Information Security News mailing list archives

Symantec: Boom Times For Hackers


From: InfoSec News <isn () c4i org>
Date: Tue, 16 Mar 2004 01:44:07 -0600 (CST)

http://www.informationweek.com/story/showArticle.jhtml?articleID=18400171

By Gregg Keizer
TechWeb News 
March 15, 2004

Symantec Corp.'s twice-annual Internet Security Threat Report paints a
menacing picture, one that security professionals know all too well.

A report released Monday by the security vendor using data from
customers as well as from its DeepSight Threat analysis system says
attackers are having an easier time than ever exploiting
vulnerabilities. They're also increasingly using back doors to gain
access to compromised systems, and are trying to turn a quick buck
with stolen confidential information.

During 2003, according to Symantec's data, the number of
easily-exploited vulnerabilities climbed about 10% from the year
before, marking the first time that vulnerabilities so classified
broke the two-thirds mark. In 2003, fully 70% of all security
vulnerabilities were simple for attackers to manage.

The reasons are twofold, said Brian Dunphy, director of Symantec's
managed security services group. More vulnerabilities, such as those
affecting Web services, take very little exploit expertise. Also, more
hackers are relying on already-published exploit code and easily
available tools to craft new attacks.

Other security analysts have harped on the same subject, and the trend
was borne out as recently as 2004's wave of worms, driven in part by
the release into the underground of source code for such malware as
MyDoom and Netsky.

Even though Symantec saw the number of vulnerabilities posted during
the last six months of 2003 leveling off compared with previous months,
those that were disclosed were more severe in nature. In particular,
Symantec put the spotlight on Microsoft's Internet Explorer, which
experienced a 70% jump in disclosed vulnerabilities in the second half
of 2003 over the first half.

The combination of easily exploited vulnerabilities and an increasing
number of severe security holes means two things, said Dunphy. "The
exploit windows continue to shrink," he said, referring to the
continuing shortening of the time span between a vulnerability's
release and the appearance of an exploit, and "zero-day threats may be
on the horizon."

As an example of the first, Symantec held out the Gaobot worm, which
exploited a vulnerability in Microsoft's Workstation Service less than
two weeks after the flaw was first published in November 2003.

Zero-day threats are those that target vulnerabilities before they're
announced and patches posted. Needless to say, they're the most
dangerous, and difficult to contain.

"So far, every exploit we've seen has been against known
vulnerabilities, for which patches are available," Dunphy said, even
the disastrous Blaster worm of last August. But he's not confident
he'll always be able to say that's true.

Other trends that Symantec spotted during the second half of 2003 show
a huge increase in the number of exploits that took advantage of
existing back doors planted on previously compromised computers. The
number of submissions of worms and viruses that targeted back doors to
plant their own code--from key loggers to updates of the original
worm--jumped by 276% in 2003 over the previous year, and now account
for almost half of malware referred to Symantec by its customers.

That trend spilled over into 2004, with worms such as MyDoom, which
planted a back door used by other worms, including Doomjuice, to
re-infect systems with a new wave of malicious code.

"Backdoors are effectively holes in the perimeter of an enterprise
network," said Dunphy. "Increasingly, attackers are simply looking for
back doors, and users should definitely expect this to continue."

More malicious code is also packed with its own mail server, a tactic
that hackers have used to bypass gateway defenses companies have
established for outgoing messages. Among the worms submitted to
Symantec, for instance, 61% more came packaged with their own SMTP
engines in the second half of 2003 compared to the first half.

"It vastly improves the effectiveness of that worm to propagate," said
Dunphy.

Other findings from Symantec's six-month analysis range from a major
jump in the number of worms that exploit Windows to hackers who are
after financial gain rather than notoriety, said Dunphy. The number of
worms and viruses aimed at Windows increased by 2-1/2 times over the
same period in 2002, according to the company's numbers.

And hackers aren't after just kicks anymore. "Their intent isn't fun
and games," said Dunphy. "Their attacks are even more malicious, and
they're actually utilizing these threats to steal money."

Attacks seeking confidential information such as credit card numbers,
passwords, and encryption keys grew markedly during the last half of
2003. The percentage of threats with information theft as their target
grew 519% in the last half of 2003, and accounted for 78% of all
Symantec's top 10 submissions, up from just 22% in the first six
months.

Although Dunphy drew a dark picture of the state of security, there
are some hints that the future will be a bit brighter. One area:
automated updating on the part of operating systems to patch
vulnerabilities.

"The trend is to automate [patches] and do this in the background,"
said Dunphy, pointing to announced plans such as Microsoft's to
integrate automatic vulnerability patching in Windows XP Service Pack
2 this summer. "Operating system vendors are moving in the right
direction to make patching easier."

That's crucial, and not just for business users, who faced, on
average, seven new patches per day during 2003. In fact, Dunphy said,
automated patch deployment is actually more important to protect home
users who rarely keep track of vulnerabilities and infrequently update
their machines.

"If you have a half-million home users infected or controlled by
hackers, these machines can be used to target companies," he said. "We
need to harden up the home user computers, since they also feed back
into the corporate network" via at-home workers connecting back to the
enterprise.

"It's all one big public road that we're on," he said. "We're all in
the same boat."
