Symantec: Hackers Have It Easier Than Ever

Data from the company's customers as well as from its global DeepSight Threat analysis system shows the trends. A report released Monday by the security firm says attackers are having an easier time exploiting vulnerabilities. They are increasingly using backdoors to gain access to compromised systems, and they are trying to turn a quick buck with stolen confidential information.

During all of 2003, according to Symantec's data, the number of easily-exploited vulnerabilities climbed by about 10 percent from the year before, marking the first time that vulnerabilities so classified broke the two-thirds mark. In 2003, fully 70 percent of all security vulnerabilities were simple for attackers to manage.

The reasons are two-fold, said Brian Dunphy, the director of Symantec's managed security services group. More vulnerabilities, such as those affecting Web services, take very little exploit expertise, and more hackers are relying on already-published exploit code and easily-available tools to craft new attacks.

Other security analysts besides those at Symantec have harped on the same subject, and the proof in the trend has been as recent as 2004's wave of worms, due in part to the release of source code to such malware as MyDoom and Netsky into the underground.


Even though Symantec saw the number of vulnerabilities posted during the last six months of 2003 leveling off from previous months, those which were disclosed were more severe in nature. In particular, Symantec put the spotlight on Microsoft's Internet Explorer, which experienced a 70 percent jump in disclosed vulnerabilities in the second half of 2003 over the first.

The combination -- easily-exploited vulnerabilities and an increasing number of severe security holes -- means two things, said Dunphy. "The exploit windows continue to shrink," he said, referring to the continuing shortening of the time span between a vulnerability's release and the appearance of an exploit, and "zero-day threats may be on the horizon."

As an example of the first, Symantec held out the Gaobot worm, which exploited a vulnerability in Microsoft's Workstation Service less than two weeks after the flaw was first published in November 2003.

Zero-day threats are those that target vulnerabilities before they're announced and patches posted. Needless to say, they're the most dangerous, and difficult to contain.

"So far, every exploit we've seen has been against known vulnerabilities, for which patches are available," Dunphy said, even the disastrous MSBlast worm of August 2003. But he's not confident that he'll always be able to say that's true.

Other trends that Symantec spotted during the second half of 2003 show a huge increase in the number of exploits that took advantage of existing backdoors planted on previously-compromised computers. The number of submissions of worms and viruses that targeted backdoors to plant their own code -- from key loggers to updates of the original worm -- jumped by some 276 percent in 2003 over the previous year, and now account for almost half of malware referred to Symantec by its customers.

That trend spilled over into 2004, with worms such as MyDoom, which planted a backdoor used by other worms, including Doomjuice, to re-infect systems with a new wave of malicious code.

"Backdoors are effectively holes in the perimeter of an enterprise network," said Dunphy. "Increasingly, attackers are simply looking for backdoors, and users should definitely expect this to continue."

More malicious code is also packed with its own mail server, a tactic that hackers have used to bypass gateway defenses companies have established for outgoing messages. Amongst the worms submitted to Symantec, for instance, 61 percent more came packaged with their own SMTP engines in the second half of 2003 compared to the first half.

"It vastly improves the effectiveness of that worm to propagate," said Dunphy.

Other data drawn from Symantec's six-month analysis ranges from a major jump in the number of worms that exploit Windows to hackers after financial gain, not notoriety, said Dunphy. The number of worms and viruses aimed at Windows increased by two and a half times over the same period in 2002, according to the company's numbers.

And hackers aren't after just kicks anymore. "Their intent isn't fun and games," said Dunphy. "Their attacks are even more malicious [than before] and they're actually utilizing these threats to steal money."

Attacks after confidential information -- such as credit card numbers, passwords, and encryption keys -- were on the increase in a major way during the last half of 2003. The percentage of threats with information theft as their target grew by 519 percent in the last half of 2003, and accounted for a whopping 78 percent of all Symantec's top ten submissions, up from just 22 percent in the first six months.

Although Dunphy drew a dark picture of the state of security, there are some hints that the future will be a bit brighter. One area: automated updating on the part of operating systems to patch vulnerabilities.

"The trend is to automate [patches] and do this in the background," said Dunphy, pointing to announced plans such as Microsoft's to integrate automatic vulnerability patching in Windows XP Service Pack 2 (SP2) this summer. "Operating system vendors are moving in the right direction to make patching easier," he said.

That's crucial, and not just for corporate users, who faced, on average, seven new patches per day during 2003. In fact, Dunphy said, automated patch deployment is actually more important to protect home users who rarely keep track of vulnerabilities and infrequently update their machines.

"If you have a half million home users infected or controlled by hackers, these machines can be used to target companies," he said. "We need to harden up the home user computers, since they also feed back into the corporate network" via at-home workers connecting back to the enterprise.

"It's all one big public road that we're on," he said. "We're all in the same boat."

This story courtesy of TechWeb.