A rivalry between the creators of the Netsky and Bagle
viruses helped cause a dramatic increase in threats against PCs in
the first half of the year, but the most serious threat was
Download.Ject, a Trojan horse that exploited a vulnerability in
Microsoft's Internet Explorer web browser, according to security
products company McAfee.
McAfee's Anti-virus and Vulnerability Emergency Response Team
(Avert) ranked Exploit-MhtRedir.gen, also known as Download.Ject or
Scob, as the top threat because it was used in a high number of
attacks against both enterprises and consumers, took advantage of
the widely used Explorer browser and was a new type of threat, said
Vincent Gullotto, vice-president of Avert.
Avert has released a list of the 10 biggest malicious threats in
the first half of this year. For the first time, the company looked
at not just the prevalence of the threat in terms of reports from
end users, but also special circumstances, Gullotto said.
Those included whether the threat hit corporations, whether it
represented a new approach, and whether a patch was available for
it. A war between virus writers, such as the Netsky-Bagle rivalry,
is another factor.
About 60% of all the malicious threats tracked by Avert are what
McAfee calls Potentially Unwanted Programs, or PUPs, a label that
gives customers the chance to decide whether they want to keep the
software.
These include "adware" and "spyware," which may even be
legitimate software but end up on a system without the user's
consent, Gullotto said. Reports of PUPs are increasing both because
the software is growing more prevalent and because McAfee has added
more reporting capabilities for it, he said.
McAfee's top 10 threats of the year so far are:
- Exploit-MhtRedir.gen (also known as Download.Ject or Scob)
- VBS/Psyme
- Adware-Gator
- Adware-180Solutions
- Adware-Cydoor
- Adware-BetterInet
- W32/Netsky.d@MM
- W32/Netsky.p@MM
- W32/Netsky.q@MM
- W32/Mydoom.a@MM
The Exploit-MhtRedir.gen attack uses compromised Microsoft
Internet Information Services (IIS) web servers to distribute
Trojan horse programs.
Using two vulnerabilities in Windows and Explorer, it silently
runs the malicious code distributed from the IIS servers on
machines that visit the compromised sites, redirecting users
to websites controlled by hackers and downloading a
Trojan horse program that captures keystrokes and personal
data.
The only defence against the attack is in Windows XP Service
Pack 2, not available in final form until next month, and numerous
web servers may still be compromised, Gullotto said.
VBS/Psyme is a Trojan horse that exploits a vulnerability in
Explorer and overwrites local files on the user's system.
Netsky, which first appeared in February, comes as an attachment
to an e-mail message and installs itself on Windows machines when
the attachment is opened.
It also tries to exploit a long-patched Microsoft hole that
allows file attachments to be launched automatically when the
e-mail message is read. The virus combs the machine's hard drive
and harvests e-mail addresses from a variety of file types, which
it then uses to spread itself further.
The Bagle worm and its variants, whose creators apparently
carried on a war of words with the Netsky authors in hidden text
inside virus code, were edged out of the list because Netsky spread
itself more effectively, Gullotto said.
MyDoom was included both because it was the most prevalent
threat in the period and because it used a new type of e-mail
message to cause users to open up its attachment. MyDoom uses
subject lines such as "delivery failed" and spoofed sender
addresses such as "postmaster", "Post Office" and "MAILER-DAEMON"
that make the e-mail resemble a rejected message.
The total number of threats has grown over the past three years,
according to Gullotto. In just the first quarter of this year,
there were more than 21 viruses that reached McAfee's "medium"
rating or higher, compared with 20 in all of 2003, according to the
company.
And McAfee has added 400 to 500 new threats to its database each
month this year, compared with 300 to 400 per month in 2003 and 200
to 300 per month in 2002, he said. Meanwhile, the company estimates
50 new threats per day are going out over the internet, some of
them never reported to McAfee.
Another large and growing threat is phishing attacks, which use
spoofed e-mail addresses and fake websites to trick users into
divulging sensitive information, according to McAfee.
Stephen Lawson writes for IDG News
Service