MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Friday, 8 May 2009

FREE GALA BINGO E-MAIL LOTTERY PROMO

The 419 scammers have decided to use Gala, a UK bingo and on-line gaming company, as their latest brand to impersonate; they do this to try and get you to swallow their scam as real.

Here's a couple of screen shots showing one copy of the emails I've seen so far today:





The use of a "trusted" brand name is to try and make it more believable, so that you will be willing to actually contact them to try and get the alleged winnings.

However, you'll end up being put on a suckers list; receiving even more of these scams, even via the postal service and over the phone too. Not only that you will also be asked to pay some administrative or legal fees to release the money to you...there is no money, you haven't won anything except the chance to be less gullible in the future.

If you want to find out more about these scams and how they work you can find other postings on the subject on this blog, and also on my published papers and articles page here: http://momusings.com/papers

If you get an email claiming that you've won something in a competition you never entered be very skeptical. If you want to know if it is real or not then please feel free to contact me.

Gala do appear to have a lottery game, but it is online at their website, they don't do e-mail lottery at all....you have been warned ;-)


Wednesday, 4 February 2009

McDonald's Survey

I'd like to start this post with an apology [yes, again] as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won't be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here's a new one I've not seen before, the following e-mail arrived in my 'Phish' inbox late last night [screenshot below]:



That's nice if I answer just seven questions in a simple survey I will get £25.....I smell a phish, so what do we see when I click on the link?



Hmmmmm.....looks pretty good, quite believable wouldn't you say?

So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the survey and then click on submit. This is where I'm taken to next:



Aha.....Just as I suspected, this is a phish, as it wants personal data and my credit card data, including the CVV so that the promised £25 can be credited to my card, yeah right. So, let me enter in some more bogus data and click on the Submit button again.

I particularly like the misuse of the MasterCard SecureCode, VeriSign and Verified by Visa logos, just trying to make you feel secure, how reassuring, eh?




The final page [shown above] informs me that my data has been entered correctly [yeah right!] and that I should see my £25 credit payment on my credit card within 3-5 business days. More like my credit card will be misused or sold on to others to misuse within 3-5 business days! Oh, and then I get taken to the real McDonald's UK website, nice ;-)

So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this Phishing attempt is that this is the first time I've seen one targeting McDonalds in the UK.

So, if you are a McDonald's customer, or think that you'd like £25 for free, be on your guard, as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details....

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!


Tuesday, 21 October 2008

Financial In-Fidelity, Yours For 72.5 Million US Dollars!

Here's an offer I received via e-mail that seems to be the answer to most people's prayers; a large pile of money just for helping someone move some money. Of course in reality it isn't as simple as that, but I'm getting ahead of myself.

Here's a screenshot of the e-mail in full:



It says it was sent by Tim McCarron of Fidelity Investments here in the UK. He is a fund manager for them. It seems that Tim, allegedly, has acquired over 145 Million US Dollars from his employers without their knowledge. Moreover he wants my help to move the funds, and for my trouble he will give me 50 percent; very generous. That is over 72.5 Million US Dollars.....tempting, isn't it? ;-)

All he wants from me are some personal details, some proof of identity, such as a copy of my driver's licence or passport, and a bank account number to use for the transaction.

To prove that he really exists, Tim has even included a link to some details about himself and his performance which is available on the Fidelity Investments website. How thoughtful!

Here's a screenshot of the webpage in the first link:



See, there's Tim's name and various other details about him and the funds he manages. Yes, this is the real Fidelity Investments website.

Let's look in to this in more detail.

OK, the email reply address seems odd, it is timmacarron@superposta.com (seems Tim can't even spell his surname correctly) but the From: address header in the email tells me his email address is tmcarron@ymail.com......hmmm, I'm confused. I know he is trying to cover his tracks, but why use two free webmail addresses?

So, what does this tell me?

Well for one this email is not from the real Tim McCarron, or from anyone at Fidelity Investments. Furthermore, there is NO MONEY; sorry to disappoint you.

If it was real, then the person responsible would have committed fraud; as they have stolen money from their employers and potentially customers too. Furthermore, if you took part in this, if it was real, you would also be committing fraud as well as money laundering....lucky there is no money then, eh? ;-)

Yes, this is yet another 419 scam [aka the Nigerian scam, also known as Advance-Fee-Fraud]. If you were foolish enough to reply to the email you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called "suckers list" and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such a tempting offer, remember the old adage "if something seems too good to be true, it probably is....too good to be true". Also, think very carefully before you click on any links or contact anyone mentioned in these emails; at the very least you could end up on a phishing site, you could lose some of your money, or worse, as there have been cases of beatings and even murders linked to these scams.

Oh, and just in case you were wondering, the links in the email were included by the scammer to try and give extra credence to their outlandish financial proposal.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Oh yes, and the personal details you supply them will almost certainly be used for identity theft and/or in another 419 scam, using your personal details and proofs to attempt to make it more believable.


Amazon Marketplace Listing Canceled...

How many of you out there use Amazon's Marketplace to sell items?

Well, if you do then this posting should be of some interest and I'd also be interested in how many of you have received similar emails to the one shown in the screenshot below:



Looks like a typical notification from Amazon that your item listed on Amazon Marketplace has been canceled; for those that use this Amazon service this usually happens when your item listing has expired, and is quite normal.

So, let me see where I end up when I click on the link contained in the e-mail; screenshot below:

 

Is this Amazon.co.uk? Looks genuine, doesn't it? Would you sign in via this page, or not?

For the moment, let us assume [quite rightly] that I'm suspicious of this page, let me have a look at the source HTML for the page above; I'm especially interested in the FORM section (the bit that deals with the login credentials; your e-mail address and Amazon.co.uk password). Here's a screenshot of the related part of the HTML source for that function:




Hmmm.....notice anything odd?

Surely the real Amazon.co.uk doesn't use a generic mailto CGI script [in this case a Perl script] to handle login routines, does it?

No, of course it doesn't; the code in the screenshot above sends your now stolen Amazon.co.uk login details to the bad guys and girls via e-mail, using the mailto.pl script hosted on http://www-cgi.paonline. It then goes on to send you to the real Amazon.co.uk page, sneaky huh?
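As an added example (my own illustration here, not code from the phishing page or from Amazon), the check described above can be done offline on a saved copy of a suspect page: resolve each form's action, flag a password form that submits to a host other than the page's own, recognise generic mail-forwarding CGIs such as mailto.pl together with the hidden recipient/redirect fields they rely on, and list any scripts or frames pulled in from other hosts. The sample HTML and every host name in it are constructed placeholders, not the phisher's real infrastructure.

```python
"""Offline triage of a saved phishing page: where do its forms submit, and what does it pull in?"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Generic mail-forwarding CGIs that a genuine sign-in page would never post to.
MAILER_CGI_NAMES = {"mailto.pl", "mailto.cgi", "formmail.pl", "formmail.cgi"}
# Hidden fields such scripts use to choose the recipient mailbox and where to forward the victim.
MAILER_HIDDEN_FIELDS = {"recipient", "redirect", "subject"}

# Constructed sample modelled on the Amazon.co.uk phish above: a sign-in form posting to a
# mailto CGI on a third-party host, then bouncing the victim to the genuine site.
# All host names are placeholders (example.test), not real phishing infrastructure.
SAMPLE_URL = "http://amazon-signin.example.test/signin.html"
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://www-cgi.example.test/cgi-bin/mailto.pl">
  <input type="hidden" name="recipient" value="dropbox@example.test">
  <input type="hidden" name="redirect" value="https://www.amazon.co.uk/">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<script src="http://static.example.test/amazon.js"></script>
<iframe src="http://frames.example.test/footer.html"></iframe>
</body></html>
"""

# A constructed benign page for comparison: form and script stay on the page's own host.
BENIGN_URL = "https://shop.example.test/login"
BENIGN_HTML = """
<form method="post" action="/login">
  <input type="text" name="email"><input type="password" name="password">
</form>
<script src="/js/app.js"></script>
"""


class PageTriage(HTMLParser):
    """Collect forms (with their inputs) and script/frame/image sources on other hosts."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.forms = []       # dicts: action, method, fields [(type, name, value)]
        self.external = []    # (tag, absolute src) for resources loaded from other hosts
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action", "")),
                          "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append(((a.get("type") or "text").lower(),
                                         a.get("name", ""), a.get("value", "")))
        elif tag in ("script", "iframe", "frame", "img") and a.get("src"):
            src = urljoin(self.page_url, a["src"])
            if (urlparse(src).hostname or "").lower() != self.page_host:
                self.external.append((tag, src))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def assess_form(form, page_host):
    """Return the reasons a form looks like a credential harvester (empty list: none found)."""
    reasons = []
    action = urlparse(form["action"])
    action_host = (action.hostname or "").lower()
    script = action.path.rsplit("/", 1)[-1].lower()
    has_password = any(ftype == "password" for ftype, _, _ in form["fields"])
    hidden = {name.lower(): value for ftype, name, value in form["fields"] if ftype == "hidden"}
    if has_password and action_host != page_host:
        reasons.append(f"password field submitted off-site to {action_host}")
    if script in MAILER_CGI_NAMES:
        reasons.append(f"action is a generic mail-forwarding CGI ({script})")
    if hidden.keys() & MAILER_HIDDEN_FIELDS:
        reasons.append("FormMail-style hidden fields: "
                       + ", ".join(sorted(hidden.keys() & MAILER_HIDDEN_FIELDS)))
    if hidden.get("redirect"):
        reasons.append(f"victim is forwarded to {hidden['redirect']} after submitting")
    return reasons


def triage(page_url, html):
    """Parse a saved page and report on every form and every off-host resource."""
    parser = PageTriage(page_url)
    parser.feed(html)
    parser.close()
    return {"forms": [{"action": f["action"], "method": f["method"],
                       "reasons": assess_form(f, parser.page_host)} for f in parser.forms],
            "external": parser.external}


if __name__ == "__main__":
    for label, url, html in (("suspect", SAMPLE_URL, SAMPLE_HTML), ("benign", BENIGN_URL, BENIGN_HTML)):
        report = triage(url, html)
        print(f"== {label}: {url}")
        for form in report["forms"]:
            print(f"  form {form['method'].upper()} -> {form['action']}")
            for reason in form["reasons"]:
                print(f"    ! {reason}")
        for tag, src in report["external"]:
            print(f"  off-host <{tag}> from {src}")
```

Run it against a page saved with "view source" rather than by fetching the live URL, so that triage does not touch the phishing host.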

So, this is another phishing scam; in this case they want to steal your Amazon login credentials, so that they can steal any personal details, including any stored credit-card data, or maybe they just want to buy things using your account and have them sent to a drop-box to then be turned into cash. Such as ordering themselves a new MP3 player, phone, some CDs or DVDs or whatever, leaving you to pick up the bill and deal with the resulting mess.

Of course this type of attack is not just limited to Amazon, it would in theory work with any e-commerce site, so be careful out there, especially with sites that store your credit-card details, as in most cases this is what the bad guys and girls are after. If they can't get that then they will just buy things from the site using your stored card data instead.

Yet again, as with other recent examples I've blogged about, it shows that phishers are not just interested in getting your bank details; they are just as happy to get e-commerce site credentials, game login credentials (such as WoW) or webmail account details (how many of you store e-mails which contain personal or financial details?), amongst many others. Furthermore, do you use the same password for more than a single site? If you do then you are making it easier for the bad guys and girls to compromise your other accounts wherever they may be.


Monday, 20 October 2008

Walmart Survey Worth $150 US Dollars...

I received an e-mail yesterday asking me to take part in a survey that Walmart were apparently carrying out to gauge customer satisfaction. A screenshot of the e-mail I received appears below:



So, even though I am not and never have been a Walmart customer, let me see where we go if I click on the link provided, as if I were a Walmart customer. This is where I ended up:



Looks like a very typical web based survey, so what happens when I fill in the details and then click on the proceed button at the foot of the survey page? This is where I ended up next:



OK, so they want some more personal details now, they already have my phone number and e-mail address. Now they want my credit card number, expiry date for it and.......my CVV and ATM pin.....hmmmmm; can anyone smell something 'phishy' yet? ;-)

Yes, this is a phishing scam, squarely targeted at Walmart customers that will be fooled into believing that they will receive 150 US Dollars for filling out the survey and supplying their credit card details. In a few days they will get a surprise, but not the pleasant one they were expecting. Instead of having money credited to their account, they will have lost money through bogus purchases. It may even be worse: their account could be cleared out via ATM withdrawals, or even overdrawn, leaving them with a large bill to pay [unless their bank covers phishing scams and related things]. In the worst case scenario the personal details they gave could be used for identity theft so that loans or mortgages could be set up using the stolen details, leaving the victim with the bills and the resulting damage to their credit rating.


Friday, 17 October 2008

Yahoo Calendar Invites Trouble...

Well, I received a rather interesting invite sent to me via the Yahoo! Calendar service. Have a look at it [screenshot below], what do you think?

 

Hands up all those that are tempted to respond to this?

OK

Now, hands up all those that are NOT tempted to respond to this?

Hmmm....

So, before I cover this in more detail, let me see what happens when I click on the "RSVP to this invitation" text, which is a hyperlink. This is where we end up [screenshot below]:



This is the real Yahoo! Calendar website, so it isn't a phishing scam, is it? Is it real, does someone really want to give me a cheque for 1.5 Million US Dollars, or is it some other form of scam?

OK, time to tell you what is going on here, and what the e-mail is all about, and why the sender used Yahoo! Calendar to send it.

The email really was sent via the Yahoo! Calendar service, and clicking on the link contained in the e-mail really does take you to the genuine Yahoo! Calendar site and a real Yahoo! Calendar invite. But why?

The answer to the why is that this enabled the e-mail sender to have a better chance of getting the email, seen in the first screenshot, to the intended recipients; yes, I said recipients, not recipient. Did you notice the "90 undecided" text in the website screenshot? Yes, this invite was sent to 90 intended recipients, not just me. Does this mean that this was sent by someone with over 135 Million US Dollars to give away?

Of course not, this is just a new twist on the old 419 scam [aka the Nigerian scam, also known as Advance-Fee-Fraud]. The sender just used the Yahoo! Calendar service to try and increase the chances of his invite [the scam text in the invite] getting past any anti-spam defences that the intended recipients might have in place.

There is no money [sorry!], there never was, if you were foolish enough to contact Mr Luke Yayi, you would be assured that the money was real, but somewhere along the way you would be asked to part with money to pay for things such as, handling fees, taxes, shipping fees, and maybe even bribes! So, instead of getting the alleged money you were promised, you would end up losing money, or worse. You would also end up on a so-called "suckers list" and get more 419s, not only via e-mail, but also through your letterbox.

So next time you receive such an invite, not only ones from a calendar service; it could be from any online service, such as: news groups, blogs, social-networking sites, feedback forms, mailing lists and so on. Think very carefully before you click on any links or contact anyone mentioned in the invites/e-mail body, at the very least you could end up on a phishing site, at worst you could lose money, or worse, as there have been cases of beatings and even murders linked to these scams.

If you want to read more on the subject of 419s then I have written several articles which were published in the Virus Bulletin magazine, reprints of these can be found here, [http://momusings.com/papers] along with all my other published articles and papers.

Right, I need to put together another presentation for yet another conference, this time I'm covering penetration testing and ethical hacking.


Thursday, 16 October 2008

Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-)] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don't mind, but I was actually looking forward to having a more relaxed conference than I usually do, but that's life!



This posting is a quick review of the conference:

Day 1 - Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by the Keynote address "The AV industry: Quo Vadis?" presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, as well as what the good guys [and girls] are up to.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting, a presentation by Morton Swimmer [who used to work for IBM] entitled:

  • Towards integrated malware defence

It was a good presentation, however as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode; Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream.

The first two presentations after lunch were:

  • Your computer is now stoned (...again!). The rise of MBR rootkit - Kimmo Kasslin, F-Secure
  • When the hammer falls - effects of successful widespread disinfection on malware development and direction - Matt McCormack, Microsoft

The presentation given by Kimmo was especially interesting as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Applying user-mode memory scanning on Windows NT - Eric Uday Kumar, Authentium
  • Packer visualisation: a fast entropy scanning algorithm that preserves local detail - Li Sun, RMIT University

I decided to sit in on the vendor presentation after the day's main proceedings; this was given by my good friend David Harley, from Eset.

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of ice hockey players, for those that wanted pictures, as well as a bit of fun from Ken Bechtel, whose hat did the rounds; photos were taken of those that ended up wearing it, including me. If you've ever met Ken, you'll know which hat I mean, as he is rarely seen without it.

Day 2 - Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-)"], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector, it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn't now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

  • The robustness of new email identification standards - Reza Rajabiun, COMDOM Software and York University
  • Coordinated distributions method for tracking botnets sending out spam - Andrey Bakhmutov, Kaspersky Lab
  • Malware forensics: detecting the unknown - Martin Overton, IBM ISS

The presentation given by Andrey was extremely good, some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes "it was like teaching my grandmother how to suck eggs". In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the world's best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact one of the guys who was running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

  • VB testing - present status, future plans, John Hawes, Virus Bulletin
  • Race to zero with online scanners, Boris Lau, Sophos
  • There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
  • Apple iPhone programming with SDK, Marius van Oers, McAfee

This year these short technical presentations worked rather well, although it was hard for some of the presenters to keep to the 20 minute slot limit; yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

  • The NorTel Mailer: effective open-source spam filtering for enterprises - Chris Lewis, Nortel
  • SCADA security - who is really in control of our control systems? - Peter Allor, IBM

Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

  • The state of anti-malware testing

Later we had the "pre-dinner drinks and the Gala dinner and entertainment".

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say "we have travelled 3,500 miles for a pub quiz!". Personally, I enjoyed it, it just needed to be shorter.


Day 3 - Friday 3rd October 2008

The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Understanding and teaching bots and botnets - Randy Abrams, ESET

This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats using the robot vacuum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

  • Automatic rules-based binary analysis with IDA Pro and CLIPS - Ryan Hicks, AVG
  • Rebuilding testing for the future - Igor Muttik
  • Samples.malware.org: sample sharing for the next decade? - Richard Ford, Florida Institute of Technology

All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all. However, I think I can honestly say that this years photo was the quickest ever as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream. These were the presentations I sat in on:

  • Where do your users want to go today and can you stop them? - Bruce Hughes, AVG
  • The name of the dose: does malware naming still matter? - Pierre-Marc Bureau and David Harley, ESET

Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I'd sit in on the last one on the Technical Stream again. This was:

  • Darwin inside the machines: malware evolution and the consequences for computer security - Peter Ször, Symantec
    Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science

This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion on:

  • Security in banking forum

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be another case of "I'm Spartacus", as a lot of people seemed to be wearing Ken Bechtel's hat, including me, and no, it wasn't him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Thursday, 25 September 2008

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world's best malware researchers. This can be pretty daunting! This will be my 11th Virus Bulletin Conference since the very first I attended and presented at back in 1996.

However, I've now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I'm needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you reading this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don't bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I'll post a review as soon as I can.


Wednesday, 24 September 2008

American Airlines Survey

I'd like to start this post with an apology as I have been rather slack in posting for quite a few weeks now. This has been due to a number of issues beyond my control including yet another change in my role. I still hope to post material here as often as I can, but it probably won't be as frequent as it has been. So, to try and start the ball rolling once more I have the following phishy tale for you to enjoy.

Here's a new one I've not seen before, the following e-mail arrived in my 'Phish' inbox late last night [screenshot below]:



That's nice if I answer five questions in a simple survey I will get $50.....I smell a phish, so what do we see when I click on the link?



So, let me see what happens when I fill out the details with bogus data. First let me enter some bogus data for the AAdvantage number and password, and then click on go. This is where I'm taken to next:



As you can see, I'm now asked for my Bonus Code and the rest of the page is the alleged survey. So, I'll fill this in, again using bogus data. Interestingly the Bonus Code is the same in all the copies I've received, to multiple e-mail honeypot addresses too. So, now all the data has been entered, let me click on the continue button and see where we go next.



Aha.....Just as I suspected, this is a phish, as it not only asks for personal details, it also wants credit card data, including the CVV and an ATM PIN number too. So, let me enter in some more bogus data and click on the continue button again.

The final page shown informs me that my data has been entered correctly [yeah right!] and that I should see my bonus of $50 on my credit card within 72 hours. More like my credit card will be misused or sold on to others to misuse within 72 hours!

For those of you who like the detail behind the web-page, here is a screenshot of the first page, showing that the actual page is being rendered from two other sites. You may also notice that this phishing site is hosted on Yahoo servers.



Here is a screenshot showing part of the whois record for the phishy domain being used as a front for this scam.



So, it seems that I was right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this phishing attempt is that this is the first time I've seen one targeting an airline. In fact I'd go as far as saying that this may be a 'Spear Phishing' attempt, as it seems to have been sent to a small number of people, and in far smaller numbers than the more traditional bank phish I see day in and day out.

So, if you are an American Airlines customer be on your guard as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details....

As a final note, the Netcraft toolbar plugin which works with Internet Explorer and Firefox now has the domains used for this phish in their database. So, install it and use it, it could save you from making an expensive mistake!


Friday, 25 July 2008

FREE Anti-Virus Software...

I thought it was about time for me to cover this again, due to the current world-wide credit crunch and soaring fuel, power and food costs. This means many people are looking for ways to cut costs, including the cost of protecting their computers. FREE isn't a bad word, but the bad guys and girls have started to make it feel like it ought to be. The phrase Caveat Emptor [Let The Buyer Beware] seems to be more pertinent than ever.

What do I mean by "the bad guys and girls have started to make it feel that it ought to be"? Let me explain:

Look at these for examples of the rather naughty ways that the bad guys and girls are trying to get you to download and use their anti-virus:

First they try scare tactics:



Then they try a little more direct approach:



If you are foolish enough to go to the sites, then this is what you'd currently see:



Looks very professional, doesn't it? Hard to believe that this is a bad site! Want proof? OK, here it is:



That is the very same site [URL] but visited using Firefox 3.x instead.

But that isn't all: this site is also being promoted by a botnet called Asprox. The botnet searches for websites that build their pages from an SQL database and then tries to run exploit code [SQL injection] against them; if successful, it overwrites all the URLs stored in the database with a single link. When a page built from the injected database is then viewed and this 'bogus' link is followed, it starts a chain reaction, which often ends up either on the site shown above, or on exploit code run as part of the chain that infects vulnerable systems. This may include infecting your system and making it part of the Asprox botnet.

But there's more.....

Here's a screenshot of another e-mail I received recently:



The link, if foolishly clicked on, takes you here:



Does it look familiar?

Here's a screenshot of the source of the above page:



Notice how it uses the REFRESH function to pop up a download of the executable they offer; no, it isn't anti-virus software, it is actually malware!
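Both of the tricks above leave a footprint that can be checked for mechanically: the mass SQL-injection run leaves a foreign script tag in every text field it touched, and the fake download page carries a meta refresh pointing at an executable. The following is an added example (my own code, not anything from the original post or from the sites it describes) that scans HTML, and the text columns of a CMS database, for exactly those two indicators. The host names, the sample page and the sample rows are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that a meta-refresh should never point a visitor at.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".msi")


class IndicatorParser(HTMLParser):
    """Collects external <script src> targets and <meta http-equiv="refresh"> URLs."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.refresh_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://..." (quotes around the URL optional)
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.refresh_urls.append(m.group(1).strip())


def scan_html(html, trusted_hosts):
    """Return (kind, url) findings for HTML that loads scripts from hosts outside
    trusted_hosts, or that uses a refresh to push the visitor to a download."""
    p = IndicatorParser()
    p.feed(html)
    p.close()
    findings = []
    for src in p.script_srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted_hosts:        # relative/same-origin scripts pass
            findings.append(("external_script", src))
    for url in p.refresh_urls:
        if urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append(("refresh_to_executable", url))
        else:
            findings.append(("refresh_redirect", url))
    return findings


def scan_db_rows(rows, trusted_hosts):
    """Run the same check over (row_id, text) pairs pulled from a CMS database,
    which is where a mass SQL-injection run leaves its script tags."""
    return [(row_id, url)
            for row_id, text in rows
            for kind, url in scan_html(text, trusted_hosts)
            if kind == "external_script"]


# Constructed samples (not taken from the original page).
SAMPLE_PAGE = (
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://download.bad.example/free-antivirus-setup.exe"></head>'
    '<body>Your download will start shortly.</body></html>'
)
SAMPLE_ROWS = [
    (1, "<p>Opening hours: 9-5</p>"),
    (2, '<p>Contact us</p><script src="http://injected.example/inject.js"></script>'),
    (3, 'Plain text<script src="http://injected.example/inject.js"></script>'),
    (4, '<script src="/static/site.js"></script>'),   # relative, same-origin script
]
TRUSTED_HOSTS = {"www.shop.example"}   # assumed: the site's own script host(s)

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE, TRUSTED_HOSTS))
    print(scan_db_rows(SAMPLE_ROWS, TRUSTED_HOSTS))
```

Pointing scan_db_rows at a dump of the content tables is a quick way for a site owner to confirm whether they were hit by a run like the one described above, and the refresh check is the same test a mail or web proxy can apply before letting a "download" page through.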

So, who can you trust if you want FREE anti-virus software?

These are the FREE ones I'd personally recommend:


Please be aware that there are a number of 'bogus' anti-spyware tools out there too and probably even 'bogus' personal firewalls.

You can find all the links mentioned above, and other useful tools, etc. here.

At the end of the day, to help keep your system free of net nasties and their kin, you need to ensure that you have a personal firewall, up-to-date anti-virus installed, anti-spyware tool(s) installed, and last but not least practice 'Safe-Hex'.

Computer problems are bad enough most of the time, which means the following anti-stress kit might be useful. However, once you add malware to the more usual computer problems it becomes a must-have piece of kit; well, it stops the hair-loss normally associated with stress! ;-)





Hopefully, this posting will help you retain your sanity, or at least reduce the cranial damage you may do to yourself using the above anti-stress kit.

Be careful out there, the web is a dangerous place without suitable protection...

If any of you out there in blog land have other security software that you recommend, then please feel free to drop me a line or leave the details in a comment. Thanks!


Thursday, 24 July 2008

Phishing for Feedback?

According to the e-mail I received this morning HSBC have a customer survey they would like me to take.

For starters here's a screenshot of the e-mail I received:



I'm always willing to give feedback to companies I use, but I am not an HSBC customer, so let us see where we go when the link is clicked?



Looks like a normal survey so far, apart from the dodgy website address [IP dotted]. So let me fake some data and click on the submit button, here goes:



Ah, now I smell something very phishy indeed [even if I didn't before ;-)]. They want some account details; Ker-ching!

Oh, yes and there is no prize money, so don't expect to win, just like the fake lottery notifications that you get, it is just a scam.

Each phishing e-mail I receive is checked; all links are tested against the Netcraft toolbar, and any new ones, that the Netcraft toolbar doesn't yet know about are submitted for inclusion in their database. Nothing too unusual there. However, once in a while I spot something that makes a new phish stand out from the crowd, such as this one.

At the time I tested these links to the bogus [phishy] HSBC survey site it was not detected by the Netcraft toolbar, or even the Firefox anti-phishing functions which are now built into the browser. As I finish up writing this post Netcraft should now have it in their database as I sent them the details.

Just be careful when acting on requests for participating in surveys for companies you use, as they may be phishy and you may get more than you bargained for. In those phishy cases it is likely that your personal data will be stolen and used to make fraudulent transactions on your account.
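The two surveys above, and the American Airlines one earlier, were given away by the link itself: a dotted IP address instead of the company's domain, or a host that simply isn't the brand's. The following is an added example (my own code, not anything from the original posts) that pulls the anchors out of an HTML e-mail body and flags those three conditions: an IP-literal host, visible link text naming a different domain than the href, and a host outside the domains the mail claims to come from. The sample mail, the 203.0.113.5 address and the example.net host are constructed, and the second-level suffix list is a deliberately small stand-in for a full public-suffix list.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Small stand-in for a public-suffix list, enough for UK/AU/NZ brand domains.
SECOND_LEVEL = {"co.uk", "org.uk", "ac.uk", "gov.uk", "net.uk", "com.au", "co.nz"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def registrable(host):
    """Registrable domain: last two labels, or three under a known second-level suffix."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in SECOND_LEVEL:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage_links(html_body, claimed_domains):
    """Return [(href, [reasons])] for every http(s) link that looks phishy."""
    c = LinkCollector()
    c.feed(html_body)
    c.close()
    findings = []
    for href, text in c.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue
        host = parsed.hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal host")
        else:
            shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
            if shown and registrable(shown.group(1)) != registrable(host):
                reasons.append("visible text names a different domain")
            if registrable(host) not in claimed_domains:
                reasons.append("host outside claimed brand domains")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample in the style of the survey mails above (not the real e-mail).
SAMPLE_MAIL = (
    '<p>Dear customer, please complete our short survey.</p>'
    '<a href="http://203.0.113.5/survey/index.php">https://www.hsbc.co.uk/survey</a>'
    '<a href="http://hsbc-survey.example.net/start">Take the survey</a>'
    '<a href="https://www.hsbc.co.uk/help">Help</a>'
)
CLAIMED = {"hsbc.co.uk"}   # assumed: the domains the mail claims to be sent on behalf of

if __name__ == "__main__":
    for href, reasons in triage_links(SAMPLE_MAIL, CLAIMED):
        print(href, "->", ", ".join(reasons))
```

This is the check a mail gateway can run before a user ever sees the message; it does not replace a reputation service such as the Netcraft database, but it catches the obvious cases on the day the site goes up, before any database has been updated.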


Thursday, 3 July 2008

The Tax Man Giveth....

If you are anything like me you probably can't remember the last time the 'Tax Man' [those from HM Revenue and Customs] told you that you had paid too much tax and that he [or she] would like to return some money to you....Yeah right, like that is going to happen! I think I can honestly say that I have NEVER had any form of refund from them, ever, and I've been working for almost 30 years.

So, when I received the following e-mail [screenshot below] I was already rather sceptical:



The email looks quite believable, doesn't it? Even the link looks real.

If you are foolish/brave enough to click on the link, this is what you will see in your web browser:



Again, very believable, especially if you have no anti-phishing solutions in place.

If you are foolish/brave enough to fill in the requested data and then click on the link, this is what you will see in your web browser next:



Finally, if you are foolish/brave enough to fill in the requested financial data and then click on the link, this is what you will see in your web browser:



Yes, if you clicked on the final page you will be taken from the 'phishy' HMR&C site to the 'real' HMR&C site, none the wiser that you have been 'phished'. The final image [above] is the real HMR&C site.

Usual fare for the Phishers, they want your personal details so that they can steal money from your account or use the details to open new accounts or credit arrangements in your name, so when they default on the loan, you'll be the one being hassled or taken to court for non-payment.

Meanwhile your credit rating will nose-dive, and it will take you weeks, months or even years to recover from the effects. All because you were 'phooled by a phish'.

So, if you get an e-mail stating that you have a tax refund.....be warned as you may end up even more out of pocket than you would if you were dealing with the real HMR&C, at least they are up-front about it! So, to finish the second half of the line used for the title of this posting "The Tax Man Giveth [NOT] and the Phishers Fake it to Take it all!"


Friday, 27 June 2008

I'll Have a 419 With a Side Order of Malware, Please....

No, this isn't about an order being placed at my local Chinese restaurant or takeaway; their menu item numbers don't go up that far, believe me, I have checked ;-).

So for starters, let me show you a screenshot of an e-mail I received this morning:



Looks like a pretty typical 419 scam e-mail doesn't it? A little more terse than usual, I'll grant you, but still a 419 scam, hang on it has an attachment, most unusual! Here's a screenshot showing the attached file:



An executable file: very suspicious, and most unusual for it to be attached to a 419 scam. I wonder what the Bad Guys and Girls from Lagos are up to now? I think a bit of testing and investigation is in order, don't you?

Some details on the executable file first:

FileName: 108 3386 8257.exe
FileDateTime: 26/06/2008 11:38:39
Filesize: 303842
MD5: 3e5480b34a38d2dc5e1f45f561c7d5f2
CRC32: F7A3CF76
File Type: PE Executable

This is a WinRAR SFX [self-extracting executable archive], and it contains the following files:

108 3386 8257.txt
gbt.exe
gbthk.dll
inst.dat
kw.dat
pk.bin
rinst.exe


So, let me extract the files; no, not by running the RAR SFX file, as that would infect my system with the malware contained inside it.

Of these only one is a true executable file, this is:
FileName: rinst.exe
FileDateTime: 24/06/2007 21:08:18
Filesize: 19456
MD5: f3d0beef15eb987dbcec8e803bf6c89d
CRC32: 94F8865E
File Type: PE Executable

This file "rinst.exe" is packed using Armadillo and the executable itself appears to be written using Microsoft Visual C++.

This is the main installation file. If you are foolish enough to run the attachment, all the enclosed files are dropped to "C:\WINDOWS\TEMP\RarSFX0" and "rinst.exe" is then run to install the malcode; in this case it also tries to identify and kill any recognised anti-malware tools. Once installed, it attempts to load the "108 3386 8257.txt" file, which contains the following text:

MTCN CONTROL NUMBER 108 3386 8257
AMOUNT : $3,450USD
RECIEVER : JONATHAN NWEKE,LAGOS NIGERIA

The rest of the files appear to be obfuscated files that are part of the installation of a keylogger, so not only is this malware attempting to kill any security defences you have in place, it is also trying to record what you type, etc. Nasty!
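The file details listed above [size, MD5, CRC32, file type] and the decision to carve the archive out of the SFX rather than run it are the first steps of any attachment triage. The following is an added example (my own code, not the author's tooling) that produces the same kind of summary for an in-memory file, recognises a PE stub with an embedded RAR archive as a self-extracting archive, and returns the offset at which the archive starts so it can be carved and unpacked without executing the stub. The MZ/PE blob it builds is a constructed, non-runnable shape for the demo, and the hashes it produces are for that constructed data, not the sample from the post.

```python
import hashlib
import struct
import zlib

RAR_SIGNATURE = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x archive marker


def is_pe(data):
    """True if data starts with a DOS header whose e_lfanew points at a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(data):
    if is_pe(data):
        # A RAR marker after the PE stub means a self-extracting archive.
        if RAR_SIGNATURE in data:
            return "PE Executable (WinRAR SFX)"
        return "PE Executable"
    if data.startswith(RAR_SIGNATURE):
        return "RAR archive"
    return "Unknown"


def rar_payload_offset(data):
    """Offset of the embedded archive, so it can be carved with data[offset:]
    and opened in an unpacker instead of executing the stub."""
    idx = data.find(RAR_SIGNATURE)
    return idx if idx >= 0 else None


def file_summary(data, name):
    """Triage summary in the same shape as the listing above."""
    return {
        "FileName": name,
        "Filesize": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "CRC32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "File Type": classify(data),
    }


def make_fake_pe(payload=b""):
    """Constructed minimal MZ/PE-shaped blob (not runnable) for the demo."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20 + payload


if __name__ == "__main__":
    sample = make_fake_pe(RAR_SIGNATURE + b"constructed archive body")
    print(file_summary(sample, "sample.exe"))
    print("archive starts at offset", rar_payload_offset(sample))
```

Carving at the returned offset and handing the bytes to an archiver is what "extracting without running the SFX" amounts to; the hashes are what you submit to your AV vendor or look up, and they are the fields to record before anything else is done with the file.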

So next time you receive a 419, have a closer look and see if the Bad Guys and Girls from Lagos have included an attachment to get you to infect your computer and steal your personal data. It seems that they have finally learned that this is now a multi-billion dollar business, and if they fail to adapt then they will either get left behind or other professional cyber-criminals will take their traditional business away from them.

If you want to know more about 419 scams and their genesis, then you can find more here.

Right, back to my analysis of this to find out what else it does...


Monday, 23 June 2008

Would You Rather Be A Mule [REDUX]?

How many of you out there have seen job offers [both part-time and full-time positions] that look like the following screenshots:








Tempted to apply, or do they seem too-good-to-be-true?

Well, they are too-good-to-be-true: all the e-mails in the screenshots are nothing more than an attempt to recruit staff to act as money launderers, also known as mules.

I've written about mules before on this blog, but I thought it was time to revisit the area as the bad guys and girls have been very active in trying to recruit new mules just recently.

So, a quick recap

"We are not talking about four legged creatures that are half horse and half donkey….think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates; they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc.
"

Next time you see a job advert on the web, in the local paper or receive a job offer via e-mail, stop and think is this really legit, or am I about to be turned into a mule, or as the song goes:

"Would you like to swing on a star
carry moonbeams home in a jar
and be better off than you are
or would you rather be a mule

A mule is an animal with long funny ears
he kicks up at anything he hears
His back is brawny but his brain is weak
he's just plain stupid with a stubborn streak
and by the way if you hate to go to school
You may grow up to be a mule...
"

The full lyrics can be found here.

By all means swing on a star, but not if it means you grow up to be a mule...to fund the lifestyle, and end up broken, saddled with a criminal record, and end up corralled in jail with numerous other mules, while those that run the scams get away with turning the endless train of desperate people [including students] into yet more mules.


Monday, 16 June 2008

Every Little Helps...

Is the catchphrase for Tesco [a very well known UK supermarket] who sent me an e-mail today informing me that I "have added an additional email address to my account", see below for the full e-mail:



The email address it was sent by was "customer@tesco.com" which is also the return address in the raw e-mail headers too. So, let's see where we end up when we click on one of the four links in the e-mail itself, shall we?

Here's a screenshot of the website that we end up on [using Opera 9.50].....Hmmmm...Tesco.com [according to the tab text]. Looks like the real thing, but is it?



How many of you spotted the red warning in the browser's address bar? It reads [!Fraud site]*. Bit of a giveaway, and also when I clicked on the link in the e-mail it actually goes to a dotted IP address, before being redirected [probably some form of click fraud] to the bogus Tesco.com site shown in the screenshot above. Yes, it is a Phishing site, not the real Tesco.com at all!

So, what is the site and what is it trying to achieve?

Well, this appears to be a Phishing scam, but instead of being targeted at a bank or other financial organisation, or Paypal, eBay, eGold, etc. it is targeting customers of a supermarket instead. This is the first time I've seen a supermarket being the target of a Phishing scam run, most unusual!

Not sure why the bad guys and girls are targeting Tesco customers, unless the stolen customer login details are just a way for them to gain access to any stored credit/debit card details on the Tesco.com account? Maybe they are just hungry ;-)

So, is this a new trend, can we expect similar Phishing scams for Sainsbury's, Waitrose, Marks and Spencer's and Morrisons? Unfortunately, I expect so, so please be very careful, and if you have the option on any such service do NOT store your credit/debit card details; it may make shopping faster, but it also makes identity theft easier too.....as Tesco states "Every Little Helps", just don't let it be true for the bad guys and girls, allowing them to gain access to your personal information and credit/debit card details.

* This is a new feature in the latest version of Opera.


Tuesday, 27 May 2008

The FBI Have Contacted Me!

I received the following e-mail [screenshot below] this morning which says it has come from the FBI, not only that, it states that it was sent by FBI Director Robert S.Mueller the Third of the Anti-terrorist and Monetary Crimes Division and if I don't respond and/or supply the requested information that I'll be charged!





It goes on to say that I have $10,500,000.00 being wired to me via a Secured Diplomatic Transit Account [S.D.T.A] and I need to prove that I have the required paperwork, including a Diplomatic Immunity Seal of Transfer [DIST] and an FBI Identification Record (aka a Rap Sheet or Criminal History Record) to prove I am who I claim to be and that I'm not a terrorist or drugs dealer. If I can supply these proofs, then the money is all mine!

OK, how many of you out there reading this would go along with this? Hands up, so I can count ;-)

Now, how many of the rest of you smell something fishy? Well, it isn't a Phish at all, it is just another new version of the so-called 419 scam.

The twist here, is that the Boys and Girls from Lagos [or almost anywhere else in the World now] are using fear as a new social engineering tactic to get you to part with personal data which they will then either mis-use or sell to others.

If you somehow, miraculously come up with the requested proofs, then guess what, you won't get any money at all, because there is no money in the first place, and the e-mail isn't from the FBI [or anyone in law-enforcement], surprise! ;-)

Whatever you do don't fall for this scam [or any of its relations]; it relies on what the Lagos boys call Wad [rich, greedy people]. They also use a less polite name for the people they dupe; Mgbada*.

To the Boys and Girls from Lagos [the 419ers that run these scams], it is a business, some say it should be considered an African cottage industry, however they want to try and justify it, it is still a crime, no more, no less.

Other unusual examples of 419s I've covered include

Lots of other examples have also been covered over the years on this blog, and I have written several articles for Virus Bulletin on 419s, which can be found here.

* If anyone can tell me what this means in English, then please e-mail me, thanks.


Thursday, 28 February 2008

Out of Office Notifications Are...

An accident waiting to happen!

In fact a number of these accidents have already happened. But I'm getting ahead of myself. So, why do I think that they are inherently bad?

Personally, I hate out of office notifications, not because it means that I can't get a reply from the person I sent an e-mail too in the first place, but because they can be misused by not just the person who is 'Out of the Office' but also by the 'Bad Guys and Girls'. Let me explain in more detail, what I mean...

1. Too Much Information
Often when people enable 'Out of Office' they offer too much information, such as when they are going and coming back, and where they are going to. They also often include a second person's details to contact in their absence, including their full e-mail address. This is then often enabled for all incoming e-mail to their address, which means that not only internal [company/organisation] colleagues are informed, but also, in many cases, anyone on the internet that sends them e-mail. The next two points explain in more detail why this is a 'bad' thing.

2. Confirmation that your e-mail address exists
As mentioned above, if you enable your 'Out of Office' notification to send an automatic response to all e-mail that is received, you are assisting spammers, scammers and malware authors by confirming that the e-mail address is in use [that makes it worth more]. If you also include another person's details to contact while you are away, then the 'Bad Guys and Girls' can also harvest that to either sell on for profit to others, misuse it themselves, or often both. The end result is more spam, scams and malware arriving in your inbox, and in the inbox of anyone else whose details you kindly supplied in your 'Out of Office' notification; I'm sure that they will be quick to thank you for all the extra 'crud' they are now receiving ;-)

3. Physical and Cyber attacks while you are 'away'.
If you are unwise enough to indicate you are on holiday or just out of the country where you normally reside, then the 'Bad Guys and Girls' can do a number of things whilst you are not at home. If they have enough data on you, then you could come back to find your house burgled, full of squatters, vandalised or even worse.

If they don't have access to that level of information, then they can hack into your personal webspace, social networking and other web sites you may use. They could also perform a 'Joe Job' or a 'DDoS' to discredit you or damage your business or reputation. While you are away they may use your stolen identity to take out loans, credit cards and even mortgages in your name. If they already have some of your financial data, such as bank account or credit card data, you could suddenly find your bank account empty or unauthorised charges [and ATM withdrawals] on your debit or credit cards.

In all these cases listed above, this is only likely to happen if you have come to their attention; such as being a thorn in their side, or making life difficult for them, or someone else is willing to pay for the information and/or attacks to take place.

If you don't believe that these things happen, then I can assure you that many of the cyber attacks happen to many of us who work in computer security, especially those that are widely published or who work for anti-malware companies or in law-enforcement.


Figure 1: Too Much Information is an Invitation for Trouble!

4. Bounced Spam
This is the latest way that 'Out of Office' notifications can be mis-used and it affects all of us who are already on spammers/scammers and malware authors lists (or soon will be).

Here is the scenario:
The Bad Guys or Girls sign up for a free webmail account, at say, Google, Yahoo, Live, etc. and then enable the 'Out of Office' feature. They then place the spam message they want to distribute in the 'Out of Office' e-mail body.

Next, the spammer sends lots of e-mails to this new webmail account with the 'Out of Office' feature enabled, using spoofed 'From:' addresses, so that the 'Out of Office' reply is sent to the intended victim [the spoofed From: address].

Why do this? Well, e-mail sent from this booby-trapped webmail account will carry the provider's anti-spam authentication headers, such as DKIM, DomainKeys, Sender ID or any of the other similar systems, which means that the mail server that deals with the intended victim's e-mail is more likely to let the spam through, as it appears to have come from a trusted source.

This is now easier for the spammers to do, as the CAPTCHA systems used by Yahoo and Googlemail have been cracked; so that they can now automate the creation of these 'trusted' 'Out of Office' spam relays.


Figure 2: Out of Office Spam Setup

So, next time you go to enable your 'Out of Office' feature, think carefully about what information you provide, and if you can do not enable the respond to internet address option, as you may live to regret it!
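The safe configuration the post recommends, reply only to people inside the organisation and give away as little as possible, can be expressed as a policy that the autoresponder consults before sending anything. The following is an added example (my own code, not the author's nor any mail product's) of such a policy in Python: it refuses to answer null-sender bounces, mail that is itself automatic [the Auto-Submitted header from RFC 3834], list and bulk traffic, and anything from outside the organisation's own domains, which is exactly what stops the 'bounced spam' scenario above from relaying through your account. The reply it builds carries no dates, destinations or colleague addresses. The domain example.co.uk and the sample messages are constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.co.uk"}   # assumed: the organisation's own mail domains


def should_autoreply(raw_message, envelope_sender, internal_domains=INTERNAL_DOMAINS):
    """Return (decision, reason). RFC 3834 suppression rules plus the post's advice:
    never answer senders outside the organisation."""
    msg = message_from_string(raw_message)
    # Null envelope sender: bounces and other generated mail; never answer it.
    if not envelope_sender or envelope_sender.strip() == "<>":
        return False, "null envelope sender"
    # RFC 3834: do not reply to mail that is itself automatic (stops reply loops).
    auto = (msg.get("Auto-Submitted") or "no").strip().lower()
    if auto != "no":
        return False, "Auto-Submitted: " + auto
    # Mailing-list and bulk traffic must not be answered either.
    if (msg.get("Precedence") or "").strip().lower() in {"list", "bulk", "junk"}:
        return False, "bulk/list precedence"
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False, "mailing list headers present"
    # Only confirm that the address exists to colleagues, never to the internet,
    # which also means a spoofed external From: (the bounced-spam trick) gets nothing.
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    if domain not in internal_domains:
        return False, "external sender"
    # Envelope sender and From: should agree, otherwise the reply lands elsewhere.
    env_domain = envelope_sender.strip().strip("<>").rpartition("@")[2].lower()
    if env_domain != domain:
        return False, "envelope/From domain mismatch"
    return True, "internal sender"


def build_autoreply(original_raw, own_address):
    """Minimal reply: no dates, no destinations, no colleague addresses, and
    marked as automatic so other autoresponders leave it alone."""
    msg = message_from_string(original_raw)
    _, to_addr = parseaddr(msg.get("From", ""))
    headers = [
        "From: " + own_address,
        "To: " + to_addr,
        "Subject: Auto: " + (msg.get("Subject") or ""),
        "Auto-Submitted: auto-replied",
        "Precedence: bulk",
    ]
    body = "I am currently away and will reply on my return."
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed sample messages (not real mail).
INTERNAL_MAIL = ("From: Alice <alice@example.co.uk>\nTo: bob@example.co.uk\n"
                 "Subject: Meeting\n\nHi Bob\n")
SPOOFED_MAIL = ("From: victim@othercorp.test\nTo: relay@webmail.example\n"
                "Subject: hi\n\nbody\n")
AUTO_MAIL = ("From: alice@example.co.uk\nAuto-Submitted: auto-replied\n"
             "Subject: Auto: Meeting\n\n")

if __name__ == "__main__":
    print(should_autoreply(INTERNAL_MAIL, "alice@example.co.uk"))
    print(should_autoreply(SPOOFED_MAIL, "victim@othercorp.test"))
    print(build_autoreply(INTERNAL_MAIL, "bob@example.co.uk"))
```

The external-sender rule is the one that matters for both the harvesting problem [point 2] and the relay problem [point 4]: an address that never answers the internet neither confirms its own existence nor becomes a laundering point for someone else's spam.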


Thursday, 21 February 2008

A Right Royal Grant?

Wow, according to the e-mail I received today I have been awarded a grant of half-a-million pounds [£500,000.00], not just from any old society or company, but from one calling itself 'Queen Elizabeth's Foundation'!

I'm honoured that I have personally come to the attention of our country's ruling monarch, and what's more she feels that I deserve half-a-million in cash with her head on it all...

Here's a screenshot of the e-mail, so that you can see it for yourself, and bask in my glory:



OK, yes I'm not really being serious, or getting too big for my boots, or thinking that I'm now above you all ;-) I know it is a scam and I'm just playing along.

So, let me start by checking out if the domain that the email claims to be sent from actually has a website:



Nope, no website, most odd! OK, so let me know check to see who the domain is registered with and to whom:



If I didn't already know that this was a 419 scam, then I would by now, so let me dig deeper. Next, let me check out the phone numbers, they look real and they are, but they are not registered to any charity or person, they are so-called 'personal' numbers being offered for FREE by the following company:



So, what do we know so far? There is no such society or organisation, the telephone numbers given are real but suspect, they have no website and the domain isn't even registered [so how could they send e-mail from it?], and finally they want me to reply to a different e-mail address, and they can't make their mind up as to who I should be replying to: is it Rooney James or Williams Anderson?

To get to the bottom of the mystery of where the e-mail was sent from, I took a quick peek at the raw headers, and what did I find? I found that the e-mail was actually sent via the webmail service of the company shown in the final screenshot, below:



Yes, they sent the e-mail using a webmail service based in Hawaii, on behalf of the United Kingdom monarch whose name is used for an organisation that doesn't exist, doesn't have a website or own a domain at all, and they want me to reply to an e-mail account hosted on Microsoft Live, just so that they can send me half-a-million quid!

So, do you smell a rat now, or would you send them the data they ask for?

Just to be crystal clear about this: There is no money, as usual, this is a scam which has been around in one format or another for many years, all that happens if you get caught up with these scammers is that you will lose money, not gain any.

Just because they use the name of the Queen of the United Kingdom, and names of well known real organisations such as UNICEF, doesn't mean that this is real [even if the money actually existed, which it doesn't]. This is just another twist in 'The Game' that is collectively known as 419 or Advance-Fee-Fraud.

Sorry, Your Majesty, but I'm going to have to turn down your kind offer...


Monday, 21 January 2008

December 2007 Malware Review

December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn't have quite as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals once more during the month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.

As shown, once more, by December's statistics the general trend is still downwards. It still appears that social-engineering has been the technique of choice and that 2007 should be now known as the year of the social engineer.


During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high points of 82 percent it had in August.

As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December's chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.

The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.

November's pole sitter, Scano.gen has had to settle for fifth place in December's chart after falling down the chart.

In the runner-up spot, we have a new entry, this being Diehard.dc, which is not the only member of this new family, as it is joined by Diehard.db and Diehard.dd which are also new entries, straight in to the chart in fourth and seventh place respectively.

Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.

This month's chart is packed with new entries, the next one is Warezov.xd, straight in to the chart and stealing the final podium place; third.

And to complete the top ten, we have two more re-entries, these being, Bagle.gt and Nyxem.e [aka MyWife.D] in to the top ten in sixth and tenth places respectively.
Kaspersky had this to say about December's chart:
"At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.

It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic - that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has once more regained the runner-up position it last held in October's chart. Last month's pole-sitter Troj/Pushdo has further managed to consolidate its hold on pole position.

Mytob has reversed its slide down the chart, once more climbing back up from sixth to third place. W32/Zafi has continued its progress, sliding further down the chart from fifth to sixth place.

Mydoom which was a re-entry in October's chart has climbed up one place from eighth to seventh place.

There are two re-entries in December's chart, these are Troj/Dloadr, back into the chart in eighth place, and W32/Sality, back into the chart in tenth place.

W32/Bagle is up one place from tenth to ninth, and to complete the chart we have W32/Strati up from ninth to fourth and finally Mal/Dropper down one place from fourth to fifth place.

Here is some commentary on December from Sophos:
"Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is once more occupied by our old friend Dupator.

Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.

We have three re-entries in December's chart, these are: mIRC-Based, back into the chart in fifth, Hidrag, which grabs sixth place, and W32.Tibs, which takes seventh place.

The final place in December's chart is occupied by our old friend Netsky, which has fallen from grace; down from third to eighth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As shown in the figures for December, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or lures targeting particular events, such as Christmas; this can be seen in the What's New section of this blog posting.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is because these e-mails contain links to malware files hosted on web servers; in addition, the web pages they link to contain a number of exploits which try to automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That's a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.


Conclusions:
The current trend of using social-engineering, which has been widespread in January - November, has continued during December; if anything it has accelerated, as can be seen by the examples covered above of the Storm Worm spam runs. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer. After Christmas the Storm Worm gang were working flat out producing new malware, web-sites and spam runs, but more on that another time.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during December as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, which works just as well and without the need for extra coding, as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used in this blog entry.

As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.

I would like to wish you all a very happy new year, stay safe!

Links:

Please note: December's report may well be the last one I do for the foreseeable future due to changes in my role.


Tuesday, 8 January 2008

New Year Phishes?

As a customer of Barclays Bank in the UK, I do occasionally receive e-mails from them, so I wasn't that surprised, or unduly alarmed when I received the e-mail shown in the screenshot below:



A quick look at it had my Phish Sense tingling, can you see why?

However, as usual I decided to take a look at the URL in the e-mail in more detail, as it was pretty believable, this is what I found:



This could easily be the real Barclays Bank site, it is very well done and very believable. In fact all the links, bar one, on the web page actually do go to the real Barclays web site. So, what happens if you enter data in the page and click on the Next button, where do you go next?

The next page shown is:



You are then prompted for the rest of your personal login details for Barclays. However, once you have filled them in and clicked on the Login button, you will end up on the real Barclays site. So this Phish, because that is what it is, no matter how good or believable it appears, is actually carrying out a Man-In-The-Middle attack by harvesting your real login data for your Barclays internet banking account.

Last night I also started to see a similar attack aimed at the Halifax, here's a screenshot of the e-mail:



And here is the website the link takes you to:



This one uses the same technique, although it appears that not only is the page harvesting your Halifax credentials, it also goes on to pass them to the real Halifax site. So, if the data you gave was genuine, it should have logged you in, and you would probably be none the wiser that you have become the latest victim of a phishing attack.

If you put in fake data in the fake Halifax login page (shown above), the real Halifax site will show you an error message.

If you use an e-mail client that doesn't show you the bracketed e-mail address, then it is not surprising that customers of these banks, using these e-mail clients, actually fall for these latest phishing scams, with disastrous results ranging from transferred funds and new loans or mortgages taken out in their name, to their whole identity being stolen.

Did you notice that the links in the e-mail claim to be HTTPS [an SSL encrypted link to the website], when in fact they end up on a standard HTTP link which is NOT encrypted, so all data you enter is sent in CLEAR TEXT?
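As an added illustration of the two tell-tales above (the bracketed sender address that many e-mail clients hide, and link text that reads as an HTTPS bank URL while the real target is a plain HTTP page on another host), here is a small Python checker. It is example code written for this post, not a tool the author describes; the domains, From: header and e-mail body are constructed samples.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def link_findings(html_body):
    """Return (reason, shown_text, href) for every anchor that shows the reader
    one thing while pointing somewhere else, or whose target is plain HTTP."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append(("plain HTTP: anything typed in is sent in clear text", text, href))
        # Only compare text and target when the visible text itself looks like a URL.
        if text.lower().startswith(("http://", "https://", "www.")):
            if text.lower().startswith("https://") and target.scheme != "https":
                findings.append(("link text claims HTTPS but the target is not HTTPS", text, href))
            if _host(text) != (target.hostname or "").lower():
                findings.append(("displayed host differs from the real host", text, href))
    return findings


def sender_findings(from_header, brand_domain):
    """Flag a From: header whose display name borrows the brand while the
    bracketed address (the part many clients hide) lives on another domain."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = brand_domain.lower()
    on_brand = addr_domain == brand or addr_domain.endswith("." + brand)
    brand_word = brand.split(".")[0]
    if not on_brand and brand_word in name.lower():
        return [("display name borrows the brand but the real address is elsewhere", name, addr)]
    return []


# Constructed sample, modelled on the e-mails described above: the visible
# link reads as a secure bank URL but the href goes to an unrelated host.
SAMPLE_FROM = '"Bank Online Security" <alerts@freemail.example>'
SAMPLE_BODY = """
<p>Dear customer, please confirm your details at</p>
<a href="http://login-verify.example/secure.php">https://online.bank.example/login</a>
<p>or read our <a href="https://online.bank.example/help">help pages</a>.</p>
"""

if __name__ == "__main__":
    for finding in sender_findings(SAMPLE_FROM, "bank.example") + link_findings(SAMPLE_BODY):
        print(" - %s: %r -> %r" % finding)
```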

Please note: Do NOT go to the sites shown as they are real live phishing sites. You have been warned! Stay safe...

Whatever you do, don't take this threat lightly, as TV presenter and motor-mouth Jeremy Clarkson did after dismissing the threat of identity theft; he foolishly published his bank details and clues to other personal details in his column in The Sun newspaper. More details on this can be found here.


Friday, 28 December 2007

November 2007 Malware Review

November was another very busy month for me as I was involved in several projects for customer accounts, as well as dealing with my usual workload. This meant that I didn't have as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 476 samples during November, which have been catalogued as just 27 distinct families and variants. In comparison during October I captured 649 samples which were catalogued as 35 distinct families/variants. As you can see the captures in November are down once more and very close to September's total.

During November I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown, once more, by November's statistics the general trend is still downwards. It still appears that social-engineering is very much the technique of choice this year. I believe that 2007 should be known as the year of the social engineer.

During November I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 72 percent of the samples captured in November, down from the high points of 82 percent in August and 77 percent in October.

As in both September's and October's charts, there are still eight members of the Opaserv.worm family in November's chart. These are variants AE, AC, AJ, D, A, AH, AI and AD in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is once more occupied by our old friend Netsky.P who is static in the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

We have a new pole sitter in November's chart, this being Scano.gen which is a re-entry to the top ten.

In the runner-up spot, we have another re-entry, this being Mytob.t, and as you can see from the Kaspersky top 10 [above] for November, Mytob.c has reversed its slide down the chart in October to climb back up from tenth to fifth place.

Netsky.q [aka P] has dropped out of the top 10; however, two [down from three] other family members remain. These are Netsky.t, which has continued its slide down the chart, slipping from seventh to tenth spot, and Netsky.x, a re-entry, back into the chart to snatch the final podium place; third.

One of the new entries in last month's chart, Trojan-Spy.HTML.Fraud.ay, has slipped down two places from second to fourth.

The next three places, sixth, seventh and eighth, are all taken by re-entries. These are IMG-WMF.y, Warezov.pk and Lovegate.W respectively.

The final free slot in November's chart is taken by a new entry, this being another member of the Warezov family; Warezov.um in ninth place.

Kaspersky had this to say about November's chart:
"The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.
There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML.Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has, rather surprisingly, lost the runner-up position from October's chart and has to make do with the final step of the podium; third. Last month's pole-sitter Troj/Pushdo has managed to consolidate its hold on pole position.

Mytob has lost more ground, sliding down the chart from fifth to sixth place. W32/Zafi has suffered a similar fate sliding down from fourth to fifth place.

Mydoom which was a re-entry in November's chart has once more consolidated its hold on eighth place.

There are three re-entries in November's chart, these are W32/Flcss, back into the chart in seventh place, W32/Strati, back into the chart in ninth, and W32/Bagle, grabbing the final place in tenth.

To complete the chart we have TraxG, up from ninth to the runner-up spot; second place. The final free place is occupied by Mal/Dropper in fourth place.

Here is some commentary on November from Sophos:
"Traxg hurtling into second position this month has come as a complete surprise, and the fact that unsophisticated worms are still slipping through the net at such a rate of knots is a clear indication that huge numbers of users, and potentially companies, are failing to install even basic anti-virus protection," said Graham Cluley, senior technology consultant at Sophos. "In first place, Pushdo continues to wreak havoc. A clear reason for its ongoing success is the guilty cybercriminal's ability to quickly create different variants, which are being spread voraciously in a range of spam messages. Each new piece of spam that harbours the trojan has been created to tempt users, and whether it's enticing them to watch videos of Britney or view naked pictures of Angelina, this fraudster's tactics are certainly working."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is still occupied by last months re-entry, this being Netsky.

Win32.Zhelatin falls five places to tenth, Win32.Agent falls four places down to eighth and IRC.Zapchast is static in ninth place. Fifth place is occupied by W32.Funlove, which is up one place from sixth.

We have two new entries in November's chart, these are: Win32.Protoride, straight into the chart in sixth, and W32.Heretic, which takes seventh place.

The final place in November's chart is occupied by our old friend Dupator up from seventh to fourth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of November] here. This clearly shows that November was about as active as October. As shown in the figures for November, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular events, such as Christmas.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 349,851 at the end of November. That's a growth of 127,378 new malware strains and/or variants so far in 2007, in November the number jumped by 10,160. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 139,000. Things have certainly speeded up during the third and fourth quarters of 2007!

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during November 2007.


Conclusions:

The current trend of using social-engineering which has been widespread in January - September has continued during October and November, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during November as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays, and also new targets such as Equifax, as shown above.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, which works just as well and without the need for extra coding, as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers, as we have seen several phishing-quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used in this report.

All in all, it looks like we could be in for a very interesting, and busy, final month of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

Please note: December's report, which should be published in January 2008, may well be the last one I do for the foreseeable future due to changes in my role.


Friday, 14 December 2007

Amazon Adventures - Part Deux

Finally, here is the much promised second part of my recent Amazon Adventures. I warn you now, this is going to be a long post, you have been warned! ;-)

Part one can be found here.

This part is going to cover my recent adventures when trying to sell some things which were excess to requirements using the Amazon.co.uk Marketplace, which works a bit like eBay, but without scammers and con artists popping out of the woodwork every few seconds; or so I thought. How wrong I was to believe things would be any better on Amazon.co.uk's Marketplace than eBay.

The tale unfolds below:

So, as I mentioned above I had some electronic and other goods that were excess to requirements, these were in immaculate [almost new] condition as I had treated them with respect and care at all times. So, I created a Marketplace account on the Amazon.co.uk site so that I could offer these items for sale. This step was dead easy and I had a Marketplace shop open on Amazon.co.uk within five minutes. I confirmed this by searching for one of the items on Amazon.co.uk and it appeared [along with my Marketplace seller account name] in the new and used listings.

A few hours passed and I started to receive e-mails from prospective buyers of the most expensive of the electrical items I was trying to sell, here's a screenshot of one of the e-mails:



I replied promptly and gave the prospective buyer the benefit of the doubt, even though alarm bells were already starting to go off in my head. The next morning I received the following e-mail from 'Vannessa' [screenshot below]:



Hmmm.... I thought that most interesting, especially as I had also received another e-mail which claimed to come from Amazon.co.uk's payments e-mail address, or did it? Here's a screenshot of the e-mail below, notice anything odd?:





Looks real, doesn't it, but is it really from Amazon or not, yes or no? [Hint: look at the e-mail address shown between the '<' and '>' characters.]

Anyway, by now I knew it wasn't really from Amazon.co.uk, as the real e-mail address it came from was 'amazoncustoms@accountant.com', which is a FREE e-mail account from 'Mail.com' in the US. Even so, I decided to check my account on Amazon.co.uk Marketplace, and as expected the item was still listed as being available, not sold. At this point I decided to do a little more detective work.

So, to start my digging, I did a lookup on the UK Post Code given by the 'buyer', this being 'BL2 1LW' which resolved as the following address:

13 ST AUBINS ROAD
BOLTON
LANCASHIRE

Now, if you noticed the 'buyer' claimed her address was '13 st aubin road', notice not only the lower case, but also the missing 's' off the end of 'aubin'. By now I was fully convinced that this was a scammer trying to defraud me of my electronic device. So, I replied to her, see the screenshot below:



And 'Vanessa' replied thus:



In between the various e-mails, I did a bit more digging and found out that the address was the registered office for a company which has now been 'dissolved'. So, to turn the screw a little tighter I sent a reply which you can see below:



And 'Vanessa' replied thus:



And thus, about 15 minutes later:


By now I think that 'Vanessa' knew that I had rumbled that this was a scam, or she was getting desperate, so I tried to string her along a little longer to see if I could extract a telephone number from 'her'. Here's the e-mail I sent:



I never expected to hear anything more from 'Vanessa', so I was rather surprised when I got the following reply:



Those of you that live in or know the phone number system in the UK will have immediately noticed that the phone number I had been given, was not in Bolton, or indeed anywhere near there. It was in fact a London telephone number, and a quick bit of digging unearthed the fact that it was a BT Pay Phone! Game, Set and Match to me, I think.

Further digging, seemed to indicate that the phone was on the West side of Lambeth Bridge, in Horseferry Road, which ironically, is less than 300m from New Scotland Yard!

My next move was to send all the data on to the fraud department of the London Metropolitan Police. As far as I was concerned, my job was now done; it was now down to the Police to apprehend the fraudster(s).

Over the next week, I received four other similar fake Amazon payments notices; needless to say, I played them along the same way and then sent the data on to the authorities to act on[*]. However, I'm not holding my breath, as these frauds are small fry in a world of sharks.

Needless to say, I finally decided that using Amazon.co.uk's Marketplace was not a good way to sell expensive electronic items, in fact I'd go as far as to say that it is only marginally better than eBay in this respect. I must make it clear that my comments are only about my personal experience of using the Marketplace feature of Amazon.co.uk, I have found all my other dealings with Amazon.co.uk to be safe and reliable and I generally trust them far more than other online stores. In fact they are one of the stores I use the most when I'm thinking of buying things, be it CDs, Books, Electronic Items or whatever.

[*] I also e-mailed and spoke to Amazon.co.uk's fraud team a number of times while these adventures unfolded. They were polite and efficient, but I was left feeling that they were not at all surprised about this level of fraud on their site, and seemed to have no answer to the problem. The problem seems to be worse when selling high value electronic items, such as phones, PDAs or game consoles.


Wednesday, 12 December 2007

UPS Delivery of Over ONE MILLION US Dollars!

This posting is in the same vein as the last one [on this subject], as it seems to be a new tactic from the bad guys and girls from Lagos [aka the 419ers], take a look and let me know what you think:



Nice twist eh?

Instead of telling you that they want you to help them move trapped funds and you will get a percentage, or that you have won the lottery, that you didn't enter, this one simply states that you will need to pay $100 US Dollars up front. At least that bit is honest!

The trick here is that the victim who received the e-mail is going to think "Wow, if I pay $100 now, then I get over $1 MILLION US Dollars back in the box!" and "All the sender wants is $100 up front and my contact details, what can possibly go wrong?"

  • Well, firstly, there is no money, so they will end up at least $100 out of pocket.

  • Next, the data they send will be placed on a so-called 'suckers' list.

  • Then, the victim will receive either more e-mails requesting more money to pay taxes, bribes, and so on, or they will get phone calls from the bad guys and girls behind this, who will try to get other personal details from them, such as bank account details, credit/debit card information, and so on.

Before they realise it, the victim's bank account or credit/debit card details are being mis-used to pay for things or to take out new loans or credit cards, or to open a new bank account using the stolen data.

It does seem that the 419 scammers are once more trying out new techniques, I wonder what they will try next? Any suggestions ;-)


Thursday, 6 December 2007

The Six Million Dollar Relative

This is a rather interesting e-mail which arrived in my inbox early this morning. It is interesting for a number of reasons, take a look at the screenshot below and see if you can spot the reasons I found it rather entertaining?:



OK, so what did you spot?

These are the points that caught my interest:

  • Used part of my name, in this case my Surname.

  • Used the name of someone who might be related to me.

  • Used a Microsoft Word document attachment rather than the usual ASCII text or HTML body.

Right, let's now have a look at what the Word document contains [opened in OpenOffice, not Word, for security reasons]:



Here's a close-up of the text in the word document:



As you can see this is a missing-relative 419 scam; they want me to pose as a relative of the alleged deceased person, so that 'we' can claim the 32 MILLION US Dollars for ourselves instead of, and I quote, "funds of this nature end up in the greedy pockets of some politicians due to our corrupt society". I get 20 percent, which they estimate is almost 6.5 MILLION US Dollars.

So, you heard it straight from the horse's mouth [or at least one of the horse's orifices] that these scams have nothing to do with corrupt and ethically bankrupt scammers like the one behind this version; it's all the politicians and government officials who are the 'bad guys'! Yeah, right! Although this quote from Alfred E. Neuman might swing your vote:

"Crime does not pay... as well as politics."

Sometimes these 419 scams contain links to real news stories or tragedies that have occurred, the scammers believe that you will be more willing to fall for their scam if some of the data can be verified.

There is no money, as usual, this is a scam which has been around in one format or another for many years, the names of the intended victim, deceased and scammer change frequently, but all that happens if you get caught up with these scammers is that you will lose money, not gain any.

Just because they use your name and link it with an allegedly deceased person with the same surname, doesn't mean that participating in this scheme [even if the money actually existed, which it doesn't] isn't fraud; it most definitely is!


Wednesday, 5 December 2007

Rent-a-Spammer

We are all used to seeing spam, usually lots of it, even if you have good anti-spam defences in place, some still gets through, as it is a game of cat and mouse between the spammers and anti-spam solutions. The spammers try a new technique which works for a while, the anti-spam brigade adapts and blocks it, and round-and-round we go, ad infinitum ;-)

Here's a spam e-mail that is actually offering "mass dispatch of electronic letters" also known to most of us as Spam or UCE.



The spammer(s) offering their services here are almost certainly using one or more botnets to send out the spam; this means that the chances of him/her/them getting caught and prosecuted are quite slim. As you can see, the pickings [as far as the spammer is concerned] are far from slim!

To a potential spammer customer the costs are minuscule*, as shown below. These are the prices per e-mail:

  • 1 Million = 0.012 cents each

  • 5 Million = 0.01 cents each

  • 10 Million = 0.008 cents each

No wonder that businesses who are desperate for new customers, or sales [or both] are tempted to use these types of services!

Although the fiscal [monetary] costs are small from the perspective of a customer of this type of spamming service, the potential cost in loss of business if you are a well known and previously respected company or brand can be immense.

Luckily these sorts of companies/brands don't tend to use these sorts of services. This means that the companies/brands that do use them are, shall we say, not as ethical or concerned about alienating/annoying their customers, as the wares they offer tend to be considered somewhat grey: fake, illegal, stolen, of dubious quality, or just an outright scam to get you to part with your credit/debit card details. This often results in your data being mis-used or sold on to others to mis-use.

The really worrying thing about this, aside from the data theft/ID theft side of the coin, is that according to some sources, around 10 percent of people who receive spam, actually buy the goods offered. Even if they have been conned/scammed before! Talk about failing to learn from your mistakes!

So, if the 10 percent of people that do buy from spam would kindly refrain from doing so, then the spammers business model would quickly become unprofitable; the end result would be that spam would drop to levels that we can currently only dream about. It could get to the point where we see levels of less than 10 percent, compared to the 90+ percent we have today!

More details on the survey results can be found here.

I've also just found another survey, which claims, amongst other things that: "One in five Brits 'buy software from spam'"

Here's another that claims: "Spam Prompts 11 Percent of Computer Users to Buy"

My original posting on the survey mentioned above, was back in July of 2005, here's a link to it: 'Do You Like Spam?' It even contains details on how the name came about. Here's a link to the video mentioned...enjoy!

So, go on own up, have you ever bought anything from a spam e-mail, are you in the 10-25 percent of those that do? ;-)

* Assuming my maths are correct?

Footnote: Hormel [creators of the tinned meat product known as SPAM] have just lost a court case [another one] in which they tried to stop an anti-spam company using the word 'Spam' in their product name, as they claim that this is their trademark.


Monday, 3 December 2007

Barclays FIVE MILLION US Dollar Transfer

According to the e-mail I received today [3rd of December 2007] from Barclays Bank PLC I have over 5 Million US Dollars waiting to be transferred into my bank account. Here's a screenshot of the e-mail, so that you can see it for yourself:



Wow!!! Five Million, Two Hundred Thousand Dollars are all mine!

All I need to do is to obtain and complete a 'Non-Residential Clearance Form' and then contact 'Mrs.Nancy Webster' who heads-up the 'International Banking Division' at 'Barclays Bank PLC in London' and she will send me the release forms to fill in and Bingo, I will get the money, right?

Anyone smell a rat yet? Any alarm bells going off in your head? Do you actually believe a word written in the e-mail shown above?

Since when did Barclays outsource their e-mail servers to 'Google'?

If you do believe it and follow up with 'Nancy' at 'Barclays', using her business e-mail account at 'Googlemail', then you will be entering into a relationship where you won't end up with more money; you will actually lose money [at the very least], as this is nothing more than a 419 scam [also known as an Advance Fee Fraud].

I've written about these extensively over the years, and if you are interested in reading more on the subject then take a look at my published papers and articles, which can be found here.

Just because it is coming up to the season of goodwill, don't lower your guard, as that is only playing straight into the hands of these fraudsters...

I have a number of things to share this week, so check back each day.


Thursday, 29 November 2007

Amazon Adventures - Part 1

I haven't posted in a while, as I've been somewhat occupied with other things, however, I'm back now and I'm going to cover a few interesting things I saw/experienced first hand recently. So, let me begin.

No I'm not going to tell you about beating my way through tropical rainforest undergrowth or canoeing up the Amazon river, nor am I going to tell you stories about meeting Amazon native people who have never seen an outsider before. So, what am I going to tell you about I hear you ask.....Quickly followed by "I wish he'd get to the point!"

So, to cut to the chase, as they say, this is a screenshot of an e-mail I received a few days ago, from Amazon [see the link now? ;-)]:



Clicking on the link in the e-mail shown above, takes you here:



Looks like the Amazon.com website, in fact as shown in the next screenshot all the scripts on that site point to 'www.amazon.com' [look at the status line bar at the foot of the browser screenshot]:



Yes, all the popups, menus and other scripts on the page point to Amazon.com; however, all is not what it seems, and to use a dreadful pun, we can't see the wood for the trees, or in this case we can't see the phish for the rainforest [Amazon], as the phish is very well camouflaged. Unless you are very observant or have some mitigating technology in place [such as the Netcraft anti-phishing toolbar], most people would easily fall 'phoul' of this 'phish'. Yes, it really is a phish, honest, and the e-mail wasn't really from Amazon at all!

I had a quick peek at the HTML source for the page hosted on the fake Amazon.com site. It is rather long and complex, including numerous JavaScript functions; these include functions to record the following data:

  • Browser used

  • Browser version

  • OS used

  • Timezone

  • Plugins installed

The most important part of the HTML source, as far as the phishers are concerned, is the 'Form' code, which tells the web server what to do with any data submitted in the form, in this case your Amazon.com details: e-mail address and password. The code in this fake Amazon.com page uses the 'POST' method to send the data to a 'PHP' script on the server hosting the 'fake' Amazon.com site.
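A defender-side check for exactly this pattern, as an added example that is not code from the phishing page or from Amazon: it parses a page, finds forms that collect a password, and flags any whose action resolves to a host outside the imitated brand while the page's scripts still come from the brand's site. The sample HTML, the 203.0.113.5 address and the brand host list are constructed assumptions.

```python
"""Heuristic check for a cloned login page: scripts and links point at the
real brand (here www.amazon.com) while the credential form POSTs to a script
on the host serving the clone.

Added example for this post, written from the defender's side; it is not the
phishing kit's own code. The HTML and URLs below are constructed samples."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts that legitimately belong to the imitated brand (assumption for the demo).
BRAND_HOSTS = ("amazon.com",)


class PageScanner(HTMLParser):
    """Collect <form> elements with their <input>s, plus external <script src> URLs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.script_srcs = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").upper(),
                "inputs": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def host_of(url, base_url):
    """Resolve a possibly relative URL against the page URL and return its host."""
    return (urlsplit(urljoin(base_url, url)).hostname or "").lower()


def belongs_to_brand(host, brand_hosts=BRAND_HOSTS):
    """True for the brand's registrable domain and any of its subdomains."""
    return any(host == b or host.endswith("." + b) for b in brand_hosts)


def analyse_page(html, page_url, brand_hosts=BRAND_HOSTS):
    """Return a list of findings; an empty list means nothing looked wrong."""
    scanner = PageScanner()
    scanner.feed(html)
    findings = []

    page_host = host_of("", page_url)
    if not belongs_to_brand(page_host, brand_hosts):
        findings.append(f"page served from {page_host!r}, outside the brand's domains")

    for form in scanner.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue  # only forms that harvest a password interest us here
        target = host_of(form["action"], page_url)
        if not belongs_to_brand(target, brand_hosts):
            findings.append(
                f"password form {form['method']}s to {target!r}, not to the brand"
            )

    # Brand-hosted scripts on a suspicious page are what make the clone look genuine.
    script_hosts = {host_of(s, page_url) for s in scanner.script_srcs}
    if findings and any(belongs_to_brand(h, brand_hosts) for h in script_hosts):
        findings.append("brand-hosted scripts give the clone a genuine look")
    return findings


# Constructed sample mimicking the pattern in the post: menu script from the real
# site, fingerprinting JavaScript, and a form that POSTs to a local PHP script.
SAMPLE_PAGE = """<html><head>
<script src="http://www.amazon.com/js/menu.js"></script>
<script>
  var fp = navigator.userAgent + '|' + navigator.platform + '|' +
           new Date().getTimezoneOffset() + '|' + navigator.plugins.length;
</script></head><body>
<a href="http://www.amazon.com/gp/help">Help</a>
<form action="login.php" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
  <input type="hidden" name="fp">
</form></body></html>"""
SAMPLE_URL = "http://203.0.113.5/amazon.com/signin.html"  # constructed (RFC 5737 range)

# Constructed control case: the same kind of form served by the brand itself.
GENUINE_PAGE = """<html><body><form action="/ap/signin" method="post">
<input type="email" name="email"><input type="password" name="password">
</form></body></html>"""
GENUINE_URL = "https://www.amazon.com/ap/signin"

if __name__ == "__main__":
    for label, page, url in (("clone", SAMPLE_PAGE, SAMPLE_URL),
                             ("genuine", GENUINE_PAGE, GENUINE_URL)):
        print(label, analyse_page(page, url) or ["no findings"])
```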

If you think that this is clever, just wait until you read part deux [2] of this tale; there is more than just phishing going on against the website jungle that is Amazon...

Right, back to the snakes, tarantulas, scorpions and other assorted wildlife.....no, not in the jungle, these are the pets in my house.

If you don't believe me then maybe you should take a look at one of the websites I run which is all about Tarantulas, Scorpions, Snakes and GALS [That is the acronym for Giant African Land Snails, not the other sort of gals ;-)]....Oh, nearly forgot, the website is: The Tarantula's Burrow.


Friday, 16 November 2007

October 2007 Malware Review

October was another very busy month for me as I created and presented a double security lecture [one on malware and one on spam, scams, hoaxes, etc.] at one of the major universities in the UK, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 649 samples during October, which have been catalogued as 35 distinct families and variants. In comparison during September I captured 457 samples which were catalogued as just 27 distinct families/variants. As you can see the captures in October are slightly up from September's total.

During October I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by October's statistics the general trend is still downwards [although the Bad Guys and Girls are back at work after their summer break]. It appears that social-engineering is very much the technique of choice this year.

During October I reported 105 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 77 percent of the samples captured in October, down from the high point of 82 percent in August but up almost 1 percent on September.

As in September's chart there are eight members of the Opaserv.worm family in October's chart. These are variants: AE, AJ, AI, D, I, AH, K and AC in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is taken by our old friend Netsky.P, which comes back into the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for October, Mytob.c has continued its slide back down the chart, from sixth to just hanging on in tenth place.

Netsky.q [aka P] has further consolidated its hold on the pole position it managed to grab back in June. It is joined by two [down from three] other family members, these being: Netsky.t, which has reversed its slide from last month, climbing back up one place from eighth to seventh spot; and Netsky.aa, which has started to fall down the chart from the runner-up spot [second place, which it held in September] to the final podium place in third.

Bagle.gt has speeded up its journey down the chart, falling from fourth to eighth place.

Unlike Bagle.gt, Worm.Win32.Feebs.gen has reversed direction, climbing once more, up from seventh to fourth place.

The final free places in October's chart are taken by two new entries, these are: Trojan-Spy.HTML.Fraud.ay, straight in at the runner-up spot; second, and Exploit.Win32.PDF-URI.k, straight in at sixth place.

We also have Email-Worm.Win32.Nyxem.e [aka Mywife.D] down from fifth to ninth, a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l down from third to fifth place.

Kaspersky had this to say about October's chart:
"If this month's Top Twenty had been prepared using data from the first 26 days of October, two important malware related events would have been missing.
We're talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we've seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings.

The second attack, which started on Friday, October 26, was more interesting. Email traffic was flooded with messages that included a PDF file. This file contained a known and recently discovered exploit for a vulnerability in Adobe products. When the PDF file was opened, this resulted in malicious code being executed and a Trojan downloader being installed. The attack is in sixth place in our rankings: Exploit.Win32.PDF-URI.k"


Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has, rather surprisingly, lost pole position in October's chart and has to make do with the runner-up spot; second. Last month's runner-up, Troj/Pushdo, has managed to de-throne Netsky and steal its crown, as it now heads up the chart by grabbing pole position.

Mytob has lost ground, sliding down the chart from third to fifth place. W32/Zafi has suffered a similar fate sliding down from second to fourth place.

Mydoom, which was a re-entry in November's chart, has once more lost ground, slipping down from seventh to eighth place.

There is just one re-entry in October's chart, this being Troj/Dloadr, back in the chart in seventh place. One of last month's re-entries has managed to remain in October's chart, this is Mal/IFrame, slipping down one place from fifth to sixth.

To complete the chart we have one new entry, this being Troj/PDFex, straight in to the chart in third place, and TraxG is up from tenth to ninth place. The place occupied by TraxG in last month's chart is now the home of Mal/Dropper.

Here is some commentary on October from Sophos:
"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26-28th October, and during that period, it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe have issued an update to their Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows which could also affect other vulnerable applications such as Skype and Firefox."


The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is occupied by a re-entry, this being Netsky.

Win32.Zhelatin falls one place to fifth, Win32.Agent climbs one place to fourth, IRC.Zapchast falls one place to ninth as does Win32.Tibs, falling to tenth. Sixth place is once more occupied by W32.Funlove, which was where it was in last month's chart.

We have one new entry in October's chart, this is: Backdoor.Win32.mIRC-based straight in at eighth place.

The final place in October's chart is occupied by our old friend Dupator up from eighth to seventh place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of October] here. This clearly shows that October was quieter than the previous two months. As shown in the figures for October, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 339,691 at the end of October. That's a growth of 117,218 new malware strains and/or variants so far in 2007, in October the number jumped by almost 10,500. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 140,700. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - September has continued during October, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam are back to their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during October as they are still trying out other file formats which they hope will bypass anti-spam defences, as can be clearly seen by the MP3 spam example covered above.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last couple of months of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:


Tuesday, 6 November 2007

Equifax Phish

Somebody very kindly forwarded to me an e-mail that they were suspicious of, which claimed to come from Equifax.

Here is a screenshot of the e-mail:



So, should they have been suspicious, or not?

Well, here is a screenshot of the website that the link in the e-mail above would have taken you to; note that the link shown isn't the one you end up on:



Does it look real to you, or not?

Let's call in the Cavalry and see what the FREE anti-phishing tools make of the site?

Here is a screenshot of the warning given by the FREE McAfee SiteAdvisor browser plugin:



Here is a screenshot of the warning given by the FREE Netcraft Anti-Phishing Toolbar browser plugin:



So, it seems that they were right to be suspicious, in fact a quick look at the link in the original e-mail made it obvious to me that this was a phishing scam.

The interesting thing about this Phishing attempt is that this is the first time I've seen one targeting Equifax, in fact I'd go as far as saying that this appears to be a 'Spear Phishing' attempt as it seems to have been sent to a small number of people.

So, if you are an Equifax customer be on your guard as it seems that the phishers are now spending significant amounts of their time to finely target their potential victims and try and get you to disclose your details....

Both the browser plugins mentioned work on both Internet Explorer and Firefox, install them and use them, it could save you from making an expensive mistake!


Wednesday, 24 October 2007

Who's the Weakest Link?

This posting discusses the findings of an online survey carried out by Sophos.

"The research shows that 31 percent of companies believe remote or mobile users expose their networks to the greatest threat, compared to 25 percent that consider guests or external contractors the greater danger. In contrast, an additional 44 percent of companies believe standard employees are actually more likely to expose the network."

The problem is somewhat more fundamental than this survey would have you believe; the problem isn't just that employees [whichever group they fall into] are a risk, the real root of the problem is that people are the weakest link in security[1]...let me explain how I know this:

You only have to look around to see people taking risks with their personal and/or computer security.

It's even worse when they behave the same way on their employer's computers or network, whether it is ignoring security policy/rules, opening attachments they shouldn't, visiting websites to retrieve e-cards or view questionable or illegal material, disabling security tools to speed up the computer, giving away personal or proprietary information, or possibly hacking into systems for either fun or profit.

The worst of it all is when 'good' people fall for the tricks used by the bad guys and girls, such as social engineering. [I've included links to a number of the risks mentioned, in the material below.]

The bad guys and girls have long known that social engineering is the most effective way to get their malware installed on a victim's computer, just as the scammers know that social engineering makes them the most money, as more victims fall for this approach than any other. I have already blogged about the 'human element' in security [or should that be insecurity?;-)] a number of times before; be it 'click-a-holics', e-cards, lottery/grant notifications, 419 and Phishing scams, lost friends or relatives and hoaxes, in fact the whole enchilada.

This year has seen the bad guys and girls use social engineering as their number one infection vector; rarely do they now include a coded infection routine in their malware, they just get the recipient to infect their own computer, it works very well and means they have less work to do to create new malware.

Here's a good and timely example:
the Adobe Acrobat [PDF] vulnerability which was first disclosed on September 20th, 2007. Here's some data from Symantec about what the bad guys and girls did with it:

"One day later, we have discovered a new Trojan named Trojan.Pidief.A that actually exploits this vulnerability to compromise an unpatched computer. So far we have seen a fair number of emails containing this new Trojan in the wild. It is likely that Trojan.Pidief.A has been spammed out in targeted attacks on specific business organizations.

The Trojan will most likely arrive through email with a subject such as "invoice", "statement" or "bill" of some description, and just containing the .pdf file. So far we have seen the following file names used:

- INVOICE.pdf
- YOUR_BILL.pdf
- BILL.pdf
- STATEMET.pdf

If the .pdf file is opened and the vulnerability exploited, it will run code that will download an executable named ldr.exe."

In other words, once you have been socially engineered and you've opened the PDF, the exploit code will execute and your system will get infected unless you have other mitigating technologies/methodologies in place to stop it. From then on your computer is no longer yours, it belongs to the bad guys and girls.

So, what can you do to stop this particular threat [not social engineering in general]?

You can install the 'official' patch for Acrobat Reader from here or the 'official' Acrobat Reader update from here. Trust me, I'm a security specialist ;-)

Maybe humans need to learn from the mistakes of others; history is littered with such material, so that they are less likely to repeat them, ad nauseam. Although I wouldn't bet on it happening anytime soon!

What do you think is the best way to stop people falling for social engineering?

Links to other stories/surveys on Social Engineering:

[1] In security, computer or otherwise, a system is only considered to be as strong as its weakest link, as that is the place where it is most likely to fail. Just like a real chain.


Monday, 22 October 2007

September 2007 Malware Review

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August's total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September's statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.

During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September's chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for September, Mytob.c has once more started to slide back down the chart, from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on the pole position it managed to grab back in June. It is joined by three [same as in August] other family members, these being: Netsky.t, which has slipped down one place from seventh to eighth spot; Netsky.aa, which continues its upward climb, up from third to the runner-up spot; second place; and the final Netsky family member, Netsky.b, which is static in tenth place.

Bagle.gt has once more reversed direction, restarting its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September's chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September's chart:
"Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn't extend the botnet that it builds, and as a result, there's not a single Warezov variant in September's Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world - indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo which climbs up from the fourth place it held in August. Last month's runner-up spot sitter, W32/Zafi has fallen down to fourth place.

Mydoom, which was a re-entry in November's chart, has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September's chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:
"The figures, compiled by Sophos's global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and "Holly Berry" [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to settle for the runner-up spot; second, yet again and the final step of the podium, third place, is occupied by Dupator which is where it was in August's chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs, back in the chart in fourth, sixth, seventh, eighth and ninth place respectively. Sixth place is occupied once more by W32.Funlove.

The final place in September's chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September once more contains ten entries rather than the seven we had in August.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is because these e-mails contain links to malware files hosted on web servers; in addition, the web pages they link to contain a number of exploits that try to automatically infect visitors who are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That's a growth of 106,723 new malware strains and/or variants so far in 2007; in September the number once more jumped by over 12,000. If I extrapolate this, my guesstimate for the growth in malware in 2007 would be almost 142,300. Things have certainly sped up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering, which was widespread from January to August, has continued during September; if anything it has accelerated, as can be seen from the examples of the Storm Worm spam runs covered above.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven't been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown by the massive jump in the percentage of phishing scams we've seen during both August and September.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. It works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:


Thursday, 18 October 2007

Watch Out, Watch Out...

There's MP3 spam about!

Yes, you read that right, I started to receive spam e-mails that only have an MP3 [Audio] file attached, no body text.

At first I thought it was a new ploy by the malware authors, but after a quick check, the attachments were real MP3 files [LAME encoded].

So, I bit the bullet and played it, and lo and behold it was an audio version of the 'Pump-n-Dump' scams that we have been used to seeing. The one I listened to was of poor audio quality; in fact the woman sounded a bit like a Dalek! ;-)

Although, as far as I can remember, there were no lady Daleks, well not in the one-eyed motorised dustbin version that came complete with kitchen utensils [egg whisk], plumbing tools [sink plunger] and a built-in CO2 fire extinguisher anyway [see picture].

More on this later when I'm back in the office.

UPDATE:
I didn't have any time yesterday to follow up on this posting as I was out all day giving a couple of guest lectures at a UK University. However, it now seems that I was the first one to report this new move by the spammers, as the other reports and news items about it didn't start to appear until around mid-day [UK time] on the 18th.

The gangs behind these 'pump-n-dump' scam spam runs have been very inventive so far, as they have already used graphical spam, animated graphical spam, subliminal animated graphical spam, Word document spam, Excel spreadsheet spam and finally PDF/FDF [Adobe Acrobat] spam. This list doesn't include the basic ASCII [Text] and HTML spam they still use, as well as the ZIP and RAR files used as containers for many of the file formats they have used.

I wonder what they'll try next? Video spam?

Here are some links to some of the other coverage of this move to using Audio spam:


There are also lots of news items appearing based on information supplied from the above, especially from my friend Graham Cluley who works for Sophos.

Addendum: Here's a link to one of the MP3 spam audio files I received, so that you can hear it yourself. However, please don't fall for the scam, you won't buy the stock offered will you?

For the techies out there, the file is encoded at 16Kbps. Most MP3 music files are encoded between 128-256Kbps.
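The "quick check" mentioned above, as an added example that is not part of the original post: a small Python inspector that skips any ID3v2 tag, finds the first MPEG Layer III frame header, decodes the bitrate and sample rate, and looks for the Xing/Info tag that LAME writes into the first frame. The sample streams are constructed here (silence, not the spam file), only Layer III is handled, and the 64 kbps "speech-rate" threshold is an assumed heuristic drawn from the 16 kbps versus 128-256 kbps figures above.

```python
import struct

# Layer III bitrate tables (kbps) indexed by the 4-bit bitrate index.
# Index 0 (free format) and 15 (invalid) are rejected by parse_frame_header.
_BITRATES_L3 = {
    1: [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320],  # MPEG-1
    2: [0, 8, 16, 24, 32, 40, 48, 56, 64, 80, 96, 112, 128, 144, 160],      # MPEG-2 and 2.5
}
_SAMPLE_RATES = {1: [44100, 48000, 32000], 2: [22050, 24000, 16000], 25: [11025, 12000, 8000]}
SPEECH_RATE_KBPS = 64  # assumed heuristic: anything below this is voice, not music


def _skip_id3v2(data):
    """Return the offset just past an ID3v2 tag, or 0 when there is none."""
    if len(data) >= 10 and data[:3] == b"ID3":
        size = 0
        for b in data[6:10]:               # 28-bit syncsafe integer, 7 bits per byte
            size = (size << 7) | (b & 0x7F)
        return 10 + size
    return 0


def parse_frame_header(hdr):
    """Decode a 4-byte MPEG audio frame header; return a dict, or None if it is not Layer III."""
    if len(hdr) < 4:
        return None
    h = struct.unpack(">I", hdr[:4])[0]
    if (h >> 21) & 0x7FF != 0x7FF:         # 11-bit frame sync
        return None
    version_bits = (h >> 19) & 3           # 00=MPEG-2.5, 01=reserved, 10=MPEG-2, 11=MPEG-1
    layer_bits = (h >> 17) & 3             # 01 = Layer III
    bitrate_idx = (h >> 12) & 0xF
    sr_idx = (h >> 10) & 3
    padding = (h >> 9) & 1
    channel_mode = (h >> 6) & 3            # 11 = mono
    if version_bits == 1 or layer_bits != 1 or bitrate_idx in (0, 15) or sr_idx == 3:
        return None
    version = {0: 25, 2: 2, 3: 1}[version_bits]
    bitrate = _BITRATES_L3[1 if version == 1 else 2][bitrate_idx]
    sample_rate = _SAMPLE_RATES[version][sr_idx]
    coeff = 144 if version == 1 else 72    # Layer III samples-per-frame / 8
    frame_len = coeff * bitrate * 1000 // sample_rate + padding
    return {"version": version, "bitrate_kbps": bitrate, "sample_rate": sample_rate,
            "mono": channel_mode == 3, "frame_len": frame_len}


def inspect_mp3(data, scan_limit=4096):
    """Decide whether an attachment is a genuine MPEG Layer III stream and summarise it."""
    start = _skip_id3v2(data)
    for off in range(start, min(len(data), start + scan_limit) - 3):
        info = parse_frame_header(data[off:off + 4])
        if info is None:
            continue
        # Demand a second valid header exactly where the first frame ends, so a stray
        # 0xFFE byte pair inside some other file type is not mistaken for audio.
        nxt = off + info["frame_len"]
        if parse_frame_header(data[nxt:nxt + 4]) is None:
            continue
        frame = data[off:nxt]
        encoder = None
        for tag in (b"Xing", b"Info"):    # VBR/CBR info tag; LAME appends its version string
            pos = frame.find(tag)
            if pos != -1:
                encoder = "LAME" if b"LAME" in frame[pos:] else tag.decode()
                break
        return {"is_mp3": True, "encoder_tag": encoder,
                "low_bitrate": info["bitrate_kbps"] < SPEECH_RATE_KBPS, **info}
    return {"is_mp3": False}


def build_sample(hdr, n_frames, id3_padding=0, info_tag=b""):
    """Construct a minimal test stream: real headers, zeroed audio data, optional ID3v2 tag."""
    flen = parse_frame_header(hdr)["frame_len"]
    first = (hdr + b"\x00" * 9 + info_tag).ljust(flen, b"\x00")   # MPEG-2 mono: Xing at +9
    stream = first + (hdr + b"\x00" * (flen - 4)) * (n_frames - 1)
    if id3_padding:
        stream = b"ID3\x03\x00\x00" + bytes([0, 0, 0, id3_padding]) + b"\x00" * id3_padding + stream
    return stream


# Constructed samples (not the actual spam file):
# MPEG-2 Layer III, 16 kbps, 22050 Hz, mono, behind an ID3v2 tag, LAME info frame.
SPAM_MP3 = build_sample(b"\xff\xf3\x20\xc0", 3, id3_padding=14,
                        info_tag=b"Info\x00\x00\x00\x00LAME3.97")
# MPEG-1 Layer III, 128 kbps, 44100 Hz, stereo: what a typical music file looks like.
MUSIC_MP3 = build_sample(b"\xff\xfb\x90\x00", 2)
NOT_MP3 = b"This is not audio at all. " * 8

if __name__ == "__main__":
    for name, blob in (("spam", SPAM_MP3), ("music", MUSIC_MP3), ("text", NOT_MP3)):
        print(name, inspect_mp3(blob))
```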

As a final thought, I suppose you could call this a genuine product of a spam robot? ;-)


Monday, 8 October 2007

Cyber-Laundry?

No, this isn't about the place you take your 'virtual clothes' to be cleaned in 'cyber-space' or 'virtual worlds' such as 'Second-Life'. It is about something quite different.

I have recently been seeing e-mails claiming to be from a firm called 'Draper Investment Company LLC'. A screenshot of one of the many e-mails I have so far received from them appears below:



Clicking on the link in the e-mail takes you to the following very professional looking site, complete with a 'Flash' [SWF] banner:



If you click on the second link in the e-mail, the one that claims to take you to the 'application form', then this is what you'll see:



If you were in need of a part-time job, to fit around your family, or if you were a starving student, you may well be tempted to apply. I mean, the rates look 'very' good for very little of your time, in fact they seem almost 'too good to be true', and that should be setting off little alarm-bells in your head. But, just in case it hasn't done so, what does the 'Site Advisor' from 'McAfee' make of the site, let's see:



Well, are you still tempted now? Can you hear the alarm-bells now? No? Well, let's see what 'Netcraft' has to say about the site, shall we?:



Still interested? Nope, I thought not. But, just in case you were, you should be aware of the following, as you are not only aiding and abetting cyber-criminals in laundering money stolen from accounts acquired via Phishing, you may also be helping to fund 'International Terrorists' too! Yes, that's right, you could be unwittingly helping 'Terrorist' groups, like 'Al Qaeda' and others of their ilk.

Both the Netcraft Anti-Phishing-Toolbar and the McAfee SiteAdvisor are FREE browser plugins which work with not only IE [Internet Explorer] but also Firefox. Neither are a 'Silver Bullet' for the Phishing and related Cyber-crime problem, but they are useful in the fight against the scumbags that try to either steal your identity or try and get you to work for them. In other words, these tools just might help to stop you being taken to the cleaners, or being one of the cleaners.

So, in summary, you would be working as a 'Mule' and 'Laundering' stolen funds, you do know what a 'Mule' is don't you?

The answer is this:
We are not talking about four legged creatures that are half horse and half donkey....think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates; they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc.

There have been a number of people who have recently been recruited as Mules by the Phishers to help process the funds stolen during the latest Phishing Trawl, but the Mule doesn't know that they are helping criminals... They believe that they have a 'real' job helping financial companies with 'excess' workload, or helping to test the company's security by logging in using the stolen credentials and moving money to other accounts...scary huh?

In fact, because the cyber-criminals behind the Phishing and other Identity-Theft crimes have been so successful, they have more data than they can easily deal with. This is why they are now trying so hard to recruit 'you' as a money-mule or cyber-launderer.

Of course, when the authorities catch up with the Mules and they are arrested and charged, they are often shocked that they had been so naive and feel rather 'used'.

So next time you see a job ad on the web, in the local paper or receive a job offer via e-mail, stop and think is this really legit, or am I about to be turned into a mule...


Friday, 5 October 2007

Yahoo Mail Lottery Win!

Wow, look at this e-mail I've just been sent. According to it I've won FIVE HUNDRED AND TWENTY THOUSAND DOLLARS!




So, it claims to have come from 'Yahoo', but on closer inspection it has actually come from a 'Freemail.de' account. Obviously things are getting tough at 'Yahoo' if they can't afford to run their own mail servers and domains anymore, but they can afford to give me FIVE HUNDRED AND TWENTY THOUSAND DOLLARS as a prize? Doesn't add up, does it?

OK, I'll let you in to a secret: there is no such lottery, there is no 'FIVE HUNDRED AND TWENTY THOUSAND DOLLARS' waiting for me (more's the pity ;-)). Yes, the e-mail is nothing more than another variant of the 419 Lottery scam which I've covered many times before on this blog.

This one isn't as ingenious as the ones I blogged about before, but it is a good try and people will get sucked in and believe that they have won a large pile of money, so you have been warned. As I often state "If something seems too good to be true, it probably is [too good to be true]". In other words "There ain't no such thing as a free lunch!"

This seemed a rather timely post as a major 419 gang has been arrested in Nigeria. Here's a snippet from the BBC news item:

"Thousands of fake cheques worth some £8m ($16.2m) have been seized in an attack on international e-mail scams.

The cheques, offered as prizes in exchange for a fee and destined for the UK, were recovered in Nigeria by the Serious Organised Crime Agency (Soca).

The month-long investigation into the fraud uncovered more than 4,500 forged and fraudulent documents.
UK officials are working with agencies in the US, the Netherlands, Canada and Spain to tackle "mass marketing fraud".
A handful of people have been arrested in the UK with almost 70 more held overseas."

The really interesting thing about this story is that Internet Dating sites were also being used to 'hook' victims. Those who were behind the scheme were pretending to be Nigerian women, when in fact they were all men. It only goes to show just how careful you have to be when chatting/e-mailing people you haven't met in real-life. As the saying goes, "On the internet, nobody knows you're a dog."

On the dating theme, it appears that the picture used [of the bogus Dr. Moore] has been 'borrowed' from CupidBay.com, very spooky!

Right, time for my walkies, now where's my collar and lead ;-)


Tuesday, 2 October 2007

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


"A warm and friendly welcome to Vienna, unless you're a Kangaroo!" ;-)

Day 1 - Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin's opening address. This was followed at 11:00 by "A road to big money: evolution of automation methods in malware development", presented by Maksym Schipka from MessageLabs on the Technical Stream. As always, Maksym's talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting: a presentation by Abhilash Sonwane of Cyberoam entitled "Changing battleground: security against targeted, low-profile attacks". This talk touched on cyber-crime and targeted attacks, which would be mentioned, from different perspectives, throughout most of the rest of the conference presentations.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case; I spent the whole afternoon in the Technical Stream. The first two presentations after lunch were:

  • DSD Tracer - implementation and experimentation - Boris Lau, Sophos

  • Pimp my PE: taming malicious and malformed executables - Casey Sheehan, Sunbelt Software

Then we had a short break for tea and coffee before attending the final pair of presentations on the technical stream. These were:

  • Anti-rootkit safeguards: welcome Vista - Aleksander Czarnowski, Avet

  • Patching. Is it always with the best intentions? - Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the day's main proceedings, choosing the one by my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation: instead of the dry marketing material he was given, he gave a very entertaining one instead. This rounded off the day wonderfully!

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 - Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector; it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled "The journey so far: trends, graphs and statistics". Instead of trying to cover everything in the paper, all 30,000 words of it, I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

  • What a waste - the AV community DoS-ing itself - Joe Telafici, Dmitry Gryaznov, McAfee

This was an interesting look at sample sharing between security companies and researchers, the end result is often lots of duplicated samples and sets; these can easily be in excess of 500GB. In fact the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

Then it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

  • The WildList is dead, long live the WildList! - Andreas Marx, Frank Dessmann, AV-Test.org

  • Have you got anything without spam in it? - Tim Ebringer, CA

  • A testing methodology for rootkit removal effectiveness - Josh Harriman, Symantec

Although all of these were interesting I found the presentation by Josh Harriman very interesting and engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don't remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

  • Transforming victims into cyber-border guards: education as a defence strategy - Jeannette Jarvis, Microsoft

  • Phish phodder: is user education helping or hindering? - Andrew Lee, Eset; David Harley, Small Blue-Green World

Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy's presentation included a 'Game Show'.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two 'Last-minute' presentations, these were:

  • Andrew Walenstein, University of Louisiana at Lafayette

  • Erik Wu and Feike Hacquebord, Trend Micro

This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

  • Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations - Dmitri Alperovitch, Secure Computing

This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn't work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentation after the day's main proceedings. This time it was Vinny Gullotto from Microsoft; as with Larry's, it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song "As some day it may happen" from Gilbert and Sullivan's "The Mikado", where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the "pre-dinner drinks and the Gala dinner and cabaret". As always the food was excellent and the entertainment was typically Viennese; two couples performing various types of waltzes. This was followed up, after dessert, by our own private casino.



Day 3 - Friday 21st September 2007
The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Menace 2 the wires: advances in the business models of cybercriminals - Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year, which included a quote that claimed that "Cyber-crime was now more profitable than running drugs". Once more he had some very interesting material to share, including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

  • The trojan money spinner - Mika Ståhlberg, F-Secure

  • Once upon a time a trojan... - Luis Corrons, Panda

  • New approaches to categorising economically-motivated digital threats - Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all, especially by those who were trying to trick Jeannette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream. These were the presentations I sat in on:

  • A deeper look at malware - the whole story - Bryan Lu, Fortinet

  • Malware removal - beyond content and context scanning - Tom Brosch, Maik Morgenstern, AV-Test.org

Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I'd sit in on the last one on the Corporate Stream. This was:

  • Future threats - John Aycock, Department of Computer Science, University of Calgary; Alana Maurushat, Faculty of Law, University of New South Wales

Although all the conference paper presentations had finished, there was a very interesting and lively panel discussion:

  • The fight against international cyber crime - enforcing the law - David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be a case of "I'm Spartacus", as a lot of people seemed to be wearing Dr. Vesselin Bontchev's name badge, and no, it wasn't him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the "welcoming statue", along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn't so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my 'interesting' vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don't know who suffered more, the audience or me ;-)

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Monday, 17 September 2007

August 2007 Malware Review

Well at least in August it was drier than both June and July; towards the end of the month it seemed that summer had at last returned, for a few days at least. Just as well as otherwise our summer, in the UK, occurred during April this year.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 566 samples during August, which have been catalogued as just 20 distinct families and variants. In comparison during July I captured 499 samples which were catalogued as 25 distinct families/variants. As you can see the captures in August are slightly up from July's total.

During August I captured and submitted just one brand new malware strain/variant [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention, such as my VB2007 paper.

Even though August's statistics were up on July's, I still feel that the general trend is downwards. It appears that social-engineering is still the technique of choice this year.


During August I reported 77 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April. It now accounts for almost 82 percent of the samples captured in August.

There are seven [up from six] members of the Opaserv.worm family in August's chart. These are variants AE, AI, D, AJ [a new entry], AC, AD and AH [also a new entry] in second, third, fourth, fifth, sixth, eighth and tenth places respectively.

The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In August's chart we still have only one survivor [down from three in June]; this is Q [aka P], down seven places from the runner-up spot in July to ninth.

The final slot left, seventh place, is taken by a re-entry: our old friend Dupator.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for August, Mytob.c has finally managed to climb up the chart from seventh to fourth place. We also have another member of the Mytob family in August's top 10, this being Mytob.t, in at ninth place.

Netsky.q [aka P] has also climbed back up the chart from second place back to the pole position it managed to grab back in June. It is joined by three [up from two in July] other family members, these being: Netsky.t, which has slipped down three places from fourth to seventh spot. Netsky.aa has reversed its direction, climbing once more, from sixth to third place. The final Netsky family member is Netsky.b which grabs tenth place.

Bagle.gt has reversed its slow journey down the chart, climbing back up one place from third to second.

Worm.Win32.Feebs.gen is static in August's chart, in fifth place.

The final free places in August's chart are taken by IMG-WMF.y moving up two places from tenth to eighth, and finally we have Mydoom.l up from eighth to sixth place in August's chart.

Kaspersky had this to say about August's chart:

"August once again turned out to be "dead season" for virus epidemics in 2007. Since August 2003, when the Lovesan worm caused the biggest epidemic in history, the final month of summer has typically been the quietest and most uneventful, as it is a period when both virus writers and antivirus professionals often go on holiday.
Even the waves of mass-mailings sent out by the Warezov and Zhelatin worms were missing in action in August. Warezov.pk, the leader in July, disappeared suddenly from our virus radar screens. However, it's worth remembering that the launching pad for Warezov.pk was created back in May by Trojan-Downloader.Win32.Agent.bcs. August's Top Twenty features a new program used to create botnets and the conditions for new epidemics: Trojan-Downloader.Win32.Agent.brk. It looks as though a significant new outbreak of email threats will strike in September."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has slipped down one place from the runner-up spot to third. The runner-up spot has been taken by Zafi, which climbs up from the third place it held in July.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to fifth from fourth.

According to SOPHOS Sality is a new entry in August, in at ninth place; although according to my records it was in sixth place in July's chart. Most odd! Other new entries include, Troj/Pushdo straight into the chart in fourth place and Mal/Dropper straight in at seventh place.

Bagle also slipped down the chart during August, from sixth to eighth place.

There is one re-entry in August, this being Troj/Dloadr back into the chart in fifth place.

To complete the chart we have Mydoom in sixth, down one place from fifth and TraxG down three places from seventh to tenth.

Here is some commentary on August from Sophos:

"The figures, compiled by Sophos's global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.
Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies, and pop music videos. People visiting the sites are running the risk of having their PCs infected by malicious code which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties."




The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot; second, yet again.

The final step of the podium, third place, is occupied by Dupator which is up two places from fifth place in July.

Netsky has slipped from third to fourth place in August's chart.

We have one new entry in the chart in August; this is none other than IRCBot, straight in at fifth place.

As with the new entries, we have just one re-entry to the chart in August, this being, Lorez back into the chart in seventh.

The rest of the chart is made up of the following malware: Funlove, up four places from tenth to sixth place.

The more astute of you may have noticed that the top ten for August contains only seven entries. This is because there are only seven families present in the captures for August.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of August] here. This clearly shows that August was busier than July. As shown in the figures for August, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards. The reason for the jumps during July and August is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected. This change in classification makes the figures look like the largest since October 2005.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 316,723 at the end of August. That's a growth of 94,250 new malware strains and/or variants so far in 2007, in August the number jumped by over 12,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 125,600. Things have certainly speeded up during the second and third quarters of 2007!


What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - July has continued during August, if anything it has accelerated. Otherwise, on the malware front, as confirmed by Kaspersky it was a rather 'dead' month with regard to major outbreaks.

We have surprisingly seen a slight drop in the level of spam during August and a move by the spammers towards using other file formats to try and bypass anti-spam defences.
The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during August. This is clearly shown in the massive jump in the percentage of phishing scams I've seen during August.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. This works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, rest of the year!

Links:


Tuesday, 11 September 2007

You SPIM Me Round...

Yes, that wasn't a 'spelly' [spelling mistake], I did write SPIM rather than SPIN, why? Well, read on and all will hopefully become clear, or at least slightly clearer?

No, I'm not going to blog about the record entitled "You Spin Me Round (Like a Record)" from the group "Dead or Alive" [fronted by "Pete Burns"] that was a number one hit for them back in 1985. Instead, first I'm going to tell you about SPIM and what it is, and then I'll show you the latest twist in SPIM that I received this very morning.

All set? Sitting comfortably? Good, then I'll begin.

What is SPIM?
SPIM is simply SPAM sent via Instant Messaging [Yahoo, MSN, ICQ, AIM, etc.] instead of by e-mail. Someone thought that if they fused the names SPAM and IM, creating SPIM, it would be a 'cool' name. The same naming technique was also applied to SPAM sent via VoIP, creating SPIT; yes, it makes me want to, I can tell you! ;-)

So, now you know what SPIM is, I will cover the latest twist the spimmers are using. You can see an example I received this morning in the screenshot below:



I expect that many of you have seen something similar arriving via e-mail? Yes, it is a so-called "Pump-n-Dump" spam/scam. The Bad Guys and Girls buy stock at rock bottom prices and then SPAM [or SPIM] out messages about the stock to encourage people to buy it, shortly after they sell their stocks making a tidy profit in the process. This leaves the other stock holders [who acted on the stock tip] with stock that is quickly de-valued once more, and they usually then have to sell it at a loss.

So, in summary this particular use of SPIM [for Pump-n-Dump] is new. I just hope that this is not being generated by a botnet, as is the case with the equivalent SPAM that I see by the bucket-load. If it is being generated via botnets, then this is a new technique that I haven't seen used before, for SPIM, at least.

If anyone has seen any other interesting SPIM then please feel free to send me a screenshot and I'll post the most interesting ones here in a few weeks time.

BTW, the lyrics for the song can be found here, for those of you that like that sort of thing. ;-)


Monday, 20 August 2007

July 2007 Malware Review

July has come and gone and like June in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from more flash or prolonged flooding for parts of the month.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 499 samples during July, which have been catalogued as 25 distinct families and variants. In comparison during June I only captured 209 samples which were catalogued as 31 distinct families/variants. As you can see the captures in July are significantly up from June's total.

During July I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is partly due to other work requiring my attention.

Even though July's statistics were up on May's, I still feel that the general trend is downwards. It seems that social-engineering is still the technique of choice so far this year.

During July I reported 90 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are six [up from five] members of the Opaserv.worm family in July's chart. These are variants: D, AE, AI [AI is a New entry], AC, AD and K [AD and K are Re-entries] in third, fourth, sixth, seventh, eighth and ninth places respectively.

The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In July's chart we have only one survivor [down from three in June] this is: Q [aka P] up two places from fourth to the runners up spot.

Zapchast which managed to steal the final podium position in June has fallen on hard times and slipped down the chart to the final place; tenth.

The final slot left is taken by a new entry, this being fifth place and the malware is also a new one, in this case it is: Packed.Win32.PolyCrypt.b which is spreading via open shares in much the same way that the Opaserv family does.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for July once more has Mytob.c in seventh place which it managed to climb to back in February, it seems to have setup home there and put down roots!

Netsky.q [aka P] has slipped back down from the pole position it managed in June to the runner-up spot it last held in March. It is joined by two [down from three in June] other family members, these being: Netsky.t, which has slipped down one place from third to fourth spot, and Netsky.aa, which has slipped back down to the position it last held in May's chart, dropping two places from fourth to sixth place.

Bagle.gt has restarted its slow journey down the chart, slipping back down one place from second to third.

Worm.Win32.Feebs.gen has reversed last month's slippage and climbed back up one place from sixth to fifth.

We have two new entries in July's chart, these are: Warezov.pk straight in at number one, Nyxem.e in at ninth and finally IMG-WMF.y grabbing the final place in July's chart.

Kaspersky had this to say about July's chart:
"On the whole, despite the blast-off of Warezov.pk, which was first detected on June 26 and peaked in early July, the situation remains stable (it is actually quite rare for the rankings to be so stable, with Warezov.pk being one of only two newcomers to the Top Twenty). The conditions are not favorable for new global epidemics, so the main threat is posed by local attacks targeting users from individual countries."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has consolidated its grip on the pole position which it lost during May.

Mytob has also managed to consolidate its hold on the runners-up place it grabbed in June after being static in third place back in April and May.

The final step of the podium; third, is taken by Zafi which climbs up from the sixth place it held in June.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to fifth from fourth.

November's new entry, Sality has reversed its progress up the chart, slipping down one place from fifth to sixth during July.

Bagle also slipped down the chart during July, from sixth to eighth place. Meanwhile Nyxem.D has fallen right out of the top ten during July and Mal/Iframe has slipped one place from third to fourth.

There is one re-entry in July, this being Mal/Clagger back into the chart in ninth place.

To complete the chart we have two new entries, these are: Troj/Agent in at the seventh spot, and W32/Strati which just scrapes into the chart in tenth.

Here is some commentary on July from Sophos:

"The security dangers of the web still aren't fully registering with a great many businesses - this is providing rich pickings for hackers hell-bent on gaining access to sensitive information," said Carole Theriault, senior security consultant at Sophos. "It's no surprise to see legitimate webpages targeted for these attacks - businesses generally aren't too strict about stopping their employees accessing these websites, while the sites themselves will already have their own daily flow of user traffic, saving hackers the trouble of trying to entice unenlightened web surfers."




The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is headed up by the September 2005 leader, Tenga, which has once more regained the crown it lost in June when Opaserv stole it. Opaserv has had to settle for the runner-up spot; second.

The final step of the podium, third place, is once more occupied by Netsky which is static in July.

Zapchast which stormed up the chart from ninth to fourth place in June has once more slipped back down the chart, however, this time it is only two places from fourth to sixth place.

W32.Dupator has consolidated the fifth place it managed to claim in June's chart.

We have one new entry in the chart in July; this is none other than Polycrypt, straight in at fourth place.

As with the new entries, we have just one re-entry to the chart in July, this being, Zhelatin back into the chart in seventh.

The rest of the chart is made up of the following malware: Spaces, down one place to eighth, MyDoom, down one place to ninth and finally Funlove, static in tenth place.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of July] here. This clearly shows that July was busier than June which was the quietest month since I started keeping these statistics. As shown in the figures for July, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards. The reason for the jump during July is that I've adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers. This makes the figures look like the largest since January 2006.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 304,153 at the end of July. That's a growth of 81,680 new malware strains and/or variants so far in 2007, in July the number jumped by over 28,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 122,500. Things have certainly speeded up during the second and third quarters of 2007!


What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - June has continued during July, if anything it has accelerated.

We have surprisingly seen a slight drop in the level of spam during July and a move by the spammers towards using other file formats to try and bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during July. This is clearly shown in the jump in the percentage of phishing scams I've seen during July.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer. This works just as well, and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, rest of the year!

Links:


Thursday, 2 August 2007

Detecting Phishing Scams Just Got Easier, For Me...

Why?

Well for once this posting is not just about scams [or malware for that matter], but also about another topic close to my heart, that of customer service. To cut a long and painful story short, I've just closed both my 'eBay' and 'PayPal' accounts due to bad experiences on both!

So, the upshot of this, for me at least, is that spotting phishing scams claiming to come from 'eBay' or 'PayPal' just got a whole lot easier because I no longer have an account on either of those services.

You want to know why I closed them?

My recent experience has shown very clearly to me, that:

1. eBay seem intent on protecting their sellers rather than their customers.

2. Some eBay sellers are openly and actively selling goods that make claims which, when tested, fail, and therefore breach the UK's Sale of Goods Act, especially the parts to do with being 'fit for purpose' and 'as described'. What's worse is that when eBay is informed of this, they do nothing!

3. PayPal behaves the same way, as they seem to be more interested in looking after the retailers who use their services, rather than looking after the customers who 'trust' them by using their services, and who foolishly believe that they will be protected from 'bad' vendors by the 'guarantees' and 'protection' that PayPal offer.

4. PayPal find it easier to accuse a customer with a genuine dispute of lying and supplying 'invalid tracking data', and then close the dispute in favour of the 'vendor', than to deal with the bad 'vendor'. When in fact it is the 'vendor' that is refusing to sign for a 'recorded delivery parcel' so that the 'customer' can't easily prove the goods have been returned, even though the customer has documented proof of posting.


Now, if you want to see good customer service, then look at 'Amazon', they seem to realise that without satisfied customers they do not have a business, shame that 'eBay' and 'PayPal' don't seem to have grasped that yet. That is why 'Amazon' will continue to get my business but both 'eBay' and 'PayPal' won't see any further business from me, ever.

Maybe I should award them both [eBay and PayPal] a 'Basil Fawlty 'How Not To Do' Customer Service Award'?

As I'm handing out awards, maybe 'Amazon' should get a 'Polly Sherman Award For 'REAL' Customer Service'?

What do you think?

Links:
Fawlty Towers - Complete Fawlty Towers [DVD, UK]
Fawlty Towers - The Complete Series [DVD, US]


Friday, 27 July 2007

Asked By A Reader...

The following question was asked by a reader of this blog. I informed the reader that, as it was a good question and the answer is quite involved, I'd cover it later as a separate blog entry, so here we go.

Here's the question:

"Since you are discussing Spam I will ask a question that I've had for some time. Why can't email vendors (google, AOL, MSN, etc.) setup on one of their gateways to return emails as undeliverable, if their customer puts the mail in a Spam folder. Won't that result in the Spammer removing the email from their distribution list after a few undeliverable messages?"

And here's the answer:

Nice idea, if the vast majority of spammers:

  • Didn't fake [spoof] the address that the e-mail appears to be from. Because of this, the real spammer rarely sees any bounces; all the bounced mail ends up going to the e-mail address that the spammers stole. This type of attack is known as a 'Joe Job', and in some cases it is intentional, to try and discredit a company or individual.

  • Didn't totally ignore unsubscribe requests. In fact, trying to unsubscribe only makes the e-mail address more valuable to the spammers, as it proves the address is active. You will get more, not less, spam if you insist on using them.

  • Weren't criminals using botnets to send 90 percent of their 'crud'. As these criminals are using computers that they have infected with malware to send their 'crud' through, they have little to fear from their own ISPs.

So, the bottom line is: nice idea, but it is completely unworkable using the current SMTP standards. SMTP2 anyone?

A quick update on my latest anti-spam experiment:

Since my last posting I've received just 12 spam/malware e-mails which managed to sidestep the new defences. To put this in context, before I put these new techniques in place I usually received around 1,000 e-mails a day, of which about 90 percent was spam; so instead of around 900 spam e-mails a day, I'm now getting about 6!

So, does anyone have any other questions they would like me to try and answer, or have anything to say about this one?

* I'll cover this in detail in another posting.


Wednesday, 25 July 2007

Experiments In Spam

No. This doesn't mean I've been dabbling in creating or sending spam...Quite the opposite, in fact.

Last night I took a step into the unknown, I made major changes to the way I deal with spam arriving at my personal mail server. Why?

Well, at the moment I use a mix of Bayesian filtering, custom filtering rules and a DNS Blacklist to tag known spam. This works well, as I still get to see the spam so that I can analyse it, generate statistics, etc. which I use for trend analysis, in reports [such as my Monthly Malware Reviews], presentations and so on.

However, I just don't have the spare capacity to manage this at the moment as I have other commitments that need to be given 90 percent or more of my time so that I can complete them.

To this end I thought I'd try a different approach to spam.

What I put in place last night are a number of techniques which I'm using to no longer just flag [tag with custom headers] spam [so they can be filtered out and analysed later]. Instead I'm actively rejecting it at my mail server using a mixture of custom Content Control/Compliance rules, DNS blacklists [such as Spamhaus and Spamcop], and Graylisting.

My Bayesian classifier will still be used to deal with anything that gets through. I estimate that using Graylisting and aggressive DNS blacklisting will drop the amount of spam I have to process down to around 10 percent, rather than the 90 percent it stands at now, as you can see from the following graph:



Early results seem to confirm my estimates, as overnight my usual haul of spam* has dropped from the typical 400-600 to just 12, quite an effect!

Furthermore, it appears from these early results that several spammers, scammers and malware authors have already adapted their tools/techniques to handle Graylisting. This can be seen because, instead of the mail being sent, rejected [temporarily] and never seen again [as happens with most spam/scams/malware distributed via e-mail], the 'Bad Guys and Girls' appear to have added a 'retry' feature to enable them to slip past Graylisting as if they were a real 'mail server' which fully supports the relevant RFCs [SMTP standards].
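To make the Graylisting behaviour described above concrete, here is an added Python illustration of the decision a graylisting MTA makes; it is not the author's mail-server configuration. It assumes the usual (client IP, envelope sender, envelope recipient) triplet as the key, a 300-second minimum delay and a four-hour expiry, and the senders it replays are constructed.

```python
"""Greylisting decision logic (added illustration, not the author's setup).

Assumptions: the greylist key is the (client IP, envelope sender, envelope
recipient) triplet, and the delay/expiry values are chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Triplet = Tuple[str, str, str]


@dataclass
class Greylist:
    min_delay: float = 300.0          # a retry sooner than this is still temp-rejected
    unknown_ttl: float = 4 * 3600.0   # forget an unconfirmed triplet after this long
    pending: Dict[Triplet, float] = field(default_factory=dict)   # triplet -> first seen
    allowed: Dict[Triplet, float] = field(default_factory=dict)   # triplet -> last accepted

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> Tuple[int, str]:
        """Return the SMTP reply code and text the MTA should give this delivery attempt."""
        key: Triplet = (client_ip, sender.lower(), rcpt.lower())
        if key in self.allowed:
            self.allowed[key] = now
            return 250, "2.0.0 accepted, triplet already confirmed"
        first = self.pending.get(key)
        if first is None or now - first > self.unknown_ttl:
            # First sighting (or a stale one): ask the sender to come back later.
            self.pending[key] = now
            return 451, "4.7.1 greylisted, please try again later"
        if now - first < self.min_delay:
            return 451, "4.7.1 retry too soon, please try again later"
        # A retry after the minimum delay is what a real MTA queue does: confirm the triplet.
        del self.pending[key]
        self.allowed[key] = now
        return 250, "2.0.0 accepted, retry after greylist delay"


def simulate() -> Dict[str, int]:
    """Replay constructed delivery attempts against one greylist; return the final reply codes.

    The addresses and IPs are made up for the example. The third case is the
    behaviour the post observed: a bot that has learnt to retry looks exactly
    like a well-behaved MTA as far as greylisting alone is concerned.
    """
    gl = Greylist()
    t0 = 1_185_000_000.0   # an arbitrary epoch timestamp in July 2007
    me = "me@example.net"
    outcome: Dict[str, int] = {}

    # Fire-and-forget bot: one attempt, never retries, so the mail is never accepted.
    code, _ = gl.decide("203.0.113.10", "spoofed@example.org", me, t0)
    outcome["bot_no_retry"] = code

    # Real MTA: temp-rejected, then retries after 30 minutes (RFC 5321 suggests at least that).
    gl.decide("198.51.100.5", "friend@example.com", me, t0)
    code, _ = gl.decide("198.51.100.5", "friend@example.com", me, t0 + 1800)
    outcome["real_mta_retry"] = code

    # Greylist-aware bot: also retries after the delay, so it gets through as well.
    gl.decide("203.0.113.77", "spoofed2@example.org", me, t0)
    code, _ = gl.decide("203.0.113.77", "spoofed2@example.org", me, t0 + 600)
    outcome["bot_with_retry"] = code

    # Over-eager retry 30 seconds later: still temp-rejected, the delay has not elapsed.
    gl.decide("203.0.113.99", "x@example.org", me, t0)
    code, _ = gl.decide("203.0.113.99", "x@example.org", me, t0 + 30)
    outcome["retry_too_early"] = code

    # Once confirmed, later mail from the same triplet is accepted immediately.
    code, _ = gl.decide("198.51.100.5", "friend@example.com", me, t0 + 7200)
    outcome["confirmed_triplet"] = code
    return outcome


if __name__ == "__main__":
    for name, code in simulate().items():
        print(f"{name:18s} -> {code}")
```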

To check this, I have investigated the raw e-mail headers and I can confirm that not one of these 'spammy' e-mails that managed to get past the Graylisting tool used a third party MX, they ALL came directly from the infected [bot controlled] system or spammers own system, usually a DSL connected PC.
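A check of the kind described above, as an added Python example rather than the author's own tooling: it reads the topmost Received: header (the one my own MX wrote) and reports whether the connecting client looks like a dynamic/DSL host delivering directly rather than a third-party MX. The dynamic-hostname patterns, the MX name mx.example.net and both sample messages are constructed for the example.

```python
"""Where did this message really come from? (added example, not the author's tooling)

Only the topmost Received: header was written by my own server, so its client
IP and reverse DNS can be trusted; every hop below it was supplied by the
sender and may be forged. The MX name, the hostname patterns and the two
sample messages are constructed for illustration.
"""
import email
import re
from typing import Dict, List

# Reverse-DNS fragments that commonly mark consumer/dynamic address space
# (assumption: an illustrative list, not a definitive one).
DYNAMIC_RDNS = re.compile(
    r"(?:^|[-.])(dsl|adsl|dyn|dynamic|pool|ppp|cable|dhcp|cust)(?:$|[-.])"
    r"|\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}",
    re.IGNORECASE,
)

# "from <helo> (<rdns> [<ip>])" as written by Postfix/Sendmail-style MTAs.
RECEIVED_FROM = re.compile(
    r"^from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
)


def received_hops(raw_message: str) -> List[str]:
    """Return all Received: headers, most recent hop first, with header folding undone."""
    msg = email.message_from_string(raw_message)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


def analyse_delivery(raw_message: str) -> Dict[str, object]:
    """Classify the delivering client from the topmost (trusted) Received: header."""
    hops = received_hops(raw_message)
    if not hops:
        return {"error": "no Received headers"}
    m = RECEIVED_FROM.match(hops[0])
    helo = m.group("helo") if m else None
    rdns = m.group("rdns") if m else None
    ip = m.group("ip") if m else None
    dynamic = bool(DYNAMIC_RDNS.search(rdns or helo or ""))
    relayed = len(hops) > 1   # only what the message claims; lower hops are untrusted
    return {
        "client_ip": ip,
        "client_rdns": rdns,
        "helo": helo,
        "dynamic_looking": dynamic,
        "relayed_via_mx": relayed,
        # The pattern the post reports: the bot itself speaks SMTP to my MX.
        "direct_from_dynamic_host": dynamic and not relayed,
    }


# Constructed sample 1: a bot on a DSL line delivering straight to my MX.
BOT_DIRECT = (
    "Received: from 203-0-113-45.dsl.example-isp.net "
    "(203-0-113-45.dsl.example-isp.net [203.0.113.45])\n"
    "\tby mx.example.net (Postfix) with SMTP id 4A1B2C\n"
    "\tfor <me@example.net>; Wed, 25 Jul 2007 08:15:02 +0100\n"
    "From: \"Bargain Pharmacy\" <spoofed@example.org>\n"
    "To: me@example.net\n"
    "Subject: buy now\n"
    "\n"
    "sample body\n"
)

# Constructed sample 2: a genuine user on a dynamic address who submitted the
# mail through their ISP's outbound MX, which is the hop that talks to my server.
LEGIT_VIA_MX = (
    "Received: from smtp-out.example-isp.net "
    "(smtp-out.example-isp.net [198.51.100.25])\n"
    "\tby mx.example.net (Postfix) with ESMTP id 7D8E9F\n"
    "\tfor <me@example.net>; Wed, 25 Jul 2007 09:02:11 +0100\n"
    "Received: from [192.0.2.10] (cust-192-0-2-10.dyn.example-isp.net [192.0.2.10])\n"
    "\tby smtp-out.example-isp.net (Postfix) with ESMTPA id 112233\n"
    "\tfor <me@example.net>; Wed, 25 Jul 2007 09:02:09 +0100\n"
    "From: \"Alice\" <alice@example-isp.net>\n"
    "To: me@example.net\n"
    "Subject: hello\n"
    "\n"
    "sample body\n"
)


if __name__ == "__main__":
    for label, raw in (("bot_direct", BOT_DIRECT), ("legit_via_mx", LEGIT_VIA_MX)):
        print(label, analyse_delivery(raw))
```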

So, it looks like Graylisting may only be useful for a while; as usual, I suspect it will be my standard approach that copes best, this being Defence in Depth.

No doubt I'll make some changes to the current configuration, tweaking it, maybe adding/removing things, either way, I'll keep you posted...In the meantime, a question for you:
"How do you deal with spam?"

On the spam front there have been a couple of new developments, but that's another posting ;-)

* In this case spam refers to not only UCE [Unsolicited Commercial E-mail], but also Malware and Scams [Phishing and 419s] too.


Monday, 23 July 2007

June 2007 Malware Review

'Flaming June' has come and gone, however in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from flash or prolonged flooding for parts of the month.
We are now past the halfway point of 2007 and I'll include some comments on trends, etc. that have occurred during the first half of the year.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured only 209 samples during June, which have been catalogued as 31 distinct families and variants. In comparison during May I captured 800 samples which were catalogued as 35 distinct families/variants. As you can see the captures in June are significantly down from May's total.

During June I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The June statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During June I reported just 26 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are just four [down from five] members of the Opaserv.worm family in June's chart. These are variants: AE, D, I and AC in second, seventh, eighth and tenth places respectively.

The Netsky family is back in the top ten again after dropping out of the chart completely in May. We have a trio of family members in June's chart, these are: Q [aka P] back in at fourth place, Y back in at fifth and finally X back in at sixth place. Looks a bit like the London Bus effect: wait for ages for one to appear, and then three appear at the same time!

As with Netsky, we have one final re-entry in June's top ten, this being Zapchast which has managed to steal the final podium position coming back in to the third spot.

The final slot left is taken by Dupator, which is up one place from tenth to ninth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for June once more has Mytob.c in seventh place which it managed to climb to back in February, it seems to have setup home there and put down roots!

Netsky.q [aka P] has climbed up from the runner-up spot it held in March and lost in April to snatch pole position in June's chart. It is joined by three other family members, these being: Netsky.t, February's pole sitter, which slipped down to fourth during March and was back in first place in May, has fallen two places to occupy the final step of the podium, third place; mirroring that change, Netsky.aa has gained two places, up from sixth to fourth place.

Bagle.gt has further reversed its slow journey down the chart, climbing back up the chart one more place from third to take the runner-up spot; second.

Worm.Win32.Feebs.gen has fallen back down one place from fifth to sixth effectively reversing its progress from May.

We have three new entries in June's chart, these are all members of the same family, this being Warezov. We have variant OZ straight in to the chart in fifth place, variant OV occupying the eighth spot, and finally variant OP in ninth place.

To complete the top ten, we have a re-entry, this being an oldie; Mydoom-L which takes the final slot in tenth place.

Kaspersky had this to say about June's chart:

"After a long break, first place was again taken by the all-time leader of 2004 and 2005: the NetSky.q worm. Right on its heels is a worm from an equally old family, Bagle.gt. Meanwhile, NetSky.t, the leader in May, slipped very slightly down the table, ending up in third place.

Probably the most noteworthy event this month was the disappearance of May's rabble-rouser, Sober.aa. This virus appeared after a six-month stint in the shadows, suddenly taking fourth place before disappearing again. Will we be seeing this family in our reports again? I suspect not".



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has regained its grip on pole position which it lost during May, and is back as the pole sitter. May's pole sitter, Sober, has once more dropped out of the top ten.

Mytob has managed to climb up the chart one place, to steal the runners-up place on the podium after being static in third place back in April and May.

The final step of the podium; third, is taken by a new entry which has only appeared in SOPHOS's web threat chart before. This new entry is Mal/Iframe.

Here is some commentary on it from Sophos:
"Interestingly, Mal/Iframe's appearance in the email-based chart demonstrates that it is not limited to only infecting via the web. Hackers can embed the malware into emails using HTML to exploit users".

Mydoom which was a re-entry in November's chart has recovered more ground during June after falling to seventh place in April and climbing to fifth in May, it is now up one more place to fourth.

November's new entry, Sality has reversed its slide down the chart, jumping up three places from effectively eighth place in May to fifth in June.

Zafi-D, which dropped from February's fourth to sixth place in March and then reversed its slide down the chart, ending up in fifth place in April, has now halted its slide and is sitting in sixth place, as it was in May.

Bagle is up a single place in June's chart from eighth to seventh place. Meanwhile Nyxem.D [aka MyWife] is likewise static in tenth place.

To complete the chart we have two re-entries, these are: Mal/DownLdr in eighth and W32/Stratio in ninth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is not headed up by the September 2005 leader, Tenga. Its crown has been stolen once more, this time by Opaserv. Tenga has been forced to accept the runners-up spot; second in June.

The final step of the podium, third place, has been occupied by Netsky which is up from the fifth place it held in May.

Zapchast which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March then suffered a setback, slipping down to eighth place in April and to ninth in May, has experienced a major turn around, storming back up the chart and taking fourth place in June.

W32.Dupator has moved up one place in June from sixth to fifth place.

The rest of June's chart is made up by re-entries, these are: Tibs, Spaces, MyDoom, Small and finally Funlove, in sixth, seventh, eighth, ninth and tenth places respectively.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of June] here. This clearly shows that June was busier than May which was the quietest month since I started keeping these statistics. As shown in the figures for June, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 275,995 at the end of June. That's a growth of 53,522 new malware strains and/or variants in the first half of 2007, in June the number jumped by over 10,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 107,044. Things have certainly speeded up during the second quarter of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - May has continued in June, if anything it has accelerated.

We have seen another rise in the level of spam during June and this may have dented the figures for 419s, Phishes and Malware arriving via e-mail; only time will tell.

The Phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity [as can be seen in the article I have included in this months report]. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Another trend which has made itself very obvious during the first half of the year is that of the malware authors relying on social engineering to get victims to infect their computers, rather than having to use exploit code or include mass-mailing or other infection routines into their creations.

The final trend I wish to mention that has become prevalent this year, and ties up with the social engineering comments above, is that the malware authors and cyber-criminals are increasing their use of web sites to hold their malware and sending e-mails that contain nothing more than a link to it. In many cases this is not just a single web site, but can be as many as 10,000.

Looks like we could be in for a very interesting second half of the year!

Links:


Friday, 20 July 2007

Surf or Turf? The Verdicts Are In!

Here's a follow-up to my 'Surf or Turf' posting which challenged you to work out whether ten screen shots of e-mails I had received were from who they claim to be from [Turf - The Real Beef] or from imposters [Surf - A Phoul Phish]?

So, to recap and to give any of you out there one final chance to take the challenge, here they are again:

Mug shot 1: Surf or Turf?



Mug shot 2: Surf or Turf?



Mug shot 3: Surf or Turf?



Mug shot 4: Surf or Turf?



Mug shot 5: Surf or Turf?



Mug shot 6: Surf or Turf?



Mug shot 7: Surf or Turf?



Mug shot 8: Surf or Turf?



Mug shot 9: Surf or Turf?



And last but not least....

Mug shot 10: Surf or Turf?



Your answers should be in the following format:

Mug Shot x [1-10] is [Surf|Turf]



SPOILER WARNING - DO NOT PROCEED BELOW THIS LINE - UNLESS YOU WANT TO KNOW THE ANSWERS

YOU HAVE BEEN WARNED!






For those of you that sent me your detective work or were brave enough to leave your findings/guesses as comments instead, I'd like to say thank you for joining in.

For those that took part, and those of you who didn't [shame on you! ;-)] here are the answers, and the pointers to show why it is Surf or Turf:

  • Mug shot 1 .: The Verdict :. 'Surf' - Did you notice the spelling mistakes and grammatical errors?

  • Mug shot 2 .: The Verdict :. 'Surf' - Did you notice the spelling mistakes, grammatical errors and unusual choice of font?

  • Mug shot 3 .: The Verdict :. 'Surf' - Threats and tight deadlines, dated 1987 and from 'Lana Staton'.

  • Mug shot 4 .: The Verdict :. 'Surf' - Did you notice the grammatical errors and the technical update?

  • Mug shot 5 .: The Verdict :. 'Surf' - Did you notice the grammatical errors and the technical update?

  • Mug shot 6 .: The Verdict :. 'Surf' - Did you notice the odd phrasing and grammatical errors?

  • Mug shot 7 .: The Verdict :. 'Surf' - Did you notice the odd phrasing and grammatical errors?

  • Mug shot 8 .: The Verdict :. 'Surf' - Did you notice the grammatical errors and the technical update?

  • Mug shot 9 .: The Verdict :. 'Surf' - Threats and tight deadlines, validation required once a month.

  • Mug shot 10 .: The Verdict :. 'Surf' - Threats and tight deadlines.


So, yes they were all 'Surf' after all, well done to those of you that correctly worked it out.

As some of you mentioned the URLs shown in the screenshots of the e-mails usually did not go to the same place they say they would. Of all of the ones I used for this challenge, number 6 was the most convincing and number 3 would have probably fooled some of you until the threat at the end and the date error.
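Two of the tells above can be checked mechanically rather than by eye: a link whose visible text is a URL for one site while the href actually goes to another host, and the threat-and-deadline wording. The following Python script is an added example, not code from this blog; the phrase list, the hostnames and both sample messages are constructed for illustration.

```python
"""Two of the 'Surf or Turf' tells, checked mechanically:
(1) a link whose visible text is a URL but whose href points at a different host,
(2) threat-and-deadline wording.
Added example, not code from the blog; the sample messages, hostnames and the
phrase list below are constructed for illustration."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible anchor text that "looks like" a URL: a scheme or www. prefix, or a
# bare host/path such as bank.example/login.  A heuristic, not a full parser.
_URLISH = re.compile(r"^(https?://|www\.)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Pressure wording of the "threats and tight deadlines" kind.  Constructed
# starter list; extend it from the mail you actually see.
PRESSURE_PHRASES = (
    "within 24 hours",
    "within 48 hours",
    "suspended",
    "will be closed",
    "validate your",
    "verify your",
    "confirm your",
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-case hostname of a URL-ish string, with a leading 'www.' dropped
    so that bank.example and www.bank.example compare equal."""
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_mismatched_links(html):
    """Return [(visible_text, href)] where the text is a URL for one host but
    the href actually leads to a different host."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        if not href or not _URLISH.match(text):
            continue
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            findings.append((text, href))
    return findings


def pressure_markers(html):
    """Return the PRESSURE_PHRASES present in the message, in list order."""
    lowered = html.lower()
    return [p for p in PRESSURE_PHRASES if p in lowered]


def verdict(html):
    """'Surf' (a phish) if any link lies about its destination or the message
    leans on pressure wording; otherwise 'Turf'."""
    if find_mismatched_links(html) or len(pressure_markers(html)) >= 2:
        return "Surf"
    return "Turf"


# Constructed sample messages.  203.0.113.10 is a documentation-only address
# and bank.example is a reserved name; neither is a real site.
SAMPLE_PHISH = """<html><body>
<p>Dear Customer, your account will be suspended within 24 hours unless you
validate your details at the link below.</p>
<p><a href="http://203.0.113.10/login">www.bank.example/login</a></p>
</body></html>"""

SAMPLE_LEGIT = """<html><body>
<p>Your monthly statement is ready.</p>
<p><a href="https://www.bank.example/statements">https://www.bank.example/statements</a></p>
</body></html>"""

if __name__ == "__main__":
    for name, msg in (("constructed phish", SAMPLE_PHISH), ("constructed legit mail", SAMPLE_LEGIT)):
        print(name, "->", verdict(msg), find_mismatched_links(msg), pressure_markers(msg))
```

The link check is the stronger of the two signals: a genuine sender has no reason to display one host and link to another, whereas pressure wording also turns up in legitimate reminders, which is why the verdict only counts it once two phrases appear together.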

Are you up for another challenge some time?

BTW, did any of you check out the 'McAfee SiteAdvisor Phishing Challenge'. If you did and scored 8 or more then consider yourself a 'Phishing' sleuth.


Thursday, 19 July 2007

Have You Been Invited?

How many of you out there in 'Blogland' use eBay?

Of those that do or have used eBay, how many of you have been either taken for a ride by the 'Seller' and have never received the goods you paid for, or have been supplied faulty, damaged or counterfeit goods?

Now, how many of you are or have been invited to become a 'PowerSeller'?

Well, I got the following e-mail recently:



Because I hardly ever use eBay and therefore I'm not eligible to become a power-seller, I was, not surprisingly, rather suspicious [more than usual, anyway ;-)] of the e-mail. Having clicked on the link I was taken here:



Well, it looks like the eBay site, uses the same fonts, template, logo, etc. But, guess what?

It is a 'fake'; this is a site trying to use social-engineering to get you to disclose your eBay credentials, logon details in this case, so the 'Bad Guys and Girls' can misuse them.

So, after all this, the e-mail was actually a 'Phishing' scam, so all you eBayers out there be careful not to fall for this.

BTW, I get many other more normal eBay Phishing scam e-mails as well.

So, another question for you all, "Do you feel safe using eBay and do you think that eBay take security seriously enough?" [Yes, I know that this is effectively two questions, not one.]


Tuesday, 17 July 2007

Alliance & Leicester Phish

Continuing the recent 'Phishing' theme, here is an example of just one of the many 'Alliance & Leicester' phishing e-mails that are currently arriving in their hundreds at my personal mail server:



And if you are foolish/brave enough to click on the link, this is what you will see in your web browser:



Usual fare for the Phishers, they want your personal details so that they can steal money from your account or use the details to open new accounts or credit arrangements in your name, so when they default on the loan, you'll be the one being hassled or taken to court for non-payment.

If you are unwise enough to enter your 'real' details and click on the 'Click to Confirm' button at the bottom right corner, then you will be taken from the 'phishy' Alliance & Leicester site to the 'real' Alliance & Leicester site, none the wiser that you have been 'phished'.



Meanwhile your credit rating will nose-dive, and it will take you weeks, months or even years to recover from the effects. All because you were 'phooled by a phish'.

So, if you are up for a challenge then check out the 'McAfee SiteAdvisor Phishing Challenge'. At least with that one you won't end up losing any personal details and you might learn a thing or two in the process.

While you are there, why not install the free SiteAdvisor plugin, you'll be somewhat safer while browsing than without it.

BTW, I report all the phishing, malware and spam sites I see each and everyday to SiteAdvisor, see if you can work out which reporter I am? ;-)


Monday, 16 July 2007

3 Million Pound T-Mobile Lottery Win!

Wow, look at this e-mail I've just been sent. According to it I've won THREE MILLION POUNDS!



So, it claims to have come from 'T-Mobile International Lottery', but on closer inspection it has actually come from a 'Hotmail' account. Obviously things are getting tough at 'T-Mobile' if they can't afford to run their own mail servers and domains anymore, but they can afford to give me THREE MILLION POUNDS as a prize? Doesn't add up, does it?

OK, I'll let you in to a secret, there is no such lottery, there is no 'THREE MILLION POUNDS' waiting for me (more's the pity ;-)) Yes, the e-mail is nothing more than another variant of the 419 Lottery scam which I've covered many times before on this blog.

This one isn't as ingenious as the one I blogged about on Friday, but it is a good try and people will get sucked in and believe that they have won a large pile of money, so you have been warned. As I often state "If something seems too good to be true, it probably is [too good to be true]". In other words "There ain't no such thing as a free lunch!"

Talking of lunch, I hope you enjoy/enjoyed yours?


Friday, 13 July 2007

Scam Victims Compensation Payments

Oh joy! I just had the following e-mail drop into my e-mail client, it has made my day. Read it all and I'll think you'll agree that it is a wonderful e-mail for anyone to receive, especially anyone that has been the victim of scammers.



Isn't it a wonderful e-mail?

What a lovely new twist from the 'Boys and Girls from Lagos' to try on potential victims. Yes, if you haven't already 'sussed', the e-mail is nothing more than the latest from those criminals who run the '419 scams' [aka Nigerian scams or Advanced Fee Fraud scams].

As usual there is NO MONEY, anyone falling for this would actually lose money, possibly lots of it, or worse their liberty or life!

For those of you that are not 'clued-up' on '419 scams', I'd suggest reading two articles I've had published in the 'Virus Bulletin' magazine. Links below:


Have a pleasant and safe weekend.


Friday, 6 July 2007

RBS Phish Run

Continuing the current 'Phishing' theme, here is an example of just one of the many RBS phishing e-mails that are currently arriving in their hundreds at my personal mail server:



And if you are foolish/brave enough to click on the link, this is what you will see in your web browser:



Usual fare for the Phishers, they want your personal details so that they can steal money from your account or use the details to open new accounts or credit arrangements in your name, so when they default on the loan, you'll be the one being hassled or taken to court for non-payment.

If you are unwise enough to enter your 'real' details and click on the 'Confirm & Exit' link at the bottom right corner, then you will be taken from the 'phishy' RBS site to the 'real' RBS site, none the wiser that you have been 'phished'.



Meanwhile your credit rating will nose-dive, and it will take you weeks, months or even years to recover from the effects. All because you were 'phooled by a phish'.

So, if you are up for a challenge then check out my 'Surf or Turf' posting. At least with my challenge you won't end up losing any personal details and you might learn a thing or two in the process.


Thursday, 5 July 2007

Surf or Turf?

I have set several challenges over the last six months on this blog, and I think it is time for a new one. So, as Phishing is one of the major problems at the moment I thought that it would make a good challenge, hope you agree?

Below are ten screen shots of e-mails I have received; are they from who they claim to be from [Turf - The Real Beef] or are they from imposters [Surf - A Phoul Phish]?

Mug shot 1: Surf or Turf?



Mug shot 2: Surf or Turf?



Mug shot 3: Surf or Turf?



Mug shot 4: Surf or Turf?



Mug shot 5: Surf or Turf?



Mug shot 6: Surf or Turf?






Mug shot 7: Surf or Turf?



Mug shot 8: Surf or Turf?



Mug shot 9: Surf or Turf?



And last but not least....

Mug shot 10: Surf or Turf?



Your answers should be in the following format:

Mug Shot x [1-10] is [Surf|Turf]

Those of you who are brave enough are welcome to leave your answers as feedback to this entry, anyone that would prefer to e-mail their answers to me can do so using the following e-mail address: Phish-Quiz at arachnid.homeip.net [replace ' at ' with '@']

Now chow down and bon appetit!

I'll post a summary [names withheld] of the results after the closing date for submissions, which will be the 19th of July 2007. Oh, and I'll post the answers at the same time too! ;-)


Wednesday, 20 June 2007

May 2007 Malware Review

The 'Darling Buds of May' have now finished blossoming and we are almost halfway through 2007, now that 'Flaming June' is upon us.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 800 samples during May, which have been catalogued as 35 distinct families and variants. In comparison during April I captured 736 samples which were catalogued as 40 distinct families/variants. As you can see the captures in May are very slightly up from April's total.

During May I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The May statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During May I reported 70 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has consolidated the pole position it took back last month after having to settle for the runner-up position during March, when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart. In contrast to Tenga, W32.Kasper.A has completely fallen out of the top ten in May, along with W32.Sality.AD which had grabbed the final podium place, in third.

So, because of that we have two members of the Opaserv.worm family [ae which is up 3 places and d which is a re-entry] in second and third places respectively.

There are five other members of the Opaserv.worm family in May's chart, up from just three representatives in April's chart. These are variants ah, ai, I, ac and k in fifth, sixth, seventh, eighth and ninth places respectively. Quite a turn-around in fortunes for this family!

Other casualties in May's chart include: IRC.Zapchast, Virus.Win32.Virut.a, W32/Netsky.P and Zhelatin.cq.

The last two places are claimed by Trojan-Downloader.Win32.Agent.bjo, which is a new entry, straight in at fourth place, and W32.Dupator, which is a re-entry back in the chart in tenth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for May still has Mytob.c in seventh place which it managed to climb to in February, it seems to have setup home there.

Netsky.q has regained the runner-up spot it held in March and lost in April. It is joined by three other family members, these being: Netsky.aa, which has regained the sixth place it claimed in March after falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place in May; and finally Netsky.b, which has slipped one place from ninth to tenth.

Bagle.gt has reversed its slow journey down the chart, climbing back up the chart one place from fourth to third. Worm.Win32.Feebs.gen has also climbed up one place from sixth to fifth place.

We have two new entries in May's chart, these are: Email-Worm.Win32.Sober.aa straight in the chart in fourth place and Trojan-Downloader.Win32.Agent.bqs four places below it in eighth place.

To complete the top ten, we have Scano.gen which has managed to climb one place from tenth to ninth place.

Kaspersky had this to say about May's chart:
"A first look at the top of the table for May might give the impression that we've slipped back in time to the end of 2005. You can rub your eyes as hard as you want but it won't change anything - Netsky, Bagle and Sober are topping the rankings again, just as they were a few years ago. "



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has finally lost its grip on pole position during May and we have a new pole sitter, this being Sober, which is a re-entry into the top ten.

Here is some commentary on it from Sophos:
"In May, Sober was the most prevalent email-borne attack, toppling Netsky from its top position and accounting for almost one third of all threats. Sober's dominance in the chart is primarily due to a huge outbreak on May 1st that coincided with May Day across Europe. During this 24-hour period, Sober accounted for nearly 70 percent of all infected email identified by Sophos."

Zafi-D which dropped from February's fourth to sixth place in March and which reversed its slide down the chart, ending up in fifth place in April is on the slide again, slipping down one place to sixth in May.
Meanwhile Nyxem.D [aka MyWife] has dropped another place in May; down from ninth to tenth place.

Stratio-Zip has consolidated its grip on fourth place, after falling out of the chart in February, and Mytob has likewise remained static in third place, which it grabbed back in December 2006.

Mydoom which was a re-entry in November's chart has recovered some ground after falling to seventh place in April; it is now up two places to fifth. November's new entry, Sality has lost one more place in May, down from sixth to joint seventh place in May's chart.

We have just one new entry in May's chart, this being Mal/Behav sharing seventh place with Sality.

To complete this month's top ten Bagle drops a single place from eighth to ninth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife] which stole Tenga's crown in March has completely disappeared from the chart in May.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to climb one place from the final step on the podium up to the runner-up spot; second.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times: after slipping down to eighth place in April it has lost more ground and slides down one more place to ninth. Netsky is static in fifth place.

We have two re-entries in May, these are: Email-Worm.Win32.Warezov and W32.Dupator in fourth and sixth places respectively.

One of March's new entries, Virut has consolidated its hold on seventh place in May's chart. Talking of new entries, we have three in the top ten for May, these are: Trojan-Downloader.Win32.Agent, Trojan-Spy.Win32.Banker and Trojan.BAT.Runner.b coming into the top ten in third, eighth and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.



Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of May] here. This clearly shows that May was the quietest month since I started keeping these statistics. As shown in the figures for May, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 265,284 at the end of May. That's a growth of 42,811 new malware strains and/or variants in the first five months of 2007, in May the number jumped by 12,126. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 102,700.

Things have certainly speeded up during April and May!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January - April has continued in May, as seen by continuing high numbers of fake e-cards notifications being trapped.

We have seen an unexpected recovery in the level of spam in May this may have dented the figures for both 419s and Malware arriving via e-mail, only time will tell.

The phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Links:


Friday, 8 June 2007

Can you spot the difference?

Here's a little test for you all, can you spot the difference between these screenshots of e-mails I've recently received?







Found any/many?

Well, truth be told these screenshots are adverts trying to recruit mules to launder stolen money, etc. All three claim to be separate companies, these are: TriVision Global, Barden Systems and finally Batterman Group. Isn't it also amazing that all three of these companies can't afford their own mail systems, web servers or domains and are forced to use 'googlemail' instead? ;-)

It seems that the mule recruiters are very busy at the moment looking for new idiots^H^H^H^H^H^H, er I mean naive or desperate individuals to turn into mules.

Currently I'm getting around 20 mule recruiting e-mails like these each and every day. These ones and the ones I've already blogged about are by far the most professional looking, in these cases created by professional criminals.

If you see an interesting one then please feel free to send me a copy, or even if you are not sure about something you've been sent, including chain e-mails, hoaxes, urban legends and so on.


Thursday, 31 May 2007

Would You Rather Be A Mule?

How many of you out there have seen job offers [both part time and full time positions] that look like the following screenshots:

Feeling charitable or are you a budding humanitarian? Try these ones:

[Donation Europe]



[Leap Forward International Donation Association]



Or are you just looking to make some cash, whatever it takes? Try these ones:

[TRI-VISION GLOBAL INC]




[Aegic Capital Group LLC]



Tempted to apply?

Well, let's see where we end up if we click on the web link in the e-mail from Aegis:





Looks very professional doesn't it? All of these all seem too good to be true, don't they?

Well, they are too-good-to-be-true; all the screenshots of the e-mails [including the 'charity' ones] are nothing more than an attempt to recruit staff to act as money launderers, also known as mules.

I've written about mules before on this blog, but I thought it was time to revisit the area as the bad guys and girls have been very active in trying to recruit new mules just recently.

So, a quick recap:

"We are not talking about four legged creatures that are half horse and half donkey….think more of drug couriers who are more usually referred to as Mules!

Now, in most cases Mules are those that either carry things for others [hence the use of the term] or act as laundering points, such as in organized crime syndicates; they do the dirty work of moving material from A to B and usually have little or no idea that what they are doing is illegal. They may even be acting as a Mule under duress, such as blackmail, etc.
"

So next time you see a job ad on the web, in the local paper or receive a job offer via e-mail, stop and think: is this really legit, or am I about to be turned into a mule? Or, as the song goes:

"Would you like to swing on a star
carry moonbeams home in a jar
and be better off than you are
or would you rather be a mule

A mule is an animal with long funny ears
he kicks up at anything he hears
His back is brawny but his brain is weak
he's just plain stupid with a stubborn streak
and by the way if you hate to go to school
You may grow up to be a mule..."

The full lyrics can be found here.

By all means swing on a star, but not if it means you grow up to be a mule...to fund the lifestyle, and end up broken, saddled with a criminal record, and end up corralled in jail with numerous other mules, while those that run the scams get away with turning the endless train of desperate people [including students] into yet more mules.


Wednesday, 30 May 2007

April 2007 Malware Review

Just about managed to get this finished before the end of the month.

April has come and gone and we are already well into second quarter of the year, this year seems to be flying by! However, on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 736 samples during April, which have been catalogued as 40 distinct families and variants. In comparison during March I captured 638 samples which were catalogued as 38 distinct families/variants. As you can see the captures in April are slightly up from March's total.

During April I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The April statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During April I reported 48 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] is back in pole position after having to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart during March.

W32.Kasper.A has had to settle for the runner-up spot in April. This means that the top two have swapped places in April's chart.

W32/Sality.AD [Frisk] is back in the top ten again having dropped out of the chart in March, it has stormed back in to grab the final podium place, in third.

The Opaserv.worm family which completely failed to turn up in the chart in February and then stormed back in to the chart in March with four representatives has suffered a loss. In April's chart we have lost one of the Opaserv clan from the top ten; the remaining family members are: variants ae, d, and ac in fifth, eighth and tenth places respectively.

IRC.Zapchast which managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart has suffered a fall, down three places to sixth.

Virus.Win32.Virut.a [which was a new entry in March's chart] has managed to consolidate the fourth place it managed to grab when it entered the chart in March.

We have two re-entries in April's chart, these are: W32/Netsky.P which has been in and out of the top ten for more than two years now, and Zhelatin.cq which is somewhat more recent, having only been around since the end of 2006.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for April still has Mytob.c in seventh place, which it managed to climb to in February; it seems to have set up home there.

Netsky.q has once more fallen off the runner-up spot, this time it has slipped just one place to third. It is joined by three other family members, these being: Netsky.aa, which has lost its sixth place from March, falling down to eighth spot in April. Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place, and finally Netsky.b has consolidated its hold on ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to fourth.

We have three new entries in April's chart, these are: Email-Worm.Win32.Warezov.ms straight in the chart in second place, Trojan-Spy.HTML.Bankfraud.ri in fifth place and finally Worm.Win32.Feebs.gen just below it in sixth place.

To complete the top ten, we have Scano.gen which is holding on tight to the final place; tenth spot.

Kaspersky had this to say about April's chart:
"It's getting more and more interesting looking at the statistics on malicious code in mail traffic. Warezov and Zhelatin regularly cause virus outbreaks, hit the headlines, and create a huge amount of work for virus labs around the world, but it's NetSky.t, an old email worm, which grabbed first place this month. In the three years since NetSky.t appeared, its highest ranking ever was fourth place in February 2006. It subsequently disappeared from the rankings, but returned to lurk close to the top of the table. And this month it has taken first place by storm, pushing aside all the new generation worms.

This was probably the result of a new tactic: virus writers are now spamming multiple variants of their latest creation within a very short space of time. Many of these variants make it to the Top Twenty, but sometimes the sheer number of variants prevents them from gaining a high position: NetSky.t, a single variant which spread extremely widely, is proof of this."



In the SOPHOS chart we see a different pattern; Netsky.p has consolidated its grip on pole position during April and we have a re-entry in the runner-up spot, Dref-AF.

Here is some commentary on it from Sophos:
"Sophos has also revealed that while Netsky has held onto the number one spot for email-borne threats, Dref has shot back into the chart at number two, accounting for 24% of all malware spread via email"

Zafi-D, which had dropped from February's fourth to sixth place in March, has reversed its slide down the chart, ending up in fifth place in April. Meanwhile Nyxem.D [aka MyWife] has dropped one place in April; down from eighth place to ninth, which was where it was back in February.

Stratio-Zip has managed to claw its way up from seventh to fourth place, after falling out of the chart in February. Mytob-C has dropped back down the chart from second to third place, which it grabbed back in December 2006.

Mydoom-O, which was a re-entry in November's top ten, drops three places from fourth to seventh place and November's new entry, W32/Sality.AA, has likewise dropped three places from third place to sixth in April's chart.

The last remaining member of the Bagle family, Bagle-qw also drops three places from fifth to eighth place.

To complete this month's top ten we have a new entry Troj/Small-EIV in at tenth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife] which stole Tenga's crown in March has had to make do with the runner-up spot once more.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to consolidate its hold on the final step on the podium; third place.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times and slipped down to eighth place in April.

Sality is up three places to sixth place, and we have two re-entries, these are: Zhelatin and Netsky, back in the chart in fourth and fifth places respectively.

March's new entries, Virut and Cloner which came in to the chart in fifth and eighth places respectively have both dropped two places during April, falling to seventh and tenth respectively. New entry Hidrag completes April's top ten, coming into the top ten in ninth place.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of April] here. This clearly shows that April was slightly up on the December 2006 total and slightly down on the first two months of 2007. As shown in the figures for April, I still believe that the overall trend is still downwards and that we will see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails, rather than as attachments.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 253,158 at the end of April. That's a growth of 30,685 new malware strains and/or variants in the first third of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 92,000. Things have certainly speeded up during April!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in April 2007.





Conclusions:
The current trend of using social-engineering which has been widespread in January, February and March has continued in April, as seen by the vast numbers of fake e-card notifications being trapped.

What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments, they know they shouldn't, because they believe that the technology in place will save them and if it doesn't it isn't their fault.

As mentioned elsewhere it seems that the scammers are upping their game by creating fake sites for key crime-fighting organisations in the UK, such as the Metropolitan Police and the Secret Intelligence Service. I wonder how long it will be before Interpol or the FBI sites have 'bogus' copies of their websites created by the scammers?

Links:


Wednesday, 2 May 2007

A Death Phish?

No, I'm not talking about the film based on the book by 'Brian Garfield' which depicts the conversion of 'Paul Kersey' from an average, caring, family man and general nice-guy to a death dealing vigilante.

In the film 'Death Wish' released in 1974 [and the many sequels that followed] the lead character 'Paul Kersey' was played by 'Charles Bronson'.

What I'm talking about is almost the opposite, a hired assassin deciding not to just take the money, but to warn the intended victim that they have been 'hired' to 'rub-them-out' and offering them a chance to 'buy-back' their life, and find out who 'hired' the assassin. This would make a wonderful movie plot!

Why am I mentioning a 'Film' on a blog about malware and related security threats/risks? Well, it is because of a couple of very disturbing e-mails that are currently circulating on the internet and turning up in numerous inboxes. Here are a couple of screenshots of the actual e-mails that claim that someone has paid an assassin to kill you!

Here's the original version that was seen back in January of this year:



Sophos put out a press release about this, and here is some comment from them about this particular variant:

"This is surely one of the sickest phishes yet seen - the intention of this email is quite clearly to frighten the recipient into coughing up a substantial amount of money or, at the very least, their bank account details," said Graham Cluley, senior technology consultant for Sophos. "Innocent, vulnerable people could be scared into believing that the contents of the email are truthful, while the not-so-innocent are arguably even more likely to be hoodwinked. It may be hugely unnerving to receive such threats, but the only way to stop the distribution of these messages is for users to stop responding."

This particular variant became such a problem in the US that the F.B.I posted a warning about it on their website.

In the last few days, a new variant has appeared which is being sent to people in Europe, this is what the new variant looks like:



As you can see the similarities between them are striking.

So, what should you do if you receive one of these e-mails? Simply this, delete it, it is just a scam.

I suspect that this is the latest output from the twisted minds of the 'Boys and Girls from Lagos', also known as the 419, Advance-Fee-Fraud, or Nigerian scammers. So, although I agree with most of the quote from Sophos, I don't agree with 'Graham Cluley' that this is a phishing scam at all, it is really a 'Cyber-Ransom E-mail' or an 'Extortion 419'. Do you have another suggestion for a more suitable name for these? If so, then leave me a comment or drop me an e-mail.

For those of you that are interested in more details on 419 and related scams; I've just had another article on 419s published by Virus Bulletin, you can find a copy of the article here. Older articles on this subject, along with many others, and all my published papers, can be found here.


Monday, 30 April 2007

March 2007 Malware Review

Just about managed to get this finished before the end of the month.

March has come and gone and already we have used up the first quarter of the year. However, some things don't change; it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with yet more mass-mailing malware, which many anti-virus firms were saying would be extinct by now, guess again! We have also seen an awful lot of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 638 samples during March, which have been catalogued as 38 distinct families and variants. In comparison during February I captured 894 samples which were catalogued as 43 distinct families/variants. As you can see the captures in March are significantly down from February's total.

During March I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The March statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During March I reported 58 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:


W32/Tenga.3666 [Frisk] had to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] forced its way to the top of the chart ousting February's pole sitter in the process by less than half a percentage point. Bear in mind that W32.Kasper.A wasn't even in the top ten in February, so it is a re-entry, which makes its position in March's chart even more incredible.

Mytob.J, which was the runner-up in February's chart and seriously threatening Tenga's hold on pole position, has slipped down the chart to sixth place.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, fell on hard times in January and February, only managing to fill one place in the chart; the survivor was Tenga.3666. What a difference a month makes: the Opaserv.worm family, which completely failed to turn up in the chart in February, is back. Not just one or two, but four representatives are back in the top ten. These are variants ae, d, ac and ai, in fifth, seventh, ninth and tenth places respectively.

IRC.Zapchast has managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart.

A new entry in March's chart [in 4th place] is Virus.Win32.Virut.a which is a bit of a throw-back, being a real 'virus', an appending one, as well as being a Bot. We also have another new entry, even though it is a real oldie [Pate.B in 8th place], as it has been around for a long time but never managed to get in to the top ten, until now.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for March still has Mytob.c in seventh place which it managed to climb to in February, up from ninth in January.

Netsky.q has managed to climb back up to the runner-up spot in March, having fallen down the chart from second place in January to fourth in February. It is joined by three other family members, these being: Netsky.aa, which recovers its sixth place from the drop to tenth it suffered in February, Netsky.t, February's pole sitter slips back down to fourth and Netsky.b is a re-entry in at ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to third.

As seen in my own top 10 chart, the Zhelatin family which stormed the Kaspersky chart during February have disappeared from the top ten just as fast as they arrived.
We have three new entries in March's chart, these are: Bankfraud.ra straight in the chart in pole position, Warezov.jx in at fifth place, and to complete the top ten, we have Scano.gen a new entry in at eighth place and Mydoom.l which is a re-entry taking the final place; tenth spot.

Kaspersky had this to say about March's pole sitter:
"This month's leader, Trojan-Spy.HTML.Bankfraud.ra is also the result of recent virus epidemics. This Trojan is a typical phishing email, and millions of copies have been sent around the world. We've also noticed that this malicious program has been mass mailed several times. Bankfraud.ra was first detected on 27th February 2007, and in the space of a single month reached such a volume that this month it accounts for more than 30% of all malicious programs detected in mail traffic.
The Trojan targets clients of the Branch Banking and Trust Company (BB&T). It attempts to lure them to fake web sites registered by their undoubtedly malicious users in Croatia and the Cocos (Keeling) Islands."



In the SOPHOS chart we see a different pattern; Netsky.p has once more raised its game and stolen pole position once more in March. February's pole position sitter, HckPk, has completely dropped out of the top ten.

Here is some commentary on it from Sophos:
"Unwanted emails hiding copies of Netsky are still spreading like weeds in an untended garden, showing how well seeded these mass-mailing threats are," said Carole Theriault, senior security consultant at Sophos.

Zafi has dropped from February's fourth to sixth place in March. Meanwhile Nyxem.D [aka MyWife] has gained one place in March, up from ninth to eighth place.

Stratio has managed to claw its way back into the top ten, to seventh place, after falling out of the chart in February. Mytob has improved upon the third place it grabbed back in December 2006, and is up one place to be March's top ten runner-up.

Mydoom-O, which was a re-entry in November's top ten, climbs two places from sixth place to fourth and November's new entry, W32/Sality.AA, has climbed another two places from fifth place to third in March's chart.

The last remaining member of the Bagle family, Bagle-qw crawls further up the chart from seventh to fifth place.

To complete this month's top ten we have Clagger.a which is down one place from ninth to eighth spot and a new entry DwnLdr.GFX in at tenth place.

SOPHOS also noted the following:
"It's frustrating to think that there are a bunch of new threats out there that are much more targeted and devious in their approach, yet how can we expect the average computer user to protect against them when the Netskys and Mytobs remain so rooted? Users need to roll up their sleeves and commit to keeping their PCs secure both for their sake and the sake of everyone else connected to the web."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is not headed up by the September 2005 leader Tenga. This month a new 'pretender' has stolen its crown in March, so Tenga has had to make do with the runner-up spot once more. This 'pretender' is W32.Kasper [aka MyWife].

Mytob has dropped from third place in February's chart to sixth spot during March.

Zapchast which stormed up the chart from ninth to fifth place in February has managed to move up to fourth place in March. Opaserv has also climbed up the chart in March from sixth to the final step on the podium; third place.

February's new entries, Parite [aka Pate] and Sality, are static in seventh place and up one place to ninth place respectively. New entries include Virut and Cloner in at fifth and eighth places respectively. Dupator completes March's top ten, in tenth.




If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of March] here. This clearly shows that March was slightly down on the December 2006 total and significantly down on the first two months of 2007. As shown in the March figures, I still believe that the overall trend is still downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 241,959 at the end of March. That's a growth of 19,486 new malware strains and/or variants in the first quarter of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just under 78,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in March 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January and February has continued in March, as seen by the IE7 'fake' download detailed elsewhere in this report.

The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments, they know they shouldn't, because they believe that the technology in place will save them and if it doesn't it isn't their fault.

Links:


Wednesday, 18 April 2007

A Google Product Too Far?

There are now so many 'Google' products and services out there that it is easy to believe that 'Google' have a finger in every pie; a bit like the 'Virgin' empire, well almost.

We have 'Google Search, Google Mail, Google Talk, Google Reader, Google Adwords and Adsense, Google Docs and Spreadsheets, Google Notebook and the latest ones I know about are Google Checkout and Google's answer to Powerpoint'. The list is almost endless!

So with that in mind, how many of you out there have received an e-mail that reads like this one for 'Google Lottery'?:



Excellent, a 'Million Euros' would be most welcome...

OK, now how many of you have believed you have actually won something?

Go on, hands up, yes that includes you hiding at the back there! ;-)

If it was really from 'Google', why oh why does the named agent use an 'AIM' e-mail account? Surely they should use a 'Gmail' or 'Googlemail' one?

Yes, this is another 419, aka Nigerian or Advance-Fee-Fraud. More details on these can be found here, and I'll have an new article on 419s which I wrote for Virus Bulletin and was published in the April edition available here shortly.

I'm still waiting for 'Google' to make swimming goggles...that would be almost as ironic as 'Virgin condoms*'.


(*Yes, I know they exist!)


Wednesday, 11 April 2007

Secret Intelligence Service SCAM ALERT!! E-mail

Here's an interesting e-mail I received today. The following screenshots show the complete e-mail. Read it all the way through. What do you think, real or fake?






Hands up all those that said real?

All of you who said 'real' are in detention, write out, in full 100 times, my blog post covering 419 scams [here] and the recent blog entry on the 'Police Website Line-up' [here]. ;-)

Hands up all those that said fake?
Well done! Give yourself a pat on the back, it does indeed seem to be a fake. Details below:

Hmmm... the e-mail comes from [or so it claims], 'anti.scam-dpt@sis.gov.uk', SIS.GOV.UK is the domain owned and used by the SIS [Secret Intelligence Service, which is also known as MI6 in the UK.] However, the reply to address in the e-mail body is: 'hollace_fwilliam@britishsecretservice-uk.org', that sounds 'phishy'. So let's look at the domain details for it, shall we?

Here are the DNS entries:

britishsecretservice-uk.org. 600 IN SRV 1 1 5061 federation.messenger.msn.com.
britishsecretservice-uk.org. 600 IN MX 10 pamx1.hotmail.com.
britishsecretservice-uk.org. 600 IN A 65.54.132.254
britishsecretservice-uk.org. 86398 IN NS pdomns1.msn.com.
britishsecretservice-uk.org. 86398 IN NS pdomns2.msn.com.

The MX [e-mail] record is pointing to a 'hotmail.com' MX server, I can't see the SIS using Hotmail as their primary e-mail server, can you? Or, for that matter, MSN DNS servers as their primary and secondary DNS.
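The same reasoning can be automated. The Python below is an added example, not the author's tooling: it parses records in the zone-file style shown above (a constructed copy of those lines is embedded, nothing is looked up live), compares the From and reply-to domains, and flags an MX at a consumer webmail service or NS servers run by a third party. The list of webmail suffixes is an assumption to be extended as needed.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed copy of the records quoted in the post; no live DNS is queried.
SAMPLE_RECORDS = """\
britishsecretservice-uk.org. 600 IN SRV 1 1 5061 federation.messenger.msn.com.
britishsecretservice-uk.org. 600 IN MX 10 pamx1.hotmail.com.
britishsecretservice-uk.org. 600 IN A 65.54.132.254
britishsecretservice-uk.org. 86398 IN NS pdomns1.msn.com.
britishsecretservice-uk.org. 86398 IN NS pdomns2.msn.com.
"""

# Consumer/webmail providers that no government department would use as its
# primary mail exchanger (assumed list; extend to taste).
WEBMAIL_DOMAINS = {
    "hotmail.com", "msn.com", "live.com", "gmail.com", "googlemail.com",
    "yahoo.com", "aol.com", "aim.com",
}


@dataclass
class Record:
    name: str    # owner name, trailing dot stripped, lower-cased
    ttl: int
    rtype: str   # MX, NS, A, SRV, ...
    rdata: str   # everything after the type, trailing dot stripped


def parse_zone_lines(text: str) -> list[Record]:
    """Parse 'name TTL IN TYPE rdata...' lines as printed by dig/host."""
    records: list[Record] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and anything that is not a class IN record.
        if len(parts) < 5 or parts[2].upper() != "IN":
            continue
        name, ttl, _cls, rtype, *rdata = parts
        records.append(Record(
            name=name.rstrip(".").lower(),
            ttl=int(ttl),
            rtype=rtype.upper(),
            rdata=" ".join(rdata).rstrip(".").lower(),
        ))
    return records


def registrable_domain(host: str) -> str:
    """Crude owner domain: the last two labels (no public-suffix list here)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def email_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def assess(from_addr: str, reply_to: str, records: list[Record]) -> list[str]:
    """Return a list of red flags for the reply-to domain; empty means none found."""
    flags: list[str] = []
    from_dom, reply_dom = email_domain(from_addr), email_domain(reply_to)

    # A reply-to that leaves the claimed sender's domain is the first tell.
    if from_dom != reply_dom:
        flags.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")

    for rec in records:
        if rec.name != reply_dom:
            continue
        if rec.rtype == "MX":
            mx_host = rec.rdata.split()[-1]  # drop the preference number
            if registrable_domain(mx_host) in WEBMAIL_DOMAINS:
                flags.append(f"MX {mx_host} is a consumer webmail service")
        elif rec.rtype == "NS":
            ns_owner = registrable_domain(rec.rdata)
            if ns_owner != registrable_domain(rec.name):
                flags.append(f"NS {rec.rdata} is operated by a third party ({ns_owner})")
    return flags


if __name__ == "__main__":
    recs = parse_zone_lines(SAMPLE_RECORDS)
    for flag in assess("anti.scam-dpt@sis.gov.uk",
                       "hollace_fwilliam@britishsecretservice-uk.org", recs):
        print("RED FLAG:", flag)
```

Run against the records from the post it reports four flags: the mismatched reply-to domain, the Hotmail MX and the two MSN name servers.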

Let's look at the WHOIS record, shall we?

Domain ID:D106558818-LROR
Domain Name:BRITISHSECRETSERVICE-UK.ORG
Created On:08-Jun-2005 09:07:00 UTC
Last Updated On:01-Jul-2006 03:55:43 UTC
Expiration Date:08-Jun-2007 09:07:00 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:C338EEA0092FC35F
Registrant Name:MR. HOLLACE WILLIAM FRANCIS
Registrant Organization:MR. HOLLACE WILLIAM FRANCIS
Registrant Street1:3840 Fishcreek Rd
Registrant City:Stow
Registrant State/Province:OH
Registrant Postal Code:44224
Registrant Country:US
Registrant Phone:+1.3306282938
Registrant Email:hollace_fwilliam@britishsecretservice-uk.org
Admin ID:C338EEA0092FC35F
Admin Name:MR. HOLLACE WILLIAM FRANCIS
Admin Organization:MR. HOLLACE WILLIAM FRANCIS
Admin Street1:3840 Fishcreek Rd
Admin City:Stow
Admin State/Province:OH
Admin Postal Code:44224
Admin Country:US
Admin Phone:+1.3306282938
Admin Email:hollace_fwilliam@britishsecretservice-uk.org

Now why would the SIS or MI6 use someone living in Ohio in the US to register a domain for them?

And where is this domain being hosted?

65.54.132.254 [Querying whois.arin.net]
[whois.arin.net]

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 65.52.0.0 - 65.55.255.255
CIDR: 65.52.0.0/14
NetName: MICROSOFT-1BLK
NetHandle: NET-65-52-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.MSFT.NET
NameServer: NS5.MSFT.NET
NameServer: NS2.MSFT.NET
NameServer: NS3.MSFT.NET
NameServer: NS4.MSFT.NET
Comment:
RegDate: 2001-02-14
Updated: 2004-12-09

Hmmmm.... I wonder if Microsoft know they are hosting a potential 419 scammer on their servers?

If you type 'http://britishsecretservice-uk.org' in to your web browser, after a small pause you end up here:



This is the 'REAL' MI5 website, seems that the domain owner for 'britishsecretservice-uk.org' is currently redirecting all web traffic to the MI5 site. I bet he isn't doing the same with the e-mail traffic, very sneaky!

The final proof that this is a fake, if you really needed any more, is that the SIS is part of MI6, but the fake domain redirects to the MI5 site which the SIS are not part of, and did you notice the use of an MI5 logo in the foot of the e-mail?

Back to the drawing board you 'Bad Guys and Gals from Lagos'....


Monday, 2 April 2007

A Police Website Line-up - The Verdict

As promised, [finally] here is my posting with the verdict on which one of the following suspects in my Metropolitan Police website line-up is the real one and, more importantly, which is the fake one. I will also reveal what the fake one was set up for, and by whom.

Just to refresh your memory, I originally asked:
"Do you think you can tell the difference between a real website and a copy which is a fake? Yes? Well, let's see how good you are, here's a test for you. Which of the following screenshots is from the real Metropolitan Police Service web site, and which is the fake?"

[Mug-shot 1]


A larger version of this screen-shot can be found here.

OR

[Mug-shot 2]


A larger version of this screen-shot can be found here.

I did get some responses, and those that did respond got it right!

Oh, you want the answer? OK, here's your starter for 10:

The real Metropolitan Police Service web site was 'Mug-shot 2', and the fake must be, by a process of elimination, 'Mug-shot 1'. I did leave one obvious clue to help you, did you spot it?

Take another look at the 'McAfee Site Advisor' indicator in the status bar at the foot of the browser window: the real Met site shows as 'Green', which means it has been tested and is probably the real thing, whereas the fake site shows as 'Grey', which means it hasn't been tested yet and should probably be treated as suspicious, for now.

Other clues that give the fake away include:

The two e-mail addresses and the domain name used, as in:
  • new.scotland.yard@metpoliceuk-gov.com

  • clarence.c.vernon@metpoliceuk-gov.com

And

The telephone and fax numbers given:
  • Call us +442071936470 (24 hour switchboard)

  • Fax us +448717200341

Why include an international dialling prefix, when the police force is only responsible for the London Metropolitan area? Bit of a giveaway!

Let's dig a bit deeper now; starting with the Whois record for the fake domain:
Domain Name: METPOLICEUK-GOV.COM
Name Server: NS.PIPNI.CZ
Name Server: NS2.PIPNI.CZ
Status: clientTransferProhibited
Updated Date: 13-mar-2007
Creation Date: 05-mar-2007
Expiration Date: 05-mar-2008

Name servers in the Czech Republic for a UK police force? I think not. And the domain was only created on the 5th of March 2007.

And here are the registrant details, which are probably spoofed.
Registrant:
Jennfier Mcsorley
74 Jermyn St
London, LONDON SW1Y6NP
Great Britain
( )442079305321
sn.tosin@yahoo.com

Of course, it must be real; the London Metropolitan Police force all use free web mail services, such as Yahoo, don't they? ;-)
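The clues picked out of these two WHOIS records (a registrant in a different country from the body being impersonated, name servers under a foreign ccTLD, a domain created days before the e-mails, a free web-mail contact address, and a domain name that merely resembles an official one) can be scripted as a first-pass triage. The following Python is an added example, not the blog's own tooling and nothing from the Met Police or the registrars involved; the two records are constructed from the fields quoted on the page (country codes normalised), the free web-mail list and the list of official UK suffixes are my assumptions, and the triage date is taken as the date of this post.

```python
"""Triage a suspicious domain's WHOIS text against the clues used above.

Added example, not the blog's tooling. The records below are constructed from
the fields printed on the page; the lists marked as assumptions are mine."""
import re
from datetime import date, datetime

POST_DATE = date(2007, 4, 2)                      # date of the line-up verdict post
FREE_WEBMAIL = {"yahoo.com", "aol.com", "hotmail.com", "gmail.com"}  # assumption
OFFICIAL_UK_SUFFIXES = (".gov.uk", ".police.uk")  # assumption: where a UK body would live

# Constructed from the Met Police look-alike record quoted in the post.
MET_WHOIS = """\
Domain Name: METPOLICEUK-GOV.COM
Name Server: NS.PIPNI.CZ
Name Server: NS2.PIPNI.CZ
Creation Date: 05-mar-2007
Registrant Country: GB
Registrant Email: sn.tosin@yahoo.com
"""

# Constructed from the 'British Secret Service' record quoted in the post.
SIS_WHOIS = """\
Domain Name: BRITISHSECRETSERVICE-UK.ORG
Registrant Country: US
Registrant Email: hollace_fwilliam@britishsecretservice-uk.org
Admin Email: hollace_fwilliam@britishsecretservice-uk.org
"""


def parse_whois(text):
    """Collect 'Key: Value' lines into a dict of lower-cased key -> [values]."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*?)\s*$", line)
        if m:
            rec.setdefault(m.group(1).lower(), []).append(m.group(2))
    return rec


def parse_date(value):
    """Handle the two date shapes seen in registrar output; None if neither fits."""
    for fmt in ("%d-%b-%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).date()
        except ValueError:
            continue
    return None


def triage(text, claimed_country, official_suffixes, as_of, max_age_days=90):
    """Return human-readable findings; an empty list means no clue fired."""
    rec = parse_whois(text)
    findings = []
    domain = rec.get("domain name", [""])[0].lower()
    if domain and not any(domain.endswith(s) for s in official_suffixes):
        findings.append("lookalike: domain not under an official suffix")
    created = parse_date(rec.get("creation date", [""])[0])
    if created is not None and (as_of - created).days < max_age_days:
        findings.append(f"young domain: created {(as_of - created).days} days ago")
    for ns in rec.get("name server", []):
        tld = ns.rsplit(".", 1)[-1].lower()       # two-letter TLD = country code
        if len(tld) == 2 and tld != claimed_country.lower():
            findings.append(f"name server under .{tld} for a {claimed_country} body: {ns.lower()}")
    for email in rec.get("registrant email", []) + rec.get("admin email", []):
        if email.rsplit("@", 1)[-1].lower() in FREE_WEBMAIL:
            findings.append(f"free web-mail contact: {email.lower()}")
    for country in rec.get("registrant country", []):
        if country.upper() != claimed_country.upper():
            findings.append(f"registrant country {country} differs from claimed {claimed_country}")
    return findings


def demo():
    """Both records triaged as if they belonged to a UK body, as of the post date."""
    return {
        "metpoliceuk-gov.com": triage(MET_WHOIS, "GB", OFFICIAL_UK_SUFFIXES, POST_DATE),
        "britishsecretservice-uk.org": triage(SIS_WHOIS, "GB", OFFICIAL_UK_SUFFIXES, POST_DATE),
    }


if __name__ == "__main__":
    for dom, hits in demo().items():
        print(dom)
        for hit in hits:
            print("  -", hit)
```

These are heuristics for ordering what to look at first, not a verdict: a record that fires none of them is not thereby genuine (the 'British Secret Service' domain uses its own e-mail domain and only trips the country and suffix checks), and a legitimate organisation can have a young domain or an overseas registrar. The findings are meant to be read alongside the page content and the redirect behaviour discussed above.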

OK, enough detective work for now. But we still need to know the purpose behind setting up such a site; here are some suggestions. Which one[s] seem most likely to you?
  1. Nigerian (aka 419) scammers?

  2. Terrorists?

  3. Phishing scammers?

  4. Other Organised criminal gang?

The answer, according to The Register is:
"Nigerian scammers have launched a fake London Metropolitan Police website, which includes a fake anti-terrorist hotline number.

According to anti-advance fee fraud organisation Ultrascan Advanced Global Investigations, the scam refers victims to an "official" website that sells so-called "anti-terrorist certificates" which are needed to secure payments from abroad. In the past, fraudulent Anti-Terrorist Stop Order letters were purportedly issued by the Financial Crimes Enforcement Network (FinCEN)."

The full article from the Register can be found here.

So now you know the which, the why, the when and the how of the crime... Book 'em Danno!

Up for another challenge some time?


Friday, 23 March 2007

February 2007 Malware Review

February has come and gone and although the months and seasons change, some things don't: it has been another very busy month for me. On the malware and related security threats front it has been an interesting month, with more mass-mailing malware, which many anti-virus firms were saying would be extinct by now. Guess again! We have also seen an awful lot of malware using social-engineering to get the victim to infect their own computer, without the need for the malware author to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare them with those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all their data comes from the Internet. These systems run on an aDSL link and are personal research projects that have been running for some time: WormCharmer for 4.5 years, the Malware Bayesian Filter for 3.5 years.

In total I captured 894 samples during February, which have been catalogued as 43 distinct families and variants. In comparison during January I captured 991 samples which were catalogued as 54 distinct families/variants. As you can see the captures in February are down slightly from January's total.

During February I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As you can clearly see, February's captures are up from December 2006, but fell slightly from January's haul. The February statistics consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During February I reported 78 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] yet again retained the pole position during February. Moreover, it has gained back some of the ground it lost in January; its percentage has increased from over 36 percent in January to over 42 percent in February. Once again, Tenga.3666 seems very intent on keeping pole position for itself, although it had very strong competition again during February, this time from Mytob.J.

Netsky.P [aka Netsky.q] has disappeared from the chart again in February after being the only representative of the family left in January's chart.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, have fallen on hard times in January and February, only managing to fill one place in the chart; the survivor, yet again, is Tenga.3666 in pole position. There are yet again no Opaserv.worm family representatives in the chart in February. IRC.Zapchast has managed to climb up the chart from the final slot in January's chart to fourth place.

It has been another bumper month for new entries: in January's chart we had seven new entries, in February's we have eight, these being five members of the Zhelatin [aka Nuwar] family [u, o, m, r and ab] in third, fifth, seventh, eighth and tenth respectively. Next up are two members of the Tibs family [kj and jr] in sixth and ninth places respectively. The final new entry is Mytob.J, which has stormed into the chart in second place. All in all another very hectic month!

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the top 10 from Kaspersky [below], February has seen the Mytob family gain a little of the ground it lost in January. The only survivor of the Mytob clan is Mytob.c, bouncing up from ninth to seventh place in February.

Netsky.q has fallen down the chart from second place in January to fourth. It is joined by two other family members, these being: Netsky.aa, which drops all the way down to tenth, and Netsky.t, which is up from fourth and has stolen pole position from January's pole sitter, Bagle.gt, which slips down one place to second.

As seen in my own top 10 chart, the Zhelatin family have stormed the Kaspersky chart and account for four of the top ten spots. These are Zhelatin [dam, o, u and m] in third, fifth, eighth and ninth respectively. All of these are new entries.

Kaspersky had this to say about Zhelatin:

"During February we issued three virus alerts with a 'medium' threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants."

Finally we have another new entry, this being Warezov.ls in at sixth place.



In the SOPHOS chart we see a different pattern; Netsky.p has yet again consolidated its grip on second place in February. Pole position has been stolen by HckPk, which is sort of a new entry as it is a 'generic' label for malware that uses HckPk to obfuscate itself, such as Dorf and Dref.

Here is some commentary on it from Sophos:

"Hackers are increasingly using encryption and packer tools - such as those belonging to the HckPk family - to camouflage their malicious code. January's hardest-hitting worm, Dorf, plus the prevalent Dref mass-mailing worms are just two examples of the malware currently being hidden within HckPk programs. Sophos has also found that cybercriminals are constantly modifying their HckPk disguises in an attempt to bypass IT defences."

SOPHOS also noted the following:

"HckPk is a bit like Mr Potato Head - it uses disguises to bamboozle anti-virus protection into thinking the attachment is safe when, in reality, malicious code lies within," said Carole Theriault, senior security consultant at Sophos. "Today's most widespread threats, such as Dref and Dorf, use HckPk, so by blocking it, we zap the nasty threats lurking inside. Users need to check that their anti-virus protection can proactively detect against previously unseen malware, otherwise they could be next in a long line of victims."


Zafi.d has managed to climb up from fifth place in January's chart to fourth in February's. Meanwhile Nyxem.D [aka MyWife] has further consolidated its place in ninth.

The downloader variant of Stratio [StraDl] has managed to claw its way back into the top ten, to ninth, after falling out of the chart in January.

Mytob.C has further consolidated its third place it grabbed back in December 2006. Netsky [D] has disappeared from the top ten again. Mydoom-O which was a re-entry in November's top ten remains in sixth place in February's chart.

November's new entry, W32/Sality.AA, has climbed another two places, from seventh to fifth, in February's chart.

The last remaining member of the Bagle family, Bagle-qw crawls back up the chart from eighth to seventh place.

To complete this month's top ten we have Clagger.i, which is a re-entry in tenth.



The final pie chart below shows the Top 10 malware families trapped, by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is once more headed up by the September 2005 leader, Tenga. This month the 'pretender' that stole its crown in January has had to make do with the runner-up spot. This 'pretender' is Zhelatin [aka Nuwar, Tibs]. Opaserv has once more slipped down the chart, from fifth to sixth spot during February. Netsky has managed to halt its slide down the chart and has consolidated its position in eighth.

Tibs has managed to grab fourth place, and we have Mytob which has stolen the final step of the podium, in third spot.

Zapchast has stormed up the chart from ninth to fifth place and Small is down from sixth to ninth.

New entries include Parite and Sality in at seventh and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: the following graph shows the percentage of malware that I received and that my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of February] here. This clearly shows that February was only slightly less busy than January, but still up on the December 2006 total. This jump can be attributed to the Tibs [aka Dorf, Nuwar, Zhelatin] mass-mailers, which were widespread during February. Even allowing for this significant rise, I believe that the overall trend is still downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 233,084 at the end of February. That's a growth of 10,611 new malware strains and/or variants in the first two months of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 63,500.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in February 2007.


Conclusions:
The use of social-engineering has made life somewhat more troublesome during January and February than we have seen during most of 2006. This has been somewhat compounded by the event that happened on the 14th of February. The use of social engineering around that time was quite excessive, as indicated by the two articles listed above.

The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool, taking risks opening attachments they know they shouldn't because they believe that the technology in place will save them, and that if it doesn't, it isn't their fault.

Note: EICAR have informed me that the EICAR 2007 conference to be held in Budapest, Hungary between the 3rd and the 8th of May has been cancelled.

Links:


Friday, 26 January 2007

Another Lottery Win!

Hot on the heels of my being informed that I'd won a BMW and 550,000 Euros, comes another e-mail telling me I've won another lottery. I must be the luckiest person alive!

This time, according to an e-mail I've just received, I've won '500,000 US Dollars' !

Hang on, this is a lottery that is allegedly sponsored by the United Nations, I didn't know they were even in the lottery business? Yet again I don't remember entering any lottery!

Here are a couple of screenshots, showing the whole e-mail in all its glory:




Looks very professional and believable doesn't it?

However, it seems that the United Nations are also so short of money that they can't afford their own e-mail system and have to rely on AOL accounts too. If so then why are they running this lottery and giving me 500,000 US Dollars, surely that money would pay for a 'real' e-mail system? ;-)

Just to make it crystal clear, this is a scam, there is no money, and I haven't really won anything....Again!

I'm sure that the United Nations will be delighted to know their name is being used to help make a scam [in this case it is an Advance-Fee Fraud also known as a 419 or Nigerian scam] more believable?

Oh, and have any of you reading this ever met or known someone with a first name of 'Happy' or 'Stillwant', I mean they cannot be serious, can they?


Wednesday, 24 January 2007

I've Won a BMW Car and 550,000 Euros...

Wow, must be my lucky day (again), according to an e-mail I've just received, I've won '550,000 Euros and a new BMW Car' !

Hang on, this is a lottery that is allegedly sponsored by BMW, I don't drive [maybe it is time to learn as they are giving me a free car?], and yet again I don't remember entering any lottery!

Here are a couple of screenshots, showing the whole e-mail in all its glory:




Are BMW really that hard up that they can't afford their own e-mail system and have to rely on AOL? No, of course they are not, this is a scam.

Just to make it crystal clear, this is a scam, there is no money, and I haven't really won anything....Damn, I suppose I better cancel that order for those new guitars now? ;-)

Blimey, they are using a picture of some poor unsuspecting guy to try and give more credence to the e-mail. In this case they have used an image from www.rotary.org and the picture is of the president [Carl-Wilhelm Stenhammer] of that society.

I'm sure he will be delighted to know that a picture of him is being used to help make a scam [in this case it is an Advance-Fee Fraud also known as a 419 or Nigerian scam] more believable?
