Sophos identifies new trends in viruses and spam
Sophos, a world leader in protecting businesses against spam and
viruses, has revealed that the Sobig-F worm has accounted for
almost a fifth of all reports to Sophos during 2003, making it the
hardest hitting virus of the year. The mass-mailing Sobig-F worm
shrugged off stiff competition for the top spot from the infamous
Blaster worm, which attempted to knock a Microsoft website off the
internet. Both these viruses - plus the third-placed Nachi worm -
hit businesses and home users during August 2003, making it the
worst single month in virus history.
The top ten viruses of the year are as follows:
"Sobig-F unquestionably wins the dubious title of 'Worm of the
year'. It spread more ferociously than any virus ever seen before,
swamping email inboxes. Some companies reported seeing hundreds of
thousands of infected emails every day," said Graham Cluley, senior
technology consultant for Sophos. "Throughout the year, in the
run-up to Sobig-F, the worm's author released new variants of Sobig
almost as if he were seeing which techniques would be the most
"Ironically some of the people worst impacted by Sobig-F were
the spammers. They found that they could not send their millions of
spams as easily because their email gateways were deluged by Sobig
traffic. Microsoft has issued a substantial financial reward for
evidence leading to the arrest and conviction of Sobig's author,
but we seem to be no closer to identifying him or her," continued
Blaster, the year's second most prevalent worm, did not use
email to distribute itself, but spread like wildfire across the
internet, exploiting - to Microsoft's embarrassment - a critical
security hole in versions of Windows. Containing a mocking message
for Microsoft's chairman Bill Gates, it attempted to blast one of
Microsoft's websites off the internet, leading the industry giant
to take evasive action. Ironically, the third placed Nachi worm
tried to undo the damage done to computers infected by the Blaster
worm; in reality it only added to the chaos. Both Blaster and Nachi
continue to infect unprotected computers four months later.
Sophos has detected 7,064 new viruses, worms and Trojan horses
to date this year, bringing the total protected against to more
Many other virus and spam developments have taken place during
2003. Sophos predicts that the following trends will continue to
affect users well into the future:
Spammers find new tricks; disparate legislative approach is a
Spammers have been adopting complicated techniques to get their
messages through scanners, including mixing innocent and bad text
and using invalid HTML code or random characters to break up spammy
words. New adaptive filtering techniques are combating the problem,
and companies are increasingly looking for a consolidated solution
which protects against both spam and viruses.
Comprehensive international legislation is needed to discourage
those companies considering spam email marketing. Whilst the EU is
introducing tough 'opt in' spam legislation, the US House of
Representatives' new anti-spam law is comparatively lax, placing
the responsibility on the recipient to 'opt out' and allowing much
commercial spam to continue largely unaffected. This has wide
reaching consequences on UK businesses as most of the world's spam
originates in the USA.
Continued dominance of Windows 32 viruses in 2003
All of the 2003 top ten viruses are Windows 32 viruses. These
only affect Microsoft users, using email or the internet to spread.
Motivated by the thought of getting their code to spread as far and
wide as possible, virus writers are likely to continue targeting
the ubiquitous Microsoft in 2004 and beyond.
More backdoor Trojan horses and RATs detected
Sophos has seen a significant rise in the number of Backdoor
Trojans, which open up holes in operating systems enabling hackers
to implant Remote Access Tools (RATs). These RATs enable hackers to
take remote control of the infected PC. The most prevalent Trojans
of 2003 included Graybird, which posed as a patch for a security
hole in Microsoft Windows, and Sysbug, which was spammed to
thousands of users posing as smutty photographs of an erotic
Evidence that spammers and virus writers are working in
2003 saw growing evidence that spammers and virus authors are
joining forces, with the Mimail-E and Mimail-H worms using infected
computers as a launch pad from which to start denial of service
attacks on several anti-spam websites. Some Trojan horses,
including the new Regate-A and Dmomize-A Trojans, allow spammers to
take over third party computers belonging to innocent parties and
use them for sending spam without the users' knowledge.
Sophos estimates that 30 percent of the world's spam is sent
from compromised computers.
Money makes the worm go around: virus attempt to defraud
In 2003, virus writers recognised that there was money to be
made from their viral code, with several worms attempting to
extract financial information from infected users. The most
prolific of these was Mimail-J, a worm that disguised itself as a
message from the PayPal online payment website and duped users into
disclosing confidential credit card and PIN details.
Courts, law enforcement agencies treating cybercrime more
A number of high profile virus writer arrests peppered 2003,
with youths apprehended in the USA, UK, Spain, Italy and Romania.
Cybercrime is increasingly taking place across national boundaries,
and international law enforcement agencies have responded by
working together to bring virus writers and hackers to book.
Businesses got tough on virus writers too, with Microsoft offering
a reward fund of $5 million to encourage their capture.
Virus hoaxes continue to cause confusion
The JDBGMGR virus hoax - an email duping users into deleting a
legitimate file from their PCs - was, for the second year running,
the most widely reported hoax. Although not viral, hoaxes waste
bandwidth, clog up mail servers and confuse users, much in the same
way as true viruses. Users can find out more about hoaxes, and
how to implement an anti-hoax policy.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.