Virus Top Twenty for August 2005

Sep 01 2005   |   comment

Alexander Gostev
Aleks has headed the Global Research and Analysis Team at Kaspersky Lab since 2008, and specializes in all aspects of information security, including mobile malware. His responsibilities include detecting and analyzing new malware. His research and analytical articles are published both on dedicated IT sites and in the mass media. He has been with the company since 2002, and is based in Moscow.

Position  Change in position  Name                          Percentage
 1.       +1                  Net-Worm.Win32.Mytob.c        16.28
 2.       -1                  Email-Worm.Win32.NetSky.q     11.38
 3.       no change           Email-Worm.Win32.Zafi.b        8.49
 4.       no change           Email-Worm.Win32.Zafi.d        5.98
 5.       +1                  Net-Worm.Win32.Mytob.bk        4.45
 6.       +3                  Email-Worm.Win32.NetSky.b      3.79
 7.       no change           Email-Worm.Win32.NetSky.aa     3.51
 8.       +7                  Email-Worm.Win32.LovGate.w     3.38
 9.       -4                  Net-Worm.Win32.Mytob.be        3.37
10.       no change           Net-Worm.Win32.Mytob.bi        2.72
11.       +5                  Net-Worm.Win32.Mytob.q         2.60
12.       +5                  Net-Worm.Win32.Mytob.t         2.22
13.       new                 Net-Worm.Win32.Mytob.h         2.04
14.       -1                  Net-Worm.Win32.Mytob.u         1.68
15.       return              Email-Worm.Win32.NetSky.t      1.52
16.       -5                  Net-Worm.Win32.Mytob.au        1.51
17.       -9                  Net-Worm.Win32.Mytob.bt        1.25
18.       return              Net-Worm.Win32.Mytob.r         1.17
19.       new                 Net-Worm.Win32.Mytob.a         1.15
20.       new                 Net-Worm.Win32.Mytob.bw        1.15
          Other malicious programs                          20.36

Cyberwars are visibly affecting our ratings. These days, cyberwars occur fairly regularly on the Internet. Some cyberwars are caused by competing groups of virus writers trying to remove malware written by other groups from infected machines: each group is striving to be the sole owner of any given zombie. And sometimes these groups hack each others' sites or hackers from one country try to break into government servers in another country.

NetSky.q and Mytob.c have been fighting for first place in our ratings for several months now. These worms are very different: they exploit different vulnerabilities and were created a year apart. NetSky.q was fighting for supremacy against the Mydoom and Bagle versions, and judging by the results, NetSky seems to have won that war. A year later came Mytob, based on the source code of the very first Mydoom. Mytob is following the trail blazed by NetSky and is NetSky.q's main competitor. We are witnessing an ongoing struggle between these two families, with 13 versions of Mytob and 4 versions of NetSky in the rankings. Although it seems that Mytob is gaining the upper hand, a closer look shows otherwise: with 4 Mytobs and 3 NetSkys in the top 10, neither worm is totally dominant.

July saw an offensive launched by the older worms (Bagle, Mydoom and Zafi), but the momentum was lost in August, with the Bagle and Mydoom versions disappearing completely from the ratings. The two Zafi versions did retain their previous positions, but time will tell whether they will be able to maintain them. In the meantime, Mytob recovered its leading position, with 3 new versions entering the ratings.

Interestingly enough, one of the newcomers to the ratings is Mytob.a. In spite of the success of its offspring, this original version had never previously entered the ratings. This may be because the original version probably wasn't spread using spammer techniques; instead, Mytob.a infected a small number of machines and has been spreading slowly but steadily. This is not a new strategy: LovGate.w, now in 8th place, has climbed 7 places after dropping to 15th place in July, a fall which led us to predict that this worm was on its way out.

Mytob.h is another surprising entrant. It was first detected back on March 25th and, like Mytob.a, was not very active on a global scale. And suddenly we have this version in 13th place. In this case, we believe that packers played the key role in this change. Originally, Mytob.h was double-packed using Morphine and MEW. This time the worm was packed using Upack, UPX and FSG, so 3 purportedly new versions appeared on the Internet. All three of these repacked versions are detected as Mytob.h.
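The repacking point above is worth a worked illustration, because it explains how one worm can show up as three "new" files and still count as a single version in a ranking. The following Python is an added example, not code from Viruslist.com or Kaspersky Lab. It uses zlib, lzma and bz2 compression behind constructed headers as stand-ins for real packers (Morphine, MEW, Upack, UPX and FSG work very differently) and a constructed byte string in place of a worm body. It shows why a hash-only check treats every repack as a new file, and why a scanner that peels the packer layers off before matching a family signature reports all of them as the same version, the double-packed sample included.

```python
import bz2
import hashlib
import lzma
import zlib

# Constructed stand-in for a worm body: not malware, just a recognisable marker
# followed by filler bytes so that compression has something to work on.
SAMPLE_BODY = b"DEMO-WORM-BODY:" + bytes(range(256)) * 4

# Family signature looked up in the *unpacked* body (constructed name and pattern).
SIGNATURES = {
    "Demo.Family.h": b"DEMO-WORM-BODY:",
}

# Stand-in "packers": each wraps the payload in a distinct header plus a different
# compression. Real packers are far more involved; the only point demonstrated is
# that the outer bytes change while the inner payload does not.
PACKERS = {
    "ZLIB-PACK": lambda data: b"ZLIB-PACK\x00" + zlib.compress(data),
    "LZMA-PACK": lambda data: b"LZMA-PACK\x00" + lzma.compress(data),
    "BZ2-PACK": lambda data: b"BZ2-PACK\x00" + bz2.compress(data),
}

# Header -> routine that restores the payload (the scanner's "unpacker" table).
UNPACKERS = {
    b"ZLIB-PACK\x00": zlib.decompress,
    b"LZMA-PACK\x00": lzma.decompress,
    b"BZ2-PACK\x00": bz2.decompress,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify_packer(data: bytes):
    """Return (packer_name, payload) if a known packer header is present, else (None, data)."""
    for magic, unpack in UNPACKERS.items():
        if data.startswith(magic):
            return magic.rstrip(b"\x00").decode(), unpack(data[len(magic):])
    return None, data


def unpack_recursively(data: bytes, max_layers: int = 4):
    """Strip nested packer layers (outermost first) and return (layers, inner_body)."""
    layers = []
    for _ in range(max_layers):  # bounded so a malformed file cannot loop forever
        packer, inner = identify_packer(data)
        if packer is None:
            break
        layers.append(packer)
        data = inner
    return layers, data


def match_signature(data: bytes):
    """Family name if any signature pattern occurs in the data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_hash_only(sample: bytes, known_hashes: set) -> bool:
    """Naive detection: the file is 'known' only if its exact hash is on the list."""
    return sha256_hex(sample) in known_hashes


def scan_with_unpacking(sample: bytes):
    """Family-aware detection: unpack first, then match the signature on the body."""
    layers, body = unpack_recursively(sample)
    return match_signature(body), layers


def build_samples():
    """Constructed sample set: original, three single repacks and one double pack."""
    samples = {"original": SAMPLE_BODY}
    for name, pack in PACKERS.items():
        samples[name] = pack(SAMPLE_BODY)
    samples["LZMA-PACK+ZLIB-PACK"] = PACKERS["ZLIB-PACK"](PACKERS["LZMA-PACK"](SAMPLE_BODY))
    return samples


def compare_detection():
    """Run both scanners over every sample; only the original body's hash is 'known'."""
    known_hashes = {sha256_hex(SAMPLE_BODY)}
    results = {}
    for label, data in build_samples().items():
        family, layers = scan_with_unpacking(data)
        results[label] = {
            "sha256": sha256_hex(data),
            "hash_match": scan_hash_only(data, known_hashes),
            "family": family,
            "layers": layers,
        }
    return results


if __name__ == "__main__":
    for label, r in compare_detection().items():
        print(f"{label:20} hash={r['sha256'][:12]} hash_match={r['hash_match']!s:5} "
              f"family={r['family']} layers={r['layers']}")
```

Run stand-alone, the script prints five distinct hashes, a hash match for the original only, and the same family name for all five samples. The bounded layer count in unpack_recursively is the detail worth keeping in a real scanner: a double-packed sample like the Morphine-plus-MEW case needs more than one pass, but an unbounded loop on a crafted file is its own failure mode.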

The case of the so-called Zotob is also worth some attention. We do not call these worms Zotob, because other antivirus vendors have used this name to identify a range of worms and bots, some of which are not even related. After in-depth analysis, Kaspersky Lab has classified the Zotob worms as new versions of Mytob, with the following correspondences: Zotob.a is Mytob.cg, Zotob.b is Mytob.cf, and Zotob.c is Mytob.ch. Only versions .ch and .cg are capable of replicating via email, while version .cf spreads by exploiting the MS05-039 vulnerability.

The presumed author of the latest Mytob worms has been arrested in Morocco. He was allegedly working with a partner in Turkey, who has also been arrested. The division of labor between the two suspects was clear: one person wrote the viruses, the second concentrated on distributing them. There were numerous media reports that the Zotob-Mytob worm caused virus outbreaks at ABC and CNN. We believe that these outbreaks were caused by the Bozori worms, which also exploit the MS05-039 vulnerability.

It's unclear whether we would have seen any of these worms in the Top Twenty if they had replicated via email. Even though Mytob.cg and .ch do have this ability, they weren't even in the top 40 viruses spreading via email this August.

This month other malware made up slightly more than 20% of all malicious programs intercepted. This demonstrates that there is a significant number of other worms and Trojans currently active.

Summary:

New:        Mytob.h, Mytob.a, Mytob.bw
Returned:   NetSky.t, Mytob.r
Moved up:   Mytob.c, Mytob.bk, NetSky.b, LovGate.w, Mytob.q, Mytob.t
Moved down: NetSky.q, Mytob.be, Mytob.u, Mytob.au, Mytob.bt
No change:  Zafi.b, Zafi.d, NetSky.aa, Mytob.bi

Source: Kaspersky Lab
Copyright © 1996 - 2010
Kaspersky Lab