Consumers are now the main target of malicious hackers intent on enriching themselves through the misery of others. Vulnerabilities in desktop applications and the increased use of stealth techniques are on the rise among members of the digital underground.
The latest edition of Symantec's Internet Security Threat Report, which covers the first half of 2006, suggests that consumer security protection is weak, leaving Joe Public easy prey to identity thieves, botnet herders and other financially motivated criminals. Crackers are using a variety of techniques to escape detection and remain on infected systems for longer.
Symantec reckons assaults against consumers account for 86 per cent of all targeted attacks. Banks and other financial sector organisations are the second most prevalent target for Internet attacks. Phishing attacks almost doubled during the reporting period.
The first six months of 2006 saw a continuation of the trend of large, widespread Internet worms giving way to smaller, more targeted attacks focusing on fraud, data theft, and criminal activity. Client-side applications such as web browsers and email clients are popular attack targets.
Vulnerabilities affecting web applications accounted for 69 per cent of all vulnerabilities documented by Symantec in the first half of 2006. Flaws in web browsers were particularly prominent in this mix with 47 vulnerabilities documented in Mozilla browsers (compared to 17 in the last reporting period), 38 in Microsoft Internet Explorer (compared to 25 in 2H05), and 12 in Apple Safari (compared to six in 2H05). Symantec fails to say how many of these vulnerabilities are serious, so direct comparisons may be misleading.
Ollie Whitehouse, Symantec research scientist and one of the authors of the report, told El Reg that the company didn't classify in the report how many of these vulnerabilities might be used to inject hostile code, as opposed to simply crashing browsers.
Hide and seek
In the first half of 2006, 18 per cent of all malicious code samples detected by Symantec had not been seen before, indicating that hackers are trying harder to evade detection by signature-based anti virus and intrusion prevention systems.
Phishers are also attempting to bypass filtering technologies by creating multiple randomised messages. In H1 2006, 157,477 unique phishing messages were detected, 81 per cent more than in the previous six months. The financial services sector was the most heavily phished, accounting for 84 per cent of phishing sites tracked by Symantec.
Spam accounted for just over half (54 per cent) of monitored email traffic, slightly up from 50 per cent in 2H05. Malware authors are increasingly trying to tempt users into web sites hosting malicious code as opposed to burying viruses within infectious attachments, where hostile code is more likely to be blocked.
Networks of compromised PCs remain a lucrative resource for hackers. These bot networks can be used not only to spread malicious code, but to send spam or phishing messages, download adware and spyware, launch denial of service attacks, or harvest confidential user information.
Symantec identified more than 4.6m active bot network computers and observed an average of 57,717 active bot network computers per day during the first half of 2006. During the reporting period, the IT security firm observed an average of 6,110 denial of service attacks per day, a big increase from the 1,402 DoS attacks per day it recorded in the last six months of 2005. Just over half (54 per cent) of these attacks were thrown at US-based systems. ISPs bore the brunt of the onslaught.
Other financially motivated attacks use modular malicious code, malware that updates itself or downloads more aggressive threat components onto compromised PCs once it gains a foothold. During the first half of 2006, modular malicious code accounted for 79 per cent of the top 50 malicious code samples reported to Symantec. Malicious code samples capable of exposing confidential data represented 30 of the top 50 samples seen by the security firm.
Symantec predicts that virus writers will resurrect polymorphic virus techniques in a bid to escape detection by anti-virus filters. It also reckons hackers will apply "Web 2.0" concepts such as user-based publishing and technologies like AJAX in Internet attacks.
Symantec documented 2,249 new vulnerabilities in the first half of 2006, an increase of 18 per cent over 2H05 and the highest volume of vulnerabilities recorded for any reporting period so far. Fuzzers, programs or scripts designed to find vulnerabilities in software code, will raise the vulnerability count even further.
On a more positive note, vendors are releasing software patches more quickly. The window of exposure for enterprise vendors and web browsers was 28 days, down from 50 days in the previous period. Microsoft Internet Explorer had an average window of exposure of nine days (down from 25), Apple Safari five days (up from zero), Opera two days (down from 18), and Mozilla one day. These figures do not take into account the effect the latest, unpatched IE exploits might have on the statistics.
For the first time, Symantec also looked at how long operating system vendors take to patch security bugs. Sun had the longest patch release time with 89 days followed by HP with 53 days. Apple took an average of 37 days while Microsoft and Red Hat had the lowest average patch release times of 13 days apiece.