Dangerous Blended Attacks Increase, Symantec Says

Payload and speed make them especially dangerous; eight best practices for resisting their impact

In the first half of this year, computer attacks using a “blended” combination of malicious code and existing software vulnerabilities accounted for over half of all attacks. Blended attacks were the most frequently reported kind of attack, and they’re on the rise.

On the other hand, companies are getting savvier about securing systems. Severe attacks declined during that time, from 23 percent a year ago to 11 percent in 2003.

Those findings, and best practice recommendations, come from Symantec’s latest Internet Security Threat Report. To generate the report, Symantec analyzed information from over 20,000 threat management sensors at customer sites in more than 180 countries. The report covers network-based attacks, a review of vulnerabilities discovered and exploited, and highlights of malicious code trends.

Two things make blended threats especially dangerous: payload and speed. Payload is a problem because if there’s an easy way into the network, the worm can drop the other shoe, perhaps deleting files or wiping the Windows registry, causing machines to fail once they reboot. Then there’s speed. Slammer hit a noticeably high number of computers in mere hours. At its peak, the Blaster worm nailed 2,500 computers per hour.

Unfortunately, worms are only getting faster. Blaster—a blended attack—debuted only 26 days after the vulnerability it exploits was announced. Worms are also dangerous, since they frequently have the ability to install back-door software to gain later access to compromised computers. Large networks of compromised computers can be used for future attacks.

The growth in the speed worms propagate may be attributed to the ease with which more new vulnerabilities are exploited. For the first half of 2003, says Symantec, 70 percent of all vulnerabilities were easy targets for attackers, since an exploit was either easily available or not even needed. That was an increase of 10 percent from the previous year. In addition, 80 percent of new vulnerabilities could be remotely exploited.

Worms are also exploring new options. Of the 50 most-common viruses and worms of the first half of 2003, 19 had the ability to use peer-to-peer networks and instant messaging to spread. That's a significant increase from last year.

Overall, companies face a 19 percent increase in attacks—an average of 38 per company per week—since the first half of 2002. A number of attacks, however, seem to be targeting some companies more than others. For example, Bugbear.B, which debuted in June, targeted financial institutions.

In the future, expect to see more worms, faster propagation, and resulting network overloads compromising users’ ability to connect.

To help counteract the increasing amounts of malicious code, Symantec urges companies to follow eight best practices:

  • Deactivate unneeded services

  • Ppatch, patch, patch, and keep them up to date

  • Make users choose secure passwords, and change them with frequency

  • Automatically block harmful file types—.vbs, .bat, .exe, .pif, and .scr—at the perimeter, i.e., at the firewall or e-mail server

  • Isolate any infected computer and thoroughly vet it, perform forensic analysis to see if it led to anything else being compromised, and only then return it to service

  • Educate, and re-educate, employees, to delete attachments unless they’re explicitly expected

  • Constantly test security levels

  • Create and maintain emergency plans

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.