It's been a good year for cybercrooks, especially those with the foresight to have gotten in on the boomingTrojan horse business.

The number of new worms, viruses, and Trojan horses jumped 48 percent in 2005, a security company said Tuesday, as it detailed the year's security woes.

U.K.-based Sophos detected nearly 16,000 new threats from January to November, 2005, a major bump from the 10,724 during the same period in 2004. Every month in 2005 posted larger-than-last-year numbers, but November, which was marked by the debut of a strong Sober.z worm, outpaced all others. By Sophos' records, 1,940 new viruses, worms, Trojans, and spyware threats were spotted last month, its largest-ever monthly increase. If that pace were to continue, the next 12 months would see a whopping 23,000 threats.

Topping Sophos' top-10 chart was the long-running Zafi.d, a mass-mailed worm that made itself known almost a year ago: It accounted for 16.7 percent of all threats detected during the first 11 months of 2005. Netsky.p took second place, with 15.7 percent, while the new Sober.z came in at third, with six percent.

"Given more time, Sober.z would have dominated the chart, but its emergence in late November prevented it from taking pole position," said Graham Cluley, senior technology consultant at Sophos.

But it's not the threats that make national news that has Cluley, and other security experts, worried.

"Trojan horses are the real growth area," said Cluley. Sophos' report noted that new Trojan horses outnumbered Windows-oriented worms and viruses by almost 2:1. In 2005, Trojans accounted for 62 percent of all threats, while Windows worms made up 35 percent of the total.

"This [overall] increase stems from the escalating interest in authoring Trojans by criminal gangs intent on making a profit," said Cluley. "By focusing their efforts on a smaller number of victims [with Trojans], cybercriminals can increase their chances of slipping under the security net.

"The recent Sober.z worm is unusual," Cluley went on. "It's an old-school worm. That doesn't work for the criminally minded, who actually think that infecting millions is just a nuisance. They want to infect only enough machines to create a steady revenue stream from identity theft or selling systems to spammers."

The focus on making money from computer security threats isn't new--Cluley acknowledged that it's a trend which continues to build--but the overwhelming number of Trojan horses is evidence of the practice. "At least now we have some hard facts," he said.

Sophos' analysis of 2005's threats also disclosed their most common characteristics for the first time. Nearly 42 percent of all threats allowed others to access a compromised machine, while 40 percent downloaded code from a Web site using so-called "drive-by download" exploits. Thirty-four percent stole some kind of information, while 16 percent included a keylogger.

One in ten threats exploited a known vulnerability, and almost one in six tried to disable anti-virus software.

On the spam front, Cluley noted the rapid rise in "pump-and-dump" stock spam scams.

"That's the kind of spam where spammers buy a lot of penny stocks, send out messages to promote the stock, then when the price climbs, they sell their shares," said Cluley. "These spammers don't have to deliver any product or even create a Web site. All they have to do to make money is convince enough people to invest in a stock, then sell their shares. And if the price hasn't gone up, they haven't lost anything."

By November, pump-and-dump spam accounted for 13.5 percent of all spam; at the beginning of the year, it was a measly 0.8 percent.

"A lot of these spams are getting through anti-spam products," said Cluley, "because they don't include a link to a URL, a common technique defenses use to spot spam."