The State of Malware Today - July 2005

Fortinet Reviews Malicious Code Activity During July 2005

This month's highlights:

  • New MyTob variants continue to be reported
  • Phishing attacks on the rise
  • Virus masquerades as a Microsoft security update
  • Virus authors on a hiatus?

Virus Prevalence in July

Top 20 Viruses detected by Fortinet in July 2005

1. W32/Netsky.P-mm 17.54%
2. Possible_MyTob.G 7.02%
3. W32/MyTob.EK-mm 5.10%
4. W32/Zafi.D-mm 4.58%
5. Possible_Netsky.P 3.91%
6. W32/MyTob.fam-mm 3.45%
7. W32/Zafi.B-mm 3.42%
8. Possible_MyTob.B 3.11%
9. HTML/SouthTrust-phish 2.26%
10. W32/MyTob.FF-mm 2.01%
11. Possible_MyTob.F-mm 1.87%
12. W32/MyTob.FJ-mm 1.62%
13. W32/Netsky.D-mm 1.56%
14. HTML/eBay-phish 1.51%
15. W32/MyTob.DJ-mm 1.34%
16. W32/Netsky.Z-mm 1.29%
17. W32/Lovgate-dam 1.20%
18. W32/MyTob.DZ-mm 1.18%
19. W32/MyTob.GB-mm 1.12%
20. Possible_MyTob.E 1.12%


Top 20 Spyware detected by Fortinet in July 2005

1. Adware/BetterInternet 41.82%
2. Adware/180Solutions 36.63%
3. Download/Px 9.00%
4. Adware/Websearch 5.50%
5. Adware/ShopAtHomeSelect 1.16%
6. Joke/Renos.A 0.86%
7. Adware/ExitFuel 0.58%
8. BHO/Clientman 0.53%
9. Adware/IstBar 0.30%
10. Adware/FunWeb.A 0.23%
11. Adware/180SA 0.20%
12. Adware/RBlast.A 0.17%
13. Adware/Midaddle.DLL 0.14%
14. Adware/ZangoSA 0.13%
15. Toolbar/Mywebsearch 0.13%
16. Adware/Gator 0.12%
17. Adware/WinAd 0.12%
18. Dial/Dialer 0.11%
19. Adware/CyDoor 0.11%
20. Adware/WhenU 0.10%


Top 10 countries reporting infections:

1. United States of America 18%
2. Italy 7%
3. Korea, Republic of 6%
4. Mexico 5%
5. Taiwan, Province of China 5%
6. China 5%
7. India 5%
8. France 4%
9. Thailand 4%
10. Canada 3%


Fortinet's Threat Research team has compiled a list of the most significant threats and research findings during the month of July. They share their analysis below.

eBay mimic - rise of the phish

In July an influx of phishing attempts was observed, including HTML/Ebay-phish, a new phishing scam e-mailed to target addresses in an attempt to trick users into signing on to a Web page with their eBay login credentials. The Web page is not affiliated with eBay and may record the credentials entered in order to take over the account. Identity theft, credit card fraud and financial loss are very real possibilities should the attack yield the requested information.

HTML/Ebay-phish ranked 14th on Fortinet's list of top viruses in July. Fortinet Antivirus Researcher Patrick Nolan said, "On a scale of 1 to 10 on creativity, the HTML/Ebay-phish phishing scam earns high marks on fooling users. It is important to note that after the first click, this phishing attack brings up text that looks like any other phishing attack." For an online description that provides insight into the attack methodology of this phishing scam, please visit Fortinet's Virus Encyclopedia at: http://www.fortiguardcenter.com/ve?vn=HTML/Ebay!phish
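The HTML/Ebay-phish page itself is not reproduced here. As an added example (not Fortinet's code and not taken from the scam), the Python below checks an HTML e-mail body for the link tricks such scams rely on: visible link text that names ebay.com while the href goes elsewhere, the brand name buried in a subdomain of an unrelated registered domain, userinfo before "@" that hides the real host, and bare IP hosts. The sample message, the ebay.com allow-list and the attacker hosts (reserved .example names and a TEST-NET-1 address) are constructed for the example; the eTLD+1 helper is deliberately crude.

```python
"""Flag deceptive links in an HTML e-mail body.

Added example, not Fortinet's code.  The sample message below is constructed:
the attacker hosts use reserved .example names and a TEST-NET-1 address.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the brand the mail claims to come from and its legitimate domain.
TRUSTED_BRAND_DOMAINS = {"ebay.com"}
BRAND_WORDS = ("ebay",)

# Visible text that itself looks like a URL or host name (optional scheme).
_HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


def registered_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com-style hosts, not for co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shown_host(text):
    """Host named in the visible anchor text, or None if the text is plain words."""
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means it passed."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    if parts.username is not None:
        reasons.append("userinfo before '@' hides the real host " + host)
    if is_ip_literal(host):
        reasons.append("href points at a bare IP address")
    visible = shown_host(text)
    if visible and registered_domain(visible) != reg:
        reasons.append(f"text shows {visible} but href goes to {host}")
    if reg not in TRUSTED_BRAND_DOMAINS:
        # Brand word in the host or the anchor text, but the registered domain is not the brand's.
        blob = (host + " " + text).lower()
        if any(word in blob for word in BRAND_WORDS):
            reasons.append(f"brand name used, but registered domain is {reg}")
    return reasons


def find_deceptive_links(html):
    """Return [(href, text, reasons)] for every link that triggered a check."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample: three deceptive links and one legitimate one.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear eBay member, please confirm your account details:</p>
<a href="http://signin.ebay.com.cgi-bin.update.attacker.example/ws/eBayISAPI.dll">
https://signin.ebay.com/ws/eBayISAPI.dll</a><br>
<a href="http://192.0.2.10/ebay/login.htm">Click here to verify your eBay account</a><br>
<a href="http://pages.ebay.com@phish.example/">pages.ebay.com</a><br>
<a href="http://www.ebay.com/help/">eBay Help</a>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(href, "<-", repr(text))
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the first three links are flagged and the genuine www.ebay.com link passes. The brand-word check is intentionally aggressive (any mention of the brand alongside a non-brand registered domain), which is the right trade-off for a gateway that quarantines rather than deletes.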

MyTob variants remain a constant

Although new MyTob variants are observed almost daily, MyTob spreading appears to have dropped to a trickle of first-time sightings. "This is a result of improved heuristics with MyTob variant detections coupled with network administrator configurations blocking dangerous file extension types such as .EXE, .SCR and .PIF," said Patrick Nolan, antivirus researcher for Fortinet. For the month of July, Fortinet antivirus analysts added 109 MyTob detections (including damaged variants); however, none of the MyTob variants new in July made Fortinet's top 20 list.

Virus masquerades as a Microsoft security update

A new variant of the SDBot virus masquerades as a Microsoft security bulletin. The e-mail carries an attachment that supposedly contains the updates addressing the issues cited in the bulletin. "This is an age-old social engineering technique," said Fortinet Researcher Trevor Welsh. "Many users of Windows know and trust the provider of their operating system. The best protection for these sorts of attacks is education first and foremost." Microsoft does not distribute security updates as e-mail attachments, so any such message can be rejected on that basis alone. Should the user run the attachment, control of the PC passes to a third party: SDBot lets a remote operator browse and control the machine over the IRC protocol.
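The defence named in both the MyTob and the SDBot items is a mail-gateway policy on attachments. The following is an added example (not Fortinet's code) of such a policy in Python's standard library: it blocks the three extensions the page names (.EXE, .SCR, .PIF) even when the name is padded with spaces or given a double extension, judges the bytes rather than the name by looking for the "MZ" header every DOS/PE executable begins with, and rejects any message posing as a Microsoft security bulletin that carries an attachment, since Microsoft does not ship patches by e-mail. The sample messages, the corp.example addresses, the "MZ" stub (not a real program) and the SAFE_LOOKING set used for the double-extension check are all constructed assumptions.

```python
"""Mail-gateway attachment policy.

Added example, not Fortinet's code.  The sample messages are constructed, the
executable is an 'MZ' stub rather than a real binary, and the SAFE_LOOKING set
used for the double-extension check is an assumption.
"""
import email
import re
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}            # the three named on the page
SAFE_LOOKING = {".doc", ".jpg", ".pdf", ".txt", ".zip"}   # inner extensions attackers hide behind


def normalise_filename(name):
    """Collapse padding and case: 'Holiday.JPG      .pif' -> 'holiday.jpg .pif'."""
    return re.sub(r"\s+", " ", name or "").strip().lower()


def extension_reasons(name):
    """Flag a blocked final extension and the double-extension disguise."""
    reasons = []
    clean = normalise_filename(name)
    exts = ["." + p for p in clean.replace(" ", "").split(".")[1:]]
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {exts[-1]} on '{clean}'")
        if len(exts) >= 2 and exts[-2] in SAFE_LOOKING:
            reasons.append(f"double extension {exts[-2]}{exts[-1]} disguises an executable")
    return reasons


def content_reasons(data, name):
    """Judge the bytes, not the name: DOS/PE executables begin with 'MZ'."""
    if data[:2] == b"MZ":
        return [f"'{normalise_filename(name)}' carries a DOS/PE 'MZ' header"]
    return []


def looks_like_microsoft_bulletin(msg):
    sender = str(msg.get("From", "")).lower()
    subject = str(msg.get("Subject", "")).lower()
    return "microsoft" in sender or "security bulletin" in subject or "security update" in subject


def scan_message(raw):
    """Return the policy violations for one RFC 822 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    attachments = list(msg.iter_attachments())
    for part in attachments:
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons += extension_reasons(name)
        reasons += content_reasons(data, name)
    if attachments and looks_like_microsoft_bulletin(msg):
        reasons.append("poses as a Microsoft security bulletin yet carries an attachment; "
                       "Microsoft does not ship patches by e-mail")
    return reasons


def build(sender, subject, filename, data, maintype="application", subtype="octet-stream"):
    """Construct a sample message (test data only) and return it as raw bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@corp.example"
    msg["Subject"] = subject
    msg.set_content("Please see the attachment.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24   # constructed header, not a real program
PDF_STUB = b"%PDF-1.4\n% constructed sample\n"

# Constructed samples: a spoofed bulletin, a renamed executable, a padded double extension, a clean PDF.
SAMPLES = {
    "fake_bulletin": build("Microsoft Security <update@microsoft.com>",
                           "Microsoft Security Bulletin: critical update",
                           "security_update.exe", PE_STUB),
    "renamed_exe": build("alice@corp.example", "Q3 report", "report.doc",
                         PE_STUB, "application", "msword"),
    "padded_pif": build("bob@corp.example", "holiday pics", "holiday.jpg      .pif",
                        PE_STUB, "image", "jpeg"),
    "clean_pdf": build("carol@corp.example", "quote", "quote.pdf",
                       PDF_STUB, "application", "pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", scan_message(raw) or ["accepted"])
```

The "MZ" check is what catches the renamed executable that an extension list alone would pass; a production policy would extend BLOCKED_EXTENSIONS well beyond the three on the page and would also open archives, which this example does not do.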

Virus authors on a hiatus?

It would seem that virus authors are out soaking up some sun rays. Virus detections, including heuristic detections, were down 28% for the month of July; malware detections were also down, by 15%. "This is great news," says Fortinet Researcher Bryan Lu. "Let's not rest on our laurels, however. We cannot downplay the importance of regular signature and security updates," cautions Lu. "More than 47 million viruses were detected for July, and that's still a big number."