Symantec: Boom Times For HackersSymantec: Boom Times For Hackers

Symantec Corp.'s twice-annual Internet Security Threat Report paints a menacing picture, one that security professionals know all too well.

A report released Monday by the security vendor using data from customers as well as from its DeepSight Threat analysis system says attackers are having an easier time than ever exploiting vulnerabilities. They're also increasingly using back doors to gain access to compromised systems, and are trying to turn a quick buck with stolen confidential information.

During 2003, according to Symantec's data, the number of easily-exploited vulnerabilities climbed about 10% from the year before, marking the first time that vulnerabilities so classified broke the two-thirds mark. In 2003, fully 70% of all security vulnerabilities were simple for attackers to manage.

The reasons are twofold, said Brian Dunphy, director of Symantec's managed securities services group. More vulnerabilities, such as those affecting Web services, take very little exploit expertise. Also, more hackers are relying on already-published exploit code and easily available tools to craft new attacks.

Other security analysts have harped on the same subject, and the proof in the trend has been as recent as 2004's wave of worms, due in part to the release of source code to such malware as MyDoom and Netsky into the underground.

Even though Symantec saw the number vulnerabilities posted during the last six months of 2003 leveling off from previous months, those that were disclosed were more severe in nature. In particular, Symantec put the spotlight on Microsoft's Internet Explorer, which experienced a 70% jump in disclosed vulnerabilities in the second half of 2003 over the first half.

The combination of easily exploited vulnerabilities and an increasing number of severe security holes means two things, said Dunphy. "The exploit windows continue to shrink," he said, referring to the continuing shortening of the time span between a vulnerability's release and the appearance of an exploit, and "zero-day threats may be on the horizon."

As an example of the first, Symantec held out the Gaobot worm, which exploited a vulnerability in Microsoft's Workstation Service less than two weeks after the flaw was first published in November 2003.

Zero-day threats are those that target vulnerabilities before they're announced and patches posted. Needless to say, they're the most dangerous, and difficult to contain.

"So far, every exploit we've seen has been against known vulnerabilities, for which patches are available," Dunphy said, even the disastrous Blaster worm of last August. But he's not confident he'll always be able to say that's true.

Other trends that Symantec spotted during the second half of 2003 show a huge increase in the number of exploits that took advantage of existing back doors planted on previously compromised computers. The number of submissions of worms and viruses that targeted back doors to plant their own code--from key loggers to updates of the original worm--jumped by 276% in 2003 over the previous year, and now account for almost half of malware referred to Symantec by its customers.

That trend spilled over into 2004, with worms such as MyDoom, which planted a back door used by other worms, including Doomjuice, to re-infect systems with a new wave of malicious code.

"Backdoors are effectively holes in the perimeter of an enterprise network," said Dunphy. "Increasingly, attackers are simply looking for back doors, and users should definitely expect this to continue."

More malicious code is also packed with its own mail server, a tactic that hackers have used to bypass gateway defenses companies have established for outgoing messages. Among the worms submitted to Symantec, for instance, 61% more came packaged with their own SMTP engines in the second half of 2003 compared to the first half.

"It vastly improves the effectiveness of that worm to propagate," said Dunphy.

Other data from Symantec's six-month analysis range from a major jump in the number of worms that exploit Windows to hackers after financial gain, not notoriety, said Dunphy. The number of worms and viruses aimed at Windows increased by 2-1/2 times over the same period in 2002, according to the company's numbers.

And hackers aren't after just kicks anymore. "Their intent isn't fun and games," said Dunphy. "Their attacks are even more malicious, and they're actually utilizing these threats to steal money."

Attacks seeking confidential information such as credit card numbers, passwords, and encryption keys grew markedly during the last half of 2003. The percentage of threats with information theft as their target grew 519% in the last half of 2003, and accounted for 78% of all Symantec's top 10 submissions, up from just 22% in the first six months.

Although Dunphy drew a dark picture of the state of security, there are some hints that the future will be a bit brighter. One area: automated updating on the part of operating systems to patch vulnerabilities.

"The trend is to automate [patches] and do this in the background," said Dunphy, pointing to announced plans such as Microsoft's to integrate automatic vulnerability patching in Windows XP Service Pack 2 this summer. "Operating system vendors are moving in the right direction to make patching easier."

That's crucial, and not just for business users, who faced, on average, seven new patches per day during 2003. In fact, Dunphy said, automated patch deployment is actually more important to protect home users who rarely keep track of vulnerabilities and infrequently update their machines.

"If you have a half-million home users infected or controlled by hackers, these machines can be used target companies," he said. "We need to harden up the home user computers, since they also feed back into the corporate network" via at-home workers connecting back to the enterprise.

"It's all one big public road that we're on," he said. "We're all in the same boat."