A rivalry between the creators of the Netsky and Bagle viruses helped cause a dramatic increase in threats against home and enterprise computers in the first half of this year, but the most serious threat was Download.Ject, a Trojan that exploited a vulnerability in Microsoft Corp.'s Internet Explorer Web browser, according to McAfee Inc.
McAfee's Anti-virus and Vulnerability Emergency Response Team (AVERT) ranked Exploit-MhtRedir.gen, also known as Download.Ject or Scob, as the top threat because it was used in a high number of attacks against both enterprises and consumers, took advantage of the widely used Internet Explorer browser and was a new type of threat, said Vincent Gullotto, vice president of AVERT.
AVERT is releasing on Monday a list of the 10 biggest malicious threats in the first half of this year. For the first time, the company looked at not just the prevalence of the threat in terms of reports from end users, but also special circumstances, Gullotto said. Those included whether the threat hit corporations, whether it represented a new approach and whether a patch was available for it. A war between virus writers, such as the Netsky-Bagle rivalry, is another factor.
About 60 percent of all the malicious threats tracked by AVERT are what McAfee calls Potentially Unwanted Programs, or PUPs, giving customers the chance to decide whether they want to keep the software. These include "adware" and "spyware," which may even be legitimate software but end up on a system without the user's knowing consent, Gullotto said. Reports of PUPs are increasing both because the software is growing more prevalent and because McAfee has added more reporting capabilities for it, he said.
Here are McAfee's top 10 threats of the year so far:
1. Exploit-MhtRedir.gen (also known as Download.Ject or Scob)
2. VBS/Psyme
3. Adware-Gator
4. Adware-180Solutions
5. Adware-Cydoor
6. Adware-BetterInet
7. W32/Netsky.d@MM
8. W32/Netsky.p@MM
9. W32/Netsky.q@MM
10. W32/Mydoom.a@MM
The Exploit-MhtRedir.gen attack uses compromised Microsoft Internet Information Services (IIS) Web servers to distribute Trojan horse programs. Using two vulnerabilities in Windows and Internet Explorer, it silently runs the malicious code distributed from the IIS servers on machines that visit the compromised sites, redirecting the customers to Web sites controlled by hackers and downloading a Trojan horse program that captures keystrokes and personal data.
The only defense against the attack is in Windows XP Service Pack 2, not available in final form until next month, and numerous Web servers may still be compromised, Gullotto said.
"While it wasn't significant in prevalence, the significance today is that it's used in multiple cases, and there's still no patch for it," Gullotto said.
VBS/Psyme is a Trojan horse that exploits a vulnerability in Internet Explorer and overwrites local files on the user's system.
Netsky, which first appeared in February, comes as an attachment to an e-mail message and installs itself on Windows machines when the attachment is opened. It also tries to exploit a long-patched Microsoft hole that allows file attachments to be launched automatically when the e-mail message is read. The virus combs the machine's hard drive and harvests e-mail addresses from a variety of file types, which it then uses to spread itself further. The Bagle worm and its variants, whose creators apparently carried on a war of words with the Netsky authors in hidden text inside virus code, were edged out of the list because Netsky spread itself more effectively, Gullotto said.
MyDoom was included both because it was the most prevalent threat in the period and because it used a new type of e-mail message to cause users to open up its attachment. MyDoom uses subject lines such as "delivery failed" and spoofed sender addresses such as "postmaster," "Post Office" and "MAILER-DAEMON" that make the e-mail resemble a rejected message.
The total number of threats has grown over the past three years, according to Gullotto. In just the first quarter of this year, there were more than 21 viruses that reached McAfee's "medium" rating or higher, compared with 20 in all of 2003, according to the company. And McAfee has added 400 to 500 new threats to its database each month this year, compared with 300 to 400 per month in 2003 and 200 to 300 per month in 2002, he said. Meanwhile, the company estimates 50 new threats per day are going out over the Internet, some of them never reported to McAfee.
Another large and growing threat is phishing attacks, which use spoofed e-mail addresses and fake Web sites to trick users into divulging sensitive information, according to McAfee.