In-Depth

Patch or Perish: Symantec Notes Dramatic Increase in Threats

Symantec's assessment of system vulnerabilities in the first half of this year shows a dramatic increase in the number and potential destruction of security threats.

• By Mathew Schwartz
• 09/29/2004

Bot armies are on the rise. Beloved by attackers, who sneak remote-control software onto PCs, bots—also known as zombie computers—can siphon and transmit sensitive information from the PC, receive and spread malware updates, and be used in distributed, denial-of-service attacks.

“We’ve seen a rise in remote-controlled bot networks from 2,000 in January—by unique IPs—to over 30,000, again by unique IPs,” says Dean Turner, executive editor of the Symantec Internet Security Threat Report, and also a Symantec Security Response manager.

To write the latest Threat Report, which covers the first six months of 2004, Symantec analyzed data from 20,000 information-collecting devices in about 180 countries, plus 120,000 gateway client-server devices running its software. “We tie that all in together. We have our analysts sit down and look at all the data, and we use it to build better detection in our products,” notes Turner.

One finding was the extent to which bot networks are growing. “We track the ports associated with known bot networks … We know 99 percent of the time when the activity is associated with bots,” he says.

The primary function of bot networks is to spread malware. "What we’re seeing bot networks used for is propagating and seed networks for viruses and worms." Unfortunately, such networks are very efficient. “Think about being able to upgrade a virus or worm or Trojan in 10 to 15 seconds. Now you’re starting to talk about things like zero-day exploits and compromises.”

Bots’ primary purpose, however, is ultimately financial. “What we’re seeing is a shift from hacking for fame, to fortune. This all ties into phishing scams, and hackers and ne’er-do-wells being lured by profit,” Turner observes. Consumers’ lucrative personal information is often the objective. E-commerce companies are one repository, which helps explain why they were the most-targeted sites, with 16 percent of all targeted attacks directed against them, up from 12 percent in the same period last year.

Viruses, Worms, and System Vulnerabilities Grow Sharply

Beyond bots, 4,496 new Windows viruses and worms were discovered in the first six months of this year, up 450 percent from the same period last year. In the same time period, 1,237 new vulnerabilities were discovered, for an average of 48 vulnerabilities per week or 7 per day. Of all vulnerabilities, “over 96 percent were considered moderately or highly severe,” says Turner. That means the vulnerabilities could lead to partial or complete system compromise.

Of those vulnerabilities, 479 involve Web applications, increasing risk. Indeed, 39 percent of the volume of attacks over the report’s time period took aim at Web applications.

Also troubling to security managers is the shrinking window of opportunity to apply patches. “The average time between the announcement of a vulnerability and the appearance of [an exploit] is 5.8 days,” Turner says. With some reports indicating 40 or 50 days is the average time an enterprise takes to patch a vulnerability, security managers will be under increasing pressure to escape the patch-or-perish cycle. The problem isn’t limited to companies, either. “Consumers tend to take a little longer than enterprises, because they’re less security aware,” he notes.

Of all the threats in the first half of 2004, SQL Slammer was the most prevalent. Blended threats figured prominently in the last Threat Report, for the latter half of 2003, and a blended threat, Gaobot, came in second this time. Gaobot “exploits the DCOM/RPC vulnerability, and it tries to steal passwords, and terminate your security software, your firewalls, etc., and it tries to access the host through IRC, [and] spread though network shares,” says Turner.

For the rest of 2004, expect to see increased numbers of bots, and more blended threats, targeting more things. Symantec suspects client-side Web applications will be an especial target, as will consumers’ broadband devices. It notes 20 vulnerabilities were discovered this year that affect consumer-grade, hardware-based firewalls and routers from such vendors as Linksys and D-Link. Consumers have a difficult time upgrading their hardware’s firmware, says Turner, which could delay patching future device vulnerabilities. “It comes down to education, and that’s one of the reasons we expend so much effort on the Threat Report.”

Mobile devices are also increasing targets. Noting the appearance of Cabir, the first worm for the Windows CE platform, Symantec anticipates Windows CE and Palm devices will become a popular target, and suspects attacks will be able to jump between devices, especially "as we become more and more interconnected with technologies like Bluetooth. It truly is a blended threat environment.”

To compensate, people need to get proactive. Though many, if not most, enterprises and consumers already use antivirus products, containing the spread of new viruses and worms requires more. To start, “you should be checking everyday for new updates,” he says. “That’s the way of the world now.”

Related Articles

New Technology Combats Zero-Day Attacks
http://esj.com/enterprise/article.aspx?EditorialsID=1086

Name-Dropping Attacks
http://esj.com/news/article.aspx?EditorialsID=1114

Seeking the Perfect Patch Process
http://esj.com/news/article.aspx?EditorialsID=680