Symantec report: Attacks are down but bots are way up

Security firm Symantec has released its biannual Internet Security Threat Report. This edition of The Locksmith breaks down some of the most significant findings.

The latest Symantec Internet Threat Report indicates a reduction in the number of attacks but a surge in bot networks with 30,000 new systems hijacked every day. There are also a number of other interesting developments to watch.


Twice each year Symantec publishes a compilation and analysis of new Internet threats based on both published vulnerability reports and actual attacks against the machines that Symantec regularly monitors.

The report for the first half of 2004 shows that the number of economic-based threats is increasing rapidly and is mainly directed at e-commerce sites. This is especially worrisome because phishing, data mining, theft of industrial secrets, and denial of service attacks motivated by a desire for economic gain are likely to be more "professionally" created and pursued. This is a much greater threat than the threat posed by the attacks of script kiddies and old-style hackers who are more likely to be motivated by passing whims or social factors.

The good news is that there was actually a decline in the volume of daily attacks during the first part of 2004. This is mostly due to the fact that there was less Internet-based worm activity during the first half of 2004, or at least there wasn't one huge virus/worm outbreak.

Also, as highlighted in a CNET article that covered the study, Symantec discovered that the average number of bots perpetrated per day has surged from 2,000 to 30,000. The diversity of different kinds of bots (e.g., peer-to-peer, IRC, and file sharing) has also multiplied dramatically.

Another very troubling discovery for IT professionals is the fact that 40 percent of Fortune 100 companies were a source of worm traffic.

Web applications have been seen to be an increasing threat to enterprise operations, with nearly 40 percent of newly disclosed vulnerabilities being found in these business services that are Internet-enabled. A large percentage of the vulnerabilities were considered both serious and easy to exploit.

The Symantec Internet Security Threat Report for January 1, 2004 through June 30, 2004 is a 60-page document just packed with interesting and useful threat statistics and analysis as well as pages of predictions. There is far more information in the actual report than I could even touch upon here.

Linux administrators should take note of the statement in the outlook section of this report where Symantec experts indicate that, in part because of the appearance of an increasing number of Linux/UNIX vulnerabilities, attacks against Linux/UNIX systems are likely to increase in the near future.

Those who look to weekly security updates as a way to protect their systems should take note of the Symantec finding that the average time between public disclosure of a vulnerability and the initial appearance of an exploit is less than six days.

Final word

I certainly believe the report that bot numbers have surged. I recently discovered a bot on a Windows XP system (with no patches) that was fully protected by a commercial personal firewall and an antivirus program—and it was on a dialup connection. No damage resulted other than the time needed to switch operations to another system but it is indicative of the level of the threat that a firewall-protected dialup system was successfully infected despite the fact that I've never opened an e-mail attachment or viewed a message in HTML on that system for five years or more. I don't use Outlook or Outlook Express and only get e-mail services from online providers using virus scanning. And still a bot managed to sneak its way into that machine.

Also watch for …

  • Keep in mind that Mozilla and Firefox have both recently been patched for a number of vulnerabilities. I mention that because statistics have shown an increasing number of companies are turning to Mozilla and Firefox to avoid the many problems in Internet Explorer. Some users may feel that the alternative browsers are much less vulnerable and I am concerned that some may therefore let down their guard and forget that they still need to track new patches.
  • In hacker news, the German teen who confessed to creating Netsky and Sasser has been offered a security job at Securepoint. I'm certain that Securepoint clients will be interested in learning this. Following the German company's lead, perhaps we should look for new FBI special agents among the recent parolees of the federal penal system.
  • reports a new firewall configuration vulnerability found in Windows XP SP2 and publishes an exploit. This threat can allow remote users to view shared files.
  • Sun Microsystems Java Enterprise System 2004Q2 and System 2003Q4 contain a DoS vulnerability. A patch is available and there is no known workaround.

Editor's Picks

Free Newsletters, In your Inbox