Mass Mailed Worms Here To Stay
2005-02-01 00:08:00
Predictions of the demise of the mass-mailed worm are premature, a security researcher said Tuesday.
"I think that's maybe wishful thinking," said Pete Simpson, the manager of ClearSwift's threat lab, as the security firm released its annual 2004 retrospective report.
Some analysts have said that the traditional mass-mailed worms -- like Bagle and Netsky and MyDoom, all big names in 2004 -- will fall by the wayside as hackers and criminals turn to other techniques, such as network worms that use operating system vulnerabilities to compromise computers à la Sasser. Simpson says the report of their death, to paraphrase Mark Twain, has been greatly exaggerated.
"We've seen several Bagles and MyDooms in the last few weeks. I don't think [mass-mailed worms] are lying down. Instead, they'll diversify by mixing other attack avenues rather than dropping mass-mailing."
That trend of increasing complexity has been cited by security experts for the past two years. In early 2004, the buzzword was "blended threat," but Simpson's term now is "convergence."
"The compartmental labels such as 'virus,' 'worm,' 'Trojan,' 'spyware,' and 'phish' are losing utility," he said, "as multifaceted malware emerges sharing several of these attributes. This is a quite different phenomenon from the so-called 'blended threats' that simply use several spreading vectors, such as mass-mailing, network shares, and file-sharing networks."
Simpson expects that the comparatively overt style of phishing attacks known today -- where scammers must dupe users into visiting a fake Web site and spilling personal secrets such as credit card or bank account numbers -- will soon be replaced by a more insidious threat.
Already seen in limited numbers, this newer style of phishing relies on planting spyware, usually key loggers but sometimes also screen capture software, on compromised computers to invisibly watch users. "Phishing primarily will become a matter of inserting spyware. That lets the criminals just sit back and wait until the user does, say, his online banking, and then snaps up the keystrokes."
To get this spyware on users' PCs, phishers are using, and will increasingly use, malicious code like worms, or team with worm or virus writers, to attack, infect, and take control of numbers of computers. There were signs late in 2004, however, that some were using another method: by drawing users to legitimate sites and then exploiting vulnerabilities within the browser, primarily Microsoft's Internet Explorer, they managed to load spyware on machines.
A side effect of such a shift in phishing will be to open the scamming playing field to even more criminals. Phishing attacks now require some sophistication, since the bogus Web site has to mimic the real thing, and URLs must be spoofed or disguised to trick the greatest number of people. And large-scale spam campaigns must be launched to get out the huge numbers of e-mails required for a successful rip-off.
That goes out the window when phishers rely on spyware to help them steal identities. "If they're monitoring all the keystrokes or images on the screen there's no need to build a replica Web site, is there?" asked Simpson.
Simpson's take on 2005 is decidedly gloomy. "I don't see any reversal in this trend [of more dangerous threats]," said Simpson, "not once criminal elements involved in money-making schemes are broadly established [in hacking]."