8 March 2006
Symantec Internet Security Threat Report Tracks
Notable Rise in Cybercrime Activity
80 Percent of the Top 50 Malicious Code Samples Could Reveal Confidential Information
Symantec Corp. (Nasdaq: SYMC) today released its ninth volume of the Internet Security Threat Report, one of the most
comprehensive sources of Internet threat data in the world. The semiannual report, covering the six-month period from
July 1, 2005 to Dec. 31, 2005, marks an increase in threats designed to facilitate cybercrime.
While past attacks were designed to destroy data, today’s attacks are increasingly designed to silently steal data for
profit without doing noticeable damage that would alert a user to their presence. In the previous Internet Security Threat
Report, Symantec cautioned that malicious code for profit was on the rise, and this trend continued during the second
half of 2005. Malicious code threats that could reveal confidential information rose from 74 percent of the top 50
malicious code samples last period to 80 percent this period.
“Cybercrime represents today’s greatest threat to consumers’ digital lifestyle and to online businesses in general,”
said Arthur Wong, vice president, Symantec Security Response and Managed Security Services. “The unparalleled insight
this report provides into how cybercrime is happening and how it can be prevented enables Symantec to help protect the
widest variety of customers in the world.”
The report also details the growing trend of attackers using bot networks, targeted attacks on web applications and web
browsers, and modular malicious code. Based on this and data from previous reporting periods, Symantec expects to see
more diverse and sophisticated threats used for cybercrime as well as an increase in the theft of confidential,
financial, and personal information for financial gain.
Crimeware Tools Expand Reach, Function
Cybercrime-related threats are gaining momentum through the use of crimeware, software tools built with the purpose of
committing online scams and stealing information from consumers and businesses. As Symantec noted in the previous
Internet Security Threat Report, attackers are moving away from large, multipurpose attacks against traditional
security devices such as firewalls and routers. Instead, they are focusing their efforts on regional targets, desktops
and web applications that may allow an attacker to steal corporate, personal, financial, or confidential information;
this information could then be used for additional criminal activity.
Programs that provide attackers with unauthorised control of a computer, known as bots, also contribute to the rise in
cybercrime threats. While the number of bot-infected computers is 11 percent lower than last period – with an average of
9,163 infected systems identified each day during the current reporting period – bot networks are increasingly used for
criminal activities such as denial of service (DoS)-based extortion attempts. Symantec estimates that this measurement
is only capturing a portion of global activity and that the actual infection numbers are likely to be much higher. On
average, Symantec observed 1,402 DoS attacks per day, a 51 percent increase over the previous reporting period. Symantec
speculates that this growth trend will continue as attackers leverage an increasing number of web-based application and
browser vulnerabilities.
In the previous report, Symantec speculated that attacks directed at web applications would increase. During the current
reporting period, 69 percent of the vulnerabilities reported to Symantec affected web application technologies, a 15
percent increase over the previous period. Web application technologies, which rely on a browser for their user
interface, present an easier target for attackers due to their availability over commonly allowed protocols such as
HTTP.
Symantec has also seen an increase in modular malicious code, which initially possesses limited functionality but is
designed to update itself with new, more damaging capabilities. Modular malicious threats often expose confidential
information that can then be used in identity theft, credit card fraud, or other criminal financial activities. During
the last six months of 2005, modular malicious code accounted for 88 percent of the top 50 malicious code samples
reported to Symantec, up from 77 percent last period.
Additional Key Findings
- China experienced the largest increase of bot-infected computers, with 37 percent growth – 24 percentage points above
the average increase – putting China behind only the U.S. in this category. The increase is likely related to China’s
rapid growth in broadband internet connections. China also saw the largest overall increase in originating attacks; such
attacks increased by 153 percent over the last period, marking 72 percentage points above the average increase. Bots may
be an increasing source of this activity.
- Phishing threats, which are attempts to deceive users into revealing confidential information, continued to increase
during the last half of 2005 while focusing on smaller, regional targets. During the last half of 2005, 7.92 million
daily phishing attempts were identified, an increase over the 5.70 million attempts per day in the previous reporting
period. Symantec expects to see an increase in the number of phishing messages and malicious code distributed through
instant messaging services in the future.
- Symantec documented 1,895 new software vulnerabilities, the largest total recorded number of vulnerabilities since
1998. Of these, 97 percent were considered moderately or highly severe and 79 percent were considered easy to exploit.
- To highlight the importance of applying operating system and application patches quickly, Symantec assessed the time it
took for attackers to compromise newly installed operating systems in standard deployments such as web servers and
desktops. Of the servers, Windows 2000 Server with no patches had the shortest average time to compromise, while patched
Windows 2003 Web Edition and both unpatched and patched RedHat Enterprise Linux 3 were not compromised in the testing
period. Of the desktops, Microsoft Windows XP Professional with no patches had the shortest average time to compromise,
while the same desktop system with all patches applied as well as SuSE Linux 9 Desktop were not compromised.
- With the increased volume of vulnerabilities discovered, Symantec also monitored the speed at which organisations were
able to patch vulnerable systems. During this reporting period, an average of 6.8 days elapsed between the announcement
of a vulnerability and the release of associated exploit code, up from six days last period. An average of 49 days
elapsed between the disclosure of a vulnerability and the release of a vendor-supplied patch.
Consequently, enterprises and consumers may be susceptible to potential attack for 42 days, highlighting the need for
users to patch systems or take other protective measures as soon as possible. Symantec expects that the
commercialisation of vulnerability research will increase, with a growth in black market forums and an increase in
vulnerability information purchased for criminal pursuits.
- Symantec documented a small increase in new Win32 virus and worm variants with 10,992 this period versus 10,866 last
period. This trend is part of a noticeable decline in category 3 and 4 threats (moderate and extremely serious) and a
corresponding increase in category 1 and 2 threats (low and very low). The number of new Win32 virus and worm families
also decreased by 39 percent – from 170 new families in the first half of 2005 to 104 this period. This suggests that
malicious code developers may be choosing to modify currently circulating source code rather than developing new threats
from scratch.
About the Symantec Internet Security Threat Report
The Symantec Internet Security Threat Report provides analysis of network-based attacks, a review of known
vulnerabilities, and highlights of malicious code and additional security risks. Employing the Symantec Global
Intelligence Network, Symantec identifies and analyses emerging trends in Internet security activity. This unparalleled
pool of data includes the following:
- Symantec DeepSight Threat Management System and Symantec Managed Security Services: more than 40,000 sensors monitor
network activity in more than 180 countries and comprehensively track attack activity across the entire internet
- Symantec’s antivirus solutions: more than 120 million client, server, and gateway systems that have deployed
Symantec’s antivirus products provide reports on malicious code as well as spyware and adware
- Vulnerability database: covering more than 13,000 vulnerabilities affecting more than 30,000 technologies from more
than 4,000 vendors, Symantec maintains one of the world’s most comprehensive databases of security vulnerabilities
- BugTraq: one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, with
more than 50,000 subscribers
- Symantec Probe Network: a system of more than two million decoy accounts, attracting email messages from 20 different
countries around the world, allowing Symantec to gauge global spam and phishing activity
The full report is available for download from www.symantec.com. Broadcast media can download multimedia from
www.thenewsmarket.com/symantec.
About Symantec
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security,
availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more
than 40 countries. More information is available at www.symantec.com.
ENDS