MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Thursday, 16 October 2008

Virus Bulletin 2008 Conference Review

As previously mentioned on this blog, I was going to attend the Virus Bulletin 2008 conference as just a delegate, for the very first time; I usually attend as a speaker. The conference was held at the Westin Ottawa, in Ottawa, Canada [surprisingly ;-)] between the 1st and 3rd of October.

However, I ended up being a speaker again, which I don't mind, but I was actually looking forward to having a more relaxed conference than I usually do, but that's life!



This posting is a quick review of the conference:

Day 1 - Wednesday 1st October 2008

The first day of the conference started at 10:30 with Helen Martin's opening address; this was followed at 11:00 by the keynote address "The AV industry: Quo Vadis?" presented by Alex Eckelberry of Sunbelt Software. This was a very interesting speech and contained lots of useful information, as well as a general overview of what the bad guys [and girls] are up to, and what the good guys [and girls] are up to.

You can find a recording of it here, along with the slides: http://sunbeltblog.blogspot.com/2008/10/virus-bulletin-2008-keynote-address.html

The final session on the Technical Stream before lunch was also interesting: a presentation by Morton Swimmer [who used to work for IBM] entitled:

  • Towards integrated malware defence

It was a good presentation, however as Morton had moved to TREND just before the conference he no longer had access to all his data, which was a shame, as it seems to have been rather an effective solution.

Then it was time for lunch.

After lunch, the conference continued in its normal two-stream mode: Corporate Stream and Technical Stream. Normally I spend most of the conference in the Technical Stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream.

The first two presentations after lunch were:

  • Your computer is now stoned (...again!). The rise of MBR rootkit - Kimmo Kasslin, F-Secure
  • When the hammer falls - effects of successful widespread disinfection on malware development and direction - Matt McCormack, Microsoft
The presentation given by Kimmo was especially interesting as it covered the rebirth of MBR infectors; something that had almost died out when Windows NT, 2000 and XP came along [yes, there have been some MBR infectors for those, but not many, and not with stealth capability].

Then we had a short break for tea and coffee before attending the final pair of presentations on the Technical Stream. These were:

  • Applying user-mode memory scanning on Windows NT - Eric Uday Kumar, Authentium
  • Packer visualisation: a fast entropy scanning algorithm that preserves local detail - Li Sun, RMIT University

I decided to sit in on the vendor presentation after the day's main proceedings; this was given by my good friend David Harley, from Eset.

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

This was staged with a couple of ice hockey players, for those that wanted pictures, as well as a bit of fun from Ken Bechtel, whose hat did the rounds; photos were taken of those that ended up wearing it, including me. If you've ever met Ken, you'll know which hat I mean as he is rarely seen without it.

Day 2 - Thursday 2nd October 2008

Day two started early for me as I was informed when I arrived that I might be needed to present [I was the emergency reserve speaker; "in case of a missing speaker, break glass and grab Martin ;-)"], as one of the speakers for the morning session on the Technical Stream was unaccounted for; he never did turn up.

So, I had to go back to my hotel [I wasn't staying at the Westin], get changed, grab my laptop and get back to the conference by the morning tea break to check that my laptop worked fine with the projector; it did.

This meant that I effectively missed the first two presentations I had planned to attend, oh well.

To complicate matters, I was also supposed to be chairing the three sessions on the Corporate Stream between the morning tea break and lunch; which I couldn't now do, as I was presenting in the other stream at the same time. Luckily, my old friend from Nortel, John Morris, stepped into the void as the new session chair.

So after the morning tea-break I was back in the Technical Stream for the next three presentations, these were:

  • The robustness of new email identification standards - Reza Rajabiun, COMDOM Software and York University
  • Coordinated distributions method for tracking botnets sending out spam - Andrey Bakhmutov, Kaspersky Lab
  • Malware forensics: detecting the unknown - Martin Overton, IBM ISS
The presentation given by Andrey was extremely good, some excellent research which was well presented and explained. This led to a flurry of questions.

It seemed rather surreal when I gave my presentation, as it was designed for an audience on the Corporate Stream; so as an old English saying goes "it was like teaching my grandmother how to suck eggs". In other words the presentation was an overview of forensic techniques and tools for finding and analysing malware [known or new] on an infected system.

This was presented on the Technical Stream to about 70 or more of the world's best malware researchers, hence my use of the saying.

The presentation was actually based on my EICAR 2008 paper which I was unable to present at the EICAR conference, ironically due to the fact I was tied up in a malware forensics case.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

I received some nice feedback from a few of those that sat in, and no awkward questions. In fact, one of the guys who was running the audio-visual side of the conference said he thoroughly enjoyed my presentation and found it most useful and enlightening.

After lunch, once more I decided to sit in on the Technical Stream until the tea/coffee break, at least. The next four presentations, all last minute ones limited to 20 minutes each, were:

  • VB testing - present status, future plans, John Hawes, Virus Bulletin
  • Race to zero with online scanners, Boris Lau, Sophos
  • There is (some) honour among South American authors of infostealer trojans!, Pedro Bueno, McAfee
  • Apple iPhone programming with SDK, Marius van Oers, McAfee
This year these short technical presentations worked rather well, although it was hard for some of the presenters to keep to the 20-minute slot limit; yes, you know who you are.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Corporate Stream as I was chairing the last two presentations on that stream, these were:

  • The NorTel Mailer: effective open-source spam filtering for enterprises - Chris Lewis, Nortel
  • SCADA security - who is really in control of our control systems? - Peter Allor, IBM

Both of these were very interesting presentations and it was a shame that so few delegates had decided to sit in on them.

Before the day was over we also had our first panel session, this was:

  • The state of anti-malware testing

Later we had the "pre-dinner drinks and the Gala dinner and entertainment".

As always the food was excellent and the entertainment this year differed quite a bit, it was a quiz, which was fun but took longer than expected to complete. As one delegate was heard to say "we have travelled 3,500 miles for a pub quiz!". Personally, I enjoyed it, it just needed to be shorter.


Day 3 - Friday 3rd October 2008

The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Understanding and teaching bots and botnets - Randy Abrams, ESET
This presentation covered a topic that I had presented on back at VB2005 in Dublin, but from a high-level perspective and more focussed on how to educate staff about these threats using robot vacuum cleaners known as Roombas.

As usual Randy was both informative and entertaining.

So, another quick tea and coffee break and then back to the Technical Stream until lunch, these were the next presentations I sat in on:

  • Automatic rules-based binary analysis with IDA Pro and CLIPS - Ryan Hicks, AVG
  • Rebuilding testing for the future - Igor Muttik
  • Samples.malware.org: sample sharing for the next decade? - Richard Ford, Florida Institute of Technology
All of these were very good and interesting talks and all generated lots of discussion and questions.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all. However, I think I can honestly say that this year's photo was the quickest ever as it took less than 5 minutes to organise all the speakers and take a number of photos.

After lunch I spent the first part of the afternoon on the Corporate Stream. These were the presentations I sat in on:

  • Where do your users want to go today and can you stop them? - Bruce Hughes, AVG
  • The name of the dose: does malware naming still matter? - Pierre-Marc Bureau and David Harley, ESET
Both of these were interesting and prompted a number of questions from the audience.

Then it was time for the final refreshments break. Yes, it was the very last VB2008 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference, were straight after the break and I decided that I'd sit in on the last one on the Technical Stream again. This was:

  • Darwin inside the machines: malware evolution and the consequences for computer security - Peter Ször, Symantec and Dimitris Iliopoulos, Keck Graduate Institute of Applied Life Science
This was a very interesting presentation, basically saying that malcode could in theory evolve following Darwinian principles. Not sure that we will see such malware any time soon, as there are a number of things that need to happen first.

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion on:

  • Security in banking forum
Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin.

It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be another case of "I'm Spartacus", as a lot of people seemed to be wearing Ken Bechtel's hat, including me, and no, it wasn't him in varying disguises either!

My final impressions of VB2008 are mixed; I enjoyed it, but I [and others who I chatted with] seem to think it may have lost its edge. Is this a case of becoming too commercialised or due to a lack of the usual swathe of quality research papers [which may be due to security companies cutting research budgets], or is it just a sign of the times as the marketplace has matured and that threats have now converged?

If you attended VB2008 and have an opinion, then please let me know your thoughts, thanks.

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2008/slides

The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2008/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Ottawa, here: http://picasaweb.google.com/overtonm/OttawaCanada2008?authkey=SEeottY873o#

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Geneva, Switzerland at the end of September 2009. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Thursday, 25 September 2008

Virus Bulletin 2008 International Conference

Next week the Virus Bulletin International Conference is being held in Ottawa, Canada [1st to the 3rd of October]. This is the premier conference for people involved with fighting malware and related security threats. The programme can be found here.

This year I was going to be there just as a delegate; normally when I attend this conference I attend as a speaker, which means I have to write a paper and present it at the conference to an audience of 50-200 uber-geeks from various industries as well as the world's best malware researchers. This can be pretty daunting! This will be my 11th Virus Bulletin Conference since the very first I attended and presented at back in 1996.

However, I've now been asked to be a reserve speaker, so I have to have a presentation ready, just in case I'm needed. The last time I was a reserve speaker it was for VB2002 which was held in New Orleans that year, and was nearly washed away by a hurricane! Needless to say, I ended up presenting my paper that year.

If any of you reading this are going to be there, then please feel free to stop me and have a chat, or just to say hello. I don't bite, honest ;-)

The presentation I am working on for the conference is to do with malware forensics, so it should be fun to do, as well as interesting for any audience I get; if I get to present it, that is.

As usual, I will write a short review of the conference, including what I personally found interesting, and may also post some mini-reviews and updates via Twitter.

If you can make it, then I hope to see you there; if not then stay tuned and I'll post a review as soon as I can.


Monday, 28 January 2008

Paper Selected For The EICAR 2008 Conference

EICAR have informed me that my abstract has been selected for the EICAR 2008 conference to be held in Laval, France between the 3rd and the 6th of May.

The abstract for the paper appears below:
The increasing speed of new malware strains being written and released means that security professionals are more likely than ever before to see new malware.

This means new malware which is not detected by the anti-malware solutions they have deployed in their infrastructure, be it workstation, server, PDA or at the gateway.

Imagine this scenario: An end-user calls the helpdesk and reports that their system is running very sluggishly when it wasn't a week ago and that they can't access the Windows 'Task Manager' or open a command prompt any more.

Is this caused by malware or is it a 'user' problem? The virus scanner is right up to date and active, and it says the system is clean, the personal firewall is active too. Where do you go from here? Investigate or rebuild the box?

How can you tell if the machine is clean or infected by a new malware, with a reasonable level of confidence for your conclusion?

This paper will look at what tricks, tools and techniques you can use to help establish the true state of the 'suspect' system. It will focus on a step by step approach of what tools to use, what to look for and what to do with any suspicious files. It will also discuss the use of forensic tools in such a scenario, as a last port of call.

The paper will draw on real scenarios where new [undetected] malware has been responsible for 'odd' system or network behaviour.

All I have to do now, is carry out all the required research and write the paper; should only take me about 3 months. However, as usual they need the completed paper by the 17th of March!

I've several other ideas for abstracts already sketched out, ready to submit for this year's Virus Bulletin conference. Any topics that you think should be covered are most welcome; just drop me a note or leave a comment.


Monday, 21 January 2008

December 2007 Malware Review

December was another busy month for me as I was writing abstracts for conferences, doing presentations and trying to take some of my holiday entitlement as well as dealing with my usual workload. This meant that I didn't have quite as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals once more during the month.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 573 samples during December, which have been catalogued as just 27 distinct families and variants. In comparison during November I captured 476 samples which were also catalogued as 27 distinct families/variants. As you can see the captures in December are up once more, but this time of year is usually quite busy.

As shown, once more, by December's statistics the general trend is still downwards. It still appears that social-engineering has been the technique of choice and that 2007 should be now known as the year of the social engineer.


During December I reported 65 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 80 percent of the samples captured in December, just short of the high points of 82 percent it had in August.

As in the top tens for September, October, and November there are still eight members of the Opaserv.worm family in December's chart. These are variants: AE, D, AJ, K, AC, AD, AI and I in second, third, fourth, fifth, sixth, seventh, eighth and tenth places respectively.

The final slot left is occupied by a re-entry, this being our old friend Dupator who returns to the top ten in ninth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

Netsky.q [aka P] is back into the top 10, straight back in at pole position, what a comeback! It is joined by another member of the family, AA which is also a re-entry back in at eighth place.

November's pole sitter, Scano.gen has had to settle for fifth place in December's chart after falling down the chart.

In the runner-up spot, we have a new entry, this being Diehard.dc, which is not the only member of this new family, as it is joined by Diehard.db and Diehard.dd which are also new entries, straight in to the chart in fourth and seventh place respectively.

Trojan-Spy.HTML.Fraud.ay has slipped further down the chart from fourth to ninth.

This month's chart is packed with new entries, the next one is Warezov.xd, straight in to the chart and stealing the final podium place; third.

And to complete the top ten, we have two more re-entries, these being, Bagle.gt and Nyxem.e [aka MyWife.D] in to the top ten in sixth and tenth places respectively.
Kaspersky had this to say about December's chart:
"At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs. A new generation which are not worms.

It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of mail traffic - that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has once more regained the runner-up position it last held in October's chart. Last month's pole-sitter Troj/Pushdo has further managed to consolidate its hold on pole position.

Mytob has reversed its slide down the chart, once more climbing back up from sixth to third place. W32/Zafi has continued its progress sliding further down the chart from fifth to sixth place.

Mydoom which was a re-entry in October's chart has climbed up one place from eighth to seventh place.

There are two re-entries in December's chart, these are, Troj/Dloadr, back in to the chart in eighth place, and W32/Sality back in to the chart in tenth place.

W32/Bagle is up one place from tenth to ninth and to complete the chart we have W32/Strati up from ninth to the fourth and finally Mal/Dropper is down one place from fourth to fifth place.

Here is some commentary on December from Sophos:
"Overall, 0.09 percent of emails, or one in 1111, had malicious attachments in December 2007, with Pushdo retaining its position as the most prevalent email-based malware detected in December."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is once more occupied by our old friend Dupator.

Win32.Zhelatin has managed to consolidate its hold on the final place in the chart; tenth, Win32.Agent falls a single place down from eighth to ninth, and IRC.Zapchast has bucked the trend and climbs up from ninth to fourth place.

We have three re-entries in December's chart, these are: mIRC-Based back in to the chart in fifth, Hidrag grabs sixth place and W32.Tibs takes seventh place.

The final place in December's chart is occupied by our old friend Netsky, which has fallen from grace; down from third to eighth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of December] here. This clearly shows that December was busier than both October and November. As shown in the figures for December, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular events, such as Christmas; which can be seen in the What's New section of this blog posting.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 358,873 at the end of December. That's a growth of 136,400 new malware strains and/or variants for the whole of 2007. Just in December, the number of new malware found was 9,022.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during December 2007.


Conclusions:
The current trend of using social-engineering, which has been widespread from January to November, has continued during December; if anything it has accelerated, as can be seen by the examples covered above of the Storm Worm spam runs. I think it would be fair to say that 2007 has been the year of the Social Engineer. After Christmas the Storm Worm gang were working flat out producing new malware, web-sites and spam runs, but more on that another time.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during December as they are still trying out other file formats which they hope will bypass anti-spam defences.

The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during December, especially Natwest, Nationwide and Barclays, again.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers as we have seen several phishing quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used, in this blog entry.

As expected December and the run up to Christmas and the New Year was a very busy time of the year for all the bad guys and girls as they took advantage of the season of goodwill to claim even more victims.

I would like to wish you all a very happy new year, stay safe!

Links:

Please note: December's report may well be the last one I do for the foreseeable future due to changes in my role.


Friday, 28 December 2007

November 2007 Malware Review

November was another very busy month for me as I was involved in several projects for customer accounts, as well as dealing with my usual workload. This meant that I didn't have as much time to blog and do trend and sample analysis as I usually do.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 476 samples during November, which have been catalogued as just 27 distinct families and variants. In comparison during October I captured 649 samples which were catalogued as 35 distinct families/variants. As you can see the captures in November are down once more and very close to September's total.

During November I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown, once more, by November's statistics the general trend is still downwards. It still appears that social-engineering is very much the technique of choice this year. I believe that 2007 should be known as the year of the social engineer.


During November I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for over 72 percent of the samples captured in November, down from the high points of 82 percent in August and 77 percent in October.

As in both September's and October's charts there are still eight members of the Opaserv.worm family in November's chart. These are variants: AE,AC, AJ, D, A, AH, AI and AD in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is once more occupied by our old friend Netsky.P who is static in the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

We have a new pole sitter in November's chart, this being Scano.gen which is a re-entry to the top ten.

In the runner-up spot, we have another re-entry, this being Mytob.t, and as you can see in the top 10 from Kaspersky [above] for November, Mytob.c has reversed its slide down the chart in October to climb back up from tenth to fifth place.

Netsky.q [aka P] has dropped out of the top 10; however, two [down from three] other family members remain. Netsky.t has continued its slide down the chart, slipping from seventh to tenth spot. Netsky.x is a re-entry, back in to the chart to snatch the final podium place; third.

One of last month's new entries, Trojan-Spy.HTML.Fraud.ay, has slipped down two places from second to fourth.

The next three places, sixth, seventh and eighth, are all taken by re-entries. These are IMG-WMF.y, Warezov.pk and Lovegate.W respectively.

The final free slot in November's chart is taken by a new entry, this being another member of the Warezov family; Warezov.um in ninth place.

Kaspersky had this to say about November's chart:
"The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.
There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML.Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has, rather surprisingly, lost the runner-up position it held in October's chart and has to make do with the final step of the podium; third. Last month's pole-sitter Troj/Pushdo has managed to consolidate its hold on pole position.

Mytob has lost more ground, sliding down the chart from fifth to sixth place. W32/Zafi has suffered a similar fate sliding down from fourth to fifth place.

Mydoom which was a re-entry in November's chart has once more consolidated its hold on eighth place.

There are three re-entries in November's chart, these are, W32/Flcss, back in to the chart in seventh place, W32/Strati back in to the chart in ninth and W32/Bagle grabbing the final place in tenth.

To complete the chart we have TraxG, up from ninth to the runner-up spot; second place. The final free place is occupied by Mal/Dropper in fourth place.
Here is some commentary on November from Sophos:
"Traxg hurtling into second position this month has come as a complete surprise, and the fact that unsophisticated worms are still slipping through the net at such a rate of knots is a clear indication that huge numbers of users, and potentially companies, are failing to install even basic anti-virus protection," said Graham Cluley, senior technology consultant at Sophos. "In first place, Pushdo continues to wreak havoc. A clear reason for its ongoing success is the guilty cybercriminal's ability to quickly create different variants, which are being spread voraciously in a range of spam messages. Each new piece of spam that harbours the trojan has been created to tempt users, and whether it's enticing them to watch videos of Britney or view naked pictures of Angelina, this fraudster's tactics are certainly working."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is still occupied by last month's re-entry, this being Netsky.

Win32.Zhelatin falls five places to tenth, Win32.Agent falls four places down to eighth and IRC.Zapchast is static in ninth place. Fifth place is occupied by W32.Funlove, which is up one place from sixth.

We have two new entries in November's chart, these are: Win32.Protoride straight in to the chart in sixth and W32.Heretic takes seventh place.

The final place in November's chart is occupied by our old friend Dupator up from seventh to fourth place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of November] here. This clearly shows that November was about as active as October. As shown in the figures for November, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular events, such as Christmas.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 349,851 at the end of November. That's a growth of 127,378 new malware strains and/or variants so far in 2007, in November the number jumped by 10,160. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 139,000. Things have certainly speeded up during the third and fourth quarters of 2007!

What's New?

Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during November 2007.


Conclusions:

The current trend of using social-engineering which has been widespread in January - September has continued during October and November, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs. In fact I think it would be fair to say that 2007 has been the year of the Social Engineer.

Levels of spam are back to around their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during November as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays and also new targets such as Equifax, as shown above.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer. It seems that the malware authors are taking lessons from the phishers as we have seen several phishing quality 'fake' websites used to get people to infect their own computers. I have shown two examples of this new method being used, in this report.

All in all, it looks like we could be in for a very interesting, and busy, final month of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:

Please note: December's report, which should be published in January 2008, may well be the last one I do for the foreseeable future due to changes in my role.


Friday, 16 November 2007

October 2007 Malware Review

October was another very busy month for me as I created and presented a double security lecture [one on malware and one on spam, scams, hoaxes, etc.] at one of the major universities in the UK, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 649 samples during October, which have been catalogued as 35 distinct families and variants. In comparison during September I captured 457 samples which were catalogued as just 27 distinct families/variants. As you can see the captures in October are slightly up from September's total.

During October I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by October's statistics the general trend is still downwards [although the Bad Guys and Girls are back at work after their summer break]. It appears that social-engineering is very much the technique of choice this year.

During October I reported 105 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 77 percent of the samples captured in October, down from the high point of 82 percent in August but up almost 1 percent on September.

As in September's chart there are eight members of the Opaserv.worm family in October's chart. These are variants: AE, AJ, AI, D, I, AH, K and AC in second, third, fourth, fifth, sixth, eighth, ninth and tenth places respectively.

The final slot left is taken by our old friend Netsky.P, who comes back into the chart in seventh place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the Kaspersky top 10 [below] for October, Mytob.c has once more continued its slide down the chart, from sixth to just hanging on in tenth place.

Netsky.q [aka P] has further consolidated its hold on the pole position it managed to grab back in June. It is joined by two [down from three] other family members, these being: Netsky.t, which has reversed its slide from last month, climbing back up one place from eighth to seventh spot, and Netsky.aa, which has started to fall down the chart, from the runner-up spot (second place) it held in September to the final podium place; third.

Bagle.gt has speeded up its journey down the chart, falling from fourth to eighth place.

Unlike Bagle.gt, Worm.Win32.Feebs.gen has reversed direction, climbing once more, up from seventh to fourth place.

The final free places in October's chart are taken by two new entries, these are: Trojan-Spy.HTML.Fraud.ay straight in at the runner-up spot; second, and Exploit.Win32.PDF-URI.k straight in at sixth place.

We also have Email-Worm.Win32.Nyxem.e [aka Mywife.D] down from fifth to ninth, a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l down from third to fifth place.

Kaspersky had this to say about October's chart:
"If this month's Top Twenty had been prepared using data from the first 26 days of October, two important malware related events would have been missing.
We're talking about two mass mailings that took place right at the end of the month. They turned out to be among the biggest mass mailings we've seen in the last few months, especially on the Russian Internet.

The first pushed Fraud.ay, a phishing attack, into second place in the rankings.

The second attack, which started on Friday, October 26, was more interesting. Email traffic was flooded with messages that included a PDF file. This file contained a known and recently discovered exploit for a vulnerability in Adobe products. When the PDF file was opened, this resulted in malicious code being executed and a Trojan downloader being installed. The attack is in sixth place in our rankings: Exploit.Win32.PDF-URI.k"


Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has, rather surprisingly, lost pole position in October's chart and has to make do with the runner-up spot; second. Last month's runner-up Troj/Pushdo has managed to de-throne Netsky and steal its crown, as it now heads up the chart by grabbing pole position.

Mytob has lost ground, sliding down the chart from third to fifth place. W32/Zafi has suffered a similar fate sliding down from second to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, slipping down from seventh to eighth place.

There is just one re-entry in October's chart, this being Troj/Dloadr, back in to the chart in seventh place. One of last month's re-entries has managed to remain in October's chart, this is Mal/IFrame, slipping down one place from fifth to sixth.

To complete the chart we have one new entry, this being Troj/PDFex straight in to the chart in third place, and TraxG is up from tenth to ninth place. The place occupied by TraxG in last months chart is now the home of Mal/Dropper.

Here is some commentary on October from Sophos:
"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26-28th October, and during that period, it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe have issued an update to their Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows which could also affect other vulnerable applications such as Skype and Firefox."


The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to once more settle for the runner-up spot; second. The final step of the podium, third place, is occupied by a re-entry, this being Netsky.

Win32.Zhelatin falls one place to fifth, Win32.Agent climbs one place to fourth, IRC.Zapchast falls one place to ninth as does Win32.Tibs, falling to tenth. Sixth place is once more occupied by W32.Funlove, which was where it was in last months chart.

We have one new entry in October's chart, this is: Backdoor.Win32.mIRC-based straight in at eighth place.

The final place in October's chart is occupied by our old friend Dupator up from eighth to seventh place.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of October] here. This clearly shows that October was quieter than the previous two months. As shown in the figures for October, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 339,691 at the end of October. That's a growth of 117,218 new malware strains and/or variants so far in 2007, in October the number jumped by almost 10,500. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 140,700. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during October 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - September has continued during October, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam are back to their usual levels after the slight drop in the level of spam during September. The spammers haven't been idle during October as they are still trying out other file formats which they hope will bypass anti-spam defences, as can be clearly seen by the MP3 spam example covered above.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during October, especially RBS, Nationwide and Barclays.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last couple of months of the year! Typically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Stay safe!

Links:


Monday, 22 October 2007

September 2007 Malware Review

September was a very busy month for me as I wrote and presented a paper at the Virus Bulletin conference in Vienna, Austria, as well as dealing with my usual workload.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 457 samples during September, which have been catalogued as 27 distinct families and variants. In comparison during August I captured 566 samples which were catalogued as just 20 distinct families/variants. As you can see the captures in September are slightly down from August's total.

During September I captured and submitted three brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As shown by September's statistics the general trend is still downwards. It appears that social-engineering is very much the technique of choice this year.

During September I reported 49 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has continued to hold on to the pole position it took back in April. It now accounts for almost 76 percent of the samples captured in September, down from almost 82 percent in August.

There are eight [up from seven] members of the Opaserv.worm family in September's chart. These are variants: AI, AE, D, AJ, E, I, AD and AH in second, third, fourth, fifth, sixth, seventh, ninth and tenth places respectively.

The final slot left is taken by our old friend Dupator who is down one place from seventh to eighth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for September Mytob.c has once more started to slide back down the chart from fourth to sixth place.

Netsky.q [aka P] has consolidated its hold on the pole position it managed to grab back in June. It is joined by three [same as in August] other family members, these being: Netsky.t, which has slipped down one place from seventh to eighth spot; Netsky.aa, which continues its upward climb, up from third to the runner-up spot; second place; and the final Netsky family member, Netsky.b, which is static in tenth place.

Bagle.gt has once more restarted its slow journey down the chart, falling from second to fourth place.

Like Bagle.gt, Worm.Win32.Feebs.gen is slipping down the chart once more, from fifth to seventh place.

The final free places in September's chart are taken by one re-entry, this being Email-Worm.Win32.Nyxem.e [aka Mywife.D], a new entry Trojan-Spy.HTML.Paylap.bg in at ninth place, and finally we have Mydoom.l up from sixth to the final podium step; third.

Kaspersky had this to say about September's chart:
"Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn't extend the botnet that it builds, and as a result, there's not a single Warezov variant in September's Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world - indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has consolidated its grip on third place. The runner-up spot has been taken by Troj/Pushdo which climbs up from the fourth place it held in August. Last month's runner-up spot sitter, W32/Zafi has fallen down to fourth place.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to seventh from fifth.

Bagle also slipped down the chart during September, from eighth to ninth place.

There are two re-entries in September's chart, these being Mal/IFrame and Mal/Behav in fifth and sixth place respectively.

To complete the chart we have one new entry, this being Mal/Basine and the final place is occupied by TraxG static in tenth.

Here is some commentary on September from Sophos:
"The figures, compiled by Sophos's global network of monitoring stations, have shown a rise in the percentage of infected email. Overall in September, 0.12 percent of emails were carrying malicious email attachments, or 1 in every 833, compared to 1 in every 1000 during August. This is primarily due to a coordinated campaign by hackers to spam out the Pushdo Trojan horse en masse during the second half of September. The emails, which pose as naked pictures of Hollywood actresses such as Angelina Jolie and "Holly Berry" [sic], carry a malicious payload designed to give criminal hackers control over infected PCs. During a single 24-hour period in the last week of September, Sophos reports that the Pushdo Trojan accounted for almost 4 in every 5 infected emails."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is still headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot; second, yet again, and the final step of the podium, third place, is occupied by Dupator, which is where it was in August's chart.

We have five re-entries in the chart in September; these are Win32.Zhelatin, Win32.Agent, Trojan.BAT.Runner, IRC.Zapchast and Win32.Tibs, back in the chart in fourth, fifth, seventh, eighth and ninth place respectively. Sixth place is occupied once more by W32.Funlove.

The final place in September's chart is occupied by Lorez down from seventh to tenth.

The more astute of you may have noticed that the top ten for September, once more contains ten entries rather than the seven we had in August.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of September] here. This clearly shows that September was quieter than the previous two months. As shown in the figures for September, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards or targeting particular interests, such as sport.

The reason for the jumps during July-September is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers, also the web pages they link to contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected.
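The filter adjustment described in the paragraph above (the same point is made in the October and November reviews earlier on this page) can be illustrated with a small classifier. What follows is an added example written for this page; it is not the author's WormCharmer or Bayesian filter code and makes no claim about how that tool is built. It trains a multinomial naive Bayes model on a handful of constructed messages and adds synthetic structural features alongside the words: the attachment extension and, for each URL, whether the host is a bare IP address and whether the path ends in an executable-looking extension. Those URL features are what let an attachment-free e-card lure that links to an executable score as malware while an attachment-free message with an ordinary intranet link stays clean. Every training and demo message is constructed, the URLs use documentation IP ranges and example.com and point at nothing, and the extension list is an assumption, not data from the page.

```python
"""Toy naive Bayes e-mail filter with link-lure features (added example)."""
import math
import os
import re
from collections import Counter

URL_RE = re.compile(r"https?://([^\s/]+)(/\S*)?", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Extensions that commonly carry executable content in mail lures (assumption).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".zip")


def features(text, attachments=()):
    """Bag-of-words tokens plus synthetic tokens: attachment extension (or
    ATTACH:none), and per URL whether it is present, hosted on a bare IPv4
    address, and whether its path ends in an executable-looking extension."""
    toks = re.findall(r"[a-z']+", URL_RE.sub(" ", text).lower())
    if not attachments:
        toks.append("ATTACH:none")
    for name in attachments:
        ext = os.path.splitext(name.lower())[1]
        toks.append("ATTACH:" + (ext or "noext"))
    for host, path in URL_RE.findall(text):
        toks.append("URL:present")
        if IPV4_RE.fullmatch(host):
            toks.append("URL:iphost")
        if path.lower().endswith(EXEC_EXT):
            toks.append("URL:execpath")
    return toks


class NaiveBayesMailFilter:
    """Multinomial naive Bayes with Laplace smoothing over features()."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()   # label -> number of training messages
        self.token_counts = {}          # label -> Counter of tokens
        self.vocab = set()

    def train(self, samples):
        for text, attachments, label in samples:
            toks = features(text, attachments)
            self.class_counts[label] += 1
            self.token_counts.setdefault(label, Counter()).update(toks)
            self.vocab.update(toks)

    def log_scores(self, text, attachments=()):
        """log P(label) + sum log P(token | label) for every label."""
        total = sum(self.class_counts.values())
        toks = features(text, attachments)
        scores = {}
        for label, n_docs in self.class_counts.items():
            tc = self.token_counts[label]
            denom = sum(tc.values()) + self.alpha * len(self.vocab)
            s = math.log(n_docs / total)
            for t in toks:
                s += math.log((tc[t] + self.alpha) / denom)
            scores[label] = s
        return scores

    def classify(self, text, attachments=()):
        scores = self.log_scores(text, attachments)
        return max(scores, key=scores.get)


# Constructed training corpus (not captured mail). Bare-IP hosts use RFC 5737
# documentation ranges so the URLs resolve to nothing.
TRAINING = [
    ("You have received a postcard from a family member. Click the link to view your card http://192.0.2.44/ecard.exe", [], "malware"),
    ("Someone sent you a greeting card. View your ecard at http://198.51.100.7/postcard.exe", [], "malware"),
    ("See the attached photos of the party", ["photos.zip"], "malware"),
    ("Your account details are in the attached file", ["details.scr"], "malware"),
    ("Watch the video clip, open the attachment", ["video.pif"], "malware"),
    ("Minutes from the project meeting are attached, please review before Friday", ["minutes.doc"], "clean"),
    ("Can we move the call to Thursday afternoon? Let me know", [], "clean"),
    ("Please find the quarterly report attached", ["report.doc"], "clean"),
    ("Thanks for the update, see you at the conference next week", [], "clean"),
    ("The agenda for Monday is on the intranet at http://intranet.example.com/agenda", [], "clean"),
]

# Constructed demo messages: an attachment-free e-card lure linking to an
# executable, a normal message with a document attached, and an
# attachment-free message with an ordinary link.
DEMO_MESSAGES = {
    "ecard_lure": ("You have received a greeting card from a friend. Click here to view your card http://203.0.113.5/card.exe", []),
    "minutes": ("Please find the meeting minutes attached", ["minutes.doc"]),
    "intranet_link": ("The slides from Thursday are on the intranet at http://intranet.example.com/slides", []),
}


def build_filter():
    f = NaiveBayesMailFilter()
    f.train(TRAINING)
    return f


def classify_demo():
    """Classify the demo messages; returns {name: label}."""
    f = build_filter()
    return {name: f.classify(text, atts) for name, (text, atts) in DEMO_MESSAGES.items()}


if __name__ == "__main__":
    for name, label in classify_demo().items():
        print(f"{name:14s} -> {label}")
```

The word tokens alone would not separate the e-card lure from the clean intranet message very well on a corpus this small; it is the URL:iphost and URL:execpath tokens, which only ever occur in the malware class during training, that carry the decision, which is the same effect as the author's decision to count link-only e-card notifications as malware.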



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 329,196 at the end of September. That's a growth of 106,723 new malware strains and/or variants so far in 2007, in September the number once more jumped by over 12,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be almost 142,300. Things have certainly speeded up during the second and third quarters of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during September 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - August has continued during September, if anything it has accelerated as can be seen by the examples covered above of the Storm Worm spam runs.

Levels of spam seen are almost back to their usual levels after the slight drop in the level of spam during August. The spammers haven't been idle during September as they are still trying out other file formats which they hope will bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during September. This is clearly shown in the massive jump in the percentage of phishing scams we've seen during both August and September.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, last quarter of the year! Typically the last quarter of the year and specifically the run up to Christmas is the most active time of the year for all the bad guys and girls.

Links:


Tuesday, 2 October 2007

Virus Bulletin 2007 Conference Review

As previously mentioned on this blog, I had a paper selected for the Virus Bulletin 2007 conference, which was held at the Hilton Hotel in Vienna, Austria, between the 19th and 21st of September.

This posting is a quick review of the conference and as promised a link to the full paper which I wrote for, and presented at, the conference:


"A warm and friendly welcome to Vienna, unless you're a Kangaroo!" ;-)

Day 1 - Wednesday 19th September 2007
The first day of the conference started at 10:30 with Helen Martin’s opening address, this was followed at 11:00 by "A road to big money: evolution of automation methods in malware development" presented by Maksym Schipka from MessageLabs on the Technical Stream. As always Maksym's talk was both interesting and contained lots of useful information.

The final session on the Corporate Stream before lunch was also interesting, a presentation by Abhilash Sonwane of Cyberoam entitled "Changing battleground: security against targeted, low-profile attacks". This talk touched on cyber-crime and targeted attacks, which would be mentioned throughout most of the rest of the conference presentations, from different perspectives.

Then it was time for lunch.

After lunch, the conference continued in its normal two stream mode; Corporate stream and Technical stream. Normally I spend most of the conference in the technical stream, and on this first day that was pretty much the case. I spent the whole afternoon in the Technical Stream. The first two presentations after lunch were:

  • DSD Tracer - implementation and experimentation - Boris Lau, Sophos

  • Pimp my PE: taming malicious and malformed executables - Casey Sheehan, Sunbelt Software

Then we had a short break for tea and coffee before attending the final pair of presentations on the technical stream. These were:

  • Anti-rootkit safeguards: welcome Vista - Aleksander Czarnowski, Avet

  • Patching. Is it always with the best intentions? - Alex Hinchliffe, McAfee

I decided to sit in on one of the two vendor presentations after the day's main proceedings, choosing that of my good friend Larry Bridwell from Grisoft [AVG]. It was a great presentation: instead of the dry marketing material he had been given, he gave a very entertaining one instead. This rounded off the day wonderfully!

Later we had the "Welcome drinks reception" which is a nice ice-breaker, especially for those that have not been to a VB Conference before as it is very informal and relaxed.

Day 2 - Thursday 20th September 2007
Day two started early for me as I was the first speaker to present on the Corporate Stream, so I had to get there early to check that my laptop worked fine with the projector, it did.

So, promptly at 09:00 I gave my own presentation based on my paper entitled "The journey so far: trends, graphs and statistics". Instead of trying to cover everything in the paper, all 30,000 words of it, I decided to just cover the key statistics, trends and a few examples, such as Brain, Casino and Ambulance.A, as well as some e-mail worms, such as Sircam, Loveletter and MyParty. When I was researching the paper I noticed that quite a few myths existed about the early days of malware, so I covered a number of these too.

I even finished on time and got asked several questions.

Next up, straight after me was the following presentation:

  • What a waste - the AV community DoS-ing itself - Joe Telafici, Dmitry Gryaznov, McAfee

This was an interesting look at sample sharing between security companies and researchers, the end result is often lots of duplicated samples and sets; these can easily be in excess of 500GB. In fact the guys from McAfee are seriously looking at drives that have a larger capacity than 1TB.

Then it was time for a quick tea/coffee break. During this I received quite a lot of very positive feedback on my presentation, as well as discussing several issues that I had mentioned with some of the original researchers who were there when the events I covered happened. The results from these discussions have enabled me to update my paper to be more accurate and to offer yet another set of first-hand witnesses to those events.

After the break I decided to stay on the Corporate Stream for the rest of the morning. These were the next batch of presentations:

  • The WildList is dead, long live the WildList! - Andreas Marx, Frank Dessmann, AV-Test.org

  • Have you got anything without spam in it? - Tim Ebringer, CA

  • A testing methodology for rootkit removal effectiveness - Josh Harriman, Symantec

Although all of these were interesting I found the presentation by Josh Harriman very interesting and engaging. He covered the results of tests with rootkits against cleaning/removal tools and showed that fairly often they don't remove all the components of the rootkit and/or the other system changes made by them.

Then it was time for Lunch, not only to refuel with food, but also to discuss and digest what we'd seen so far.

After lunch, once more I decided to sit in on the Corporate Stream until the tea/coffee break, at least. The next two presentations were:

  • Transforming victims into cyber-border guards: education as a defence strategy - Jeannette Jarvis, Microsoft

  • Phish phodder: is user education helping or hindering? - Andrew Lee, Eset; David Harley, Small Blue-Green World

Both of these were interesting, and in the case of the latter one also quite amusing as David and Andy's presentation included a 'Game Show'.

Then it was time for another caffeine break ;-)

After the tea/coffee break I moved to the Technical Stream as I was chairing the next two 'Last-minute' presentations, these were:

  • Andrew Walenstein, University of Louisiana at Lafayette

  • Erik Wu and Feike Hacquebord, Trend Micro

This is a new section of the conference, and it seemed to work reasonably well, although in some cases the presenters appeared to have submitted presentations that were originally meant for the normal 40 minute slots, rather than the 20 minute slots they tried to shoe-horn their longer presentation into. I think this area still needs a little tweaking. In fact, although this was only being tried out on the Technical Stream it may well be better suited to the Corporate Stream instead.

After these, I made a quick dash back to the final presentation on the Corporate Stream. This was:

  • Pump-n-dump for fun & profit: an in-depth look into stock spam and brokerage account compromise operations - Dmitri Alperovitch, Secure Computing

This was a very interesting presentation as it suggested that the so-called Pump-n-Dump scams didn't work the way many of us had imagined. It was less Pump-n-Dump and more just dump the stock they had acquired by creating an artificial market for it.

As on the first day of the conference, I decided to sit in on a vendor presentation after the day's main proceedings. This time it was Vinny Gulloto from Microsoft; as with Larry's, it was an entertaining one with very little marketing. Vinny also let slip that he had a waiting list of malware/anti-malware researchers who wanted to join him at Microsoft. This immediately put me in mind of the song "As some day it may happen" from Gilbert and Sullivan's "The Mikado", where the song is sung by Ko-Ko (The Lord High Executioner) as he goes through an imaginary list. So much so, that I found it hard not to whistle the tune! ;-)

Later we had the "pre-dinner drinks and the Gala dinner and cabaret". As always the food was excellent and the entertainment was typically Viennese; two couples performing various types of waltzes. This was followed up after dessert by our own private casino.



Day 3 - Friday 21st September 2007
The final day of the conference had arrived, I'm still not sure where the first two days had gone, but they sure went quickly!

As we started slightly later on the last day, to allow for those that had partied hard until the small-hours to get some sleep, and maybe quite a bit of black coffee, there was only a single presentation before the first coffee/tea break of the day. The one I decided to attend was on the Corporate Stream, again:

  • Menace 2 the wires: advances in the business models of cybercriminals - Guillaume Lovet, Fortinet

This presentation expanded on the one that Guillaume had given last year; which included a quote that claimed that "Cyber-crime was now more profitable than running drugs". Once more he had some very interesting material to share. Including a fax from the CEO of e-Gold.

So, another quick tea and coffee break and then more from the Corporate Stream:

  • The trojan money spinner - Mika Ståhlberg, F-Secure

  • Once upon a time a trojan... - Luis Corrons, Panda

  • New approaches to categorising economically-motivated digital threats - Anthony Arrott, David Perry, Trend Micro

All of these were very good and interesting talks and all covered cyber-crime in one form or another.

Then it was time for the final lunch of the conference, but before that, all the speakers had to get together for the traditional "Speakers Photo". As usual, much hilarity was had by all, especially by those who were trying to trick Jeanette Jarvis of Microsoft.

After lunch I spent the first part of the afternoon on the Technical Stream. These were the presentations I sat in on:

  • A deeper look at malware - the whole story - Bryan Lu, Fortinet

  • Malware removal - beyond content and context scanning - Tom Brosch, Maik Morgenstern, AV-Test.org

Both of these were interesting if a little obscure in parts. Both talks prompted a number of questions from the audience. Then it was time for the final refreshments break. Yes, it was the very last VB2007 Tea and coffee break of the whole conference.

The final presentations of the day, and the conference were straight after the break and I decided that I'd sit in on the last one on the Corporate Stream. This was:

  • Future threats - John Aycock, Department of Computer Science, University of Calgary; Alana Maurushat, Faculty of Law, University of New South Wales

Although all the conference papers presentations had finished there was a very interesting and lively panel discussion:

  • The fight against international cyber crime - enforcing the law - David Thomas, FBI, Stacy Arruda, FBI, Kevin Zuccato, Australian Federal Police, Mark Oram, CPNI

Finally it was time for the Conference closing session, once more led by Helen Martin, the editor of Virus Bulletin. It included the usual selection of scenic photos as well as general candid shots taken during the conference, including some 'comic' ones. This year it seemed to be a case of "I'm Spartacus", as a lot of people seemed to be wearing Dr. Vesselin Bontchev's name badge, and no, it wasn't him in varying disguises either!

Copies of the slides used by the speakers during the presentations can be found here: http://www.virusbtn.com/conference/vb2007/slides/index.xml The full agenda for the conference can be found here: http://www.virusbtn.com/conference/vb2007/programme/index

Finally, if you are really curious and want something to put you to sleep, then you can also find a selection of scenic photos I took whilst in Vienna, here: http://www.flickr.com/photos/14178057@N07/sets/72157602179472057/detail/

Yes, the pictures include the "welcoming statue", along with details on where in Vienna the picture was taken.

Oh yes, before I sign off, I really ought to own up that I, rather ironically, caught a virus whilst attending the Virus Bulletin conference! No, not a computer virus, a cold/flu variant. At least it waited for me to get back home before it knocked me off my feet and left me sounding like Barry White (after gargling bricks and broken glass). Back in Chicago [VB2004] I wasn't so lucky, I went down with almost the same thing whilst travelling to Chicago and tortured everyone that came to my presentation with my 'interesting' vocal range; from deep-bass, to Kermit-the-frog-a-like, to loss-of-signal. I don't know who suffered more, the audience or me ;-)

Well, that's another VB conference covered, I'm already looking forward to the possibility of attending next year, where it will be in Ottawa, Canada at the start of October 2008. Right, now I need to find some ideas for a few abstracts to submit....any suggestions?


Tuesday, 25 September 2007

Oh, Vienna...Update

As promised in my last posting, I have now created a PDF version of the paper I presented last week [Thursday the 20th of September] at the Virus Bulletin 2007 international conference in Vienna, Austria.



Karlskirche, Karlsplatz, Vienna
[Picture (c) Copyright, Martin Overton 2007, All Rights Reserved]

Here's the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscapes of types or malware used and the now often confused classification situation.

The paper is now available on my web site, and one of my other mirror sites. Here and here. Also, later this week I will post a short review of the conference, as I have done for the last 3 or 4 years.


Monday, 17 September 2007

Oh, Vienna...

Walked in the cold air
Freezing breath on a window plane
Lying and waiting
A man in the dark in a picture frame
So mystic and soulful
A voice reaching out in a piercing cry
It stays with you until

The feeling has gone only you and I
It means nothing to me
This means nothing to me
Oh, Vienna...


Those are just part of the lyrics to the song 'Vienna' by 'Ultravox'. Their lead singer is none other than 'Midge Ure'. It seemed a nice link to this post, hope you agree?

Why am I waffling on about Ultravox and their song Vienna? Well, I'm travelling to Vienna today so that I can attend, and present at the premier anti-malware and anti-spam conference of the year; this being Virus Bulletin's international conference.

This year it is back in Europe, which means that travel is easier, for me and the other Europeans that attend, although it is harder on those from the US, Canada and Asia-pacific.

I was informed that my paper is now on the main agenda and I get to 'do-my-thing' on Thursday morning [20th of September] on the corporate stream. This is the seventeenth time the conference has run, and the tenth time I have attended and presented at it.

For those of you that have forgotten, [shame on you! ;-)] my paper and presentation is on malware history and statistics. Here's the abstract:

Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscapes of types or malware used and the now often confused classification situation.

The paper will be made available on my web site early next week. I will post an entry with a link to it once I have got back from Vienna. I will also try and post one of my usual conference reviews.

The video of the song can be found here. Enjoy!

BTW, for anyone reading this that is attending the conference please feel free to say hello or have a chat with me, I don't bite, honest! ;-)


August 2007 Malware Review

Well at least in August it was drier than both June and July; towards the end of the month it seemed that summer had at last returned, for a few days at least. Just as well as otherwise our summer, in the UK, occurred during April this year.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky's monthly top 10

  • SOPHOS's monthly top 10

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 566 samples during August, which have been catalogued as just 20 distinct families and variants. In comparison during July I captured 499 samples which were catalogued as 25 distinct families/variants. As you can see the captures in August are slightly up from July's total.

During August I captured and submitted just one brand new malware strain/variant [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention, such as my VB2007 paper.

Even though August's statistics were up on July's, I still feel that the general trend is downwards. It appears that social-engineering is still the technique of choice this year.


During August I reported 77 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April. It now accounts for almost 82 percent of the samples captured in August.

There are seven [up from six] members of the Opaserv.worm family in August's chart. These are variants: AE, AI, D, AJ, AC, AD and AH [AJ and AH are new entries] in second, third, fourth, fifth, sixth, eighth and tenth places respectively.

The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In August's chart we still have only one survivor [down from three in June] this is: Q [aka P] down seven places from the runners up spot in July to ninth.

The final slot left is taken by a re-entry, this being seventh place and the malware is our old friend Dupator.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see in the top 10 from Kaspersky [below] for August, Mytob.c has finally managed to climb up the chart from seventh to fourth place. We also have another member of the Mytob family in August's top 10, this being Mytob.t, in at ninth place.

Netsky.q [aka P] has also climbed back up the chart from second place back to the pole position it managed to grab back in June. It is joined by three [up from two in July] other family members, these being: Netsky.t, which has slipped down three places from fourth to seventh spot. Netsky.aa has reversed its direction, climbing once more, from sixth to third place. The final Netsky family member is Netsky.b which grabs tenth place.

Bagle.gt has reversed its slow journey down the chart, climbing back up one place from third to second.

Worm.Win32.Feebs.gen is static in August's chart, in fifth place.

The final free places in August's chart are taken by IMG-WMF.y moving up two places from tenth to eighth, and finally we have Mydoom.l up from eighth to sixth place in August's chart.

Kaspersky had this to say about August's chart:

"August once again turned out to be "dead season" for virus epidemics in 2007. Since August 2003, when the Lovesan worm caused the biggest epidemic in history, the final month of summer has typically been the quietest and most uneventful, as it is a period when both virus writers and antivirus professionals often go on holiday.
Even the waves of mass-mailings sent out by the Warezov and Zhelatin worms were missing in action in August. Warezov.pk, the leader in July, disappeared suddenly from our virus radar screens. However, it's worth remembering that the launching pad for Warezov.pk was created back in May by Trojan-Downloader.Win32.Agent.bcs. August's Top Twenty features a new program used to create botnets and the conditions for new epidemics: Trojan-Downloader.Win32.Agent.brk. It looks as though a significant new outbreak of email threats will strike in September."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has further consolidated its grip on pole position.

Mytob has slipped down one place from the runners-up place, to third. The runner-up spot has been taken by Zafi which climbs up from the third place it held in July.

Mydoom, which was a re-entry in November's chart, has once more lost ground, falling back down to sixth from fifth.

According to SOPHOS Sality is a new entry in August, in at ninth place; although according to my records it was in sixth place in July's chart. Most odd! Other new entries include, Troj/Pushdo straight into the chart in fourth place and Mal/Dropper straight in at seventh place.

Bagle also slipped down the chart during August, from sixth to eighth place.

There is one re-entry in August, this being Troj/Dloadr back into the chart in fifth place.

To complete the chart we have TraxG, down three places from seventh to tenth.

Here is some commentary on August from Sophos:

"The figures, compiled by Sophos's global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.
Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies, and pop music videos. People visiting the sites are running the risk of having their PCs infected by malicious code which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties."




The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is headed up by the September 2005 leader, Tenga. Opaserv has had to settle for the runner-up spot, second, yet again.

The final step of the podium, third place, is occupied by Dupator which is up two places from fifth place in July.

Netsky has slipped from third to fourth place in August's chart.

We have one new entry in the chart in August; this is none other than IRCBot, straight in at fifth place.

As with the new entries, we have just one re-entry to the chart in August, this being, Lorez back into the chart in seventh.

The rest of the chart is made up of the following malware: Funlove, up four places from tenth to sixth place.

The more astute of you may have noticed that the top ten for August, contains only seven entries. This is because there are only seven families present in the captures for August.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: the following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of August] here. This clearly shows that August was busier than July. As shown in the figures for August, the overall trend is still downwards [as far as e-mails with malware attachments are concerned] and we will continue to see less malware being seeded via e-mail attachments. Instead we will continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.

The reason for the jumps during July and August is that I adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though they carry no attachments. These e-mails contain links to malware files being hosted on web servers, and the web pages they link to also contain a number of exploits to try and automatically infect visitors that are not patched or otherwise protected. This change in classification makes the figures look like the largest since October 2005.
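To illustrate the classification change described above, here is a small rule-based pass in Python that treats an attachment-free e-card lure linking to a raw-IP web host as malware, the way the Storm Worm e-card runs were reclassified. This is an added example, not code from the original post and not the author's Bayesian filter; the lure phrases, the sample messages and the TEST-NET addresses are all constructed for the example.

```python
"""Flag attachment-free 'e-card' lure e-mails that link to a raw-IP web host.

Added example; a deliberately simple rule that complements, rather than
replaces, a Bayesian classifier. Nothing here is taken from the blog's own
filter configuration.
"""
import ipaddress
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Lure phrases typical of the 2007 e-card spam runs (assumed list, constructed
# for this example).
LURE_PHRASES = ("ecard", "e-card", "greeting card", "postcard", "you've received a")


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (i.e. is an attachment)."""
    return any(part.get_filename() for part in msg.walk())


def _raw_ip_links(text: str) -> list:
    """Return every URL in the text whose host is a literal IP address."""
    hits = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # a normal hostname, not a raw IP
        hits.append(url)
    return hits


def classify(raw: str) -> str:
    """Return 'malware' for attachment-bearing mail or an attachment-free e-card
    lure that links to a raw-IP host, 'suspect' for a raw-IP link without lure
    text, and 'clean' otherwise."""
    msg = message_from_string(raw)
    if _has_attachment(msg):
        return "malware"
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    ip_links = _raw_ip_links(text)
    lure = any(phrase in text for phrase in LURE_PHRASES)
    if ip_links and lure:
        return "malware"
    if ip_links:
        return "suspect"
    return "clean"


def summarise(raw_messages) -> dict:
    """Count classifications over a batch of raw messages."""
    counts = {"malware": 0, "suspect": 0, "clean": 0}
    for raw in raw_messages:
        counts[classify(raw)] += 1
    return counts


# Constructed sample messages (TEST-NET addresses, not real hosts).
SAMPLES = {
    "ecard_link": (
        "From: ecards@example.com\nSubject: You've received a greeting card!\n"
        "Content-Type: text/plain\n\n"
        "Hi. You have received a postcard from a friend.\n"
        "To see it click http://192.0.2.10/ecard.exe\n"
    ),
    "plain_link": (
        "From: friend@example.com\nSubject: photos\nContent-Type: text/plain\n\n"
        "Here is the file: http://203.0.113.5/pics.zip\n"
    ),
    "newsletter": (
        "From: news@example.com\nSubject: Weekly newsletter\nContent-Type: text/plain\n\n"
        "Read this week's issue at http://www.example.com/news\n"
    ),
    "attachment": (
        "From: x@example.com\nSubject: Important\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nSee attached.\n"
        '--b1\nContent-Type: application/octet-stream; name="card.scr"\n'
        'Content-Disposition: attachment; filename="card.scr"\n\nMZ\n--b1--\n'
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {classify(raw)}")
    print(summarise(SAMPLES.values()))
```

The rule is intentionally narrow: a raw-IP link on its own is only marked suspect, because legitimate mail occasionally carries one, while the combination of e-card lure text and a raw-IP download link is what the 2007 spam runs looked like. A real deployment would feed the result back into the Bayesian scorer rather than overriding it outright.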



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 316,723 at the end of August. That's a growth of 94,250 new malware strains and/or variants so far in 2007, in August the number jumped by over 12,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 125,600. Things have certainly speeded up during the second and third quarters of 2007!


What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during August 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - July has continued during August, if anything it has accelerated. Otherwise, on the malware front, as confirmed by Kaspersky it was a rather 'dead' month with regard to major outbreaks.

We have surprisingly seen a slight drop in the level of spam during August and a move by the spammers towards using other file formats to try and bypass anti-spam defences.

The phishers have been busy with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during August. This is clearly shown in the massive jump in the percentage of phishing scams I've seen during August.

Malware being seeded via e-mail is back; however, as we have seen, it is different from the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, which works just as well and without the need for extra coding, as they aim for the weakest link in the security chain: the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, rest of the year!

Links:


Monday, 20 August 2007

July 2007 Malware Review

July has come and gone and like June in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from more flash or prolonged flooding for parts of the month.

As usual on the malware related security threats front it has been an interesting month with yet more malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky's monthly top 10

  • SOPHOS's monthly top 10

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 499 samples during July, which have been catalogued as 25 distinct families and variants. In comparison during June I only captured 209 samples which were catalogued as 31 distinct families/variants. As you can see the captures in July are significantly up from June's total.

During July I captured and submitted two brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is partly due to other work requiring my attention.

Even though July's statistics were up on June's, I still feel that the general trend is downwards. It seems that social-engineering is still the technique of choice so far this year.


During July I reported 90 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are six [up from five] members of the Opaserv.worm family in July's chart. These are variants: D, AE, AI [AI is a New entry], AC, AD and K [AD and K are Re-entries] in third, fourth, sixth, seventh, eighth and ninth places respectively.

The Netsky family is hanging on in the top ten again after dropping out of the chart completely in May. In July's chart we have only one survivor [down from three in June] this is: Q [aka P] up two places from fourth to the runners up spot.

Zapchast which managed to steal the final podium position in June has fallen on hard times and slipped down the chart to the final place; tenth.

The final slot left is taken by a new entry, this being fifth place and the malware is also a new one, in this case it is: Packed.Win32.PolyCrypt.b which is spreading via open shares in much the same way that the Opaserv family does.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for July once more has Mytob.c in seventh place which it managed to climb to back in February, it seems to have setup home there and put down roots!

Netsky.q [aka P] has slipped back down from the pole position it managed in June to the runner-up spot it last held in March. It is joined by two [down from three in June] other family members, these being: Netsky.t, which has slipped down one place from third to fourth spot, and Netsky.aa, which has slipped back down to the position it last held in May's chart; slipping two places from fourth to sixth place.

Bagle.gt has restarted its slow journey down the chart, slipping back down one place from second to third.

Worm.Win32.Feebs.gen has reversed last month slippage and climbed back up one place from sixth to fifth.

We have two new entries in July's chart, these are: Warezov.pk straight in at number one, Nyxem.e in at ninth and finally IMG-WMF.y grabbing the final place in July's chart.

Kaspersky had this to say about July's chart:
"On the whole, despite the blast-off of Warezov.pk, which was first detected on June 26 and peaked in early July, the situation remains stable (it is actually quite rare for the rankings to be so stable, with Warezov.pk being one of only two newcomers to the Top Twenty). The conditions are not favorable for new global epidemics, so the main threat is posed by local attacks targeting users from individual countries."



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has consolidated its grip on pole position which it lost during May.

Mytob has also managed to consolidate its hold on the runners-up place it grabbed in June after being static in third place back in April and May.

The final step of the podium; third, is taken by Zafi which climbs up from the sixth place it held in June.

Mydoom which was a re-entry in November's chart has once more lost ground, falling back down to fifth from fourth.

November's new entry, Sality has reversed its progress up the chart, slipping down one place from fifth to sixth during July.

Bagle also slipped down the chart during July, from sixth to eighth place. Meanwhile Nyxem.D has fallen right out of the top ten during July and Mal/Iframe has slipped one place from third to fourth.

There is one re-entry in July, this being Mal/Clagger back into the chart in ninth place.

To complete the chart we have two new entries, these are: Troj/Agent in at the seventh spot, and W32/Strati which just scrapes into the chart in tenth.

Here is some commentary on July from Sophos:

"Interestingly"The security dangers of the web still aren't fully registering with a great many businesses - this is providing rich pickings for hackers hell-bent on gaining access to sensitive information," said Carole Theriault, senior security consultant at Sophos. "It's no surprise to see legitimate webpages targeted for these attacks - businesses generally aren't too strict about stopping their employees accessing these websites, while the sites themselves will already have their own daily flow of user traffic, saving hackers the trouble of trying to entice unenlightened web surfers."




The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is headed up by the September 2005 leader, Tenga which has once more regained the crown it lost in June when Opaserv stole it. Opaserv has had to settle for the runner-up spot; second.

The final step of the podium, third place, is once more occupied by Netsky which is static in July.

Zapchast which stormed up the chart from ninth to fourth place in June has once more slipped back down the chart, however, this time it is only two places from fourth to sixth place.

W32.Dupator has consolidated the fifth place it managed to claim in June's chart.

We have one new entry in the chart in July; this is none other than Polycrypt, straight in at fourth place.

As with the new entries, we have just one re-entry to the chart in July, this being, Zhelatin back into the chart in seventh.

The rest of the chart is made up of the following malware: Spaces, down one place to eighth, MyDoom, down one place to ninth and finally Funlove, static in tenth place.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of July] here. This clearly shows that July was busier than June which was the quietest month since I started keeping these statistics. As shown in the figures for July, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards. The reason for the jump during July is that I've adjusted my filters to classify the e-card notifications used by the 'Storm Worm' gang as malware, even though there are no attachments. This is due to the fact that these e-mails contain links to malware files being hosted on web servers. This makes the figures look like the largest since January 2006.
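The filter change described above, classifying link-only e-card notices as malware, as an added example rather than the author's actual Bayesian filter or rules; the suffix list and both sample messages are constructed:

```python
"""Content rule for link-only lures. Added example, not the author's Bayesian filter
or content-control rules; the suffix list and the two sample messages are constructed.

The rule extracts every URL from the text parts of a message and treats the message
as malware when a link fetches an executable file or points at a bare IP address,
even though nothing is attached. That is the shape of the 'Storm Worm' e-card
notices the post describes."""
import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from ipaddress import ip_address
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed list of extensions a greeting-card site has no business linking to.
EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


class HrefCollector(HTMLParser):
    """Pull href targets out of <a> tags so a hidden target is checked, not just the link text."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_urls(msg: Message) -> List[str]:
    """Every distinct URL found in the text/plain and text/html parts of the message."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        urls.update(URL_RE.findall(text))
        if part.get_content_subtype() == "html":
            collector = HrefCollector()
            collector.feed(text)
            urls.update(collector.hrefs)
    return sorted(u.rstrip(".,;)") for u in urls)


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(urls: List[str]) -> List[Tuple[str, str]]:
    """Return (url, reason) for each link that matches the rule."""
    hits = []
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if parsed.path.lower().endswith(EXEC_SUFFIXES):
            hits.append((url, "link fetches an executable"))
        elif is_ip_literal(host):
            hits.append((url, "host is a bare IP address"))
    return hits


def classify(raw_message: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Verdict plus the links that triggered it; no attachment is needed for 'malware'."""
    hits = suspicious_links(extract_urls(message_from_string(raw_message)))
    return ("malware" if hits else "clean", hits)


# Constructed samples: a lure with nothing attached, and a benign card notice.
ECARD_LURE = """\
From: "Greeting Cards" <cards@example.com>
To: victim@example.net
Subject: You've received a greeting card!
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi. A friend has sent you an e-card.
To view it, click here: http://203.0.113.5/ecard.exe
"""

BENIGN_NOTICE = """\
From: "Greeting Cards" <cards@example.com>
To: victim@example.net
Subject: Your card from Bob
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>Bob sent you a card: <a href="https://cards.example.com/view?id=42">open it</a></body></html>
"""

if __name__ == "__main__":
    for sample in (ECARD_LURE, BENIGN_NOTICE):
        print(classify(sample))
```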



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 304,153 at the end of July. That's a growth of 81,680 new malware strains and/or variants so far in 2007, in July the number jumped by over 28,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 122,500. Things have certainly speeded up during the second and third quarters of 2007!


What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences during July 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - June has continued during July, if anything it has accelerated.

We have surprisingly seen a slight drop in the level of spam during July and a move by the spammers towards using other file formats to try and bypass anti-spam defences.

The Phishers have been busy both with new versions of their scams, as shown by the mass of attacks aimed at many of the UK banks during July. This is clearly shown in the jump in the percentage of phishing scams I've seen during July.

Malware being seeded via e-mail is back, however as we have seen it is different than the malware that used to arrive via e-mail as an attachment. Now they just get you to download the malware and infect your own computer, works just as well and without the need for extra coding as they aim for the weakest link in the security chain; the person using the computer.

All in all, it looks like we could be in for a very interesting, and busy, rest of the year!

Links:


Friday, 27 July 2007

Asked By A Reader...

The following question was asked by a reader of this blog, and I informed the reader that as it was a good question and that the answer is quite involved, that I'd cover it later as a separate blog entry, so here we go.

Here's the question:

"Since you are discussing Spam I will ask a question that I've had for some time. Why can't email vendors (google, AOL, MSN, etc.) setup on one of their gateways to return emails as undeliverable, if their customer puts the mail in a Spam folder. Won't that result in the Spammer removing the email from their distribution list after a few undeliverable messages?"

And here's the answer:

Nice idea, if the vast majority of spammers:

  • Didn't fake [spoof] the address that the e-mail appears to be from, so the real spammer rarely sees any bounces as all bounced mail ends up going to the e-mail address that the spammers stole, this type of attack is known as a 'Joe Job'. In some cases this is intentional to try and discredit a company or individual.

  • Didn't totally ignore unsubscribe requests, in fact this only makes the e-mail address you try and unsubscribe more valuable to the spammers as it means it is active. You will get more, not less spam if you insist on using them.

  • Weren't criminals using botnets to send 90 percent of their 'crud' and as these criminals are using computers that they have infected with malware to allow them to send their 'crud' through, they have little to fear from their own ISPs.

So, the bottom line is, nice idea, but it is completely unworkable using the current SMTP standards. SMTP2 anyone?

A quick update on my latest anti-spam experiment:

Since my last posting I've received just 12 spam/malware e-mails which managed to sidestep the new defences. To put this in context , before I put these new techniques in place I usually received around 1,000 e-mails a day, of those about 90 percent was spam, so instead of around 900 spam e-mails a day, I'm now getting about 6!

So, does anyone have any other questions they would like me to try and answer, or have anything to say about this one?

* I'll cover this in detail in another posting.


Wednesday, 25 July 2007

Experiments In Spam

No. This doesn't mean I've been dabbling in creating or sending spam...Quite the opposite, in fact.

Last night I took a step into the unknown, I made major changes to the way I deal with spam arriving at my personal mail server. Why?

Well, at the moment I use a mix of Bayesian filtering, custom filtering rules and a DNS Blacklist to tag known spam. This works well, as I still get to see the spam so that I can analyse it, generate statistics, etc. which I use for trend analysis, in reports [such as my Monthly Malware Reviews], presentations and so on.

However, I just don't have the spare capacity to manage this at the moment as I have other commitments that need to be given 90 percent or more of my time so that I can complete them.

To this end I thought I'd try a different approach to spam.

What I put in place last night are a number of techniques which I'm using to no longer just flag [tag with custom headers] spam [so they can be filtered out and analysed later]. Instead I'm actively rejecting it at my mail server using a mixture of custom Content Control/Compliance rules, DNS blacklists [such as Spamhaus and Spamcop], and Graylisting.

My Bayesian classifier will still be used to deal with anything that gets through. I estimate that using Graylisting and aggressive DNS blacklisting will drop the amount of spam I have to process down to around 10 percent, rather than the 90 percent it stands at now, as you can see from the following graph:



Early results seem to confirm my estimates, as overnight my usual haul of spam* has dropped from the typical 400-600 to just 12, quite an effect!

Furthermore it appears from these early results that several spammers, scammers and malware authors have already adapted their tools/techniques to handle Graylisting. This can be seen in that, instead of the mail being sent, being rejected [temporarily], and never being seen again [as happens with most spam/scams/malware distributed via e-mail], the 'Bad Guys and Girls' appear to have added a 'retry' feature to enable them to slip past Graylisting as if they were a real 'mail server' which fully supports the relevant RFCs [SMTP standards].

To check this, I have investigated the raw e-mail headers and I can confirm that not one of these 'spammy' e-mails that managed to get past the Graylisting tool used a third party MX, they ALL came directly from the infected [bot controlled] system or the spammer's own system, usually a DSL connected PC.

So, it looks like Graylisting may only be useful for a while, as usual I suspect it will be my usual approach that will cope best, this being Defence in Depth.

No doubt I'll make some changes to the current configuration, tweaking it, maybe adding/removing things, either way, I'll keep you posted...In the meantime, a question for you:
"How do you deal with spam?"

On the spam front there have been a couple of new developments, but that's another posting ;-)

* In this case spam refers to not only UCE [Unsolicited Commercial E-mail], but also Malware and Scams [Phishing and 419s] too.
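Greylisting as this post uses it, written out as an added example that is not the author's mail-server configuration; the delay, window and lifetime values are assumptions and the traffic in simulate() is constructed, including a sender that retries, which is the case the post observes slipping through:

```python
"""Greylisting with a minimum retry delay. Added example, not the author's mail-server
setup; the delay, window and lifetime values are assumptions, and the traffic in
simulate() is constructed.

A sender is identified by the triplet (client network, envelope sender, envelope
recipient). The first attempt from an unknown triplet gets a temporary SMTP error;
a retry is accepted only after MIN_RETRY_DELAY, which still stops senders that
simply fire the message again a few seconds later. Time is integer seconds."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

MIN_RETRY_DELAY = 300            # assumption: a real MTA retries after minutes, not seconds
RETRY_WINDOW = 4 * 3600          # a pending triplet is forgotten if no retry arrives in time
KNOWN_LIFETIME = 36 * 24 * 3600  # an accepted triplet stays whitelisted for ~36 days

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Triplet = Tuple[str, str, str]


@dataclass
class Entry:
    first_seen: int
    last_seen: int
    accepted: bool = False


def triplet(client_ip: str, sender: str, recipient: str) -> Triplet:
    """Key on the client's /24 (/64 for IPv6) so a retry from a neighbouring
    outbound host of the same sending farm still matches the pending entry."""
    prefix = 24 if ip_address(client_ip).version == 4 else 64
    net = ip_network(f"{client_ip}/{prefix}", strict=False)
    return (str(net), sender.lower(), recipient.lower())


class Greylist:
    def __init__(self) -> None:
        self.entries: Dict[Triplet, Entry] = {}

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        """Return the SMTP response for one delivery attempt at time `now`."""
        key = triplet(client_ip, sender, recipient)
        entry = self.entries.get(key)

        if entry is None:
            # Never seen: record it and defer. A fire-and-forget bot never comes back.
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return DEFER

        if entry.accepted:
            if now - entry.last_seen > KNOWN_LIFETIME:
                # Whitelist entry went stale; start the dance again.
                self.entries[key] = Entry(first_seen=now, last_seen=now)
                return DEFER
            entry.last_seen = now
            return ACCEPT

        age = now - entry.first_seen
        if age < MIN_RETRY_DELAY:
            # Retried too quickly: keep deferring rather than rewarding a tight loop.
            entry.last_seen = now
            return DEFER
        if age > RETRY_WINDOW:
            # Retry came far too late; treat it as a brand-new first attempt.
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return DEFER

        # A patient retry inside the window: this is what a real MTA does and, as the
        # post observes, what spam tools that have grown a retry feature now do too.
        entry.accepted = True
        entry.last_seen = now
        return ACCEPT


def simulate() -> List[Tuple[str, str]]:
    """Constructed traffic: a legitimate MTA, a fire-and-forget bot, and a bot that
    has learned to retry. Returns (label, response) pairs in order."""
    gl = Greylist()
    me = "me@example.net"
    log = []
    # Legitimate MTA: deferred once, retries after 15 minutes, then flows freely.
    log.append(("mta-1st", gl.check("192.0.2.25", "alice@example.org", me, 0)))
    log.append(("mta-retry", gl.check("192.0.2.25", "alice@example.org", me, 900)))
    log.append(("mta-later", gl.check("192.0.2.25", "alice@example.org", me, 7200)))
    # Bot A: one attempt, an immediate retry two seconds later, then gone.
    log.append(("botA-1st", gl.check("198.51.100.7", "x@example.com", me, 10)))
    log.append(("botA-fast", gl.check("198.51.100.7", "x@example.com", me, 12)))
    # Bot B: waits ten minutes and retries, which greylisting alone cannot stop.
    log.append(("botB-1st", gl.check("203.0.113.40", "y@example.com", me, 20)))
    log.append(("botB-retry", gl.check("203.0.113.40", "y@example.com", me, 620)))
    return log


if __name__ == "__main__":
    for label, response in simulate():
        print(f"{label:10} {response}")
```

The botB case is the gap the post describes, which is why greylisting here sits alongside the DNS blacklists and content rules rather than replacing them.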


Monday, 23 July 2007

June 2007 Malware Review

'Flaming June' has come and gone, however in the UK it wasn't 'Flaming' as in hot, it was instead 'Flaming Wet' as large parts of the UK suffered from flash or prolonged flooding for parts of the month.
We are now past the halfway point of 2007 and I'll include some comments on trends, etc. that have occurred during the first half of the year.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:


The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured only 209 samples during June, which have been catalogued as 31 distinct families and variants. In comparison during May I captured 800 samples which were catalogued as 35 distinct families/variants. As you can see the captures in June are significantly down from May's total.

During June I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The June statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.


During June I reported just 26 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has further consolidated the pole position it took back in April after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart.

There are just four [down from five] members of the Opaserv.worm family in June's chart. These are variants: AE, D, I and AC in second, seventh, eighth and tenth places respectively.

The Netsky family is back in the top ten again after dropping out of the chart completely in May. We have a trio of family members in June's chart, these are: Q [aka P] back in at fourth place, Y back in at fifth and finally X back in at sixth place. Looks a bit like the London Bus effect, wait for ages for one to appear, and then three appear at the same time!

As with Netsky, we have one final re-entry in June's top ten, this being Zapchast which has managed to steal the final podium position coming back in to the third spot.

The final slot left is taken by Dupator, which is up one place from tenth to ninth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for June once more has Mytob.c in seventh place which it managed to climb to back in February, it seems to have setup home there and put down roots!

Netsky.q [aka P] has climbed up from the runner-up spot it held in March and lost in April to snatch pole position in June's chart. It is joined by three other family members. Netsky.t, February's pole sitter, which slipped down to fourth during March and was back in first place in May, has fallen two places to occupy the final step of the podium; third place. To mirror that change, Netsky.aa has gained two places, up from sixth to fourth place.

Bagle.gt has further reversed its slow journey down the chart, climbing back up the chart one more place from third to take the runner-up spot; second.

Worm.Win32.Feebs.gen has fallen back down one place from fifth to sixth effectively reversing its progress from May.

We have three new entries in June's chart, these are all members of the same family, this being Warezov. We have variant OZ straight in to the chart in fifth place, variant OV occupying the eighth spot, and finally variant OP in ninth place.

To complete the top ten, we have a re-entry, this being an oldie; Mydoom-L which takes the final slot in tenth place.

Kaspersky had this to say about June's chart:

"After a long break, first place was again taken by the all-time leader of 2004 and 2005: the NetSky.q worm. Right on its heels is a worm from an equally old family, Bagle.gt. Meanwhile, NetSky.t, the leader in May, slipped very slightly down the table, ending up in third place.

Probably the most noteworthy event this month was the disappearance of May's rabble-rouser, Sober.aa. This virus appeared after a six-month stint in the shadows, suddenly taking fourth place before disappearing again. Will we be seeing this family in our reports again? I suspect not".



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a similar pattern; Netsky has regained its grip on pole position which it lost during May, and is back as the pole sitter. May's pole sitter, Sober, has once more dropped out of the top ten.

Mytob has managed to climb up the chart one place, to steal the runners-up place on the podium after being static in third place back in April and May.

The final step of the podium; third, is taken by a new entry which has only appeared in SOPHOS's web threat chart before. This new entry is Mal/Iframe.

Here is some commentary on it from Sophos:
"Interestingly, Mal/Iframe's appearance in the email-based chart demonstrates that it is not limited to only infecting via the web. Hackers can embed the malware into emails using HTML to exploit users".

Mydoom which was a re-entry in November's chart has recovered more ground during June after falling to seventh place in April and climbing to fifth in May, it is now up one more place to fourth.

November's new entry, Sality has reversed its slide down the chart, jumping up three places from effectively eighth place in May to fifth in June.

Zafi-D which dropped from February's fourth to sixth place in March and which reversed its slide down the chart, ending up in fifth place in April has now halted its slide, and is sitting in sixth place as it was in May.

Bagle is up a single place in June's chart from eighth to seventh place. Meanwhile Nyxem.D [aka MyWife] is likewise static in tenth place.

To complete the chart we have two re-entries, these are: Mal/DownLdr in eighth and W32/Stratio in ninth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots.

This month the table is not headed up by the September 2005 leader, Tenga. Its crown has been stolen once more, this time by Opaserv. Tenga has been forced to accept the runners-up spot; second in June.

The final step of the podium, third place, has been occupied by Netsky which is up from the fifth place it held in May.

Zapchast which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March then suffered a setback, slipping down to eighth place in April and to ninth in May, has experienced a major turn around, storming back up the chart and taking fourth place in June.

W32.Dupator has moved up one place in June from sixth to fifth place.

The rest of June's chart is made up by re-entries, these are: Tibs, Spaces, MyDoom, Small and finally Funlove, in sixth, seventh, eighth, ninth and tenth places respectively.




If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of June] here. This clearly shows that June was busier than May which was the quietest month since I started keeping these statistics. As shown in the figures for June, the overall trend is still downwards and we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 275,995 at the end of June. That's a growth of 53,522 new malware strains and/or variants in the first half of 2007, in June the number jumped by over 10,000. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 107,044. Things have certainly speeded up during the second quarter of 2007!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.


Conclusions:
The current trend of using social-engineering which has been widespread in January - May has continued in June, if anything it has accelerated.

We have seen another rise in the level of spam during June and this may have dented the figures for both 419s, Phishes and Malware arriving via e-mail, only time will tell.

The Phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity [as can be seen in the article I have included in this months report]. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Another trend which has made itself very obvious during the first half of the year is that of the malware authors relying on social engineering to get victims to infect their computers, rather than having to use exploit code or include mass-mailing or other infection routines into their creations.

The final trend I wish to mention that has become prevalent this year, and ties up with the social engineering comments above, is that the malware authors and cyber-criminals are increasing their use of web sites to hold their malware and sending e-mails that contain nothing more than a link to it. In many cases this is not just a single web site, but can be as many as 10,000.

Looks like we could be in for a very interesting second half of the year!

Links:


Wednesday, 20 June 2007

May 2007 Malware Review

The 'Darling Buds of May' have now finished blossoming and we are almost halfway through 2007, now that 'Flaming June' is upon us.

Once more on the malware and related security threats front it has been an interesting month with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection. We've also seen lots of activity from scammers and cyber-criminals again, more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 800 samples during May, which have been catalogued as 35 distinct families and variants. In comparison during April I captured 736 samples which were catalogued as 40 distinct families/variants. As you can see the captures in May are very slightly up from April's total.

During May I captured and submitted no brand new malware strains/variants [unknown to all or most AV companies at the time of submission]. This is due to other work requiring my attention.

The May statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During May I reported 70 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] has consolidated the pole position it took back last month after having to settle for the runner-up position during March when W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart. In contrast to Tenga, W32.Kasper.A has completely fallen out of the top ten in May along with W32.Sality.AD which grabbed the final podium place, in third.

So, because of that we have two members of the Opaserv.worm family [ae which is up 3 places and d which is a re-entry] in second and third places respectively.

There are five other members of the Opaserv.worm family in May's chart, up from just three representatives in April's chart. These are variants ah, ai, I, ac and k in fifth, sixth, seventh, eighth and ninth places respectively. Quite a turn-around in fortunes for this family!

Other casualties in May's chart include: IRC.Zapchast, Virus.Win32.Virut.a, W32/Netsky.P and Zhelatin.cq.

The last two places are claimed by Trojan-Downloader.Win32.Agent.bjo, which is a new entry, straight in at fourth place, and W32.Dupator, which is a re-entry back in the chart in tenth place.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for May still has Mytob.c in seventh place which it managed to climb to in February, it seems to have setup home there.

Netsky.q has regained the runner-up spot it held in March and lost in April. It is joined by three other family members, these being: Netsky.aa, which regained the sixth place it claimed in March after falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, which is back as the pole sitter in first place in May; and finally Netsky.b, which has slipped one place from ninth to tenth.

Bagle.gt has reversed its slow journey down the chart, climbing back up the chart one place from fourth to third. Worm.Win32.Feebs.gen has also climbed up one place from sixth to fifth place.

We have two new entries in May's chart, these are: Email-Worm.Win32.Sober.aa straight in the chart in fourth place and Trojan-Downloader.Win32.Agent.bqs four places below it in eighth place.

To complete the top ten, we have Scano.gen which has managed to climb one place from tenth to ninth place.

Kaspersky had this to say about May's chart:
"A first look at the top of the table for May might give the impression that we've slipped back in time to the end of 2005. You can rub your eyes as hard as you want but it won't change anything - Netsky, Bagle and Sober are topping the rankings again, just as they were a few years ago. "



Please note: SOPHOS are now effectively only using family names for their top ten malware and because of this I will now use the same method for analysing their data.

In the SOPHOS chart we see a different pattern; Netsky has finally lost its grip on pole position during May and we have a new pole sitter, this being Sober, which is a re-entry into the top ten.

Here is some commentary on it from Sophos:
"In May, Sober was the most prevalent email-borne attack, toppling Netsky from its top position and accounting for almost one third of all threats. Sober's dominance in the chart is primarily due to a huge outbreak on May 1st that coincided with May Day across Europe. During this 24-hour period, Sober accounted for nearly 70 percent of all infected email identified by Sophos."

Zafi-D, which dropped from February's fourth to sixth place in March and then reversed its slide down the chart, ending up in fifth place in April, is on the slide again, slipping down one place to sixth in May.
Meanwhile Nyxem.D [aka MyWife] has dropped another place in May; down from ninth to tenth place.

Stratio-Zip has consolidated its grip on fourth place, after falling out of the chart in February, and Mytob has likewise remained static in third place, which it grabbed back in December 2006.

Mydoom which was a re-entry in November's chart has recovered some ground after falling to seventh place in April; it is now up two places to fifth. November's new entry, Sality has lost one more place in May, down from sixth to joint seventh place in May's chart.

We have just one new entry in May's chart, this being Mal/Behav sharing seventh place with Sality.

To complete this month's top ten Bagle drops a single place from eighth to ninth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife], which stole Tenga's crown in March, has completely disappeared from the chart in May.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to climb one place from the final step on the podium up to the runner-up spot; second.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times: after slipping down to eighth place in April it has lost more ground and slides down one more place to ninth. Netsky is static in fifth place.

We have two re-entries in May, these are: Email-Worm.Win32.Warezov and W32.Dupator in fourth and sixth places respectively.

One of March's new entries, Virut has consolidated its hold on seventh place in May's chart. Talking of new entries, we have three in the top ten for May, these are: Trojan-Downloader.Win32.Agent, Trojan-Spy.Win32.Banker and Trojan.BAT.Runner.b coming into the top ten in third, eighth and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://momusings.com. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day.



Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of May] here. This clearly shows that May was the quietest month since I started keeping these statistics. As shown in the figures for May, the overall trend is still downwards and that we will continue to see less malware being seeded via e-mail although we may continue to see more malware being seeded via links in e-mails, rather than as attachments, such as fake e-cards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 265,284 at the end of May. That's a growth of 42,811 new malware strains and/or variants in the first five months of 2007, in May the number jumped by 12,126. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 102,700.

Things have certainly speeded up during April and May!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in May 2007.




Conclusions:
The current trend of using social-engineering, which has been widespread in January - April, has continued in May, as seen by the continuing high numbers of fake e-card notifications being trapped.

We have seen an unexpected recovery in the level of spam in May; this may have dented the figures for both 419s and malware arriving via e-mail, only time will tell.

The phishers have been busy both with new versions of their scams, but also trying to recruit new 'staff' to launder the proceeds of their criminal activity. It seems that they have more material [stolen accounts/credentials/credit card data] than they can handle, which is both gratifying [as they can't deal with more than a percentage of what they have acquired] and worrying [that they have managed to amass so much personal/financial data in the first place].

Links:



Monday, 4 June 2007

Virus Bulletin 2007 Abstract Selected

Virus Bulletin have just informed me that my abstract entitled: 'The Journey So Far: Trends, Graphs and Statistics.' has been selected for the Virus Bulletin 2007 international conference to be held from the 19th to the 21st September 2007 at the Vienna Hilton, Vienna, Austria.

The abstract for the paper appears below:
Abstract:
This paper will discuss the observed trends that have emerged since the start of the malware problem on DOS and Windows and how things have changed over the years.

The paper will discuss examples of the following:

  • Malware types.

  • Targets; file formats and operating systems.

  • Obfuscation and related tricks and counter techniques.

  • The use of social-engineering by malware authors.

  • The cat and mouse game between the malware authors and vendors.

  • The challenges of classification of malware.

  • Changes in motivations.

The paper will discuss the changes witnessed in the malware/anti-malware arena seen since the start of it all with Brain. This will cover the emergence of stealth, polymorphism, macro and script malware and go on to cover the growth of mass-mailing worms, bots and the rebirth of stealth as rootkits.

This paper will include clear trend analysis showing the major shifts in malware over the years using a consistent data source which I have compiled. Key shifts from both sides of the problem will be covered, such as polymorphism [including TPE and DAME] and the resulting move to emulation and generic decryption to counter the threat. The growth in the use of packers, compressors and social engineering will also be covered.

Finally, the paper will cover the change in motivation for the malware authors, not just covering the excuses/reasons that they offer, but also the real reasons. It will also cover the changing landscape of types of malware used and the now often confused classification situation.

I haven't blogged about this until now as I wanted to make sure I had approval for not only writing the paper, but also attending the conference and getting approval for the travel, hotel and other expenses. Also, VB contacted me rather late as they have asked me to be a reserve speaker. Last time I was a reserve speaker for them was back in 2003, in New Orleans, and I ended up presenting anyway due to a hurricane causing chaos. Hopefully, we won't see a hurricane, or any other disaster in Vienna?

All I have to do now is carry out all the required research and write the paper, piece of cake, NOT!

This will be the tenth time I've written a paper for the Virus Bulletin International Conference. I've also written a number of articles for the Virus Bulletin periodical as well, including a book review which is published in this month's edition [June 2007].

The value to me personally in attending this conference is the knowledge I gain each and every time I attend; that in itself is priceless. It is also a chance to finally meet some of the people I converse with via e-mail, and catch up with like-minded people I've met before, some of whom I would now consider to be friends.

If you have never been to a Virus Bulletin conference and you work in the information security field, then it is about time you did, you won't regret it!

The full paper will be made available after the conference. I'll post an announcement here shortly after the conference has finished.



Wednesday, 30 May 2007

April 2007 Malware Review

Just about managed to get this finished before the end of the month.

April has come and gone and we are already well into the second quarter of the year; this year seems to be flying by! However, on the malware and related security threats front it has been an interesting month, with another load of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 736 samples during April, which have been catalogued as 40 distinct families and variants. In comparison during March I captured 638 samples which were catalogued as 38 distinct families/variants. As you can see the captures in April are slightly up from March's total.

During April I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The April statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is still the technique of choice so far this year.

During April I reported 48 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] is back in pole position after having to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] had forced its way to the top of the chart during March.

W32.Kasper.A has had to settle for the runner-up spot in April. This means that the top two have swapped places in April's chart.

W32/Sality.AD [Frisk] is back in the top ten again having dropped out of the chart in March, it has stormed back in to grab the final podium place, in third.

The Opaserv.worm family, which completely failed to turn up in the chart in February and then stormed back in to the chart in March with four representatives, has suffered a loss. In April's chart we have lost one of the Opaserv clan from the top ten; the remaining family members are: variants ae, d, and ac in fifth, eighth and tenth places respectively.

IRC.Zapchast which managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart has suffered a fall, down three places to sixth.

Virus.Win32.Virut.a [which was a new entry in March's chart] has managed to consolidate the fourth place it managed to grab when it entered the chart in March.

We have two re-entries in April's chart, these are: W32/Netsky.P, which has been in and out of the top ten for more than two years now, and Zhelatin.cq, which is somewhat more recent, having only been around since the end of 2006.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see, the top 10 from Kaspersky [below] for April still has Mytob.c in seventh place, which it managed to climb to in February; it seems to have set up home there.

Netsky.q has once more fallen off the runner-up spot; this time it has slipped just one place to third. It is joined by three other family members, these being: Netsky.aa, which has lost its sixth place from March, falling down to eighth spot in April; Netsky.t, February's pole sitter which slipped down to fourth during March, is back as the pole sitter in first place; and finally Netsky.b has consolidated its hold on ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to fourth.

We have three new entries in April's chart, these are: Email-Worm.Win32.Warezov.ms straight in the chart in second place, Trojan-Spy.HTML.Bankfraud.ri in fifth place and finally Worm.Win32.Feebs.gen just below it in sixth place.

To complete the top ten, we have Scano.gen which is holding on tight to the final place; tenth spot.

Kaspersky had this to say about April's chart:
"It's getting more and more interesting looking at the statistics on malicious code in mail traffic. Warezov and Zhelatin regularly cause virus outbreaks, hit the headlines, and create a huge amount of work for virus labs around the world, but it's NetSky.t, an old email worm, which grabbed first place this month. In the three years since NetSky.t appeared, its highest ranking ever was fourth place in February 2006. It subsequently disappeared from the rankings, but returned to lurk close to the top of the table. And this month it has taken first place by storm, pushing aside all the new generation worms.

This was probably the result of a new tactic: virus writers are now spamming multiple variants of their latest creation within a very short space of time. Many of these variants make it to the Top Twenty, but sometimes the sheer number of variants prevents them from gaining a high position: NetSky.t, a single variant which spread extremely widely, is proof of this."



In the SOPHOS chart we see a different pattern; Netsky.p has consolidated its grip on pole position during April and we have a re-entry in the runner-up spot, Dref-AF.

Here is some commentary on it from Sophos:
"Sophos has also revealed that while Netsky has held onto the number one spot for email-borne threats, Dref has shot back into the chart at number two, accounting for 24% of all malware spread via email"

Zafi-D, which dropped from February's fourth to sixth place in March, has reversed its slide down the chart, ending up in fifth place in April. Meanwhile Nyxem.D [aka MyWife] has dropped one place in April; down from eighth place to ninth, which was where it was back in February.

Stratio-Zip has managed to claw its way up from seventh to fourth place, after falling out of the chart in February. Mytob-C has dropped back down the chart from second to third place, which it grabbed back in December 2006.

Mydoom-O, which was a re-entry in November's top ten, drops three places from fourth to seventh place, and November's new entry, W32/Sality.AA, has likewise dropped three places from third place to sixth in April's chart.

The last remaining member of the Bagle family, Bagle-qw also drops three places from fifth to eighth place.

To complete this month's top ten we have a new entry Troj/Small-EIV in at tenth place.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see, this includes not only mass-mailers but also share-crawling worms and bots. This month the table is once more headed up by the September 2005 leader, Tenga. March's new 'pretender', W32/Kasper [aka MyWife], which stole Tenga's crown in March, has had to make do with the runner-up spot once more.

Mytob has dropped out of the chart during April from the sixth spot it held during March. Opaserv has managed to consolidate its hold on the final step on the podium; third place.

Zapchast, which stormed up the chart from ninth to fifth place in February and managed to move up to fourth place in March, has fallen on hard times and slipped down to eighth place in April.

Sality is up three places to sixth place, and we have two re-entries, these being: Zhelatin and Netsky, back in the chart in fourth and fifth places respectively.

March's new entries, Virut and Cloner which came in to the chart in fifth and eighth places respectively have both dropped two places during April, falling to seventh and tenth respectively. New entry Hidrag completes April's top ten, coming into the top ten in ninth place.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of April] here. This clearly shows that April was slightly up on the December 2006 total and slightly down on the first two months of 2007. As shown in the figures for April, I still believe that the overall trend is still downwards and that we will see less malware being seeded via e-mail, although we may continue to see more malware being seeded via links in e-mails, rather than as attachments.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 253,158 at the end of April. That's a growth of 30,685 new malware strains and/or variants in the first third of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 92,000. Things have certainly speeded up during April!

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in April 2007.





Conclusions:
The current trend of using social-engineering, which has been widespread in January, February and March, has continued in April, as seen by the vast numbers of fake e-card notifications being trapped.

What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them, and if it doesn't it isn't their fault.

As mentioned elsewhere, it seems that the scammers are upping their game by creating fake sites for key crime-fighting organisations in the UK, such as the Metropolitan Police and the Secret Intelligence Service. I wonder how long it will be before the Interpol or FBI sites have 'bogus' copies created by the scammers?

Links:



Monday, 30 April 2007

March 2007 Malware Review

Just about managed to get this finished before the end of the month.

March has come and gone and already we have used up the first quarter of the year. However, some things don't change; it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with yet more mass-mailing malware, which many anti-virus firms were saying would be extinct by now, guess again! We have also seen an awful lot of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter. I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet, these systems are running on an aDSL link and are personal research projects that have been running for some time; WormCharmer 5 years, Malware Bayesian Filter 4 years.

In total I captured 638 samples during March, which have been catalogued as 38 distinct families and variants. In comparison during February I captured 894 samples which were catalogued as 43 distinct families/variants. As you can see the captures in March are significantly down from February's total.

During March I captured and submitted 1 brand new malware strain/variant [unknown to all or most AV companies at the time of submission].

The March statistics further consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During March I reported 58 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:


W32/Tenga.3666 [Frisk] had to settle for the runner-up position during March, as W32.Kasper.A [aka MyWife.D] forced its way to the top of the chart ousting February's pole sitter in the process by less than half a percentage point. Bear in mind that W32.Kasper.A wasn't even in the top ten in February, so it is a re-entry, which makes its position in March's chart even more incredible.

Mytob.J, which was the runner-up in February's chart and seriously threatening Tenga's hold on pole position, has slipped down the chart to sixth place.

The share-crawling worms, which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, fell on hard times in January and February, only managing to fill one place in the chart; the survivor was Tenga.3666. What a difference a month makes: the Opaserv.worm family, which completely failed to turn up in the chart in February, is back. Not just one or two, but four representatives are back in the top ten. These are variants ae, d, ac and ai, in fifth, seventh, ninth and tenth places respectively.

IRC.Zapchast has managed to climb up the chart from the final slot in January's chart, stealing fourth place in February and finally climbing one place to third in March's chart.

A new entry in March's chart [in 4th place] is Virus.Win32.Virut.a which is a bit of a throw-back, being a real 'virus', an appending one, as well as being a Bot. We also have another new entry, even though it is a real oldie [Pate.B in 8th place], as it has been around for a long time but never managed to get in to the top ten, until now.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] for March still has Mytob.c in seventh place which it managed to climb to in February, up from ninth in January.

Netsky.q has managed to climb back up to the runner-up spot in March, having fallen down the chart from second place in January to fourth in February. It is joined by three other family members, these being: Netsky.aa, which recovers its sixth place from the drop to tenth it suffered in February, Netsky.t, February's pole sitter slips back down to fourth and Netsky.b is a re-entry in at ninth place.

Bagle.gt continues its slow journey down the chart, slipping one place to third.

As seen in my own top 10 chart, the Zhelatin family which stormed the Kaspersky chart during February have disappeared from the top ten just as fast as they arrived.
We have three new entries in March's chart, these are: Bankfraud.ra straight in the chart in pole position, Warezov.jx in at fifth place, and to complete the top ten, we have Scano.gen a new entry in at eighth place and Mydoom.l which is a re-entry taking the final place; tenth spot.

Kaspersky had this to say about March's pole sitter:
"This month's leader, Trojan-Spy.HTML.Bankfraud.ra is also the result of recent virus epidemics. This Trojan is a typical phishing email, and millions of copies have been sent around the world. We've also noticed that this malicious program has been mass mailed several times. Bankfraud.ra was first detected on 27th February 2007, and in the space of a single month reached such a volume that this month it accounts for more than 30% of all malicious programs detected in mail traffic.
The Trojan targets clients of the Branch Banking and Trust Company (BB&T). It attempts to lure them to fake web sites registered by their undoubtedly malicious users in Croatia and the Cocos (Keeling) Islands."



In the SOPHOS chart we see a different pattern; Netsky.p has once more raised its game and stolen pole position once more in March. February's pole position sitter, HckPk, has completely dropped out of the top ten.

Here is some commentary on it from Sophos:
"Unwanted emails hiding copies of Netsky are still spreading like weeds in an untended garden, showing how well seeded these mass-mailing threats are," said Carole Theriault, senior security consultant at Sophos.

Zafi has dropped from February's fourth to sixth place in March. Meanwhile Nyxem.D [aka MyWife] has gained one place in March, up from ninth to eighth place.

Stratio has managed to claw its way back into the top ten, to seventh place, after falling out of the chart in February. Mytob has improved upon the third place it grabbed back in December 2006, and is up one place to be March's top ten runner-up.

Mydoom-O, which was a re-entry in November's top ten, climbs two places from sixth place to fourth, and November's new entry, W32/Sality.AA, has climbed another two places from fifth place to third in March's chart.

The last remaining member of the Bagle family, Bagle-qw crawls further up the chart from seventh to fifth place.

To complete this month's top ten we have Clagger.a which is down one place from ninth to eighth spot and a new entry DwnLdr.GFX in at tenth place.

SOPHOS also noted the following:
"It's frustrating to think that there are a bunch of new threats out there that are much more targeted and devious in their approach, yet how can we expect the average computer user to protect against them when the Netskys and Mytobs remain so rooted? Users need to roll up their sleeves and commit to keeping their PCs secure both for their sake and the sake of everyone else connected to the web."



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is not headed up by the September 2005 leader Tenga. This month a new 'pretender' has stolen its crown in March, so Tenga has had to make do with the runner-up spot once more. This 'pretender' is W32.Kasper [aka MyWife].

Mytob has dropped from third place in February's chart to sixth spot during March.

Zapchast which stormed up the chart from ninth to fifth place in February has managed to move up to fourth place in March. Opaserv has also climbed up the chart in March from sixth to the final step on the podium; third place.

February's new entries Parite [aka Pate] and Sality are static in seventh and up one place to ninth respectively. New entries include Virut and Cloner, in at fifth and eighth places respectively. Dupator completes March's top ten, in tenth.




If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period of 2005 - 2007 [up to the end of March] here. This clearly shows that March was slightly down on the December 2006 total and significantly down on the first two months of 2007. As shown in the March figures, I still believe that the overall trend is still downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 241,959 at the end of March. That's a growth of 19,486 new malware strains and/or variants in the first quarter of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just under 78,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in March 2007.




Conclusions:
The current trend of using social-engineering which has been widespread in January and February has continued in March, as seen by the IE7 'fake' download detailed elsewhere in this report.

The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them, and if it doesn't it isn't their fault.

Links:



Friday, 23 March 2007

February 2007 Malware Review

February has come and gone and although the months and seasons change, some things don't change, it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with more mass-mailing malware, which many anti-virus firms were saying would be extinct by now, guess again! We have also seen an awful lot of malware using social-engineering to get the victim to infect their computer without the need for the malware author to have to code routines to automate infection.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 4.5 years, Malware Bayesian Filter 3.5 years.

In total I captured 894 samples during February, which have been catalogued as 43 distinct families and variants. In comparison during January I captured 991 samples which were catalogued as 54 distinct families/variants. As you can see the captures in February are down slightly from January's total.

During February I captured and submitted 4 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As you can clearly see February's captures are up from December 2006, but fell slightly from January's haul. The February statistics consolidate my view that the general trend is still downwards. It seems that social-engineering is the technique of choice so far this year.

During February I reported 78 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] yet again retained the pole position during February. However, it has gained back some of the ground it lost in January; its percentage has increased from over 36 percent in January to over 42 percent in February. Once again, Tenga.3666 seems very intent in keeping pole position for itself, although it had very strong competition again during February, this time from Mytob.J.

Netsky.P [aka Netsky.q] has disappeared from the chart again in February after being the only representative of the family left in January's chart.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November 2006, have fallen on hard times in January and February only managing to fill one place in the chart, the survivor, yet again, is Tenga.3666 in pole. There are yet again no Opaserv.worm family representatives in the chart in February. IRC.Zapchast has managed to climb up the chart from the final slot in January's chart, up to fourth place.

It has been another bumper month for new entries, in January's chart we had seven new entries, in February's we have eight, these being: Five members of the Zhelatin [aka Nuwar] family [u, o, m, r and ab] in third, fifth, seventh, eighth and tenth respectively. Next up are two members of the Tibs family [kj and jr] in sixth and ninth places respectively. The final new entry is Mytob.J which has stormed into the chart in second place. All in all another very hectic month!

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see from the top 10 from Kaspersky [below], February has seen the Mytob family gain a little of the ground it lost in January. The only survivor of the Mytob clan is Mytob.c, bouncing up from ninth to seventh place in February.

Netsky.q has fallen down the chart from second place in January to fourth. It is joined by two other family members, these being: Netsky.aa, which drops all the way down to tenth, and Netsky.t, which is up from fourth and has stolen pole position from January's pole sitter, Bagle.gt, which slips down one place to second.

As seen in my own top 10 chart, the Zhelatin family have stormed the Kaspersky chart, accounting for four of the top ten spots. These are Zhelatin [dam, o, u and m] in third, fifth, eighth and ninth respectively. All of these are new entries.

Kaspersky had this to say about Zhelatin:

"During February we issued three virus alerts with a 'medium' threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants."

Finally we have another new entry, this being Warezov.ls in at sixth place.



In the SOPHOS chart we see a different pattern; Netsky.p has yet again consolidated its grip on second place in February. Pole position has been stolen by HckPk, which is sort of a new entry as it is a 'generic' label for malware that uses HckPk to obfuscate itself, such as Dorf and Dref.

Here is some commentary on it from Sophos:

"Hackers are increasingly using encryption and packer tools - such as those belonging to the HckPk family - to camouflage their malicious code. January's hardest-hitting worm, Dorf, plus the prevalent Dref mass-mailing worms are just two examples of the malware currently being hidden within HckPk programs. Sophos has also found that cybercriminals are constantly modifying their HckPk disguises in an attempt to bypass IT defences."

SOPHOS also noted the following:

"HckPk is a bit like Mr Potato Head - it uses disguises to bamboozle anti-virus protection into thinking the attachment is safe when, in reality, malicious code lies within," said Carole Theriault, senior security consultant at Sophos. "Today's most widespread threats, such as Dref and Dorf, use HckPk, so by blocking it, we zap the nasty threats lurking inside. Users need to check that their anti-virus protection can proactively detect against previously unseen malware, otherwise they could be next in a long line of victims."


Zafi.d has managed to climb up from fifth place in January's chart to fourth in February's. Meanwhile Nyxem.D [aka MyWife] has further consolidated its place in ninth.

The downloader variant of Stratio [StraDl] has managed to claw its way back into the top ten, to ninth, after falling out of the chart in January.

Mytob.C has further consolidated the third place it grabbed back in December 2006. Netsky [D] has disappeared from the top ten again. Mydoom-O, which was a re-entry in November's top ten, remains in sixth place in February's chart.

November's new entry, W32/Sality.AA, has climbed another two places from seventh to fifth place in February's chart.

The last remaining member of the Bagle family, Bagle-qw crawls back up the chart from eighth to seventh place.

To complete this month's top ten we have Clagger.i, which is a re-entry in tenth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is once more headed up by the September 2005 leader Tenga. This month the 'pretender' that stole its crown in January has had to make do with the runner-up spot. This 'pretender' is Zhelatin [aka Nuwar, Tibs]. Opaserv has once more slipped down the chart, from fifth to sixth spot during February. Netsky has managed to halt its slide down the chart and has consolidated its position in eighth.

Tibs has managed to grab fourth place, and we have Mytob which has stolen the final step of the podium, in third spot.

Zapchast has stormed up the chart from ninth to fifth place and Small is down from sixth to ninth.

New entries include Parite and Sality in at seventh and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of the period 2005 - 2007 [up to the end of February] here. This clearly shows that February was only slightly less busy than January, but still up on the December 2006 total. This jump can be attributed to the Tibs [aka Dorf, Nuwar, Zhelatin] mass-mailers which were widespread during February. Even allowing for this significant rise, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 233,084 at the end of February. That's a growth of 10,611 new malware strains and/or variants in the first two months of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just over 63,500.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in February 2007.


Conclusions:
The use of social-engineering has made life somewhat more troublesome during January and February than we have seen during most of 2006. This has been somewhat compounded by the event that happened on the 14th of February. The use of social engineering around that time was quite excessive, as indicated by the two articles listed above.

The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them and if it doesn't it isn't their fault.

Note: EICAR have informed me that the EICAR 2007 conference to be held in Budapest, Hungary between the 3rd and the 8th of May has been cancelled.

Links:


Monday, 19 February 2007

January 2007 Malware Review

Welcome to a new year, 2006 is no more, say hello to 2007.

It may well be a new year but some things don't change; it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with more mass-mailing malware, which many anti-virus firms were saying would be extinct by now, guess again!

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 4.5 years, Malware Bayesian Filter 3.5 years.

In total I captured 991 samples during January, which have been catalogued as 54 distinct families and variants. In comparison during December 2006 I captured 711 samples which were catalogued as 36 distinct families/variants. As you can see the captures in January are up from December 2006, but still down from the November 2006 high.

During January I captured and submitted 7 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As you can clearly see January's captures are up from December 2006, but still down from the relative high of November 2006. The January statistics show that the general trend is still downwards. The main reason for this downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware, although the so-called 'Storm-Worm' family is trying to keep it alive.

During January I reported over 300 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] yet again retained the pole position during January. However, it has lost even more ground; its percentage has decreased from over 48.5 percent in December to almost 36 percent in January. Once again, Tenga.3666 seems very intent in keeping pole position for itself, although it has had very strong competition during January.

Netsky.P [aka Netsky.q] is back again after it disappeared from the chart in December, however the other two members of the Netsky family [Netsky.d and c] which held up the family name during its absence have now departed leaving Netsky.p once more as the only representative of the family in the January chart.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November, have fallen on hard times in January only managing to fill one place in the chart, the survivor is Tenga.3666 in pole. There are no Opaserv.worm family representatives in the chart in January. IRC.Zapchast has managed to hang on to the final slot in January's chart, down from the fifth spot it captured in December 2006.

We have seven new entries in January's chart, these being: Three members of the Zhelatin [aka Nuwar] family [a, h and k] in second, third and sixth respectively. Next up is Banwarum.I [aka Tibs] in fourth place, which is followed in fifth by a new Downloader [AYDY]. In seventh we have a new member of the Small family [ciw] followed by Lager.dp in eighth. All in all a very hectic month!

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] January has seen the Mytob family lose more ground, down from its modest comeback in November grabbing two places then, to just one in December. The only survivor of the Mytob clan is Mytob.c down from seventh place to ninth in January.

Netsky.q has managed to climb up from fifth spot in December to second place in January. It is joined by three other family members, these being: Netsky.aa, in third [up from eighth], Netsky.t in fourth [same as in December] and Netsky.b, which is a new entry in seventh place.

One of the Bagle family [Bagle.gt] has managed to claw its way to the top of the chart [up from sixth], stealing pole. Another member of the family is in fifth place [Bagle.gen] which is a re-entry.

We have two members of the Small family in January's chart, these are: Small.dam which caused some confusion as many thought that this was a damaged variant, not variant dam, and Small.ciw; both are new entries.

Finally we have Mydoom.l bringing up the rear in tenth place which is also a re-entry.



In the SOPHOS chart we see a different pattern; Netsky.p has further consolidated its grip on second place in January. Pole position has been stolen by Dorf-fam [aka Small, Tibs, Zhelatin and Nuwar], which was a new entry in December's chart; in January's chart it accounts for 46 percent of the pie. Here is some commentary on it from Sophos:

"Spammed out with hard-hitting headlines and the promise of exclusive news content, the Dorf malware, or 'Storm Trojan', moved at gale force speeds and battered inboxes worldwide in an attempt to compromise users' PCs," said Carole Theriault, senior security consultant at Sophos. "Though not a particularly sophisticated form of attack, preying upon public interest by using breaking news events is a tried and trusted trick. It has proven to be a remarkably effective method of fooling recipients into lowering their guard."

SOPHOS also noted the following:
"The proportion of infected email, while substantially higher than in December 2006, is still small at just one in 238 (0.42%)"

Zafi.d has managed to grab fifth place in January's chart and Nyxem.D [aka MyWife] has managed to halt the slide it suffered in December and consolidate its place in ninth.

Stratiozip [aka Warezov] has consolidated its fourth place. The downloader variant of Stratio has fallen out of the top ten in January.

Mytob.C has consolidated the third place it grabbed in December. Netsky [D] has disappeared from the top ten again. Mydoom-O, which made a re-entry in November's top ten, has managed to climb from seventh place in December to sixth in January.

November's new entry, W32/Sality.AA, has climbed one more place from eighth to seventh place in January's chart.

The last remaining member of the Bagle family, Bagle-qw slips down the chart from fifth to eighth.

To complete this month's top ten we have Wukill which was a new entry in December's chart, static in tenth.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month, surprisingly, the table is not headed up by the September 2005 leader Tenga. This month its crown has been stolen by Zhelatin [aka Nuwar, Tibs], forcing Tenga to settle for the runner-up slot. Opaserv has managed to claw its way back up the chart, after its fall from grace in December, from sixth spot up to fifth. Netsky has had a bad month, falling from fourth down to eighth.

It has been a good month for Downloader which recovered from its fall in December, down to tenth place, grabbing the final step of the podium, in third.

Zapchast moves up one spot from tenth place to ninth.

New entries include Banwarum, Small, Lager and Tiny, in at fourth, sixth, seventh and tenth places respectively.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 - 2007 [up to the end of January] here. This clearly shows that January was significantly up on December's figure. This jump can be attributed to the Tibs [aka Dorf, Nuwar, Zhelatin] mass-mailers which were widespread during January. Even allowing for this significant rise, I still believe that the overall trend is downwards and that we will see less malware being seeded via e-mail.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2007, it grew from 222,473 [as at the end of 2006] to 226,207 at the end of January. That's a growth of 3,734 new malware strains and/or variants in the first month of 2007. If I extrapolate this my guesstimate for the growth in malware in 2007 would be just short of 45,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in January 2007.



Conclusions:
Malware [via e-mail] bucked the trend and rose significantly during January, mainly due to the so-called 'Storm-worm' gang.
The re-emergence of mass-mailing malware has caught many anti-virus vendors off-guard, especially as many of them had claimed that mass-mailing malware was almost extinct. What I find more worrying is how successful these new ones have been because of the use of social engineering. This clearly shows that 'typical-users' are still the weakest link in security. Many are still using anti-virus tools as a sort of authorisation/access-control tool and taking risks opening attachments they know they shouldn't, because they believe that the technology in place will save them and if it doesn't it isn't their fault.

Links:


Tuesday, 23 January 2007

December 2006 Malware Review

Here you go, the final Monthly Malware Review for 2006...

Not only has December come and gone, but also 2006 has run its course. However some things don't change, it has been another very busy month for me. On the malware and related security threats front it has been an interesting month with the re-appearance of mass-mailing malware, somewhat of a rarity in 2006, but more on that later.

Like previous months, I will cover some statistics from my own sensors and compare those against those from a couple of major anti-virus companies, and finally I will cover new and interesting things that occurred during the month.

I have created some graphs and performed some trend analysis from the raw data from my WormCharmer and Bayesian filter.

I have included four sources of information for the graphs and pie-charts, these are:

  • Kaspersky

  • SOPHOS

  • WormCharmer

  • Malware Bayesian Filter

The last two are my own projects and all data is from the Internet; these systems are running on an ADSL link and are personal research projects that have been running for some time: WormCharmer 4 years, Malware Bayesian Filter 3 years.

In total I captured 711 samples during December, which have been catalogued as 36 distinct families and variants. In comparison during November I captured 1280 samples which were catalogued as 51 distinct families/variants. As you can see the captures in December are down from November's high.

During December I captured and submitted 2 brand new malware strains/variants [unknown to all or most AV companies at the time of submission].

As you can clearly see December was significantly down from the relative high of November. The December statistics show that the general trend is still downwards. The main reason for this downward trend is that the malware authors are using other methods to initially seed their offspring, such as Instant Messaging and e-mail using links instead of attachments, and where attachments are used these tend to be droppers or downloaders which are crafted to evade anti-virus tools. This trend which started as a trickle at the start of the year is now a torrent. This means that real e-mail worms which use attachments are fast becoming an endangered species of malware.

During December I reported over 500 new Phishing sites which are now included in the Netcraft phishing site database used by the Netcraft anti-phishing toolbar which I blogged about some time ago.

The first pie chart below shows the Top 10 distinct malware by percentage. Let us look at this in more detail:



W32/Tenga.3666 [Frisk] yet again retained the pole position during December. However, it has lost ground once more, as we also saw in October; its percentage has decreased from over 75 percent in November to just over 48.5 percent in December. Once again, Tenga.3666 seems very intent in keeping pole position for itself, although it has had stiff competition during December.

Netsky.P [aka Netsky.q] has disappeared from the chart in December; however, two other members of the Netsky family are present: Netsky.d, which came into November's chart in seventh place and has risen to third place, and Netsky.c, which enters the top ten taking the seventh place held by Netsky.d in November.

The share-crawling worms which suffered a decrease in their numbers from seven of the ten slots in August to just four in September, October and November, have managed to retain the four places again in December. The four are: Tenga.3666 in pole, Opaserv.worm.ae in sixth [up from eighth], Opaserv.worm.ai in eighth [up from ninth] and Opaserv.worm.d [a re-entry] in ninth.

IRC.Zapchast is back in the top ten in December, in fifth spot.

We have just two new entries in December's chart, these being Win32.Tibs.jy, straight in to the chart in second place and Sality.AD in fourth place.

Warezov fared badly in December, down from three variants in the top ten in November to just one, Warezov.fh being the only survivor of its family, just hanging on in tenth.

If you compare the above to the data from Kaspersky and also the data from SOPHOS you may see some marked differences. Why? Well, simply my sample capture systems collect data from multiple 'vectors' and combine the data, so I tend to get a more rounded picture of what is really running round the Internet in the way of net nasties.

As you can see the top 10 from Kaspersky [below] December has seen the Mytob family lose more ground, down from its modest comeback in November grabbing two places then, to just one in December. The only survivor of the Mytob clan is Mytob.c in seventh place.

In November Netsky.q slipped down to seventh, but managed to climb up two places to fifth spot in December. It is joined by two other family members, these being: Netsky.t, in fourth [same as in November] and Netsky.aa in eighth place up from ninth.

Pole position in December has been stormed by Warezov.fb [a new entry], with November's pole position sitter, Warezov.gj, falling out of the top ten. However, we have two new members of the Warezov family in second [Warezov.dn] and third place [Warezov.hb], making it a clean sweep of the top three spots for Warezov.

Scano.gen has dropped down the chart from fifth to tenth allowing Zafi.b to move up one place to ninth.

One of the Bagle family [Bagle.gt] has managed to claw its way back in to the top ten, after November's failure to make an appearance at all in the top ten.



In the SOPHOS chart we see a different pattern; Netsky.p has consolidated its grip on second place in December. Pole position has been stolen by Dref-V [aka tibs.jy], which is a new entry in December's chart, just managing to squeeze in before the end of the month. Here is some commentary on it from Sophos:

"The Dref-V mass-mailing worm, which poses as a New Year e-card, was discovered on December 30, 2006, and by the following day accounted for 93.7% of infected emails."

Zafi.b has dropped down the chart in December from fourth to sixth. Nyxem.D [aka MyWife] has reversed direction and has fallen down the chart from sixth to ninth.

Stratiozip [aka Warezov] which was November's pole sitter has fallen down the chart to fourth place. The downloader variant of Stratio is in the tenth and final slot of December's top ten.

Only one member of the Mytob family has managed to stay in the top ten in December, this being Mytob.C, however, it has climbed back up from eighth to third place. Netsky [D] has disappeared from the top ten again. Mydoom-O which made a re-entry in November's top ten remains static in seventh place in December.

November's new entry, W32/Sality.AA is now up one place from ninth to eighth place.

To complete this month's top ten we have W32.Bagle-Zip which was a new entry in June's chart, dropping down the chart from third place to fifth spot.



The final pie chart below shows the Top 10 malware families trapped by percentage. As you can see this includes not only mass-mailers but also share-crawling worms and bots. This month the table is headed up once more by the September 2005 leader Tenga, which has dropped back from its high of over 75 percent of the November pie to just over 48.5 percent in December. Mytob has reappeared again after dropping out of November's chart; it is back in eighth place. Opaserv has lost the second place which it gained in November, dropping down to sixth spot. Netsky has further consolidated its hold on fourth. Dupator is up one place from seventh to sixth place.

Warezov jumps from fifth place up to third in November's chart and is making its presence felt as part of the reason for the massive increase in spam we are all seeing.

Bagle slips down the chart from sixth to seventh and Downloader slips from eighth to tenth place.

New entries include Tibs, Sality, Warezov, Zapchast and Small, in at second, third, fifth, seventh and ninth places respectively. IRC.Flood completes the chart, in tenth place.



If you wish to see the current top 10, then see my external website at http://arachnid.homeip.net. The data which feeds the WormCharmer stats is updated every 3 minutes 24 hours a day [barring power-cuts, internet connectivity issues or hardware faults].

Please feel free to ask questions if you need any clarification on the data, the setup or whatever.

Now, let's switch to a different method: The following graph shows the percentage of malware that I received and my Bayesian Filtering tool classified correctly. You can see the data for the whole of 2004, 2005 and 2006 [up to the end of December] here. This clearly shows that December was significantly up from November's relative low, this can be attributed to the Tibs.aj mass-mailer that we saw at the end of December. However, the overall trend is still downwards.



The raw statistics (both CSV and Graphed) can be found in the usual place on my site. If you feel you need access then please contact me to discuss.

If we look at the overall growth of malware in 2006, it grew from 168,807 [as at the end of December 2005] to 222,473 [as at the end of 2006]. That's a growth of 53,666 new malware strains and/or variants during 2006, just short of my guesstimate of 55,000.

What's New?
Instead of including commentary here about things I have already written about, I will offer links to other blog entries that may be of interest, topical, or cover some of the interesting occurrences in December 2006.



Conclusions:
Spam appeared to have recovered during December from the drop witnessed during November. 419s seem to have dropped unexpectedly, and we've seen Phishing scams recovering further from their fall in October. Malware [via e-mail] bucked the trend and rose during December, mainly due to Tibs. As shown above the scammers have been out in force during December; the 'Savechilds.net' example included in this report is just one of a number of similar scams deployed during December.

Spammers are still increasing their use of graphics-based spam, which is harder for anti-spam tools to identify without the use of OCR or other technologies. Not only are they moving to graphical spam, but to stop simple filtering based on hashing or check-summing of images, they are producing graphics that contain random micro-dots, colour maps and other graphical artefacts, such as geometric shapes and random borders. Looks like we are witnessing yet another arms-race, this time between the spammers and the spam fighting tools and community.
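To make the micro-dot point concrete, here is a small added example (my own illustration, not code from this blog or from any of the tools it mentions). It builds a constructed stand-in for a graphical spam as a 32x32 greyscale pixel grid, sprinkles a handful of random grey "micro-dots" over it, and then compares two ways a filter might recognise the image: a byte-level checksum of the pixel data, which changes as soon as a single pixel changes, and a toy block-mean perceptual hash, which tolerates the dots because it only records whether each 4x4 cell is darker than the image average. The image layouts, the dot count and the hash grid size are all my assumptions; the point generalises to any scheme that compares exact digests of attachment bytes.

```python
import hashlib
import random

WIDTH, HEIGHT = 32, 32  # constructed image size (assumption)


def make_spam_image():
    """Constructed stand-in for a graphical spam: a white canvas with two dark
    'text line' bands. Pixel values run from 0 (black) to 255 (white)."""
    img = [[255] * WIDTH for _ in range(HEIGHT)]
    for y in range(8, 12):
        for x in range(4, 28):
            img[y][x] = 0
    for y in range(18, 22):
        for x in range(4, 24):
            img[y][x] = 0
    return img


def make_other_image():
    """A genuinely different constructed layout (one vertical dark bar), used to
    check that the perceptual hash does not simply match everything."""
    img = [[255] * WIDTH for _ in range(HEIGHT)]
    for y in range(HEIGHT):
        for x in range(14, 18):
            img[y][x] = 0
    return img


def add_micro_dots(img, count=6, seed=0):
    """Return a copy with `count` randomly placed grey pixels: the kind of tiny
    artefact that defeats any filter comparing exact checksums of the bytes."""
    rng = random.Random(seed)  # seeded so the result is reproducible
    out = [row[:] for row in img]
    for _ in range(count):
        x, y = rng.randrange(WIDTH), rng.randrange(HEIGHT)
        out[y][x] = 128
    return out


def exact_hash(img):
    """Byte-level digest of the pixel data, i.e. what a naive 'block this image'
    rule keyed on a checksum would compare."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def block_mean_hash(img, grid=8):
    """Toy perceptual hash: split the image into grid x grid cells and emit a 1
    bit for every cell whose mean brightness is below the whole-image mean.
    A few stray pixels barely move a cell's mean, so the bits stay put."""
    mean = sum(sum(row) for row in img) / (WIDTH * HEIGHT)
    cell_w, cell_h = WIDTH // grid, HEIGHT // grid
    bits = []
    for gy in range(grid):
        for gx in range(grid):
            cell = [img[y][x]
                    for y in range(gy * cell_h, (gy + 1) * cell_h)
                    for x in range(gx * cell_w, (gx + 1) * cell_w)]
            bits.append(1 if sum(cell) / len(cell) < mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two perceptual hashes."""
    return sum(x != y for x, y in zip(a, b))


def same_image(a, b, max_distance=4):
    """Perceptual match: treat two images as the same if their block-mean hashes
    differ in at most `max_distance` of the 64 bits (threshold is an assumption)."""
    return hamming(block_mean_hash(a), block_mean_hash(b)) <= max_distance


if __name__ == "__main__":
    original = make_spam_image()
    dotted = add_micro_dots(original)
    print("exact digest still matches:", exact_hash(original) == exact_hash(dotted))
    print("perceptual distance to dotted copy:",
          hamming(block_mean_hash(original), block_mean_hash(dotted)))
    print("perceptual distance to different layout:",
          hamming(block_mean_hash(original), block_mean_hash(make_other_image())))
```

Running it shows the checksum comparison failing on the dotted copy while the block-mean hash still reports distance 0, and a distance of 20 bits to the unrelated layout, which is why an image-spam filter has to key on structure rather than exact bytes. A production filter would use a proper perceptual hash and tune the match threshold against real mail, but the failure mode of exact checksums is the same.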

Links:
