
Malware variant trend reflects police action

Cath Everett ZDNet.co.uk

Published: 01 Jun 2005 15:50 BST


The increase in the number of malware variants may reflect the increased effectiveness of law enforcement agencies in targeting their creators.

Carole Theriault, a security consultant at security software firm Sophos, believes that the explosion in the number of variants of the Mytob worm and Bagle virus could be due to virus writers taking a lower profile and enlisting script kiddies to spread their wares.

Up until only a few months ago, the same old viruses had been doing the rounds for some time, but there is now "a lot of activity on a broad scale, with people introducing variants more than ever before," said Theriault on Wednesday, responding to the latest outbreak.

Mytob has to date materialised in more than 50 different forms since it emerged last year. Taken together, these variants comprise 37.5 percent of all virus activity over the last five days, which means Mytob is currently the largest single malware threat out there.

Number two on the list is Bagle, with all 70 or so variations collectively accounting for about 21.4 percent of total activity, Theriault added.

This trend towards the creation of variants, Theriault suggested, could be because more sophisticated virus writers, to avoid police attention, are no longer putting their code into the wild at the same rate as previously. Instead they may be posting the malware on Web sites for those with less experience to modify and release.

"With variants, there is a cumulative effect, but if each one infects only a few thousand machines, law enforcement has to make a judgement call and may decide that it should focus its resources elsewhere," Theriault said.

But another key trend in the security world is the growth of Trojan Horse attacks specifically targeted at individual organisations. Figures here have jumped from five per day in April 2004 to about 15 per day in April 2005.

"There are many more targeted attacks taking place, where a guy is paid to attack a specific target, in particular companies, maybe to gather corporate information or undertake a denial of service attack on the Web site. This is because, unlike viruses, Trojans don't spread by themselves so you can send them to specific people and control it more," Theriault said.
