PCs Have 50-50 Shot At Infection In Just 12 Minutes
Sophos reported that it had pinpointed 7,944 new pieces of malicious software in the first six months of the year, an increase of 59 percent compared to the first half of 2004.
The firm's researchers tracked an even larger spike in the number of keylogging Trojan horses. According to Sophos, that category has tripled in number.
"We are seeing a large amount of new Trojan horses on a daily basis, representing what may be the most significant development in malware writing," said Gregg Mastoras, a Sophos senior security analyst, in a statement.
Keyloggers are increasingly used not only by spyware criminals, but by general hackers as well. These small programs are usually delivered via e-mail attachments or installed from malicious sites linked from spammed messages, and more and more they also show up as links sent by instant messaging clients. They record keystrokes, sometimes only those associated with online banking sites, and send that data to the hacker, who quickly empties the account.
Trojan horses often don't make the monthly Top 10 lists that many security vendors crank out, since they don't spread on their own. But their impact can be significant. Last month, for instance, the U.K.'s version of US-CERT, the National Infrastructure Security Co-ordination Center (NISCC), made the unprecedented move of publicizing a long-running, well-organized, and tightly targeted Trojan-based attack on government agencies and companies in Britain.
"Trojans typically don't make the charts because they don't spread on their own and are used for targeted attacks, which are designed to make money or steal information," added Mastoras.
Along with the rapid rise in malware, Sophos researchers said, came a quick decrease in the amount of time an unprotected PC is likely to survive without an infection when connected to the Internet.
Sophos estimated that a new PC stands a 50-50 chance of being infected by a worm within 12 minutes of being connected to the Internet. (Other analysts, such as the Internet Storm Center, put the current average survival time at around 34 minutes.)
The company's list of most "popular" (read "prevalent") worms and viruses for the first half of 2005 held no surprises.
Top of the list was Zafi.d, which accounted for more than 25 percent of all viruses reported this year, even though it rolled out in mid-December 2004 and uses a Christmas greeting to entice recipients to open its attachment.
"Most surprising is that Zafi.d managed to hang around long after the festive season and well into the spring," said another Sophos analyst, Graham Cluley, in a statement. "It's only in the last two months that Zafi.d has started to lose its stranglehold on the chart. But it's still a significant threat."
Another 2004 worm, Netsky.p, held second place in Sophos' list, accounting for 17.5 percent of the total tracked.
Sober.n, in third, is the top-ranked 2005 worm. The bilingual (English and German) worm debuted in May, and gained ground quickly by offering free tickets to next year's World Cup. Early on, it accounted for a whopping 70 percent of all mail traffic.
"The Sober family is an example of how damaging the collaborative efforts between virus writers and spammers can be, hijacking the computers of legitimate organizations to create zombies, whose purpose is to perpetuate the generation of more spam," commented Mastoras.
Other malware on the six-month chart includes more variants of Netsky and Sober, as well as a pair of Mytobs, an especially prolific family that, during a seven-day run in June, generated an average of 2.7 versions per day.