Sobig-F Wins 2003 War of the Worms
- 04 December, 2003 12:41
<p>Sophos identifies new trends in viruses and spam.</p>
<p>FOR IMMEDIATE RELEASE.
Sydney, 4 December 2003.</p>
<p>Sophos, a world leader in protecting businesses against spam and viruses, has revealed that the Sobig-F worm has accounted for almost a fifth of all reports to Sophos during 2003, making it the hardest hitting virus of the year. The mass-mailing Sobig-F worm shrugged off stiff competition for the top spot from the infamous Blaster worm, which attempted to knock a Microsoft website off the internet. Both these viruses – plus the third-placed Nachi worm – hit businesses and home users during August 2003, making it the worst single month in virus history.</p>
<p>The top ten viruses of the year are as follows:</p>
<p>1. W32/Sobig-F (Sobig variant) 19.9%</p>
<p>2. W32/Blaster-A (Blaster worm) 15.1%</p>
<p>3. W32/Nachi-A (Nachi worm) 8.4%</p>
<p>4. W32/Gibe-F (Gibe variant) 7.2%</p>
<p>5. W32/Dumaru-A (Dumaru worm) 6.1%</p>
<p>6. W32/Sober-A (Sober worm) 5.8%</p>
<p>7. W32/Mimail-A (Mimail worm) 4.8%</p>
<p>8. W32/Bugbear-B (Bugbear variant) 3.1%</p>
<p>9. W32/Sobig-E (Sobig variant) 2.9%</p>
<p>10. W32/Klez-H (Klez variant) 1.6%</p>
<p>"It appears that the author of Sobig-F tested several different techniques during the year to determine which would be most successful," said Sean Richmond, Sophos's Technical Support Manager for Australia and New Zealand. "This lead to Sobig-F claiming the questionable title of 'Worm of the Year' since it spread more aggressively than any email virus seen before. Several companies found themselves overwhelmed by hundreds of thousands of infected emails on a daily basis.</p>
<p>"Many email gateways were clogged by Sobig-F traffic which may, inadvertently, have lead to a reduction in the amount of other spam being received by organisations as the spammers relays were swamped. Microsoft has issued a substantial financial reward for evidence leading to the arrest and conviction of Sobig's author, but we seem to be no closer to identifying him or her," he said.</p>
<p>Blaster, the year's second most prevalent worm, did not use email to distribute itself, but spread like wildfire across the internet, exploiting – to Microsoft's embarrassment – a critical security hole in versions of Windows. Containing a mocking message for Microsoft's chairman Bill Gates, it attempted to blast one of Microsoft's websites off the internet, leading the industry giant to take evasive action. Ironically, the third placed Nachi worm tried to undo the damage done to computers infected by the Blaster worm; in reality it only added to the chaos. Both Blaster and Nachi continue to infect unprotected computers four months later.</p>
<p>Sophos has detected 7,064 new viruses, worms and Trojan horses to date this year, bringing the total protected against to more than 86,000.</p>
<p>Many other virus and spam developments have taken place during 2003. Sophos predicts that the following trends will continue to affect users well into the future:</p>
<p>-- Spammers find new tricks; disparate legislative approach is a toothless response
Spammers have been adopting complicated techniques to get their messages through scanners, including mixing innocent and bad text and using invalid HTML code or random characters to break up spammy words. New adaptive filtering techniques are combating the problem and companies are increasingly looking for a consolidated solution which protects against both spam and viruses.</p>
<p>Comprehensive international legislation is needed to discourage those companies considering spam email marketing.</p>
<p>-- Continued dominance of Windows 32 viruses in 2003.
All of the 2003 top ten viruses are Windows 32 viruses. These only affect Microsoft users, using email or the internet to spread. Motivated by the thought of getting their code to spread as far and wide as possible, virus writers are likely to continue targeting the ubiquitous Microsoft in 2004 and beyond.</p>
<p>-- More backdoor Trojan horses and RATs detected.
Sophos has seen a significant rise in the number of Backdoor Trojans, which open up holes in operating systems enabling hackers to implant Remote Access Tools (RATs). These RATs enable hackers to take remote control of the infected PC. The most prevalent Trojans of 2003 included Graybird, which posed as a patch for a security hole in Microsoft Windows, and Sysbug, which was spammed to thousands of users posing as smutty photographs of an erotic encounter.</p>
<p>-- Evidence that spammers and virus writers are working in tandem.
2003 saw growing evidence that spammers and virus authors are joining forces, with the Mimail-E and Mimail-H worms using infected computers as a launch pad from which to start denial of service attacks on several anti-spam websites. Some Trojan horses, including the new Regate-A and Dmomize-A Trojans, allow spammers to take over third party computers belonging to innocent parties and use them for sending spam without the users' knowledge.</p>
<p>-- Money makes the worm go around: viruses attempt to defraud computer users.
In 2003, virus writers recognised that there was money to be made from their viral code, with several worms attempting to extract financial information from infected users. The most prolific of these was Mimail-J, a worm that disguised itself as a message from the PayPal online payment website and duped users into disclosing confidential credit card and PIN details.</p>
<p>-- Courts, law enforcement agencies treating cybercrime more seriously.
A number of high profile virus writer arrests peppered 2003, with youths apprehended in the USA, UK, Spain, Italy and Romania. Cybercrime is increasingly taking place across national boundaries, and international law enforcement agencies have responded by working together to bring virus writers and hackers to book. Recently (October 2003), a suspected perpetrator of the Nigerian scam (known as 419) appeared in an Australian court. Businesses got tough on virus writers too, with Microsoft offering a reward fund of $5 million to encourage their capture.</p>
<p>-- Virus hoaxes continue to cause confusion.
The JDBGMGR virus hoax - an email duping users into deleting a legitimate file from their PCs - was, for the second year running, the most widely reported hoax. Although not viral, hoaxes waste bandwidth, clog up mail servers and confuse users, much in the same way as true viruses. Users can find out more about hoaxes, and how to implement an anti-hoax policy at http://www.sophos.com/virusinfo/articles/hoaxes.html</p>
<p>Notes for Editors.</p>
Sophos is a world leading specialist developer of anti-virus and anti-spam software. Sophos is headquartered in the UK and protects all types of organisations, including small- to medium-sized businesses, large corporations, banks, governments and educational institutions against viruses and spam. The company is acclaimed for delivering the highest level of customer satisfaction and protection in the industry. Sophos's products, backed by 24 hour support are sold and supported in more than 150 countries.</p>
<p>Sophos's regional head office for Australia and New Zealand is in Sydney and hosts one of the company's three Computer Virus Research and Development Laboratories to provide global support services.</p>
<p>FOR FURTHER INFORMATION:
Sean Richmond (firstname.lastname@example.org) is available for comment:
+61 2 9409 9161 (tel)
+61 2 9409 9191 (fax)</p>
<p>Sophos's press contact at Gotley Nix Evans is:
Michael Henderson (email@example.com)
+61 2 9957 5555 (tel)
+61 413 054 738 (mobile)
+61 2 9957 5575 (fax)</p>