Sophisticated Targeting, Spike In Web Attacks Highlight Symantec Threat Report

Web-based attacks nearly doubled in 2010, and criminals are now making use of social networks and other information sources to launch targeted attacks against both enterprises and small and midsize businesses, according to the Symantec Internet Security Threat Report. Symantec reports a 93 percent increase in Web-based attacks, driven by the proliferation of attack toolkits that put sophisticated malicious software in the hands of a broad base of criminals.

The Phoenix toolkit played a role in 39 percent of all Web-based attacks, followed by NeoSploit and Nukesploit, each at 18 percent. At the same time, attackers are exploiting social networks to perform reconnaissance before cracking into businesses and tricking trusting employees into divulging information that gives them access to key systems and sensitive data.

Enterprise attacks may target executives or someone with access to source code or customer accounts. Small businesses may be compromised by tricking whomever has access to their bank accounts. "They're sort of two sides of the same coin," says Marc Fossi, executive editor of the report. "Targeted attacks use a lot of social engineering, doing all this reconnaissance, maybe gathering information from social networking sites and sending very directed emails.The other side of the coin, Web-based attacks, is completely indiscriminate, affecting anyone who visits a Web site that's been compromised."

Other targeted attacks, such as the high-profile Stuxnet and Hydraq (Aurora) attacks, make use of sophisticated malware that flies under the radar, leveraging zero-day vulnerabilities and rookits. In a number of cases, malware is designed to spread through portable storage devices, such as USB drives, a key to penetrating the "air-gapped" systems that Stuxnet penetrated. (This technique recalls the early days of "sneaker-net infection, when malware was spread via floppy disks.)

It's difficult to say if targeted attacks are on the rise overall, Fossi says, because by nature they are designed to remain hidden. Other reports have shown that breaches often go months without being detected. Stuxnet and Hydraq may have helped increase awareness about these kinds of attacks.The combination of attack toolkits and plenty of vulnerabilities to exploit--Symantec reports more than 6,000 new ones in 2010--fueled the rise in Web attacks, while traditional propagation mechanisms, notably file transfer and email attachments, dropped 18 percent. There were 14 new zero-day vulnerabilities, primarily in widely used applications such as Internet Explorer, and Adobe Reader and Flash Player. Stuxnet alone used four of these vulnerabilities.

Malware writers churned out a startling 2.86 million unique variants in 2010 in an effort to overwhelm traditional anti-malware techniques, such as signature-based detection. Security vendors such as Symantec and others have responded with a wider range of detection technologies, notably Web site and, more recently, file reputation. Symantec says that the widely distributed toolkits helped criminals inflate malware totals.

Mobile device vulnerabilities were up, but the numbers were still small, rising from 115 in 2009 to 163 in 2010. Moreover, there's is no sign that criminals are about to start exploiting smartphones, tablets, etc. in any significant numbers. The large majority of mobile devices are still "dumb" cellphones, Fossi observes, and criminals are making a lot of money exploiting desktop and laptop computers. He believes that criminals will turn their attention to mobile devices when the money is there.

"The real turning point will be the number of financial transactions that people do on these devices," he says. "When people start using them more regularly to purchase online or do their banking, that's what's going to attract more attention.

See more on this topic by subscribing to Network Computing Pro Reports Security: Wicked Innovation (subscription required).