MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Monday, 27 April 2009

Look here Kido, stop trying to Conficker my computer...

Yes, I know I haven't posted for ages, but I've been kind of busy helping customers with outbreaks, ethical hacking, application testing and computer forensics. I have also been busy writing an article for a magazine (more on that in a moment) and writing abstracts for the 2009 Virus Bulletin conference; one of which was accepted, I'll blog about that when I have more time.

OK, enough of the lame excuses from me.

So, back to the article...

Over the last few months one particular malware family has been hyped out of all proportion and unless you've been living under a rock or had no access to a computer since the end of November you must already know which malware family I'm writing about?

At the beginning of March this year, after spending a significant amount of time dealing with the most virulent variant at that time, the B variant (or variants), I was asked to write an article for a magazine on Conficker, which I duly did.

It was submitted, and I'd made it clear that there was no way that my employer would willingly waive its copyright. So, what do I get asked to sign?

So, to cut a long story short, it was agreed that the article would not be published by the magazine after all, but I could publish it on my blog, etc. as long as my employer's copyright of the material was mentioned.

The upshot of this is my article on the evolution and functionality of Conficker. Please bear in mind that this was completed on the 9th of March 2008, weeks before every man and his cerberus had decided they ought to write such an article.

I hope that you find it useful, enlightening and maybe entertaining too?

The article entitled "Have you been Confickered" can be found here: http://momusings.com/papers/Have-You-Been-Confickered-v1.01.pdf

As usual all feedback is most welcome.


Tuesday, 24 February 2009

Discount Coupons from Hell...

We all like a bargain, right?

How many of you out there use coupons to get discounts on things you buy, or plan to buy?

Do you use the paper coupons that you get from flyers, papers, magazines and brochures, or do you use the electronic coupon codes instead?

Whichever you do use, I'm sure that you all love the feeling that you've saved some of your hard-earned money by using them? Of course the cynics amongst us would say it is just social engineering to get us to buy a particular brand or even buy something we didn't really plan to buy, or in some cases even need... So whilst I'm on this topic I was intrigued when I received the following email yesterday:

Here's a screenshot of one of the emails that I've received:



Oh goody I thought, coupons! ;-)

I clicked on the link and this is where I ended up:



Now that's interesting, how have they managed to show me offers for a town near where I live?

A quick look at the page source shows that they are using GeoIP [Geographic resolution of the IP address used to request the page, in other words my routers public IP address].

So, if you are in say Manchester, UK you would be shown ones allegedly tailored for that area, likewise if you are in, say, San Diego, US or Munich, Germany or even Sydney, Australia.

More digging shows that the page is also laced with exploit code, to catch the un-patched and infect their systems [using a hidden IFRAME].

So, what happens when I click on the 'Click Here' icon on the page?

Ah, I get offered an executable file [list.exe], not a PDF or any real coupons at all, a Windows binary file that I suspect is actually malware, probably a new variant of Waledac. So let's refresh the page and see if anything changes?

Yes, the filename offered changes, after the page reload it became: saleslist.exe! More page reloads show that it is using a number of different names in rotation. So, I scanned the files [both of them] and they are identical in size and MD5 hash, this means they are identical internally.

At the time of posting this blog entry the detection of the offered files was rather poor, with only 9 out of 32 tested scanners identifying that this is a malicious file. Most of the ones that did detect it were using heuristic or generic detection, which means this is indeed a new variant.

So it seems that once more the bad guys and girls are trying new social engineering techniques to try and get us to infect our systems and effectively press-gang our systems into the botnet army they control. These are the same group of cyber-criminals responsible for the Valentine's Day fake e-card development kit that I blogged about recently.

Here are some useful links if you want to know more about Waledac [please bear in mind that the descriptions used may not be valid for this new variant]:


Don't let your guard down just because you think you are getting a good deal, some free coupons, free iPod, laptop, or whatever.......Just remember there is no such thing as a free lunch, someone has to pay for it, either directly or indirectly, don't let it be you...

UPDATE:
As I was finishing off this blog entry, I re-checked the site, and found that the files offered still use the same list of names [15 so far], but the filesize and MD5 hash value are now different from yesterday's. Seems they are seeding new variants each day... so, be on your guard!


Tuesday, 10 February 2009

Another Valentine's Day...

...Another Chance to Get Infected!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentine's Day on Saturday?

It seems that the bad guys and girls are back playing cupid again and couldn't resist the opportunity to try and get you to infect your computer, yet again using the guise of a valentine e-card. The latest wave of these started yesterday:

Here's a screenshot of one of the emails that I've received:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like the one below, at least for now it does:



Very nice of them to offer you a tool to make your own Valentine's Day greetings? Of course, in reality it is just an infected file used to recruit your PC into the botnet army of the author of this malcode.

When I first started to see these Valentine's Day e-mails, late last week [a test run maybe?], the landing page looked like this instead:



However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see any more 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered files [at least two distinct unique files (MD5 hash value)] was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore, the file is being offered under different file names, although the actual file is internally identical in many cases, as mentioned above.

If I get any further useful data or news then I'll try and post it here.

Oh, and don't forget the risk of getting an infection isn't just for Valentine's Day, it is for every day of the year, don't let your guard down... stay safe!


Thursday, 16 October 2008

Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-)] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don't mind, but I was actually looking forward to having a more relaxed conference than I usually do, but that's life!



This posting is a quick review of the conference:

Day 1 - Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by the Keynote address "The AV industry: Quo Vadis?" presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, as well as what the good guys [and girls] are up to.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting, a presentation by Morton Swimmer [who used to work for IBM] entitled:

  • Towards integrated malware defence

It was a good presentation, however as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two-stream mode; Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream.

The first two presentations after lunch were:

  • Your computer is now stoned (...again!). The rise of MBR rootkit - Kimmo Kasslin, F-Secure
  • When the hammer falls - effects of successful widespread disinfection on malware development and direction - Matt McCormack, Microsoft
The presentation given by Kimmo was especially interesting as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Applying user-mode memory scanning on Windows NT - Eric Uday Kumar, Authentium
  • Packer visualisation: a fast entropy scanning algorithm that preserves local detail - Li Sun, RMIT University

I decided to sit in on the vendor presentation after the days main proceedings, this was given by my good friend David Harley, from Eset.

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of Ice Hockey players; for those that wanted pictures, as well as a bit of fun from Ken Bechtel, whose hat did the rounds and photos were taken of those that ended up wearing it, including me. If you've ever met Ken, you'll know which hat I mean as he is rarely seen without it.

Day 2 - Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-)"], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector, it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn't now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

  • The robustness of new email identification standards - Reza Rajabiun, COMDOM Software and York University
  • Coordinated distributions method for tracking botnets sending out spam - Andrey Bakhmutov, Kaspersky Lab
  • Malware forensics: detecting the unknown - Martin Overton, IBM ISS
The presentation given by Andrey was extremely good, some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes "it was like teaching my grandmother how to suck eggs". In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the world's best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact one of the guys who was running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

  • VB testing - present status, future plans, John Hawes, Virus Bulletin
  • Race to zero with online scanners, Boris Lau, Sophos
  • There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
  • Apple iPhone programming with SDK, Marius van Oers, McAfee
This year these short technical presentations worked rather well, although it was hard for some of the presenters to keep to the 20 minute slot limit, yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

  • The NorTel Mailer: effective open-source spam filtering for enterprises - Chris Lewis, Nortel
  • SCADA security - who is really in control of our control systems? - Peter Allor, IBM

Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

  • The state of anti-malware testing

Later we had the "pre-dinner drinks and the Gala dinner and entertainment".

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say "we have travelled 3,500 miles for a pub quiz!". Personally, I enjoyed it, it just needed to be shorter.


Day 3 - Friday 3rd October 2008

The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Understanding and teaching bots and botnets - Randy Abrams, ESET
This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats by using robot vacuum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

  • Automatic rules-based binary analysis with IDA Pro and CLIPS - Ryan Hicks, AVG
  • Rebuilding testing for the future - Igor Muttik
  • Samples.malware.org: sample sharing for the next decade? - Richard Ford, Florida Institute of Technology
All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all. However, I think I can honestly say that this year's photo was the quickest ever as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream. These were the presentations I sat in on:

  • Where do your users want to go today and can you stop them? - Bruce Hughes, AVG
  • The name of the dose: does malware naming still matter? - Pierre-Marc Bureau and David Harley, ESET
Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I'd sit in on the last one on the Technical Stream again. This was:

  • Darwin inside the machines: malware evolution and the consequences for computer security - Peter Ször, Symantec
    Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science
This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference paper presentations had finished there was a very interesting and lively panel discussion on:

  • Security in banking forum
Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be another case of "I'm Spartacus", as a lot of people seemed to be wearing Ken Bechtel's hat, including me, and no it wasn't him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Thursday, 25 September 2008

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world's best malware researchers. This can be pretty daunting! This will be my 11th Virus Bulletin Conference since my very first, which I attended and presented at back in 1996.

However, I've now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I'm needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you reading this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don't bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I'll post a review as soon as I can.


Friday, 25 July 2008

FREE Anti-Virus Software...

I thought it is about time for me to cover this again due to the current world-wide credit crunch and fuel, power and food costs soaring. This means many people are looking for ways to cut costs; including costs for protecting their computers. FREE isn't a bad word, but the bad guys and girls have started to make it feel like it ought to be. The phrase Caveat Emptor [Let The Buyer Beware] seems to be more pertinent than ever.

What do I mean by "the bad guys and girls have started to make it feel that it ought to be"? Let me explain:

Look at these for examples of the rather naughty ways that the bad guys and girls are trying to get you to download and use their anti-virus:

First they try scare tactics:



Then they try a little more direct approach:



If you are foolish enough to go to the sites, then this is what you'd currently see:



Looks very professional, doesn't it? Hard to believe that this is a bad site! Want proof? OK, here it is:



That is the very same site [URL] but visited using Firefox 3.x instead.

But that isn't all, this site is also being promoted by a botnet called Asprox. This botnet searches for websites backed by SQL databases, and it then tries to run exploit code, which if successful, overwrites all URLs in the database with a single link. If this now 'bogus' link is clicked on a website using the SQL-injected database for content, it starts a chain reaction, which often ultimately ends up either on the site shown above, or it may infect vulnerable systems using exploit code that was run as part of the chain reaction. This may include infecting your system and making it part of the Asprox botnet.

But there's more.....

Here's a screenshot of another e-mail I received recently:



The link, if foolishly clicked on, takes you here:



Does it look familiar?

Here's a screenshot of the source of the above page:



Notice how it uses the REFRESH function to pop up a download of the executable they offer; no it isn't anti-virus software, it is actually malware!

So, who can you trust if you want FREE anti-virus software?

These are the FREE ones I'd personally recommend:


Please be aware that there are a number of 'bogus' anti-spyware tools out there too and probably even 'bogus' personal firewalls.

You can find all the links mentioned above, and other useful tools, etc. here.

At the end of the day to help keep your system free of net nasties and their kin, you need to ensure that you have a personal firewall, up to date anti-virus installed, anti-spyware tool(s) installed, and last but not least practice 'Safe-Hex'.

Computer problems are bad enough most of the time which means the following anti-stress kit might be useful? However once you add malware to the more usual computer problems it becomes a must have piece of kit, well it stops the common hair-loss normally associated with stress! ;-)





Hopefully, this posting will help you retain your sanity, or at least reduce the cranial damage you may do to yourself using the above anti-stress kit.

Be careful out there, the web is a dangerous place without suitable protection...

If any of you out there in blog land have other security software that you recommend then please feel free to drop me a line or leave the details in a comment. Thanks!


Friday, 4 July 2008

A Stormy Independence Day...

It seems that the so-called 'Storm Worm Gang' are back and couldn't resist the opportunity to try and get you to infect your computer again using the guise of a 4th of July [American Independence Day] firework show. This latest wave started early this morning:

The subjects of the e-mails I've seen so far include:

America the Beautiful
Celebrating the spirit of our Country
Time for Fireworks
Well done 4th!
Light up the sky
The best firework you've ever seen
Long Live America
Celebrating the Glory of our Nation
American Independence Day

The body of all the e-mails seen so far contains a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1], here is just a small selection of the text I've seen used so far:

A Hearty Wish
Amazing Independence Day show
Stars and Strips forever
Well done 4th!
Celebrate the spirit of America
Happy Independence Day
Home of the Brave
Spectacular fireworks show
Long Live America
Amazing Independence Day salute
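The tell-tale in these e-mails is the bare dotted-IP URL in the body. The following is an added example, not code from the original post: it extracts the URLs from a message and flags any whose host is an IP literal rather than a domain name. The message it parses is constructed to mimic the run described above (the addresses and the unsubscribe link are placeholders).

```python
"""Triage an e-mail by extracting URLs from its body and flagging ones
whose host is a bare IP address (the 'dotted IP' style used by this run).

Added example, not the blog's own tooling; the message below is
constructed, with placeholder addresses."""
import email
import ipaddress
import re
from email import policy
from urllib.parse import urlparse

# Matches http(s) URLs in plain text; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_url(url):
    """Return 'ip-literal' when the URL host is an IPv4/IPv6 address, else 'hostname'."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        return "hostname"


def triage_message(raw):
    """Parse a raw RFC 822 message and report its subject, URLs and whether
    any URL points straight at an IP address."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    classified = [(u, classify_url(u)) for u in urls]
    return {
        "subject": str(msg["subject"]),
        "urls": classified,
        "suspicious": any(kind == "ip-literal" for _, kind in classified),
    }


# Constructed message: subject and body text taken from the lists in the post,
# the IP is the post's own example address, the second URL is a placeholder.
CONSTRUCTED_EMAIL = """From: someone@example.invalid
To: me@example.invalid
Subject: Time for Fireworks

Spectacular fireworks show http://100.123.12.1/
Unsubscribe at http://www.example.com/unsub
"""

if __name__ == "__main__":
    result = triage_message(CONSTRUCTED_EMAIL)
    print("Subject:", result["subject"])
    for url, kind in result["urls"]:
        print(f"  {kind:10s} {url}")
    print("Suspicious:", result["suspicious"])
```

A raw-IP URL is not proof of malice on its own (some legitimate hosts are addressed that way), but combined with a one-line body and a holiday-themed subject it is enough to route the message to quarantine rather than the inbox.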

Here's a screenshot of one of the emails that I've received this morning:



Here's a screenshot of another one of the emails that I've received this morning [Can you spot the difference ;-)]:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



And here is the source of the web page currently in use:



The more eagle-eyed of you may have noticed that the code includes an IFRAME which loads a PHP file called 'ind.php'; this is what part of the page source code looks like for that file:



You may notice that this uses an obfuscated JavaScript routine, the end result, if you have JavaScript enabled in your web browser and your anti-malware doesn't detect this malcode, is that a dropper will be written to your hard disk. This is effectively a 'drive-by-download' as you don't have to click on anything on the webpage to download the file hidden in the JavaScript in 'ind.php'. The lower part of the code has been digitally munged by myself, as you don't need to see all of it.
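Both page-source tricks described on this page, the META REFRESH that pops up an executable download (in the "FREE Anti-Virus Software" post) and the hidden IFRAME that silently pulls in 'ind.php' (above), can be picked out mechanically. The following is an added example, not code from the original blog: a small scanner over page source that reports those constructs. The HTML it scans is constructed to mimic the screenshots described and contains no real exploit; the host name is a placeholder.

```python
"""Flag page-source lure constructs: a META REFRESH that redirects to an
executable, a hidden IFRAME, and plain links to executables.

Added example, not the blog's own code. CONSTRUCTED_PAGE is invented to
mirror the pages described in the posts; example.invalid is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse

EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat")


def _is_executable_url(url):
    """True when the URL path ends in a Windows executable extension."""
    return urlparse(url.strip()).path.lower().endswith(EXECUTABLE_EXTS)


def _refresh_target(content):
    """Split a refresh value like '0; url=http://x/list.exe' into (delay, url)."""
    parts = content.split(";", 1)
    if len(parts) != 2:
        return None, None
    try:
        delay = int(parts[0].strip())
    except ValueError:
        return None, None
    target = parts[1].strip()
    if target.lower().startswith("url="):
        target = target[4:].strip().strip("'\"")
    return delay, target


class LureScanner(HTMLParser):
    """Collects (kind, target, delay) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            delay, target = _refresh_target(a.get("content", ""))
            if target and _is_executable_url(target):
                self.findings.append(("meta-refresh-to-executable", target, delay))
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            # Zero/one-pixel frames and CSS-hidden frames are the classic drive-by carrier.
            hidden = (
                a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", ""), None))
        elif tag == "a" and _is_executable_url(a.get("href", "")):
            self.findings.append(("link-to-executable", a["href"], None))


def scan_page(html):
    """Return the list of findings for a page source string."""
    scanner = LureScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed page source modelled on the screenshots the posts describe.
CONSTRUCTED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://example.invalid/list.exe">
</head><body>
<img src="fireworks.jpg"><a href="fireworks.exe">Click Here</a>
<iframe src="ind.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, target, delay in scan_page(CONSTRUCTED_PAGE):
        print(kind, target, "" if delay is None else f"(delay {delay}s)")
```

The scanner only looks at static markup; the obfuscated JavaScript inside 'ind.php' would need a separate dynamic or de-obfuscation step, which is why the hidden frame itself is worth flagging before its content is ever fetched.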

At the time of posting this blog entry the detection of the offered 'fireworks.exe' file was still not complete, with only 20 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different, not in size, but the MD5 hash is not the same. I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.

If I get any further useful data or news then I'll try and update this entry later today.

For those of you celebrating this particular holiday, I would like to wish you a very happy day and enjoy the real fireworks rather than the fake ones being offered in the latest Storm Worm run.

Oh by the way, I forgot to mention that this isn't the first time that fireworks have been used to get people to infect their own computers, anyone remember 'Happy99.exe' (also-known-as 'Ska')?


Friday, 27 June 2008

I'll Have a 419 With a Side Order of Malware, Please....

No this isn't about an order being placed at my local Chinese restaurant or takeaway; their menu item numbers don't go up that far, believe me I have checked ;-).

So for starters, let me show you a screenshot of an e-mail I received this morning:



Looks like a pretty typical 419 scam e-mail doesn't it? A little more terse than usual, I'll grant you, but still a 419 scam, hang on it has an attachment, most unusual! Here's a screenshot showing the attached file:



An executable file, very suspicious and most unusual for it to be attached to a 419 scam. I wonder what the Bad Guys and Girls from Lagos are up to now? I think a bit of testing and investigation is in order, don't you?

Some details on the executable file first:

FileName: 108 3386 8257.exe
FileDateTime: 26/06/2008 11:38:39
Filesize: 303842
MD5: 3e5480b34a38d2dc5e1f45f561c7d5f2
CRC32: F7A3CF76
File Type: PE Executable

This is a WinRAR SFX [executable archive] and contains the following files:

108 3386 8257.txt
gbt.exe
gbthk.dll
inst.dat
kw.dat
pk.bin
rinst.exe


So, let me extract the files, no, not by running the RAR SFX file, as that would infect my system with the malware contained inside it.

Of these only one is a true executable file, this is:
FileName: rinst.exe
FileDateTime: 24/06/2007 21:08:18
Filesize: 19456
MD5: f3d0beef15eb987dbcec8e803bf6c89d
CRC32: 94F8865E
File Type: PE Executable

This file "rinst.exe" is packed using Armadillo and the executable itself appears to be written using Microsoft Visual C++.

This is the main installation file, and if you are foolish enough to run the attachment, all the enclosed files are dropped to "C:\WINDOWS\TEMP\RarSFX0" and then it proceeds to run "rinst.exe" to perform the install of the malcode; in this case it also tries to identify and kill any recognised anti-malware tools. Once installed it attempts to load the "108 3386 8257.txt" file which contains the following text:

MTCN CONTROL NUMBER 108 3386 8257
AMOUNT : $3,450USD
RECIEVER : JONATHAN NWEKE,LAGOS NIGERIA

The rest of the files appear to be obfuscated files that are part of the installation of a keylogger, so not only is this malware attempting to kill any security defences you have in place, it is also trying to record what you type, etc. Nasty!

So next time you receive a 419, have a closer look and see if the Bad Guys and Girls from Lagos have included an attachment to get you to infect your computer and steal your personal data. It seems that they have finally learned that this is now a multi-billion dollar business, and if they fail to adapt then they will either get left behind or other professional cyber-criminals will take their traditional business away from them.

If you want to know more about 419 scams and their genesis, then you can find more here.

Right, back to my analysis of this to find out what else it does...


Thursday, 19 June 2008

They're Back!!! Beijing Earthquake

Early this morning we started to see emails pushing a new variant of the so-called 'Storm Worm'. These are using a similar tactic to those that gave the malware authors their name; in this case it isn't real storms, it is a fictional new earthquake in Beijing, China.

Here is a screenshot showing many of the subject lines seen so far for this new Storm Worm run:



Here is a screenshot of one of the e-mails I have received:



Most of them do not have the anti-virus scanning message at the bottom, I picked this one as I'm not sure whether this was added by one of the infected clients, or as part of the next wave, as some form of extra social-engineering ploy. It should also be noted that they have gone back to using real domain names for this run, instead of their more usual dotted IP addresses. According to F-Secure, these are all fast-fluxed.

Here's a screenshot of the website you would end up on if you clicked on the link:



The file offered is not a video; it is, not surprisingly, an executable file. Here are the details of a sample I downloaded earlier today:

FileName: beijing.exe
FileDateTime: 19/06/2008 12:56:05
Filesize: 83608
MD5: 3752f1a45c897471369f5f17dc42c8ee
CRC32: DA97A2FB
File Type: PE Executable


Here are the scan results of the currently offered file 'beijing.exe' as scanned by over 30 up-to-date malware scanners:

@Proventia-VPS NOT DETECTED
AntiVir Worm/Zhelatin.zc
Avast! Win32:TDrop [Drp]
AVG NOT DETECTED
BitDefender Trojan.Peed.JLV
CA-AV NOT DETECTED
CA-AV (BETA) NOT DETECTED
ClamAV NOT DETECTED
Command NOT DETECTED
Dr Web NOT DETECTED
eSafe File [100] (suspicious)
Ewido NOT DETECTED
F-Prot NOT DETECTED
F-Secure NOT DETECTED
F-Secure (BETA) NOT DETECTED
Fortinet NOT DETECTED
Fortinet (BETA) NOT DETECTED
Ikarus Email-Worm.Win32.Zhelatin.zy
Kaspersky NOT DETECTED
McAfee NOT DETECTED
McAfee (BETA) NOT DETECTED
Microsoft NOT DETECTED
Nod32 Win32/Nuwar worm
Norman NOT DETECTED
Panda NOT DETECTED
Panda (BETA) NOT DETECTED
QuickHeal NOT DETECTED
Rising NOT DETECTED
Sophos W32/Nuwar-E
Sunbelt NOT DETECTED
Symantec NOT DETECTED
Symantec (BETA) NOT DETECTED
Trend Micro NOT DETECTED
Trend Micro (BETA) NOT DETECTED
VBA32 NOT DETECTED
VirusBuster NOT DETECTED
WebWasher Worm.Zhelatin.zc
YY_A-Squared NOT DETECTED
YY_Spybot Worldsecurityonline.FakeAlert,,Executable


It should also be noted that the Storm Worm gang are trying something new with this variant: they are using Alternate Data Streams [ADS]. In this case there is an ADS called Zone.Identifier, which is a text file that contains:

[ZoneTransfer]
ZoneId=3

I'm not quite sure what they are using this for at the moment, maybe some form of tracking data?

UPDATE: This may actually be nothing to do with the Storm Worm gang after all [the ADS part, that is], as it seems that this may be a new 'feature' of Firefox 3.x instead, sneaky!
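For anyone who wants to check this on their own samples, here is an added example (not code from the original post) that reads and decodes a Zone.Identifier stream. The "[ZoneTransfer] / ZoneId=3" record is the mark-of-the-web that Internet Explorer, and as noted above Firefox 3, write when saving a download; ZoneId 3 is the Windows 'Internet' zone. The sample text is the one quoted in this post; the zone names are the standard Windows URL security zones.

```python
import configparser
import sys

# Added example, not code from the original post: read and decode the
# Zone.Identifier alternate data stream (the 'mark of the web') that
# Windows browsers attach to downloaded files.
STREAM_NAME = "Zone.Identifier"

# URL security zone numbers as defined by Windows (URLZONE_*).
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# The stream contents quoted in the post.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Decode the INI-style body of a Zone.Identifier stream.

    Returns {'zone_id', 'zone_name', 'extra'}; 'extra' carries any other
    keys in [ZoneTransfer] (newer Windows builds add ReferrerUrl and
    HostUrl, which record where the file was fetched from). Raises
    ValueError when the text is not a [ZoneTransfer] record at all.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        raise ValueError("not a Zone.Identifier record: %s" % exc) from exc
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    section = dict(parser.items("ZoneTransfer"))
    zone_id = None
    if "ZoneId" in section:
        try:
            zone_id = int(section["ZoneId"])
        except ValueError:
            zone_id = None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "extra": {k: v for k, v in section.items() if k != "ZoneId"},
    }


def read_zone_identifier(path):
    """Return the parsed stream for a file on NTFS, or None if absent.

    Windows lets you open a named stream as 'file:stream'; the call is
    only attempted on Windows and returns None elsewhere.
    """
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":" + STREAM_NAME, "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(read_zone_identifier(sys.argv[1]))
    else:
        print(parse_zone_identifier(SAMPLE_STREAM))
```

The point for an analyst is the one the UPDATE makes: the stream is written by the downloading browser, not by the malware, so its presence tells you the sample was saved from the Internet zone and nothing about the author's intentions. On an infected machine it is still worth reading, because a Zone.Identifier on a dropped file is a clue that the file arrived by download rather than being written by another process.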

So what do you do if you receive such an e-mail? Simply delete it, do not click on the link and definitely do not download and launch the file that is offered, and finally update your anti-virus at least once a day, as otherwise you will become a victim. Hopefully most anti-virus products will be able to detect this within the next 24 hours.


Wednesday, 7 May 2008

EICAR 2008 Conference Paper Now Available

This is a quick update on my posting from yesterday, and to announce that the full paper for the EICAR 2008 conference which was held earlier this week is now available for download as a PDF [Adobe Acrobat] file.

To refresh your memories, here is the abstract from the paper, entitled "Where To Now: Detecting The Unknown":
The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

The paper can be downloaded via the following links:

As usual all feedback is most welcome.


Tuesday, 6 May 2008

No, I [Still] Haven't Fallen Off The Edge Of The World....

Or been kidnapped by aliens, gone over to the dark side or gone down with a virus [or should that now be malcode?].

It seems that about this time, every year, I end up writing a post like this, so here is this year's version. ;-)

Sorry for the lack of blog entries over the last month or so, but I've been writing a conference paper for the EICAR international conference which is, as I write this, being held in Laval, France.

So, am I writing this blog entry from there? No, unfortunately not, let me explain...

Why am I not presenting my paper at EICAR 2008 in Laval, France? Why am I not there today?

Well, the decision was made because we [the new team/service I'm part of] were in the middle of a major analysis of new malcode, and this was a very high priority. It was decided at a commercial level that it would be better if I were available at a moment's notice if new samples were found that required immediate analysis. If I were in Laval, France I would be unable to work on live malcode and keep in contact.

So, I'd like to apologise once more to EICAR that I was unable to attend and present my paper at the conference. Hopefully, if the team I'm now part of is expanded this won't have to happen again. Anyone that attended EICAR will have still seen my paper presented, but by Eric Filiol [who does not work for IBM or ISS] instead. This was the best solution we could come up with at the last moment.

The paper will be made available later this week at the following locations*:


Writing the paper for EICAR is only one of the reasons for my lack of posting, other changes have been afoot!

Firstly, I have moved to a new company, well sort of, I now work for Internet Security Systems, who as some of you may know were acquired by IBM a while ago. So, I now work for ISS, which is owned by IBM. However, my role has changed as I now work in the X-Force Professional Security Services section as a Malware Analyst and Consultant.

So, what does this new role involve?

The main part of it is malware analysis and reverse-engineering. So, in some ways I have stepped back in time to the sort of work I used to do when I wrote my own anti-virus detection and remediation tools [whilst I was working for another company]. However, the game has changed quite a bit since then; luckily my skills are not that rusty, so I have managed to get back up to speed very quickly. Other skills I have picked up and honed over the years will probably also be required for other parts of my new role; more on that another time.

However, that is not all that has kept me from posting recently, other things include:

  • Lecturing at the University of Warwick on malware and internet security later this month, so my slides need to be updated and tweaked before then.

  • Writing and submitting abstracts for this years Virus Bulletin conference to be held in Ottawa, Canada this year.

  • Building systems and finding/creating tools to help in the analysis of new samples, they just keep coming!

  • Working very long hours on malcode analysis.

Normal [once- or twice-a-week postings] service will be resumed as soon as I can find that elusive 25th hour in the day, or I decide to give up trying to get any sleep at all!



* All my published papers and articles can be found at those web addresses.


Tuesday, 1 April 2008

Don't 'Fool' For It...

Normally I do my own April Fools blog posting, using some bogus malware, anti-malware or other computer related bit of nonsense for a bit of fun, and hopefully you find them funny, or at least interesting?

However, this year I didn't need to bother, as the Bad Guys and Girls have their own; trouble is, it isn't a joke, and it certainly isn't funny!

It seems that the so-called 'Storm Worm Gang' are back playing the fool again and couldn't resist the opportunity to try and get you to infect your computer using the guise of an April Fools e-card. This new wave started late last night/early this morning [depending where you are in the world]:

The subjects of the e-mails I've seen so far include:
Surprise!
Happy April Fools!
Happy All Fool's Day
Gotcha! April Fool!
Gotcha! All Fool!
I am a Fool for your Love
Today You Can Officially Act Foolish
Join the Laugh-A-Lot
Surprise! The joke's on you

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1]

Here's a screenshot of one of the emails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:



After 5 seconds you'll see a download dialogue box, like this:



And here is the source of the web page currently in use:



However you spend the day, whatever jokes you play, or end up the victim of, don't 'Fool' for this one, as otherwise your computer will get infected and the Bad Guys and Girls will have the last laugh again, at your expense!

At the time of posting this blog entry the detection of the offered 'funny.exe' file was rather poor, with less than half of 32 tested scanners identifying that this is a malicious file. This is the default file and is automatically offered for download [within 5 seconds of the page rendering].

You may have noticed that two other filenames appear in the HTML source; these are:
kickme.exe
foolsday.exe

If you click on the image, you get kickme.exe, and if you click on "click here" you get foolsday.exe instead.

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

Whilst I was browsing the web looking for a good basis for an April Fools blog posting, I found these:


Please let me know if you spot any more, thanks!


Monday, 10 March 2008

3D Screensaver E-mails?

This morning I started to receive e-mails offering me screensavers. I immediately smelt a rat, well at least a malware author, anyway! ;-)

So, I took a look at it in more detail; here's a screenshot of one of the e-mails:



I clicked on the link to see where I'd end up, and you can see what I found, below:



Looks like a very professional and polished website offering 3D Screensavers; very believable, isn't it?

So, I clicked on one of the links offered and I ended up here:



Still very believable, so I proceeded to download a copy of the screensaver offered, so that I could analyse it [you didn't think I was actually going to install it, did you? ;-)].

Will you be surprised to learn that the results of my analysis showed that this wasn't a screensaver at all, it was a piece of malware. I then proceeded to download several other samples, from the other selections offered, and the resulting files, although having different names, were all the same size [18,944 bytes], had the same MD5 hash value [which means they are all effectively identical internally], and were not being detected by a number of anti-malware tools.

At the time of posting this the files I downloaded from the site were named "Screensaver-66713.scr", "Screensaver-8719.scr" and "Screensaver-83580.scr", this of course may change, and there are certainly others with different filenames being offered.

If you see an e-mail like the one shown above, then simply delete it, as otherwise you will infect your computer, rather than save its screen.

Hopefully by the end of today most anti-malware vendors should have updated their products to detect it.

So, in those immortal words, "Be careful out there...."


Thursday, 28 February 2008

Out of Office Notifications Are...

An accident waiting to happen!

In fact a number of these accidents have already happened. But I'm getting ahead of myself. So, why do I think that they are inherently bad?

Personally, I hate out of office notifications, not because it means that I can't get a reply from the person I sent an e-mail to in the first place, but because they can be misused by not just the person who is 'Out of the Office' but also by the 'Bad Guys and Girls'. Let me explain in more detail what I mean...

1. Too Much Information
Often when people enable 'Out of Office' they offer too much information; such as when they are going and coming back, and where they are going to. They also often include a second person's details to contact in their absence, including their full e-mail address. This is then often enabled for all incoming e-mail to their address, which means that not only internal [company/organisation] colleagues are informed, but also, in many cases, anyone on the internet that sends them e-mail. The next two points explain in more detail why this is a 'bad' thing.

2. Confirmation that your e-mail address exists
As mentioned above, if you enable your 'Out of Office' notification to send an automatic response to all e-mail that is received, you are assisting spammers, scammers and malware authors by confirming that the e-mail address is in use [that makes it worth more]. If you also include another person's details to contact while you are away, then the 'Bad Guys and Girls' can also harvest that to either sell on for profit to others, misuse it themselves, or often both. The end result is more spam, scams and malware arriving in your inbox and in the inbox of anyone else you kindly supplied in your 'Out of Office' notification; I'm sure that they will be quick to thank you for all the extra 'crud' they are now receiving ;-)

3. Physical and Cyber attacks while you are 'away'.
If you are unwise enough to indicate you are on holiday or just out of the country where you normally reside, then the 'Bad Guys and Girls' can do a number of things whilst you are not at home. If they have enough data on you, then you could come back to find your house burgled, full of squatters, vandalised or even worse.

If they don't have access to that level of information then they can hack into your personal webspace, social networking and other web sites you may use. They could also perform a 'Joe Job' or a 'DDoS' to discredit you or damage your business or reputation. While you are away they may use your stolen identity to take out loans, credit cards and even mortgages in your name. If they already have some of your financial data, such as bank account or credit card data, you could suddenly find your bank account empty or unauthorised charges [and ATM withdrawals] on your debit or credit cards.

In all these cases listed above, this is only likely to happen if you have come to their attention; such as being a thorn in their side, or making life difficult for them, or someone else is willing to pay for the information and/or attacks to take place.

If you don't believe that these things happen, then I can assure you that many of the cyber attacks happen to many of us who work in computer security, especially those that are widely published or who work for anti-malware companies or in law-enforcement.


Figure 1: Too Much Information is an Invitation for Trouble!

4. Bounced Spam
This is the latest way that 'Out of Office' notifications can be mis-used and it affects all of us who are already on spammers', scammers' and malware authors' lists (or soon will be).

Here is the scenario:
The Bad Guys or Girls sign up for a free webmail account, at say, Google, Yahoo, Live, etc. and then enable the 'Out of Office' feature. They then place the spam message they want to distribute in the 'Out of Office' e-mail body.

Next, the spammer sends lots of e-mails to this new webmail account, with its 'Out of Office' feature enabled, using spoofed 'From:' addresses so that the 'Out of Office' reply will be sent to the intended victim [the spoofed From: address].

Why do this? Well, e-mail sent from this booby-trapped webmail account carries the webmail provider's own authentication: it is signed with the provider's DKIM or DomainKeys key and, because it genuinely leaves the provider's servers, it passes SPF and Sender ID checks too. This means that the mail server that deals with the intended victim's e-mail is more likely to let the spam through, as it appears to have come from a trusted source.

This is now easier for the spammers to do, as the CAPTCHA systems used by Yahoo and Googlemail have been cracked; so that they can now automate the creation of these 'trusted' 'Out of Office' spam relays.


Figure 2: Out of Office Spam Setup

So, next time you go to enable your 'Out of Office' feature, think carefully about what information you provide, and if you can do not enable the respond to internet address option, as you may live to regret it!
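The receiving side can do better than trusting a DKIM pass on its own. As an added example (not code from the original post), here is a small Python filter that recognises an auto-reply and then asks the question that actually matters: is it replying to a message we sent? A vacation reply to a Message-ID our own mail system never generated is backscatter from a forged 'From:', however well signed it is. The header checks follow RFC 3834 (Auto-Submitted) plus a few common vendor habits; the messages, addresses and the set of sent Message-IDs are constructed for illustration.

```python
import email

# Added example, not from the original post: recognise auto-replies and
# tell a genuine one from 'Out of Office' backscatter, i.e. a vacation
# reply to a message we never sent because a spammer forged our address.

AUTO_REPLY_SUBJECTS = ("out of office", "automatic reply", "auto-reply",
                       "autoreply", "auto reply")
AUTO_REPLY_HEADERS = ("X-Autoreply", "X-Autorespond", "X-Autogenerated")


def is_auto_reply(msg):
    """True when the message marks itself as automatically generated.

    RFC 3834 says auto-responders set Auto-Submitted to anything but
    'no'; the extra headers and subject prefixes are vendor habits and
    are only heuristics.
    """
    auto = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto and not auto.startswith("no"):
        return True
    if any(msg.get(h) for h in AUTO_REPLY_HEADERS):
        return True
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith(AUTO_REPLY_SUBJECTS)


def dkim_passed(msg):
    """Did our MX record a DKIM pass? (Assumes the MX writes an
    Authentication-Results header; no header means False.)"""
    results = msg.get_all("Authentication-Results") or []
    return any("dkim=pass" in r.lower() for r in results)


def classify(raw, sent_message_ids):
    """Classify a received message as 'normal', 'auto-reply' or 'backscatter'.

    sent_message_ids is the set of Message-IDs our own mail system has
    sent (assumed to be available from its logs). An auto-reply whose
    In-Reply-To is not one of ours is backscatter, and a DKIM pass from
    the webmail provider does not change that: the signature only proves
    the autoresponder really sent it, not that we ever wrote to it.
    Returns (verdict, dkim_pass).
    """
    msg = email.message_from_string(raw)
    dkim = dkim_passed(msg)
    if not is_auto_reply(msg):
        return "normal", dkim
    in_reply_to = (msg.get("In-Reply-To") or "").strip()
    if in_reply_to and in_reply_to in sent_message_ids:
        return "auto-reply", dkim
    return "backscatter", dkim


# Constructed samples (example.* domains, no real addresses or IDs).
SENT_IDS = {"<real-0042@victim.example>"}

BACKSCATTER = """\
Return-Path: <holiday.account@freemail.example>
Authentication-Results: mx.victim.example; dkim=pass header.d=freemail.example
From: Holiday Account <holiday.account@freemail.example>
To: someone@victim.example
Subject: Out of Office: Cheap meds, 80% off!!!
Auto-Submitted: auto-replied
In-Reply-To: <forged-0001@victim.example>
Message-ID: <reply-0001@freemail.example>

I am away until Monday. Meanwhile visit http://pills.example/ for a bargain!
"""

GENUINE = """\
Authentication-Results: mx.victim.example; dkim=pass header.d=freemail.example
From: Colleague <colleague@freemail.example>
To: someone@victim.example
Subject: Automatic reply: Meeting on Friday
Auto-Submitted: auto-replied
In-Reply-To: <real-0042@victim.example>

I am away until Monday and will reply then.
"""

if __name__ == "__main__":
    for name, raw in (("backscatter", BACKSCATTER), ("genuine", GENUINE)):
        print(name, classify(raw, SENT_IDS))
```

Auto-responders that omit In-Reply-To will be flagged as backscatter by this rule, so in practice you would quarantine rather than reject, and you would feed the rule with the real outbound Message-ID log rather than a hand-built set.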


Tuesday, 12 February 2008

FREE Greetings FOR YOU !!!

Looks like a busy day for me today, just what I need, not!

Here's a screenshot of another tempting* email that I've received this afternoon:



If you are foolish enough to click on the link in the email, you'll end up being offered a file called 'greeting.exe', this file appears to be hosted on the free web-hosting service called ZeroCatch. Here's a screenshot of the default page for the sub-domain hosting the file. As you can see the malware author couldn't even be bothered to put a basic page together:



So, I hear you all ask, do you get FREE Greetings, as promised? Nope, all you'll get is an infected PC for your trouble, although it will be FREE! ;-)

At the time of posting this blog entry the detection of the offered 'greeting.exe' file was very poor, with only 6 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered appears to be a static binary, as in my testing so far all samples downloaded are the same size and produce the same MD5.

[*] Only really tempting if I had a lobotomy or suffered other severe head or brain trauma which seriously affected my common-sense.


Another Stormy Valentine's Day...

...Coming To A PC Near You, Soon!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentines Day on Thursday?

It seems that the so-called 'Storm Worm Gang' are back playing cupid again and couldn't resist the opportunity to try and get you to infect your computer using the guise of a valentine e-card, again. The latest wave of these started early this morning:

The subjects of the e-mails I've seen so far include:

Blind Love
Heart pump
Love Rose
Phone Love
With All My Love
Valentine Friends
Happy Valentine's day!
The love Train
You're Super Sweet
Me & You

The body of all the e-mails seen so far contain a single line of text and a URL [the usual dotted IP sort, e.g. http://100.123.12.1], here are just a small selection of the text I've seen used so far:

A Hearty Wish
Love You
My Heart
Rockin' Valentine
Smiley Kiss
You Stay In My Heart
Valentine Friends

Here's a screenshot of one of the e-mails that I've received this morning:



If you are foolish enough to click on the link in the email, you'll end up on a page that looks like one of these [these are not all the known permutations], the graphic shown on the website is randomly chosen from a pool of at least 6:







And here is the source of the web page currently in use:



However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see anymore 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry the detection of the offered 'valentine.exe' file was very poor, with only 4 out of 32 tested scanners identifying that this is a malicious file.

Furthermore the file being offered is not a static binary, as in my testing so far each request ends up serving a file which appears to be different in size, I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.
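The same comparison applies to the screensaver and 'greeting.exe' samples in the posts above, where every download came back with the same size and MD5. As an added example, not code from the original posts, here is the sort of script I use to compare repeated downloads of the 'same' file: it records the size, MD5 and CRC32 fields quoted in these posts (plus SHA-256, which is what you should really key samples on), groups the downloads by content and reports whether the server is handing out a static binary or a changing one. The sample bytes are constructed for illustration and are not real malware.

```python
import hashlib
import zlib
from collections import defaultdict

# Added example, not from the original posts: compare several downloads of
# the 'same' file to tell a static binary from one that changes per request.


def fingerprint(data):
    """The fields the posts quote for a sample (size, MD5, CRC32) plus SHA-256."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def classify_downloads(samples):
    """samples maps a download name to its bytes, one entry per request.

    Returns (verdict, groups, sizes): verdict is 'static' when every
    download is byte-identical and 'varying' otherwise; groups maps each
    distinct SHA-256 to the sorted names that produced it; sizes is the
    sorted list of distinct file sizes seen.
    """
    groups = defaultdict(list)
    sizes = set()
    for name, data in samples.items():
        groups[hashlib.sha256(data).hexdigest()].append(name)
        sizes.add(len(data))
    groups = {digest: sorted(names) for digest, names in groups.items()}
    verdict = "static" if len(groups) == 1 else "varying"
    return verdict, groups, sorted(sizes)


def pool_evidence(samples):
    """Does any content hash repeat across requests?

    Only a repeat is informative: a finite pool of pre-built binaries
    will eventually serve the same file twice, whereas true server-side
    polymorphism should never repeat. No repeats after a handful of
    requests proves nothing either way, so keep pulling samples.
    """
    _, groups, _ = classify_downloads(samples)
    return any(len(names) > 1 for names in groups.values())


# Constructed samples (not real malware): three downloads of a 'screensaver'
# that were identical, and three of a 'valentine' that were not.
SCREENSAVER_DOWNLOADS = {
    "Screensaver-66713.scr": b"MZ" + b"\x90" * 40,
    "Screensaver-8719.scr": b"MZ" + b"\x90" * 40,
    "Screensaver-83580.scr": b"MZ" + b"\x90" * 40,
}
VALENTINE_DOWNLOADS = {
    "valentine-1.exe": b"MZ" + b"\x90" * 40,
    "valentine-2.exe": b"MZ" + b"\xcc" * 40,
    "valentine-3.exe": b"MZ" + b"\x90" * 48,
}

if __name__ == "__main__":
    for label, downloads in (("screensaver", SCREENSAVER_DOWNLOADS),
                             ("valentine", VALENTINE_DOWNLOADS)):
        verdict, groups, sizes = classify_downloads(downloads)
        print(label, verdict, "sizes:", sizes, "distinct:", len(groups),
              "repeat seen:", pool_evidence(downloads))
        for name, data in downloads.items():
            print("  ", name, fingerprint(data))
```

A varying verdict with several different sizes, as in the valentine run, still does not settle polymorphism versus a pool; what settles it is whether a hash ever comes back a second time over a large number of requests.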

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

UPDATE: The URLs [Web links] included in the e-mail may now also be domain names containing the word 'moon', which I have omitted from the web links seen so far, see below:

  • [the-m-word]starfood.com
  • destroythe[the-m-word].com
I suspect that others will appear shortly, please do not go to those domains as they contain live malware, you have been warned!


Friday, 1 February 2008

Presenting at The University of Loughborough...

Once more I have been asked to present at a conference, this time it is one being held at the University of Loughborough in Leicestershire.

So, this is another one for me to add to my collection of Universities I've presented/lectured at. These include: The Open University and Warwick University.

This presentation is on Rootkits, and is an updated version of the one I gave at the Virus Bulletin 2006 conference in Montreal, Canada. If you are interested in finding out more about rootkits, then the paper can be found here: http://momusings.com/papers

As usual you will not only find the Rootkit paper there, but also all my published papers and magazine articles too.

I'm hoping that the weather doesn't cause any issues with the trains, and that the rails have been repaired after this morning's crash on the same line!

For those of you that are interested, here is a link to the UCISA website covering the details and agenda for the event.

The travel time from where I live is about 3.5 hours each way, so I will probably leave home about 6AM and won't get back until around 9PM, still I might get a chance to write some of my EICAR 2008 paper, or at least some abstracts for the Virus Bulletin 2008 conference.


Monday, 28 January 2008

Paper Selected For The EICAR 2008 Conference

EICAR have informed me that my abstract has been selected for the EICAR 2008 conference to be held in Laval, France between the 3rd and the 6th of May.

The abstract for the paper appears below:
The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months. However, as usual they need the completed paper by the 17th of March!

I've several other ideas for abstracts already sketched out, ready to submit for this year's Virus Bulletin conference. Any topics that you think should be covered are most welcome, just drop me a note or leave a comment.


Monday, 21 January 2008

December 2007 Malware Review

December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn't have quite as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals once more during the month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.

As shown, once more, by December's statistics the general trend is still downwards. It still appears that social-engineering has been the technique of choice and that 2007 should be now known as the year of the social engineer.

During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high points of 82 percent it had in August.

As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December's chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.

The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.

November's pole sitter, Scano.gen has had to settle for fifth place in December's chart after falling down the chart.

In the runner-up spot, we have a new entry, this being Diehard.dc, which is not the only member of this new family, as it is joined by Diehard.db and Diehard.dd which are also new entries, straight in to the chart in fourth and seventh place respectively.

Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.

This month's chart is packed with new entries, the next one is Warezov.xd, straight in to the chart and stealing the final podium place; third.

And to complete the top ten, we have two more re-entries, these being, Bagle.gt and Nyxem.e [aka MyWife.D] in to the top ten in sixth and tenth places respectively.
Kaspersky had this to say about December's chart:
"At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.

It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic - that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has once more regained the runner-up position it last held in October's chart. Last month's pole-sitter Troj/Pushdo has further managed to consolidate its hold on pole position.

Mytob has reversed its slide down the chart, once more climbing back up from sixth to third place. W32/Zafi has continued its progress sliding further down the chart from fifth to sixth place.

Mydoom which was a re-entry in October's chart has climbed up one place from eighth to seventh place.

There are two re-entries in December's chart, these are, Troj/Dloadr, back in to the chart in eighth place, and W32/Sality back in to the chart in tenth place.

W32/Bagle is up one place from tenth to ninth and to complete the chart we have W32/Strati up from ninth to the fourth and finally Mal/Dropper is down one place from fourth to fifth place.

Here is some commentary on December from Sophos:
"Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is once more occupied by our old friend Dupator.

Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.

We have three re-entries in December's chart, these are: mIRC-Based back in to the chart in fifth, Hidrag grabs sixth place and W32.Tibs takes seventh place.

The final place in December's chart is occupied by our old friend Netsky, which has fallen from grace; down from third to eighth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As the figures for December show, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware seeded via e-mail attachments. Instead we will continue to see more malware seeded via links in e-mails, such as fake e-cards or lures targeting particular events, such as Christmas; examples can be seen in the What's New section of this blog posting.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they have no attachments. This is because these e-mails contain links to malware files hosted on web servers, and the web pages they link to also contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That's a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.


Conclusions:
The current trend of using social-engineering, which was widespread from January to November, has continued during December; if anything it has accelerated, as can be seen from the examples of the Storm Worm spam runs covered above. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer. After Christmas the Storm Worm gang were working flat out producing new malware, web-sites and spam runs, but more on that another time.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during December either; they are still trying out other file formats in the hope of bypassing anti-spam defences.

The phishers have also been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.

Malware seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive as an e-mail attachment. Now they simply get you to download the malware and infect your own computer. This works just as well and needs no extra coding, because they aim for the weakest link in the security chain: the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method in this blog entry.

As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.

I would like to wish you all a very happy new year, stay safe!

Links:

Please note: December's report may well be the last one I do for the foreseeable future due to changes in my role.


Tuesday, 15 January 2008

From Storm With Love...

It seems that the Storm Worm Gang have decided that you all need some loving, so they are now sending out fake e-card e-mail notifications informing you how much they love you, because you make their job of building botnets so easy ;-)

Either that or their calendar is screwed up again; they almost missed Christmas and were then very early for New Year!

Here's a screenshot of what just one of these new With Love based emails look like:



The body text can be one of a number of text strings. The rest of the e-mail is usually a link; this time they have gone back to using IP addresses rather than actual domain names, I am not sure why. The IP addresses used vary, so don't assume that they only use the one shown in the example here.

Of course, when you click on the link you go to a very nice, but fake e-card site.

Here is a screenshot of the web page you could end up on if you click on the link in one of these fake With Love themed e-mails.



Here's a screenshot showing the HTML source for the page, does it look familiar? It should as this is almost exactly the same code used during the New Year campaign.



The message shown is fake; the 'withlove.exe' file offered isn't an e-card carrying words of love from an admirer, partner or colleague. In other words, if you are unwise enough to download the file and run it you won't get to see an e-card; you will get a bot installed instead and your computer will join one of the many Storm Worm botnets.

At the time of publishing this entry detection was almost non-existent, with most of the top anti-virus products not detecting the malware-laden file; you have been warned.

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.

More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.


MySpace Storm...

It seems that the Storm Worm Gang have finally changed their social engineering tactic from the New Year e-cards that we have been seeing since the 26th of December; they sent out their last new version of that particular tactic on the 2nd of January!

So, what are they now using to get you to infect your computer? They are using fake MySpace invite e-mails which contain links to phishing quality fake MySpace websites.

This seems rather spooky as I was blogging about social network engineering on the 4th of January!

Here's a screenshot of what just one of these new MySpace based emails look like:





The body text can be one of a number of fake names and text strings. The rest of the e-mail, including the links, appears to be fairly static, at the moment anyway. Once more the link is an actual domain name, rather than the IP address based links that the Storm Worm gang used to use.

Of course, when you click on the link you go to a very professional, but fake MySpace site.

Here is a screenshot of the web page you could end up on if you click on the link in one of these fake MySpace themed e-mails.



In fact there are several links in the e-mail which take you to different domain names, all under the control of the Storm Worm gang.

Here's another example showing another domain name in use.



The message shown is fake; the 'install_flash_player.exe' file offered isn't genuine. In other words, if you are unwise enough to download the file and run it you won't get a copy of Flash Player installed; you will get a bot installed instead and your computer will join one of the many Storm Worm botnets.

Just to make it crystal clear, the file offered on this site will NOT install or update Flash Player; all that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file; you have been warned.

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.

More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.

No doubt I'll be updating this post in the next day or so, as the Bad Guys and Girls tinker with their latest social engineering technique, or they change it to a new one...

As I post this I have now received over FIFTY of the fake MySpace invite e-mails!


Friday, 4 January 2008

Social Network Engineering

Social networks such as Myspace, LinkedIn, Facebook, Bebo, Xing and all the others are BIG business at the moment, all of them trying to be 'the one' that everyone must be seen on.

So, it isn't that surprising that the Bad Guys and Girls have started to take an interest in them, is it?

However, it isn't just Social Networking sites that they are interested in, they are also interested in Virtual Worlds and On-line Games, such as SecondLife and World of Warcraft, amongst others.

This post will cover some of the things the Bad Guys and Girls have so far tried in these areas, many of which may surprise users of these online communities, be they social networks, virtual worlds or on-line games.

Hands up, all of you out there that use Facebook? Many, if not most, of you do; not that surprising. So, for you Facebook users out there, you need to be aware of something I've been expecting on this network for some time: malicious applications (Facebook applications or plugins).

This new application, Secret Crush, uses social engineering; in this case the same techniques that proved so successful for the ILOVEYOU e-mail worm, these being curiosity and sex!
When installed, Secret Crush [created by Secret Crush] will request that you invite five friends before you can see who has a secret crush on you. Needless to say, this is a form of viral marketing, and even if you comply and effectively infect five of your friends [who may shortly no longer be your friends], you still won't be shown who your secret crush is, because there was no secret crush; it was all a ploy to get you to install it.

You are then directed to a Zango [previously known as 180Solutions] website to install Crush Calculator, which is a piece of spyware! This means that Secret Crush is actually a Facebook Trojan Horse that uses social engineering.




If you think that this is a new phenomenon on social networking sites then you'd be mistaken. Myspace has had a number of malware adventures over the last year or so, with the Samy worm probably being the most successful.

SecondLife has also seen malicious virtual objects inserted into it; when users interact with these objects they begin to replicate, impacting the performance of the system.

Instead of writing lots of fluff about these I'll just supply a number of links so that you can get more information about these threats, when you have some time to spare.

Links:

Facebook:

Myspace:

SecondLife:

World of Warcraft:

The bottom line is that for the Bad Guys and Girls this is not about being social, nor is it a game to them; they do not care whether the systems or people they socially engineer into infecting their avatars or their computers are in the real world or a virtual one. It is all about stealing information and property and making money [or friends]; not virtual money, but real, hard, cold currency....

Will 2008 become the year of the Social Network Engineer?


Wednesday, 2 January 2008

Watch Out, Watch Out...

..There Are Malicious New Year Ecards About!

This is a quick note to all those that have been away over the Christmas and/or the New Year period.

Please be very suspicious of any e-mails that claim you have been sent a New Year Ecard [or Christmas ones too], as these may lead to websites that, instead of offering you a real Ecard, will try and get you to download an executable file that is malicious.

Most of these are the output of the so-called 'Storm Worm Gang' and I have been updating my last blog posting [31/12/2007] when new variants have shown up, and I will continue to do so, so please check back from time to time for the latest information.

However, they are not the only group using this technique; others are trying to trick you into downloading 'plugins' which are not the real thing, supposedly so that you can view the e-card you have been sent. The 'plugin/viewer/codec' being offered is malicious, and there is no real e-card for you.

Please take care over the next few weeks, and I hope you all have a very Happy and Prosperous New Year, and a malware free one too.


Monday, 31 December 2007

More New Year Storm Waves...

It seems that four waves of New Year Ecard notification e-mails isn't enough for the Storm Worm Gang with the weekend bringing two more nice new shiny versions. Looks like the Storm Worm Gang are stuck in a rut at the moment, you can see what I mean from the screenshots I captured and have included in this posting!

Here's a screenshot of what just one of the fifth wave of New Year based emails look like:



The body text can be one of a number of text strings and the link, at the moment is once more, an actual domain name [yet another new one], rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the fifth wave of New Year themed e-mails.




Here's a screenshot of what just one of the sixth wave of New Year based emails look like:



The body text can be one of a number of text strings and the link, at the moment is once more, an actual domain name [yes, yet another new one!], rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the sixth wave of New Year themed e-mails.



The website HTML code is the same as the last three waves and still includes a JavaScript routine to obfuscate the URL to the malware file being offered as a fake New Year Ecard, in this case the real filename being offered is still 'happynewyear2008.exe' in both of the new waves seen over the weekend.

Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'New Year E-card'; all that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file; you have been warned.

I'm just wondering how many waves it is going to take to get the Storm Worm Gang to change their tactics once more, any offers? ;-)

UPDATE1:
More new waves have now appeared, these use the following domain names, and filenames:

Domain: happy2008toyou . com hosting the Filename: happy_2008.exe [31st Dec 2007]

Domain: hellosanta2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2007]

Domain: hohoho2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2007]

Domain: happysantacards . com also hosting the Filename: happy_2008.exe [31st Dec 2007]

Please do not go to those sites and download the files offered, as they are real, live, malware.

I've now created and put up a video on my YouTube channel here: http://www.youtube.com/momusings This shows all ten of the New Years fake e-card sites, from the start on the 26th of December 2007 until the tenth variant which arrived mid-afternoon on the 31st December 2007.

UPDATE2:
More waves were released on the 1st and 2nd of January, these use the same e-mail notifications and the website style is similar to that used in the previous waves. They are using more new domains, details below:

Domain: santapcards . com hosting the Filename: happy_2008.exe [1st Jan 2008]

Domain: parentscards . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: postcards-2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: santawishes2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: merrychristmasdude . com also hosting the Filename: happy_2008.exe [3rd Jan 2008]

As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.
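The two lists above are written in a hand-defanged form (spaces around the dot) so that nobody clicks a live malware site by accident, which also means they are not directly usable in a blocklist. As an added example, not part of the original post, here is a small parser that turns those lines back into machine-readable indicators and a hosts-file style sinkhole list. The only input is the UPDATE2 lines copied from above; the `Ioc` record, the helper names and the 0.0.0.0 sinkhole convention are my own choices.

```python
import re
from datetime import date, datetime
from typing import List, NamedTuple

# One line per fake e-card site, in the defanged "label . tld" form used in the
# post; "also" is optional and the date sits in square brackets.
IOC_LINE_RE = re.compile(
    r"Domain:\s*(?P<domain>[A-Za-z0-9-]+(?:\s*\.\s*[A-Za-z0-9-]+)+)"
    r"\s+(?:also\s+)?hosting the Filename:\s*(?P<filename>\S+)"
    r"\s*\[(?P<date>[^\]]+)\]"
)
ORDINAL_RE = re.compile(r"(\d+)(?:st|nd|rd|th)\b")


class Ioc(NamedTuple):
    domain: str
    filename: str
    seen: date


def refang(domain: str) -> str:
    """Turn 'santapcards . com' back into 'santapcards.com'."""
    return re.sub(r"\s*\.\s*", ".", domain.strip()).lower()


def parse_date(text: str) -> date:
    """'2nd Jan 2008' -> date(2008, 1, 2); the ordinal suffix is dropped first."""
    plain = ORDINAL_RE.sub(r"\1", text.strip())
    return datetime.strptime(plain, "%d %b %Y").date()


def parse_ioc_lines(text: str) -> List[Ioc]:
    """Parse every 'Domain: ... hosting the Filename: ... [date]' line.

    Lines that do not match the format (the warning sentences, blank lines)
    are ignored rather than guessed at."""
    iocs = []
    for line in text.splitlines():
        m = IOC_LINE_RE.search(line)
        if m:
            iocs.append(Ioc(refang(m["domain"]), m["filename"], parse_date(m["date"])))
    return iocs


def hosts_blocklist(iocs: List[Ioc]) -> List[str]:
    """Sinkhole entries in hosts-file form, deduplicated and sorted."""
    return sorted({f"0.0.0.0 {ioc.domain}" for ioc in iocs})


def distinct_filenames(iocs: List[Ioc]) -> List[str]:
    """Which payload names were seen across the whole list."""
    return sorted({ioc.filename for ioc in iocs})


# Lines copied from the UPDATE2 list in the post above (defanged as written).
UPDATE2_TEXT = """
Domain: santapcards . com hosting the Filename: happy_2008.exe [1st Jan 2008]

Domain: parentscards . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: postcards-2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: santawishes2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]

Domain: merrychristmasdude . com also hosting the Filename: happy_2008.exe [3rd Jan 2008]
"""

if __name__ == "__main__":
    found = parse_ioc_lines(UPDATE2_TEXT)
    for ioc in found:
        print(f"{ioc.seen}  {ioc.domain:<24} {ioc.filename}")
    print("\n".join(hosts_blocklist(found)))
```

Because the parser keys on the exact sentence shape, a line that has been reworded simply fails to match instead of yielding a half-parsed domain; when feeding a blocklist from a human-written post that is the safer failure mode.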


Friday, 28 December 2007

November 2007 Malware Review

November was another very busy month for me as I was involved in several projects for customer accounts, as well as dealing with my usual workload. This meant that I didn't have as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are: Kaspersky, SOPHOS, WormCharmer and my Malware Bayesian Filter.

The last two are my own projects and all data is from the Internet; these systems run on an aDSL link and are personal research projects that have been running for some time: WormCharmer for 5 years, the Malware Bayesian Filter for 4 years.

In total I captured 476 samples during November, which have been catalogued as just 27 distinct families and variants. In comparison during October I captured 649 samples which were catalogued as 35 distinct families/variants. As you can see the captures in November are down once more and very close to September's total.

During November I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown, once more, by November's statistics the general trend is still downwards. It still appears that social-engineering is very much the technique of choice this year. I believe that 2007 should be known as the year of the social engineer.


During November I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 72 percent of the samples captured in November, down from the high points of 82 percent in August and 77 percent in October.

As in both September's and October's charts there are still eight members of the Opaserv.worm family in November's chart. These are variants AE, AC, AJ, D, A, AH, AI and AD in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is once more occupied by our old friend Netsky.P who is static in the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

We have a new pole-sitter in November's chart, Scano.gen, which is a re-entry to the top ten.

In the runner-up spot we have another re-entry, Mytob.t, and as you can see from the Kaspersky top 10 for November [above], Mytob.c has reversed its slide down the chart in October, climbing back up from tenth to fifth place.

Netsky.q [aka P] has dropped out of the top 10; however two [down from three] other family members remain. Netsky.t has continued its slide down the chart, slipping from seventh to tenth spot, and Netsky.x is a re-entry, back into the chart to snatch the final podium place; third.

Trojan-Spy.HTML.Fraud.ay, one of last month's new entries, has slipped two places from second to fourth.

The next three places, sixth, seventh and eighth are all taken by re-entries. These are; IMG-WMF.y, Warezov.pk and Lovegate.W respectively.

The final free slot in November's chart is taken by a new entry, this being another member of the Warezov family; Warezov.um in ninth place.

Kaspersky had this to say about November's chart:
"The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.
There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML.Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has, rather surprisingly, lost the runner-up position it held in October's chart and has to make do with the final step of the podium; third. Last month's pole-sitter Troj/Pushdo has consolidated its hold on pole position.

Mytob has lost more ground, sliding down the chart from fifth to sixth place. W32/Zafi has suffered a similar fate, sliding from fourth to fifth place.

Mydoom, which was a re-entry in October's chart, has consolidated its hold on eighth place.

There are three re-entries in November's chart: W32/Flcss, back into the chart in seventh place, W32/Strati, back into the chart in ninth, and W32/Bagle, grabbing the final place in tenth.

To complete the chart, Traxg is up from ninth to the runner-up spot; second place. The final free place is occupied by Mal/Dropper in fourth place.

Here is some commentary on November from Sophos:
"Traxg hurtling into second position this month has come as a complete surprise, and the fact that unsophisticated worms are still slipping through the net at such a rate of knots is a clear indication that huge numbers of users, and potentially companies, are failing to install even basic anti-virus protection," said Graham Cluley, senior technology consultant at Sophos. "In first place, Pushdo continues to wreak havoc. A clear reason for its ongoing success is the guilty cybercriminal's ability to quickly create different variants, which are being spread voraciously in a range of spam messages. Each new piece of spam that harbours the trojan has been created to tempt users, and whether it's enticing them to watch videos of Britney or view naked pictures of Angelina, this fraudster's tactics are certainly working."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed by the September 2005 leader, Tenga. Operserv has once more had to settle for the runner-up spot; second. The final step of the podium, third place, is still occupied by last month's re-entry, Netsky.

Win32.Zhelatin falls five places to tenth, Win32.Agent falls four places to eighth and IRC.Zapchast is static in ninth place. Fifth place is occupied by W32.Funlove, which is up one place from sixth.

We have two new entries in November's chart: Win32.Protoride, straight into the chart in sixth, and W32.Heretic, which takes seventh place.

The final place in November's chart is occupied by our old friend Dupator, up from seventh to fourth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method. The following graph shows the percentage of malware that I received and that my Bayesian filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of November] here. This clearly shows that November was about as active as October. As the figures for November show, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware seeded via e-mail attachments. Instead we will continue to see more malware seeded via links in e-mails, such as fake e-cards or lures targeting particular events, such as Christmas.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they have no attachments. This is because these e-mails contain links to malware files hosted on web servers, and the web pages they link to also contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.
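Both the November and December reviews describe the same adjustment: once the Storm Worm e-card notifications were added to the malware class, the Bayesian filter flagged them even though they carry no attachment, and the classified-as-malware percentage jumped. The block below is an added example, not the WormCharmer or Bayesian filter code from this blog, of how a small Bernoulli naive Bayes mail filter behaves before and after that kind of retraining. The training messages, the new lure and the host addresses are constructed for the example; the `url:ip-literal` feature (a link whose host is a bare IP address, which the posts note the gang often used) is my own choice of feature, not something the page says the real filter did.

```python
import math
import re
from collections import Counter, defaultdict

WORD_RE = re.compile(r"[a-z][a-z0-9\-]{2,}")
URL_RE = re.compile(r"https?://([^/\s]+)\S*")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def tokenize(text):
    """Return the set of features in one message.

    Words are lower-cased tokens of three or more characters. Each link adds
    'url:<host>', and a link whose host is a bare IPv4 address also adds
    'url:ip-literal', so lures that only differ in the IP they point at still
    share a feature. (Assumption: this feature is my choice for the example,
    not a documented part of the blog's filter.)"""
    text = text.lower()
    feats = set()
    for m in URL_RE.finditer(text):
        host = m.group(1)
        feats.add("url:" + host)
        if IPV4_RE.match(host):
            feats.add("url:ip-literal")
    feats.update(WORD_RE.findall(URL_RE.sub(" ", text)))
    return feats


class BayesianMailFilter:
    """Bernoulli naive Bayes over message features, add-one smoothed."""

    def __init__(self):
        self.docs = Counter()            # label -> number of messages trained
        self.df = defaultdict(Counter)   # label -> feature -> messages containing it

    def train(self, label, text):
        self.docs[label] += 1
        for feat in tokenize(text):
            self.df[label][feat] += 1

    def log_scores(self, text):
        """log P(label) + sum over the features present of log P(feature | label)."""
        feats = tokenize(text)
        total = sum(self.docs.values())
        scores = {}
        for label, n in self.docs.items():
            s = math.log(n / total)
            for feat in feats:
                s += math.log((self.df[label][feat] + 1) / (n + 2))
            scores[label] = s
        return scores

    def classify(self, text):
        scores = self.log_scores(text)
        return max(scores, key=scores.get)


# Constructed training data (not real captures).
CLEAN = [
    "Hi team, the meeting is moved to Thursday at 10am, see the calendar invite.",
    "Your order has shipped. Track it at http://shop.example.com/track?id=123",
    "Lunch on Friday? Let me know which restaurant you prefer.",
    "Reminder: the quarterly report is due next week. Thanks, Anna",
]
ATTACHMENT_MALWARE = [
    "Your account has been suspended, see the attached document.zip for details",
    "The attached file photo.exe contains the pictures from the party",
    "Invoice attached: invoice_2007.exe Please open and confirm payment",
    "Mail delivery failed, the returned message is attached as message.zip",
]
# Link-only e-card lures in the style the posts describe; no attachment at all.
ECARD_LURES = [
    "You have received a postcard from a family member! Click http://192.0.2.44/ to view your ecard",
    "Happy New Year! A friend sent you a greeting card. View it at http://203.0.113.7/card.exe",
    "Someone who cares sent you an e-card, collect it at http://198.51.100.9/",
]
# A lure the filter has never seen, pointing at yet another IP address.
NEW_LURE = "Your colleague has sent you a New Year ecard. Click http://192.0.2.77/ to see your greeting card"


def build_filter(with_ecard_lures):
    """Train on clean mail and attachment malware; optionally also label the
    link-only lures as malware, which is the adjustment the reviews describe."""
    f = BayesianMailFilter()
    for msg in CLEAN:
        f.train("clean", msg)
    for msg in ATTACHMENT_MALWARE:
        f.train("malware", msg)
    if with_ecard_lures:
        for msg in ECARD_LURES:
            f.train("malware", msg)
    return f


if __name__ == "__main__":
    for adjusted in (False, True):
        verdict = build_filter(adjusted).classify(NEW_LURE)
        print(f"lures in training set: {str(adjusted):5} -> new lure classified as {verdict}")
```

Trained only on attachment-carrying samples, the filter has no evidence linking greeting-card wording or bare-IP links to malware and the new lure scores as clean; after the three link-only lures are added to the malware class the same message is classified as malware, which is exactly the kind of step change the July-September jump in the graph reflects. Attachment-based samples keep classifying as malware either way.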



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 349,851 at the end of November. That's a growth of 127,378 new malware strains and/or variants so far in 2007, in November the number jumped by 10,160. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 139,000. Things have certainly speeded up during the third and fourth quarters of 2007!

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during November 2007.


Conclusions:

The current trend of using social-engineering, which was widespread from January to September, has continued during October and November; if anything it has accelerated, as can be seen from the examples of the Storm Worm spam runs covered above. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during November either; they are still trying out other file formats in the hope of bypassing anti-spam defences.

The phishers have also been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays, and also at new targets such as Equifax, as shown above.

Malware seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive as an e-mail attachment. Now they simply get you to download the malware and infect your own computer. This works just as well and needs no extra coding, because they aim for the weakest link in the security chain: the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method in this report.

All in all, it looks like we could be in for a very interesting, and busy, final month of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

Please note: December's report, which should be published in January 2008, may well be the last one I do for the foreseeable future due to changes in my role.


Late For Christmas, Early For New Year - TNG!

It seems that three waves of New Year Ecard notification e-mails aren't enough for the Storm Worm Gang; this morning brought me a nice new shiny version, ho hum!

Here's a screenshot of what just one of the fourth wave of New Year based emails look like:



The body text can be one of a number of text strings and the link, at the moment is once more, an actual domain name [another new one], rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the fourth wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



As I said in my posting yesterday [27th December 2007]:
"Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in these cases [so-far], they are just using social engineering to get you to infect your own computer by clicking on the link and running the file."

It seems that they were listening, as this new wave now includes a JavaScript routine to obfuscate the URL of the malware file being offered as a fake New Year Ecard; in this case the real filename being offered is 'happynewyear2008.exe'.

Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'New Year E-card'; all that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

At the time of publishing this entry detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file; you have been warned.


Thursday, 27 December 2007

Late For Christmas, Early For New Year!

If the Storm Worm Gang left their Christmas present to all new computer users, and all existing computer users, to the last minute, they have certainly not let their New Year gifts suffer the same fate. In fact they couldn't even wait for Christmas day to be over before they started their next campaign.

Yet again this shows the folly of publishing your end of year reports before the end of the year, as they won't include the Storm Worm runs we've so far seen during the last two weeks and anything that may happen in the last 4-5 days until the year really does end!

So, what have the Storm Worm Gang unleashed this time? They have decided to use the old favourite of 'fake e-card notifications'.

Here's a screenshot of what just one of the first wave of New Year based emails look like:



The body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name, rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the first wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



However, it seems that the Storm Worm Gang weren't content with just one round of New Year wishes, and on Boxing Day [26th December], they unleashed a new version.

Wave 2:

Here's a screenshot of what just one of the second wave of New Year based emails look like:



As with the first wave version, the body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name, rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the second wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



However, it seems that they still weren't happy with two rounds of New Year wishes, and today [27th December], they unleashed another new version.

Wave 3:

Here's a screenshot of what just one of the third wave of New Year based emails look like:



As with the first and second wave versions, the body text can be one of a number of text strings and the link, at the moment, is once more an actual domain name, rather than the more usual IP address based links.

Of course, when you click on the link you go to a very simple looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the third wave of New Year themed e-mails.



And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:



Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in these cases [so-far], they are just using social engineering to get you to infect your own computer by clicking on the link and running the file.

Just to make it crystal clear, the files offered on these sites will NOT show you a seasonal 'New Year E-card!'; all that will happen is that your computer will be infected and turned into a zombie [bot infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.

I suspect we will see more waves of New Year attacks, but by then I suspect that the website used will contain graphics [as seen in the Christmas version], and possibly exploit code too. They may also shift to a new social-engineering attack, such as using news items once more, bringing their techniques full circle to where they began on the 19th of January 2007.

At the time of publishing this entry, detection was still very patchy, with many of the top anti-virus products not detecting the malware laden files as infected; you have been warned.

I would like to wish you all a very happy but safe New Year...


Monday, 24 December 2007

Don't Let Mrs. Santa Get Her Claus...

...In To Your Computer This Christmas.

I knew that the so-called Storm-Worm Gang couldn't resist using Christmas as a way to get you to infect your own computers. They just left it to the last minute, knowing that most anti-virus companies have already published their 2007 end of year reports, and would have picked up on the lack of Storm Worm runs during December as part of their analysis. I suppose that will teach them to publish end of year reports before the actual year has ended?

Some odd e-mails started arriving very early this morning [UK Time]. Here's a screenshot of what just one of these look like now:



The body text can be one of a number of text strings and the link, at the moment, is, unusually for the Storm Worm Gang, an actual domain name, rather than the more usual IP address based links.

Of course, when you click on the link you go to a very professional looking site, complete with falling snow! Here is a screenshot of the web page you could end up on if you click on the link in one of these Christmas themed e-mails.



Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in this case [so-far], they are just using social engineering to get you to infect your own computer by clicking on the link or graphic and running the file.

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you...don't make their job even easier.

Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'Strip Show'; the only one getting stripped will be your computer! It may well be stripped of any useful personal and/or financial data, and be turned into a zombie [bot infected computer that is part of a botnet].

At the time of publishing this entry, detection was still very patchy, with many of the top anti-virus products not detecting the malware laden file ['stripshow.exe'] as infected; you have been warned.

I would like to wish you all a very happy but safe Christmas...

I will be posting the November Malware Review before the end of December, apologies that it is later than planned, but there have been other work and issues taking up my time.

A YouTube video showing the full effect of the website is now available here.


Friday, 7 December 2007

A Seasonal Selection...

No, not cheeses, nor sweets, nor hymns or other music, nor vegetables, fruits, nuts or meats. Give up yet? ;-)

Well, I suppose you could call some of the selection spam, and the other fake ecard e-mails bearing malware gifts. So, let's have a look at a small selection of some seasonal spam and related scummery.

The spammers started early this year, as far as seasonal themed spam goes. This first one is dated the 17th of November!:



I thought that this next one was rather clever, as on the Christmas tree we don't have the usual baubles or other hanging decorations; no, we have a Christmas tree with 'pills' instead:



This next one was quite clever too, although I have no idea what the text in the spam says*. The use of a figure dressed as Santa checking his stock is a nice touch:



This final spam email is more restrained, just a few references to Christmas, as well as urging you to buy their knock-off [fake] watches and other crud:



The text below the spamvertised goods/services seen in the first and fourth spam examples is what is sometimes called a 'Hashbuster'. The text is only there to try and fool anti-spam filters, especially those that use Bayesian or other similar techniques. However, this doesn't fool the Bayesian filters I use!
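To see why a block of random words need not fool a Bayesian filter, here is a small Graham-style token scorer, added as an example and not the filter used on this blog; the training messages and the 'hashbuster' word list are constructed for the demonstration, and the heuristics (doubled ham counts, neutral 0.4 for unseen tokens, combining only the 15 most extreme tokens) are assumptions taken from Graham's 'A Plan for Spam'.

```python
import math
import re
from collections import Counter

# Added example, not the blog author's filter: a small Graham-style Bayesian
# spam scorer used to show why a 'hashbuster' block of random words has little
# effect. All training messages below are constructed for the demonstration.

TOKEN_RE = re.compile(r"[a-z0-9']+")

SPAM_TRAINING = [
    "cheap replica watches for sale",
    "buy cheap pills online now",
    "replica watches and pills at low prices",
    "best pills cheap cheap cheap",
]
HAM_TRAINING = [
    "meeting moved to 3pm see the agenda attached",
    "lunch on friday and the quarterly report",
    "project plan review and notes from the call",
    "can you send the report before the meeting",
]
# Constructed hashbuster: dictionary words the filter has never seen.
HASHBUSTER = "lantern orchard marble granite saddle violin harbour meadow quill ember"


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped."""
    return TOKEN_RE.findall(text.lower())


class GrahamFilter:
    """Per-token spam probabilities combined over the most 'interesting' tokens.

    Assumed heuristics (from Graham's 'A Plan for Spam'): ham counts are doubled
    to bias against false positives, never-seen tokens get a neutral 0.4, and
    only the 15 tokens furthest from 0.5 are combined.
    """

    def __init__(self, unknown_prob=0.4, n_interesting=15):
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.n_spam = 0
        self.n_ham = 0
        self.unknown_prob = unknown_prob
        self.n_interesting = n_interesting

    def train(self, text, is_spam):
        if is_spam:
            self.spam_tokens.update(tokenize(text))
            self.n_spam += 1
        else:
            self.ham_tokens.update(tokenize(text))
            self.n_ham += 1

    def token_prob(self, token):
        """P(spam | token), clamped to [0.01, 0.99]; unseen tokens are neutral."""
        b = self.spam_tokens[token]
        g = 2 * self.ham_tokens[token]
        if b + g == 0:
            return self.unknown_prob
        p_spam = min(1.0, b / self.n_spam) if self.n_spam else 0.0
        p_ham = min(1.0, g / self.n_ham) if self.n_ham else 0.0
        return min(0.99, max(0.01, p_spam / (p_spam + p_ham)))

    def score(self, text):
        """Combined spam probability for a whole message."""
        probs = [self.token_prob(t) for t in dict.fromkeys(tokenize(text))]
        # Padding words sit at 0.4, so they are the last to be picked and, once
        # the 15 slots are full, further padding changes nothing at all.
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[: self.n_interesting]
        if not top:
            return self.unknown_prob
        spam_side = math.prod(top)
        ham_side = math.prod(1.0 - p for p in top)
        return spam_side / (spam_side + ham_side)

    def is_spam(self, text, threshold=0.9):
        return self.score(text) > threshold


def build_demo_filter():
    """Train a filter on the constructed corpora above."""
    f = GrahamFilter()
    for text in SPAM_TRAINING:
        f.train(text, True)
    for text in HAM_TRAINING:
        f.train(text, False)
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    advert = "cheap replica watches and pills"
    for msg in (advert, advert + " " + HASHBUSTER, advert + " " + HASHBUSTER + " stone river candle"):
        print(f"{f.score(msg):.8f}  {len(tokenize(msg))} tokens")
```

The padded message scores marginally lower than the bare advert, but the known spam tokens dominate the combination, and once the 15 slots are full extra padding words are never consulted.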

This final one, which is a fake e-card notification, arrived on the 1st of December, and if you click on the link provided in it [which doesn't take you to www.123greetings.com], this will download an executable file called 'x-mas.exe' which is NOT an e-card at all; it is malware, in this case a self-extracting RAR file.



The end result of running this file [x-mas.exe] is that your system will be infected by a variant of Zapchast [also known as an IRC.Flood.dr variant]. As part of the installation routine this malware installs an IRC client and then signs into a Command and Control channel and awaits new orders. At this point the computer no longer belongs to you; it is now a so-called 'Zombie' or 'Bot' in one of the many bad guys' and girls' 'Botnets'.

So, be careful out there, just because it is getting close to Christmas doesn't mean that it isn't a jungle out there. Don't give the bad guys and girls a present this year by falling for their scams, malware or buying anything they peddle in their spam. Remember, Santa only gives gifts to good boys and girls, not naughty ones!

On this note, I'd like to wish all the readers of this blog [which numbers at least 2 ;-)] a very Happy Christmas and a Prosperous New Year. Although, if you are a bad guy or girl who does any of the nasty things I blog about here, I hope that you finally see sense and get a real 'useful' job, before you finally get caught and prosecuted. Maybe next year you will then get a gift from Santa, who knows, and maybe hell will freeze over too? ;-)

* If anyone out there is willing to translate the remaining text on this spam, then please contact me, thanks.

PS I haven't forgotten about my promised 'Amazon Adventures - Part Deux' posting, it is coming, honest.


Tuesday, 4 December 2007

Birds of a Feather...

No this isn't about either the feathered sort of 'Birds', or anything to do with the fairer sex [colloquially known as 'Birds' in some parts of the world], nor am I going to blog about the famous Alfred Hitchcock movie. This posting is about a recent book I reviewed for Virus Bulletin which was written by members of AVIEN* [do you get the 'Birds' reference now? ;-)]

Here's a snippet from the review I wrote:

"The AVIEN Malware Defense Guide has been written by members of the AVIEN/AVIEWS online communities with the aim of passing on knowledge that they believe will be both interesting and useful to those involved in the real-world battle against malware in organizations.

The cover of the book claims that it will 'stop the stalkers on your desktop' and also provide:
  • Complete coverage of the relationship between enterprise security professionals, customers, vendors and researchers.

  • In-depth consideration of key areas of the 21st century threat landscape.

  • System security and DIY defence using a range of specialist detection and forensic techniques and tools.
Meanwhile, the back cover states: 'AVIEN members represent the best-protected large organizations in the world, and millions of users. When they talk, security vendors listen: so should you.' So, after making such a bold statement, does the book deliver on the promises it makes?
"

And here's another snippet:

"My overriding impression is that this book is very well written; the whole book comes together and flows very well – which can be a difficult feat when a book has several different contributors.

The book eases the reader in gently, starting with non-technical chapters and building to some very technical ones towards the end of the book.

The pedigree and diversity of the contributors involved in this book makes it a very readable, informative, and accurate reference guide for all interested parties, be they new to the fight or old hands.

The book delivers on many of the promises it made. In fact, I would say that this is the best general malware/anti-malware book currently available, and it should be a mandatory read for anyone new to computer security in general, and anti-malware specifically.
"

Here's a link to the complete book review I wrote: [PDF format]

So, if you are hunting for a perfect present for the security professional in your life, or just for yourself, then this book may be just what you/they always wanted...

If you want to buy the book or to see other reviews, then feel free to click on the relevant link below:



As usual all my other published articles and papers can be found here or here.

* Yes, I know that this isn't spelt the same way as AVIAN, but please let me have a little poetic license ;-)


Friday, 16 November 2007

October 2007 Malware Review

October was another very busy month for me as I created and presented a double security lecture [one on malware and one on spam, scams, hoaxes, etc.] at one of the major universities in the UK, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare them against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an aDSL link and are personal research projects that have been running for some time: WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 649 samples during October, which have been catalogued as 35 distinct families and variants. In comparison, during September I captured 457 samples which were catalogued as just 27 distinct families/variants. As you can see, the captures in October are slightly up from September's total.

During October I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by October's statistics the general trend is still downwards [although the Bad Guys and Girls are back at work after their summer break]. It appears that social-engineering is very much the technique of choice this year.

During October I reported 105 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 77 percent of the samples captured in October, down from the high point of 82 percent in August but up almost 1 percent on September.

As in September's chart there are eight members of the Opaserv.worm family in October's chart. These are variants: AE, AJ, AI, D, I, AH, K and AC in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is taken by our old friend Netsky.P, who comes back into the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply put, my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for October, Mytob.c has continued its slide back down the chart, from sixth to just hang on in tenth place.

Netsky.q [aka P] has further consolidated its hold on the pole position it managed to grab back in June. It is joined by two [down from three] other family members, these being: Netsky.t, which has reversed its slide from last month, climbing back up one place from eighth to seventh spot; and Netsky.aa, which has started to fall down the chart, from the runner-up spot [second] it held in September to the final podium place, third.

Bagle.gt has speeded up its journey down the chart, falling from fourth to eighth place.

Unlike Bagle.gt, Worm.Win32.Feebs.gen has reversed direction, climbing once more, up from seventh to fourth place.

The final free places in October's chart are taken by two new entries, these being: Trojan-Spy.HTML.Fraud.ay straight in at the runner-up spot [second], and Exploit.Win32.PDF-URI.k straight in at sixth place.

We also have Email-Worm.Win32.Nyxem.e [aka Mywife.D] down from fifth to ninth, a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l down from third to fifth place.

Kaspersky had this to say about October's chart:
"If this month's Top Twenty had been prepared using data from the first 26 days of October, two important malware related events would have been missing.
We're talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we've seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings.

The second attack, which started on Friday, October 26, was more interesting. Email traffic was flooded with messages that included a PDF file. This file contained a known and recently discovered exploit for a vulnerability in Adobe products. When the PDF file was opened, this resulted in malicious code being executed and a Trojan downloader being installed. The attack is in sixth place in our rankings: Exploit.Win32.PDF-URI.k
"


Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has, rather surprisingly, lost pole position in October's chart and has to make do with the runner-up spot [second]. Last month's runner-up Troj/Pushdo has managed to de-throne Netsky and steal its crown, as it now heads up the chart by grabbing pole position.

Mytob has lost ground, sliding down the chart from third to fifth place. W32/Zafi has suffered a similar fate sliding down from second to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, slipping down from seventh to eighth place.

There is just one re-entry in October's chart, this being Troj/Dloadr, back in to the chart in seventh place. One of last month's re-entries has managed to remain in October's chart, this is Mal/IFrame, slipping down one place from fifth to sixth.

To complete the chart we have one new entry, this being Troj/PDFex straight in to the chart in third place, and TraxG is up from tenth to ninth place. The place occupied by TraxG in last month's chart is now the home of Mal/Dropper.

Here is some commentary on October from Sophos:
"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26-28th October, and during that period, it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe have issued an update to their Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows which could also affect other vulnerable applications such as Skype and Firefox."


The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot [second]. The final step of the podium, third place, is occupied by a re-entry, this being Netsky.

Win32.Zhelatin falls one place to fifth, Win32.Agent climbs one place to fourth, IRC.Zapchast falls one place to ninth, as does Win32.Tibs, falling to tenth. Sixth place is once more occupied by W32.Funlove, which is where it was in last month's chart.

We have one new entry in October's chart, this is: Backdoor.Win32.mIRC-based straight in at eighth place.

The final place in October's chart is occupied by our old friend Dupator up from eighth to seventh place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of October] here. This clearly shows that October was quieter than the previous two months. As shown in the figures for October, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is because these e-mails contain links to malware files being hosted on web servers; the web pages they link to also contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.
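A rule-based check of the kind described above, added here as an example rather than the author's actual filter configuration: it flags e-card notification e-mails whose links point straight at an executable, or whose link host is a bare IP address, even though the message carries no attachment. The messages, hostnames (.invalid) and addresses (TEST-NET-1) are constructed; the filename is one reported in the posts above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Added example, not the blog author's filter: a rule-based pre-classifier for
# e-card notification e-mails that carry a link to an executable rather than an
# attachment. Hosts (.invalid, TEST-NET-1) and messages are constructed; the
# filename is one reported in the posts.

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".bat", ".cmd")
ECARD_PHRASES = ("e-card", "ecard", "greeting card", "postcard")

SAMPLE_MAILS = [  # (subject, body), all constructed
    ("You have received a New Year E-card!",
     "Your friend sent you an e-card. View it here:\n"
     "http://new-year-greetings.invalid/happynewyear2008.exe"),
    ("Happy Halloween e-card",
     "Somebody you know sent you a Halloween card! http://192.0.2.45/"),
    ("Quarterly report",
     "Minutes attached. Slides are at https://intranet.example.invalid/q3/slides.html."),
]


def extract_urls(body):
    """Pull http(s) URLs out of plain text, dropping trailing punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(body)]


def is_ip_literal(host):
    """True when the URL host is a numeric address rather than a name."""
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def link_findings(url):
    """Reasons a single URL looks like a 'fake e-card' download link."""
    parsed = urlparse(url)
    findings = []
    if is_ip_literal(parsed.hostname or ""):
        findings.append("ip-literal-host")
    if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("executable-download")
    return findings


def classify_ecard_mail(subject, body):
    """Return ('malware-link' | 'suspicious' | 'clean', {url: [reasons]}).

    Policy (an assumption, not the blog's rules): e-card wording combined with
    a link to an executable, or to a bare IP address, is treated as a malware
    link even though the message has no attachment. A flagged link without the
    e-card wording is only 'suspicious'.
    """
    text = (subject + "\n" + body).lower()
    mentions_ecard = any(p in text for p in ECARD_PHRASES)
    flagged = {}
    for url in extract_urls(body):
        reasons = link_findings(url)
        if reasons:
            flagged[url] = reasons
    if flagged and mentions_ecard:
        return "malware-link", flagged
    if flagged:
        return "suspicious", flagged
    return "clean", {}


if __name__ == "__main__":
    for subject, body in SAMPLE_MAILS:
        verdict, flagged = classify_ecard_mail(subject, body)
        print(f"{verdict:13s} {subject!r} {flagged}")
```

The first sample shows why an IP-address check alone is not enough: the New Year waves used real domain names, so the executable filename in the path is what gives the link away.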



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 339,691 at the end of October. That's a growth of 117,218 new malware strains and/or variants so far in 2007; in October alone the number jumped by almost 10,500. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 140,700. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - September has continued during October, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam are back to their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during October as they are still trying out other file formats which they hope will bypass anti-spam defences, as can be clearly seen by the MP3 spam example covered above.

The Phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, which works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last couple of months of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:


Tuesday, 13 November 2007

One MSUpdate You Don't Want!

If you religiously install all Microsoft Updates, then this is something you really need to be aware of before it is too late!

Here is a screenshot of something a little different I received in my inbox this evening, it is an e-mail that says it has been sent by 'Microsoft Corp':



This nicely formatted e-mail that says it has come from Microsoft tells you that 'Microsoft recommends that customers apply the update immediately following the links below corresponding to your system', and there then follow three links to click on. However, clicking on any of the links in the e-mail takes you to the site shown in this screenshot:



How many of you would have believed that this is a screenshot of the real Microsoft Update site and then proceeded to download the 'Patch' offered?

Very convincing isn't it? Looks like the real thing... [almost as good as the YouTube one from yesterday!]

But it isn't the 'real' Microsoft Update site at all [or any other 'real' Microsoft site], and to make matters worse for anyone that believed it was the 'real' site and then downloaded the 'Patch' offered, not only didn't they download and install 'MS07-055', they now have an infected computer, just because they let misplaced trust in a company name [Microsoft] get the better of them.

I'll repeat what I wrote yesterday for the YouTube blog posting:

"It looks like the malware authors have been taking lessons from the Phishers, as this is a very well done 'Fake' site and using this level of social engineering means that more people will fall for this and infect their computers, which may well mean that if the malware offered is a bot, or proxy then the infected computer could soon be sending out lots of spam or taking part in a DDoS attack [Distributed Denial of Service]."

More data on the file and the level of detection when I first found it [very, very low], can be found here on my VSUB blog.

If you are going to install updates at least make sure they are genuinely from Microsoft and not a product of the Bad Guys and Girls who must have seen the last very effective use of this technique, as used by Swen... talk about Deja-vu! ;-)


Monday, 12 November 2007

Do You YouTube?

If you do YouTube, then this is something you really need to be aware of before it is too late!

Here is a screenshot of something a little different I received in my inbox this morning, it is an e-mail that says it has been sent by 'YouTube Service' aka 'service@youtube.com':



This nicely formatted e-mail that says it has come from a friend contains lots of links to click on; all the ones shown on the right of the e-mail go to YouTube or Google pages, as they claim to. However, clicking on any of the links on the left of the e-mail takes you to the site shown in this screenshot:



How many of you would have believed that this is a screenshot of the real YouTube site and then proceeded to download the 'Flash Player' offered?

Very convincing isn't it? Looks like the real thing...!

But it isn't the 'real' YouTube site at all, and to make matters worse for anyone that believed it was the 'real' site and then downloaded the 'Flash Player' offered, not only didn't they download and install 'Adobe Flash Player', they now have an infected computer, just because they let curiosity get the better of them.

It looks like the malware authors have been taking lessons from the Phishers, as this is a very well done 'Fake YouTube' site and using this level of social engineering means that more people will fall for this and infect their computers, which may well mean that if the malware offered is a bot [Agent], or proxy [Hacktool.Proxy] then the infected computer could soon be sending out lots of spam or taking part in a DDoS attack [Distributed Denial of Service].

More data on the file and the level of detection when I first found it, can be found here on my VSUB blog.

In fact as it is such a good example of the level of social engineering now being used I might well create a video of it and post it to the 'real' YouTube, on my own channel.

The video is now on YouTube, here is a direct link to it.


Thursday, 8 November 2007

Trick, But NO Treat - REDUX!

I recently blogged about a new e-card spam run coming from the 'Bad Guys and Girls' known as the 'Storm Worm Gang', the last run was using fake Halloween e-card notifications, as this was happening just before Halloween it was a reasonable trick to use, but as I mentioned in that posting, it was all 'Trick' and 'No Treat'.

It has been rather quiet since then, as far as the 'Storm Worm Gang' have been concerned. That is until last night when a new wave of fake e-card notification e-mails started to appear. So I checked out the latest offering from them, clicked on the link, went to the site, and it looked exactly the same as the previous run, even the fake e-card filename was the same; this being 'halloween.exe'. So, I tried to grab a sample to see if they had repacked it or otherwise modified the malware file, and all I got was a file that contained an error message from the server that the file didn't exist, most odd!

However, this morning it seems that they have now fixed the problem, and are now offering a new file 'dancer.exe' instead, which is not only a new name, but the file is a new malware variant too.

My only thought is, why are they starting to spam out another wave of Halloween e-card notifications? Is it laziness, or are they just getting a jump on the festivities for next year's Halloween? ;-)

I suspect, however, that this is merely a stop-gap until they find a new theme to use, such as a new media event or the upcoming festive season of Christmas.

Here's a screenshot of what just one of these new e-mails look like now:



The body text can be one of a number of text strings and the link, at the moment, is one composed of numbers [IP Address].

Of course, when you click on the link you go to another site, not the one you expect to go to. Here's a screenshot of one of the web pages you could end up on if you click on the link in one of these 'fake e-card' e-mails.

Here's a screenshot taken this morning:


What you don't see happening in the background is that just by you visiting the site it is letting the Bad Guys and Girls run exploit code against your system, if your system isn't fully patched, you'll get infected. If that fails [because your system is fully patched, or otherwise protected] they can always use social engineering to get you to infect your own computer by clicking on the link or graphic and running the file.

The main problem with the recent waves of fake e-card e-mails we have been seeing is that the link to the 'fake e-card' often takes you to a website that contains the following payloads, which can automatically infect your computer just by visiting it with a system that isn't fully patched:
  • Various Browser Exploits.

  • Various Windows Exploits.

  • A download [fake e-card] which is actually malware.

It also appears that the so-called Storm-Worm Gang are constantly looking for new angles and ways to get you to add your computer to their botnet. This doesn't bode well for the upcoming festive season as that is when social engineering seems to work best. Why this is the case is not clear, it could be due to good will or a drop of the good-stuff? ;-) Maybe, it is just because people are more willing to spare a thought for others at this time of year, and in return expect them to spare a thought for them?

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you...don't make their job even easier.

Just to make it crystal clear, the file offered on these sites will NOT show you a dancing skeleton; the only one dancing will be you, to the tune of the botmasters! Any sinister/mad laughter you imagine you hear is the same people laughing all the way to the bank.

More details on the file, including the level of detection by products at the time I submitted a copy to them can be found here on my VSUB blog.


Wednesday, 31 October 2007

Trick, But NO Treat!

As some of you may have noticed we are seeing a massive campaign by the 'Bad Guys and Girls' who are now using social engineering techniques via fake Halloween e-card notification e-mails. The last ones used cats as the bait!

Here's a screenshot of what just one of these looks like now:



The body text can be one of a number of text strings and the link, at the moment, is one composed of numbers [IP Address].

Of course, when you click on the link you go to another site, not the one you expect to go to. Here are a couple of screenshots of one of the web pages you could end up on if you click on the link in one of these 'fake e-card' e-mails.

Here's a screenshot taken last night:


Here's a screenshot taken this morning:


Did you notice any difference? ;-)

What you don't see happening in the background is that just by visiting the site you are letting the Bad Guys and Girls run exploit code against your system; if your system isn't fully patched, you'll get infected. If that fails [because your system is fully patched, or otherwise protected] they can always use social engineering to get you to infect your own computer by clicking on the link or graphic and running the file.

The main problem with the recent waves of fake e-card e-mails we have been seeing is that the link to the 'fake e-card' often takes you to a website that contains the following payloads, which can automatically infect your computer just by visiting it with a system that isn't fully patched:
  • Various Browser Exploits.

  • Various Windows Exploits.

  • A download [fake e-card] which is actually malware.

It also appears that the so-called Storm-Worm Gang are constantly looking for new angles and ways to get you to add your computer to their botnet. This doesn't bode well for the upcoming festive season as that is when social engineering seems to work best. Why this is the case is not clear, it could be due to good will or a drop of the good-stuff? ;-) Maybe, it is just because people are more willing to spare a thought for others at this time of year, and in return expect them to spare a thought for them?

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you...don't make their job even easier.

Just to make it crystal clear, the file offered on these sites will NOT show you a dancing skeleton; the only one dancing will be you, to the tune of the botmasters! Any sinister/mad laughter you imagine you hear is the same people laughing all the way to the bank.

Have a fun but safe Halloween...


Wednesday, 24 October 2007

Who's the Weakest Link?

This posting discusses the findings of an online survey carried out by Sophos.

"The research shows that 31 percent of companies believe remote or mobile users expose their networks to the greatest threat, compared to 25 percent that consider guests or external contractors the greater danger. In contrast, an additional 44 percent of companies believe standard employees are actually more likely to expose the network."

The problem is somewhat more fundamental than this survey would have you believe; the problem isn't just that employees [whichever group they fall into] are a risk, the real root of the problem is that people are the weakest link in security[1]...let me explain how I know this:

You only have to look around to see people that are taking risks either with their personal and/or computer security.

It's even worse when they behave the same way on their employer's computers or network, whether it is ignoring security policy/rules, opening attachments they shouldn't, visiting websites to retrieve e-cards or view questionable or illegal material, disabling security tools to speed up the computer, giving away personal or proprietary information, or possibly hacking into systems for either fun or profit.

The worst of it all is when 'good' people fall for the tricks used by the bad guys and girls, such as social engineering. [I've included links to a number of the risks mentioned, in the material below.]

The bad guys and girls have long known that social engineering is the most effective way to get their malware installed on a victim's computer, just as the scammers know that social engineering makes them the most money; as more victims fall for this approach than any other. I have already blogged about the 'human element' in security [or should that be insecurity?;-)] a number of times before; be it 'click-a-holics', e-cards, lottery/grant notifications, 419 and Phishing scams, lost friends or relatives and hoaxes, in fact the whole enchilada.

This year has seen the bad guys and girls use social engineering as their number one infection vector; rarely do they now include a coded infection routine in their malware, they just get the recipient to infect their own computer, it works very well and means they have less work to do to create new malware.

Here's a good and timely example:
The Adobe Acrobat [PDF] vulnerability which was first disclosed on September 20th, 2007. Here's some data from Symantec about what the bad guys and girls did with it:

"One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and just containing the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe.
"

In other words, once you have been socially engineered and you've opened the PDF, the exploit code will execute and your system will get infected unless you have other mitigating technologies/methodologies in place to stop it. From then on your computer is no longer yours, it belongs to the bad guys and girls.

So, what can you do to stop this particular threat [not social engineering in general]?

You can install the 'official' patch for Acrobat Reader from here or the 'official' Acrobat Reader update from here. Trust me I'm a security specialist ;-)

Maybe humans need to learn from the mistakes of others; history is littered with such material, so that they are less likely to repeat them, ad nauseam. Although I wouldn't bet on it happening anytime soon!

What do you think is the best way to stop people falling for social engineering?

Links to other stories/surveys on Social Engineering:

[1] In security, computer or otherwise, a system is only considered to be as strong as its weakest link; as that is the place where it is most likely to fail. Just like a real chain


Monday, 22 October 2007

September 2007 Malware Review

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August's total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September's statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.

During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September's chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for September, Mytob.c has once more started to slide back down the chart, from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on the pole position it managed to grab back in June. It is joined by three [same as in August] other family members, these being: Netsky.t, which has slipped down one place from seventh to eighth spot. Netsky.aa continues its upward climb, up from third to the runner-up spot; second place. The final Netsky family member is Netsky.b which is static in tenth place.

Bagle.gt has once more restarted its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September's chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September's chart:
"Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn't extend the botnet that it builds, and as a result, there's not a single Warezov variant in September's Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world - indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo which climbs up from the fourth place it held in August. Last month's runner-up spot sitter, W32/Zafi has fallen down to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September's chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:
"The figures, compiled by Sophos's global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and "Holly Berry" [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot; second, yet again and the final step of the podium, third place, is occupied by Dupator which is where it was in August's chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs back in the chart in fourth, sixth, seventh, eighth and ninth place respectively. Fifth place is occupied once more by W32.Funlove.

The final place in September's chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September, once more contains ten entries rather than the seven we had in August.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.
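The filter adjustment described above, and the observation in the e-card posts that the lure links are composed of numbers rather than a host name, can be turned into a simple rule-based check. The following is an added example, not the author's WormCharmer or Bayesian filter code: it parses an RFC 822 message, pulls every http(s) URL out of its text parts, and flags the message when a link points at a bare IP address or when an e-card themed message carries a link but no attachment. The two sample messages and the 203.0.113.45 address are constructed for the example (it is a documentation-range address standing in for the numeric hosts seen in the real lures).

```python
import re
import ipaddress
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed sample messages (not real captures). 203.0.113.45 is a
# documentation-range address used as a stand-in for the numeric hosts
# seen in the Storm Worm e-card lures.
ECARD_LURE = """\
From: ecards@example.com
To: victim@example.net
Subject: You have received a Halloween e-card!

Someone who loves you has sent you a Halloween e-card.
To view it, visit: http://203.0.113.45/
"""

GENUINE_NEWSLETTER = """\
From: news@example.org
To: reader@example.net
Subject: October newsletter

Read this month's issue at https://www.example.org/newsletter/october
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Hypothetical keyword list; a production filter would be far longer.
LURE_WORDS = ("e-card", "ecard", "greeting card", "postcard")


def extract_urls(msg):
    """Collect every http(s) URL from all text/* parts of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def host_is_ip_literal(url):
    """True when the URL's host is a bare IP address rather than a name."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(raw):
    """Return (is_malicious, reasons) for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    urls = extract_urls(msg)
    ip_urls = [u for u in urls if host_is_ip_literal(u)]
    if ip_urls:
        reasons.append("link to bare IP address: " + ", ".join(ip_urls))
    # Subject plus all text bodies, lower-cased for keyword matching.
    text = (msg["Subject"] or "") + " " + " ".join(
        p.get_content() for p in msg.walk()
        if p.get_content_maintype() == "text")
    has_attachment = any(p.get_filename() for p in msg.walk())
    # The Storm e-card run has no attachment; the payload is behind the link.
    if urls and not has_attachment and any(w in text.lower() for w in LURE_WORDS):
        reasons.append("e-card lure with link but no attachment")
    return bool(reasons), reasons


if __name__ == "__main__":
    for name, raw in (("lure", ECARD_LURE), ("newsletter", GENUINE_NEWSLETTER)):
        verdict, why = classify(raw)
        print(name, "malicious" if verdict else "clean", why)
```

The IP-literal rule is cheap and matches how these runs were being seeded at the time, but it is only a heuristic: legitimate mail occasionally carries numeric links, and the gang could switch to throwaway domain names at any point, so it belongs alongside a content classifier rather than replacing it.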



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That's a growth of 106,723 new malware strains and/or variants so far in 2007; in September the number once more jumped by over 12,000. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be around 142,300. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during September 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - August has continued during September, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven't been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown in the massive jump in the percentage of phishing scams we've seen during both August and September.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:


Wednesday, 17 October 2007

Stealthed Spam

Here's an interesting trick that the spammers are increasingly using to defeat not only software and hardware anti-spam defences but also "wetware" anti-spam defences; wetware is the geek/nerd term for you, dear reader, the interface between the chair and the keyboard. ;-)

Stealth is not a new idea; computer viruses and other malware have been using this technique to hide since the very beginning of the problem on IBM and compatible PCs. In fact the very first virus on this platform, 'Brain', used stealth. Also, most of you are aware that stealth is widely used by the military, not only to make warplanes invisible [or almost] to radar and other tracking technologies, but also warships.

So, what do these 'Stealthed' spam e-mails look like?

Well, to answer that question take a look at the screenshots of just three of the many I've so far received:

The first one claims to be from 'Parents.com':



The second one claims to be from 'Television Food Network':



The third and final one claims to be from 'Charles Schwab & Co.':



With all of the above examples, all the URLs [web-links] used in the e-mail point to the real site, not a spammy one. All the text is real, taken from real newsletters/e-mails from the targeted company. These e-mails pass the tests that most of us use to decide if something is spam or not; in other words they pass the 'Eyeball' test fairly easily as they look like genuine e-mails from real companies. The only missing pieces are any remote graphics, which most e-mail programs will not show, at least not by default.

So, what do they look like when I enable 'allow remote images' in the e-mail program?

They look like this:







Now they all fail the 'Eyeball' test with ease.

Why do I call these 'Stealthed Spam'? Well, simply because the spam component is hidden and not in plain view.
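Because every link and all of the text in these messages is genuine, the only machine-checkable tell is the one the eyeball test misses with images disabled: the remote image is hosted somewhere none of the links point to. The following added example (not code from the original post) parses an HTML body, collects the targets of every <a href> and <img src>, reduces each to a base domain, and flags the message when a remote image comes from a domain that no link in the mail refers to. The two HTML bodies are constructed, example.com stands in for the impersonated company and unrelated-host.example for the spammer's image host; the base-domain helper is a deliberate simplification (last two labels) and a real filter would use a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML bodies, not the e-mails shown in the post. The links and
# text imitate a genuine example.com newsletter; only the remote image in
# STEALTHED_BODY comes from an unrelated host.
STEALTHED_BODY = """
<html><body>
<p>Welcome to the <a href="https://www.example.com/newsletter">Example.com newsletter</a>.</p>
<img src="http://img.unrelated-host.example/promo.gif" width="600" height="400">
<p><a href="https://www.example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

GENUINE_BODY = """
<html><body>
<p>Welcome to the <a href="https://www.example.com/newsletter">Example.com newsletter</a>.</p>
<img src="https://static.example.com/logo.gif">
</body></html>
"""


class LinkImageCollector(HTMLParser):
    """Collects <a href> and <img src> targets from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])


def base_domain(url):
    """Last two host labels: a simplification of the registrable domain that
    is fine for .com-style names; use a public-suffix list for co.uk etc."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse(html):
    """Return (is_stealthed, link_domains, foreign_image_domains).

    A message is flagged when at least one remote image is served from a
    base domain that none of the message's links point to."""
    collector = LinkImageCollector()
    collector.feed(html)
    link_domains = {base_domain(u) for u in collector.links}
    remote_images = [u for u in collector.images
                     if urlsplit(u).scheme in ("http", "https")]
    foreign = sorted({base_domain(u) for u in remote_images} - link_domains)
    is_stealthed = bool(foreign) and bool(link_domains)
    return is_stealthed, link_domains, foreign


if __name__ == "__main__":
    for name, body in (("stealthed", STEALTHED_BODY), ("genuine", GENUINE_BODY)):
        flagged, links, foreign = analyse(body)
        print(name, "FLAG" if flagged else "ok", sorted(links), foreign)
```

Image hosts that differ from link hosts are not proof of spam on their own (plenty of genuine mail pulls images from a CDN), so in practice this would feed a score rather than a hard block; it does, however, catch exactly the case above, where the mail is otherwise indistinguishable from the real newsletter it copies.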

As they say "Keep 'em peeled!", which means keep your eyes open and stay alert. Or, as others might say, "don't believe everything you see or read", it may be a clever fake.

If you see any other interesting new tricks/techniques or file formats being used by spammers then please feel free to send me the details or post the information as a comment. Thanks!


Friday, 12 October 2007

Catastrophic Infector

Have you been receiving e-mails stating that you have received an e-card, more precisely a Crazy Cat or Laughing Kitty or other Cat related word-play cards?

If so then there is something you should know: there is no e-card, this is another new 'Storm Worm' run in progress. This one is using a new topic, cats, as the bait, which is not one we've seen them use before.

This is what one of the new e-mails looks like:



And here is what you'll see if you click on the link:



What you won't see is that, as usual with most Storm Worm sites, in the background a vulnerable system is being compromised and infected without any need for you to click on the link in the webpage. You are fully patched, aren't you? Even if you are fully patched do not download and run the file offered, as it is malware. Every link on the page is to the malware file, currently named 'SuperLaugh.exe'.

However, if you have a decent, up-to-date anti-malware product you will be protected, as you can see from the screenshot below:



To save you falling for this, and letting curiosity kill the cat, I have included a first for this blog. I recorded a video of the page, complete with the infectious laughter that accompanies the fake e-card.

So, if you must see what the full page looks like while not getting infected, then be a cool cat and use the video link I've provided.

UPDATE: I've now created a YouTube account and posted it there.



All anti-malware tools should detect this new 'Storm Worm' variant before the end of the day.

If you like the use of video to show a new threat, then please let me know and I'll try and include them in future, where feasible.


Friday, 5 October 2007

Warnen, Bin Ich Ansteckend

For those of you that don't speak or read/write German, the title of this post roughly translates as: 'Warning, I am infectious'.

Hmmm...seems to be a rather busy day for me today!

This posting is mainly a warning for those of you out there that speak German, although if you don't you could still give in to your curiosity with potentially disastrous results.

Here's a screenshot of an e-mail I started to see this morning:



This is a screenshot of the website that the link in the e-mail takes you to:



If you are curious enough to click on the hyperlink at the foot of the web page a file gets downloaded; at this time the file is called, 'behnert.exe'.

More data on the file can be found here: http://momusings.com/vsub/2007/10/vs0710002-possible-new-malware-bzub.html

I've submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.

The core of the e-mail claims that 'Anne Behnert' went to the same school in Germany that I attended. This might have been more believable if I had gone to school in that country, but I didn't. However, ironically I was born there!

Here are 'Google' translations of text from both the e-mail and the webpage, as you'd expect the translations are not very good:

E-Mail text:
Did you recognize me? I bin's Anne Behnert.
I imagine in such a way, we would have with you in a school gelernt.
It is stop much time past and so can you you to me probably not more erinnern.
And I cannot forget it yet, we was best friends.
Do you remember those walks after the school? This was genuinly cool, gell?
It was however everything after the removal of my parents to end.
We pulled into another city.
I had to leave you all of the school and I felt so lonely at that time, remained completely alone and the feeling of the isolation deprimierte me riesig.
Then I have new contacts constructed and now give it again friends, am long already however completely different history!
And I remember nevertheless nearly nobody from the school, thus only you.
I would like that we further constantly communicate ourselves könnten.
Do you want to times actually see, how I look now?

Web page text:
There are you here probably because of my invitation or perhaps only that you can know me.
However I am pleased much to see you here!
I learned in several schools, because my parents from place had pulled to place. First it was very unpleasant for me, then I had resigned myself to it. I became acquainted with a great many people only volatilely. Some of it, these were not bad I directly forgot, some were o.k., with which I would maintain still gladly relations, could however because of some circumstances. And now, if I arose want I mean friendship volumes again to strengthen! Well that I must now nirgendswo him and one can make oneself after the search!
After tormenting school I began with the study and then was successfully finished I with it. Momentarily I work as a child psychologist. Whether it to be strange should:)? I feel very destined as it. From my childhood I am very much accustomed to the children. And now I help them.
That was actually everything! I am pleased to your answer!
So I am it now.

So, hopefully you can see why I entitled this blog post as I have, as she is indeed infectious?

Interestingly a similar e-mail, this time in English, is mentioned on the Sophos Blog, here: http://www.sophos.com/security/blog/2007/10/623.html


Hentai Malware E-Mail

Heads-up, there is a new 'Storm Worm' run in progress.

This is what one of the new e-mails looks like:



Yes, I've modified a certain 'area' of the screenshot as it may be considered 'explicit' and/or unsuitable for publishing in its original form, by many people.

The unusual thing about this version, apart from the change in subject matter to try and get you to infect your computer, is that the e-mail doesn't link to a remote site; there is a file attached to the e-mail.

The attachment in this example is currently called 'hent.zip' and it contains a file called 'hent.exe'.

More data on the file can be found here: http://momusings.com/vsub/2007/10/vs0710001-possible-new-malware-agent.html

Some other data suggests that the body may be quite variable, and in some cases also padded out with text from data stolen from other websites.

I've submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.


Tuesday, 2 October 2007

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


"A warm and friendly welcome to Vienna, unless you're a Kangaroo!" ;-)

Day 1 - Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by "A road to big money: evolution of automation methods in malware development" presented by Maksym Schipka from MessageLabs on the Technical Stream. As always Maksym's talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting, a presentation by Abhilash Sonwane of Cyberoam entitled "Changing battleground: security against targeted, low-profile attacks ". This talk touched on cyber-crime and targeted attacks which would be mentioned throughout most of the rest of the conference presentations; from different perspectives.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode; Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream. The first two presentations after lunch were:

  • DSD Tracer - implementation and experimentation - Boris Lau, Sophos

  • Pimp my PE: taming malicious and malformed executables - Casey Sheehan, Sunbelt Software

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Anti-rootkit safeguards: welcome Vista - Aleksander Czarnowski, Avet

  • Patching. Is it always with the best intentions? - Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the day's main proceedings, and chose my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation; instead of the dry marketing material he had been given, he gave a very entertaining one instead. This rounded off the day wonderfully!

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 - Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector, it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled "The journey so far: trends, graphs and statistics". Instead of trying to cover everything in the paper, all 30,000 words of it, I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

  • What a waste - the AV community DoS-ing itself - Joe Telafici, Dmitry Gryaznov, McAfee

This was an interesting look at sample sharing between security companies and researchers, the end result is often lots of duplicated samples and sets; these can easily be in excess of 500GB. In fact the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

Then it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

  • The WildList is dead, long live the WildList! - Andreas Marx, Frank Dessmann, AV-Test.org

  • Have you got anything without spam in it? - Tim Ebringer, CA

  • A testing methodology for rootkit removal effectiveness - Josh Harriman, Symantec

Although all of these were interesting I found the presentation by Josh Harriman very interesting and engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don't remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

  • Transforming victims into cyber-border guards: education as a defence strategy - Jeannette Jarvis, Microsoft

  • Phish phodder: is user education helping or hindering? - Andrew Lee, Eset; David Harley, Small Blue-Green World

Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy's presentation included a 'Game Show'.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two 'Last-minute' presentations, these were:

  • Andrew Walenstein, University of Louisiana at Lafayette

  • Erik Wu and Feike Hacquebord, Trend Micro

This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

  • Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations - Dmitri Alperovitch, Secure Computing

This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn't work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentation after the day's main proceedings. This time it was Vinny Gullotto from Microsoft; as with Larry's, it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song "As some day it may happen" from Gilbert and Sullivan's "The Mikado", where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the "pre-dinner drinks and the Gala dinner and cabaret". As always the food was excellent and the entertainment was typically Viennese; two couples performing various types of waltzes. This was followed up, after dessert, by our own private casino.



Day 3 - Friday 21st September 2007

The final day of the conference had arrived. I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Menace 2 the wires: advances in the business models of cybercriminals - Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year, which included a quote that claimed that "Cyber-crime was now more profitable than running drugs". Once more he had some very interesting material to share, including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

  • The trojan money spinner - Mika Ståhlberg, F-Secure

  • Once upon a time a trojan... - Luis Corrons, Panda

  • New approaches to categorising economically-motivated digital threats - Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all, especially by those who were trying to trick Jeannette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream. These were the presentations I sat in on:

  • A deeper look at malware - the whole story - Bryan Lu, Fortinet

  • Malware removal - beyond content and context scanning - Tom Brosch, Maik Morgenstern, AV-Test.org

Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I'd sit in on the last one on the Corporate Stream. This was:

  • Future threats - John Aycock, Department of Computer Science, University of Calgary; Alana Maurushat, Faculty of Law, University of New South Wales

Although all the conference paper presentations had finished, there was a very interesting and lively panel discussion:

  • The fight against international cyber crime - enforcing the law - David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be a case of "I'm Spartacus", as a lot of people seemed to be wearing Dr. Vesselin Bontchev's name badge, and no, it wasn't him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the "welcoming statue", along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn't so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my 'interesting' vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don't know who suffered more, the audience or me ;-)

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Tuesday, 25 September 2007

Oh, Vienna...Update

As promised in my last posting, I have now created a PDF version of the paper I presented last week [Thursday the 20th of September] at the Virus Bulletin 2007 international conference in Vienna, Austria.



Karlskirche, Karlsplatz, Vienna
[Picture (c) Copyright, Martin Overton 2007, All Rights Reserved]

Here's the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscape of types of malware used and the now often confused classification situation.

The paper is now available on my web site, and one of my other mirror sites. Here and here. Also, later this week I will post a short review of the conference, as I have done for the last 3 or 4 years.


Monday, 17 September 2007

Oh, Vienna...

Walked in the cold air
Freezing breath on a window plane
Lying and waiting
A man in the dark in a picture frame
So mystic and soulful
A voice reaching out in a piercing cry
It stays with you until

The feeling has gone only you and I
It means nothing to me
This means nothing to me
Oh, Vienna...


Those are just part of the lyrics to the song 'Vienna' by 'Ultravox'. Their lead singer is none other than 'Midge Ure'. It seemed a nice link to this post, hope you agree?

Why am I waffling on about Ultravox and their song Vienna? Well, I'm travelling to Vienna today so that I can attend, and present at the premier anti-malware and anti-spam conference of the year; this being Virus Bulletin's international conference.

This year it is back in Europe, which means that travel is easier, for me and the other Europeans that attend, although it is harder on those from the US, Canada and Asia-pacific.

I was informed that my paper is now on the main agenda and I get to 'do-my-thing' on Thursday morning [20th of September] on the corporate stream. This is the seventeenth time the conference has run, and the tenth time I have attended and presented at it.

For those of you that have forgotten, [shame on you! ;-)] my paper and presentation is on malware history and statistics. Here's the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscape of types of malware used and the now often confused classification situation.

The paper will be made available on my web site early next week. I will post an entry with a link to it once I have got back from Vienna. I will also try and post one of my usual conference reviews.

The video of the song can be found here. Enjoy!

BTW, for anyone reading this that is attending the conference please feel free to say hello or have a chat with me, I don't bite, honest! ;-)


August 2007 Malware Review

Well at least in August it was drier than both June and July; towards the end of the month it seemed that summer had at last returned, for a few days at least. Just as well as otherwise our summer, in the UK, occurred during April this year.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet. These systems are running on an aDSL link and are personal research projects that have been running for some time: WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 566 samples during August, which have been catalogued as just 20 distinct families and variants. In comparison during July I captured 499 samples which were catalogued as 25 distinct families/variants. As you can see the captures in August are slightly up from July's total.

During August I captured and submitted just one brand new malware strain/variant [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention, such as my VB2007 paper.

Even though August's statistics were up on July's, I still feel that the general trend is downwards. It appears that social-engineering is still the technique of choice this year.

During August I reported 77 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April. It now accounts for almost 82 percent of the samples captured in August.

There are seven [up from six] members of the Opaserv.worm family in August's chart. These are variants: AE, AI, D, AJ [a new entry], AC, AD and AH [AH is also a new entry] in second, third, fourth, fifth, sixth, eighth and tenth places respectively.

The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In August's chart we still have only one survivor [down from three in June], this being Q [aka P], down seven places from the runner-up spot in July to ninth.

The final slot left is taken by a re-entry, this being seventh place and the malware is our old friend Dupator.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for August, Mytob.c has finally managed to climb up the chart from seventh to fourth place. We also have another member of the Mytob family in August's top 10, this being Mytob.t, in at ninth place.

Netsky.q [aka P] has also climbed back up the chart from second place to the pole position it managed to grab back in June. It is joined by three [up from two in July] other family members, these being: Netsky.t, which has slipped down three places from fourth to seventh spot; Netsky.aa, which has reversed its direction, climbing once more from sixth to third place; and finally Netsky.b, which grabs tenth place.

Bagle.gt has reversed its slow journey down the chart, climbing back up one place from third to second.

Worm.Win32.Feebs.gen is static in August's chart, in fifth place.

The final remaining places in August's chart are taken by IMG-WMF.y, moving up two places from tenth to eighth, and finally we have Mydoom.l, up from eighth to sixth place in August's chart.

Kaspersky had this to say about August's chart:

"August once again turned out to be "dead season" for virus epidemics in 2007. Since August 2003, when the Lovesan worm caused the biggest epidemic in history, the final month of summer has typically been the quietest and most uneventful, as it is a period when both virus writers and antivirus professionals often go on holiday.
Even the waves of mass-mailings sent out by the Warezov and Zhelatin worms were missing in action in August. Warezov.pk, the leader in July, disappeared suddenly from our virus radar screens. However, it's worth remembering that the launching pad for Warezov.pk was created back in May by Trojan-Downloader.Win32.Agent.bcs. August's Top Twenty features a new program used to create botnets and the conditions for new epidemics: Trojan-Downloader.Win32.Agent.brk. It looks as though a significant new outbreak of email threats will strike in September."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netksy has further consolidated its grip on pole position.

Mytob has slipped down one place from the runners-up place, to third. The runner-up spot has been taken by Zafi which climbs up from the third place it held in July.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to fifth from fourth.

According to SOPHOS Sality is a new entry in August, in at ninth place; although according to my records it was in sixth place in July's chart. Most odd! Other new entries include, Troj/Pushdo straight into the chart in fourth place and Mal/Dropper straight in at seventh place.

Bagle also slipped down the chart during August, from sixth to eighth place.

There is one re-entry in August, this being Troj/Dloadr back into the chart in fifth place.

To complete the chart we have Mydoom in sixth, down one place from fifth and TraxG down three places from seventh to tenth.

Here is some commentary on August from Sophos:

"The figures, compiled by Sophos's global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.
Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies, and pop music videos. People visiting the sites are running the risk of having their PCs infected by malicious code which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties."




The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot; second, yet again.

The final step of the podium, third place, is occupied by Dupator which is up two places from fifth place in July.

Netsky has slipped from third to fourth place in August's chart.

We have one new entry in the chart in August; this is none other than IRCBot, straight in at fifth place.

As with the new entries, we have just one re-entry to the chart in August, this being, Lorez back into the chart in seventh.

The rest of the chart is made up of the following malware: Funlove, up four places from tenth to sixth place.

The more astute of you may have noticed that the top ten for August, contains only seven entries. This is because there are only seven families present in the captures for August.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of August] here. This clearly shows that August was busier than July. As shown in the figures for August, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards. The reason for the jumps during July and August is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected. This change in classification makes the figures look like the largest since October 2005.
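The classification change described above, attachment-less lure e-mails that link to a hosted executable being counted as malware alongside the classic attachment lures, can be written down as a small classifier. The following is an added illustration in Python, not the WormCharmer or Bayesian filter code; the extension list, the verdict names and the sample messages are all constructed here, with hosts taken from the RFC 5737 documentation range.

```python
"""Flag e-mails that carry an executable, attached or linked.

Added illustration, not the blog's WormCharmer or Bayesian filter code: an
e-card style message with no attachment but a link to a hosted .exe counts as
malware. Samples are constructed; hosts use the RFC 5737 documentation range.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from urllib.parse import urlparse

# Extensions treated as executable content, attached or linked (assumed list).
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd")
# Loose URL matcher; adequate for plain-text and simple HTML bodies.
URL_RE = re.compile(r'''https?://[^\s<>"']+''', re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Concatenate every text/* part of the message, decoded to str."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def executable_attachments(msg: Message) -> list:
    """Filenames of attached parts whose extension is executable."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if n.lower().endswith(EXECUTABLE_EXT)]


def executable_links(msg: Message) -> list:
    """URLs in the body whose path component ends in an executable extension."""
    hits = []
    for url in URL_RE.findall(body_text(msg)):
        url = url.rstrip(".,;)")
        if urlparse(url).path.lower().endswith(EXECUTABLE_EXT):
            hits.append(url)
    return hits


def classify(raw: str) -> str:
    """Verdict for one message: 'malware-attachment', 'malware-link' or 'clean'."""
    msg = message_from_string(raw)
    if executable_attachments(msg):
        return "malware-attachment"
    if executable_links(msg):  # no attachment, but the body links to an executable
        return "malware-link"
    return "clean"


def tally(raw_messages) -> dict:
    """Count verdicts over a batch, the way a monthly chart would be built."""
    counts = {"malware-attachment": 0, "malware-link": 0, "clean": 0}
    for raw in raw_messages:
        counts[classify(raw)] += 1
    return counts


# Constructed samples, not captured mail.
SAMPLE_ECARD = """\
Subject: You've received a postcard from a family member!
Content-Type: text/plain; charset="us-ascii"

Hi. A family member has sent you an ecard.
Click here to view it: http://192.0.2.10/ecard.exe
"""

SAMPLE_NFL = """\
Subject: Football Season Is Here!
Content-Type: text/html; charset="us-ascii"

<html><body><p>Track every game live this season:</p>
<a href="http://192.0.2.20/tracker.exe"><img src="http://192.0.2.20/logo.gif"></a>
</body></html>
"""

SAMPLE_CLEAN = """\
Subject: This week's newsletter
Content-Type: text/plain; charset="us-ascii"

Read this week's issue at http://example.net/news/2007-09.html
"""


def sample_with_attachment() -> str:
    """Classic attachment lure (a screen-saver executable), built with EmailMessage."""
    msg = EmailMessage()
    msg["Subject"] = "Photos from the party"
    msg.set_content("Remember this? Open the attachment!")
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                       subtype="octet-stream", filename="party_photo.scr")
    return msg.as_string()
```

Running tally over the four constructed samples gives one attachment verdict, two link verdicts and one clean message; the two link verdicts are exactly the kind of mail that an attachment-only rule would have let through, which is why the figures jump once such messages are counted.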



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 316,723 at the end of August. That's a growth of 94,250 new malware strains and/or variants so far in 2007, in August the number jumped by over 12,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 125,600. Things have certainly speeded up during the second and third quarters of 2007!


What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - July has continued during August, if anything it has accelerated. Otherwise, on the malware front, as confirmed by Kaspersky it was a rather 'dead' month with regard to major outbreaks.

We have surprisingly seen a slight drop in the level of spam during August and a move by the spammers towards using other file formats to try and bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during August. This is clearly shown in the massive jump in the percentage of phishing scams I've seen during August.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, rest of the year!

Links:


Sunday, 9 September 2007

NFL = Nuwar File Link?

Heads-up, there is another new 'Storm Worm' run in progress. This one is using a new topic, American Football [NFL], as the bait, which is not one we've seen them use before.

This is what one of the new e-mails look like:



And here is what you'll see if you click on the link:



What you won't see is that, as usual, on a vulnerable system your machine is being compromised and infected in the background, without any need for you to click on the link in the webpage. You are fully patched, aren't you? Even if you are fully patched, do not download and run the file offered, as it is malware. Every link on the page is to the malware file, currently named 'tracker.exe'.

More data on the file can be found here: http://momusings.com/vsub/2007/09/vs0709002-possible-new-malware.html

I've submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.

UPDATE:
According to F-Secure: "What's interesting is that the website they want you to visit doesn't contain exploit code anymore. To become infected you have to click on one of the links or on the picture (they all point to the same file tracker.exe) and run the file. Still, this can change at any moment so don't click on any links you receive in these e-mails. "

I bet that the exploit code will be back soon, as soon as the malware authors responsible find that they are only infecting less than 50 percent of the systems they usually do. Maybe it is some sort of experiment to gauge just how successful social engineering is on its own?


Thursday, 6 September 2007

New Storm Worm Run...

Heads-up, there is a new 'Storm Worm' run in progress.

This is what one of the new e-mails look like:



And here is what you'll see if you click on the link:



What you won't see is that on a vulnerable system your machine is being compromised and infected in the background, without any need for you to click on the link in the webpage. You are fully patched, aren't you? Even if you are fully patched, do not download and run the file offered, as it is malware.

More data on the file can be found here: http://momusings.com/vsub/2007/09/vs0709001possible-new-malware-tibsnuwar.html

I've submitted the file to the anti-virus vendors, so detection should be near complete within 24 hours.


Monday, 20 August 2007

July 2007 Malware Review

July has come and gone and like June in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from more flash or prolonged flooding for parts of the month.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet. These systems are running on an aDSL link and are personal research projects that have been running for some time: WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 499 samples during July, which have been catalogued as 25 distinct families and variants. In comparison during June I only captured 209 samples which were catalogued as 31 distinct families/variants. As you can see the captures in July are significantly up from June's total.

During July I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is partly due to other work requiring my attention.

Even though July's statistics were up on May's, I still feel that the general trend is downwards. It seems that social-engineering is still the technique of choice so far this year.

During July I reported 90 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are six [up from five] members of the Opaserv.worm family in July's chart. These are variants: D, AE, AI [AI is a new entry], AC, AD and K [AD and K are re-entries] in third, fourth, sixth, seventh, eighth and ninth places respectively.

The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In July's chart we have only one survivor [down from three in June], this being Q [aka P], up two places from fourth to the runner-up spot.

Zapchast which managed to steal the final podium position in June has fallen on hard times and slipped down the chart to the final place; tenth.

The final slot left is taken by a new entry, this being fifth place and the malware is also a new one, in this case it is: Packed.Win32.PolyCrypt.b which is spreading via open shares in much the same way that the Opaserv family does.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for July once more has Mytob.c in seventh place which it managed to climb to back in February, it seems to have setup home there and put down roots!

Netsky.q [aka P] has slipped back down from the pole position it managed in June to the runner-up spot it last held in March. It is joined by two [down from three in June] other family members, these being: Netsky.t, which has slipped down one place from third to fourth spot, and Netsky.aa, which has slipped back down to the position it last held in May's chart, dropping two places from fourth to sixth.

Bagle.gt has restarted its slow journey down the chart, slipping back down one place from second to third.

Worm.Win32.Feebs.gen has reversed last month's slippage and climbed back up one place from sixth to fifth.

The remaining places in July's chart go to Warezov.pk, straight in at number one, Nyxem.e in at ninth, and finally IMG-WMF.y grabbing the final place in July's chart.

Kaspersky had this to say about July's chart:
"On the whole, despite the blast-off of Warezov.pk, which was first detected on June 26 and peaked in early July, the situation remains stable (it is actually quite rare for the rankings to be so stable, with Warezov.pk being one of only two newcomers to the Top Twenty). The conditions are not favorable for new global epidemics, so the main threat is posed by local attacks targeting users from individual countries."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has consolidated its grip on the pole position it lost during May and regained in June.

Mytob has also managed to consolidate its hold on the runners-up place it grabbed in June after being static in third place back in April and May.

The final step of the podium; third, is taken by Zafi which climbs up from the sixth place it held in June.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to fifth from fourth.

November's new entry, Sality has reversed its progress up the chart, slipping down one place from fifth to sixth during July.

Bagle also slipped down the chart during July, from sixth to eighth place. Meanwhile Nyxem.D [aka MyWife] has fallen right out of the top ten during July and Mal/Iframe has slipped one place from third to fourth.

There is one re-entry in July, this being Mal/Clagger back into the chart in ninth place.

To complete the chart we have two new entries, these are: Troj/Agent in at the seventh spot, and W32/Strati which just scrapes into the chart in tenth.

Here is some commentary on July from Sophos:

"The security dangers of the web still aren't fully registering with a great many businesses - this is providing rich pickings for hackers hell-bent on gaining access to sensitive information," said Carole Theriault, senior security consultant at Sophos. "It's no surprise to see legitimate webpages targeted for these attacks - businesses generally aren't too strict about stopping their employees accessing these websites, while the sites themselves will already have their own daily flow of user traffic, saving hackers the trouble of trying to entice unenlightened web surfers."




The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is headed up by the September 2005 leader, Tenga, which has regained the crown it lost in June when Opaserv stole it. Opaserv has had to settle for the runner-up spot; second.

The final step of the podium, third place, is once more occupied by Netsky which is static in July.

Zapchast, which stormed up the chart from ninth to fourth place in June, has once more slipped back down the chart; however, this time it is only two places, from fourth to sixth.

W32.Dupator has consolidated the fifth place it managed to claim in June's chart.

We have one new entry in the chart in July; this is none other than Polycrypt, straight in at fourth place.

As with the new entries, we have just one re-entry to the chart in July, this being, Zhelatin back into the chart in seventh.

The rest of the chart is made up of the following malware: Spaces, down one place to eighth, MyDoom, down one place to ninth and finally Funlove, static in tenth place.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of July] here. This clearly shows that July was busier than June which was the quietest month since I started keeping these statistics. As shown in the figures for July, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards. The reason for the jump during July is that I've adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers. This makes the figures look like the largest since January 2006.
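As an added illustration of the kind of Bayesian classification this paragraph describes [example code written for this page, not the author's filtering tool; the training messages, test messages and 192.0.2.x hosts in it are constructed], here is a minimal word-probability filter in the style of Paul Graham's 'A Plan for Spam'. It treats the host of every URL as a token alongside ordinary words, which is what lets an attachment-less 'e-card notification' be scored as malware once a few such messages are in the training set:

```python
"""Minimal Bayesian e-mail classifier (added example, not the author's tool).

Two classes, 'ham' and 'malware'; per-token probabilities are combined over the
most 'interesting' tokens, as in Paul Graham's 'A Plan for Spam'. URL hosts are
tokenised as 'host:<name>' so the filter learns where a message's links point,
not only what its text says. All training/test messages below are constructed;
192.0.2.0/24 is a documentation range and the hosts do not exist.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9'.\-]*[a-z0-9]|[a-z0-9]", re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s>\"']+)", re.I)


def tokenize(text):
    """Lower-cased word tokens (3+ chars) plus a 'host:' token per URL host."""
    tokens = {"host:" + h.lower() for h in URL_HOST_RE.findall(text)}
    tokens.update(t.lower() for t in TOKEN_RE.findall(text) if len(t) > 2)
    return tokens


class BayesianFilter:
    def __init__(self):
        self.tokens = {"ham": Counter(), "malware": Counter()}
        self.messages = {"ham": 0, "malware": 0}

    def train(self, text, label):
        self.messages[label] += 1
        self.tokens[label].update(tokenize(text))

    def token_probability(self, token):
        """P(malware | token). Ham counts are doubled to bias against false
        positives; a never-seen token returns None and is ignored."""
        bad = self.tokens["malware"][token]
        good = 2 * self.tokens["ham"][token]
        if bad + good == 0:
            return None
        p_bad = min(1.0, bad / max(1, self.messages["malware"]))
        p_good = min(1.0, good / max(1, self.messages["ham"]))
        return min(0.99, max(0.01, p_bad / (p_bad + p_good)))

    def score(self, text, n=15):
        """Combine the n token probabilities furthest from 0.5 into one score."""
        probs = [p for p in map(self.token_probability, tokenize(text)) if p is not None]
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:n]
        prod = math.prod(probs)
        inv = math.prod(1.0 - p for p in probs)
        return prod / (prod + inv)

    def classify(self, text, threshold=0.9):
        return "malware" if self.score(text) >= threshold else "ham"


# Constructed training data (not real captures).
HAM_TRAINING = [
    "Hi Bob, meeting moved to 3pm tomorrow, see the agenda at http://intranet.example.com/agenda",
    "Thanks for the report, the figures for June look fine, regards Alice",
    "Lunch on Friday? The usual place. Cheers",
]
MALWARE_TRAINING = [
    "You have received a postcard from a Worshipper! Pick up your e-card at http://192.0.2.10/",
    "Virus Detected! Your computer is infected, download the patch at http://192.0.2.11/patch.exe",
    "Hi, you have a greeting card from a Class-Mate waiting at http://192.0.2.12/ecard.exe",
]
# Constructed test messages: a link-only e-card notification and a normal note.
ECARD_TEST = "You have received a greeting card from a Neighbor. To see your e-card click http://192.0.2.10/ecard.exe"
HAM_TEST = "Hi Alice, are you free for lunch on Friday? See you at the usual place."


def build_demo_filter():
    f = BayesianFilter()
    for text in HAM_TRAINING:
        f.train(text, "ham")
    for text in MALWARE_TRAINING:
        f.train(text, "malware")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for text in (ECARD_TEST, HAM_TEST):
        print(f"{f.score(text):.4f} {f.classify(text):8} {text[:60]}")
```

The clamping to [0.01, 0.99] and the doubled ham count are the usual guards against a single rare token deciding the verdict; with a real corpus the threshold and the number of tokens combined would be tuned against measured false-positive rates rather than fixed as here.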



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 304,153 at the end of July. That's a growth of 81,680 new malware strains and/or variants so far in 2007; in July alone the number jumped by over 28,000. If I extrapolate seven months' growth over the full year, my guesstimate for the growth in malware in 2007 would be around 140,000. Things have certainly speeded up during the second and third quarters of 2007!


What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - June has continued during July, if anything it has accelerated.

We have surprisingly seen a slight drop in the level of spam during July and a move by the spammers towards using other file formats to try and bypass anti-spam defences.

The Phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during July. This is reflected in the jump in the percentage of phishing scams I've seen during July.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. It works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, rest of the year!

Links:


Wednesday, 8 August 2007

Doing It By The Numbers

Here's something new, that is also old too, confused? No need to be, all will be made clear [hopefully?] before the end of this post.

Do any of you out there in blogland recognise the following screenshot of one of a number of e-mails I received yesterday and today?



Does it look familiar?

Well, for those of you that follow these things, the last time we saw e-mails like this [consisting of nothing but numbers, both decimal and hex] they were attributed to the 'Bagle' [aka Beagle] e-mail worm. It was claimed, at that time, that the e-mails were a form of 'e-mail probe' to allow the authors to clean their 'victim' list of e-mail addresses that are no longer valid, or that now sit behind better anti-malware and anti-spam defences.

So, the question we should ask now, is this a 'warning' that a major e-mail worm attack is going to happen soon? Not forgetting the current 'Storm Worm fake e-cards e-mails' that are currently swamping e-mail inboxes across the world.

Also bear in mind that a number of the worst malware 'epidemics' have occurred in late summer, August in particular. Anyone remember 'Blaster and Welchia', 'Sobig' or 'Zotob' [all August], or 'Nimda' [September]?

You know what to do: make sure your defences are in place and up to date, and DON'T open any attachments or links in e-mails that you were not expecting, even from someone you know and trust. Remember, the malware authors, spammers and scammers almost always 'spoof/forge' e-mail addresses now, so the e-mails almost never come from who they claim to have been sent by.

Stay safe and alert!

By the way, don't you just love the name used in the e-mail screenshot?


Friday, 27 July 2007

Asked By A Reader...

The following question was asked by a reader of this blog. As it was a good question and the answer is quite involved, I told the reader that I'd cover it later as a separate blog entry, so here we go.

Here's the question:

"Since you are discussing Spam I will ask a question that I've had for some time. Why can't email vendors (google, AOL, MSN, etc.) setup on one of their gateways to return emails as undeliverable, if their customer puts the mail in a Spam folder. Won't that result in the Spammer removing the email from their distribution list after a few undeliverable messages?"

And here's the answer:

Nice idea, if the vast majority of spammers:

  • Didn't fake [spoof] the address that the e-mail appears to be from. The real spammer rarely sees any bounces, as all bounced mail ends up going to the e-mail address that the spammers stole [this flood of misdirected bounces is known as backscatter]. When it is done intentionally to discredit a company or individual it is known as a 'Joe Job'.

  • Didn't totally ignore unsubscribe requests. In fact, an unsubscribe request only makes the e-mail address you try to unsubscribe more valuable to the spammers, as it proves the address is active. You will get more, not less, spam if you insist on using them.

  • Weren't criminals using botnets to send 90 percent of their 'crud'. As these criminals send through computers that they have infected with malware, they have little to fear from their own ISPs.

So, the bottom line is, nice idea, but it is completely unworkable using the current SMTP standards. SMTP2 anyone?

A quick update on my latest anti-spam experiment:

Since my last posting I've received just 12 spam/malware e-mails which managed to sidestep the new defences. To put this in context, before I put these new techniques in place I usually received around 1,000 e-mails a day, of which about 90 percent were spam; so instead of around 900 spam e-mails a day, I'm now getting about 6!

So, does anyone have any other questions they would like me to try and answer, or have anything to say about this one?

* I'll cover this in detail in another posting.


Wednesday, 25 July 2007

Experiments In Spam

No. This doesn't mean I've been dabbling in creating or sending spam...Quite the opposite, in fact.

Last night I took a step into the unknown, I made major changes to the way I deal with spam arriving at my personal mail server. Why?

Well, at the moment I use a mix of Bayesian filtering, custom filtering rules and a DNS Blacklist to tag known spam. This works well, as I still get to see the spam so that I can analyse it, generate statistics, etc. which I use for trend analysis, in reports [such as my Monthly Malware Reviews], presentations and so on.

However, I just don't have the spare capacity to manage this at the moment as I have other commitments that need to be given 90 percent or more of my time so that I can complete them.

To this end I thought I'd try a different approach to spam.

What I put in place last night are a number of techniques which I'm using to no longer just flag [tag with custom headers] spam [so they can be filtered out and analysed later]. Instead I'm actively rejecting it at my mail server using a mixture of custom Content Control/Compliance rules, DNS blacklists [such as Spamhaus and Spamcop], and Graylisting.

My Bayesian classifier will still be used to deal with anything that gets through. I estimate that using Graylisting and aggressive DNS blacklisting will drop the amount of spam I have to process down to around 10 percent, rather than the 90 percent it stands at now, as you can see from the following graph:



Early results seem to confirm my estimates, as overnight my usual haul of spam* has dropped from the typical 400-600 to just 12, quite an effect!

Furthermore, it appears from these early results that several spammers, scammers and malware authors have already adapted their tools/techniques to handle Graylisting. Normally the mail is sent, is rejected [temporarily], and is never seen again [as happens with most spam/scams/malware distributed via e-mail]. Instead, the 'Bad Guys and Girls' appear to have added a 'retry' feature to enable them to slip past Graylisting as if they were a real 'mail server' which fully supports the relevant RFCs [SMTP standards].

To check this, I have investigated the raw e-mail headers and I can confirm that not one of these 'spammy' e-mails that managed to get past the Graylisting tool used a third party MX, they ALL came directly from the infected [bot controlled] system or spammers own system, usually a DSL connected PC.

So, it looks like Graylisting may only be useful for a while. I suspect the approach that will cope best is, as usual, Defence in Depth.
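As an added example of the mechanism described in this post [and of the point made in the 'Asked By A Reader' answer above, that spam should be refused at SMTP time rather than accepted and bounced], here is a Graylisting decision function with a DNS blacklist check in front of it. This is example code written for this page, not the author's mail server configuration; the client IPs, sender addresses and blacklist contents are constructed [203.0.113.0/24 and 198.51.100.0/24 are documentation ranges], and the blacklist is an in-memory set standing in for a real DNSBL query:

```python
"""Graylisting plus DNSBL at SMTP time (added example, not the author's setup).

A 4xx or 5xx reply here goes back to the connecting client during the SMTP
session, so nothing is accepted and bounced later and a forged sender address
never receives backscatter. The scripted scenario shows the weakness the post
observes: a bot that retries gets past Graylisting alone, so the DNSBL check
is layered in front of it.
"""
import ipaddress
import time

GREYLIST_DELAY = 300             # seconds a sender must wait before a retry is accepted
GREYLIST_WINDOW = 4 * 3600       # a triplet not retried within this is forgotten
AUTO_WHITELIST = 36 * 24 * 3600  # a triplet that passed stays whitelisted this long

# Constructed stand-in for a DNSBL such as Spamhaus or Spamcop. A real check
# reverses the octets and looks up e.g. 23.100.51.198.<zone>; an answer = listed.
DNSBL_LISTED = {"198.51.100.23"}


class Greylist:
    """Keyed on the (client IP, envelope sender, envelope recipient) triplet:
    first contact is temporarily rejected, a retry after the delay is accepted
    and the triplet is then remembered."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the scenario can run instantly
        self.pending = {}       # triplet -> time first seen
        self.passed = {}        # triplet -> time last accepted

    def check(self, client_ip, envelope_from, envelope_to):
        key = (client_ip, envelope_from.lower(), envelope_to.lower())
        t = self.now()
        if key in self.passed and t - self.passed[key] < AUTO_WHITELIST:
            self.passed[key] = t
            return "250 2.0.0 OK"
        first = self.pending.get(key)
        if first is None or t - first > GREYLIST_WINDOW:
            self.pending[key] = t
            return "451 4.7.1 Greylisted, please try again later"
        if t - first < GREYLIST_DELAY:
            return "451 4.7.1 Greylisted, please try again later"
        del self.pending[key]
        self.passed[key] = t
        return "250 2.0.0 OK"


def dnsbl_listed(client_ip, listed=DNSBL_LISTED):
    ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    return client_ip in listed


def smtp_decision(greylist, client_ip, envelope_from, envelope_to):
    """Reply to give at RCPT TO time; cheapest and most decisive check first."""
    if dnsbl_listed(client_ip):
        return "554 5.7.1 Client host blacklisted"
    return greylist.check(client_ip, envelope_from, envelope_to)


class FakeClock:
    def __init__(self):
        self.t = 0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_scenario():
    """Scripted (constructed) SMTP attempts; returns the reply code for each."""
    clock = FakeClock()
    gl = Greylist(now=clock)
    me = "me@example.net"
    replies = []
    # 1. a real MX: deferred first, retries ten minutes later and is accepted
    replies.append(smtp_decision(gl, "203.0.113.5", "alice@example.org", me))
    clock.advance(600)
    replies.append(smtp_decision(gl, "203.0.113.5", "alice@example.org", me))
    # 2. fire-and-forget spambot: deferred once and never seen again
    replies.append(smtp_decision(gl, "203.0.113.77", "bob@forged.example", me))
    # 3. retry-aware bot on an unlisted IP: the 30 s retry is still deferred,
    #    the one after the delay passes; Graylisting alone does not stop it
    replies.append(smtp_decision(gl, "203.0.113.99", "carol@forged.example", me))
    clock.advance(30)
    replies.append(smtp_decision(gl, "203.0.113.99", "carol@forged.example", me))
    clock.advance(GREYLIST_DELAY)
    replies.append(smtp_decision(gl, "203.0.113.99", "carol@forged.example", me))
    # 4. retry-aware bot on a DNSBL-listed IP: refused outright, retrying never helps
    replies.append(smtp_decision(gl, "198.51.100.23", "dave@forged.example", me))
    return [reply[:3] for reply in replies]


if __name__ == "__main__":
    print(run_scenario())
```

The delay, window and whitelist lifetime are typical values rather than anything the post specifies; the order of checks matters because a DNSBL lookup is cheap and final, whereas Graylisting only buys time.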

No doubt I'll make some changes to the current configuration, tweaking it, maybe adding/removing things, either way, I'll keep you posted...In the meantime, a question for you:
"How do you deal with spam?"

On the spam front there have been a couple of new developments, but that's another posting ;-)

* In this case spam refers to not only UCE [Unsolicited Commercial E-mail], but also Malware and Scams [Phishing and 419s] too.


Tuesday, 24 July 2007

Articles and Book Reviews

You might remember that I had been writing a number of articles for the Virus Bulletin magazine and I mentioned that I'd let you all know when I would have copies available on my website, well now I do:

So, to refresh your memory, here's a snippet about the latest article which I mentioned in the 'Watch Out, Watch Out, There's an E-card About!' posting on the 3rd of July:

"In a rather 'twilight zone' moment, last month I wrote an article on the use of HTML based e-mail and the use of e-cards [fake ones] by the 'Bad Guys and Girls' for the Virus Bulletin magazine; this was before the latest attacks started....most spooky.

The article has just been published in the July issue, so no, the 'Bad Guys and Girls' didn't use the data and other information contained in the article I wrote for VB. I will make a copy of the article available early next month. Many thanks to VB for allowing me to do this."


Here's a link to the article: [PDF format]

The other article I recently wrote for 'Virus Bulletin' was a book review on a subject that I've both blogged about and written a paper on, this being: 'Bots and Botnets'. The book was recently published by Syngress and is the first [to the best of my knowledge] book which focusses on this area.

Here's a link to the book review I wrote: [PDF format]

If you want to add the book to your library or to see other reviews, then feel free to click on the relevant link below:



As usual all my other published articles and papers can be found here or here.


Monday, 23 July 2007

June 2007 Malware Review

'Flaming June' has come and gone, however in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from flash or prolonged flooding for parts of the month.
We are now past the halfway point of 2007 and I'll include some comments on trends, etc. that have occurred during the first half of the year.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured only 209 samples during June, which have been catalogued as 31 distinct families and variants. In comparison during May I captured 800 samples which were catalogued as 35 distinct families/variants. As you can see the captures in June are significantly down from May's total.

During June I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The June statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.


During June I reported just 26 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are just four [down from five] members of the Opaserv.worm family in June's chart. These are variants: AE, D, I and AC in second, seventh, eighth and tenth places respectively.

The Netsky family is back in the top ten again after dropping out of the chart completely in May. We have a trio of family members in June's chart, these are: Q [aka P] back in at fourth place, Y back in at fifth and finally X back in at sixth place. Looks a bit like the London Bus effect: wait for ages for one to appear, and then three appear at the same time!

As with Netsky, we have one final re-entry in June's top ten, this being Zapchast which has managed to steal the final podium position coming back in to the third spot.

The final slot left is taken by Dupator, which is up one place from tenth to ninth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for June once more has Mytob.c in seventh place which it managed to climb to back in February, it seems to have setup home there and put down roots!

Netsky.q [aka P] has climbed up from the runner-up spot it held in March and lost in April to snatch pole position in June's chart. It is joined by three other family members. Netsky.t, February's pole sitter, which slipped down to fourth during March and was back in first place in May, has fallen two places to occupy the final step of the podium, third place; mirroring that change, Netsky.aa has gained two places, up from sixth to fourth.

Bagle.gt has further reversed its slow journey down the chart, climbing back up the chart one more place from third to take the runner-up spot; second.

Worm.Win32.Feebs.gen has fallen back down one place from fifth to sixth effectively reversing its progress from May.

We have three new entries in June's chart, these are all members of the same family, this being Warezov. We have variant OZ straight in to the chart in fifth place, variant OV occupying the eighth spot, and finally variant OP in ninth place.

To complete the top ten, we have a re-entry, this being an oldie; Mydoom-L which takes the final slot in tenth place.

Kaspersky had this to say about June's chart:

"After a long break, first place was again taken by the all-time leader of 2004 and 2005: the NetSky.q worm. Right on its heels is a worm from an equally old family, Bagle.gt. Meanwhile, NetSky.t, the leader in May, slipped very slightly down the table, ending up in third place.

Probably the most noteworthy event this month was the disappearance of May's rabble-rouser, Sober.aa. This virus appeared after a six-month stint in the shadows, suddenly taking fourth place before disappearing again. Will we be seeing this family in our reports again? I suspect not".



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has regained the pole position it lost during May. May's pole sitter, Sober, has once more dropped out of the top ten.

Mytob has managed to climb up the chart one place, to steal the runners-up place on the podium after being static in third place back in April and May.

The final step of the podium; third, is taken by a new entry which has only appeared in SOPHOS's web threat chart before. This new entry is Mal/Iframe.

Here is some commentary on it from Sophos:
"Interestingly, Mal/Iframe's appearance in the email-based chart demonstrates that it is not limited to only infecting via the web. Hackers can embed the malware into emails using HTML to exploit users".

Mydoom which was a re-entry in November's chart has recovered more ground during June after falling to seventh place in April and climbing to fifth in May, it is now up one more place to fourth.

November's new entry, Sality has reversed its slide down the chart, jumping up three places from effectively eighth place in May to fifth in June.

Zafi-D, which dropped from February's fourth to sixth place in March and climbed back to fifth in April, has now halted its slide and is sitting in sixth place, as it was in May.

Bagle is up a single place in June's chart from eighth to seventh place. Meanwhile Nyxem.D [aka MyWife] is static in tenth place.

To complete the chart we have two re-entries, these are: Mal/DownLdr in eighth and W32/Stratio in ninth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is not headed up by the September 2005 leader, Tenga. Its crown has been stolen once more, this time by Opaserv. Tenga has been forced to accept the runners-up spot; second in June.

The final step of the podium, third place, has been occupied by Netsky which is up from the fifth place it held in May.

Zapchast which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March then suffered a setback, slipping down to eighth place in April and to ninth in May, has experienced a major turn around, storming back up the chart and taking fourth place in June.

W32.Dupator has moved up one place in June from sixth to fifth place.

The rest of June's chart is made up by re-entries, these are: Tibs, Spaces, MyDoom, Small and finally Funlove, in sixth, seventh, eighth, ninth and tenth places respectively.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of June] here. This clearly shows that June was busier than May which was the quietest month since I started keeping these statistics. As shown in the figures for June, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 275,995 at the end of June. That's a growth of 53,522 new malware strains and/or variants in the first half of 2007, in June the number jumped by over 10,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 107,044. Things have certainly speeded up during the second quarter of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in June 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - May has continued in June, if anything it has accelerated.

We have seen another rise in the level of spam during June and this may have dented the figures for 419s, Phishes and Malware arriving via e-mail alike; only time will tell.

The Phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity [as can be seen in the article I have included in this months report]. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Another trend which has made itself very obvious during the first half of the year is that of the malware authors relying on social engineering to get victims to infect their computers, rather than having to use exploit code or include mass-mailing or other infection routines into their creations.

The final trend I wish to mention that has become prevalent this year, and ties up with the social engineering comments above, is that the malware authors and cyber-criminals are increasing their use of web sites to hold their malware and sending e-mails that contain nothing more than a link to it. In many cases this is not just a single web site, but can be as many as 10,000.

Looks like we could be in for a very interesting second half of the year!

Links:


Monday, 9 July 2007

Fake Malware Alert E-mails

It seems that the so-called 'Storm-Worm Gang' has decided to change their social engineering approach again. Originally they used fake [and real] news items to get potential victims to infect their computers; they then moved on to 'Fake e-card notifications' [which I've blogged about several times over the last week or so]. They have now decided to try a new approach [for them, anyway]: warning e-mails that claim your computer is infected with a virus, worm or trojan.

This is what they tend to look like at the time of writing this:

'Virus' Variant Screen Shot:


'Worm' Variant Screen Shot:


As you can hopefully see these e-mails do not have any attachments, instead they include a link to where the fake 'patch' is hosted. The patch is not a patch at all, but malware. At the time of writing this the malware hosted was a new variant of Tibs, however this will almost certainly be changed over the next week, at least once, maybe more often. This enables the 'Bad Guys and Girls' to evade [or try to] any anti-malware defences that you may have in place.

So far I've seen the following subject lines used:

  • Alert!

  • ATTN!

  • Trojan Detected!

  • Virus Activity Detected!

  • Virus Alert!

  • Virus Detected!

  • Warning!

  • Worm Activity Detected!

  • Worm Alert!

  • Worm Detected!

And they have used the following from names [along with random e-mail addresses]:

  • Abuse Team Robot

  • Administrator

  • Customer Support

  • Customer Support Center

  • Mailer-Deamon

  • Postmaster

Expect these e-mails to mutate over the next week or so before the 'Storm-Worm Gang' change tack once more.


Wednesday, 4 July 2007

Independence Day Greetings

A new wave of e-card notification e-mails which use the American Independence Day as a theme has been circulating overnight, these are the subject lines I've seen so far:

  • 4th Of July Celebration

  • American Pride, On The 4th

  • America's 231st Birthday

  • Americas B-Day

  • America the Beautiful

  • Celebrate Your Independence

  • Celebrate Your Nation

  • Fireworks on The 4th

  • Fourth of July Party

  • God Bless America

  • Happy 4th of July

  • Happy B-Day USA

  • Happy Birthday America

  • Happy Fourth of July

  • Independence Day At The Park

  • Independence Day Celebration

  • Independence Day Party

  • July 4th B-B-Q Party

  • July 4th Family Day

  • July 4th Fireworks Show

  • Your Nations Birthday

And here is a screen shot of one of the latest versions:



So far all the links [that work] show the same web content as the screenshot from my original article on e-cards [Watch Out, Watch Out, There's an E-card About!]. However, it may well change at some point.

By all means enjoy the holiday, but don't let your common sense take a break too.


Tuesday, 3 July 2007

Watch Out, Watch Out, There's an E-card About!

As some of you may have noticed we are seeing a massive campaign by the 'Bad Guys and Girls' who are using social engineering techniques via fake e-card notification e-mails. Here is a screenshot of just part of one of the e-mail folders I have full of these e-mails:



Here's a screenshot of what just one of these look like now:



Oh, it is nice to be worshipped ;-). I've had ones that claim to come from a:

  • Class-Mate

  • Colleague

  • Family Member

  • Friend

  • Mate

  • Neighbor

  • Neighbour

  • Partner

  • School-Mate

  • School Friend

  • Worshipper

They claim to come from many 'real' e-card sites, such as:

  • 123Greetings.com

  • 2000Greetings.com

  • All-Yours.net

  • AmericamGreetings.com

  • Bluemountain.com

  • DGreetings.com

  • E-Cards.com

  • Freewebcards.com

  • Funnypostcard.com

  • Greet2k.com

  • Greeting-cards.com

  • Hallmark.com

  • ILoveCards.com

  • Mypostcards.com

  • NetFunCards.com

  • Postcards.com

  • Postcards.org

  • Riversongs.com

  • VintagePostcards.com

Of course, when you click on the link you go to another site, not the one you expect to go to. Here's a screenshot of one of the web pages you could end up on if you click on the link in one of these 'fake e-card' e-mails.



Yeah right, 'testing a new browser feature', sure they are! What they are doing is running exploit code, and if that fails they can always use social engineering to get the visitor to the site to infect their own computer by clicking on the link and running the file.

Before that the fake e-card e-mails looked like this:



And in one wave they turned rather messy, sort of an 'everything-but-the-kitchen-sink' variant ;-):



What a mess, eh?

In a rather 'twilight zone' moment, last month I wrote an article on the use of HTML based e-mail and the use of e-cards [fake ones] by the 'Bad Guys and Girls' for the Virus Bulletin magazine; this was before the latest attacks started....most spooky.

The article has just been published in the July issue, so no, the 'Bad Guys and Girls' didn't use the data and other information contained in the article I wrote for VB. I will make a copy of the article available early next month here. Many thanks to VB for allowing me to do this.

The main problem with the recent waves of fake e-card e-mails we have been seeing is that the link to the 'fake e-card' often takes you to a website that contains the following payloads, which can automatically infect your computer just by visiting it with a system that isn't fully patched:

  • Various Browser Exploits.

  • Various Windows Exploits.

  • A download [fake e-card] which is actually malware.

As I've often mentioned here, the 'Bad Guys and Girls' seem to be using social engineering as their primary tool to try and get you to infect your own computer, so be very careful and make sure your system is fully patched and protected if you must let curiosity get the better of you.....don't make their job easier.


Wednesday, 20 June 2007

May 2007 Malware Review

The 'Darling Buds of May' have now finished blossoming and we are almost halfway through 2007, now that 'Flaming June' is upon us.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 800 samples during May, which have been catalogued as 35 distinct families and variants. In comparison during April I captured 736 samples which were catalogued as 40 distinct families/variants. As you can see the captures in May are very slightly up from April's total.

During May I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The May statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During May I reported 70 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has consolidated the pole position it took back last month after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart. In contrast to Tenga, W32.Kasper.A has completely fallen out of the top ten in May along with W32.Sality.AD which grabbed the final podium place, in third.

So, because of that we have two members of the Opaserv.worm family [ae which is up 3 places and d which is a re-entry] in second and third places respectively.

There are five other members of the Opaserv.worm family in May's chart, up from just three representatives in April's chart. These are variants ah, ai, I, ac and k in fifth, sixth, seventh, eighth and ninth places respectively. Quite a turn-around in fortunes for this family!

Other casualties in May's chart include: IRC.Zapchast, Virus.Win32.Virut.a, W32/Netsky.P and Zhelatin.cq.

The last two places are claimed by Trojan-Downloader.Win32.Agent.bjo, which is a new entry straight in at fourth place, and W32.Dupator, which is a re-entry back in the chart in tenth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for May still has Mytob.c in seventh place which it managed to climb to in February, it seems to have set up home there.

Netsky.q has regained the runner-up spot it held in March and lost in April. It is joined by three other family members, these being: Netsky.aa, which regained the sixth place it claimed in March after falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place in May; and finally Netsky.b has slipped one place from ninth to tenth.

Bagle.gt has reversed its slow journey down the chart, climbing back up the chart one place from fourth to third. Worm.Win32.Feebs.gen has also climbed up one place from sixth to fifth place.

We have two new entries in May's chart, these are: Email-Worm.Win32.Sober.aa straight in the chart in fourth place and Trojan-Downloader.Win32.Agent.bqs four places below it in eighth place.

To complete the top ten, we have Scano.gen which has managed to climb one place from tenth to ninth place.

Kaspersky had this to say about May's chart:
"A first look at the top of the table for May might give the impression that we've slipped back in time to the end of 2005. You can rub your eyes as hard as you want but it won't change anything - Netsky, Bagle and Sober are topping the rankings again, just as they were a few years ago. "



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has finally lost its grip on pole position during May and we have a new pole sitter, this being Sober, which is a re-entry into the top ten.

Here is some commentary on it from Sophos:
"In May, Sober was the most prevalent email-borne attack, toppling Netsky from its top position and accounting for almost one third of all threats. Sober's dominance in the chart is primarily due to a huge outbreak on May 1st that coincided with May Day across Europe. During this 24-hour period, Sober accounted for nearly 70 percent of all infected email identified by Sophos."

Zafi-D, which dropped from February's fourth to sixth place in March and then reversed its slide down the chart, ending up in fifth place in April, is on the slide again, slipping down one place to sixth in May.

Meanwhile Nyxem.D [aka MyWife] has dropped another place in May; down from ninth to tenth place.

Stratio-Zip has consolidated its grip on fourth place, after falling out of the chart in February, and Mytob has likewise remained static in third place, which it grabbed back in December 2006.

Mydoom which was a re-entry in November's chart has recovered some ground after falling to seventh place in April; it is now up two places to fifth. November's new entry, Sality has lost one more place in May, down from sixth to joint seventh place in May's chart.

We have just one new entry in May's chart, this being Mal/Behav sharing seventh place with Sality.

To complete this month's top ten Bagle drops a single place from eighth to ninth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife] which stole Tenga's crown in March has completely disappeared from the chart in May.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to climb one place from the final step on the podium up to the runner-up spot; second.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times: after slipping down to eighth place in April it has lost more ground and slides down one more place to ninth. Netsky is static in fifth place.

We have two re-entries in May, these are: Email-Worm.Win32.Warezov and W32.Dupator in fourth and sixth places respectively.

One of March's new entries, Virut has consolidated its hold on seventh place in May's chart. Talking of new entries, we have three in the top ten for May, these are: Trojan-Downloader.Win32.Agent, Trojan-Spy.Win32.Banker and Trojan.BAT.Runner.b coming into the top ten in third, eighth and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.



Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of May] here. This clearly shows that May was the quietest month since I started keeping these statistics. As shown in the figures for May, the overall trend is still downwards, and we will continue to see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails, such as fake e-cards, rather than as attachments.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 265,284 at the end of May. That's a growth of 42,811 new malware strains and/or variants in the first five months of 2007, in May the number jumped by 12,126. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 102,700.

Things have certainly speeded up during April and May!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January - April has continued in May, as seen by continuing high numbers of fake e-cards notifications being trapped.

We have seen an unexpected recovery in the level of spam in May; this may have dented the figures for both 419s and malware arriving via e-mail, only time will tell.

The phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Links:


Tuesday, 19 June 2007

Father's Day Surprise!

Father's Day [in the UK] fell on Sunday the 17th of June and along with the usual cards and presents from my wife and son I received an e-card, which I wasn't expecting.

Here is a screenshot of the e-mail I received:



The link, as you might expect, actually goes to a different site than 'AmericanGreetings.com'; in fact at the time I received it, it went to 'americangreetingsc.net' and a second one I received a few minutes later went to 'americangreetingsc.org'. Did you notice the appended 'c'?
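The appended-'c' trick above, and e-card links that land somewhere other than the site named in the e-mail, can be checked mechanically at a mail gateway. The following is an added example, not code from the post: the brand list is taken from the e-card sites named earlier on this page, the "last two labels" registrable-domain shortcut and the constructed sample mail are assumptions.

```python
"""Flag e-card notification links whose target host is not the brand it claims to be.

Hypothetical helper (not from the post). It looks for three things: a link host
that is a one-character variation of a real e-card brand (americangreetingsc.net),
a link that goes to a bare IP address, and visible link text naming a real brand
while the href goes somewhere else entirely.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Real e-card brands the fake notifications impersonate (from the list in the post).
KNOWN_BRANDS = {"americangreetings.com", "bluemountain.com", "hallmark.com",
                "123greetings.com", "postcards.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one insertion is all it takes to turn a brand into a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no public-suffix list available offline)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class _Links(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _Links()
    parser.feed(html)
    return parser.links


def classify_link(href: str, text: str, brands=KNOWN_BRANDS) -> str:
    """Verdict for one link: 'ok', 'raw-ip', 'lookalike', 'text-mismatch' or 'unrelated'."""
    host = urlparse(href).hostname or ""
    try:
        ipaddress.ip_address(host)
        return "raw-ip"  # real e-card sites do not hand out bare-IP links
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in brands:
        return "ok"
    label = domain.split(".")[0]
    for brand in brands:
        blabel = brand.split(".")[0]
        # same brand label on another TLD, or one character added/removed/changed
        if label == blabel or edit_distance(label, blabel) <= 1:
            return "lookalike"
    # the visible text names a real brand but the href goes elsewhere
    if any(brand in text.lower() for brand in brands):
        return "text-mismatch"
    return "unrelated"


def scan_mail(html: str, brands=KNOWN_BRANDS):
    """Return [(verdict, href)] for every link that is not a plain known-brand link."""
    findings = []
    for href, text in extract_links(html):
        verdict = classify_link(href, text, brands)
        if verdict != "ok":
            findings.append((verdict, href))
    return findings


# Constructed sample notification modelled on the ones described in the post.
SAMPLE_MAIL = """<html><body>
<p>You have received a greeting card from a Worshipper.</p>
<p>To see it, visit <a href="http://americangreetingsc.net/?card=4832">AmericanGreetings.com</a></p>
<p>Or copy this link: <a href="http://192.0.2.15/ecard.exe">http://www.americangreetings.com/</a></p>
<p>Help: <a href="http://cards-for-you.example/view">Hallmark.com</a></p>
<p>Terms: <a href="http://www.bluemountain.com/help">BlueMountain.com</a></p>
</body></html>"""

if __name__ == "__main__":
    for verdict, href in scan_mail(SAMPLE_MAIL):
        print(f"{verdict:14} {href}")
```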

Here's a screenshot of the website, asking you to download 'Flash Player', which is actually malware:



Interestingly, if you go to the site afterwards, you see a real Father's Day e-card from AmericanGreetings.com. I suspect that they are using a cookie or other tracking method to work out if you have already been to the site before, and change the page behaviour to suit. Very sneaky, although not a new trick as I reported on the same trick back in February!

Here's a screenshot of the website, showing what you will see when you reload the page or return to the site again:



The 'fake' Flash Player is now detected by most AV vendors. List below, correct at time of posting:

Scan report of: install_flash_player.exe
@Proventia-VPS -
AntiVir TR/Dldr.Small.eog.4
Avast! Win32:Small-FED [Trj]
AVG -
BitDefender Trojan.Downloader.Agent.YCL
ClamAV Trojan.Downloader-9530
Command -
Dr Web Trojan.DownLoader.22389
eSafe Win32.Small.eog
eTrust-VET -
eTrust-VET (BETA) -
Ewido Downloader.Small.eog
F-Prot -
F-Secure Trojan-Downloader.Win32.Small.eog
F-Secure (BETA) Trojan-Downloader.Win32.Small.eog
Fortinet W32/Small.IAU!tr
Fortinet (BETA) W32/Small.IAU!tr
Ikarus Trojan-Downloader.Agent.YCL
Kaspersky Trojan-Downloader.Win32.Small.eog
McAfee Generic Downloader.k trojan
McAfee (BETA) Generic Downloader.k trojan
Microsoft -
Nod32 -
Norman W32/DLoader.CXCE
Panda Trj/Downloader.OUX
Panda (BETA) Trj/Downloader.OUX
QuickHeal TrojanDownloader.Small.eog
Rising Trojan.DL.Win32.Mnless.e
Sophos Troj/DwnLdr-GVP
Symantec Downloader
Symantec (BETA) Downloader
Trend Micro TROJ_SMALL.IAU
Trend Micro (BETA) TROJ_SMALL.IAU
VBA32 Trojan.DownLoader.22389
VirusBuster -
WebWasher Trojan.Dldr.Small.eog.4
YY_A-Squared -
YY_Spybot -

I will be writing about the current glut of fake e-cards again later this week as the 'Bad Guys and Girls' seem to be using this as their preferred social engineering technique at the moment, sometimes with hilarious or very messy results...


Monday, 4 June 2007

Virus Bulletin 2007 Abstract Selected

Virus Bulletin have just informed me that my abstract entitled: 'The Journey So Far: Trends, Graphs and Statistics.' has been selected for the Virus Bulletin 2007 international conference to be held from the 19th to the 21st September 2007 at the Vienna Hilton, Vienna, Austria.

The abstract for the paper appears below:
Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscape of types of malware used and the now often confused classification situation.

I haven't blogged about this until now as I wanted to make sure I had approval for not only writing the paper, but also attending the conference and getting approval for the travel, hotel and other expenses. Also, VB contacted me rather late as they have asked me to be a reserve speaker. Last time I was a reserve speaker for them was back in 2003, in New Orleans, and I ended up presenting anyway due to a hurricane causing chaos. Hopefully, we won't see a hurricane, or any other disaster in Vienna?

All I have to do now is carry out all the required research and write the paper, piece of cake, NOT!

This will be the tenth time I've written a paper for the Virus Bulletin International Conference. I've also written a number of articles for the Virus Bulletin periodical as well, including a book review which is published in this month's edition [June 2007].

The value to me personally in attending this conference is the knowledge I gain each and every time I attend, that in itself is priceless. It is also a chance to finally meet some of the people I converse with via e-mail, and catch up with like minded people I've met before, some of whom I would now consider to be friends.

If you have never been to a Virus Bulletin conference and you work in the information security field, then it is about time you did, you won't regret it!

The full paper will be made available after the conference. I'll post an announcement here shortly after the conference has finished.


Wednesday, 30 May 2007

April 2007 Malware Review

Just about managed to get this finished before the end of the month.

April has come and gone and we are already well into the second quarter of the year, this year seems to be flying by! However, on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 736 samples during April, which have been catalogued as 40 distinct families and variants. In comparison during March I captured 638 samples which were catalogued as 38 distinct families/variants. As you can see the captures in April are slightly up from March's total.

During April I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The April statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During April I reported 48 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] is back in pole position after having to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart during March.

W32.Kasper.A has had to settle for the runner-up spot in April. This means that the top two have swapped places in April's chart.

W32/Sality.AD [Frisk] is back in the top ten again having dropped out of the chart in March, it has stormed back in to grab the final podium place, in third.

The Opaserv.worm family, which completely failed to turn up in the chart in February and then stormed back in to the chart in March with four representatives, has suffered a loss. In April's chart we have lost one of the Opaserv clan from the top ten; the remaining family members are: variants ae, d, and ac in fifth, eighth and tenth places respectively.

IRC.Zapchast which managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart has suffered a fall, down three places to sixth.

Virus.Win32.Virut.a [which was a new entry in March's chart] has managed to consolidate the fourth place it managed to grab when it entered the chart in March.

We have two re-entries in April's chart, these are: W32/Netsky.P which has been in and out of the top ten for more than two years now, and Zhelatin.cq which is somewhat more recent, having only been created since the end of 2006.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for April still has Mytob.c in seventh place which it managed to climb to in February, it seems to have set up home there.

Netsky.q has once more fallen off the runner-up spot; this time it has slipped just one place to third. It is joined by three other family members, these being: Netsky.aa, which has lost its sixth place from March, falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place; and finally Netsky.b has consolidated its hold on ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to fourth.

We have three new entries in April's chart, these are: Email-Worm.Win32.Warezov.ms straight in the chart in second place, Trojan-Spy.HTML.Bankfraud.ri in fifth place and finally Worm.Win32.Feebs.gen just below it in sixth place.

To complete the top ten, we have Scano.gen which is holding on tight to the final place; tenth spot.

Kaspersky had this to say about April's chart:
"It's getting more and more interesting looking at the statistics on malicious code in mail traffic. Warezov and Zhelatin regularly cause virus outbreaks, hit the headlines, and create a huge amount of work for virus labs around the world, but it's NetSky.t, an old email worm, which grabbed first place this month. In the three years since NetSky.t appeared, its highest ranking ever was fourth place in February 2006. It subsequently disappeared from the rankings, but returned to lurk close to the top of the table. And this month it has taken first place by storm, pushing aside all the new generation worms.

This was probably the result of a new tactic: virus writers are now spamming multiple variants of their latest creation within a very short space of time. Many of these variants make it to the Top Twenty, but sometimes the sheer number of variants prevents them from gaining a high position: NetSky.t, a single variant which spread extremely widely, is proof of this."



In the SOPHOS chart we see a different pattern; Netsky.p has consolidated its grip on pole position during April and we have a re-entry in the runner-up spot, Dref-AF.

Here is some commentary on it from Sophos:
"Sophos has also revealed that while Netsky has held onto the number one spot for email-borne threats, Dref has shot back into the chart at number two, accounting for 24% of all malware spread via email"

Zafi-D, which dropped from February's fourth to sixth place in March, has reversed its slide down the chart, ending up in fifth place in April. Meanwhile Nyxem.D [aka MyWife] has dropped one place in April; down from eighth place to ninth, which was where it was back in February.

Stratio-Zip has managed to claw its way up from seventh to fourth place, after falling out of the chart in February. Mytob-C has dropped back down the chart from second to third place, which it grabbed back in December 2006.

Mydoom-O, which was a re-entry in November's top ten, drops three places from fourth to seventh place, and November's new entry, W32/Sality.AA, has likewise dropped three places from third place to sixth in April's chart.

The last remaining member of the Bagle family, Bagle-qw also drops three places from fifth to eighth place.

To complete this month's top ten we have a new entry Troj/Small-EIV in at tenth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife] which stole Tenga's crown in March has had to make do with the runner-up spot once more.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to consolidate its hold on the final step on the podium; third place.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times and slipped down to eighth place in April.

Sality is up three places to sixth place, and we have two re-entries, these are: Zhelatin and Netsky, back in the chart in fourth and fifth places respectively.

March's new entries, Virut and Cloner which came in to the chart in fifth and eighth places respectively have both dropped two places during April, falling to seventh and tenth respectively. New entry Hidrag completes April's top ten, coming into the top ten in ninth place.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of April] here. This clearly shows that April was slightly up on the December 2006 total and slightly down on the first two months of 2007. As shown in the figures for April, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails, rather than as attachments.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 253,158 at the end of April. That's a growth of 30,685 new malware strains and/or variants in the first third of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 92,000. Things have certainly speeded up during April!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in April 2007.





Conclusions:
The current trend of using social-engineering which has been widespread in January, February and March has continued in April, as seen by the vast numbers of fake e-card notifications being trapped.

What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments, they know they shouldn't, because they believe that the technology in place will save them and if it doesn't it isn't their fault.

As mentioned elsewhere it seems that the scammers are upping their game by creating fake sites for key crime-fighting organisations in the UK, such as the Metropolitan Police and the Secret Intelligence Service. I wonder how long it will be before Interpol or the FBI sites have 'bogus' copies of their websites created by the scammers?

Links:


Monday, 30 April 2007

March 2007 Malware Review

Just about managed to get this finished before the end of the month.

March has come and gone and already we have used up the first quarter of the year. However, some things don't change; it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with yet more mass-mailing malware, which many anti-virus firms were saying would be extinct by now, guess again! We have also seen an awful lot of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 638 samples during March, which have been catalogued as 38 distinct families and variants. In comparison during February I captured 894 samples which were catalogued as 43 distinct families/variants. As you can see the captures in March are significantly down from February's total.

During March I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The March statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During March I reported 58 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:


W32/Tenga.3666 [Frisk] had to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] forced its way to the top of the chart ousting February's pole sitter in the process by less than half a percentage point. Bear in mind that W32.Kasper.A wasn't even in the top ten in February, so it is a re-entry, which makes its position in March's chart even more incredible.

Mytob.J, which was the runner-up in February's chart and seriously threatening Tenga's hold on pole position, has slipped down the chart to sixth place.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, fell on hard times in January and February only managing to fill one place in the chart, the survivor was Tenga.3666. What a difference a month makes, the Opaserv.worm family which completely failed to turn up in the chart in February, is back. Not just one or two, but four representatives are back in the top ten. These are variants ae, d, ac and ai, in fifth, seventh, ninth and tenth places respectively.

IRC.Zapchast has managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart.

A new entry in March's chart [in 4th place] is Virus.Win32.Virut.a which is a bit of a throw-back, being a real 'virus', an appending one, as well as being a Bot. We also have another new entry, even though it is a real oldie [Pate.B in 8th place], as it has been around for a long time but never managed to get in to the top ten, until now.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for March still has Mytob.c in seventh place which it managed to climb to in February, up from ninth in January.

Netsky.q has managed to climb back up to the runner-up spot in March, having fallen down the chart from second place in January to fourth in February. It is joined by three other family members, these being: Netsky.aa, which recovers its sixth place from the drop to tenth it suffered in February, Netsky.t, February's pole sitter slips back down to fourth and Netsky.b is a re-entry in at ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to third.

As seen in my own top 10 chart, the Zhelatin family which stormed the Kaspersky chart during February have disappeared from the top ten just as fast as they arrived.
We have three new entries in March's chart, these are: Bankfraud.ra straight in the chart in pole position, Warezov.jx in at fifth place, and to complete the top ten, we have Scano.gen, a new entry in at eighth place, and Mydoom.l, which is a re-entry taking the final place: tenth spot.

Kaspersky had this to say about March's pole sitter:
"This month's leader, Trojan-Spy.HTML.Bankfraud.ra is also the result of recent virus epidemics. This Trojan is a typical phishing email, and millions of copies have been sent around the world. We've also noticed that this malicious program has been mass mailed several times. Bankfraud.ra was first detected on 27th February 2007, and in the space of a single month reached such a volume that this month it accounts for more than 30% of all malicious programs detected in mail traffic.
The Trojan targets clients of the Branch Banking and Trust Company (BB&T). It attempts to lure them to fake web sites registered by their undoubtedly malicious users in Croatia and the Cocos (Keeling) Islands."



In the SOPHOS chart we see a different pattern; Netsky.p has once more raised its game and stolen pole position in March. February's pole position sitter, HckPk, has completely dropped out of the top ten.

Here is some commentary on it from Sophos:
"Unwanted emails hiding copies of Netsky are still spreading like weeds in an untended garden, showing how well seeded these mass-mailing threats are," said Carole Theriault, senior security consultant at Sophos.

Zafi has dropped from February's fourth to sixth place in March. Meanwhile Nyxem.D [aka MyWife] has gained one place in March, up from ninth to eighth place.

Stratio has managed to claw its way back into the top ten, to seventh place, after falling out of the chart in February. Mytob has improved upon the third place it grabbed back in December 2006, and is up one place to be March's top ten runner-up.

Mydoom-O which was a re-entry in November's top ten climbs two places from sixth place to fourth and November's new entry, W32/Sality.AA, has climbed another two places from fifth place to third in March's chart.

The last remaining member of the Bagle family, Bagle-qw crawls further up the chart from seventh to fifth place.

To complete this month's top ten we have Clagger.a which is down one place from ninth to eighth spot and a new entry DwnLdr.GFX in at tenth place.

SOPHOS also noted the following:
"It's frustrating to think that there are a bunch of new threats out there that are much more targeted and devious in their approach, yet how can we expect the average computer user to protect against them when the Netskys and Mytobs remain so rooted? Users need to roll up their sleeves and commit to keeping their PCs secure both for their sake and the sake of everyone else connected to the web."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is not headed up by the September 2005 leader Tenga. This month a new 'pretender' has stolen its crown in March, so Tenga has had to make do with the runner-up spot once more. This 'pretender' is W32.Kasper [aka MyWife].

Mytob has dropped from third place in February's chart to sixth spot during March.

Zapchast which stormed up the chart from ninth to fifth place in February has managed to move up to fourth place in March. Opaserv has also climbed up the chart in March from sixth to the final step on the podium; third place.

February's new entries, Parite [aka Pate] and Sality, are static in seventh and up one place to ninth respectively. New entries include Virut and Cloner in at fifth and eighth places respectively. Dupator completes March's top ten, in tenth.




If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of March] here. This clearly shows that March was slightly down on the December 2006 total and significantly down on the first two months of 2007. As shown in the March figures, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 241,959 at the end of March. That's a growth of 19,486 new malware strains and/or variants in the first quarter of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just under 78,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in March 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January and February has continued in March, as seen by the IE7 'fake' download detailed elsewhere in this report.

The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments, they know they shouldn't, because they believe that the technology in place will save them and if it doesn't it isn't their fault.

Links:


Friday, 20 April 2007

Don't Look...

I told you not to look!

Too late, if the following screenshot was an e-mail you had previewed or opened on your system, and you hadn't patched or had other mitigating technologies or methodologies in place*, then your computer would now be infected. Yes, it would now belong to the 'Bad Guys and Girls'! You would be '0wn3d'.

Game over!

Here's the screenshot of the e-mail you might have already received:



Yes, I have doctored this screenshot, the real one is a little 'too risque' to post here!

The first picture, the one of 'Paris Hilton', barely wearing anything, is not 'bad'; what I mean is that this picture is not the problem in this spam e-mail, it is the 'bait'. The one to worry about is the second picture, which won't render [the one with the red diamond in the screenshot], as it isn't a real picture at all. It is a 'trojanised Windows MetaFile [WMF]' which has exploit code embedded in it to try and infect or take over your computer.
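The trick described above works because the mail client decides what a file is from its name or its declared type and then hands the bytes to an image renderer. A mail gateway or proxy can instead look at the bytes themselves. The following is an added example, not code from this post: it sniffs the magic bytes of anything labelled as an image and flags a Windows Metafile (placeable or standard header) hiding behind a picture name. The filenames and byte strings are constructed for illustration; the signatures are the published ones for each format.

```python
"""Content sniffing for files that claim to be images.

Added example (not code from the original post): a defender-side check that
compares the leading bytes of a file against the image type its name claims,
so a Windows Metafile disguised as a picture is flagged before any
image-rendering component parses it.
"""
import struct

# Well-known file signatures (magic bytes) for common image formats.
_SIGNATURES = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),  # placeable (Aldus) WMF magic 0x9AC6CDD7, little-endian
)

_EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                "gif": "gif", "bmp": "bmp", "wmf": "wmf"}


def sniff_image_type(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, kind in _SIGNATURES:
        if data.startswith(magic):
            return kind
    # A standard (non-placeable) WMF has no magic string. Recognise it by its
    # fixed header: Type 1 (memory) or 2 (disk), HeaderSize of 9 words,
    # Version 0x0100 or 0x0300. The full header is 18 bytes.
    if len(data) >= 18:
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def check_image(filename: str, data: bytes) -> dict:
    """Compare the type claimed by the extension with the sniffed type.

    'block' is True when the content is a metafile or does not match the
    claimed type; a picture should never turn out to be a metafile.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = _EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_image_type(data)
    mismatch = claimed != actual
    block = actual == "wmf" or mismatch
    return {"filename": filename, "claimed": claimed, "actual": actual,
            "mismatch": mismatch, "block": block}


def triage(items):
    """Run check_image over (filename, bytes) pairs; return names to block."""
    return [name for name, data in items if check_image(name, data)["block"]]


# Constructed sample inputs (not real files from the post).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a" + b"\x00" * 40
# Standard WMF header: type=2 (disk), header size=9 words, version=0x0300,
# followed by zero padding in place of records.
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0) + b"\x00" * 32

SAMPLE_ITEMS = [
    ("bait.jpg", SAMPLE_JPEG),             # real JPEG: passes
    ("image2.jpg", SAMPLE_PLACEABLE_WMF),  # WMF with a picture name: blocked
    ("image3.gif", SAMPLE_STANDARD_WMF),   # headerless WMF with a picture name: blocked
]

if __name__ == "__main__":
    for name, data in SAMPLE_ITEMS:
        print(check_image(name, data))
    print("block:", triage(SAMPLE_ITEMS))
```

The policy in `check_image` is deliberately strict: a metafile is rejected even when it is honestly named `.wmf`, because the scenario above is an image path in a mail client, where there is no legitimate reason for a metafile to appear at all. Remotely hosted images, like the ones in this e-mail, can be given the same treatment at a filtering proxy before the client renders them.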

This e-mail arrived at my mail server just after midnight last night, and was quite rightly flagged as spam.

So, why am I flagging this now, I mean the exploit code used is old, and you should all be patched by now, you are patched, right? The reason I'm flagging this now is that this may well be a new phase of 'image' exploitation [in both senses of the word], such as this one using the 'WMF exploit', but I suspect we will see the same social engineering techniques used with other exploit code and droppers. In fact I know we will!

So, be careful out there when opening or even previewing e-mails, you may start a chain reaction which ends up with your system being turned into a zombie, and it's all downhill from then on...adware, spyware, malware, identity theft, keylogger, spam relay, phishing site hoster....You get the idea, don't you?

The site hosting the real and fake image files is still active as I write this, you have been warned!

Links to more WMF exploit information:

* Such as a good up-to-date, and enabled, anti-malware solution and/or fully patched system or one not using Windows.


Friday, 23 March 2007

February 2007 Malware Review

February has come and gone and although the months and seasons change, some things don't change, it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with more mass-mailing malware, which many anti-virus firms were saying would be extinct by now, guess again! We have also seen an awful lot of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 4.5 years, Malware Bayesian Filter 3.5 years.

In total I captured 894 samples during February, which have been catalogued as 43 distinct families and variants. In comparison during January I captured 991 samples which were catalogued as 54 distinct families/variants. As you can see the captures in February are down slightly from January's total.

During February I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As you can clearly see February's captures are up from December 2006, but fell slightly from January's haul. The February statistics consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During February I reported 78 new Phishing sites which are now included in the Netcraft phishing site database used by the