Attacks driven by love of money

By Bill Brenner, Senior News Writer
07 Mar 2006 | SearchSecurity.com

Security Wire Daily News
While attack strategies and statistics may change, one thing remains the same: the most dangerous digital desperadoes aren't wreaking havoc for fun. They're in it for the money.

That's the takeaway from Symantec Corp.'s threat report for the second half of 2005. The Cupertino, Calif.-based AV giant released the report Tuesday. It covers the threat landscape over the six-month period between July 1 and Dec. 31, 2005. Many of the themes are similar to those in its report for the first half of the year, most notably:

"We're also seeing an increase in 'modular' malcode," said Dean Turner, senior manager of Symantec Security Response. He said attackers have moved toward modular malcode because initially it appears to have limited functionality, but soon morphs into something else. "They'll try to disable the firewall. Then they will open a backdoor and download additional functionality."

Symantec also observed a significant spike in attacks coming from China. Turner said attacks originating from computers there rose 153%. But the United States continues to be the place where most attacks are initiated. Turner said 31% of all attacks originated in the U.S. in the second half of 2005. Seven percent of attacks were from China and 6% originated in Britain.

The report also shows attackers continuing to harness botnets, even though the actual number of bot-infested machines appears to have decreased slightly.

Here's a breakdown of Symantec's findings:

Attack trends

  • For the fifth straight reporting period, the Microsoft SQL Server resolution service stack overflow (formerly referred to as Slammer) was the most common attack. It was used by 45% of all attackers.
  • Sensors on Symantec customers' firewalls and IDS tools detected an average of 39 attacks per day, a decrease of 18 attacks per day from the last reporting period.
  • Known bot network computers decreased from 10,347 per day in the first half of 2005 to 9,163 per day in the second half of the year. The United States had the highest percentage of bot-infected hosts globally with 26%.
  • The highest percentage of bot network command-and-control servers, 47%, were found in the U.S. South Korea had 9% of the worldwide total and Canada had 6%.
  • Financial services was the most frequently targeted industry, followed by education and small business.

Vulnerability trends

  • The time between the disclosure of a vulnerability and the release of associated exploit code increased from six days to 6.8 days.
  • On average, 49 days elapsed between the appearance of a vulnerability and the release of a patch by the affected vendor.
  • Web application vulnerabilities made up 69% of all new vulnerabilities disclosed during the last half of 2005, a 15% increase over the last reporting period.
  • Of the flaws disclosed in the second half of 2005, 97% were rated as moderately or highly severe. Seventy-nine percent were classified as easy to exploit.
  • Microsoft Internet Explorer had 24 vendor- and non-vendor-confirmed vulnerabilities, the highest number of all Web browsers.
  • The Mozilla family of browsers had 13 vendor-confirmed vulnerabilities.

Malcode trends

  • Sober-X was the most widely reported malicious code sample for the reporting period. It was the Sober variant that a number of AV firms predicted would reemerge Jan. 3, but largely failed to materialize.
  • With Sober-X removed from consideration, malicious code that exposed confidential information made up 80% of the top 50 malicious code samples reported to Symantec, up from 74% in the previous reporting period and from 54% during the same period last year.
  • Modular malcode accounted for 88% of the top 50 malicious code samples reported to Symantec in the last six months of 2005, up from 77% in the first half of 2005. Modular malcode is code that appears to have limited capabilities but often opens a backdoor and enables a broader attack.
  • Symantec documented more than 10,992 new Win32 viruses and worms, up slightly from 10,866 in the first half of 2005.
  • In the second half of the year, 6,542 new distinct variants of Spybot were reported, an increase of nearly 3% over the previous six months.
  • Of the malcode targeting instant messaging (IM) services, worms made up 91%.

Additional security risks

  • The most commonly reported adware program was WebSearch, which accounted for 19% of the top 10 adware programs.
  • Comet Cursor was the most frequently reported spyware program, accounting for 42% of the top 10 spyware programs.
  • During the current reporting period, Symantec detected an average of 7.9 million phishing attempts per day, an increase of 9% over the previous reporting period.
  • Spam made up 50% of all e-mail traffic observed by Symantec antifraud sensors. The United States was the leading country of origin, accounting for 56% of worldwide spam.
  • Spam associated with financial goods and services was the most common type of spam detected by Symantec antifraud filters.

Sourcing Symantec's findings

The conclusions in Symantec's threat reports are based on research gathered from the following sources:

DeepSight Threat Management System and Managed Security Services. Through these services, the firm has more than 24,000 sensors monitoring network activities in over 180 countries.

Antivirus programs. Symantec said more than 120 million client, server and gateway systems that use Symantec antivirus products generate reports on malicious code, including spyware and adware.

Vulnerability database. The company maintains a database on more than 13,000 vulnerabilities affecting more than 30,000 technologies from more than 4,000 vendors.

BugTraq. Symantec operates BugTraq, a forum where vulnerabilities are disclosed and discussed. The service has more than 50,000 subscribers.

Probe Network. Symantec also operates a system of more than 2 million decoy accounts that attract e-mail messages from 20 different countries. Symantec uses the system to measure global spam and phishing activity.
