Symantec threat report under the microscope

By Bill Brenner
22 Mar 2007 | SearchSecurity.com

Security Blog Log
Security bloggers have spent the week dissecting the latest threat report from Symantec Corp. If nothing else, Big Yellow's analysis for the second half of 2006 confirms much of what IT professionals already knew: The bad guys are using botnets and Trojans to exploit zero-day flaws so they can steal sensitive data from networks and sell it to the highest bidder.

Among the highlights of the latest report:

  • Symantec reported more than six million distinct bot-infected computers worldwide during the second half of 2006, a 29% increase from the previous period. The number of command-and-control servers used to relay commands to these bots actually decreased by 25%, which Symantec attributes to botnet owners consolidating their networks and enlarging the ones they already run.
  • Trojans accounted for 45% of the top 50 malware samples, a 23% increase over the first six months of the year.
  • Twelve zero-day vulnerabilities were counted during the second half of 2006, marking a significant increase from the one zero-day flaw documented in the first half of the year.
  • Digital miscreants are using underground economy servers to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists.
  • Theft or loss of a computer or data storage medium, such as a USB memory key, made up 54% of all identity theft-related data breaches.
  • Countries with the highest amount of malicious activity originating from their networks were the U.S. at 31%, China at 10% and Germany at 7%.

Symantec warned IT security professionals to prepare for threats against Windows Vista, with a focus on vulnerabilities, malicious code and attacks against Teredo, the IPv6-over-UDP tunneling protocol that ships with Vista. The company also predicted attackers will target third-party applications that run on Vista and step up their assault against mobile devices and virtualization programs.

"We've seen a gradual process where blended threats have morphed from a single attack targeting millions of people to higher numbers of individual attacks targeting individuals or small groups," Dean Turner wrote in the Symantec Security Response blog. "Targeted malicious code is all the rage and if you have the knowledge, skills, and a high-value target, chances are you're taking advantage of a zero-day vulnerability to install your bot software, spam zombie, phishing site, or keystroke logger."

For people like Mike Rothman, president and principal analyst of Security Incite in Atlanta, the findings were hardly surprising.

"The biggest news peg … is that the bad guys are now selling multiple pieces of identity data, basically enough to compromise your identity, for $18," he wrote in his Daily Incite blog. "Seems cheap, no? The point is that identity information is plentiful out there and that means prices are coming down."

That doesn't mean that all of those $18 identities will be compromised, but they could be, he said, adding, "That's why I pay 'insurance' to a company called LifeLock. I hope I never need it, but if I do I'd rather have these folks fight the battles with the credit rating companies. I've got too much other stuff to do."

Richard Bejtlich, founder of the Washington, D.C.-based consultancy TaoSecurity, found no new revelations in the report but thought it a pretty good overview of what's going on in cyberspace today.

"Nothing really jumped out at me … but it's good background data if you need to cite the state of digital security for a report," he wrote in his blog.

Some did find fault with sections of the report, however.

Stephen Kost, CTO of Chicago-based security firm Integrigy Corp., wrote in his blog that while he's usually not in a position to defend Oracle's patching process, he did think Symantec overshot the database giant's vulnerability count.

"[The report] inflated the vulnerability count for Oracle by comparing apples and oranges," he said. "This version of the threat report contains a comparison of the number of vulnerabilities found in five leading relational databases (Oracle, IBM DB2, Microsoft SQL Server, MySQL, and PostgreSQL) [and] Oracle looks really bad with 168 vulnerabilities published during the second half of 2006 as compared to five for IBM DB2 and zero for Microsoft SQL Server during the same period."

While Oracle has suffered plenty of flaws, Kost said the number is far less than 168. "Our internal count puts the Oracle Database-only published vulnerability count for the second half of 2006 at 49," he said.

Others found a little humor amidst all the sobering statistics.

StillSecure Chief Strategy Officer Alan Shimel wrote in his blog that it was simply nice to see Symantec writing about something other than the evils of Microsoft and Windows Vista.

"And here I just thought Symantec was busy preparing reports that knocked Vista and Microsoft's inherent conflict of interest in providing operating systems and security programs that protect them," he said.

Dave Goldsmith of New York-based Matasano Security LLC joked in the organization's blog that the report at least showed that America was leading the world in malware production.

"Overcoming stereotypes of American laziness, Symantec's research has shown that our malware authors are more productive than any other country!" he wrote.
