Symantec Internet Security Threat Report Highlights Rise in Threats to
Confidential Information
Report Reveals Increase in Attacks Against Web Applications, Threats to
Windows, Severe/Easy-to-Exploit Vulnerabilities, Phishing Scams
Hong Kong (March 22, 2005) – Symantec Corp. (Nasdaq: SYMC), the global
leader in information security, today released its newest Internet
Security Threat Report. The seventh bi-annual report provides analysis
and discussion of trends in Internet attacks, vulnerabilities, malicious
code activity, and additional security risks for the period of July 1,
2004 to December 31, 2004.
"Attackers are launching increasingly sophisticated attacks in an effort
to compromise the integrity of corporate and personal information," said
Arthur Wong, vice president of Symantec Security Response and Managed
Security Services. "By offering not only an unparalleled view of current
Internet threat activity but also critical insights regarding future
trends, Symantec's Internet Security Threat Report serves as an
invaluable tool for enabling businesses and individuals to safeguard the
security and availability of their information assets no matter what."
Key Findings
Rise in Threats to Confidential Information: Over the past three
reporting periods, threats with the potential to expose confidential
information have continued to increase. Between July 1 and December 31,
2004, malicious code created to expose confidential information
represented 54 percent of the top 50 malicious code samples received by
Symantec, up from 44 percent in the first six months of the year and 36
percent in the second half of 2003. This is partially due to the
proliferation of Trojan horses. Between July 1 and December 31, 2004,
Trojans represented 33 percent of the top 50 malicious code reported to
Symantec.
Steady Increase in Phishing Attacks: As predicted in the previous volume
of the Internet Security Threat Report, the number of phishing attacks
is increasing. Phishing is a method to steal confidential information
such as passwords, credit card numbers, and other financial information.
By the end of December 2004, Symantec Brightmail AntiSpam antifraud
filters were blocking an average of 33 million phishing attempts per
week, up from an average of 9 million per week in July 2004. This
represents an increase of over 366 percent. Symantec expects that
phishing will continue to be a very serious concern over the next year.
Increase in Attacks Against Web Applications: Web applications are
popular targets because they enjoy widespread deployment and can allow
attackers to circumvent traditional perimeter security measures such as
firewalls. They are a serious security concern because they may allow
attackers access to confidential information without having to
compromise individual servers. Nearly 48 percent of all vulnerabilities
documented between July 1 and December 31, 2004 were Web application
vulnerabilities, a significant increase from the 39 percent documented
in the previous six-month period.
Rise in Number of Windows Virus/Worm Variants: Due to the widespread
deployment of Microsoft Windows operating systems in enterprise and
consumer environments, Windows 32 viruses and worms pose a serious
threat to the security and integrity of the computing community. From
July 1 to December 31, 2004, Symantec documented more than 7,360 new
Windows 32 virus and worm variants. This represents an increase of 64
percent over the previous six-month period. As of December 31, 2004, the
total number of documented Windows 32 threats and their variants was
approaching 17,500. Because a failure to prevent, detect, or remove
these threats could mean severe financial losses, the disclosure of
confidential information, and the loss of data, organisations are
challenged with updating their antivirus solutions more often than ever
before which, in turn, puts more pressure on current resources.
Increase in Severe, Easy-to-Exploit, Remotely Exploitable
Vulnerabilities: Between July 1 and December 31, 2004, Symantec
documented more than 1,403 new vulnerabilities, which translates into
more than 54 new vulnerabilities per week or almost eight new
vulnerabilities per day. Of these, 97 percent were considered moderately
or highly severe, which means that successful exploitation of the
vulnerability could result in a partial or complete compromise of the
targeted system. Furthermore, 70 percent were considered easy to
exploit, which means that either no custom code is required to exploit
the vulnerability or that such code is publicly available. Compounding
this problem is that nearly 80 percent of all documented vulnerabilities
in this reporting period are remotely exploitable, which likely
increases the number of possible attackers.
Attack Trends
- For the third straight reporting period, the Microsoft SQL Server
Resolution Service Stack Overflow Attack (formerly known as the Slammer
attack) was the most common attack, used by 22 percent of all attackers.
The second most common attack was the TCP SYN Flood Denial of Service
Attack, which was launched by 12 percent of attackers.
- Organisations received 13.6 attacks per day, up from 10.6 in the
previous six months. The United States continues to be the top attack
source country, followed by China and Germany.
- The financial services sector experienced the highest ratio of severe
attacks, with 16 severe events per 10,000 security events.
Vulnerability Trends
- The time between the disclosure of a vulnerability and the release of
associated exploit code remained extremely short at 6.4 days.
- Symantec documented 1,403 new vulnerabilities, a 13 percent increase
over the previous six-month period. 97 percent of documented
vulnerabilities were considered either highly or moderately severe.
Moreover, 70 percent of all documented vulnerabilities were classified
as easily exploitable.
- Web application vulnerabilities made up 48 percent of all
vulnerabilities disclosed, up from 39 percent in the first half of 2004.
Vulnerabilities targeting Web applications are often classified as
easily exploitable.
- Vulnerabilities are affecting new alternative browser distributions.
During the last six months of 2004, 21 vulnerabilities affecting Mozilla
browsers were disclosed, compared to 13 vulnerabilities affecting
Microsoft Internet Explorer. Six vulnerabilities were reported in Opera.
Malicious Code Trends
- As in previous reports, mass-mailing worms dominated the top malicious
code reported over the last six months of 2004. Eight of the top 10
samples reported to Symantec during this period were variants of
mass-mailer worms that have been seen in previous reports, including
Netsky, Sober, Beagle, and MyDoom.
- Two bots were present in the top 10 malicious code samples, compared
to just one in the previous reporting period. Gaobot was the third most
frequently reported sample over the past six months, followed by Spybot.
Moreover, 4,300 new distinct variants of Spybot were reported, an
increase of 180 percent over the previous six months.
- Symantec documented more than 7,360 new Windows 32 viruses and worms,
an increase of 64 percent over the first half of the year and an
increase of more than 332 percent over the 1,702 documented in the
second half of 2003. As of December 31, 2004, the total number of
Windows 32 variants approached 17,500.
- Malicious code that exposes confidential information made up 54
percent of the top 50 malicious code samples, up from 44 percent in the
previous reporting period and 36 percent in the second half of 2003.
This represents a 23 percent increase between the current period and the
first half of 2004 and a 50 percent increase over the same period the
previous year.
- At the end of the reporting period, there were 21 known samples of
malicious code for mobile applications, up from one (the Cabir worm) in
June 2004. Among the new threats were the Duts virus, the first threat
to Windows CE; and the Mos Trojan, which was discovered in a Symbian
game.
Additional Security Risks
- In the last six months of 2004, adware programs made up 5 percent of
the top 50 Symantec customer reports, up from 4 percent in the previous
report. Iefeats was the most commonly reported adware program,
accounting for 36 percent of top 10 reports.
- Webhancer was the most frequently reported spyware program during the
second half of 2004, representing 38 percent of the top 10 spyware
reported.
- Five of the top 10 adware reported samples were installed via a Web
browser. Nine of the top 10 reported spyware programs were bundled with
other software.
- Symantec reported a 77 percent growth in spam for companies whose
systems were monitored for spam; the weekly totals of spam rose from
an average of 800 million spam messages per week to well over 1.2
billion spam messages per week by the end of the reporting period.
Moreover, spam made up more than 60 percent of all e-mail traffic
observed by Symantec during this period.
Future and Emerging Trends
- The use of bots and bot networks for financial gain will likely
increase, especially as the diverse means of acquiring new bots and
developing bot networks become more prevalent.
- Malicious code targeting mobile devices is expected to increase in
number and severity. With many groups researching vulnerabilities in
Bluetooth-enabled devices, the possibility of a worm or some other type
of malicious code propagating by exploiting these vulnerabilities
increases.
- Symantec expects that client-side attacks using worms and viruses as
propagation methods will become more common.
- Attacks hidden in embedded content in audio and video images are
expected to increase. This is worrisome because image files are
ubiquitous, almost universally trusted, and an integral part of modern
day computing.
- Symantec expects security risks associated with adware and spyware
will likely increase. Impending legislation to curb these risks is not
expected to be an effective or sufficient deterrent on its own.
About the Symantec Internet Security Threat Report
Symantec has established one of the most comprehensive sources of
Internet threat data in the world. The following resources give
Symantec analysts unparalleled sources of data with which to identify
emerging trends in attacks and malicious code activity:
- DeepSight Threat Management System and Managed Security Services -
More than 20,000 sensors monitoring network activities in over 180
countries.
- Symantec's antivirus products - More than 120 million client, server,
and gateway systems that have deployed Symantec's antivirus products
provide reports on malicious code as well as spyware and adware.
- Vulnerability database - Covering over 11,000 vulnerabilities
affecting more than 20,000 technologies from more than 2,000 vendors,
Symantec maintains one of the world's most comprehensive databases of
security vulnerabilities.
- BugTraq - Symantec operates BugTraq, one of the most popular forums
for the disclosure and discussion of vulnerabilities on the Internet.
- Symantec Probe Network - A system of more than 2 million decoy
accounts, attracting e-mail messages from 20 different countries around
the world that allows Symantec to gauge global spam and phishing
activity.
About Symantec
Symantec is the global leader in information security providing a broad
range of software, appliances and services designed to help individuals,
small and mid-sized businesses, and large enterprises secure and manage
their IT infrastructure. Symantec's Norton brand of products is the
worldwide leader in consumer security and problem-solving solutions.
Headquartered in Cupertino, California, Symantec has operations in more
than 35 countries. More information is available at
http://www.symantec.com.
NOTE TO EDITORS: If you would like additional information on Symantec
Corporation and its products, please view the Symantec Press Center at
http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices
noted are in US dollars and are valid only in the United States.
Symantec and the Symantec logo are trademarks or registered trademarks,
in the United States and certain other countries, of Symantec
Corporation. Additional company and product names may be trademarks or
registered trademarks of the individual companies and are respectfully
acknowledged.