm of malware – Presented by Guillaume Lovet
  • Windows Rootkits – Presented by Mika Stahlberg

The rootkit one I found particularly interesting as I’m currently writing a paper for the Virus Bulletin conference on this very subject. Thanks go to Mika for helping me by writing and presenting his paper [and sending me his slides too] as this will help me no end in writing mine [with due credit of course].

The afternoon also proved to be eventful as several of the sessions planned had to be removed due to speakers not turning up to present. This meant that the schedule went from being half an hour late to almost an hour early. So, the panel session was moved forward to take up the slack. As usual with panel sessions this proved to be quite animated, especially when David Perry of TREND is part of the panel ;-) .

I didn’t stay for the last day [3rd of May] as it was a day just for Task Force meetings.

All in all, this was a very good EICAR conference; in fact it was the best attended ever, with almost 100 attendees! I’m already looking forward to next year’s.

Just in case you didn’t spot the link to my paper, here it is again: Spyware: Risks, Issues and Prevention ;-)

Virus Bulletin 2006 Abstract Selected

Virus Bulletin have just informed me that my abstract entitled: ‘Rootkits: Risks, Issues and Prevention‘ has been selected for the Virus Bulletin 2006 international conference to be held from the 11th to the 13th October 2006 at the Fairmont The Queen Elizabeth, Montr

Bayes strikes again

Woohoo, my paper on using Bayesian Filtering to classify malware has been mentioned on none other than the ‘Looswire’ blog run by Jeremy Wagstaff. Jeremy, apart from having a very interesting blog, is also a regular columnist for the WSJ.

The paper was written for and presented at the Virus Bulletin 2004 international conference in Chicago, USA.

POPFile Screenshot

The tool he is discussing is POPFile, a FREE anti-spam tool for all platforms that support PERL [for Windows you don’t have to install PERL as it is all part of the Windows install package supplied].

It is very easy to set up and it learns very quickly. Why not give it a try?

The blog entry can be found here: How to Make More Use of the Vicar

The Vicar in question is Thomas Bayes, an 18th Century nonconformist minister who came up with a simple but very effective way to classify things using a simple theorem. If you want to know more then take a look at the paper.
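To make the idea behind the paper concrete, here is an added example (written for this page; it is not the paper’s code, nor POPFile’s implementation) of Bayes’ theorem applied to malware classification. It trains a naive Bayes classifier on a handful of constructed, labelled message summaries, classifies unseen messages, and reports the fraction classified correctly, the same kind of figure the monthly reviews quote for the Bayesian filter. The tokenization, the sample messages and the ‘malware’/‘clean’ labels are all assumptions made for the example.

```python
"""Toy naive Bayes malware classifier (added example; not POPFile or the paper's code)."""
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case and split on whitespace. A real filter would also split
    headers, MIME parts and attachment names into separate features."""
    return re.findall(r"\S+", text.lower())


class NaiveBayesClassifier:
    """Multinomial naive Bayes with add-one (Laplace) smoothing, in log space."""

    def __init__(self):
        self.class_docs = Counter()     # training messages per class
        self.token_counts = {}          # class -> Counter of tokens
        self.class_tokens = Counter()   # total tokens per class
        self.vocab = set()

    def train(self, samples):
        for text, label in samples:
            tokens = tokenize(text)
            self.class_docs[label] += 1
            self.token_counts.setdefault(label, Counter()).update(tokens)
            self.class_tokens[label] += len(tokens)
            self.vocab.update(tokens)

    def _log_score(self, tokens, label):
        # Bayes' theorem: P(class | tokens) is proportional to
        # P(class) * product of P(token | class), assuming token independence.
        prior = self.class_docs[label] / sum(self.class_docs.values())
        counts = self.token_counts[label]
        denom = self.class_tokens[label] + len(self.vocab)
        log_p = math.log(prior)
        for tok in tokens:
            # add-one smoothing: a token never seen in this class still gets 1/denom
            log_p += math.log((counts[tok] + 1) / denom)
        return log_p

    def posterior(self, text):
        """Return {label: probability}, normalised over the known classes."""
        tokens = tokenize(text)
        scores = {lbl: self._log_score(tokens, lbl) for lbl in self.class_docs}
        peak = max(scores.values())  # subtract the maximum to avoid underflow
        weights = {lbl: math.exp(s - peak) for lbl, s in scores.items()}
        total = sum(weights.values())
        return {lbl: w / total for lbl, w in weights.items()}

    def classify(self, text):
        post = self.posterior(text)
        return max(post, key=post.get)


# Constructed training data (hypothetical): each message is summarised as
# attachment/subject tokens and labelled by hand.
TRAINING = [
    ("attachment photo.jpg.exe double-extension subject re: your pictures", "malware"),
    ("attachment document.pif subject re: document details", "malware"),
    ("attachment message.zip exe password subject mail delivery failed", "malware"),
    ("attachment invoice.scr double-extension subject re: invoice attached", "malware"),
    ("attachment agenda.pdf subject meeting agenda thursday", "clean"),
    ("attachment report.doc subject quarterly report draft", "clean"),
    ("no-attachment subject lunch on friday", "clean"),
    ("attachment minutes.pdf subject minutes from last meeting", "clean"),
]

# Constructed held-out messages used to measure how often the filter is right.
HELD_OUT = [
    ("attachment photo.scr double-extension subject re: pictures", "malware"),
    ("attachment statement.zip exe subject re: your account", "malware"),
    ("attachment slides.pdf subject meeting slides for thursday", "clean"),
    ("no-attachment subject lunch next friday", "clean"),
]


def build_classifier():
    clf = NaiveBayesClassifier()
    clf.train(TRAINING)
    return clf


def evaluate(clf, labelled):
    """Fraction of labelled messages the classifier gets right (0.0 to 1.0)."""
    correct = sum(1 for text, label in labelled if clf.classify(text) == label)
    return correct / len(labelled)


if __name__ == "__main__":
    clf = build_classifier()
    for text, label in HELD_OUT:
        print(f"{label:8} -> {clf.classify(text):8} {clf.posterior(text)}")
    print(f"classified correctly: {evaluate(clf, HELD_OUT):.0%}")
```

The only thing the classifier ‘knows’ is token frequency per class, which is why the same engine that sorts spam from ham can sort malware-bearing mail from the rest once it has been trained on labelled samples; retraining on each month’s new captures is what keeps the ‘classified correctly’ percentage from drifting as the authors change their attachment tricks.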

EICAR 2006 Abstract Selected

EICAR have just informed me that my abstract, entitled: ‘Spyware: Risks and Prevention‘ has been selected for the EICAR 2006 conference to be held in Hamburg, Germany between the 29th April and the 2nd of May 2006.

The abstract for the paper appears below:

Spyware has grown over the last two years from a minor annoyance to what it is today; a major headache for companies and academia (most of them just don’t know it yet) and home users alike.

This paper will investigate the growth of this threat and the ‘cart-load’ of risks and issues that spyware and related risks bring to the corporate table. Furthermore, it will investigate what the security staff in corporations can implement to address the risks and their companies’ liability, including:

  • Policy
  • Education
  • Firewalls
  • Proxies
  • Intrusion Detection Systems
  • Anti-Virus tools
  • And last but not least, Anti-Spyware tools.

The processes, procedures and other solutions and guidance offered in this paper will come mainly from real-world experience of tackling spyware and related issues/risks.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months…Hang on they need the completed paper by the 17th of March!!!

The full paper will be made available after the conference. I’ll post an announcement here shortly after the conference has finished.