Software vulnerability disclosures are in decline forcing cybercriminals to use targeted attacks against third-party browser components, according to two global threat reports issued by Microsoft and Symantec Corp.
Version 8 of the Microsoft Security Intelligence Report was issued today, outlining global information security trends observed by the software giant in the second half of 2009. Much of its data is gleaned from users of its Security Essentials software and its Hotmail webmail and Bing search engine. The annual Symantec Global Internet Security Threat Report tracked trends for all of 2009, using data from users of its security software and gateway products.
Vulnerability disclosures were down 8.4% in the second half of 2009, according to Microsoft's analysis. The number of severe vulnerabilities was also down 9% in that same period and down 30% since the second half of 2008.
Symantec saw similar declines, noting a decrease in Internet Explorer vulnerabilities as well as an overall decrease in malicious activity in 2009 in the United States. The U.S. was the top country for overall malicious activity observed by Symantec, making up 19% of all malicious activity, a 3% decrease from 2008.
Ben Greenbaum, a senior research manager at Symantec Security Response, said the decline in malicious activity can be attributed to a number of factors. Attackers have turned to countries where broadband penetration is relatively new, he said. India and Brazil represent the emerging countries making the top 5 list of malicious activity, which includes the U.S., China and Germany. Attackers choose emerging countries because they have fewer laws protecting users, he said. People with Internet access for the first time may also be more susceptible to phishing and Web-based attacks.
"It's kind of a wild west scenario," Greenbaum said. "They have an online population large enough to meet the threshold of being worthwhile for attackers."
Of the top attacked vulnerabilities observed by Symantec in 2009, four of the top five were client-side vulnerabilities. Symantec said attackers targeted remote code execution vulnerabilities in Adobe Reader and Flash Player as well as third-party components in Microsoft Internet Explorer.
Attacks targeting ActiveX vulnerabilities are the most prevalent, but they are on the decline, making up 42% of the total in 2009 from 70% of the total Web-based attacks in 2008. Security improvements in Internet Explorer 7 and 8 have helped alleviate many attacks targeting ActiveX controls. But attackers are turning to other browser components, Greenbaum said.
"Attackers are very adaptable," he said. "As one kind of attack brings to bear less fruit for them, they'll begin to focus on other areas."
Attack toolkits gain sophistication and sharpen focus
Microsoft said automated attack tools, designed to make it easier for cybercriminals to scan victim machines using multiple exploits, are also undergoing change. Many kits contain fewer exploits than in the past due to a rise in successful attacks against third-party browser components, Microsoft said. In the past the kits contained four to six working exploits. In the second half of 2009, the number of exploits dropped, averaging 2.3 exploits per kit, Microsoft said.
However, not all toolkits are equal. Microsoft observed a toolkit with 23 working exploits. Toolkits continue to target Microsoft vulnerabilities. More than 55% of all attacks targeted Windows XP machines, according to a sampling of browser-based exploits analyzed by Microsoft. A growing number are targeting third-party components (45%) on Windows XP. The figure is even higher for Windows 7 machines with more than 75% of Web-based attacks targeting third-party components.
Symantec also noted the growing popularity of the attack toolkit. Greenbaum cautioned that attack toolkits like Fragus, Eleonore, and Neosploit still carry a lot of exploits to older vulnerabilities, as attackers attempt to take advantage of people using outdated software.
The Zeus toolkit, known for causing problems in the banking industry by infecting victims' computers with password stealing malware, contained 90,000 unique malware variants, Symantec said. Traditional signature-based antivirus can't keep up with the tens of thousands of variants, Symantec said, noting that it should be supplemented with behavioral analysis and reputation-based security.
"The increased sophistication of these kinds of toolkits has lowered the technological prowess of those using them to pull off these kinds of attacks," Greenbaum said. "One signature will capture many variants, but not all of them."