Top Ten Sophos for August 2007: fraudsters step up their attempts to infect PC users  
September 2007   

Sophos has revealed the most prevalent malware threats causing problems for computer users around the world during August 2007.

The figures, compiled by Sophos’s global network of monitoring stations, show a dramatic drop in malware spreading in the form of email attachments, with just one infected message in every 1,000 emails in August, compared to one in 322 during the first six months of 2007.

Spam, however, has continued to be a problem - much of it linking to malicious websites designed to infect users. A series of large-scale attacks have been made via spam email, directing users to infected webpages with the promise of ecards, pictures of nude celebrities, YouTube movies, and pop music videos. People visiting the sites are running the risk of having their PCs infected by malicious code which can then steal personal information, spam out more malware and junk email, or launch distributed denial of service attacks against innocent parties.

The total number of infected webpages continues to grow, albeit at a slightly slower rate than the month before. During August, Sophos detected an average of 5,000 new infected webpages each day, compared to 6,000 in July.

There was also a sharp spike in spam activity in the middle of August due to one of the world’s biggest ever single spam campaigns designed to manipulate stock prices.

The top ten list of web-based malware threats in August 2007 reads as follows:

- 1. Mal/Iframe: 47.8%

- 2. Mal/ObfJS: 17.7%

- 3. Troj/Decdec: 14.0%

- 4. Troj/Fujif: 4.3%

- 5. Mal/EncPk: 2.5%

- 6. Troj/Psyme: 2.2%

- 7. Mal/Packer: 1.1%

- 8. Troj/Pintadd: 1.0%

- 9. VBS/Redlof: 0.7%

- 10. Mal/Behav: 0.5%

- Others 8.2%

Mal/Iframe and ObfJS have retained their positions at the top of the chart.

Meanwhile, Decdec has crept up to third place, accounting for 14 percent of this month’s web-based malware, up 11 percent on July.

"Cybercriminals are successfully using email and the web in co-ordination to infect innocent internet surfers," said Carole Theriault, senior security consultant at Sophos. "Home users and businesses alike need to take more steps to protect themselves from online threats, or risk being hit time and time again. It should be clear for everyone to see that businesses, web hosts and ISPs are failing to properly defend their websites. Fraudsters are continuing to find rich pickings on the internet, duping users into handing over their personal information."

The top ten list of countries hosting malware-infected web pages in August 2007 reads as follows:

- 1. China (inc. Hong Kong): 44.8%

- 2. United States: 20.8%

- 3. Russia: 11.3%

- 4. Ukraine: 7.7%

- 5. Poland: 2.4%

- 6. Germany: 1.6%

- 7. Netherlands: 1.1%

- 8. Italy: 0.9%

- 9= Canada: 0.8%

- 9= United Kingdom: 0.8%

- Others 7.8%

Whilst the top three countries hosting malware-infected webpages during August have remained unchanged from July, the percentage of malicious pages hosted by them has dropped by ten percent to 76.6 percent. The proportion of infected pages hosted by the Ukraine has more than doubled in the last month, and the Netherlands, Italy and Canada have all re-entered the chart.

"While more than three quarters of infected webpages are hosted in just three countries, that doesn’t mean you only get hit if you visit websites based in those areas," explained Theriault. "Hackers are hijacking websites around the world to make them point to malware on sites based in China, the USA, and Russia. Cybercriminals don’t discriminate when it comes to targeting the web - they’re just out for all they can get."

The top ten list of email-based malware threats in August 2007 reads as follows:

- 1. W32/Netsky: 30.5%

- 2. W32/Zafi: 20.0%

- 3. W32/Mytob: 15.0%

- 4. Troj/Pushdo: 10.8%

- 5. Troj/Dloadr: 4.8%

- 6. W32/MyDoom: 4.4%

- 7. Mal/Dropper: 2.3%

- 8. W32/Bagle: 2.1%

- 9. W32/Sality: 1.8%

- 10. W32/Traxg: 1.2%

- Others 7.1%

While the Pushdo Trojan horse has been around since March, it is a newcomer to the top ten, accounting for 10.8 percent of all email-borne malware during August. Its rise is down to the fact that around four new variants of Pushdo are currently being spammed out every day, in a bid to try and bypass security systems.

"Most malware writers seem to be taking an extended holiday from spreading their malicious code via email attachments, and are using spam and the web instead to infect users," said Theriault. "Criminals are hard at work trying to slip past filters at the corporate gateway, and businesses must ensure that their security solutions are kept up-to-date to defend against new virus variants and new spam techniques before they can strike."

During August, Sophos continued to see hoaxes and chainletters spreading between internet users via email. One new hoax, which took advantage of the growing popularity of social networking websites, warned that Facebook users who accepted a friend invitation from a user called Bum_tnoo7 would be opening themselves up to identity theft.

Sophos does recommend that users of social networking websites take steps to protect their identities online but this particular warning is bogus.

Graphics of the above top ten virus chart are available at www.sophos.com/pressoffice/imggallery/topten/
