The Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. It includes analysis of network-based attacks, a review of known vulnerabilities, and highlights of malicious code. It also assesses trends in phishing and spam activity. This article provides an overview of the latest report, covering the six-month period from January 1 to June 30, 2007.
Over the past several reporting periods, Symantec has observed a fundamental change in the threat landscape. Attackers have moved away from nuisance and destructive attacks and toward activity that is motivated by financial gain. Today’s attackers are increasingly sophisticated and organized, and they have begun to adopt methods that are similar to traditional software development and business practices.
In previous Internet Security Threat Reports, Symantec has also reported that global, decentralized networks of collaborative malicious activity were beginning to appear, and that distinct regional threat patterns were emerging. In response to these trends, Symantec has released three new reports: the EMEA Internet Security Threat Report for Europe, the Middle East, and Africa (EMEA); the APJ Internet Security Threat Report for the Asia-Pacific/Japan (APJ) region; and the Government Internet Security Threat Report, which focuses on threats and trends of specific interest to government organizations.
Today, the threat landscape is arguably more dynamic than ever. As security measures are developed and implemented to protect the computers of end users and organizations, attackers are rapidly adapting new techniques and strategies to circumvent them. Based on the data collected during the first six months of 2007, Symantec has observed that the current security threat landscape is characterized by the following:
- Increased professionalization and commercialization of malicious activities To meet the needs of what has become a multi-billion dollar criminal industry, much malicious activity has become professionalized and commercialized over the past two years. MPack was one of the notable security threats that emerged in the first half of 2007. It is a commercially available black-market attack toolkit that launches exploits for browser and client-side vulnerabilities against users who visit a malicious or compromised Web site. Symantec believes that MPack was professionally written: the robustness of the kit suggests that it benefited from professional development, and there is evidence that it was selling online for $1,000.
- Threats are increasingly targeted at specific regions While there have always been attacks that are regional in nature, recent analysis indicates that attackers are currently focusing more on targets that share a common language, infrastructure, or online activity. Where earlier threat activity was predominantly global in nature, the expansion of broadband Internet into areas that have traditionally not been served by high-speed connectivity has given attackers new targets. In part, this is because new broadband users may not be aware of the precautions required to protect their computers. It is also likely because rapidly expanding Internet service providers (ISPs) tend to focus their resources on meeting growing demand at the expense of implementing adequate security measures. During the first six months of 2007, EMEA accounted for 43% of all potential infections caused by worms, while North America accounted for just 23%. This may indicate that defenses implemented by North American ISPs are successfully limiting the spread of network worms.
- Increasing numbers of multi-staged attacks Recently, Symantec has been seeing considerable attack activity that incorporates multi-staged attacks. These are attacks in which an initial, low-profile compromise is used to establish a beachhead from which subsequent attacks are launched. The clearest example of the multi-staged approach is malicious code known as staged downloaders. Sometimes called modular malicious code, staged downloaders are threats that download and install other malicious code onto a compromised computer. They allow an attacker to swap the downloadable component for any type of threat that suits the attacker's objectives; as those objectives change, the later components can be changed to perform the requisite tasks. During the first six months of 2007, 28 of the top 50 malicious code samples were staged downloaders, down slightly from 29 in the second half of 2006; nevertheless, 79% of potential malicious code infections during this period involved some form of staged downloader. Another example of multi-staged attacks is the MPack kit, which was discovered in May 2007. During the current reporting period, the MPack kit was used to install malicious code on thousands of computers. Legitimate Web sites were compromised and modified to include code that redirected the user's browser to a malicious MPack server.
- Attackers target victims by first exploiting trusted entities Over the last few years, Symantec has observed that attackers, instead of trying to break directly into the computers of targeted users, are compromising trusted Web sites and applications. When an end user visits the site or uses the application, the attacker is able to compromise the user's computer, typically by redirecting the browser to a malicious Web site or by downloading a Trojan onto the user's computer. This trend has been made possible by the increased deployment of Web applications and Web 2.0 technologies. During the current reporting period, 61% of all vulnerabilities disclosed were Web application vulnerabilities. This has serious implications for end users, who can no longer assume that a well-known site is safe to visit.
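The two items above describe the same mechanism from different angles: a legitimate site is modified to include code that sends the visitor's browser to an attacker-controlled server, which then delivers the exploit and the staged payload. The report does not say what form the injected code took, so the following worked example, added here and not taken from the report or from Symantec, assumes the three injection patterns a defender would typically look for: a hidden or 1x1 iframe, a meta refresh, and a script that assigns to `location`, each pointing off the site's own origin. The sample HTML and the IP addresses in it are constructed for the example; `find_injected_redirects` and `RedirectFinder` are names chosen here.

```python
"""Flag redirects in a site's own HTML that point off its origin.

Assumed injection patterns (not stated in the report): hidden/1x1 iframes,
meta refresh tags, and script assignments to location. A site owner or
crawler can run this over fetched pages to spot the kind of modification
described above before the redirect reaches visitors.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectFinder(HTMLParser):
    """Collects (kind, target_url) tuples for off-origin redirects."""

    _LOCATION_ASSIGN = re.compile(
        r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    )
    _META_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)

    def __init__(self, origin_host):
        super().__init__()
        self.origin_host = origin_host.lower()
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        # Relative URLs have no host and stay on the origin; only a
        # different absolute host counts as an off-site redirect.
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.origin_host

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in style or "visibility:hidden" in style or tiny
            if hidden and self._offsite(a.get("src", "")):
                self.findings.append(("hidden_iframe", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = self._META_URL.search(a.get("content", ""))
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta_refresh", m.group(1)))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here as raw text.
        if self._in_script:
            for m in self._LOCATION_ASSIGN.finditer(data):
                if self._offsite(m.group(1)):
                    self.findings.append(("script_redirect", m.group(1)))


def find_injected_redirects(html, page_url):
    """Return a list of (kind, target) for redirects leaving page_url's host."""
    origin = urlparse(page_url).hostname
    parser = RedirectFinder(origin)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a benign same-origin iframe plus three injected
# redirects to documentation-reserved addresses (not real attacker hosts).
SAMPLE_PAGE = """<html><head><title>Example Shop</title>
<meta http-equiv="refresh" content="0; url=http://attacker.example/go">
</head><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/help" width="600" height="400"></iframe>
<iframe src="http://198.51.100.7/in.cgi" width="1" height="1" style="visibility:hidden"></iframe>
<script>window.location = "http://203.0.113.9/index.php";</script>
</body></html>"""

if __name__ == "__main__":
    for kind, target in find_injected_redirects(SAMPLE_PAGE, "http://www.example.com/"):
        print(f"{kind}: {target}")
```

The same-origin help iframe is ignored, while the meta refresh, the hidden 1x1 iframe, and the script redirect are all reported. In practice this check belongs in a periodic crawl of your own pages with an allow-list of legitimate third-party hosts (analytics, CDNs) added to the origin comparison; it catches the modification, not the exploit kit behind it, which is the point of finding it early.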
- A convergence of attack methods Traditionally, the Symantec Internet Security Threat Report has analyzed security activity separately, namely as Internet attacks, vulnerabilities, malicious code, phishing and spam, and other malicious activities. However, over the past two reporting periods, it has become apparent that attackers are now consolidating diverse attack methods to create global networks that support coordinated malicious activity. MPack and other Trojans exhibit this convergence of threats. Once installed on a computer, they can be used to harvest confidential information for identity theft or fraud, to launch phishing attacks or host phishing Web sites, and to turn the computer into a spam zombie. As attackers become more financially motivated, this convergence lets them combine the full range of attack methods for maximum return. This suggests that exploit code developers, malicious code authors, spammers, and phishers may be collaborating for mutual gain.
The Symantec Internet Security Threat Report draws upon some of the most comprehensive sources of Internet threat data available. For example, the Symantec Global Intelligence Network tracks attack activity across the entire Internet. It consists of more than 40,000 sensors monitoring network activity in over 180 countries. Also, Symantec gathers malicious code reports from more than 120,000,000 client, server, and gateway systems that have deployed Symantec’s antivirus products. In addition, Symantec operates the BugTraq mailing list, which has approximately 50,000 subscribers who share vulnerability research on a daily basis.
Volume XII of the Symantec Internet Security Threat Report, which includes Symantec's recommended "Enterprise Best Practices," is available for download from Symantec.