Led off by a virulent Sober worm, November was another record-breaking
month for malware attacks, according to security analysts.
Central Command, Inc., an anti-virus and anti-spam company based in
Medina, Ohio, stopped 150 percent more infectious emails in their
anti-virus filters than they did in October, which was a record-breaking
month in its own right. And this past November saw 185 percent more virus
outbreaks than November of 2004, according to Steve Sundermeier, a vice
president with Central Command.
”It was a bad month,” says Sundermeier. ”The number of viruses
increased in November but the actual volume of malware was significantly
higher because of Sober, which we have as accounting for one in 17 emails
last month.”
Actually, the Sober-AI variant was the most prolific worm for all of
November, accounting for 64.58 percent of all malware plaguing the
Internet, according to analysts at Central Command. The rest of the top
five came in far behind their malicious ranking leader: Mytob-IU came in
second accounting for 2.66 percent of all malware; Mytob-NO was third
with 2.49 percent; Mytob-NX was fourth with 2.31 percent, and Netsky-D
was fifth with 2.20 percent.
Sophos, Inc., an anti-virus and anti-spyware company with U.S.
headquarters in Lynnfield, Mass., has a similar top five list. Sophos
analysts give the malware this ranking: Sober-Z took first place with
42.9 percent; Netsky-P was second with 8.1 percent; Mytob-GH was third
with 6.8 percent; Mytob-EX was fourth with 4.5 percent, and Zafi-D was
fifth with 4 percent. (Keep in mind that different vendors often assign
the same variants slightly different names.)
”Since we saw the first Sober worm back in October 2003, its author has
tried to improve upon tried-and-tested tricks to dupe computer users into
launching infected attachments,” says Carole Theriault, senior security
consultant at Sophos, in a written statement. ”This latest worm claims
to be a warning from CIA and FBI agents, accusing recipients of visiting
illegal Websites. Mocking the feds is a sure-fire way of goading the
authorities, and you can’t help but wonder whether the author is
desperate to be caught.”
Sundermeier tells eSecurityPlanet that Sober-AI isn’t a new and
super piece of malicious code — it’s simply well-designed.
”It’s author didn’t reinvent the wheel but it uses a combination of
several factors,” says Sundermeier. ”It reproduces very easily. Lots of
times we see little coding flaws in the propagation routines and that
didn’t exist with this version. It used its own SMTP engine, and it was
good at harvesting email addresses from compromised machines… It just
works really well.”
Mytob is crowding top five lists simply because of sheer volume, says
Sundermeier. There are hundreds of Mytob variants on the Internet at this
point and that makes for a lot of infected machines. And that means it’s
easier for the new variants to get a foothold and spread quickly around
the globe.
And Sundermeier says he’s predicting an active December.
Sober-AI continues to dominate, he notes, pulling down big numbers as the
month begins. ”And December has been known in the past to be a bad month
for virus activity,” Sundermeier adds. ”At the least, we generally see
something new. In December of 2004, we had the Zafid worm and that topped
the charts for a while. In December of 2003, we had another Sober variant
released and that topped the charts for the month. And lately we have
this trend where every month outdoes the last in terms of total volume.”