Malware Problem Shows no Sign of Slowing

Symantec today has issued its 13th Internet Security Threat Report, an overarching state of security on the Internet. The report shows the evolution of how both the threat and the criminals behind it have matured almost as much as the software industry itself.

Over 40 pages, Symantec (NASDAQ: SYMC) covers four major points: trusted Web sites have become the focus of a large portion of malicious activity; attackers are seeking information, not just to damage your PC; attackers are selling information to a mature underground economy; and attackers are adapting rapidly to new security measures.

Criminals have the advantage of operating in the shadows while software vendors have to operate in the open. As much as criminal hackers dig around for vulnerabilities, software firms make it easy for them by publishing fixes, which have to be done in public.

The bad guys then take those fixes, such as Microsoft’s monthly Patch Tuesday releases, and reverse engineer the fixes. They then issue malware to target people that were too slow to patch.

In the time period covered by the 13th ISTR, from July 1, 2007, to Dec. 31, 2007, Symantec found 11,253 site-specific examples of cross-site scripting vulnerabilities. During that period, only 473 of those vulnerabilities had been patched. Many attacks are generated out of fixes issued by firms.

“They’re going after people too slow to patch,” Wayne Periman, director of operations for Symantec Security Response, told “From the point of release until a patch is installed, that vulnerability becomes a target rich environment.”

And a wide open one, too. Symantec found that the average amount of time to install patches from when they are first issued is 52 days, nearly two months from issuance to installation.

The tactic of targeting trusted sites is due to security measures that look at the name and age of a domain. An e-mail gateway can be programmed to look at the originating domain for a letter, realize the domain was registered just two weeks prior (often a red flag) and reject the letter.

But what if that letter or code originates from Yahoo (NASDAQ: YHOO), Google (NASDAQ: GOOG), MySpace or Facebook, or pretends? It has a better chance of getting past the security. Plus, with so much cross-linking through friends lists and address books, once you compromise one account, plenty more become targets as well.
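As an added illustration, not from the report or the article, here is the kind of domain-age check a mail gateway applies, in Python, with constructed registration records and `.example` domains standing in for a WHOIS lookup; it also shows the blind spot the article describes, since any sender on a long-established domain passes the check regardless of whether the account is compromised.

```python
from datetime import date, timedelta
from email.utils import parseaddr

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
# Domains and dates are assumptions for the example, not data from the report.
REGISTRATION_DATES = {
    "newly-registered.example": date(2007, 12, 10),   # registered days ago
    "established-webmail.example": date(1995, 1, 18),  # long-established site
}
MIN_DOMAIN_AGE = timedelta(days=14)  # the "two weeks" red flag from the text


def sender_domain(from_header):
    """Return the registrable-looking domain of a From: header, lowercased."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    parts = host.split(".")
    # Collapse subdomains to the last two labels (naive: no public-suffix list)
    return ".".join(parts[-2:]) if len(parts) >= 2 else None


def gateway_decision(from_header, today):
    """Accept or reject a message purely on the age of the sending domain.

    Returns (verdict, reason). Note that an old domain is accepted no matter
    who controls the account, which is exactly the gap the article points out.
    """
    domain = sender_domain(from_header)
    if domain is None:
        return "reject", "unparseable sender address"
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return "reject", f"no registration record for {domain}"
    age = today - registered
    if age < MIN_DOMAIN_AGE:
        return "reject", f"{domain} registered only {age.days} days ago"
    return "accept", f"{domain} registered {age.days} days ago"


if __name__ == "__main__":
    today = date(2007, 12, 20)
    for hdr in ("Alerts <alert@mail.newly-registered.example>",
                "A Friend <friend@established-webmail.example>"):
        print(hdr, "->", gateway_decision(hdr, today))
```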

“Attackers are going after those sites in a big way, simply because they can propagate quickly through the victim’s social network,” Periman said. Phishing attacks attempting to imitate two social networks accounted for 91 percent of all phishing attacks in the ISTR report’s time period. Periman wouldn’t specify the sites, but given the dominance of two certain sites it’s not hard to figure out which sites Symantec is talking about.

A full 76 percent of the top 50 pieces of malware seen by Symantec in this period had keystroke loggers, and 71 percent exported the user’s data to a remote destination. Fifty-three percent of that information found its way onto the underground economy, where it’s bought and sold.

One of the more disturbing trends was just how good the criminal element has gotten, thanks to phishing and botnet kits. In 2007, two-thirds of all the threats Symantec found during the course of the year were created that year thanks to kits that are the criminal equivalent of an SDK.

“They’ve gone to MBA school,” Periman joked. “It’s beginning to look more and more like a traditional business. They are not just trading [code] to build malware but to build kits. If you want to be a bad guy, just go out and buy a kit.”

Malware is evolving as well. The number of botnets grew by 17 percent during the ISTR time period, but the number of command and control servers dropped by 4,000. Periman theorized that the botnet owners are adopting a peer-to-peer means of communication, which is harder to take down than the hub-and-spoke systems used before.
