Symantec’s Global Internet Security Threat Report Discovers Huge Rise In “bot’ Infected Computers

According to Symantec’s latest Internet Security Threat Report released today, the number of remotely controlled computers, referred to as “bots’, has risen dramatically from under 2,000 to more than 30,000 per day – peaking at 75,000 in one day during the first six months of 2004.

Bots are programs that are covertly installed on a targeted system, allowing unauthorised users to remotely control a computer for a wide variety of malicious purposes, which may include the theft of confidential information such as passwords and financial data.

Large numbers of bot-controlled systems, known as botnets, allow attackers to co-ordinate targeted attacks which scan for vulnerable systems. Computers with inadequate or out of date security software can be exploited by the bots and use them to increase the speed and breadth of their attack.

Richard Archdeacon, Symantec’s director of technical services says: “Bot networks create unique problems for organisations and individual PC users as systems can be automatically upgraded with new exploits very quickly, allowing attackers to outpace efforts to patch or download security updates. We saw a steady increase in the number of bots during the reporting period. Variants of the “Gaobot’ family alone accounted for 67,000 submissions.”

Archdeacon continues: “The methods in which these bots are being deployed are becoming increasingly sophisticated. We have detected a significant number of malicious code mutations, otherwise known as first generation polymorphism. What this essentially means is that in-between each virus replication the code is changed resulting in very different patterns. These advanced infection mechanisms may render many traditional antivirus scanning techniques ineffective. Regularly updating virus definitions will protect individual PCs and networks from the latest threats known to be spreading in the wild.”

Other findings

E-commerce was the hardest hit sector with four times the number of security attacks reported during the previous six months – a rise from 4 per cent to 16 per cent. This indicates that malicious attacks against computer systems are increasingly motivated by economic gain rather than notoriety
Increase in “phishing’ scams and spyware designed to steal confidential information are becoming more prevalent and sophisticated
The average vulnerability-to-exploit window is now 5.8 days compared to 7 days in the previous reporting period. A vulnerability is defined as a hole in a software application allowing security attacks to take place
95 per cent of the 1,237 new vulnerabilities detected between January 1 and June 30 2004 were considered to be highly severe
4,496 new Windows viruses and worms were detected during the same period which is four and half times more than in 2003
MyDoom and Netsky were the most significant and high-profile Win32 worm outbreaks in the first half of 2004. MyDoom A was the top submission received by Symantec during this period
The US remains the top country of attack origin by aggregate volume
Latvia, Macau and Israel are the top three source countries of attacks according to number of attacks per 100,000 Internet users South Korea and Japan have both moved down the list of top ten source countries suggesting that increased awareness and education programmes are proving effective

Future trends

Phishing is one of the top threats to watch for in the coming months. Over the past year alone, it has been estimated that phishing has cost US banks and credit card issuers almost US$1.2 billion in damages. It has been estimated that over 1.78 million people have fallen victim to online fraud.
Perimeter devices such as firewall and broadband routers are becoming increasingly popular targets for security attacks. Symantec’s vulnerability database documented over 20 vulnerabilities during 2004.
Spyware programmes are causing serious security concerns and are becoming harder to remove as some packages now contain self-updating code Portable devices will continue to be targeted by malicious code. PDAs, mobile phones and Bluetooth devices have all seen proof-of concept viruses executed on their mobile platforms.
Client-side and web application technologies, such as peer-to-peer networks and web browsers continue to be a major concern, as they become more popular methods of spreading malicious code.

Editors notes

About the Internet Security Threat Report
The Symantec Internet Security Threat Report provides a six-month update of Internet threat activity. The report provides analysis and discussion of current trends in Internet attacks, vulnerabilities, and malicious code activity. Symantec has some of the most comprehensive sources of Internet threat data in the world. 20,000 security devices deployed in over 180 countries by Symantec DeepSightâ„? Threat Management System and Symantecâ„? Managed Security Services gather Internet attack activity data. Analysts in five Security Operations Centers throughout the world monitor and evaluate this data, providing Symantec with an unparalleled ability to identify, report on, and respond to emerging threats.

Symantec maintains one of the world’s most comprehensive databases of security vulnerabilities, covering over 9,000 vulnerabilities affecting over 20,000 technologies from over 2,000 vendors. Symantec also operates BugTraq, the most popular forum for the disclosure and discussion of vulnerabilities on the Internet. Symantec gathers malicious code data from over 120 million client, server, and gateway systems that have deployed Symantec’s antivirus products in both consumer and corporate environments. The Symantec Digital Immune Systemâ„? and Scan and Deliver technologies allow customers to automatically submit malicious code data.

The Symantec Internet Security Threat Report is grounded on the expert analysis of real data rather than theoretical speculation. Based on Symantec’s expertise and experience, the Internet Security Threat Report yields the most informed commentary on current Internet threat activity. By publishing the analysis of discussion of Internet security activity in the Internet Security Threat Report, Symantec’s goal is to provide the information security community with the information they need to effectively secure their systems now and in the future.