Hacking for profit
During the first six months of 2005, new methods of using malicious code for financial gain were observed with increasing frequency. Symantec also uncovered evidence indicating that bot networks are available for hire. (Bots -- short for 'robots' -- are programs that are covertly installed on a user's computer in order to allow an unauthorized user to control the computer remotely. They are designed to let an attacker create a network of compromised computers known as a bot network.) These can be used for malicious purposes, such as extorting money from e-commerce sites by threatening denial of service (DoS) attacks. And the use of bots is on the rise. In the first six months of 2005, Symantec identified an average of 10,352 bots per day, up from fewer than 5,000 per day in December 2004. The increase in bot activity has likely driven a corresponding increase in DoS attacks. This may be related to financial motives, as DoS attacks have been reported in extortion attempts. Symantec also observed a dramatic increase in bot variants in the first half of 2005.
Exposure of confidential information
Between January 1 and June 30, 2005, malicious code that exposed confidential information represented 74% of the top 50 malicious code samples reported to Symantec, up from 54% the previous six months. The rise in confidential information threats is also likely due to the rapid proliferation of bots during this period. Such developments are becoming more worrisome as online shopping and Internet banking continue to increase.
Malicious code variants proliferate
Further evidence of a shifting threat landscape: over the first half of 2005, Symantec documented more than 10,866 new Win32 viruses and worms, an increase of 48% over the 7,360 documented in the second half of 2004. It is also an increase of 142% over the 4,496 documented in the first half of 2004. Win32 threats are executable programs that operate by using the Win32 API. This massive increase in variants is important because each variant represents a new, distinct threat against which administrators must protect their systems and for which antivirus vendors must create a new antivirus definition. Symantec believes the substantial rise in the number of Win32 viruses and worms over the past six months is due to the tremendous increase of Win32 worms that implement bot features -- such as remote access through IRC channels and denial of service capability -- that attackers can use for financial gain. As of June 30, 2005, the total number of Win32 variants surpassed 28,000.
Phishing and spam continue to grow
The report also found that phishing attacks continue to proliferate. The volume of phishing messages grew from an average of 2.99 million messages a day to 5.70 million. One out of every 125 email messages scanned by Symantec Brightmail AntiSpam was a phishing attempt, an increase of 100 percent from the last half of 2004. Symantec Brightmail AntiSpam antifraud filters were blocking more than 40 million phishing attempts per week on average, up from approximately 21 million per week at the beginning of January. During the first six months of 2005, spam made up approximately 61% of all email traffic. That's a slight increase over the last six months of 2004, when just over 60% of email was classified as spam. A little more than 50% of all spam received worldwide originated in the United States.
A substantial increase in vulnerabilities
The first half of 2005 was marked by a substantial increase in the number of vulnerabilities disclosed. Between January 1 and June 30, 2005, Symantec documented 1,862 new vulnerabilities, which is the highest number recorded since the Internet Security Threat Report began tracking new vulnerabilities. It is also an increase of 31% over the 1,416 new vulnerabilities documented in the last half of 2004. Ninety-seven percent of these vulnerabilities were classified as 'moderate' or 'high' in severity, and 59% of all vulnerabilities were found in Web application technologies, marking an increase of 59% over the previous reporting period and a 109% increase over the first six months of 2004. The time between the disclosure of a vulnerability and the release of associated exploit code decreased from 6.4 days to 6.0 days in the first half of 2005. In addition, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor.
Malicious mobile code makes headway
In September 2004, the Symantec Internet Security Threat Report predicted that malicious code for mobile devices would become a threat. In the March 2005 volume, Symantec reported that the number of variants of malicious code for mobile devices in the wild had indeed increased. During the current reporting period, malicious code for mobile devices continued to make headway; however, it consisted primarily of proof-of-concept malicious code, particularly for smart phones. Thus, while the number of mobile device threats continues to increase, the number reported in the wild is still relatively small.
Mozilla browsers have most vulnerabilities
In the first half of 2005, the Mozilla browsers, including Firefox, had the most vulnerabilities of all Web browsers. During this period, 25 vendor-confirmed Mozilla vulnerabilities were disclosed, compared to 32 in the previous reporting period and two in the first half of 2004. Eighteen of the 25 Mozilla vulnerabilities in this period, or 72%, were classified as high severity. That's up from the 14 high-severity Mozilla vulnerabilities in the second half of 2004. During the first six months of 2005, 13 vendor-confirmed Microsoft Internet Explorer vulnerabilities were disclosed. That's a decrease from the 31 documented in the second half of 2004. Eight of the 13 Internet Explorer vulnerabilities disclosed during the current period, or 62%, were considered high severity. Eighteen Internet Explorer vulnerabilities were considered high severity in the last six months of 2004.
Adware and spyware continue to propagate
During the first six months of 2005, adware made up 8% of the top 50 programs reported to Symantec, up from 5% in the previous reporting period. ShopAtHomeAgent was the most common adware program, accounting for 18% of the top 10 adware programs reported. Webhancer was the top spyware program during this reporting period, accounting for 29% of the top 10 spyware programs reported. During this period, six of the top 10 spyware programs were delivered by bundling with other programs, and six were installed through Web browsers.
Looking ahead
Throughout the year, Symantec collects data that provides the basis for an analysis of future and emerging trends. Organizations should use this information to prepare themselves for a number of rapidly evolving and complex security issues in the coming year, including:
• Modular malicious code. Increasingly, malicious code authors have been deploying modular malicious code. Modular malicious code is malicious code -- such as worms, viruses, and Trojans -- that initially possesses limited functionality. However, once installed on a target computer, it downloads other pieces (or modules) of malicious code with different functionalities and further compromises the infected computer.
• Phishing continues to evolve. Phishing messages are continually being altered in order to evade antispam and antiphishing filters. This is driving new innovation in methods of evasion, particularly in the use of randomized changes in phishing messages. This can take the form of randomized pixels in attached images, as well as URL obfuscation techniques such as the use of cousin domains, and Web site redirection. Security administrators are urged to monitor the registration of 'cousin' domain names and to educate users on the increased sophistication of these types of attacks.
• Wireless security threats. As the number of wireless local area networks (WLAN) in enterprises and other locations continues to increase, so too does the number of concerns posed by insecure wireless access points. In some cases, attackers impersonate the wireless access point itself in order to capture sensitive or useful information from machines attempting to connect to it. This has led to a reported increase in the number of 'war drivers' who use those connections to launch attacks and steal confidential information.
• VoIP threats. Voice over Internet Protocol (VoIP) is quickly becoming a widely adopted alternative to traditional analogue phone systems. It has been estimated that by the end of 2006, two-thirds of the Global 2000 companies will have adopted VoIP as their primary means of voice communication. Security researchers believe VoIP may be vulnerable to a wide range of possible attacks. While there are currently few reported attacks directed at VoIP systems, Symantec feels that as this new communications technology gains widespread acceptance and deployment, it is only a matter of time before attackers target it more intensely.
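The cousin-domain monitoring recommended in the phishing item above, as an added Python example that is not part of the report: it scans a constructed daily registration feed for names that differ from a protected brand only by digit-for-letter swaps, added words, or a character or two of edit distance. The brand names, the feed and the HOMOGLYPHS table are assumptions.

```python
# Added example for this article, not Symantec's code: flag newly registered 'cousin'
# domains that imitate a brand. Brands and feed below are constructed sample data.
import re
# Digit-for-letter swaps commonly seen in look-alike names (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def levenshtein(a: str, b: str) -> int:
    """Edit distance with a rolling row; fine for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """'login.acme-bank.com' -> 'acme-bank' (assumes one-label TLDs, not co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(label: str, brand: str):
    """Return why `label` looks like a cousin of `brand`, or None."""
    if label == brand:
        return None                       # the brand's own domain
    flat = re.sub(r"[-_]", "", label.translate(HOMOGLYPHS))
    brand_flat = brand.replace("-", "")
    if flat == brand_flat:
        return "lookalike"                # only punctuation/digit swaps differ
    if brand_flat in flat:
        return "brand-with-affix"         # acme-bank-secure, acmebank-login, ...
    if levenshtein(flat, brand_flat) <= max(1, len(brand_flat) // 4):
        return "typosquat"                # a character or two away from the brand
    return None

def find_cousin_domains(brands, feed):
    # One (domain, brand, reason) tuple per suspicious registration.
    hits = []
    for domain in feed:
        label = registrable_label(domain)
        for brand in brands:
            reason = classify(label, brand.lower())
            if reason:
                hits.append((domain, brand, reason))
    return hits

# Constructed sample: two protected brands and one day's new registrations.
BRANDS = ["acme-bank", "examplepay"]
FEED = ["acme-bank.com", "login.acme-bank.com", "acme-bank-secure.net", "acmebank-login.info",
        "acme-8ank.com", "acmebnak.com", "examp1epay.org", "weather-report.org"]
```

Hits from `find_cousin_domains(BRANDS, FEED)` are the registrations worth a takedown request or a block-list entry; the brand's own domain and its subdomains are not reported.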
The need to be proactive
As these highlights demonstrate, the threat landscape is changing. Where traditional attack activity was motivated by curiosity and a desire to show off technical virtuosity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud. As a result, enterprises need to be especially diligent in keeping their systems up-to-date with security patches and security solutions. It is also strongly recommended that they employ defense-in-depth practices, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. This should include the deployment of antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems. Enterprises should also ensure that they are actively monitoring their environments 24x7 against attack.
By publishing its analysis of Internet security activity in the Internet Security Threat Report, Symantec hopes to provide enterprises with the information they need to help effectively secure their systems today.
Symantec, Middle East