Users, sites more vulnerable than ever


Symantec's recently released 2008 Internet Security Threat Report describes
a shifting threat landscape that has seen an increase in Web-based malicious
activity, increased attacks on end users rather than computers, and an
underground economy that is consolidating and maturing. Awareness of these
changes in tactics improves the ability of security administrators and end
users to protect data and IP.

Says Rowland Gcwensa, Symantec product specialist at Drive Control
Corporation (DCC): "New threats require new security solutions and
approaches, but this is an ever-evolving cycle – as new security measures
are applied, so attackers develop more innovative ways to attain their
objectives. In this report, Symantec has identified a number of trends that
have developed over the last six months of 2007 based on data collected in
this period, as well as future trends which it expects to surface through

"An awareness of these evolving threats – and the solutions and approaches
that will mitigate their impact – is crucial for organisations of all sizes
and, increasingly, for end users."

Symantec gathers malicious code reports from over 120 million client,
server, and gateway systems that have deployed its antivirus product, and
also maintains one of the world's most comprehensive vulnerability
databases, currently consisting of over 25,000 recorded vulnerabilities
(spanning more than two decades) affecting more than 55,000 technologies
from over 8,000 vendors. It uses these sources of data to identify, analyze,
and provide informed commentary on emerging trends in attacks, malicious
code activity, phishing and spam.
Malicious activity has become Web-based, putting pressure on organizations
to implement suitable solutions. Says Gcwensa: "In the past, traditional
attack activity primarily used widespread, broadcast attacks aimed at
computers deployed on networks. However, administrators and vendors have
fortified perimeter defenses with tools such as firewalls and intrusion
detection/prevention systems (IDS/IPS). In response, attackers have adopted
stealthier, more focused techniques that target individual computers via the
World Wide Web."

According to the report, site-specific vulnerabilities that affect custom or
proprietary code for a specific Web site (site-specific cross-site scripting
vulnerabilities) increased fivefold through the second half of 2007 compared
to documented traditional vulnerabilities.

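The site-specific cross-site scripting vulnerabilities the report counts typically come from custom page code that copies visitor input into HTML without encoding it. The following Python snippet is an added illustration, not code from Symantec or from the report: a greeting page rendered once with that defect and once with output encoding via the standard library's html.escape, fed a constructed query string standing in for a visitor's request.

```python
import html
from urllib.parse import parse_qs

# Constructed sample inputs (not taken from any real site): a benign visitor name
# and one that carries markup. Both arrive URL-encoded in the query string.
BENIGN_QUERY = "name=Alice"
HOSTILE_QUERY = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def render_greeting_vulnerable(name: str) -> str:
    """Site-specific code that interpolates visitor input straight into HTML.

    Whatever markup one visitor submits is served back verbatim, so the browser
    of every later reader parses and executes it as part of the page."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_fixed(name: str) -> str:
    """Same page with output encoding applied at the point of insertion.

    html.escape converts <, >, &, " and ' into entities, so the value is shown
    as text and never becomes an element or attribute."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def handle_request(query_string: str, renderer) -> str:
    """Minimal request handler: pull 'name' out of the query string (decoded by
    parse_qs), default to 'guest', and hand it to the chosen renderer."""
    params = parse_qs(query_string)
    name = params.get("name", ["guest"])[0]
    return renderer(name)


def contains_script_tag(page: str) -> bool:
    """Check used only to compare the two renderers: does the produced HTML
    still contain a raw <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for label, query in (("benign", BENIGN_QUERY), ("hostile", HOSTILE_QUERY)):
        print(label, "vulnerable:", handle_request(query, render_greeting_vulnerable))
        print(label, "fixed:     ", handle_request(query, render_greeting_fixed))
```

The fixed renderer is only correct for text placed inside an element body or a quoted attribute; input that ends up inside a script block, a URL or a CSS value needs the encoding rules of that context instead, which is exactly the kind of per-site detail that produces the custom-code vulnerabilities the report describes.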
Says Gcwensa: "Attackers are particularly targeting sites that are likely to
be trusted by end users, such as social networking sites. Compromised Web
sites are then used to launch attacks against users. This has been shown to
be an effective strategy for launching multistage attacks and exploiting
client-side vulnerabilities, with a specific focus on browser plug-in
vulnerabilities. The attacker then installs malicious software such as
Trojans, back doors, and bots on the compromised computer."

However, adds Gcwensa, malicious activity no longer targets computers; it
targets confidential end-user information that can be used in fraudulent
activity for financial gain. Symantec notes that this trend is reflected on
underground economy servers – the black market forums used by criminals and
criminal organisations to advertise and trade stolen information and
services, typically for use in identity theft – where data related to
identities, credit cards and financial details accounted for 44% of goods
advertised in the second half of 2007.

A recurring theme is the increased professionalisation and commercialisation
of malicious activities. Symantec believes that it has evolved into a
mature, consolidated underground economy. This economy is characterized by a
number of traits that are present in more orthodox economies, including
specialization of production of goods and services, outsourcing of
production, multivariate pricing and adaptable business models.

"The most important approach for administrators," says Gcwensa, "is to make
sure all users have the latest virus program and that the latest threat
definitions are downloaded. With regard to packaged solutions, Norton
Internet Security 2008 (NIS 2008) and Norton 360 v2.0, an all-in-one
security solution, have new features that will assist administrators to
prevent Web-based malicious attacks, email-based attacks and theft of
personal information."

Based on new patent-pending technology, zero-day protection in Norton
Internet Security 2008 and 360 fights back against new and unknown threats
that exploit vulnerabilities in Internet Explorer. Another feature in NIS
2008, Symantec Threat Interceptor Browser Defender, protects the core of
Internet Explorer, helping to ensure that malware cannot load and execute.

Says Gcwensa: "In addition to infection data, Symantec analyses and
documents attributes for each new form of malicious threat that emerges both
in the wild and in a zoo environment. NIS 2008's Norton Confidential feature
thus lets users safeguard their personal information from online identity
theft. These new features also help users to optimize the PC and protect
important files by backing them up and restoring them at any time."

In 2008, Symantec believes there will be a number of rapidly evolving and
complex security issues that will spawn trends that organisations should
begin to look out for. These include the increasing use of whitelisting
technologies, an increased focus on portable media and shrink-wrapped
devices, and the decline of IRC-controlled bot networks.

Says Gcwensa: "The preliminary results of a new study by Symantec indicate
that the release rate of malicious code and other unwanted programs may be
reaching a tipping point, exceeding the release of legitimate software
applications. For example, Symantec measured the adoption rate of
applications and found that out of 54,609 unique applications deployed on
Microsoft Windows PCs, 65 percent were malicious. This will increase the
focus on whitelisting technologies."

While traditional blacklisting identifies bad applications based on a list
of known characteristics and removes, blocks, or quarantines malicious code
or unwanted applications, whitelisting focuses on identifying known or
certified "good" applications. Notes Gcwensa: "Users need to look out for
security technologies that adopt this model, as they will more economically
and effectively write signatures for a smaller set of legitimate programs.
This will allow these security vendors to provide consumers and enterprises
with adaptive solutions that reflect changes in the threat landscape."

Portable media such as USB flash thumb drives, portable audio and video
players, and other small storage devices such as digital picture frames
represent a serious security concern, not only as an attack target, but also
in their ability to act as a distribution system for malicious code, such as
viruses, worms and Trojans. With some of these devices having Internet
connectivity, Symantec speculates that, as these devices continue to
increase in popularity, attackers and malicious code authors will target
these devices more frequently, even during the manufacturing process.

A final trend that Symantec believes will become more prevalent is the shift
away from traditional Internet Relay Chat (IRC) bot command-and-control
communications. Explains Gcwensa: "Attackers are adopting a decentralized
command-and-control architecture, thus making their bot networks more
difficult to detect and disable. For example, HTTP and peer-to-peer (P2P)
networks are being established for bot communication."
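One consequence of the move to HTTP command-and-control, from the defender's side, is that bot check-ins look like ordinary web requests and have to be picked out of proxy logs by behaviour rather than by protocol. The following Python example is added here and is not part of the article or of any Symantec tooling; it runs a simple periodicity test over a constructed proxy log (the addresses, hostnames and timestamps are invented) and flags client/host pairs whose request intervals are nearly constant, the pattern a bot polling its controller on a timer produces. The thresholds `min_requests` and `max_cv` are assumptions to be tuned per environment. Peer-to-peer command-and-control, which the article also mentions, needs different telemetry and is not covered.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log, one request per line: "<ISO timestamp> <client ip> <method> <url>".
# 10.0.0.5 polls a single host roughly every 60 s with small jitter (beacon-like);
# 10.0.0.7 browses a site at irregular human intervals. Hosts use the reserved
# .example TLD so nothing here refers to a real domain.
SAMPLE_PROXY_LOG = """\
2008-04-14T09:00:00 10.0.0.5 GET http://update-check.example/ping
2008-04-14T09:01:01 10.0.0.5 GET http://update-check.example/ping
2008-04-14T09:02:00 10.0.0.5 GET http://update-check.example/ping
2008-04-14T09:03:02 10.0.0.5 GET http://update-check.example/ping
2008-04-14T09:04:00 10.0.0.5 GET http://update-check.example/ping
2008-04-14T09:05:01 10.0.0.5 GET http://update-check.example/ping
2008-04-14T09:00:12 10.0.0.7 GET http://news.example/
2008-04-14T09:00:15 10.0.0.7 GET http://news.example/story/1
2008-04-14T09:07:40 10.0.0.7 GET http://news.example/story/2
2008-04-14T09:31:05 10.0.0.7 GET http://news.example/
2008-04-14T09:31:06 10.0.0.7 GET http://news.example/images/a.png
2008-04-14T09:52:00 10.0.0.7 GET http://news.example/story/9
"""


def parse_log(text: str):
    """Turn log lines into (timestamp, client, destination host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), client, urlsplit(url).hostname))
    return events


def find_beacons(events, min_requests: int = 5, max_cv: float = 0.1):
    """Flag (client, host) pairs whose inter-request gaps are nearly constant.

    The coefficient of variation (std dev / mean) of the gaps is near zero for a
    timer-driven poll and large for human browsing. Returns a dict mapping each
    flagged pair to (mean gap in seconds, coefficient of variation)."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all requests in the same second; not a polling pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = (round(avg, 1), round(cv, 3))
    return flagged


if __name__ == "__main__":
    for (client, host), (avg, cv) in find_beacons(parse_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} -> {host}: mean gap {avg}s, cv {cv}")
```

Legitimate software updaters and monitoring agents also poll on timers, so a hit from this test is a lead for triage (what the host is, whether the client should be talking to it) rather than a verdict; in practice the periodicity score is combined with destination reputation and the size and uniformity of the responses.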