What the Latest Symantec Threat Report Means to SMBs

By any measure, it was a banner year for Trojan horses, viruses, and worms.
According to the latest Symantec Internet Security Threat Report, these malicious code threats spiked dramatically in 2008. Symantec said it detected a staggering 1,656,227 malicious code threats last year, an increase of 265% from 2007.
Why such explosive growth? Symantec says it can be attributed to “the professionalism of malicious code development, supporting the demand for goods and services that facilitate online fraud.”
Continue reading to learn how Web-based attacks are becoming more sophisticated as the Internet grows, and what the consequences of these attacks are for small and midsize businesses.

Attacks are becoming more sophisticated

Previously released every six months, the latest Internet Security Threat Report documents trends and threats that Symantec observed throughout all of 2008. It covers Internet threat activities, vulnerabilities, malicious code, phishing, spam and security risks, as well as future trends.
The latest report documents in detail how Web-based threats have not only become more widespread, they’ve also become increasingly sophisticated:
“The lengthy and complicated steps being pursued to launch successful Web-based attacks also demonstrate the increasing complexity of the methods used by attackers. While a single high-severity flaw can be exploited to fully compromise a user, attackers are now frequently stringing together multiple exploits for medium-severity vulnerabilities to achieve the same goal.”
The report goes on to observe that some botnets (networks of zombie computers set up to forward viruses or spam) are being redesigned specifically to inject malicious code into compromised Websites.

What attackers want

So what is the purpose of all this malicious activity? What, in short, do attackers want today? More than ever before, they are concentrating on compromising end users for financial gain.
“In 2008, 78% of confidential information threats exported user data, and 76% used a keystroke-logging component to steal information such as online banking account credentials. Additionally, 76% of phishing lures targeted brands in the financial services sector, and this sector also had the most identities exposed due to data breaches.”
Once attackers obtain financial information or other personal details, they frequently sell that data on the thriving underground economy:
“The most popular item for sale on underground economy servers in 2008 was credit card information, accounting for 32% of the total. This is likely due to the fact that there are numerous ways for credit card information to be stolen, and that stolen card data can be easily cashed out. This is because the underground economy has a well-established infrastructure for monetizing such information, again indicating the increased sophistication of the underground economy.”

Other key findings

Among the other findings of the Threat Report, which is derived from data collected from millions of Internet sensors, first-hand research, and the monitoring of hacker communications:
  • Phishing continued to grow in 2008. Symantec detected 55,389 phishing Website hosts last year, an increase of 66% over 2007, when Symantec detected 33,428 phishing hosts. Financial services accounted for 76% of phishing lures in 2008 compared to 52% in 2007.
  • The volume of spam also continued to grow. Over the past year, Symantec observed a 192% increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008. In 2008, botnets were responsible for the distribution of approximately 90% of all spam email.
  • By the end of 2008 more than 1 million computers were infected with the Conficker worm. This worm was able to spread rapidly across the Internet due to a number of advanced propagation mechanisms. (The number of Conficker infections worldwide grew to more than 3 million infected systems during the first quarter of 2009.)
  • Symantec observed an average of more than 75, 000 active bot-infected computers each day in 2008, a 31% increase from 2007.
  • The report also points to the increased resilience of malware authors against attempts to halt their activities. As an example, the shutdown of two U.S.-based botnet hosting outfits contributed to a significant decrease in active botnet activity during September and November of 2008. However, botnet operators found alternative hosting Web sites, and botnet infections quickly rose to their pre-shutdown levels.
  • In 2008, the growth of malicious code activity was greatest in the Europe, Middle East, and Africa region.

The implications for SMBs

The large increase in the number of new malicious code threats, coupled with the use of the Web as a distribution mechanism, demonstrates the growing need for more responsive security measures, according to the report. While antivirus signature scanning, heuristic detection, and intrusion prevention continue to be vital for the security of organizations as well as end users, newer technologies, such as reputation-based security, will become increasingly important.
In addition, the Threat Report’s observation that medium-severity vulnerabilities are now sufficient to mount successful attacks should be of special concern to small and midsize businesses. In many cases, SMBs will ignore medium- and low-severity vulnerabilities, focusing their attention instead on patching high-severity vulnerabilities. That may not be a wise course to follow. As the report points out, eight of the top 10 vulnerabilities exploited in 2008 were rated as medium severity. Failure to patch such vulnerabilities means SMBs are leaving their computers exposed to the latest threats.


As the latest Symantec Internet Security Threat Report amply demonstrates, malicious code activity grew at a record pace in 2008, and confidential information was its primary target. The report, which provides a global view of the state of Internet security, shows that there continues to be a well-organized underground economy specializing in the sale of stolen confidential information, particularly credit card and bank account credentials.
For small and midsize businesses, this unfortunate state of affairs means they must be more vigilant than ever about their security practices. For that reason, SMBs are strongly encouraged to download the latest Internet Security Threat Report to learn more about security best practices.