War Of The Worms: Netsky-P Tops This Year’s List
Sophos, a world leader in protecting businesses against viruses and spam, has released a report revealing the hardest hitting viruses of 2004. In a year which saw a 51.8% increase in the number of new viruses, the Netsky-P worm has accounted for almost a quarter of all virus incidents reported, making it the hardest hitting virus of 2004. The mass-mailing Netsky-P and Zafi-B worms have been battling it out for the top spot in the chart for most of the second half of the year, while internet worm Sasser disrupted thousands of businesses and home users in May.
The top ten viruses of the year are as follows:
Pos  Name           Percentage  First seen
1.   W32/Netsky-P   22.6%       MARCH 2004
2.   W32/Zafi-B     18.8%       JUNE 2004
3.   W32/Sasser     14.2%       MAY 2004
4.   W32/Netsky-B   7.4%        FEBRUARY 2004
5.   W32/Netsky-D   6.1%        MARCH 2004
6.   W32/Netsky-Z   3.7%        APRIL 2004
7.   W32/MyDoom-A   2.4%        JANUARY 2004
8.   W32/Sober-I    1.9%        NOVEMBER 2004
9.   W32/Netsky-C   1.8%        MAY 2004
10.  W32/Bagle-AA   1.6%        APRIL 2004
     Others         19.5%
“2004 was the year of the Netsky – the first of more than 30 versions of this worm arrived on the scene in February and an astonishing five variants have made it into the annual top ten,” said Graham Cluley, senior technology consultant at Sophos. “A German teenager called Sven Jaschan is responsible for more than 50% of all the virus incidents reported in 2004.”
Although Jaschan, who has admitted writing the Netsky and Sasser worms, was apprehended and confessed to his involvement in May 2004, his worms continue to spread. Even when his trial takes place early next year, his worms will still be infecting innocent computers.
In November 2004, eight months after its original discovery in March, Jaschan’s Netsky-P worm was still the world’s most widely reported virus.
The second most prevalent worm of the year, Zafi-B, was first seen back in June 2004, and has been spreading successfully ever since, with little sign of slowdown.
“It is simply shocking that viruses like Netsky-P and Zafi-B are still infecting computers, months after they were first protected against by anti-virus companies,” said Cluley. “Anyone still being infected by these worms is demonstrating a worrying lack of concern for their PC’s health.”
Sasser, the year’s third most prevalent worm, does not use email to propagate. Sasser spread via the internet, attacking vulnerable Windows computers that had not been updated with a critical Microsoft security patch. This patch was made available only 2 weeks before Sasser was first seen.
“The prevalence of Sasser just goes to show that computer users cannot afford to rely solely on email scanning to protect them from the virus threat. Computers not properly protected with anti-virus updates, firewalls and security patches are wide open to infection,” continued Cluley. “The time period between patch availability and worm exploit is getting shorter than ever.”
Sophos has detected 10,724 new viruses, worms and Trojan horses to date this year, a 51.8% increase over the previous year, bringing the total protected against to 97,535.
“Sadly there is no sign of viruses becoming a thing of the past. Those responsible for writing malware are more active than ever before,” said Cluley.
Many other virus and spam developments have taken place during 2004, and have revealed trends for the future:
More law enforcement, but still no framework for reporting viruses and spam
As well as the arrest of Sven Jaschan, 2004 saw numerous other arrests. Australian email scammer Nick Marinellis, who stole more than £2 million, was jailed; Brazilian authorities made more than 50 arrests for Trojan phishing; the UK’s National Hi-Tech Crime Unit (NHTCU) made several arrests related to phishing. On the virus front, female virus writer Gigabyte was arrested in Belgium, and the infamous 29A gang was broken apart as one member “Whale” was found guilty and fined, while “Benny” was reportedly questioned in connection with the Slammer internet worm outbreak of early 2003.
Worryingly, Sophos reports a continuing need for a formal framework allowing disgruntled computer users to report virus infections or spam easily. To report unsolicited mail, recipients must download and print a form, fill it in by hand and post it via snail mail. The NHTCU has insufficient resources to deal with reports of virus infections, and so relies on anti-virus vendors to gather information on victims only after a suspect has been apprehended.
Continued dominance of Windows 32 viruses in 2004
All of the 2004 top ten viruses are Windows 32 viruses. These affect only Microsoft users and use email or the internet to spread. Motivated by the thought of spreading their malicious code as far and wide as possible, virus writers are likely to continue targeting the ubiquitous Microsoft and its users in 2005 and beyond.
New phishing trends – a new wave of online bank robbery
Numerous UK financial institutions continued to be the targets of phishing scams – NatWest even suspended some of its online banking services to deflect an attack – and there was a worrying trend of phishers recruiting ‘mules’ to help send stolen money overseas. Interestingly, Sophos identified a new type of phishing attack in 2004. Rather than emails that direct innocent users to fake banking websites in order to capture personal details, the new wave of phishers use Trojans that wait for users to visit real banking websites before surreptitiously monitoring and secretly recording the login process.
No sign of spam subsiding, as spammers adopt new tricks
Despite an increased number of arrests and convictions of spammers, the spam problem shows no sign of disappearing. Spammers are continuing to exploit innocent hacked computers to send their spam, and using different guises in their attempts to fool users into visiting their sites.
The worst offender when it comes to spam is the USA, with 42% of all spam being sent from American computers during 2004. But the UK is also contributing to the glut of unwanted email, responsible for more than 1 in every 100 spams, being narrowly beaten in the spamming stakes by computers in France and Spain.
In the run-up to the festive season, Sophos has seen an increase in spams pretending to be from online stores, claiming that users have paid for products with their credit card and inviting them to click on a link for more details – only to find an advert at the other end.
Proof of concept malware targets mobile platforms, but no outbreaks
There was much hype this past year around viruses, worms and Trojans infecting mobile devices. Several new pieces of malware designed for the Symbian operating system were identified, including the Mosquito and Skulls Trojan horses and the Cabir Bluetooth worm. Crucially, all of these nuisances need confirmation from the phone user before they can infect. Sophos comments that the threat continues to be very low, advising computer users to focus on the biggest threat – viruses for Windows desktop PCs.
Virus hoaxes and chain letters continue to cause confusion and clog email systems
The Hotmail chain letter that tells recipients to forward an email to ten other Hotmail users was the most widely reported chain letter or hoax of the year, accounting for 20% of all the reports to Sophos. Although not viral, email hoaxes and chain letters waste bandwidth, clog up mail servers and confuse users, in much the same way as true viruses. Users can find out more about hoaxes, and how to implement an anti-hoax policy at: http://www.sophos.com/virusinfo/hoaxes/
Sophos has made available a free, constantly updated information feed for intranets and websites which means users can always find out about the latest viruses and hoaxes: http://www.sophos.com/virusinfo/infofeed/