The trend in July was largely the same as for the rest of 2006: few threats provoking massive infections but a steady flow of malicious code related to fraud.
The ranking published by PandaLabs once again sees Sdbot.ftp at the top of the list. It has now been the malicious code most frequently detected by ActiveScan for more than 12 months. Sdbot.ftp is a script used by the Sdbot family of worms to download themselves onto computers via FTP. It uses the RPC-DCOM and LSASS vulnerabilities, among others, in order to enter computers.
In second place came W32/Bagle.pwdzip, which actually covers several malicious codes. It groups several variants of the Bagle worm, including Bagle.F, Bagle.G, Bagle.H, Bagle.I, Bagle.N and Bagle.O. These worms reach computers in a password protected zip file attached to an email message. The fact that these files are password protected means that antivirus programs cannot scan their content before it is extracted. Therefore, when one of these files reaches a computer, the antivirus cannot warn the user that the file is infected. This can create a false sense of security.
As with Sdbot.ftp, the malicious code in third place, Netsky.P, exploits a vulnerability in order to enter computers, in this case Exploit/iFrame, infecting computers simply when viewed in the email client preview pane. It has also been in the ActiveScan ranking of most frequently detected malicious code for some considerable time, since March 2004 in fact.
Malware % of infections
In fourth place came the Trj/Torpig.DC Trojan, which can allow intrusions and attacks on the compromised computer, including capturing of screenshots, spying on personal data, etc.
After having slid down from third to eighth place in the previous months, Exploit/Metafile has once again returned to the top half of the table. It appears that it will unfortunately still be around for some months to come.
The bottom half of the ranking was made up of W32/Ailis.A.worm (a worm that makes copies of itself, without infecting other files, in order to crash computers and networks), W32/Parite.B (a polymorphic virus that infects EXE, executables, and SRC, screen saver files), Trj/Qhost.gen (Qhost.gen is a generic detection of modifications to the HOSTS files), Trj/Jupillites.G (which allows intrusions and attacks on the compromised computer) and Bck/Manshi.G (a backdoor Trojan that allows hackers to compromise user confidentiality).
This data highlights how many systems there are without adequate protection, as the malicious code in the Top Ten are in no way new on the virus scene, but have been around for some considerable time. In general, users do not have adequate or up-to-date protection, contributing to the spread of these malicious codes.
More worrying still is the extent to which systems are not kept up-to-date, as many of these threats could not spread if systems were properly installed and updated.
The threat panorama outlined by the present Top Ten ranking makes for the ideal environment for online fraud and theft, as Luis Corrons, PandaLabs director explains, “many of the threats described here allow theft of information that can then be used fraudulently, for example to access user bank accounts. This situation has become increasingly dangerous in 2006, with malware creators driven by the dynamic of online crime.”