Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-)] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don't mind, but I was actually looking forward to having a more relaxed conference than I usually do, but that's life!



This posting is a quick review of the conference:

Day 1 - Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by the Keynote address "The AV industry: Quo Vadis?" presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, as well as what the good guys [and girls] are up to.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting, a presentation by Morton Swimmer [who used to work for IBM] entitled:

• Towards integrated malware defence

It was a good presentation, however as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode; Corporate stream and Technical steam. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream.

The first two presentation after lunch were:

• Your computer is now stoned (...again!). The rise of MBR rootkit - Kimmo Kasslin, F-Secure
• When the hammer falls - effects of successful widespread disinfection on malware development and direction - Matt McCormack, Microsoft

The presentation given by Kimmo was esepcially interesting as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for Tea and coffee before the attending the final pair of presentations on the technical stream. These were:

• Applying user-mode memory scanning on Windows NT - Eric Uday Kumar, Authentium
• Packer visualisation: a fast entropy scanning algorithm that preserves local detail - Li Sun, RMIT University

I decided to sit in on the vendor presentation after the days main proceedings, this was given by my good friend David Harley, from Eset.

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of Ice Hockey players; for those that wanted pictures, as well as a bit of fun from Ken Bechtel, who's hat did the rounds and photos were taken of those that ended up wearing it, including me. If you've ever met Ken, you'll know which hat I mean as he is rarely seen without it.

Day 2 - Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-)"], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector, it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn't now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

• The robustness of new email identification standards - Reza Rajabiun, COMDOM Software and York University
• Coordinated distributions method for tracking botnets sending out spam - Andrey Bakhmutov, Kaspersky Lab
• Malware forenscis: detecting the unknown - Martin Overton, IBM ISS

The presentation given by Andrey was extremely good, some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes "it was like teaching my grandmother how to suck eggs". In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the worlds best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact one of the guys who were running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

• VB testing - present status, future plans, John Hawes, Virus Bulletin
• Race to zero with online scanners, Boris Lau, Sophos
• There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
• Apple iPhone programming with SDK, Marius van Oers, McAfee

This year these short technical presentation worked rather well, although it was hard for some of the presenters to keep to the 20 minute slot limit, yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

• The NorTel Mailer: effective open-source spam filtering for enterprises - Chris Lewis, Nortel
• SCADA security - who is really in control of our control systems? - Peter Allor, IBM

Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

• The state of anti-malware testing

Later we had the "pre-dinner drinks and the Gala dinner and entertainment".

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say "we have travelled 3,500 miles for a pub quiz!". Personally, I enjoyed it, it just needed to be shorter.


Day 3 - Friday 3rd October 2008

The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

• Understanding and teaching bots and botnets - Randy Abrams, ESET

This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats via using robot vacum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

• Automatic rules-based binary analysis with IDA Pro and CLIPS - Ryan Hicks, AVG
• Rebuilding testing for the future - Igor Muttik
• Samples.malware.org: sample sharing for the next decade? - Richard Ford, Florida Institute of Technology

All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all. However, I think I can honestly say that this years photo was the quickest ever as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream.These were the presentations I sat in on:

• Where do your users want to go today and can you stop them? - Bruce Hughes, AVG
• The name of the dose: does malware naming still matter? - Pierre-Marc Bureau and David Harley, ESET

Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I'd sit in on the last one on the Technical Stream again. This was:

• Darwin inside the machines: malware evolution and the consequences for computer security - Peter Ször, Symantec
  Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science

This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion on:

• Security in banking forum

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be another case of "I'm Sparticus", as a lot of people seemed to be wearing Ken Bechtel's hat, including me, and no it wasn't him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world's best malware researchers.  This can be pretty daunting! This will be my 11th Virus Bulletin Conference since my very first I attended and presented at back in 1996.

However, I've now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I'm needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you ready this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don't bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I'll post a review as soon as I can.

Paper Selected For The EICAR 2008 Conference

EICAR have informed me that my abstract has been selected for the EICAR 2008 conference to be held in Laval, France between the 3rd and the 6th of May.

The abstract for the paper appears below:

The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months. However, as usual they need the completed paper by the 17th of March!

I've several other ideas for abstracts already sketched out ready for to submit for this years Virus Bulletin conference. Any topics that you think should be covered are most welcome, just drop me a note or leave a comment.

December 2007 Malware Review

December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn't have quite as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals once more during the month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

• Kaspersky


• SOPHOS


• WormCharmer
• Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.

As shown, once more, by December's statistics the general trend is still downwards. It still appears that social-engineering has been the technique of choice and that 2007 should be now known as the year of the social engineer.

The first pie chart below shows the Top 10 distinct malware by percentage. Let The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high points of 82 percent it had in August.

As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December's chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.

The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.

November's pole sitter, Scano.gen has had to settle for fifth place in December's chart after falling down the chart.

In the runner-up spot, we have a new entry, this being Diehard.dc, which is not the only member of this new family, as it is joined by Diehard.db and Diehard.dd which are also new entries, straight in to the chart in fourth and seventh place respectively.

Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.

This month's chart is packed with new entries, the next one is Warezov.xd, straight in to the chart and stealing the final podium place; third.

And to complete the top ten, we have two more re-entries, these being, Bagle.gt and Nyxem.e [aka MyWife.D] in to the top ten in sixth and tenth places respectively.
Kaspersky had this to say about December's chart:

"At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.

It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic - that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day."

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

IIn the SOPHOS chart we see a different pattern; Netksy has once more regained the runner-up position it last held in October's chart. Last months pole-sitter Troj/Pushdo has further managed to consolidate its hold on pole position.

Mytob has reversed its slide down the chart, once more climbing back up from sixth to third place. W32/Zafi has continued it progress sliding further down the chart from fifth to sixth place.

Mydoom which was a re-entry in October's chart has climbed up one place from eighth to seventh place.

There are two re-entries in December's chart, these are, Troj/Dloadr, back in to the chart in eighth place, and W32/Sality back in to the chart in tenth place.

W32/Bagle is up one place from tenth to ninth and to complete the chart we have W32/Strati up from ninth to the fourth and finally Mal/Dropper is down one place from fourth to fifth place.

Here is some commentary on December from Sophos:

"Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is once more occupied by our old friend Dupator.

Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.

We have three re-entries in December's chart, these are: mIRC-Based back in to the chart in fifth, Hidrag grabs sixth place and W32.Tibs takes seventh place.

The final place in December's chart is occupied by our old friend Netsky, which has fallen from grace; down from third to eighth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As shown in the figures for December, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular events, such as Christmas; which can be seen in the What's New section of this blog postine.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That's a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.

• Rent-a-Spammer [Wednesday, 5 December 2007]


• The Six Million Dollar Relative [Thursday, 6 December 2007]


• UPS Delivery of Over ONE MILLION US Dollars! [Wednesday, 12 December 2007]


• Don't Let Mrs. Santa Get Her Claus... [Monday, 24 December 2007]

Conclusions:
The current trend of using social-engineering which has been widespread in January - November has continued during December, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer. In fact after Christmas the Storm Worm gang were working flat out producing new malware, web-sites and spam runs, but more on that, another time.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during December as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers as we have seen several phishing quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used, in this blog entry.

As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.

I would like to wish you all a very happy new year, stay safe!

Links:

• Virus Top Twenty for December 2007 [Kaspersky]


• Top ten viruses and hoaxes for December 2007 [Sophos]

Please note: December's report may well be the last one I do for the forseable future due to changes in my role.

November 2007 Malware Review

November was another very busy month for me as I was involved in several projects for customer accounts, as well as dealing with my usual workload. This meant that I didn't have as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

• Kaspersky


• SOPHOS


• WormCharmer
• Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 476 samples during November, which have been catalogued as just 27 distinct families and variants. In comparison during October I captured 649 samples which were catalogued as 35 distinct families/variants. As you can see the captures in November are down once more and very close to September's total.

During November I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown, once more, by November's statistics the general trend is still downwards. It still appears that social-engineering is very much the technique of choice this year. I believe that 2007 should be known as the year of the social engineer.

The first pie chart below shows the Top 10 distinct malware by percentage. Let The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

During November I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 72 percent of the samples captured in November, down from the high points of 82 percent in August and 77 percent in October.

As in both September's and October's charts there are still eight members of the Opaserv.worm family in November's chart. These are variants: AE,AC, AJ, D, A, AH, AI and AD in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is once more occupied by our old friend Netsky.P who is static in the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

We have a new pole sitter in November's chart, this being Scano.gen which is a re-entry to the top ten.

In the runner-up spot, we has another re-entry, this being Mytob.t and as you can see the top 10 from Kaspersky [above] for November Mytob.c has reversed its slide down the chart in October to climb back up from tenth to fifth place.

Netsky.q [aka P] has dropped out of the top 10 however two [down from three] other family members, these being: Netsky.t, which has continued its slide down the chart has slipped from seventh to tenth spot. Netsky.x is a re-entry, back in to the chart to snatch the final podium place; third.

One of the new entries in last months Trojan-Spy.HTML.Fraud.ay has slipped down two places from second to fourth.

The next three places, sixth, seventh and eighth are all taken by re-entries. These are; IMG-WMF.y, Warezov.pk and Lovegate.W respectively.

The final free slot in November's chart is taken by a new entry, this being another member of the Warezov family; Warezov.um in ninth place.

Kaspersky had this to say about November's chart:

"The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.
There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML. Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers."

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netksy has, rather surprisingly lost the runner-up position from Octobers chart and has to make do with the final step of the podium; third. Last months pole-sitter Troj/Pushdo has managed to consolidate its hold on pole position.

Mytob has lost more ground, sliding down the chart from fifth to sixth place. W32/Zafi has suffered a similar fate sliding down from fourth to fifth place.

Mydoom which was a re-entry in November's chart has once more consolidated its hold on eighth place.

There are three re-entries in November's chart, these are, W32/Flcss, back in to the chart in seventh place, W32/Strati back in to the chart in ninth and W32/Bagle grabbing the final place in tenth.

To complete the chart we have TraxG is up from ninth to the runner-up spot; second place. The final free place is occupied by Mal/Dropper in fourth place.
Here is some commentary on November from Sophos:

"Traxg hurtling into second position this month has come as a complete surprise, and the fact that unsophisticated worms are still slipping through the net at such a rate of knots is a clear indication that huge numbers of users, and potentially companies, are failing to install even basic anti-virus protection," said Graham Cluley, senior technology consultant at Sophos. "In first place, Pushdo continues to wreak havoc. A clear reason for its ongoing success is the guilty cybercriminal's ability to quickly create different variants, which are being spread voraciously in a range of spam messages. Each new piece of spam that harbours the trojan has been created to tempt users, and whether it's enticing them to watch videos of Britney or view naked pictures of Angelina, this fraudster's tactics are certainly working."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is still occupied by last months re-entry, this being Netsky.

Win32.Zhelatin falls five places to tenth, Win32.Agent falls four places down to eight and IRC.Zapchast is static in ninth place. Fifth place is occupied by W32.Funlove, which is up one place from sixth.

We have two new entries in November's chart, these are: Win32.Protoride straight in to the chart in sixth and W32.Heretic takes seventh place.

The final place in November's chart is occupied by our old friend Dupator up from seventh to fourth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of November] here. This clearly shows that November was about as active as October. As shown in the figures for November, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular events, such as Christmas.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 349,851 at the end of November. That's a growth of 127,378 new malware strains and/or variants so far in 2007, in November the number jumped by 10,160. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 139,000. Things have certainly speeded up during the third and fourth quarters of 2007!

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during November 2007.

• Equifax Phish [Tuesday, 6 November 2007]


• Do You YouTube? [Monday, 12 November 2007]


• One MSUpdate You Don't Want! [Tuesday, 13 November 2007]

Conclusions:

The current trend of using social-engineering which has been widespread in January - September has continued during October and November, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during November as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays and also new targets such as Equifax, as shown above.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers as we have seen several phishing quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used, in this report.

All in all, it looks like we could be in for a very interesting, and busy, final month of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

• Virus Top Twenty for November 2007 [Kaspersky]


• Top ten viruses and hoaxes for November 2007 [Sophos]

Please note: December's report, which should be published in January 2008 may well be the last one I do for the forseable future due to changes in my role.

October 2007 Malware Review

October was another very busy month for me as I created and presented a double security lecture [one on malware and one on spam, scams, hoaxes, etc.] at one of the major universities in the UK, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

• Kaspersky


• SOPHOS


• WormCharmer
• Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 649 samples during October, which have been catalogued as 35 distinct families and variants. In comparison during September I captured 457 samples which were catalogued as just 27 distinct families/variants. As you can see the captures in October are slightly up from September's total.

During October I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by October's statistics the general trend is still downwards [although the Bad Guys and Girls are back at work after their summer break]. It appears that social-engineering is very much the technique of choice this year.

The first pie chart below shows the Top 10 distinct malware by percentage. Let The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

During October I reported 105 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 77 percent of the samples captured in October, down from the high point of 82 percent in August but up almost 1 percent on September.

As in September's chart there are eight members of the Opaserv.worm family in October's chart. These are variants: AE, AJ, AI, D, I, AH, K and AC in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is taken by our old friend Netsky.P who is down who comes back into the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for October Mytob.c has once continued its slide back down the chart from sixth to just hang on in tenth place.

Netsky.q [aka P] has further consolidated its hold on the pole position it managed to grab back in June. It is joined by two [down from three] other family members, these being: Netsky.t, which has reversed its slide from last month, climbing back up one place from eighth to seventh spot. Netsky.aa has started to fall down the chart from the runner-up spot; second place it held in September to the final podium place in third.

Bagle.gt has speeded up its journey down the chart, falling from fourth to eighth place.

Unlike Bagle.gt, Worm.Win32.Feebs.gen has reversed direction, climbing once more, up from seventh to fourth place.

The final free places in October's chart are taken by two new entries, these are: Trojan-Spy.HTML.Fraud.ay straight in at the runners up spot; second and Exploit.Win32.PDF-URI.k straight in in sixth place.

We also have Email-Worm.Win32.Nyxem.e [aka Mywife.D] down from fifth to ninth, a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l down from third to fifth place.

Kaspersky had this to say about October's chart:

"If this month's Top Twenty had been prepared using data from the first 26 days of October, two important malware related events would have been missing.
We're talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we've seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings.

The second attack, which started on Friday, October 26, was more interesting. Email traffic was flooded with messages that included a PDF file. This file contained a known and recently discovered exploit for a vulnerability in Adobe products. When the PDF file was opened, this resulted in malicious code being executed and a Trojan downloader being installed. The attack is in sixth place in our rankings: Exploit.Win32.PDF-URI.k"

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netksy has, rather surprisingly lost pole position in Octobers chart and has to make do with the runner up spot; second. Last months runner-up Troj/Pushdo has managed to de-throne Netsky and steal its crown as it now head up the chart by grabbing pole position.

Mytob has lost ground, sliding down the chart from third to fifth place. W32/Zafi has suffered a similar fate sliding down from second to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, slipping down from seventh to eighth place.

There are just one re-entry in October's chart, this being Troj/Dloadr , back in to the chart in seventh place. One of last months re-entries has managed to remain in Octobers chart, this is Mal/IFrame slipping down one place from fifth to sixth.

To complete the chart we have one new entry, this being Troj/PDFex straight in to the chart in third place, and TraxG is up from tenth to ninth place. The place occupied by TraxG in last months chart is now the home of Mal/Dropper.

Here is some commentary on October from Sophos:

"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26-28th October, and during that period, it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe have issued an update to their Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows which could also affect other vulnerable applications such as Skype and Firefox."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is occupied by a re-entry, this being Netsky.

Win32.Zhelatin falls one place to fifth, Win32.Agent climbs one place to fourth, IRC.Zapchast falls one place to ninth as does Win32.Tibs, falling to tenth. Sixth place is once more occupied by W32.Funlove, which was where it was in last months chart.

We have one new entry in October's chart, this is: Backdoor.Win32.mIRC-based straight in at eighth place.

The final place in October's chart is occupied by our old friend Dupator up from eighth to seventh place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of October] here. This clearly shows that October was quieter than the previous two months. As shown in the figures for October, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 339,691 at the end of October. That's a growth of 117,218 new malware strains and/or variants so far in 2007, in October the number jumped by almost 10,500. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 140,700. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.

• Warnen, Bin Ich Ansteckend [Friday, 5 October 2007]


• Stealthed Spam [Wednesday, 17 October 2007]


• Watch Out, Watch Out... [Thursday, 18 October 2007]


• Trick, But NO Treat! [Wednesday, 31 October 2007]

Conclusions:
The current trend of using social-engineering which has been widespread in January - September has continued during October, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam are back to their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during October as they are still trying out other file formats which they hope will bypass anti-spam defences, as can be clearly seen by the MP3 spam example covered above.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last couple of months of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

• Virus Top Twenty for October 2007 [Kaspersky]


• Top ten viruses and hoaxes for October 2007 [Sophos]
  

September 2007 Malware Review

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

• Kaspersky


• SOPHOS


• WormCharmer
• Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August's total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September's statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.

The first pie chart below shows the Top 10 distinct malware by percentage. Let The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:

During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September's chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for September Mytob.c has once more started to slide back down the chart from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on pole position it managed to grab back in June. It is joined by three [same as in August] other family members, these being: Netsky.t, which has slipped down one place seventh to eighth spot. Netsky.aa continues its upward climb, up from third to the runner-up spot; second place. The final Netsky family member is Netsky.b which is static in tenth place.

Bagle.gt has reversed once more restarted its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September's chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September's chart:

"Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn't extend the botnet that it builds, and as a result, there's not a single Warezov variant in September's Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world - indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere."

Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netksy has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo which climbs up from the fourth place it held in August. Last month's runner-up spot sitter, W32/Zafi has fallen down to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September's chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:

"The figures, compiled by Sophos's global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and "Holly Berry" [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails."

The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Operserv has had to settle for the runner-up spot; second, yet again and the final step of the podium, third place, is occupied by Dupator which is where it was in August's chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs back in the chart in fourth, sixth, seventh, eight and ninth place respectively. Sixth place is occupied once more by W32.Funlove.

The final place in September's chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September, once more contains ten entries rather than the seven we had in August.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That's a growth of 106,723 new malware strains and/or variants so far in 2007, in September the number once more jumped by over 12,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just almost 142,300. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.

• New Storm Worm Run... [6th September]


• NFL = Nuwar File Link? [9th September]


• You SPIM Me Round... [11th September]


• Oh, Vienna...Update [25th September]

Conclusions:
The current trend of using social-engineering which has been widespread in January - August has continued during September, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven't been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown in the massive jump in the percentage of phishing scams we've seen during both August and September.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:

• Virus Top Twenty for September 2007 [Kaspersky]


• Top ten viruses and hoaxes for September 2007 [Sophos]
  

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


"A warm and friendly welcome to Vienna, unless you're a Kangaroo!" ;-)

Day 1 - Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by "A road to big money: evolution of automation methods in malware development" presented by Maksym Schipka from MessageLabs on the Technical Stream. As always Maksym's talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting, a presentation by Abhilash Sonwane of Cyberoam entitled "Changing battleground: security against targeted, low-profile attacks ". This talk touched on cyber-crime and targeted attacks which would be mentioned throughout most of the rest of the conference presentations; from different perspectives.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode; Corporate stream and Technical steam. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream. The first two presentation after lunch were:

• DSD Tracer - implementation and experimentation - Boris Lau, Sophos


• Pimp my PE: taming malicious and malformed executables - Casey Sheehan, Sunbelt Software

Then we had a short break for Tea and coffee before the attending the final pair of presentations on the technical stream. These were:

• Anti-rootkit safeguards: welcome Vista - Aleksander Czarnowski, Avet


• Patching. Is it always with the best intentions? - Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the days main proceedings, I decided to choose my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation, instead of the dry marketing material he was given, he gave a very entertaining one instead. This rounded of the day wonderfully!

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 - Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector, it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled "The journey so far: trends, graphs and statistics". Instead of trying to cover everything in the paper, all 30,000 words of it. I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

• What a waste - the AV community DoS-ing itself - Joe Telafici, Dmitry Gryaznov, McAfee

This was an interesting look at sample sharing between security companies and researchers, the end result is often lots of duplicated samples and sets; these can easily be in excess of 500GB. In fact the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

The it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

• The WildList is dead, long live the WildList! - Andreas Marx, Frank Dessmann, AV-Test.org


• Have you got anything without spam in it? - Tim Ebringer, CA


• A testing methodology for rootkit removal effectiveness - Josh Harriman, Symantec
  

Although all of these were interesting I found the presentation by Josh Harriman very interesting and engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don't remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

• Transforming victims into cyber-border guards: education as a defence strategy - Jeannette Jarvis, Microsoft


• Phish phodder: is user education helping or hindering? - Andrew Lee, Eset David Harley, Small Blue-Green World

Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy's presentation included a 'Game Show'.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two 'Last-minute' presentations, these were:

• Andrew Walenstein, University of Louisiana at Lafayette


• Erik Wu and Feike Hacquebord, Trend Micro

This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

• Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations - Dmitri Alperovitch, Secure Computing

This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn't work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentations after the days main proceedings. This time is was Vinny Gulloto from Microsoft, as with Larry's it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song "As some day it may happen" from Gilbert and Sullivan's "The Mikado" where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the "pre-dinner drinks and the Gala dinner and cabaret". As always the food was excellent and the entertainment was typically Viennese; two couples performing various types of waltzes. This was followed up after desert, by our own private casino.



Day 3 - Friday 21st September 2007
The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

• Menace 2 the wires: advances in the business models of cybercriminals - Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year; which included a quote that claimed that "Cyber-crime was now more profitable than running drugs". Once more he had some very interesting material to share. Including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

• The trojan money spinner - Mika Ståhlberg, F-Secure


• Once upon a time a trojan... - Luis Corrons, Panda


• New approaches to categorising economically-motivated digital threats - Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all, especially by those who were trying to trick Jeanette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream.These were the presentations I sat in on:

• A deeper look at malware - the whole story - Bryan Lu, Fortinet


• Malware removal - beyond content and context scanning - Tom Brosch, Maik Morgenstern, AV-Test.org

Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I'd sit in on the last one on the Corporate Stream. This was:

• Future threats - John Aycock, Department of Computer Science, University of Calgary Alana Maurushat, Faculty of Law, University of New South Wales

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion:

• The fight against international cyber crime - enforcing the law - David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI

Finally it was time for the Conference closing session, once more led by Helen martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be a case of "I'm Sparticus", as a lot of people seemed to be wearing Dr. Vesselin Bontchev's name badge and no it wasn't him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the "welcoming statue", along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn't so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my 'interesting' vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don't know who suffered more, the audience or me ;-)

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?

Oh, Vienna...Update

As promised in my last posting, I have now created a PDF version of the paper I presented last week [Thursday the 20th of September] at the Virus Bulletin 2007 international conference in Vienna, Austria.



Karlskirche, Karlsplatz, Vienna
[Picture (c) Copyright, Martin Overton 2007, All Rights Reserved]

Here's the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

• Malware types.


• Targets; file formats and operating systems.


• Obfuscation and related tricks and counter techniques.


• The use of social-engineering by malware authors.


• The cat and mouse game between the malware authors and vendors.


• The challenges of classification of malware.


• Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscapes of types or malware used and the now often confused classification situation.

The paper is now available on my web site, and one of my other mirror sites. Here and here. Also, later this week I will post a short review of the conference, as I have done for the last 3 or 4 years.

Oh, Vienna...

Walked in the cold air
Freezing breath on a window plane
Lying and waiting
A man in the dark in a picture frame
So mystic and soulful
A voice reaching out in a piercing cry
It stays with you until

The feeling has gone only you and I
It means nothing to me
This means nothing to me
Oh, Vienna...

Those are just part of the lyrics to the song 'Vienna' by 'Ultravox'. Their lead singer is none other than 'Midge Ure'. It seemed a nice link to this post, hope you agree?'

Why am I waffling on about Ultravox and their song Vienna? Well, I'm travelling to Vienna today so that I can attend, and present at the premier anti-malware and anti-spam conference of the year; this being Virus Bulletin's international conference.

This year it is back in Europe, which means that travel is easier, for me and the other Europeans that attend, although it is harder on those from the US, Canada and Asia-pacific.

I was informed that my paper is now on the main agenda and I get to 'do-my-thing' on Thursday morning [20th of September] on the corporate stream. This is the seventeenth time the conference has run, and the tenth time I have attended and presented at it.

For those of you that have forgotten, [shame on you! ;-)] my paper and presentation is on malware history and statistics. Here's the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

• Malware types.


• Targets; file formats and operating systems.


• Obfuscation and related tricks and counter techniques.


• The use of social-engineering by malware authors.


• The cat and mouse game between the malware authors and vendors.


• The challenges of classification of malware.


• Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscapes of types or malware used and the now often confused classification situation.

The paper will be made available on my web site early next week. I will post an entry with a link to it once I have got back from Vie