The Insanity of Email and Malware

July 3, 2008 2:02 PM

We used to have one mail server that processed all our incoming email for the viruslab. It also served as our email honeypot.

I have written several other blog entries on the amount of email we process and concluded every time that it is insane. We do process an immense amount of email every day. Several log analysis products we tried simply gave up or gave wildly inaccurate results when they tried to process our email logs.

Due to the volume of email we had to upgrade our infrastructure. We currently have multiple email servers handling the viruslab email. One of the servers is dedicated to incoming malware samples, the rest to spam. The server managing the malware samples does see some spam, but it is probably a thousand times less than what the rest of the infrastructure is seeing.

To provide some scale: We process around 400,000 spam messages a day. What is surprising is that it only represents around 700 MB of email a day. So where did we get the 1 TB of email we processed last year? Did spam suddenly become smaller? The spam for this year may account for around 250 GB of mail if it stays at current levels.

My prediction for the amount of email we will process for this year is around 2 TB.

The difference is malware samples. We expect to receive 1.75 TB of samples this year by email. If you make the wild assumption that the average piece of malware is around 200 kB in size and that it is 40% larger as an email, then it would imply that we will receive and process around 6.7 million malware samples this year from email.

Did I mention that our definition files now list more than 1 million signatures? And as can be seen from my previous blog about useless statistics, the signatures only represent about half of what we detect. We have been and will keep on focusing very strongly on turning that 50% into 70% or better.

I even include pictures in this blog entry.

The first picture illustrates the number of emails processed by the original email server for the year. Look at the sudden drop in April. That is when we introduced the new infrastructure.

[Figure: Message Flow]

The second picture shows the total size of the messages being processed. Note how there is virtually no change even though the volume has decreased significantly.

[Figure: Message Size Flow]

W32/Trojan2.ASYX

June 28, 2008 4:04 PM

We saw significant numbers of W32/Trojan2.ASYX in our honeypot. We released definition files for it around an hour ago.

If you were using version 5.1.0 or later you would have been proactively protected against this outbreak. Customers using earlier versions of our scan engine would have had to wait for the release of the definition files. The wait was much less than one hour from the time we received the first sample.

This piece of malware was distributed by email using a variety of subjects like “Paris Hilton” or “Something Hot”.

The content of the text part of the email is also relatively consistent. It was something along the lines of:

Good afternoon[or day].

Wanted!
Do you look this film? Do you wanna see more?
Censored cadrs from it where James McAvoy [censored] Angelina Jolie!

Bye.[ or regards]

Comments in [] are my edits.

Firefox 3

June 18, 2008 9:09 PM

Yes, I fell for it, I downloaded and installed Firefox 3 and I have to admit to being impressed.

All my favorite cartoon sites still load, and they load faster than usual and the browser is more responsive whilst doing it.

My main machine at home is a Mac and I have to admit that the Mac version of Firefox 3 is just amazingly beautiful.

Well done Firefox team.

Department of Useless Statistics

May 30, 2008 5:05 PM

I have been making a very unscientific and impatient survey of our malware collection as seen by our latest 5.1.0 scanner.

What I basically did was to scan our samples with version 5.1.0 and sort the detections by name and type. This process is still running but here are some statistics that I collected 2 days ago when it had already categorized more than 2 million samples.

One of the interesting statistics that jumped out at me was that 50.7% of all samples categorized by this process were detected by “traditional” definitions. 49.3% of all the samples were detected heuristically using heuristic definitions. I think that is pretty impressive.

Other useless statistics: 94.7% of samples were Windows PE executables. Mobile malware was 0.00851%. Unix malware (including Mac OS X and Linux) was 0.15% of the samples.

5.2% of the samples were categorized as potentially unwanted applications. That includes Dialers and Adware.

What does this really say? Seeing that this process is incomplete and has very little scientific merit behind it, I would not put too much weight behind it.

But it does sound quite nice, does it not?
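The sorting step described above, breaking detection names of the form Platform/Family.Variant into their parts and computing the share of each platform and family, as an added illustration that is not the author's own tooling. The detection names are taken from this blog; the counts are constructed, and the name layout is assumed from those examples.

```python
from collections import Counter

# Constructed sample of detection names in the "Platform/Family.Variant" style
# used on this blog; the repetition counts are made up for illustration.
SAMPLE_DETECTIONS = [
    "W32/Trojan2.ASYX", "W32/Trojan2.ASYX", "W32/Trojan2.ASYX",
    "HTML/PayPhish.A", "HTML/PayPhish.A",
    "HTML/Bankphish.H",
    "HTML/IFrame",
    "EML/Phishing.A!Camelot",
]


def split_name(name):
    """Return (platform, family, variant) for a detection name.

    Assumed layout: 'Platform/Family.Variant', optionally followed by an
    engine-specific suffix introduced with '!' (e.g. '!Camelot'), which is
    dropped so the same family is not counted twice.
    """
    platform, _, rest = name.partition("/")
    rest = rest.split("!", 1)[0]
    family, _, variant = rest.partition(".")
    return platform, family, variant or None


def platform_shares(names):
    """Percentage of samples per platform prefix (W32, HTML, EML, ...)."""
    counts = Counter(split_name(n)[0] for n in names)
    total = sum(counts.values())
    return {p: round(100.0 * c / total, 2) for p, c in counts.items()}


def family_counts(names):
    """Number of samples per 'Platform/Family', ignoring the variant letter."""
    return Counter("/".join(split_name(n)[:2]) for n in names)


if __name__ == "__main__":
    for platform, pct in sorted(platform_shares(SAMPLE_DETECTIONS).items()):
        print(f"{platform:6s} {pct:6.2f}%")
    for family, count in family_counts(SAMPLE_DETECTIONS).most_common():
        print(f"{count:4d}  {family}")
```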

HTML/PayPhish.A

May 27, 2008 1:01 PM

This weekend I was quite amazed to see several thousand of these captured in our honeypot. You can see the statistics for the last 24 hours at our ThreatMatrix page.

I have previously posted about something similar: When is something malware and when is it SPAM?

This specific detection is for a PayPal phishing run, and there was obviously a massive one this weekend. What makes this very strange is that this specific signature is very old. It is very strange to see the same attack tried twice. We have seen just short of 5,000 emails of this nature in our email honeypot since Friday. If this was a PE executable it could have been classified as a rather major outbreak.

Other similar signatures that are also popping up in our statistics are: HTML/Bankphish.H, HTML/IFrame and EML/Phishing.A!Camelot.

We are seeing a very significant shift to more HTML or JavaScript based malware, and in some of our own internal statistics it is becoming as prevalent as some of our larger Windows PE malware families.

Most of these threats are targeted at the browser, but some are targeted at the email client. Most of them depend on social engineering. There is however no lack of attempts to also add browser based exploits to the list of techniques to deliver malware to the desktop without too much social engineering.

The computer security field is becoming more blurred by the hour. Two years ago I would have recommended a good anti-spam solution to deal with this type of issue. Now I am talking about a possible outbreak of a specific email… if that is even possible?

Is Vista more or less secure than Windows 2000?

May 20, 2008 12:12 PM

There was this post at ZDNet today: Microsoft blames users for Vista infections

This takes you to a blog entry from Microsoft.

Again there is something very quotable: The number of virus infections found by a virus vendor does not necessarily equal poor security. In many cases (though not all) it equals poor user behaviour. Why?

So in case you were wondering: All you users out there, it is now official, Microsoft said it, it is all your fault.

People that have read a few of my previous blog entries will probably know that I disagree with that.

My view of this issue: if you believe Wikipedia, then you will see the following statistics for the distribution of the two OSes:

Windows 2000: 3.2%

Windows Vista: 14.02%

So there are more than 4 times more Vista machines out there than Windows 2000 machines. The majority of Windows 2000 machines are most likely also servers or inside managed environments, while the majority of Vista machines are in the hands of home users. Let us all be surprised that there are more infected Vista machines than Windows 2000 machines.

But to get back to the statement by Microsoft. As I have repeatedly stated in the past, we cannot blame all users for not being security experts. It is not their job to be security experts. It is our job. By blaming the user we are not taking responsibility for our failures and/or limitations.

Yes, security is hard. Writing secure software that users will actually like and use is even harder, if not impossible. Take a classic example: Vista’s User Account Control feature. It is a security feature that will most likely be disabled by most people within a few weeks of getting Vista. Is that the user's fault for disabling something that irritates him, or the author's fault for writing something that irritating? Before somebody thinks I just like to jump on Microsoft and on Vista, I need to share my opinion about a similar feature in Mac OS X: it actually forces you to type in your user name and password and caches the credentials for the user for 5 minutes, but it never gives you a clear idea why you have to type in your credentials. At least Vista did that slightly better: it gives you a better idea of why the dialog is appearing, and it will pop up a dialog every single time.

I prefer to fault the author, as the user is just trying to get on with his life and do his job. That is a very important factor we have to keep in mind when we design and implement security mechanisms.

It is also obvious that security is a question of compromises. Traditional belief is that the perfectly secure computing environment is not usable and that a perfectly usable computing environment is not secure. Whether that is really true or not can be debated, but what we as security professionals have to do is to find the perfectly usable system that is also perfectly secure. It may be impossible, but we are not helping our cause by not taking responsibility and blaming our customers.

38 Charged in International Phishing Scheme

May 20, 2008 9:09 AM

I nearly did a dance in the office when I saw this. This makes me very happy. Hopefully we will see a lot more of this happening.

The quotable part for me is:

The two related cases marked the latest example of what the Justice Department describes as a growing worldwide threat posed by organized crime.

I feel like a prophet that has finally been vindicated. I am sure a lot of my colleagues in the security field feel the same way.

Malware is no longer about some kid sitting in his room writing a virus because he can, or because it is cool. It is about organized criminals that want to make money.

Amsterdam: Day 2

May 20, 2008 9:09 AM

Much, much later…

I should probably have posted this earlier. But I had a great day 2 in Amsterdam with some very good presentations. Congratulations to the organizers: A wonderful event. I will do my best to be there next year.

CARO Conference: Day 1

May 1, 2008 10:10 AM

The first day of the conference presentations is over, and what a day.

I enjoyed several very good and very technical presentations.

The only activity left for today is the official dinner. I think sleep will be optional today, but then we can debate whether sleep is an activity or not.

There were some papers on unpacking, either automated or by hand.
Tomorrow promises to be just as good as today.

Exploits in Proprietary File Formats

April 24, 2008 4:04 PM

One of the more frustrating experiences for me over the last year or two has been exploits, mostly in Microsoft Office documents.

Let me try to explain why it is frustrating. Most of the time the first time you hear about it is through some news story or some blog entry, just like this one. You don’t have access to a sample, and your customers immediately panic and want to be protected against that exploit and all others that may have existed in the past or will exist in the future.

I can understand people being concerned about exploits. You tend to trust companies like Microsoft that have produced software that has been used as a critical component of many businesses for many years. Microsoft has even started earning some of that trust, as they are probably the one OS company that takes security seriously. Whether they do it well or not is an opinion that is nearly impossible to comment on accurately.

What is specifically difficult about Microsoft Office exploits is the utter lack of information. You are working with a proprietary application using a proprietary file format that is in theory documented. The problem is that they can not document the format well enough to be of much use to people trying to understand the exploits.

What drives me to total distraction is that if Microsoft provides you with guidance on how to detect the exploit, it is mostly way too late to make your customers feel safe, and there have been several cases where, if we had followed the guidance, the problems caused by that would far outweigh the benefits derived from it.

What made me write this blog entry?

Well, we may have a new PowerPoint exploit that works perfectly in Microsoft Office 2003 and probably later versions. Microsoft Office 2000 does not recognize the document. It may drop a nice little downloader that is quite effective at hiding itself. We already detect it with our version 4 and 5 scan engines. Our new version 5.1.0 engine has some heuristic capability to detect these types of exploits.

PS: Did I mention that I may be traveling the next two weeks and nobody will be able to reach me?

PS2: Something even more helpful: it seems like a similar sample was submitted to the VirusTotal service by somebody else. (SHA1: 4F4AF9E009661468913D90ABD493CA2D671C582A)