The month of malicious spam: Fraudsters step up their attempts to infect PC users

Sophos Press Release

Sophos announces top ten web and email borne threats for August 2007

Sophos, a world leader in IT security and control, has revealed the most prevalent malware threats causing problems for computer users around the world during August 2007.

The figures, compiled by Sophos's global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.

Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies, and pop music videos. People visiting the sites are running the risk of having their PCs infected by malicious code which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties.

The total number of infected webpages continues to grow, albeit at a slightly slower rate than the month before. During August, Sophos detected an average of 5,000 new infected webpages each day, compared to 6,000 in July.

There was also a sharp spike in spam activity in the middle of August due to one of the world's biggest ever single spam campaigns designed to manipulate stock prices.

Top ten web threats

The top ten list of web-based malware threats in August 2007 reads as follows:

Position Last
Malware Percentage of reports
1 1 Mal/Iframe
2 2 Mal/ObfJS
3 4 Troj/Decdec
4 5 Troj/Fujif
5 New Mal/EncPk
6 3 Troj/Psyme
7 8 Mal/Packer
8 New Troj/Pintadd
9 9= VBS/Redlof
10 9= Mal/Behav
Others 8.2%

Mal/Iframe and ObfJS have retained their positions at the top of the chart. Meanwhile, Decdec has crept up to third place, accounting for 14 percent of this month's web-based malware, up 11 percent on July.

"Cybercriminals are successfully using email and the web in co-ordination to infect innocent internet surfers," said Carole Theriault, senior security consultant at Sophos. "Home users and businesses alike need to take more steps to protect themselves from online threats, or risk being hit time and time again. It should be clear for everyone to see that businesses, web hosts and ISPs are failing to properly defend their websites. Fraudsters are continuing to find rich pickings on the internet, duping users into handing over their personal information."

Top malware-hosting countries

The top ten list of countries hosting malware-infected webpages in August 2007, reads as follows:

Position Last
Country Percentage of reports
1 1 China (inc. HK)
2 2 United States
3 3 Russia
4 4 Ukraine
5 8= Poland
6 5 Germany
7 Re-entry Netherlands
8 Re-entry Italy
9= 8= Canada
9= 7 United Kingdom
Others 7.8%

Whilst the top three countries hosting malware-infected webpages during August have remained unchanged from July, the percentage of malicious pages hosted by them has dropped by ten percent to 76.6 percent. The proportion of infected pages hosted by the Ukraine has more than doubled in the last month, and the Netherlands, Italy and Canada have all re-entered the chart.

"While more than three quarters of infected webpages are hosted in just three countries, that doesn't mean you only get hit if you visit websites based in those areas," explained Theriault. "Hackers are hijacking websites around the world to make them point to malware on sites based in China, the USA, and Russia. Cybercriminals don't discriminate when it comes to targeting the web - they're just out for all they can get."

Top ten email threats

The top ten list of email-based malware threats in August 2007 reads as follows:

Position Last
Malware Percentage of reports
1 1 W32/Netsky
2 3 W32/Zafi
3 2 W32/Mytob
4 New Troj/Pushdo
5 Re-entry Troj/Dloadr
6 5 W32/MyDoom
7 New Mal/Dropper
8 6= W32/Bagle
9 New W32/Sality
10 6= W32/Traxg
Others 7.1%

While the Pushdo Trojan horse has been around since March, it is a newcomer to the top ten, accounting for 10.8 percent of all email borne malware during August. Its rise is down to the fact that around four new variants of Pushdo are currently being spammed out every day, in a bid to try and bypass security systems.

"Most malware writers seem to be taking an extended holiday from spreading their malicious code via email attachments, and are using spam and the web instead to infect users," said Theriault. "Criminals are hard at work trying to slip past filters at the corporate gateway, and businesses must ensure that their security solutions are kept up-to-date to defend against new virus variants and new spam techniques before they can strike."

Top ten hoaxes and scams

During August, Sophos continued to see hoaxes and chainletters spreading between internet users via email. One new hoax, which took advantage of the growing popularity of social networking websites, warned that Facebook users who accepted a friend invitation from a user called Bum_tnoo7 would be opening themselves up to identity theft. Sophos does recommend that users of social networking websites take steps to protect their identities online but this particular warning is bogus.

The top ten list of email hoaxes and scams in August 2007 reads as follows:

Position Hoax Percentage of reports
1 Hotmail hoax
2 A virtual card for you
3 Olympic torch
4 Bonsai kitten
5 MySpace J_Neutron07 virus
6 Bill Gates fortune
7 Justice for Jamie
8 Heart attacks and warm water
9 Meninas da Playboy
10 Budweiser frogs screensaver
Others 47.8%

Sophos experts have compiled simple best practice guides to adopting a multi-layered defense. With blended threats, spam and phishing attacks on the rise it has never been more important to educate end users about how best to protect themselves.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at