05 Jul 2006

Sophos Security Report reveals Trojan domination in first half of 2006

Malware statistics suggest it is time for home users to switch to Macs

Sophos Security Threat Management Report Update

Sophos, a world leader in protecting businesses against computer threats, has published new research into the past six months of cybercrime.

The Sophos Security Threat Management Report - which can be downloaded here - was compiled by the experts at SophosLabs™, and reveals that while there has been a vast drop in the number of new viruses and worms being written, this has been over-compensated by increases in other types of malware, as cybercriminals turn their attention to stealing information and money.

Most interestingly, new Trojans now outweigh viruses and worms by 4:1, compared to 2:1 in the first half of 2005. In addition, the continued dominance of Windows-based threats has prompted Sophos to suggest that many home users should consider switching to Apple Macs, to shield themselves from the malware onslaught.

Findings show that the most widespread threat from January to date is the Sober-Z worm, which, at its peak, accounted for one in every thirteen emails. This worm's dominance is evidence of trends moving away from email virus attacks, since Sober-Z maintains a monopoly despite having stopped spreading on 6 January 2006. Further reinforcing this, only one in every 91 of all emails were viral so far this year, compared with one in every 35 for the same period in 2005.

The top ten list of malware reported at Sophos's global network of monitoring stations in the first six months of 2006 is as follows:

Position   Virus            Percentage of reports
1          W32/Sober-Z      22.4%
2          W32/Netsky-P     12.2%
3          W32/Zafi-B        8.9%
4          W32/Nyxem-D       5.9%
5          W32/Mytob-FO      3.3%
6          W32/Netsky-D      2.4%
7          W32/Mytob-BE      2.3%
8=         W32/Mytob-EX      2.2%
8=         W32/Mytob-AS      2.2%
10         W32/Bagle-Zip     1.9%
           Others           36.3%

All of the above malware works on Windows; none is capable of infecting Mac OS X.

In contrast to the drop in new worms and viruses, the overall level of malware continues to rise - indicating that spyware, Trojan horses and phishing are now the more favoured methods of attack for cyber criminals. In June 2005, the number of different pieces of malware protected against by Sophos stood at 140,118. A year later, by June 2006, Sophos was identifying and protecting against 180,292 different viruses, spyware, worms, Trojan horses and other malware, as well as adware and other potentially unwanted applications (PUAs). The vast majority of malware continues to be written for Windows, and while the first malware for Mac OS X was seen in February 2006, it has not spread in the wild and not heralded an avalanche of malicious code aimed at Macs.

"The continuing rise of malware will concern many - the criminals responsible are obviously making money from their code, otherwise they'd give up the game," said Graham Cluley, senior technology consultant at Sophos. "It's more vital than ever that all organizations use an integrated security solution to protect against intrusion, as well as blocking known and unknown malware. On top of this, hackers seem happy to primarily target Windows users and not spread their wings to other platforms. It seems likely that Macs will continue to be the safer place for computer users for some time to come - something that home users may wish to consider if they're deliberating about the next computer they should purchase."

82% of the new threats that Sophos protected against during the first six months of 2006 have been Trojan horses, which cannot spread by themselves and are typically targeted at particular groups of people - the lower-profile attack heightening the chances of tricking users into handing over money or information. However, Sophos's top ten chart of the most prevalent malware by family of threat shows that the Clagger family of Trojan horses has been spammed out so aggressively that it collectively accounts for the eighth most prevalent threat.

The top ten list of malware families reported at Sophos's global network of monitoring stations in the first six months of 2006 is as follows:

Position   Malware family   Percentage of reports
1          W32/Mytob        28.7%
2          W32/Sober        22.6%
3          W32/Netsky       19.0%
4          W32/Zafi          9.9%
5          W32/Nyxem         5.9%
6          W32/Bagle         4.3%
7          W32/MyDoom        3.3%
8          Troj/Clagger      1.3%
9          W32/Dolebot       1.1%
10         W32/Lovgate       0.8%
           Others            3.1%

Again, all of the above malware works on Microsoft Windows; none is capable of infecting the Apple Macintosh operating system.

Clagger Trojans have been distributed under the guise of emails from organisations that include Amazon and PayPal. February 2006 saw the first ever Trojan horse, Clagger-G, enter the monthly top ten malware chart, and the following month, Clagger-I burst in at sixth position.

"These Trojans had to be mass-spammed to millions of email addresses in order to enter the chart, and their prevalence shows that cyber criminals are continually repackaging their malicious code and using spam technology to generate illegitimate income," said Cluley. "However, most perpetrators now opt for smaller, strategically targeted attacks, which are more manageable and have better chances of tricking computer users."

2006 has also seen the introduction of a new kind of Trojan horse attack, whereby infected users can find their data and files kidnapped and held to ransom. Dubbed 'ransomware', these attacks typically blackmail users into paying to have their data restored or risk losing it altogether. Three recent examples are the Ransom-A, Zippo-A and Arhiveus-A Trojans - all of which caused havoc and panic for poorly protected computer users.

"Criminals are constantly finding new ways to get their hands on some easy cash and now they've stooped to blackmail," continued Cluley. "Given these filthy tactics, it's understandable that authorities are giving out increasingly harsh sentences for crimes of this nature."

In May 2006, the longest ever sentence was dealt out for spreading malware, when 21-year-old American, Jeanson James Ancheta, received a 57-month prison sentence for running a zombie network. The pending extradition of British hacker, Gary McKinnon, to the US is further evidence of authorities clamping down on cybercrime. McKinnon, who hacked into Pentagon and NASA computers, could face decades in jail and hefty fines. Almost every day of 2006 has seen stories break about arrests, trials and sentences relating to internet crime across the globe.

Sophos has made available free virus and security news RSS feeds, ensuring that internet users are always up-to-the-second with news about the latest viruses and security threats.

For more information about safe computing read Sophos's best practice advice.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.