Symantec: More Computer Attacks Use Blended Tactics
Oct 1, 2003 9:59 AM PT
Reinforcing the message that can be easily inferred from recent virus and worm outbreaks, security giant Symantec has reported that attacks on company computers -- up 19 percent to an average of 38 attacks per business per week -- increasingly are using a potent combination of disclosed security vulnerabilities and complex computer worms to hit systems.
The latest Internet Security Threat Report also shows speedier exploitation of an increasing number of software vulnerabilities by more than double the number of last year's viruses and worms. It warns companies to extend security beyond public systems because scans increasingly target nonpublic services, such as Microsoft SQL Server technology and file-sharing networks.
The report, which is based on feedback from Symantec Managed Security Services customers and some 20,000 sensors that monitor network-based attacks, also advises that companies turn off unnecessary services; update patches, particularly for HTTP, FTP, mail and DNS services; enforce password policies; train employees not to open dangerous attachments or execute unscanned software; and configure e-mail servers to block or remove e-mail with attachments commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr.
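The attachment-blocking advice above can be checked at the mail gateway by walking every MIME part of a message. The following is an added example, not code from Symantec or the report; the function names and the sample message are constructed for illustration, and only the extension list comes from the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the report's advice.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

def blocked_extension(filename):
    """Return the blocked extension a filename ends in, or None."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as .exe.
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    ext = name[dot:] if dot != -1 else ""
    # Only the final extension counts: "invoice.pdf.exe" is an .exe.
    return ext if ext in BLOCKED_EXTENSIONS else None

def find_blocked_attachments(raw_bytes):
    """Return [(filename, extension)] for every blocked part in a message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() also descends into forwarded (message/rfc822) messages.
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = blocked_extension(filename)
            if ext:
                hits.append((filename, ext))
    return hits

def build_sample():
    """Constructed message: one benign attachment, one double-extension
    attachment, and one blocked attachment inside a forwarded message."""
    inner = EmailMessage()
    inner["Subject"] = "fwd: security update"
    inner.set_content("see attached")
    inner.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename="update.SCR")
    outer = EmailMessage()
    outer["Subject"] = "constructed sample"
    outer.set_content("body")
    outer.add_attachment(b"%PDF", maintype="application",
                         subtype="pdf", filename="report.pdf")
    outer.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename="invoice.pdf.exe")
    outer.add_attachment(inner)
    return outer.as_bytes()

if __name__ == "__main__":
    for name, ext in find_blocked_attachments(build_sample()):
        print(f"block: {name} ({ext})")
```

Filename checks of this kind catch only the declared name; a gateway that relies on them should also inspect archive contents and file type, which this example does not do.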
More Attacks, Less Time
Symantec's report indicated the overall rate of attack activity was up almost 20 percent in the first half of 2003 compared with the same time last year. The company reported a trend toward the use of worms -- which are viruses capable of spreading without using host files -- to exploit vulnerabilities.
The report also highlighted the shortening time window between the disclosure of vulnerabilities -- by vendors, public mailing lists, security sites and underground forums -- and exploitation of those vulnerabilities. The Symantec report discussed the Blaster worm's rate of striking as many as 2,500 machines per hour. Security experts are currently on the lookout for a worm that is expected to exploit similar Remote Procedure Call (RPC) vulnerabilities announced last month by Microsoft.
"Symantec expects to see greater worm propagation resulting in overloads to network hardware, crippling network traffic and seriously preventing both individuals and businesses from using the Internet," the report said.
Pain Through Persevering
The report did find that severe attacks continued to decline in the first half of 2003 -- down to 11 percent from 2002's 23 percent. However, Symantec Security Response senior director Vincent Weafer told TechNewsWorld that increasingly complex, blended threats modeled after the successful Nimda worm are spreading via multiple channels -- including instant-messaging and peer-to-peer networking applications.
With 19 out of the top 50 malicious code submissions using instant-messaging and peer-to-peer platforms to spread, Symantec reported the increase in new viruses and worms using these networks to infect was nearly 400 percent during the first half of 2002.
These worms, which also can masquerade as bogus security updates to activate themselves, are extremely persistent and can cause major problems for businesses once they make their way into the company network, according to Weafer.
Symantec also pointed to a trend in the use of back-door trojans -- malicious code that cedes control of a user's computer system to attackers. Symantec said submission of malicious code that includes the back doors used to create networks of zombie computers -- called "bot nets" -- rose 50 percent in the first half of 2003.
The back-door trojan called Bugbear.B, which targeted banking institutions last June, was among the most prominent back-door threats.
Ken Dunham, iDefense malicious code threat manager, told TechNewsWorld that there is a growing number of computers that attackers can use regularly to steal identity and banking information. Dunham said most of these computers are owned by consumers and small business users or are located in geographic regions that do not habitually use antivirus or firewall software, particularly Asia.
Symantec stressed the need for corporations and consumers to take security precautions, but indicated businesses have an increased burden because they share services -- Microsoft SQL and peer-to-peer file-sharing -- that are common to home and internal corporate networks. These nonpublic services accounted for the majority of the top 10 targets sought by potential attackers scanning networks, Symantec said.
MessageLabs chief information security analyst Paul Wood told TechNewsWorld that the continued trend to attack known vulnerabilities by scanning the same vulnerable ports and releasing virus variants indicates widespread lack of patching, firewall use and other security measures.
"Of course, there's still a number of people out there that won't follow any security advice," he said. "Much of this involves problems that are easy to solve, but the number of machines not patched is significant enough to continue to draw the interest of attackers."