Central Command, Inc., an anti-virus and anti-spam company based in Medina, Ohio, stopped 150 percent more infectious emails in their anti-virus filters than they did in October, which was a record-breaking month in its own right. And this past November saw 185 percent more virus outbreaks than November of 2004, according to Steve Sundermeier, a vice president with Central Command.
''It was a bad month,'' says Sundermeier. ''The number of viruses increased in November but the actual volume of malware was significantly higher because of Sober, which we have as accounting for one in 17 emails last month.''
Actually, the Sober-AI variant was the most prolific worm for all of November, accounting for 64.58 percent of all malware plaguing the Internet, according to analysts at Central Command. The rest of the top five came in far behind their malicious ranking leader: Mytob-IU came in second accounting for 2.66 percent of all malware; Mytob-NO was third with 2.49 percent; Mytob-NX was fourth with 2.31 percent, and Netsky-D was fifth with 2.20 percent.
Sophos, Inc., an anti-virus and anti-spyware company with U.S. headquarters in Lynnfield, Mass., has a similar top five list. Sophos analysts give the malware this ranking: Sober-Z took first place with 42.9 percent; Netsky-P was second with 8.1 percent; Mytob-GH was third with 6.8 percent; Mytob-EX was fourth with 4.5 percent, and Zafi-D was fifth with 4 percent. (Keep in mind that different vendors often assign the same variants slightly different names.)
''Since we saw the first Sober worm back in October 2003, its author has tried to improve upon tried-and-tested tricks to dupe computer users into launching infected attachments,'' says Carole Theriault, senior security consultant at Sophos, in a written statement. ''This latest worm claims to be a warning from CIA and FBI agents, accusing recipients of visiting illegal Websites. Mocking the feds is a sure-fire way of goading the authorities, and you can't help but wonder whether the author is desperate to be caught.''
Sundermeier tells eSecurityPlanet that Sober-AI isn't a new and super piece of malicious code -- it's simply well-designed.
''It's author didn't reinvent the wheel but it uses a combination of several factors,'' says Sundermeier. ''It reproduces very easily. Lots of times we see little coding flaws in the propagation routines and that didn't exist with this version. It used its own SMTP engine, and it was good at harvesting email addresses from compromised machines... It just works really well.''
Mytob is crowding top five lists simply because of sheer volume, says Sundermeier. There are hundreds of Mytob variants on the Internet at this point and that makes for a lot of infected machines. And that means it's easier for the new variants to get a foothold and spread quickly around the globe.
And Sundermeier says he's predicting an active December.
Sober-AI continues to dominate, he notes, pulling down big numbers as the month begins. ''And December has been known in the past to be a bad month for virus activity,'' Sundermeier adds. ''At the least, we generally see something new. In December of 2004, we had the Zafid worm and that topped the charts for a while. In December of 2003, we had another Sober variant released and that topped the charts for the month. And lately we have this trend where every month outdoes the last in terms of total volume.''