Symantec Internet Security Threat Report Tracks Rise in Blended Threats, Worms Targeting Corporate and Consumer Systems, Severe Attacks

News Release

Exposure Window Continues to Shrink while Vulnerabilities Becoming Easier to Exploit

CUPERTINO, Calif. - March 15, 2004 - Symantec Corp. (Nasdaq: SYMC), the world leader in Internet security, today released its newest Internet Security Threat Report, one of the most comprehensive analyses of trends in Internet threat activity. Symantec has an unparalleled ability to identify, report on, and respond to emerging threats. In the company's six Security Operations Centers and nine Response Labs throughout the world, analysts monitor and evaluate security data to gain an unparalleled global perspective of the security landscape. The report's findings are based on anonymous data from Symantec Managed Security Services customers as well as from 20,000 DeepSight Threat Management System registered sensors worldwide monitoring attack activity in more than 180 countries.

The report examines how and why attacks have affected some organizations more severely than others and how current trends are expected to shape future Internet security threats. In addition, the report outlines information security best practices for corporations and consumers. This is the fifth issue of Symantec's Internet Security Threat Report.

"The Symantec Internet Security Threat Report is based on expert analysis of real data gathered from hundreds of enterprises, tens of thousands of security devices, and millions of desktops around the world," said Gail Hamilton, executive vice president and general manager Symantec Global Services and Support "Consequently, it is one of the most accurate, comprehensive, and timely sources of security information available for helping companies assess and mitigate risk of cyber attacks now and in the future."

Internet Security Threat Report: Key Highlights
The rise in blended threats, increased vulnerabilities targeting Windows components, and escalating discovery of severe information systems vulnerabilities pose a significant security issue for companies in the coming year.

Blended threats made up 54 percent of the top 10 malicious code submissions over the last six months of 2003. These threats have caused widespread damage more quickly than ever before due to increased propagation speed, aided in part by improved bandwidth and decreased latency.

One of the most "successful" worms, Blaster, targeted a vulnerability in core Windows components. Threats targeting these components are more widespread than the server software targeted by previous network-based worms, resulting in a much higher density of vulnerable systems.

The number of new vulnerabilities discovered has leveled off, but newly discovered vulnerabilities are more severe, rated as such based on their impact, remote exploitability, authentication and availability. In addition, the period of time between the announcement of a vulnerability and the release of an associated exploit is shrinking. These trends suggest that "zero-day" threats may be imminent. Such threats target vulnerabilities before they are announced and patches are made available, making prevention and containment extremely challenging.

Internet Security Threat Report: Attack Trends

In the first half of 2003, only one sixth of the companies analyzed reported a serious security breach. In the second half of the year, half of the companies reported a serious breach. This rise is largely the result of increasingly "successful" worms, which remain the most common source of attack activity. Moreover, almost one third of all attacking systems targeted the vulnerability exploited by the Blaster worm.
Financial services, healthcare, and power and energy were among the industries hardest hit by severe security events. However, in 2003 as in 2002, the rate of severe events decreased as client tenure with Symantec Managed Security Services increased. More than 70 percent of clients with a tenure of more than six months successfully avoided experiencing a severe attack.
Attackers increasingly targeted backdoors left by other attackers and worms. By leveraging existing backdoors to gain control of a target system, attackers can install their own backdoor or use the compromised system to participate in a distributed denial of service (DDoS).

This trend is also evident today. In January 2004, MyDoom began spreading at rates similar to Sobig.F, exposing infected systems through a backdoor and carrying out a targeted attack. Two new worms, Doomjuice and Deadhat, followed MyDoom, both propagating via the backdoor left by MyDoom.

Internet Security Threat Report: Vulnerability Trends

In 2003, slightly more vulnerabilities were discovered than in 2002, with 2,636 vulnerabilities documented compared with 2,587 in 2002, averaging seven per day.
The number of moderately severe vulnerabilities increased from an average of 98 per month in 2002 to an average of 115 per month in 2003. In addition, 70 percent of the vulnerabilities found in 2003 were classified as easy to exploit compared with 60 percent in 2002.
The majority of vulnerabilities with associated exploit code in 2002 and 2003 were classified as high-severity, with 175 in 2002 and 231 in 2003. The percentage of vulnerabilities for which exploit code was publicly available increased by 5 percent in 2003. The percentage of vulnerabilities that did not require specialized tools to exploit them increased by 6 percent in 2003.
Client-side vulnerabilities in Microsoft Internet Explorer are on the rise, from 20 in the first half of 2003 to 34 in the second half of the year-an increase of 70 percent. Many of these vulnerabilities allow attackers to compromise the systems of client users who visit Web sites hosting malicious content, intentionally or not. The primary reason for concern over this trend is the massive market dominance of Internet Explorer.

Internet Security Threat Report: Malicious Code Trends

Blended threats were responsible for some of the most significant security events of the year, which occurred in August when the Internet experienced three new Category 4 worms in only 12 days. These worms-Blaster, Welchia, and Sobig.F-infected millions of computers worldwide and, according to estimates by Computer Economics, may have resulted in up to $2 billion in damages.
Two and a half times the number of Win32 virus and worm submissions were observed in the second half of 2003 than over the same period in 2002, from 687 in the second half of 2002 to 1,702 in the second half of 2003. Included in these submissions were Blaster, Welchia, Sobig.F, and Dumaru. With these new threats, we have seen some associated trends. First, the time between the announcement and widespread exploitation of a vulnerability is decreasing. Second, hackers are increasingly using packers to conceal malicious code. Packers compress and encrypt Windows executable files, making it more difficult to detect malicious code in these files.
Within the top 10 malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61 percent in the second half of 2003 over the first half of the year. Because emails generated by the self-contained engine of malicious code do not interact with the user's email system, there are few signs of an active infection. Antivirus programs with heuristics-based detection can resist these types of threats.
During the second half of 2003, threats to privacy and confidentiality were the fastest growing threat. There was a 519 percent growth in volume of submissions within the top 10 malicious code submissions compared to the first half of the year. While older threats compromised confidentiality by exporting random documents, more recent viruses and blended threats also extract passwords, decryption keys, and logged keystrokes.

Recommended Best Practices
Symantec encourages users and administrators to adhere to the following best security practices to better protect their information assets:

Turn off and remove unneeded services.
Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Keep virus definitions updated. By deploying the latest virus definitions, corporations and consumers are protected against the latest viruses known to be spreading "in the wild."
Enforce a password policy.
Configure email servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif, and .scr files.
Isolate infected computers quickly to prevent further compromise. Perform a forensic analysis and restore the computers using trusted media.
Train employees to open only attachments they expect and to not execute software downloaded from the Internet unless it has been scanned for viruses.
Ensure that emergency response procedures are in place.
Educate management on security budgeting needs.
Test security to ensure adequate controls are in place.

About Symantec
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.

NOTE TO EDITORS: : If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States.

Symantec, the Symantec logo, VERITAS, and the VERITAS logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and certain other countries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.

http://www.symantec.com/press/2004/n040315b.html