For the second month in a row, representatives of the new Trojan-Downloader family Diehard have been creating a considerable stir in mail traffic.
Our December 2007 Top Twenty contain three variants of this program; yet another variant has joined the rankings in the first month of 2008. The unknown authors are using exactly the same approach which made families such as Warezov and Zhelatin so successful two years ago - conducting a multitude of very short lived mass-mailings. However, in contrast to Warezov, we're not yet seeing ten new variants of Diehard every day.
All of this has a very interesting effect - older email worms end up occupying leading positions in the rankings. Two examples are NetSky.q, which seems to constantly head the Top Twenty, and Nyxem.e, which made it into second place in January. They are a constant presence in mail traffic, and it's always the same variants. However, it's not them that represent a real threat, but rather the short lived widespread mass mailings of Trojans which they conduct.
On the other hand, Warezov shows no sign of disappearing. In December, a member of this family was in third place, and in January a different variant took tenth place.
Nyxem.e, Bagle.gt and Netsky.aa have made a noticeable leap forward. They are taking up three out of the top four positions, while a mere two months ago, in November, they had only just managed to re-enter the rankings.
It's interesting that Fraud.ay, a phishing attack which targets users of Yandex.Dengi, a Russian e-payment system, has disappeared from the Top Twenty. This malicious program first appeared in April last year, and started appearing more and more frequently in autumn and at the beginning of winter. The organizers of the attack didn't waste their time and efforts attempting to evade antivirus and antispam filters - even the newest variants of phishing emails could be detected and intercepted without having to update antivirus databases.
It may happen that the attacks on Yandex will be repeated in the near future; phishing in mail traffic is likely to become much more significant in 2008. After all, the foundation for these attacks is the army of zombie computers created by Warezov and Diehard.
Other malicious programs made up 6.83% of all malicious code in mail traffic, indicating that there is still a significant number of other worm and Trojan families in circulation.
- New: Trojan-Downloader.Win32.Diehard.dg, Trojan-Dropper.Win32.Small.bdj, Email-Worm.Win32.Warezov.yi, Trojan-Downloader.Win32.Diehard.dh, Trojan-Downloader.Win32.Diehard.dj, Trojan-Downloader.Win32.Diehard.dk.
- Went up: Email-Worm.Win32.Nyxem.e, Bagle.gt, Netsky.aa, Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Bagle.gen, Net-Worm.Win32.Mytob.t.
- Went down: Email-Worm.Win32.Scano.bn.
- Re-entry: Net-Worm.Win32.Mytob.w, Net-Worm.Win32.Mytob.q, mail-Worm.Win32.NetSky.t.