Symantec today released its 12th bi-annual Internet Security Threat Report covering malicious activity over the first six months of the year, which confirms some trends that have been emerging and notes some new ones, as well.
The report covers activity from Jan. 1 to June 30 of this year, drawing on data gathered by Symantec’s Global Intelligence Network. This consists of more than 40,000 sensors monitoring network activity in over 180 countries and sample code gathered by more than 120 million client, server, and gateway systems that have deployed Symantec’s antivirus products.
Also, Symantec runs what it calls the Probe Network, a system of over 2 million decoy accounts to attract e-mail messages from 20 different countries around the world, which allows Symantec to measure global spam and phishing activity.
What it found isn’t pretty. Malicious activity is less computer vandalism and much more in the realm of criminality. Gone are the days when some punk’s virus stomped on your FAT table and wrecked the hard drive. Symantec, along with many other antivirus vendors, thinks viruses as we know them are in decline, replaced with crimeware.
“Viruses are dropping in favor of theft,” Zulfikar Ramzan, senior principal researcher in Advanced Threat Research at Symantec, told InternetNews.com. “Of the top 20 samples we received, 65 percent could threaten confidential info, and 88 percent of those were keystroke loggers. Goes to show hackers are much more after the financial benefits of their activities as opposed to the notoriety of it.”
Making things worse is the commercialization of malware thanks to development kits that allow anyone to make a Trojan or worm. The most notorious is MPACK, written by a Russian crimeware gang, that Ramzan said goes for around $1,000. MPACK comes with sample code, making it easy to jumpstart the task.
“[Malware is] getting worse because developers aren’t starting from scratch; they’re taking existing work and making it worse,” he said. In addition, Symantec found that 42 percent of phishing attacks were from 3 specific kits, none of which have a name.
In general, Ramzan said phishing operations can be completely outsourced and require no technical skills. All one needs is a kit to develop a phishing attack relatively easily, rent time on spam and phishing servers, buy a list of e-mail addresses from the underground economy, and go trolling.
Once you have a bunch of credit cards, bank accounts or identities, you can then turn around and sell them on underground servers. Ramzan found credit cards selling for 50 cents to $5, depending on the limit, bank accounts selling for $30 to $400 and identities selling for $6 to $100.
A lot of the crooks involved in this business actually treat it like a job. “We notice more activity on weekdays than weekends. There’s a supply chain from the underground, commoditization of the tools, support contracts for the toolkits. There’s an incredible amount of professionalization that’s gone into this world,” he said.
Overwhelmingly, the targets of attacks are home users. Symantec estimates 95 percent of all attacks in the last six months have been aimed at the home user, an increase from the 87 percent last year.
And those attacks are not aimed at vulnerabilities. Even though Symantec found that all of the operating system vendors except HP have improved their response times when a vulnerability pops up, that’s not where the criminals are going. Symantec found that exploits of vulnerabilities made up only 18 percent of attacks. The rest were simply looking for a sucker to click on the wrong link or run a file they shouldn’t.
One of the new areas of exploitation is browser plug-ins. Symantec saw the count jump from 74 to 237 between one reporting period and the next. Ramzan said the plug-ins are becoming targets because the browsers themselves are being hardened. The only browser under attack is Apple’s Safari, which went from four in the last report period to 25 in this most recent one, a testament to Apple’s growing popularity.
Rootkits, those devils that seemed to scare the daylights out of everyone, seem to have fallen off the radar. The one exception was the Storm Trojan, because it used a rootkit to hide itself. Trojans, which require a gullible end user rather than an exploit, remain the most common form of attack.