Symantec threat report under the microscope

This week in Security Blog Log: Infosec professionals dissect Symantec's latest threat report and express a range of views in the blogosphere.


Security bloggers have spent the week dissecting the latest threat report from Symantec Corp. If nothing else, Big Yellow's analysis for the second half of 2006 confirms much of what IT professionals already knew: The bad guys are using botnets and Trojans to exploit zero-day flaws so they can steal sensitive data from networks and sell it to the highest bidder.

Among the highlights of the latest report:

  • Symantec reported more than six million distinct bot-infected computers worldwide during the second half of 2006, a 29% increase from the previous period. The number of command-and-control servers used to relay commands to these bots actually decreased by 25%, though Symantec attributes that to botnet owners consolidating their networks and increasing the size of their existing networks.
  • Trojans accounted for 45% of the top 50 malware samples, a 23% increase over the first six months of the year.
  • Twelve zero-day vulnerabilities were counted during the second half of 2006, marking a significant increase from the one zero-day flaw documented in the first half of the year.
  • Digital miscreants are using underground economy servers to sell stolen information, including government-issued identity numbers, credit cards, bank cards and personal identification numbers (PINs), user accounts, and email address lists.
  • Theft or loss of a computer or data storage medium, such as a USB memory key, made up 54% of all identity theft-related data breaches.
  • Countries with the highest amount of malicious activity originating from their networks were the U.S. at 31%, China at 10% and Germany at 7%.

Symantec warned IT security professionals to prepare for threats against Windows Vista, with a focus on vulnerabilities, malicious code and attacks against the Teredo platform. The company also predicted attackers will target third-party applications that run on Vista and step up their assault against mobile devices and virtualization programs.

"We've seen a gradual process where blended threats have morphed from a single attack targeting millions of people to higher numbers of individual attacks targeting individuals or small groups," Dean Turner wrote in the Symantec Security Response blog. "Targeted malicious code is all the rage and if you have the knowledge, skills, and a high-value target, chances are you're taking advantage of a zero-day vulnerability to install your bot software, spam zombie, phishing site, or keystroke logger."

For people like Mike Rothman, president and principal analyst of Security Incite in Atlanta, the findings were hardly surprising.

"The biggest news peg … is that the bad guys are now selling multiple pieces of identity data, basically enough to compromise your identity, for $18," he wrote in his Daily Incite blog. "Seems cheap, no? The point is that identity information is plentiful out there and that means prices are coming down."

That doesn't mean that all of those $18 identities will be compromised, but they could be, he said, adding, "That's why I pay 'insurance' to a company called LifeLock. I hope I never need it, but if I do I'd rather have these folks fight the battles with the credit rating companies. I've got too much other stuff to do."

Richard Bejtlich, founder of the Washington, D.C.-based consultancy Tao Security, found no new revelations in the report, but found it a pretty good overview of what's going on in cyberspace today.

"Nothing really jumped out at me … but it's good background data if you need to cite the state of digital security for a report," he wrote in his blog.

Some did find fault with sections of the report, however.

Stephen Kost, CTO of Chicago-based security firm Integrigy Corp., wrote in his blog that while he's usually not in a position to defend Oracle's patching process, he did think Symantec overshot the database giant's vulnerability count.

"[The report] inflated the vulnerability count for Oracle by comparing apples and oranges," he said. "This version of the threat report contains a comparison of the number of vulnerabilities found in five leading relational databases (Oracle, IBM DB2, Microsoft SQL Server, MySQL, and PostgreSQL) [and] Oracle looks really bad with 168 vulnerabilities published during the second half of 2006 as compared to five for IBM DB2 and zero for Microsoft SQL Server during the same period."

About Security Blog Log:
Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected].

While Oracle has suffered plenty of flaws, Kost said the number is far less than 168. "Our internal count puts the Oracle Database-only published vulnerability count for the second half of 2006 at 49," he said.

Others found a little humor amidst all the sobering statistics.

StillSecure Chief Strategy Officer Alan Shimel wrote in his blog that it was simply nice to see Symantec writing about something other than the evils of Microsoft and Windows Vista.

"And here I just thought Symantec was busy preparing reports that knocked Vista and Microsoft's inherent conflict of interest in providing operating systems and security programs that protect them," he said.

Dave Goldsmith of New York-based Matasano Security LLC joked in the organization's blog that the report at least showed that America was leading the world in malware production.

"Overcoming stereotypes of American laziness, Symantec's research has shown that our malware authors are more productive than any other country!" he wrote.