Virus writing on the up as average time to infection spirals down

July 01, 2005 Sophos Press Release

Sophos charts virus activity for first six months of 2005

Sophos, a world leader in protecting businesses against viruses and spam, has revealed results of its comprehensive research into the last six months of virus activity. In 2005 so far, Sophos has detected and protected against 7,944 new viruses - up 59% from the first six months of last year.

Alongside this substantial increase in virus writing, the average time to infection is falling rapidly: there is now a 50% chance that an unprotected, unpatched Windows PC will be infected by an internet worm within 12 minutes of going online.

For the first six months of 2005, the top ten viruses, as recorded by SophosLabs, are as follows, with the most frequently occurring virus at number one:

Position  Malware        Percentage of reports
1         W32/Zafi-D     25.3%
2         W32/Netsky-P   17.5%
3         W32/Sober-N    10.3%
4         W32/Zafi-B      4.7%
5         W32/Netsky-D    3.8%
6         W32/Mytob-BE    2.6%
7         W32/Netsky-Z    2.3%
8         W32/Mytob-AS    2.0%
9         W32/Netsky-B    1.9%
10        W32/Sober-K     1.7%
          Others         27.9%

The longstanding Zafi-D worm accounts for more than a quarter of all viruses reported to Sophos so far this year. Dominating the top of the monthly virus charts for the first four months, this Hungarian worm uses the guise of a Christmas greeting to trick users into opening its infected attachment.

"Most surprising is that Zafi-D managed to hang around long after the festive season and well into the Spring," said Graham Cluley, senior technology consultant at Sophos. "It's only in the last two months that Zafi-D has started to lose its stranglehold on the chart, but it's still a significant threat."

The bilingual Sober-N, which takes third place on the six-month chart having first emerged in May, stormed to the top of the virus chart last month, finally knocking Zafi-D from the top spot. Posing as tickets to the 2006 World Cup in Germany, Sober-N compromised thousands of PCs in 40 countries.

Sober-N waited silently in the background of infected PCs, before upgrading itself to a newer version in order to churn out German nationalistic spam from the compromised, 'zombie' computers.

"The Sober family of worms shows just how much damage can now be done through a zombie machine," said Cluley. "The combined effort of spammers, virus writers and their zombie armies is certainly a force to be reckoned with. Increasingly, legitimate organisations are being thrown into the firing line - finding themselves being identified as sources of spam."

"The threats are consolidating - it's becoming more blurred as to whether something is a spam, a spyware, a phish, or a virus problem. Businesses must ensure they are protected against all of these threats," continued Cluley. "Furthermore, it makes sense to source your security solution from a vendor who has expertise in all of these areas in-house - allowing nothing to slip through the net."

Another old-timer, Netsky-P, which was the hardest-hitting virus of 2004, has enjoyed an extremely long reign near the top of the virus chart so far in 2005. German teenager Sven Jaschan, who admitted writing the Netsky and Sasser worms more than a year ago, will face trial next week for computer sabotage, data manipulation and disruption of public systems.

"Even though Jaschan's worms continue to spread and cause problems for many computer users, he's likely to avoid a prison sentence because of his age," said Cluley. "When comparing a dumb teenager with other internet criminals who plot to steal millions of credit card details or bank account information from infected PCs, it's clear who should get the harsher sentences."

2005 has so far seen several highly publicised arrests relating to computer crime. In May, Israeli police managed to track down a London-based couple, who were arrested for writing malicious software that was used by Israeli companies to spy on their competitors. The previous month saw the arrest of a Cypriot man who spied on a 17-year-old girl via her webcam after infecting her PC with a Trojan horse. A similar scenario resulted in a Spanish student being fined.

Sophos has seen a threefold increase in the number of keylogging Trojans so far this year. Trojans are delivered to target organisations via email attachments or links to websites. They are often used by remote hackers to steal privileged information and, very often, to launch further attacks. In June, an NISCC (UK National Infrastructure Security Co-ordination Centre) investigation, which Sophos assisted with, found that nearly 300 UK government departments and businesses had been the subject of Trojan horse attacks.

"What we are witnessing is a stampede of new Trojan horses every day," said Cluley. "Although some familiar worms have a tight grip on the charts, the growth in Trojan horses is perhaps the most significant development in malware-writing. Trojans don't normally make the charts because they don't spread under their own steam, and are increasingly being used for targeted attacks designed to make money or steal information."

The prevalence of organised computer crime is higher than ever. The attempted breach at the Sumitomo Mitsui bank in London and the MasterCard hack are prime examples of the continued trend towards financially motivated computer crime.

Variants of the Mytob worm are also prevalent in the chart, at sixth and eighth places. More recent versions of the worm have adopted a new trick most commonly used by phishers: the email carries a faked web link that points to the malicious code rather than attaching it directly. Each new Mytob variant has been tweaked slightly differently, which indicates that the authors may be searching for the elements of their malicious code that will help them create a super worm. Sophos believes that it is unlikely that we have seen the last of this family of worms.

The total number of viruses protected against by Sophos now stands at 106,218.
