
Stration/Warezov Virus: Agonizing Defeat for Anti-Virus Solutions

Commtouch Report: Malicious Code Transforms Rapidly to Evade Detection

Mountain View, Calif. -- November 13, 2006 -- Speeding across the Internet and transforming at an unprecedented pace, the email-borne Stration malware continues to evade detection by leading anti-virus solutions, reported Commtouch (Nasdaq: CTCH).

“Stration attacks in a multi-variant, multi-wave pattern that peaks on average every three days. By continuously changing from one form to the next, it slips past anti-virus engines before the vendors can develop new signatures or modify the heuristics,” said Haggai Carmon, Commtouch Vice President of Products, head of its Virus Outbreak Detection (VOD) Lab and author of the new Malware Outbreak Trend Report: Stration/Warezov. “To date, Commtouch has detected and blocked 636 distinct variants of the Stration virus, and at its peak, 185 distinct variants in a single day,” he continued.

Stration is so fast that it is pummeling anti-virus solutions based on signatures or heuristics. The top AV engines lag behind the variants, updating their signatures on average between three and 10 hours after the outbreak begins. During this time, several new variants have already appeared, leaving customers who rely solely on these traditional anti-virus solutions exposed to the threats for hours or even days.

Zero Hour™ AV Complements Traditional AV

Traditional AV solutions work by either applying heuristic filters or by writing signature updates for each new threat. Signatures and heuristics are typically designed to protect against a specific malware variant or group of variants, so once the malicious code changes, the race is on again. Pre-emptive AV solutions based on real-time outbreak detection complement traditional AV solutions by protecting in the initial hours of an outbreak before signatures become available.

“Malicious code like Stration moves at breakneck speed and can do massive damage in just one hour,” said Michael Osterman, Principal of Osterman Research, a messaging research firm. “To protect against email-borne viruses you must be able to detect outbreaks as they occur, in real time. As viruses get smarter and faster, every second counts.”

“Even the best AV engine leaves a window of vulnerability,” said Jae Roh, Product Line Manager at Mirapoint, a leading secure messaging appliance vendor. “For this reason we offer our customers email defense with both traditional signature-based AV and our pro-active ‘Rapid AV’ for Zero-Hour virus outbreak protection. In this way we are sure to protect our customers against new viruses and other forms of malicious code during the critical first hours of a virus outbreak.”

Commtouch Zero-Hour Virus Outbreak Protection detects and blocks email-borne malware outbreaks, like the multiple Stration variants, within moments of their appearance on the Internet. Leading messaging and AV vendors license Commtouch technology to complement traditional AV technologies.

Stration Background

Stration (also known as Stratio or Warezov) is still going strong two months after it was first distributed around the world as a massive email-borne malware attack. Once the active code infects a computer, it establishes contact with a website from which it downloads further malicious software. It then installs that malware, harvests email addresses from the infected computer and spams itself to more email users. Some have suggested that Stration may have been a significant factor in the recent spike in total spam worldwide. On November 6 Commtouch labs detected an all-time high of over 4.3 million distinct spam outbreak patterns in a single 24-hour period.

Detection of Stration is hampered by reliance on content-based technology that is fooled by the malware’s ability to randomly regenerate multiple characteristics of the carrier email. Thus far it has generated 814 (and counting) distinct subject lines and 23,954 file attachment names. Every characteristic is constantly changing: sender IP, sender name, message subject and body, and the malicious code itself.

Stration Data Summary (as of November 11, 2006)

Description: Multi-variant, multi-wave email-borne worm; each wave lasts several days

Status: in progress

Distinct variant count: 636

Distinct subject string count: 814

Sample subjects:
  error
  mail transaction failed
  status
  hello
  picture
  good day
  server report
  this must be seen by everyone.
  livan war real pictures.
  this is not shown on tv.

Distinct malware archive file count: 18,188

Sample archive file names:
  update-kb9953-x86.zip
  docs.zip
  test.zip
  data.zip
  body.zip
  document.zip
  message.zip
  picture2375.zip
  readme.zip
  text.zip

Distinct malware file name count: 23,954

Sample malware file names:
  update-kb9328-x86.exe
  docs.txt.exe
  text.log.scr
  readme.txt.scr
  test.elm.bat
  data.txt.cmd
  doc.log.cmd
  message.log.exe
  readme.log.cmd
  body.msg.cmd
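The sample names in the data summary share a shape a mail gateway can check for without any signature: a document-looking extension in front of the real executable one (docs.txt.exe, text.log.scr), Windows-update lookalike names (update-kb9328-x86.exe), executables wrapped in small ZIP archives, and a throwaway generic subject. The following Python attachment-policy check is an added example written for this page; it is not Commtouch's code and not taken from the report. It opens ZIP attachments in memory to read member names only, and scores a message from those findings. The extension sets, the score weights, the quarantine threshold and the sample messages are this example's own assumptions, constructed for illustration.

```python
import io
import re
import zipfile

# Extension sets derived from the sample names in the data summary above;
# the split into "executable" and "decoy" sets is this example's own assumption.
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd"}
DECOY_EXTS = {"txt", "log", "elm", "msg", "doc"}
ARCHIVE_EXTS = {"zip"}
# Windows-update lookalike names such as update-kb9953-x86.zip / update-kb9328-x86.exe.
FAKE_UPDATE_RE = re.compile(r"^update-kb\d+-x86\.(zip|exe)$")
# Generic subjects from the sample list; on their own they are harmless, so they only
# add weight once a suspicious attachment has already been found.
GENERIC_SUBJECTS = {"error", "mail transaction failed", "status", "hello",
                    "picture", "good day", "server report"}


def attachment_findings(name):
    """Return the reasons a single attachment name looks like a Stration carrier."""
    lower = name.lower()
    parts = lower.split(".")
    findings = []
    if len(parts) < 2:
        return findings
    if parts[-1] in EXECUTABLE_EXTS:
        findings.append("executable")
        # docs.txt.exe, text.log.scr: a document-looking extension hides the real one.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            findings.append("double-extension")
    if FAKE_UPDATE_RE.match(lower):
        findings.append("fake-update-name")
    return findings


def archive_findings(data):
    """Open a ZIP attachment in memory and check each member name; nothing is extracted."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                inner = attachment_findings(member)
                if inner:
                    findings.append((member, inner))
    except zipfile.BadZipFile:
        # An attachment that claims to be a ZIP but is not is itself worth a look.
        findings.append(("<unreadable>", ["bad-archive"]))
    return findings


def message_verdict(subject, attachments):
    """attachments is a list of (filename, bytes). Returns (verdict, score, details).

    Weights are an assumption of this example: 2 for a bare or double-extension
    executable, 1 for a fake-update name, 1 per suspicious archive member, and 1 for
    a generic subject once something suspicious has already been found.
    """
    score = 0
    details = []
    for name, data in attachments:
        for finding in attachment_findings(name):
            score += 2 if finding in ("executable", "double-extension") else 1
            details.append(f"{name}: {finding}")
        if name.lower().rsplit(".", 1)[-1] in ARCHIVE_EXTS:
            for member, inner in archive_findings(data):
                for finding in inner:
                    score += 1
                    details.append(f"{name}/{member}: {finding}")
    if score and subject.strip().lower() in GENERIC_SUBJECTS:
        score += 1
        details.append("generic subject paired with a suspicious attachment")
    return ("quarantine" if score >= 3 else "deliver"), score, details


def build_sample_archive(member_name):
    """Construct a harmless in-memory ZIP whose only member carries the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"constructed placeholder, not executable content")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample messages: two shaped like the Stration carriers, one benign.
    samples = [
        ("mail transaction failed", [("docs.zip", build_sample_archive("docs.txt.exe"))]),
        ("server report", [("update-kb9328-x86.exe", b"constructed placeholder")]),
        ("Q3 figures", [("report.pdf", b"%PDF-1.4 constructed placeholder")]),
    ]
    for subject, attachments in samples:
        verdict, score, details = message_verdict(subject, attachments)
        print(f"{subject!r}: {verdict} (score {score})")
        for line in details:
            print("   ", line)
```

A check like this is shape-based, so it catches the next variant's docs.txt.exe as readily as the last one's, but it is also blind to anything that breaks the shape; it belongs beside signature and heuristic AV rather than in place of them, which is the same complementary role the release describes for outbreak detection.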

Additional data – including statistics about leading AV engines -- is available in Commtouch’s Malware Outbreak Trends Report: Stration/Warezov, available from the Commtouch Virus Outbreak Detection Lab at http://www.commtouch.com/downloads/Stration-Warezov_MOTR.pdf.

About Commtouch

Commtouch Software Ltd. (NASDAQ: CTCH) is dedicated to protecting and preserving the integrity of the world's most important communications tool -- email. Commtouch has over 15 years of experience developing messaging software and is a global developer and provider of proprietary anti-spam, Zero-Hour virus protection and IP Reputation solutions. Using core technologies including RPD (Recurrent Pattern Detection™), the Commtouch Detection Center analyzes billions of email messages per month to identify new spam and malware outbreaks within minutes of their introduction into the Internet. Integrated by more than 50 OEM partners, Commtouch technology protects thousands of organizations, with over 50 million users in over 100 countries. Commtouch is headquartered in Netanya, Israel, and has a subsidiary in Mountain View, CA. For more information, see: www.commtouch.com, including the Commtouch online lab detailing spam statistics and charts.

Recurrent Pattern Detection, RPD and Zero-Hour are trademarks, and Commtouch is a registered trademark, of Commtouch Software Ltd. U.S. Patent No. 6,330,590 is owned by Commtouch.


Contact:

Rebecca Steinberg Herson
US: 650-864-2112
Int’l: +972-9-863-6877
rebeccah@commtouch.com