US worst for malware hosting and spam relaying

Sophos Security Threat Report 2007 points to growth in Web security threats
Johannesburg, 23 Jan 2007

Sophos, a world leader in IT security, has published its Security Threat Report 2007, examining the threat landscape over the previous 12 months, and predicting malware and spam developments during 2007.

The report reveals that the US hosts more than one-third of the Web sites containing malicious code identified during 2006, as well as relaying more spam than any other nation.

The top 10 countries hosting Web-based malware during 2006 were:

1. United States 34.2%
2. China 31%
3. Russian Federation 9.5%
4. Netherlands 4.7%
5. Ukraine 3.2%
6. France 1.8%
7. Taiwan 1.7%
8. Germany 1.5%
9. Hong Kong 1%
10. Korea 0.9%
Others 10.5%

The US remains a hot spot for online criminal activity, and despite authorities' continued efforts to clamp down on cyber crime, too many US-hosted Web sites still have lax security measures in place, according to Sophos.

"Given the effectiveness of Web-based attacks, Web hosting companies in the US and elsewhere need to step up their policing of published content, and ensure that malicious code is quickly removed, before innocent users get hit," says Brett Myroff, CEO of master Sophos distributor, NetXactics.

The UK ranked 19 in the chart, responsible for hosting 0.5% of all Web sites containing malicious code.

Dirty dozen spam-relaying countries

In addition to hosting the largest number of malicious Web sites, the US continues to top the list of worst spam-relaying nations. While the US has made good progress in its efforts to reduce spam-relaying statistics, there was still more spam sent from US computers in 2006 than from any other single nation.

The top 12 spam-relaying countries during 2006 were:

1. United States 22%
2. China (including Hong Kong) 15.9%
3. South Korea 7.4%
4. France 5.4%
5. Spain 5.1%
6. Poland 4.5%
7. Brazil 3.5%
8. Italy 3.2%
9. Germany 3%
10. United Kingdom 1.9%
11. Russia 1.8%
12. Taiwan 1.8%
Others 24.4%

Sophos experts note that up to 90% of all spam is now relayed from zombie computers, hijacked by Trojan horses, worms and viruses under the control of hackers. This means that the hackers do not need to be based in the same country as the computers being used to send the spam.

E-mail threats decline while malicious web content grows

Sophos found that the most prolific e-mail threats during 2006 were the Mytob, Netsky, Sober and Zafi families of worms, which together accounted for more than 75% of all infected e-mail.

However, Sophos predicts that 2007 is likely to see a significant shift away from the use of e-mail security threats, with cyber criminals instead looking to exploit the continued global growth in Web use, as well as user-defined Web content.

E-mail will continue to be an important vector for malware authors, though the increasing adoption of e-mail gateway security is making hackers turn to other routes for infection. The number of Web sites being infected with malware is on the rise. SophosLabs uncovers an average of 5 000 new URLs hosting malicious code each day.

The Internet now represents the easiest way for cyber criminals to gain entry to corporate networks, as more users are accessing unregulated sites, downloading applications and streaming audio/video, potentially jeopardising security in the process.

"Many businesses aren't geared up to gain insight into users' online behaviour, let alone control it, and it's vital that they now begin to examine ways to incorporate Web security into their overall IT security strategy," says Myroff.

Trojans taking over from spyware

During 2006 Sophos saw a decrease in the use of traditional spyware, in favour of multiple Trojan downloaders. The hacker sends a 'special offer' (or similar) e-mail in an attempt to dupe recipients into visiting a Web site containing a malicious downloader. The executable file will attempt to download additional Trojans, a process that may be repeated multiple times to try and disable all security defences, before it downloads a spyware component - which will then have a better chance of success.

Statistics reveal that in January 2006 spyware accounted for 50.43% of all infected e-mail, while 40.32% were e-mails linking to Web sites containing Trojan downloaders. By December 2006 the figures had been reversed, with the latter now accounting for 51.24%, and spyware-infected e-mails reduced to 41.87%. This trend looks set to continue into 2007 and beyond.

Malware types differ according to location

Sophos notes that 30% of all malware is now written in China, most of it taking the form of Trojans used for gaining a backdoor into users' computers. Surprisingly, 17% of malware written in China is designed for the specific purpose of stealing passwords from online gamers. In contrast, malware authors based in Brazil are responsible for 14.2% of all malware, the majority of which is designed to steal information from online bankers.

"Malware often exploits current country-specific online trends, and identifying its source helps security experts and authorities strengthen criminal profiles and bring the perpetrators to justice," Myroff adds.

Sophos detected 41 536 new pieces of malware in 2006, bringing the total protected against to 207 684. Of these threats, Trojans now outnumber Windows viruses and worms by 4:1. The proportion of infected e-mails was down from one in 44 during 2005 to just one in 337 during 2006.

The Sophos Security Threat Report 2007 can be downloaded from www.sophos.com/securityreport2007.

To listen to the latest Sophos podcast, which discusses the report and the threat landscape for 2007, please visit http://www.sophos.com/podcasts.

NetXactics

NetXactics is a South African-based company, focused on the provision of security solutions. It is the master distributor for UK-based Sophos Plc, one of the leaders in the provision of anti-virus and anti-spam software for the corporate environment. For more information, visit NetXactics at www.netxactics.co.za.

Editorial contacts

Adriaan du Plessis
Me Talk Pretty
(011) 447 3785
metalkpretty@telkomsa.net