Malicious attack trends: good, bad, and worse

Von Roger A.

So, who is the enemy? When fighting malicious hackers and malware, it helps to know who the enemy is. Symantec"s Internet Security Threat Report, Vol. VIII is a good place to start. Its findings echo InfoWorld"s own security survey and report.

Even though the Symantec report represents just one vendor"s view on the changing threat space, Symantec is pulling its data from 24,000 sensors in more than 180 companies participating in its DeepSight Threat Management System and Symantec Managed Security Services. Here are some of the most interesting points:

Overall number of attacks against a particular site in a given day have decreased.

Increase of hacking for profit: If you haven"t learned this point yet, hacking is big business now. Hacking used to be for script kiddies and technical wizards trying to prove a point and gain Net cred. Today, they are being crowded out by hackers making a living. Hackers use increasingly sophisticated worms, Trojans, and bots that they then sell to the highest bidder. Bidders are looking to send spam and adware, increase click-through rates, implement random DoS attacks, and steal credit card information, identity information, corporate information, and anything else that will turn a quick profit.

Increase in bot nets (closely related to the first point).

Information theft is on the rise. Seventy-four percent of most popular code submitted to Symantec had the ability to steal information. Again, this is strongly related to the first two points.

Nearly 11,000 new malware programs were identified in the first half of 2005 -- up 48 percent from 2004. Most of the increase is due to variants.

Mozilla-based browsers had more vulnerabilities than Internet Explorer in 2005. Per, Firefox had 20 vulnerabilities vs. IE"s 12, and Firefox had more critical vulnerabilities that allowed complete system compromise. This, of course, doesn"t mean that Firefox is more risky; it"s newer and is expected to have more bugs initially, but it does mean that open source browsers aren"t a defensive panacea. Can anyone code a secure, usable browser that substantially withstands the hacker threat that accompanies larger market shares? It would be interesting to see how Opera would handle increased scrutiny if it gained a larger market share.

Spam still accounts for the majority of e-mail on the Internet today. Nearly two years since President Bush signed the Can Spam law, spam control is no better than it was then. There may have been some token arrests, but when a convicted spammer is only paying negotiated fines that he can make back in a day, what"s the incentive to be scared of actual prosecution? Of course, anyone really interested in fighting spam was against the defanged Can Spam legislation in the first place -- it was a spam giveaway. Anybody in Congress paying attention?

Phishing attacks increased in 2005.

SQL Slammer worm-style attack code was the most popular attack by a wide margin against a network. Remember, old exploits often cause more damage than the new stuff.

An interesting side note to the previous point: MS SQL port 1433 wasn"t in the top 10 of attacked ports. The top 10 attacked ports included the normal Windows ports (which shouldn"t be exposed to the Internet if a firewall is in place), plus a few file sharing ports (Gnutella, eDonkey, etc.), the normal set of attacked Internet ports -- like 25, 80, 443 -- and two "random" ports.

Linux-based exploits made up three of the top five attacks. Is this good or bad for Linux?

Total attacks per day are decreasing. Symantec attributed a large part of this to the implementation of SP2 for Windows XP. It turns out that a one-way firewall, turned on by default, does have some benefits.

DDoS attacks are still increasing.

Average time between an exploit being disclosed and a working attack was six days. Average time for a patch release after a new exploit was announced was 54 days. That"s an interesting gap to consider. How well is your vendor doing?

Another interesting point that may not be obvious from looking at this list is the overwhelming use of automated code. Your biggest threat is not the dedicated, malicious hacker, but his automated worm, virus, Trojan, or bot.

The first bullet point is one alert that really needs to be communicated to senior management and your security defense teams, if it hasn"t already. Paul Revere is sounding the alarm: Hacking isn"t for fun anymore -- it"s for profit. Many other surveys are reporting a significant increase in targeted hacking, corporate espionage, and data theft. These aren"t worms and Trojans that want to be found; they are more stealthy, and they intend to learn and steal from the compromised host.

So, while overall attacks may be going down, the professional bad stuff is on the rapid increase. This means your security risk exposure is going up. Adjust your budgeting, defenses, and arguments to management accordingly.