Networks More Prone To Malicious Attacks Than Ever Before: Report

Updated: Mar 25 2004, 05:30am hrs
The Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. This issue includes an analysis of network-based attacks, known vulnerabilities, and malicious code for the period of July 1 to December 31, 2003. It also examines how and why attacks have affected some organisations more severely than others, and how current trends are expected to shape future Internet security threats. Extracts from the report:

One of the most significant events of 2003 occurred in August when the Internet experienced three new Category 4 worms in a span of only 12 days. Blaster, Welchia, and Sobig.F infected millions of computers worldwide. These threats alone may have resulted in as much as $2 billion in damages. In the first half of 2003, only one-sixth of the companies analysed reported a serious breach. In the second half of the year, half of the companies reported a serious breach.

Seven new vulnerabilities a day were announced in 2003. Malicious code that exposes confidential data increased significantly. So did blended threats targeting Windows operating systems. Attackers and blended threats are increasingly utilising previously compromised systems to launch attacks.

Attack Trend Highlights Of The Report Include:
* Worms remained the most common source of attacks.

* Almost one-third of all attacking systems targeted the vulnerability exploited by Blaster.

* Attackers increasingly targeted backdoors left by other attackers and worms.

* Attacking systems tended to target geographic regions close to them.

* Financial services, healthcare, and power and energy were among the industries hardest hit by severe events.

* Increased client tenure continues to result in a decrease of severe events. Over 70 per cent of clients with tenure of more than six months successfully avoided a severe event.

Vulnerability Trend Highlights
* Symantec documented 2,636 new vulnerabilities in 2003, an average of seven per day.

* Symantec data indicates that the rate of vulnerability disclosure has leveled off.

* Newly discovered vulnerabilities are increasingly severe and easy to exploit.

* In 2003, 70 per cent of vulnerabilities were classified as easy to exploit.

* The percentage of vulnerabilities for which exploit code was publicly available increased by 5 per cent in 2003.

* The percentage of vulnerabilities that do not require specialised tools to exploit them increased by 6 per cent.

Malicious Code Trend Highlights
* Blended threats make up 54 per cent of the top ten submissions over the past six months.

* Symantec observed two and a half times as many Win32 viruses and worms as over the same period in 2002.

* Within the top ten malicious code submissions, the number of mass-mailer worms with their own mail engine increased by 61 per cent over the first half of 2003.

* Threats to privacy and confidentiality were the fastest growing dangers, with 519 per cent growth in volume of submissions within the top ten.

Current Issues
* In January 2004, MyDoom began spreading at rates similar to Sobig.F, exposing infected systems through a backdoor and carrying out a targeted attack.

* Two new worms, Doomjuice and Deadhat, followed MyDoom, both propagating via the backdoor left by MyDoom.

* Blended threats continue to serve as vehicles to launch large-scale denial-of-service attacks, including Blaster in August and MyDoom and its successors (Deadhat and Doomjuice) in the first two months of 2004.

Attackers Leveraging Existing Backdoors
A large number of sensors observed activity that was targeting backdoors left behind by previous attacks and blended threats. By leveraging existing backdoors to gain control of a target system, attackers can install their own backdoor or use the compromised system to participate in a distributed denial-of-service (DDoS) attack. As of the first quarter of 2004, attackers and new blended threats are scanning networks seeking the backdoor contained in the MyDoom worm.

Vulnerabilities Severe And Easy To Exploit
On average, over the past six months, 99 new high-severity vulnerabilities a month were announced. Vulnerabilities are becoming increasingly easy to exploit. This either means that no specialised knowledge is required to gain unauthorised access to a network or that tools are readily available to help attackers do so. This increases the likelihood of damaging intrusions. In 2003, 70 per cent of vulnerabilities announced were considered easy to exploit, up from 60 per cent in 2002.