Sophos: Malicious PDF files accounted for up to two thirds of infected email in three day spam campaign
November 2007 by Sophos
IT security and control firm Sophos has revealed the most prevalent malware threats and countries causing problems for computer users around the world during October 2007.
The study, compiled by Sophos’s global network of monitoring stations, has shown that a new Trojan horse, PDFex, that is typically spammed out in email messages with an infected Adobe Acrobat PDF attachment, has smashed its way into third position in the chart. The Trojan was widely spammed out in an attack during the last few days of October, taking advantage of an unpatched Windows vulnerability to infect innocent PCs.
"PDFex only started to circulate at the very end of the month, but still managed to account for over 13 percent of all emailed malware during October. It was heavily spammed out between 26-28th October, and during that period, it accounted for a staggering two thirds, or 66 percent, of all malware spread via email," said Carole Theriault, senior security consultant at Sophos. "PDFs have long been used in business as a means of sharing information, so the social engineering trickery of using a PDF puts insufficiently protected businesses at risk. Adobe has issued an update to its Acrobat software that fixes the problem, and eyes are now turned to Microsoft to patch the underlying flaw in Windows which could also affect other vulnerable applications such as Skype and Firefox."
The top ten list of email-based malware threats in October 2007 reads as follows:
1. Troj/Pushdo 25.4%
2. W32/Netsky 18.3%
3. Troj/PDFex 13.6% NEW ENTRY
4. W32/Zafi 8.4%
5. W32/Mytob 7.4%
6. Mal/Iframe 6.5%
7. Troj/Dloadr 4.0%
8. W32/MyDoom 3.9%
9. W32/Traxg 2.8%
10. Mal/Dropper 2.3%
Although criminals are currently using PDF files to try to infect innocent PCs with malware, SophosLabs has seen little evidence that spammers are continuing to use PDF files to get their unwanted marketing messages in front of computer users.
Sophos’s research also indicates a slight decrease in the percentage of infected email. Overall in October, 0.1 percent of emails were carrying malicious attachments, or one in every 1,000, compared to one in every 833 during September.
Web attacks continue to pose a significant threat, with Mal/Iframe being responsible for almost seven out of every ten infections found on the web by Sophos. During October, Sophos detected an average of 5,200 new compromised webpages hosting malicious code each day, a similar figure to last month.
The top ten list of web-based malware threats in October 2007 reads as follows:
1. Mal/Iframe 68.7%
2. Troj/Unif 15.9%
3. Mal/ObfJS 5.4%
4. Troj/Fujif 3.4%
5. Troj/Decdec 0.7%
6. Troj/Zlobar 0.7%
7. Mal/Packer 0.6%
8. Troj/Psyme 0.5%
9. Troj/Rectoun 0.3%
10. Troj/Spywad 0.3%
Troj/Unif is a new entry at number two this month, accounting for 15 percent of all infected webpages. It was used by hackers in a number of coordinated attacks during October, where legitimate webpages were compromised and visitors were subsequently redirected to a series of attack sites, hosted in countries all over the world, from Turkey to Malaysia.
The top ten list of countries hosting malware-infected webpages in October 2007 reads as follows:
1. China (including Hong Kong) 51.5%
2. Russia 20.9%
3. United States 14.3%
4. Ukraine 1.7%
5. Netherlands 1.2%
6. Canada 1.1%
7. Argentina 0.9%
8. South Korea 0.8%
9. Germany 0.7%
10. Singapore 0.6%
China continues to hold the top position and was responsible for hosting more than half of all the infected webpages detected by Sophos during October. Significantly, Russia and the US have swapped places this month. Russia was responsible for hosting a fifth of infected webpages in October, up more than five percent on its September figure, while the US continues to decrease its impact. The US now hosts less than 15 percent of malicious pages served up on the internet, whereas six months ago it accounted for double that.
Ukraine and the Netherlands, this month holding the fourth and fifth positions, hosted a surprisingly large number of infected webpages in October considering their populations and number of PCs. Although these two countries were responsible for hosting less than three percent of infected webpages between them, the sheer volume of pages being infected worldwide on a daily basis means that even a tiny percentage equates to a significant amount of malware.
"In October, we saw a large Dutch domain attacked by Mal/ObfJS. With the infection spreading to all the pages the domain served up, it significantly impacted the Netherlands’ position in the chart. As the domain has now cleaned up the infection, we hope that the country will be able to slip out of Sophos’s next top ten list. This should be a wake-up call to other web providers to ensure they have the right protection and up-to-date patches in place to stop a potential infection in its tracks," concluded Theriault.
Graphics of the above top ten virus chart are available at: