Key Findings of the Symantec Internet Security Threat Report (page 1 of 3)

So concludes the latest volume of Symantec's comprehensive Internet Security Threat Report, released last month, offering an overview of the threat activity that took place between January 1 and June 30, 2005. The report, whose data is drawn from more than 24,000 sensors monitoring network activity in over 180 countries, makes it unmistakably clear that a shift in the threat landscape has occurred. This article provides an overview of the main findings of the report.

Hacking for profit

During the first six months of 2005, new methods of using malicious code for financial gain were observed with increasing frequency. Symantec also uncovered evidence indicating that bot networks are available for hire. (Bots -- short for "robots" -- are programs that are covertly installed on a user's computer in order to allow an unauthorized user to control the computer remotely. They are designed to let an attacker create a network of compromised computers known as a bot network.) These can be used for malicious purposes, such as extorting money from e-commerce sites by threatening denial of service (DoS) attacks.

And the use of bots is on the rise. In the first six months of 2005, Symantec identified an average of 10,352 bots per day, up from less than 5,000 per day in December 2004. The increase in bot activity has likely driven a corresponding increase in DoS attacks. This may be related to financial motives, as DoS attacks have been reported in extortion attempts. Symantec also observed a dramatic increase in bot variants in the first half of 2005.

Exposure of confidential information

Between January 1 and June 30, 2005, malicious code that exposed confidential information represented 74% of the top 50 malicious code samples reported to Symantec, up from 54% the previous six months. The rise in confidential information threats is also likely due to the rapid proliferation of bots during this period. Such developments are becoming more worrisome as online shopping and Internet banking continue to increase.

Malicious code variants proliferate

Further evidence of a shifting threat landscape: over the first half of 2005, Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the 7,360 documented in the second half of 2004. It is also an increase of 142% over the 4,496 documented in the first half of 2004. Win32 threats are executable programs that operate by using the WIN32 API. This massive increase in variants is important because each variant represents a new, distinct threat against which administrators must protect their systems and for which antivirus vendors must create a new antivirus definition. Symantec believes the substantial rise in the number of Win32 viruses and worms over the past six months is due to the tremendous increase of Win32 worms that implement bot features -- such as remote access through IRC channels and denial of service capability -- that attackers can use for financial gain. As of June 30, 2005, the total number of Win32 variants surpassed 28,000.

Phishing and spam continue to grow

The report also found that phishing attacks continue to proliferate. The volume of phishing messages grew from an average of 2.99 million messages a day to 5.70 million. One out of every 125 email messages scanned by Symantec Brightmail AntiSpam was a phishing attempt, an increase of 100 percent from the last half of 2004. Symantec Brightmail AntiSpam antifraud filters were blocking more than 40 million phishing attempts per week on average, up from approximately 21 million per week at the beginning of January.