The Deadly Duo: Spam and Viruses, August 2006

Nine Microsoft employees received certificates of “Exceptional Service in the Public Interest” for aiding the FBI in the resolution of the 2005 Mytob/Zotob computer worm investigation. The case resulted in the arrest of two individuals located in Morocco.

Spammers recently picked up a new tactic to harvest e-mail addresses. According to Sophos, the nefarious bulk mailers pose as chain mail researchers, asking recipients to forward the message as if it was a chain e-mailed joke; potentially collecting the e-mail addresses of entire address books or departments for those who forward jokes to coworkers.

The same security firm found a worm posing as a security patch. The W32/Stratio-AN worm, also referred to as the Stration worm, is e-mailed, usually with the subject “Mail server report.” Instead of the perceived necessary fix, the recipient is tricked into downloading the malicious worm.

Top 10 Malware, August 2006
Rank Malware Frequency (%)
1 W32/Netsky-P 19.9
2 W32/Mytob-AS 15.8
3 W32/Bagle-Zip 8.0
4 W32/Nyxem-D 6.4
5 W32/Netsky-D 4.4
6 W32/Mytob-C 4.1
7 W32/Mytob-E 3.2
8 W32/MyDoom-O 3.0
9 W32/Zafi-B 2.7
10 W32/Mytob-FO 1.5
Others 31.0
Source: Sophos Plc., 2006

Top 10 Hoaxes, August 2006
Position Hoax Percentage of Reports
1 Olympic torch 11.0
2 Hotmail hoax 8.5
3 Bonsai kitten 4.6
4 Budweiser frogs screensaver 3.8
5 Meninas da Playboy 3.4
6 MSN is closing down 3.1
7 Bill Gates fortune 2.8
7 Justice for Jamie 2.8
8 A virtual card for you 2.6
9 Mobile phone hoax 1.7
Others 55.7
Source: Sophos Plc., 2006

Earlier this year, spammers inserted messages within images, varying each execution to fool spam filters. McAfee Avert Labs recognized a trend toward the usage of Word and HTML coding to spread the spam word. Prior to the rise in image spam, this tactic was deployed.

“We often see successful attacks cycled,” McAfee Avert Labs Security Researach and Communications manager David Marcus told ClickZ Stats. “It’s an ongoing ebb and flow, we’ll see techniques used and then go away for a while.”

Spammers also cycled through 72 percent more domains, which resulted in an uptake of spammers using URLs within messages including in Word documents.

August saw a 30 percent increase over the previous month in directory harvest attacks (DHA), as recognized by Postini. A DHA is when a spammer hijacks and steals the entire e-mail directory of an enterprise, then overwhelms the company’s e-mail server with junk messages. Such attacks can slow e-mail traffic for the company by mimicking a DoS (define) event.

A report from Kaspersky Labs details virus and spam activity for the first six months of 2006. It notes a 9 percent increase in the number of Trojans, compared to the first half of 2005. Viruses and worms experienced a 1.1 percent dip, and malware declined by 2.3 percent in the same period.

Online Scanner Top 20, August 2006
Position Name Percentage
1 Email-Worm.Win32.Mydoom.m 4.93
2 Email-Worm.Win32.NetSky.q 0.74
3 Email-Worm.Win32.Nyxem.e 0.31
4 Trojan-Dropper.Win32.Agent.asl 0.22
5 Backdoor.IRC.Zapchast 0.16
6 Email-Worm.Win32.NetSky.aa 0.15
7 Trojan-Downloader.Win32.Agent.arc 0.15
8 Backdoor.Win32.mIRC-based 0.13
9 Trojan-Proxy.Win32.Horst.av 0.12
10 Virus.DOS.PS-MPC-based 0.10
11 Email-Worm.Win32.Rays 0.10
12 not-a-virus:Monitor.Win32.Perflogger.163 0.10
13 not-a-virus:RiskTool.Win32.HideWindows 0.09
14 0.09
15 Trojan-Spy.Win32.Banker.anv 0.09
16 Net-Worm.Linux.Ramen 0.09
17 Email-Worm.Win32.Brontok.q 0.09
18 Virus.Win32.Parite.b 0.08
19 Backdoor.IRC.Acnuz 0.08
20 Backdoor.IRC.Mimic 0.07
Other malicious programs 92.11
Source: Kaspersky Lab, 2006

Related reading