1. /
  2. Confident Insights Newsletter/
  3. Symantec: Malicious Code Activity Spiked in 2008

Symantec: Malicious Code Activity Spiked in 2008

May 12, 2009


Just how busy were cyber-criminals last year? If the latest Symantec Internet Security Threat Report is any indication, they’ve never been busier, as malicious code activity grew at a record pace. Enterprise users need to be extra vigilant about their security practices.
Just how busy were cyber-criminals last year? If the latest Symantec Internet Security Threat Report is any indication, they’ve never been busier.
According to Volume XIV of the report, issued in April, attackers released Trojan horses, viruses, and worms (also called “malicious code”) at a record pace in 2008, primarily targeting computer users’ confidential information. Specifically, Symantec documented a staggering 1.6 million instances of malicious code on the Web in 2008. That compares with 624,267 instances in 2007.
Vincent Weafer, Symantec’s vice president of security content and intelligence, put these numbers in perspective in a recent interview with Reuters.
“Sixty percent of all the [malicious code] threats in the past 20 years came in the last 12 months alone,” Weafer said.
Weafer added that this explosive growth can be attributed to the increasing professionalism of malicious code development.
In response, Symantec created more than 1.6 million new malicious code signatures in 2008, a record number. These signatures helped block an average of more than 245 million attempted attacks around the world each month, according to the report.

Top trends and threats

Previously released every six months, the latest Internet Security Threat Report documents trends and threats that Symantec observed throughout 2008. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks, as well as future trends.
A number of the trends and threats observed last year will be familiar to readers of previous volumes of the Threat Report. For example, malicious activity has increasingly become Web-based; attackers are targeting end users instead of computers; and the online underground economy has consolidated and matured.
As the report observes:
“The underground economy is increasingly becoming a self-sustaining system where tools specifically developed to facilitate fraud and theft are freely bought and sold. These tools are then used for information theft that may then be converted into profit to fund the development of additional tools.”
According to the report, Web surfing remained the primary source of new infections in 2008, and attackers relied more and more on customized malicious code toolkits to develop and distribute their threats. Of the threats that Symantec detected last year, 90% attempted to steal confidential information.
More than ever before, attackers are intent upon compromising end users for financial gain.
“In 2008, 78% of confidential information threats exported user data and 76% used a keystroke-logging component to steal information such as online banking account credentials,” the report said.
The most popular item for sale on underground economy servers in 2008 was credit card information, accounting for 32% of the total, the report observed, adding that “the price for each card can be as low as 6 cents when they are purchased in bulk.”

A particular concern for enterprises

The latest report makes the point that the methods used by attackers are becoming increasingly complex. Rather than exploit a single high-severity flaw to compromise users, attackers now string together multiple exploits for medium-severity vulnerabilities to achieve the same goals. For example, eight of the top 10 vulnerabilities exploited in 2008 were rated as medium severity.
This development should be of special concern to today’s enterprises, many of which make patching high-severity vulnerabilities a priority, while ignoring medium- and low-severity vulnerabilities. But as the report observes:
“In many cases, medium-severity vulnerabilities are sufficient to mount successful attacks if attackers are able to execute arbitrary code and perform actions such as accessing confidential information or making network connections. ... Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful malicious attacks on individual end users as well as at the enterprise level.”

Other key findings

Among the other findings of the Threat Report, which is derived from data collected from millions of Internet sensors, first-hand research, and the monitoring of hacker communications
  • Phishing continued to grow in 2008. Symantec detected 55,389 phishing Website hosts last year, an increase of 66% over 2007, when Symantec detected 33,428 phishing hosts. Financial services accounted for 76% of phishing lures in 2008 compared to 52% in 2007.
  • The volume of spam also continued to grow. Over the past year, Symantec observed a 192% increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008. In 2008, botnets were responsible for the distribution of approximately 90% of all spam email. (A botnet is a network of zombie computers set up to forward viruses or spam.)
  • By the end of 2008 more than 1 million computers were infected with the Conficker worm. This worm was able to spread rapidly across the Internet due to a number of advanced propagation mechanisms. (The number of Conficker infections worldwide grew to more than 3 million infected systems during the first quarter of 2009.)
  • Symantec observed an average of more than 75, 000 active bot-infected computers each day in 2008, a 31% increase from 2007.
  • The report also points to the increased resilience of malware authors against attempts to halt their activities. As an example, the shutdown of two U.S.-based botnet hosting outfits contributed to a significant decrease in active botnet activity during September and November of 2008. However, botnet operators found alternative hosting Web sites, and botnet infections quickly rose to their pre-shutdown levels.
  • In 2008, the growth of malicious code activity was greatest in the Europe, Middle East, and Africa region.


As malicious code continues to grow at a record pace, attackers are shifting away from the mass distribution of a few threats to the micro-distribution of millions of distinct threats. Moreover, these cybercriminals are intent upon distributing threats that steal confidential information, particularly bank account credentials and credit card data. Symantec expects this malicious activity to continue this year.
As Stephen Trilling, Vice President of Symantec Security Technology and Response has put it: “While the above ground economy suffers, the underground economy has remained consistently steady.”
To find out more about the increasingly sophisticated threats facing today’s Internet users, and to familiarize yourself with Symantec’s Enterprise Best Practices, download the Internet Security Threat Report today.

Back to Newsletter