UK tops league of top bot countries according to Symantec Internet Security Threat Report
The UK has emerged as the country with the highest percentage of worldwide bot-infected computers, according to the latest Symantec Internet Security Threat Report. Britain has more than a quarter (25.2 per cent) of all bots – software programs that are covertly installed on computers allowing unauthorised access for malicious purposes like identity theft and online fraud – with the US (24.6 per cent) and China (7.8 per cent) in second and third place.
The statistics, taken from Symantec’s global “Threat Report” for the period July to December 2004, are based on the number of computers worldwide that are known to be infected with bots and the percentage situated in each country. Knowing where bot-infected computers are located is important, as a high percentage of infected machines could lead to a greater potential for bot-related attacks, and it provides an indication of the level of security awareness in different countries.
While the overall number of bot-infected computers declined from 30,000+ a day in July to an average of less than 5,000 a day by December, the severity and risks associated with them continue to be a major problem, most notably with a shift towards bots and bot networks being used for financial gain.
“The fact that Britain has the highest percentage of bot infections is significant because it is directly linked to the rapid roll-out of broadband in this country,” explained Nigel Beighton, Symantec’s Director of Enterprise Strategy, EMEA. “We saw 93 per cent growth in broadband connections last year and this has had a huge impact on the number of people accessing the Internet.
“Unfortunately, new broadband users may not be fully aware of the additional safety precautions that need to be taken when using an always-on high-speed Internet connection. Clearly, awareness around security issues is improving and it’s making a notable difference, but education still remains the number one challenge.”
Organisations received 13.6 attacks per day, up from 10.6 in the previous six months.
The United States continues to be the top attack source country, followed by China and Germany.
For the third reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack (formerly known as the Slammer attack) was the most common attack, used by 22 per cent of all attackers. The second most common attack was the TCP SYN Flood Denial of Service Attack, which was launched by 12 per cent of attackers.
The financial services sector experienced the highest ratio of severe attacks, with 16 severe events per 10,000 security events.
Known bot network computers declined from over 30,000 per day in late July to an average of below 5,000 per day by the end of the year. The United Kingdom had a higher percentage of bot-infected computers than any other country.
Vulnerability Trends
The time between the disclosure of a vulnerability and the release of associated exploit code remained extremely short at 6.4 days.
Symantec documented 1,403 new vulnerabilities, a 13 per cent increase over the previous six-month period. Ninety-seven per cent of documented vulnerabilities were considered either highly or moderately severe. Moreover, 70 per cent of all documented vulnerabilities were classified as easily exploitable.
Web application vulnerabilities made up 48 per cent of all vulnerabilities disclosed, up from 39 per cent in the first half of 2004. Vulnerabilities targeting Web applications are often classified as easily exploitable.
Vulnerabilities are affecting new alternative browser distributions. During the last six months of 2004, 21 vulnerabilities affecting Mozilla browsers were disclosed, compared to 13 vulnerabilities affecting Microsoft Internet Explorer. Six vulnerabilities were reported in Opera.
Malicious Code Trends
As in previous reports, mass-mailing worms dominated the top malicious code reported over the last six months of 2004. Eight of the top 10 samples reported to Symantec during this period were variants of mass-mailer worms that have been seen in previous reports, including Netsky, Sober, Beagle, and MyDoom.
Two bots were present in the top 10 malicious code samples, compared to just one in the previous reporting period. Gaobot was the third most frequently reported sample over the past six months, followed by Spybot. Moreover, 4,300 new distinct variants of Spybot were reported, an increase of 180 per cent over the previous six months.
Symantec documented more than 7,360 new Windows 32 viruses and worms, an increase of 64 per cent over the first half of the year and an increase of more than 332 per cent over the 1,702 documented in the second half of 2003. As of Dec. 31, 2004, the total number of Windows 32 variants approached 17,500.
Malicious code that exposes confidential information made up 54 per cent of the top 50 malicious code samples, up from 44 per cent in the previous reporting period and 36 per cent in the second half of 2003. This represents a 23 per cent increase between the current period and the first half of 2004 and a 50 per cent increase over the same period the previous year.
At the end of the reporting period, there were 21 known samples of malicious code for mobile applications, up from one—the Cabir worm—in June 2004. Among the new threats were the Duts virus, the first threat to Windows CE; and the Mos Trojan, which was discovered in a Symbian game.
Additional Security Risks
By the end of December 2004, Symantec Brightmail AntiSpam antifraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per week in July 2004. This represents an increase of over 366 per cent.
In the last six months of 2004, adware programs made up five per cent of the top 50 Symantec customer reports, up from four per cent in the previous report. Iefeats was the most commonly reported adware program, accounting for 36 per cent of top 10 reports.
Webhancer was the most frequently reported spyware program during the second half of 2004, representing 38 per cent of the top 10 spyware reported.
Five of the top 10 adware reported samples were installed via a Web browser. Nine of the top 10 reported spyware programs were bundled with other software.
Symantec reported a 77 per cent growth in spam for companies whose systems were monitored for spam; the weekly totals of spam rose from an average of 800 million spam messages per week to well over 1.2 billion spam messages per week by the end of the reporting period. Moreover, spam made up more than 60 per cent of all e-mail traffic observed by Symantec during this period.
Future and Emerging Trends
The use of bots and bot networks for financial gain will increase, especially as the diverse means of acquiring new bots and developing bot networks become more prevalent.
Malicious code targeting mobile devices is expected to increase in number and severity. With many groups researching vulnerabilities in Bluetooth-enabled devices, the possibility of a worm or some other type of malicious code propagating by exploiting these vulnerabilities increases.
Symantec expects that client-side attacks using worms and viruses as propagation methods will become more common. Attacks hidden in embedded content in audio and video images are expected to increase. This is a concern as image files are ubiquitous, almost universally trusted, and an integral part of modern day computing.
Symantec expects security risks associated with adware and spyware to increase. Impending legislation to curb these risks is not expected to be an effective or sufficient deterrent on its own.
About the Symantec Internet Security Threat Report
Symantec has established one of the most comprehensive sources of Internet threat data in the world. The following resources give Symantec analysts unparalleled sources of data with which to identify emerging trends in attacks and malicious code activity:
DeepSight Threat Management System and Managed Security Services – more than 20,000 sensors monitoring network activities in over 180 countries.
Symantec’s antivirus products – more than 120 million client, server, and gateway systems that have deployed Symantec’s antivirus products provide reports on malicious code as well as spyware and adware.
Vulnerability database – covering over 11,000 vulnerabilities affecting more than 20,000 technologies from more than 2,000 vendors, Symantec maintains one of the world’s most comprehensive databases of security vulnerabilities.
BugTraq – Symantec operates BugTraq, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet.
Symantec Probe Network – a system of more than 2 million decoy accounts, attracting e-mail messages from 20 different countries around the world that allows Symantec to gauge global spam and phishing activity.
Symantec is the global leader in information security providing a broad range of software, appliances, and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec’s Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, Calif., Symantec has operations in more than 35 countries. More information is available at http://www.symantec.com.