Symantec Internet Security Threat Report Highlights Rise In Threats To Confidential Information
Report Reveals Increase in Attacks Against Web Applications,
Threats to Windows, Severe/Easy-to-Exploit Vulnerabilities, Phishing Scams
Symantec Corp. (Nasdaq: SYMC), the global leader in information security, today released its newest Internet Security
Threat Report. The seventh bi-annual report provides analysis and discussion of trends in Internet attacks,
vulnerabilities, malicious code activity, and additional security risks for the period of July 1, 2004 to December 31,
2004.
“Attackers are launching increasingly sophisticated attacks in an effort to compromise the integrity of corporate and
personal information,” said Richard Batchelar, country manager, Symantec New Zealand. “By offering not only an
unparalleled view of current Internet threat activity but also critical insights regarding future trends, Symantec’s
Internet Security Threat Report serves as an invaluable tool for enabling businesses and individuals to safeguard the
security and availability of their information assets no matter what.”
Key Findings
Rise in Threats to Confidential Information: Over the past three reporting periods, threats with the potential to expose
confidential information have continued to increase. Between July 1 and December 31, 2004, malicious code created to
expose confidential information represented 54 percent of the top 50 malicious code samples received by Symantec, up
from 44 percent in the first six months of the year and 36 percent in the second half of 2003. This is partially due to
the proliferation of Trojan horses. Between July 1 and December 31, 2004, Trojans represented 33 percent of the top 50
malicious code reported to Symantec.
Steady Increase in Phishing Attacks: As predicted in the previous volume of the Internet Security Threat Report, the
number of phishing attacks is increasing. Phishing is a method to steal confidential information such as passwords,
credit card numbers, and other financial information. By the end of December 2004, Symantec Brightmail AntiSpam
antifraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per
week in July 2004. This represents an increase of over 366 percent. Symantec expects that phishing will continue to be a
very serious concern over the next year.
Increase in Attacks Against Web Applications: Web applications are popular targets because they enjoy widespread
deployment and can allow attackers to circumvent traditional perimeter security measures such as firewalls. They are a
serious security concern because they may allow attackers access to confidential information without having to
compromise individual servers. Nearly 48 percent of all vulnerabilities documented between July 1 and December 31, 2004
were Web application vulnerabilities, a significant increase from the 39 percent documented in the previous six-month
period.
Rise in Number of Windows Virus/Worm Variants: Due to the widespread deployment of Microsoft Windows operating systems
in enterprise and consumer environments, Windows 32 viruses and worms pose a serious threat to the security and
integrity of the computing community. From July 1 to December 31, 2004, Symantec documented more than 7,360 new Windows
32 virus and worm variants. This represents an increase of 64 percent over the previous six-month period. As of December
31, 2004, the total number of documented Windows 32 threats and their variants was approaching 17,500. Because a failure
to prevent, detect, or remove these threats could mean severe financial losses, the disclosure of confidential
information, and the loss of data, organisations are challenged with updating their antivirus solutions more often than
ever before which, in turn, puts more pressure on current resources.
Increase in Severe, Easy-to-Exploit, Remotely Exploitable Vulnerabilities: Between July 1 and December 31, 2004,
Symantec documented more than 1,403 new vulnerabilities, which translates into more than 54 new vulnerabilities per week
or almost eight new vulnerabilities per day. Of these, 97 percent were considered moderately or highly severe, which
means that successful exploitation of the vulnerability could result in a partial or complete compromise of the targeted
system. Furthermore, 70 percent were considered easy to exploit, which means that either no custom code is required to
exploit the vulnerability or that such code is publicly available. Compounding this problem is that nearly 80 percent of
all documented vulnerabilities in this reporting period are remotely exploitable, which likely increases the number of
possible attackers.
Attack Trends
For the third straight reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack (formerly
known as the Slammer attack) was the most common attack, used by 22 percent of all attackers. The second most common
attack was the TCP SYN Flood Denial of Service Attack, which was launched by 12 percent of attackers.
Organisations received 13.6 attacks per day, up from 10.6 in the previous six months. The United States continues to be
the top attack source country, followed by China and Germany.
The financial services sector experienced the highest ratio of severe attacks, with 16 severe events per 10,000 security
events.
Vulnerability Trends
The time between the disclosure of a vulnerability and the release of associated exploit code remained extremely short
at 6.4 days.
Symantec documented 1,403 new vulnerabilities, a 13 percent increase over the previous six-month period. Ninety-seven
percent of documented vulnerabilities were considered either highly or moderately severe. Moreover, 70 percent of all
documented vulnerabilities were classified as easily exploitable.
Web application vulnerabilities made up 48 percent of all vulnerabilities disclosed, up from 39 percent in the first
half of 2004. Vulnerabilities targeting Web applications are often classified as easily exploitable.
Vulnerabilities are affecting new alternative browser distributions. During the last six months of 2004, 21
vulnerabilities affecting Mozilla browsers were disclosed, compared to 13 vulnerabilities affecting Microsoft Internet
Explorer. Six vulnerabilities were reported in Opera.
Malicious Code Trends
As in previous reports, mass-mailing worms dominated the top malicious code reported over the last six months of 2004.
Eight of the top 10 samples reported to Symantec during this period were variants of mass-mailer worms that have been
seen in previous reports, including Netsky, Sober, Beagle, and MyDoom.
Two bots were present in the top 10 malicious code samples, compared to just one in the previous reporting period.
Gaobot was the third most frequently reported sample over the past six months, followed by Spybot. Moreover, 4,300 new
distinct variants of Spybot were reported, an increase of 180 percent over the previous six months.
Symantec documented more than 7,360 new Windows 32 viruses and worms, an increase of 64 percent over the first half of
the year and an increase of more than 332 percent over the 1,702 documented in the second half of 2003. As of Dec. 31,
2004, the total number of Windows 32 variants approached 17,500.
Malicious code that exposes confidential information made up 54 percent of the top 50 malicious code samples, up from 44
percent in the previous reporting period and 36 percent in the second half of 2003. This represents a 23 percent
increase between the current period and the first half of 2004 and a 50 percent increase over the same period the
previous year.
At the end of the reporting period, there were 21 known samples of malicious code for mobile applications, up from one –
the Cabir worm – in June 2004. Among the new threats were the Duts virus, the first threat to Windows CE; and the Mos
Trojan, which was discovered in a Symbian game.
Additional Security Risks
In the last six months of 2004, adware programs made up five percent of the top 50 Symantec customer reports, up from
four percent in the previous report. Iefeats was the most commonly reported adware program, accounting for 36 percent of
top 10 reports.
Webhancer was the most frequently reported spyware program during the second half of 2004, representing 38 percent of
the top 10 spyware reported.
Five of the top 10 reported adware samples were installed via a Web browser. Nine of the top 10 reported spyware
programs were bundled with other software.
Symantec reported a 77 percent growth in spam for companies whose systems were monitored for spam; the weekly totals of
spam rose from an average of 800 million spam messages per week to well over 1.2 billion spam messages per week by the
end of the reporting period. Moreover, spam made up more than 60 percent of all e-mail traffic observed by Symantec
during this period.
Future and Emerging Trends
The use of bots and bot networks for financial gain will likely increase, especially as the diverse means of acquiring
new bots and developing bot networks become more prevalent.
Malicious code targeting mobile devices is expected to increase in number and severity. With many groups researching
vulnerabilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating
by exploiting these vulnerabilities increases.
Symantec expects that client-side attacks using worms and viruses as propagation methods will become more common.
Attacks hidden in embedded content in audio and video images are expected to increase. This is worrisome because image
files are ubiquitous, almost universally trusted, and an integral part of modern day computing.
Symantec expects security risks associated with adware and spyware will likely increase. Impending legislation to curb
these risks is not expected to be an effective or sufficient deterrent on its own.
About the Symantec Internet Security Threat Report
Symantec has established one of the most comprehensive sources of Internet threat data in the world. The following
resources give Symantec analysts unparalleled sources of data with which to identify emerging trends in attacks and
malicious code activity:
DeepSight Threat Management System and Managed Security Services – More than 20,000 sensors monitoring network
activities in over 180 countries.
Symantec’s antivirus products – More than 120 million client, server, and gateway systems that have deployed Symantec’s
antivirus products provide reports on malicious code as well as spyware and adware.
Vulnerability database – Covering over 11,000 vulnerabilities affecting more than 20,000 technologies from more than
2,000 vendors, Symantec maintains one of the world’s most comprehensive databases of security vulnerabilities.
BugTraq – Symantec operates BugTraq, one of the most popular forums for the disclosure and discussion of vulnerabilities
on the Internet.
Symantec Probe Network – A system of more than 2 million decoy accounts, attracting e-mail messages from 20 different
countries around the world that allows Symantec to gauge global spam and phishing activity.
About Symantec
Symantec is the global leader in information security providing a broad range of software, appliances, and services
designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT
infrastructure. Symantec’s Norton brand of products is the worldwide leader in consumer security and problem-solving
solutions. Headquartered in Cupertino, Calif., Symantec has operations in more than 35 countries. More information is
available at http://www.symantec.com.
###
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the
Symantec Press Centre at http://www.symantec.com/PressCenter/ on Symantec’s web site. All prices noted are in US dollars
and are valid only in the United States.
Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other
countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of
the individual companies and are respectfully acknowledged.