Sophos: E-Mail Virus Count Down

The proportion of e-mail messages that contain malware has fallen for the first six months this year compared to the same period last year, Sophos said on Wednesday.

Statistics released by Sophos show that about one in 91 e-mail messages contained a virus or other types of bad software, far less than the one-in-35 figure of a year ago, said Graham Cluley, senior technology consultant. Sophos provides enterprise-level antivirus, spam, adware and malware protection products.

“E-mail, as far as viruses are concerned, is actually safer than it was last year,” Cluley said.

While the news is welcome, the bad guys haven’t given up. Instead, their tactics are changing to avoid detection, and they’re writing different kinds of bad software, Cluley said.

Malware writers are increasing their focus on Trojan horse programs, a class of malicious software that can include programs called keyloggers. Keyloggers send user log-ins and passwords to a server controlled by a hacker. The programs can also harvest credit card numbers and other personal data that could be used in an identity theft scheme.

Trojan horse programs, unlike viruses, do not replicate themselves. About 81 percent of the new bad software Sophos sees circulated on the Internet is this kind of program.

“It’s a big financial push,” Cluley said.

Criminals are also taking a lower profile in their spam campaigns. When masses of virus- or Trojan-laden e-mail are sent out, antivirus companies such as Sophos receive samples and quickly update their client software.

The attack’s effectiveness is thus hampered, so malware writers are sending out fewer large batches of e-mail and targeting victims more carefully, Cluley said.

Many aging pieces of malware code are still drifting around the Internet in large numbers, Sophos’ Top 10 list of malware shows. One reason is laziness on the part of hackers, who don’t want to write new code, Cluley said.

A second reason is that many consumer computers lack antivirus software, making them ripe targets even though most antivirus programs could protect them.

“Home users are much more laid back about virus protection,” Cluley said.

The No. 2 and No. 3 most common pieces of malware, Netsky-P and Zafi-B respectively, have been around for a couple of years, Cluley said. Both are mass-mail worms. A worm, like other viruses, is a program that replicates, but does not infect other files.

The most common malware so far for 2006 is Sober-Z, a worm that was active only for the first six days of the year. The worm, which was contained in e-mail purportedly from the U.S. FBI or CIA and claimed a user had visited illegal websites, was programmed to stop replicating after Jan. 6.

But in that short time, it spread in such quantities that it still holds the number-one spot, appearing in some 22.4 percent of viral e-mail, Cluley said.

Four variations of the Mytob virus hold slots on Sophos’ top-10 list. Variants of Mytob can turn off antivirus software, forge the sender’s e-mail address, download other malicious code from the Internet plus modify and steal data on computers.

In a separate list classifying malware by families, Mytob came in first, appearing in some 28.7 percent of viral e-mail.

Nyxem-D, a much-discussed worm that was also called MyWife, Blackmal and Kama Sutra, came in fourth, although it did not cause much damage.

-Jeremy Kirk, IDG News Service (London Bureau)

Keep checking in at our CSO Security Feed page for updated news coverage.