THE MAGAZINE

Worm's-eye View of Attack Trends

By Peter Piazza

An analysis of tens of thousands of computer security attacks over the second half of last year, conducted as part of Symantec's fifth Internet Security Threat Report, has revealed some disturbing trends hidden within the unsurprising news that worms remained the most common vector of attacks.

The most surprising finding, according to Oliver Friedrichs, senior manager with Symantec Security Response, was how much the threat to confidential data has increased. In the first half of 2003, roughly 22 percent of the top 10 malicious code submissions represented threats to sensitive data such as credit card information. In the second half of the year, that number jumped to nearly 78 percent.

Attacks such as Bugbear were designed to find and extract confidential information as well as log keystrokes. They also endanger networks by installing backdoors, allowing others to easily gather information as well, Friedrichs says.

Another trend was the use of "packers," programs that compress and encrypt files, to hide malicious code. The report notes that more than 75 percent of the more than 500 versions of the Spybot worm were packed. This obfuscated code makes the process of finding threats more difficult, Friedrichs says, though he adds that Symantec and some other antivirus companies "have the ability to basically detect threats that have been compressed and write definitions that do detect threats once they've been compressed and encrypted like this." The use of packers to hide malicious code reinforces the idea that antivirus software needs to be deployed "across all tiers of a corporate network," the report states, including on individual desktops.

Late last year there was also an increase in mass-mailing viruses that included their own e-mail engines; this enabled them to replicate and then send copies to new victims (or possibly send spam) without interacting with the user's e-mail system. The report notes that heuristics-based antivirus products are typically able to detect and block this type of threat.

While many threats still come from hackers seeking a challenge, Friedrichs worries that these tactics will be exploited by serious malefactors. "With the monetary gain that somebody can obtain from releasing threats like this," he notes, "the potential for organized crime and others with criminal intent will likely increase as well."
