
Internet Security Threat Report: Cybercrime continues to rise

The release last month of the latest Symantec Internet Security Threat Report confirms an observation first made last year: namely, that threats designed to facilitate cybercrime are increasing.

  • Tuesday, April 11 - 2006 at 15:23


The report, covering the second half of 2005, found that malicious code for profit continues to proliferate. In fact, malicious code threats that could reveal confidential information increased in this period. This article looks at today's cybercrime-related threat landscape in detail.

An evolving threat landscape

The Symantec Internet Security Threat Report provides analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code and additional security risks. It draws upon numerous sources of Internet threat data around the world. For example, the Symantec Global Intelligence Network, which includes the DeepSight Threat Management and Managed Security Services, consists of more than 40,000 sensors monitoring network activity in more than 180 countries. In addition, Symantec gathers malicious code data (along with spyware and adware reports) from more than 120 million client, server, and gateway systems that have deployed its antivirus products.

The latest edition of the Threat Report traces a landscape characterized by ongoing threats to our digital lifestyle and to online business in general. Specifically,


• Cybercrimes such as online fraud and the theft of confidential information dominate today's online environment.


• Bots, bot networks, and customizable or 'modular' malicious code are the preferred methods attackers use to compromise and control host systems.


• Web-based technologies are the target of choice for attackers.


• There has been a continued decline in 'noisy,' high-severity threats and a corresponding increase in 'quieter,' stealthier, and initially lower-severity threats.

Attack trends

As Symantec noted in the previous Internet Security Threat Report, attackers are generally moving away from large, multipurpose attacks against traditional security devices such as firewalls and routers. Instead, they are focusing on regional targets, desktops, and Web applications that enable an attacker to steal corporate, personal, financial, or confidential information.

One of the more pronounced attack trends in the current reporting period involved denial of service (DoS) attacks. Between July 1 and December 31, 2005, the average number of DoS attacks detected per day was 1,402, an increase of 51% from the first half of 2005.

In this same period, Symantec identified an average of 9,163 bot-infected computers per day, down from 10,347 in the first six months of 2005. Bot networks are increasingly used for criminal DoS-based extortion attempts.

Among other attack trends:


• The United States was the origin of 26% of the world's bot-infected computers, the most of any country.


• Financial services was the most frequently targeted industry.


• During the last six months of 2005, the United States was the source country of 31% of attacks, the most of any country.

Vulnerability trends

In the last six months of 2005, Symantec documented 1,895 new software vulnerabilities, the largest total number of recorded vulnerabilities since 1998. Of these, 97% were considered moderately or highly severe and 79% were considered easy to exploit. Overall, Symantec documented 40% more vulnerabilities in 2005 than in 2004.

In the last six months of 2005, 69% of the vulnerabilities reported to Symantec affected Web application technologies, a 15% increase over the previous period. Web application technologies, which rely on a browser for their user interface, present an easier target for attackers due to their availability over commonly allowed protocols such as HTTP.

Microsoft's Internet Explorer browser had the highest number of new vulnerabilities (including both vendor confirmed and non-vendor confirmed), with 24. The Mozilla Firefox browser had the highest number of new vendor-confirmed vulnerabilities, with 13.

The average time between the announcement of a vulnerability and the appearance of exploit code was 6.8 days in the second half of 2005, up from 6.0 days. On average, 49 days elapsed between the disclosure of a vulnerability and the release of an associated patch, down from 64 days.

Malicious code trends

As noted above, the use of malicious code for profit is on the rise. During the second half of 2005, malicious code threats that could reveal confidential information rose from 74% of the top 50 malicious code samples studied by Symantec in the last reporting period to 80% this period.

Symantec also observed an increase in modular malicious code, which initially possesses limited functionality but is designed to update itself with new, more damaging capabilities. Modular malicious threats can expose confidential information that is then used in identity theft, credit-card fraud, or other criminal financial activities. During the last six months of 2005, modular malicious code accounted for 88% of the top 50 malicious code samples reported to Symantec, up from 77% last period.

In this same reporting period, more than 10,992 new virus and worm variants were discovered, representing a small increase over the previous reporting period (10,866) but a 49% increase over the same time period last year.

In the last six months of 2005, Sober.X was the most widely reported malicious code sample. This mass-mailing worm, initially discovered on November 19, 2005, was upgraded to a Category 3 threat on November 22. Even though it was in the wild for just over a month, Sober.X was reported more frequently than any other malicious code sample in the entire six-month period.

Additional security risks

As the latest Threat Report observes, with Internet-based services and applications expanding and diversifying, 'the potential for computer programs to introduce other types of security risks has increased. The emergence of new risks, particularly spam, phishing, spyware, and adware, has necessitated an expansion of the traditional security taxonomy' beyond the categories of attacks, vulnerabilities, and malicious code.

In the last half of 2005, Symantec blocked 1.5 billion phishing attempts, a 44% increase over the first half of 2005. Symantec detected an average of 7.9 million phishing attempts per day, an increase of 39% over the first half of 2005.

Spam, meanwhile, made up 50% of all monitored email traffic. Spam associated with financial goods and services was the most common type. The United States was the country of origin of 56% of all spam.

Over the last six months of 2005, CometCursor was the most commonly reported spyware program, accounting for 42% of the top 10 spyware programs reported during this period. CometCursor is an Internet Explorer browser 'helper object' (or add-on program), which installs a toolbar that has links to affiliate Web sites.

In this same period, the most commonly reported adware program was Websearch, which accounted for 19.1% of the top 10 adware programs reported. Nine of the top 10 adware programs in this period were installed by so-called rogue affiliates, while seven of the top 10 carried a risk rating of 'high' or 'medium.'

Conclusion

Based on the data gathered in this and previous reporting periods, Symantec expects more diverse and sophisticated threats used for cybercrime to emerge, as well as an increase in the theft of confidential information for financial gain. The threat landscape has indeed shifted. Enterprises would do well to avail themselves of the insight that the latest Threat Report provides into how cybercrime is happening and how it can be prevented.




Symantec Symantec, Middle East
Tuesday, April 11 - 2006 at 15:23 UAE local time (GMT+4)

Replication or redistribution in whole or in part is expressly prohibited without the prior written consent of AME Info FZ LLC / Emap Limited.

This Article was updated on Friday, June 15 - 2007

