Malware for Money: Zafi, Sober, Netsky Still Haunting Net

As virus writing is increasing, average time to infection is decreasing, according to a Danish Internet security firm. Sophos’ chart of activity for the first six months of 2005 reports there is now a 50 percent chance of being infected by an Internet worm in just 12 minutes of being online using an unprotected, unpatched Windows PC.

Patrick Hinojosa, CTO for Panda Software U.S., said trojans that allow a cybercriminal to remotely run code on another’s computer without the user’s consent is a major trend he has seen since June 2004. It is the most persistent infector of machines, he added, and it’s not stopping.

“The virus writer’s complexion has changed in the past year or so,” Hinojosa said. “We’ve moved away from the major activity coming from script kitties writing malware for bragging rights to people sending spam and anonymously performing other activities with a money motive.”

Zafi-D Zooms to Number One

The long-standing Zafi-D worm accounts for more than a quarter of all viruses reported to Sophos so far this year. Dominating the top of the monthly virus charts for the first four months, this Hungarian worm uses the guise of a Christmas greeting to trick users into opening its infected attachment.

“Most surprising is that Zafi-D managed to hang around long after the festive season and well into the spring,” said Graham Cluley, senior technology consultant at Sophos. “It’s only in the last two months that Zafi-D has started to lose its stranglehold on the chart, but it’s still a significant threat.”

The bilingual Sober-N, which first emerged in May, ranks third. Posing as tickets to the 2006 World Cup in Germany, Sober-N compromised thousands of PCs in 40 countries. Sober-N waited silently in the background of infected PCs, before upgrading itself to a newer version in order to churn out German nationalistic spam from the compromised, “zombie” computers.

“The Sober family of worms show just how much damage can now be done through a zombie machine,” said Cluley. “The combined effort of spammers, virus writers and their zombie armies are certainly a force to be reckoned with. Increasingly, legitimate organizations are being thrown into the firing line – finding themselves being identified as sources of spam.”

Keylogging on the Rise

Sophos reports a threefold increase in the number of keylogging trojans so far this year. Trojans are delivered to target organizations via e-mail attachments or links to Web sites. They are often used by remote hackers to steal privileged information and very often, to launch further attacks.

“What we are witnessing is a stampede of new Trojan horses every day,” said Cluley. “Although some familiar worms have a tight grip on the charts, the growth in Trojan horses is perhaps the most significant development in malware-writing. Trojans don’t normally make the charts because they don’t spread under their own steam, and are increasingly being used for targeted attacks designed to make money or steal information.”

Variants of the Mytob worm are also prevalent in the chart at sixth and eighth places. More recent versions of the worm have adopted a new trick, most commonly used by phishers, which includes a faked Web link pointing to the malicious code. Each new Mytob variant has been tweaked slightly differently, which indicates that the authors may be searching for the elements of their malicious code that will help them create a super worm.

Netsky-P Writer Faces Trial

The prevalence of organized computer crime is higher than ever. The attempted breach at the Sumitomo Mitsui bank in London and the MasterCard hack are prime examples of the continued trend towards financially motivated computer crime. But the number of arrests are also on the rise.

In May, Israeli police managed to track down a London based couple, who were arrested for writing malicious software that was used by Israeli companies to spy on their competitors. The previous month saw the arrest of a Cypriot man who spied on a 17-year old girl via her Webcam after infecting her PC with a Trojan horse. A similar scenario resulted in a Spanish student being fined.

Netsky-P, which was the hardest-hitting virus of 2004 and still ranks second on Sophos top 10 list, has enjoyed an extremely long reign near the top of the virus chart so far in 2005. German teenager Sven Jaschan, who admitted writing the Netsky and Sasser worms more than a year ago, will face trial next week for computer sabotage, data manipulation and disruption of public systems.

“Even though Jaschan’s worms continue to spread and cause problems for many computer users, he’s likely to avoid a prison sentence because of his age,” said Cluley. “When comparing a dumb teenager with other Internet criminals who plot to steal millions of credit card details or bank account information from infected PCs, it’s clear who should get the harsher sentences.”

1 Comment

  • Says the article:
    "When comparing a dumb teenager with other Internet criminals who plot to steal millions of credit card details or bank account information from infected PCs, it’s clear who should get the harsher sentences."
    Yes, the virus writer who cases hundreds of million dollars damage world wide should get the harsher sentence. Treat the kid as if he’d blown up a building. Ten years in prison minimum.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels