Web Increasingly Dangerous as Threats Grow at Record Pace, Symantec Report Reveals

Web-based attacks more sophisticated, hackers' targets now end-user data, not systems; stable underground economy driving thefts

• By James E. Powell
• 04/14/2009

Symantec Corp. today announced the results of its Internet Security Threat Report Volume XIV which details the rapid growth of malicious code activity in 2008.  The target has moved from end-users’ systems to acquiring confidential information of those users. 

Symantec found more than 1.6 million new and distinct malicious code signatures last year -- 60 percent of all released detections the firm has ever created, Zulfikar Ramzan, technical director of Symantec Security Response told Enterprise Strategies.  The company said these signatures helped it “block an average of more than 245 million attempted malicious code attacks across the globe each month during 2008.”

The Web remains a dangerous place -- it’s the primary source of new infections, the report notes.  “Only three percent of this code exploits technical difficulties; 97 percent of it assumes you’ll install something (such as software that downloads other software) or provide information (such as in a phising e-mail),” Ramzan said. “Attackers are relying more on using code toolkits to spread their threats, and they use keystroke-loggers, for example, to steal financial information which is the top target.  We found that keylogging was responsible for 76 percent of confidential information threats; that’s an increase from 2007, when it was 72 percent.”

Many of the phishing expeditions are timed to current events.  With so many financial services firms making the headlines, the most popular technique is for hackers to wait until a bank is in the news, then send out e-mails that trick victims into responding as a result of current events.  “It’s all in the timing -- e-mail recipients think their banks are sending requests for information because of what they’ve read or seen in the news, and they’re fooled into giving information.” 

The financial services sector was hard hit; 12 percent of all data breaches from such firms exposed credit card information; the average cost per data breach incident was $6.7 billion, up five percent from 2007; Symantec reported that lost business averaged $4.6 million per incident.

Timing isn’t all hackers rely on to get information; end users and security administrators may also share some of the blame. Hackers are using increasing complex methods; “attackers are now frequently stringing together multiple exploits for medium-severity vulnerabilities to achieve the same goal.” The problem is that although enterprises and end users often patch high-severity problems, low-and medium-severity patches aren’t installed, and it’s at this level that many vulnerabilities operate.  Network worm exploits were less potent last year because they relied on “high-severity vulnerabilities in remotely accessible services” in order to spread, but individual users and enterprises had already changed their behavior and patched high-severity exploits quickly.

The underground economy is driving much of the continued threats.  “The economy at large is rough, with prices down, but the underground economy remains stable, and the cost of stolen credit cards and other personal information remains pretty much unchanged.”  Last year, 78 percent of “confidential information threats exported user data.”

The report highlights “the increased resilience of malware authors against attempts to halt their activities.”  The shutdown of two U.S.-based botnet hosting firms reduced botnet activity from September through November 2008, but botnet operators quickly found alternate hosts and activity was back to its former level within a couple of months.

“Sixty-three percent of vulnerabilities were lurking in Web applications,” Ramzan recounted, a figure that’s up from just 39 percent in 2007.  “Web apps aren’t as secure as other applications,” he says.  Common techniques include “exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields)” and “exploiting some vulnerability present in the underlying host operating system,” according to the report.

The report explains that in addition, many “pre-built software products are designed to simplify the deployment of new Web sites and are in widespread use around the Internet. Many of these platforms were not designed with security in mind and consequently harbor numerous flaws leaving them potentially vulnerable to attack.”  Most (38 percent) Web-based attacks still originate from the U.S.; China is second at 13 percent, with Ukraine following at 12 percent.

Despite crackdowns of a few large spam purveyors, unsolicited e-mail volume continued its meteoric growth -- 192 percent worldwide last year -- rising from 119.6 billion messages in 2007 to 349.6 billion messages last year, of which 90 percent were distributed by bot networks.  Symantec says it observed, on average, over 75, 000 active bot-infected computers every day, a nearly one-third (31 percent) gain over 2007.  Other top delivery mechanisms include portable drives (USB sticks) and file sharing sites, Ramzan said.

The Internet Security Threat Report combines data from millions of Internet sensors the company has placed globally, its own research, and individual interviews.