While attack strategies and statistics may change, one thing remains the same: the most dangerous digital desperadoes aren't wreaking havoc for fun. They're in it for the money.
That's the takeaway from Symantec Corp.'s threat report for the second half of 2005. The Cupertino, Calif.-based AV giant released the report Tuesday. It covers the threat landscape over the six-month period between July 1 and Dec. 31, 2005. Many of the themes are similar to those in its report for the first half of the year, most notably:
- Attackers continue to shift their attacks from the perimeter to Web applications.
- Massive, headline-grabbing attacks are giving way to stealthier and more targeted assaults.
- Malicious activity is increasingly motivated by money.
"We're also seeing an increase in 'modular' malcode," said Dean Turner, senior manager of Symantec Security Response. He said attackers have moved toward modular malcode because initially it appears to have limited functionality, but soon morphs into something else. "They'll try to disable the firewall. Then they will open a backdoor and download additional functionality."
The report also shows attackers continuing to harness botnets, even though the actual number of bot-infested machines appears to have decreased slightly.
Here's a breakdown of Symantec's findings:
- For the fifth straight reporting period, the Microsoft SQL Server resolution service stack overflow (formerly referred to as Slammer) was the most common attack. It was used by 45% of all attackers.
- Symantec sensors from its customers' firewall and IDS tools detected an average of 39 attacks per day. This is a decrease of 18 attacks per day from the last reporting period.
- Known bot network computers decreased from 10,347 per day in the first half of 2005 to 9,163 per day in the second half of the year. The United States had the highest percentage of bot-infected hosts globally with 26%.
- The highest percentage of bot network command-and-control servers, 47%, were found in the U.S. South Korea had 9% of the worldwide total and Canada had 6%.
- Financial services was the most frequently targeted industry, followed by education and small business.
- The time between the disclosure of a vulnerability and the release of associated exploit code increased from six days to 6.8 days.
- On average, 49 days elapsed between the appearance of a vulnerability and the release of a patch by the affected vendor.
- Web application vulnerabilities made up 69% of all new vulnerabilities disclosed during the last half of 2005, a 15% increase over the last reporting period.
- Of the flaws disclosed in the second half of 2005, 97% were rated as moderately or highly severe. Seventy-nine percent were classified as easy to exploit.
- Microsoft Internet Explorer had 24 vendor- and non-vendor-confirmed vulnerabilities, the highest number of all Web browsers.
- The Mozilla family of browsers had 13 vendor-confirmed vulnerabilities.
- Sober-X was the most widely reported malicious code sample for the reporting period. It was the Sober variant that a number of AV firms predicted would reemerge Jan. 3, but largely failed to materialize.
- With Sober-X removed from consideration, malicious code that exposed confidential information made up 80% of the top 50 malicious code samples reported to Symantec, up from 74% in the previous reporting period and up 54% during the same period last year.
- Modular malcode accounted for 88% of the top 50 malicious code samples reported to Symantec in the last six months of 2005, up from 77% in the first half of 2005. Modular malcode are code segments that appear to have limited capabilities but often open a backdoor and enable a broader attack.
- Symantec documented more than 10,992 new Win32 viruses and worms, up slightly from 10,866 in the first half of 2005.
- In the second half of the year, 6,542 new distinct variants of Spybot were reported, an increase of nearly 3% over the previous six months.
- Of the malcode targeting instant messaging (IM) services, worms made up 91%.
Additional security risks
- The most commonly reported adware program was WebSearch, which accounted for 19% of the top 10 adware programs.
- Comet Cursor was the most frequently reported spyware program, accounting for 42% of the top 10 spyware programs.
- During the current reporting period, Symantec detected an average of 7.9 million phishing attempts per day, an increase of 9% over the previous reporting period.
- Spam made up 50% of all e-mail traffic observed by Symantec antifraud sensors. The United States was the country of origin with 56% of worldwide spam.
- Spam associated with financial goods and services was the most common type of spam detected by Symantec antifraud filters.
Sourcing Symantec's findings
The conclusions in Symantec's threat reports are based on research gathered from the following sources:
DeepSight Threat Management System and Managed Security Services. Through these services, the firm has more than 24,000 sensors monitoring network activities in over 180 countries.
Antivirus programs. Symantec said more than 120 million client, server and gateway systems that use Symantec antivirus products generate reports on malicious code, including spyware and adware.
Vulnerability database. The company maintains a database on more than 13,000 vulnerabilities affecting more than 30,000 technologies from more than 4,000 vendors.
BugTraq. Symantec operates BugTraq, a forum where vulnerabilities are disclosed and discussed. The service has more than 50,000 subscribers.
Probe Network. Symantec also operates a system of more than 2 million decoy accounts that attract e-mail messages from 20 different countries. Symantec uses the system to measure global spam and phishing activity.