Arthur Wong, the vice president of Symantec Security Response and Managed Security Services said attackers are launching increasingly sophisticated attacks in an effort to compromise the integrity of corporate and personal information.
This was one key finding from Symantec’s latest Internet
Security Threat Report. The seventh bi-annual report provides analysis and discussion of trends in Internet attacks, vulnerabilities, malicious code activity, and additional security risks for the period of July 1, 2004 to Dec. 31, 2004.
Other key findings include:
Rise in threats to confidential information
Over the past three reporting periods, threats with the potential to expose confidential information have continued to increase. Between July 1 and Dec. 31, 2004, malicious code created to expose confidential information represented 54 per cent of the top 50 malicious code samples received by Symantec, up from 44 per cent in the first six months of the year and 36 per cent in the second half of 2003. This is partially due to the proliferation of Trojan horses. Between July 1 and Dec. 31, 2004, Trojans represented 33 per cent of the top 50 malicious code reported to Symantec.
Steady Increase in Phishing Attacks
As predicted in the previous volume of the Internet Security Threat Report, the number of phishing attacks is increasing. Phishing is a method to steal confidential information such as passwords, credit card numbers, and other financial information. By the end of December 2004, Symantec Brightmail AntiSpam antifraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per week in July 2004. This represents an increase of over 366 per cent. Symantec expects that phishing will continue to be a very serious concern over the next year.
Increase in Attacks Against Web Applications
Web applications are popular targets because they enjoy widespread deployment and can allow attackers to circumvent traditional perimeter security measures such as firewalls. They are a serious security concern because they may allow attackers access to confidential information without having to compromise individual servers. Nearly 48 percent of all vulnerabilities documented between July 1 and Dec. 31, 2004 were Web application vulnerabilities, a significant increase from the 39 per cent documented in the previous six-month period.
Rise in Number of Windows Virus/Worm Variants
Due to the widespread deployment of Microsoft Windows operating systems in enterprise and consumer environments, Windows 32 viruses and worms pose a serious threat to the security and integrity of the computing community. From July 1 to Dec. 31, 2004, Symantec documented more than 7,360 new Windows 32 virus and worm variants. This represents an increase of 64 per cent over the previous six-month period. As of Dec. 31, 2004, the total number of documented Windows 32 threats and their variants was approaching 17,500. Because a failure to prevent, detect, or remove these threats could mean severe financial losses, the disclosure of confidential information, and the loss of data, organizations are challenged with updating their antivirus solutions more often than ever before which, in turn, puts more pressure on current resources.
Increase in Severe, Easy-to-Exploit, Remotely Exploitable Vulnerabilities
Between July 1 and Dec. 31, 2004, Symantec documented more than 1,403 new vulnerabilities, which translates into more than 54 new vulnerabilities per week or almost eight new vulnerabilities per day. Of these, 97 per cent were considered moderately or highly severe, which means that successful exploitation of the vulnerability could result in a partial or complete compromise of the targeted system. Furthermore, 70 per cent were considered easy to exploit, which means that either no custom code is required to exploit the vulnerability or that such code is publicly available. Compounding this problem is that nearly 80 per cent of all documented vulnerabilities in this reporting period are remotely exploitable, which likely increases the number of possible attackers.
For the third straight reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack (formerly known as the Slammer attack) was the most common attack, used by 22 per cent of all attackers. The second most common attack was the TCP SYN Flood Denial of Service Attacked, which was launched by 12 per cent of attackers. Organizations received 13.6 attacks per day, up from 10.6 in the previous six months. The United States continues to be the top attack source country, followed by China and Germany. The financial services sector experienced the highest ratio of severe attacks, with 16 severe events per 10,000 security events.
The time between the disclosure of a vulnerability and the release of associated exploit code remained extremely short at 6.4 days. Symantec documented 1,403 new vulnerabilities, a 13 per cent increase over the previous six-month period. Ninety-seven per cent of documented vulnerabilities were considered either highly or moderately severe. Moreover, 70 per cent of all documented vulnerabilities were classified as easily exploitable. Web application vulnerabilities made up 48 per cent of all vulnerabilities disclosed, up from 39 per cent in the first half of 2004. Vulnerabilities targeting Web applications are often classified as easily exploitable. Vulnerabilities are affecting new alternative browser distributions. During the last six months of 2004, 21 vulnerabilities affecting Mozilla browsers were disclosed, compared to 13 vulnerabilities affecting Microsoft Internet Explorer. Six vulnerabilities were reported in Opera.
Malicious code trends
As in previous reports, mass-mailing worms dominated the top malicious code reported over the last six months of 2004. Eight of the top 10 samples reported to Symantec during this period were variants of mass-mailer worms that have been seen in previous reports, including Netsky, Sober, Beagle, and MyDoom. Two bots were present in the top 10 malicious code samples, compared to just one in the previous reporting period.Gaobot was the third most frequently reported sample over the past six months,followed by Spybot. Moreover, 4,300 new distinct variants of Spybot werereported, an increase of 180 per cent over the previous six months. Symantec documented more than 7,360 new Windows 32 viruses and worms, an increase of 64 per cent over the first half of the year and an increase of more than 332 per cent over the 1,702 documented in the second half of 2003. As of Dec. 31, 2004, the total number of Windows 32 variants approached 17,500. Malicious code that exposes confidential information made up 54 percent of the top 50 malicious code samples, up from 44 per cent in the previous reporting period and 36 per cent in the second half of 2003. This represents a 23 per cent increase between the current period and the first half of 2004 and a 50 percent increase over the same period the previous year. At the end of the reporting period, there were 21 known samples of malicious code for mobile applications, up from one-the Cabir worm-in June 2004. Among the new threats were the Duts virus, the first threat to Windows CE; and the Mos Trojan, which was discovered in a Symbian game.
Additional Security Risks
In the last six months of 2004, adware programs made up five percent of the top 50 Symantec customer reports, up from four percent the previous report. Iefeats was the most commonly reported adware program, accounting for 36 percent of top 10 reports. Webhancer was the most frequently reported spyware program during the second half of 2004, representing 38 per cent of the top 10 spyware reported. Five of the top 10 adware reported samples were installed via a Web browser. Nine of the top 10 reported spyware programs were bundled with other software. Symantec reported a 77 per cent growth in spam for companies whose systems were monitored for spam; the weekly totals of spam raised from an average of 800 million spam messages per week to more than 1.2 billion spam messages per week by the end of the reporting period. Moreover, spam made up more than 60 per cent of all e-mail traffic observed by Symantec during this period.
Future and Emerging Trends
The use of bots and bot networks for financial gain will likely increase, especially as the diverse means of acquiring new bots and developing bot networks become more prevalent. Malicious code targeting mobile devices is expected to increase in number and severity. With many groups researching vulnerabilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating by exploiting these vulnerabilities increases. Symantec expects that client-side attacks using worms and viruses as propagation methods will become more common. Attacks hidden in embedded content in audio and video images are expected to increase. This is worrisome becauseimage files are ubiquitous, almost universally trusted, and an integral part ofmodern day computing. Symantec expects security risks associated with adware and spyware will likely increase. Impending legislation to curb these risks is not expected to be an effective or sufficient deterrent on its own.