McAfee Names Worst Viruses

#1 Postby CaptinCrunch » Mon Jul 26, 2004 2:29 pm

A rivalry between the creators of the Netsky and Bagle viruses helped cause a dramatic increase in threats in the first half of the year, but the most serious was Download.Ject, a Trojan horse program that exploited a vulnerability in Microsoft Internet Explorer, according to McAfee.

McAfee's Anti-virus and Vulnerability Emergency Response Team (AVERT) ranks Exploit-MhtRedir.gen, also known as Download.Ject or Scob, as the top threat because it was used in a high number of attacks against both corporations and consumers. It also took advantage of the widely-used IE browser, and was a new type of threat, says Vincent Gullotto, AVERT vice president.


AVERT is releasing a list of the ten biggest malicious threats in the first half of this year. For the first time, the company considered not just the prevalence of the threat in terms of reports from end users, but also special circumstances, Gullotto says. Those include whether the threat hit corporations, whether it represented a new approach, and whether a patch was available for it. The Netsky-Bagle rivalry is another factor.

Deadliest Threats

About 60 percent of all the malicious threats tracked by AVERT are what McAfee calls Potentially Unwanted Programs, giving customers the chance to decide whether they want to keep the software. These include adware and spyware, which may even be legitimate programs but end up on a system without the user's knowing consent, Gullotto says. Reports of such programs are increasing both because the software is growing more prevalent and because McAfee has added more reporting capabilities for it, he adds.


Here are McAfee's top ten threats of the year so far:

Exploit-MhtRedir.gen (also known as Download.Ject or Scob)
VBS/Psyme
Adware-Gator
Adware-180Solutions
Adware-Cydoor
Adware-BetterInet
W32/Netsky.d@MM
W32/Netsky.p@MM
W32/Netsky.q@MM
W32/Mydoom.a@MM

Trojans Multiply

The Exploit-MhtRedir.gen attack uses compromised Microsoft Internet Information Services (IIS) Web servers to distribute Trojan horse programs. Using two vulnerabilities in Windows and Internet Explorer, it silently runs the malicious code distributed from the IIS servers on machines that visit the compromised sites, redirecting the customers to Web sites controlled by hackers and downloading a Trojan horse program that captures keystrokes and personal data.


The only defense against the attack is in Windows XP Service Pack 2, not available in final form until next month, and numerous Web servers may still be compromised, Gullotto said.


"While it wasn't significant in prevalence, the significance today is that it's used in multiple cases, and there's still no patch for it," Gullotto said.


VBS/Psyme is a Trojan horse that exploits a vulnerability in Internet Explorer and overwrites local files on the user's system.

Netsky Vs. Bagle

Netsky, which first appeared in February, comes as an attachment to an e-mail message and installs itself on Windows PCs when the attachment is opened. It also tries to exploit a long-patched Microsoft hole that enables file attachments to launch automatically when an e-mail message is read. The virus combs the machine's hard drive, harvesting e-mail addresses from a variety of file types, then spreads itself further. The Bagle worm and its variants, whose creators apparently carried on a war of words with the Netsky authors in hidden text inside virus code, were edged off the list because Netsky spread itself more effectively, Gullotto says.


MyDoom is included both because it was the most prevalent threat in the period and because it used a new type of e-mail message to cause users to open up its attachment. MyDoom uses subject lines such as "delivery failed" and spoofed sender addresses such as "postmaster," "Post Office" and "MAILER-DAEMON" that make the e-mail resemble a rejected message.


The total number of threats has grown over the past three years, according to Gullotto. In just the first quarter of this year, more than 21 viruses reached McAfee's "medium" rating or higher, compared with 20 in all of 2003. McAfee has added 400 to 500 new threats to its database each month this year, compared with 300 to 400 per month in 2003 and 200 to 300 per month in 2002, Gullotto says. Meanwhile, the company estimates 50 new threats are appearing daily on the Internet, and some are never reported to McAfee.


Another large and growing threat is phishing attacks, which use spoofed e-mail addresses and fake Web sites to trick users into divulging sensitive information, according to McAfee.