March's Bug Story: Old Worms Maintain Grip

Older worms and viruses continued to dominate March's list of Top 10 baddest apples, said security firms Thursday, in part because users don't update their anti-virus defenses, but also because 2005's entries have been too weak to unseat the old guard.

According to the list produced monthly by Sophos, the Zafi.d worm led the Top 10 for March by accounting for 45.1 percent of all the malicious traffic the U.K.-based security vendor monitored. Netsky.p came in second with 21 percent of the month's total. Rounding out the top 10 were Zafi.b, Sober.k, Netsky.d, Netsky.z, Netsky.b, MyDoom.o, Netsky.c, and Netsky.q.

"The older worms continue to spread insidiously," said Graham Cluley, a senior technology consultant with Sophos. "They're just not dying off, and it's because there are a lot of people who haven't protected their computers.

"Just because your new PC came with anti-virus software, you mustn't think that that's the end of the story. Those trial versions typically expire in a few weeks, and even during the free-use period, they're usually out of date, since they're built on old disk images."

Zafi.d, for instance, first appeared in mid-December 2004, and has held the top spot in Sophos' Top 10 since then. All but one of the ten worms or viruses, in fact, are from 2004.

"Think of Typhoid Mary, spreading disease. Unprotected PCs are like that. Similarly, poxed PCs continue to spread these diseases," said Cluley.

"It's really worrying that some of these worms are over a year old. With so many thousands of viruses out there, what are the chances of these PCs being protected against the newest threats, like spyware?"

Another reason the senior citizens of malware remain potent is that there haven't been any real replacements of late. "The older worms continue to hold their spots because there haven't been any new, large outbreaks yet this year," said Cluley.

In other end-of-the-month reports, managed e-mail provider Postini noted that it saw a slight dip in the number of malicious messages during March. "Only" 87 percent of the mail traffic Postini processed was spam or virus-carrying messages, the Redwood City, Calif.-based company said; that was a 1 percent drop from February.

The firm also tracked a larger decrease of 8 percent in the number of directory harvest attacks in March. So-called DHAs are brute-force attempts by spammers to guess addresses by bombarding mail servers in the hopes of spotting the legitimate addresses. Those are added to the spammer's database for later blitzing.

Postini believed that the downturns were only temporary. "In March, we saw typical fluctuations in spam, virus, and DHA levels," said Andrew Lochart, the director of product marketing at Postini, in a statement. "While the overall trend for the past five years has been a steady increase, we occasionally see small declines from month to month. We foresee no long-term decrease in the amount of spam businesses can expect to receive."

Mail-Filters, a San Mateo, Calif.-based company that OEMs its anti-spam technology, weighed in with its March numbers, which concentrated on phishing attacks.

The volume of phishing messages climbed 17 percent during March, Mail-Filters alleged. (Other data, such as that collected by the Anti-Phishing Working Group, is a month behind, and indicated a small 2 percent increase in the number of phishing campaigns.)

One disturbing pattern that Mail-Filters monitored was a jump in the number of phishing messages sent on weekdays. Previously, phishing volume spikes would show each weekend, indicating consumers as the primary target group. "[There was] a noticeable increase in weekday phishing message attacks aimed at corporate users" during March, said Mail-Filters in a statement.

With March over, some security vendors looked to April, especially April 1, April Fool's Day.

"People should not forget common-sense rules for computing during April Fool's Day," said Mike Murray, the director of vulnerability and exposure research at San Francisco-based nCircle. "Opening email from an unknown source or clicking on attachments can make a computer vulnerable to attacks."

April Fool's Day is particularly troublesome, since millions use e-mail or instant messaging to exchange pranks, often involving files and/or Web site links.