Hackers costing enterprises billions

Hackers continued adding billions to the cost of doing business on the Internet in the first half of 2004, despite security executives' efforts to prevent malicious attacks.

Motivated increasingly by money, the hackers are amassing legions of unwitting bot computers for distributed denial-of-service (DDoS) attacks. They are also exploiting Web applications and mobile devices to steal identities through e-commerce scams, including phishing.

These are some of the worrisome conclusions drawn by the Cupertino, Calif.-based security vendor Symantec Corp. in its semi-annual Internet Security Threat Report released today.

The report finds that -- among the computers monitored by Symantec -- the number of monitored bot computers rose from less than 2,000 to more than 30,000 between January and June 2004.

Attackers use remotely controlled "bot" (also known as "zombie") networks to scan for vulnerable systems and to maximize the impact of DDoS attacks. Organized crime syndicates use the threat of bot attacks to extort money from business owners.

In fact, of the targeted attacks Symantec detected in the last six months, the majority were against e-commerce companies, including financial institutions. Small business received the second highest number of attacks.

"We're no longer talking strictly about the male teenager with the low moral compass, or the hactivist, who defaces sites or uses malicious code or worms against those on one side in a political conflict," said Vincent Weafer, senior director of Symantec Security Response. "These people are targeting e-commerce, and they are often backed by organized crime."

The Symantec report is based on data gathered from 20,000 devices that are a part of the company's DeepSight security alert system. The report also relies on information from Symantec's BugTraq malicious code submissions program, which receives 250,000 samples monthly from computer users who believe they have received malicious code.

Symantec was also able to incorporate data gathered by the spam-filtering service Brightmail, which it acquired in June. "Brightmail probes one-quarter of all e-mail traffic in the world," said Weafer.

The news in the Internet Security Threat Report is not entirely bad. The daily volume of Internet-based worm attacks decreased in the first half of the year, according to Symantec. The Slammer worm was the most likely to have attacked computers.

But another trend is more disturbing: The average time period between the disclosure of a vulnerability and its first exploit by hackers collapsed from several weeks in past reports to less than six days in the first half of 2004.

"In some cases, we saw global exploits in less than two days," said Weafer. The current report finds that the vast majority of those vulnerabilities were moderately to highly severe and nearly 40% were associated with Web applications.

The Symantec report also predicted trouble ahead for users of P2P software and mobile devices, which it calls "popular propagation vectors for worms and other malicious code."

The report noted that 2004 saw the first malicious worm for mobile devices, Cabir, which attacks Bluetooth devices.

That means security execs will have even more assets to watch over in the coming years. "You will want to make sure you have policies in place for the use of new technologies, and have a means for making sure users comply with them," said Weafer.