Kris Lamb, operations manager of X-Force research and development for IBM, said, "The Storm Worm provides a microcosm of the kinds of threats users faced in 2007. All in all, the exploits used to spread Storm Worm are a blend of various threats including spam, phishing and drive-by-downloads by way of web browser exploitation."
The report details "a disturbing rise in the sophistication of attacks by criminals on web browsers worldwide". By attacking the web browsers of ordinary users, cybercriminals are now stealing consumers' identities and taking control of their computers at a rate never before seen on the internet, IBM said.
The study said a complex and sophisticated criminal economy had developed to capitalise on web vulnerabilities. Underground brokers are supplying tools that obfuscate, or camouflage, browser attacks so that the exploit code evades detection by security software, it said.
In 2006, few attackers obfuscated their browser exploits, but the share of exploits using such camouflage soared to 80% during the first half of 2007 and nearly 100% by year-end. The report predicts that this criminal economy will drive a further proliferation of attacks in 2008.
Storm techniques let cybercriminals infiltrate an unprotected user's computer to steal their user IDs and passwords or personal information like national identity numbers, social security numbers and credit card information.
"When attackers invade an enterprise machine, they could steal sensitive company information or use the compromised machine to gain access to other corporate assets behind the firewall," IBM said.
"Computer security professionals can claim some victories, such as the drop in the amount of image-based spam, but attackers are adapting their approaches," said Lamb.
The Storm Worm was the most pervasive internet attack last year, Lamb said. It continues to infect computers around the world through a blend of threats that includes malware, spam and phishing. Last year X-Force reported a 30% rise in the number of malcode samples identified, and the Storm Worm alone accounted for around 13% of the entire malcode set collected in 2007. Lamb said that, for the first time, the volume of spam e-mail dropped to pre-2005 levels.
The new report also reveals that:
- The number of critical computer security vulnerabilities disclosed increased by 28%.
- The overall number of vulnerabilities reported dropped for the first time in 10 years.
- Only half the vulnerabilities disclosed last year could be corrected with vendor patches.
- Nearly 90% of vulnerabilities disclosed in 2007 were exploitable remotely.