Hijacked consumer machines target the enterprise

Attackers continue to strike gold by targeting consumers who lack the security savvy to address desktop application flaws, according to Symantec Corp. Enterprises ultimately pay the price.

The digital underground has learned that the best way to strike gold is to target consumers blissfully unaware that their desktop applications are riddled with security holes. By hijacking as many consumer desktops as possible, the bad guys can expand their botnets and use them to burglarize big enterprises with deep pockets.

That's the takeaway from Symantec Corp.'s threat report for the first half of the year. The Cupertino, Calif.-based antivirus giant released the report Monday. It covers the threat landscape over the six-month period between Jan. 1 and June 30, 2006 and is similar in many respects to Symantec's threat report for the second half of 2005.

Among the highlights:

  • As attackers focus on financial gain, they have found that consumers are the easiest prey. After consumers, their top target is the financial services sector.

  • Desktops have become the attack vector of choice, as illustrated by recent exploits using flaws in Microsoft Word, PowerPoint and Excel.

  • Firefox had the most flaws in the first six months of 2006, but nearly half the browser attacks in that period targeted Internet Explorer. Meanwhile, a majority of security holes continue to be found in Web applications.

  • Phishing attacks surged in the first part of the year with 157,477 unique phishing campaigns, each consisting of hundreds of thousands of emails a day.

    Botnets [have become] the attacker's Swiss Army knife.
    Oliver Friedrichs
    Director of Security ResponseSymantec Corp.
    "Consumers are the weakest link because they are more susceptible to social engineering attacks like phishing and there tends to be more flaws on their machines," said Oliver Friedrichs, director of Symantec Security Response. By targeting consumer machines, attackers are able to expand their botnets, which are then used to target enterprise networks.

    "Botnets have become a major part of the underground economy," he said. "[They] are used to launch spam, phishing emails, denial-of-service attacks and to commit click-fraud. They've become the attacker's Swiss Army knife."

    Therefore, he added, it was no surprise when attackers used the Windows Server Service flaw to draft more machines into their botnets shortly after Microsoft issued a patch for the vulnerability in August.

    Here's a more detailed breakdown of Symantec's findings:

    Attack trends

  • Microsoft Internet Explorer was the most frequently targeted Web browser, accounting for 47% of all browser attacks.
  • Symantec observed an average of 6,110 denial-of-service attacks per day.
  • The United States was the target of the most denial-of-service attacks, accounting for 54% of the worldwide total.
  • The Internet service provider (ISP) sector was the most frequently targeted by denial-of-service attacks.
  • China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total.
  • The United States had the highest percentage of bot command-and-control servers with 42%.
  • Beijing was the city with the most bot-infected computers in the world.
  • The United States ranked as the top country of attack origin, accounting for 37% of the worldwide total.
  • The home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks.

    Vulnerability trends

  • Symantec documented 2,249 new vulnerabilities, up 18% over the second half of 2005. This is the highest number ever recorded for a six-month period.
  • Web application vulnerabilities made up 69% of all vulnerabilities this period.
  • Mozilla browsers had the most vulnerabilities, 47, compared to 38 in Microsoft Internet Explorer.
  • In the first six months of 2006, 80% of vulnerabilities were considered easily exploitable, up from 79% the previous reporting period.
  • Seventy-eight percent of easily exploitable vulnerabilities affected Web applications.
  • The window of exposure for enterprise vulnerabilities was 28 days.
  • Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day.
  • In the first half of 2006, Sun operating systems had the highest average patch development time, with 89 days, followed by Hewlett Packard with 53 days, Apple with 37 days and Microsoft and Red Hat with 13 days.

    Malware trends

  • Eighteen percent of all distinct malicious code samples detected by Symantec honeypots were new.
  • Five of the top 10 new malicious code families reported were Trojan horse programs.
  • The most prevalent new malicious code family this period was that of the Polip virus.
  • Worms made up 38 of the top 50 malicious code samples.
  • Worms made up 75% of the volume of top 50 malicious code reports.
  • Symantec documented 6,784 new Win.32 viruses and worms.
  • Bots accounted for 22% of the top 50 malicious code reports, up slightly from the 20% reported in the last period.
  • Thirty of the top 50 malicious code samples exposed confidential information.

    Other security risks

  • The Symantec Probe Network detected 157,477 unique phishing messages, an increase of 81%.
  • Financial services was the most heavily phished sector, accounting for 84% of phishing activity.
  • Spam made up 54% of all monitored email traffic, up from 50% in the last period.
  • The most common type of spam detected in the first six months of 2006 was related to health services and products.
  • Fifty-eight percent of all spam detected worldwide originated in the United States
  • Eight of the top 10 reported security risks were adware programs.
  • Three of the top 10 new security risks are what Symantec calls "misleading applications."

    Sourcing Symantec's findings
    The conclusions in Symantec's threat reports are based on research gathered from sources that include:

    DeepSight Threat Management System and Managed Security Services. Through these services, the firm has more than 40,000 sensors monitoring network activities in over 180 countries.

    Antivirus programs. Symantec said more than 120 million client, server and gateway systems that use Symantec antivirus products generate reports on malicious code, including spyware and adware.

    Vulnerability database. The company maintains a database on more than 20,000 vulnerabilities affecting more than 30,000 technologies from more than 4,000 vendors.

    BugTraq. Symantec operates BugTraq, a forum where vulnerabilities are disclosed and discussed. The service has more than 50,000 subscribers.

    Probe Network. Symantec also operates a system of more than 2 million decoy accounts that attract e-mail messages from 20 different countries. Symantec uses the system to measure global spam and phishing activity.

  • Read more on Operating systems software