Malicious code on the rise

A recent Symantec Corp. Internet security threat report paints a picture of an increasingly nefarious cyberspace, though one with an occasional thin silver lining.

“The Internet was founded on trust and there is very little of that trust today,” said Michael Murphy, general manager of Symantec Canada in Toronto.

The report found that documented IT system vulnerabilities were up 81.5 per cent, and, alarmingly, 60 per cent of the known vulnerabilities are easily exploitable, requiring either an available tool or no tool at all.

On the upside, however, the percentage of new vulnerabilities with available exploits decreased.

Malicious code creations were up, too. Blended threats (those with multiple characteristics, such as Klez and Bugbear), which represented 80 per cent of the malicious code documented in 2002, doubled in number when compared to the same six-month period in 2001. But they were nowhere near as damaging as their 2001 counterparts Code Red and Nimda.

The lone bit of good news was that network-based cyberattacks (excluding those generated by worm activity) were down six per cent.

“I did not take that to mean we are in a kinder, gentler world now,” said Eric Ogren, senior analyst in the security solutions planning service with The Yankee Group in Boston.

Regardless, Ogren says the report is helpful. “It gets people’s attention,” he said. “These kinds of numbers can actually help a CIO say, ‘Are we doing enough here to protect the company?’”

One finding that surprised Ogren was the time between a vulnerability discovery and the first documented attack. “There is some time there for security companies to actually do something about it…to basically beat the script kiddies,” he said. Unfortunately, end-user overwork (or apathy) often allows a successful malicious code launch even after vendors have made patches available to stop it.

You might want to patch that

The recent SQL Slammer outbreak never would have happened if SQL Server 2000 users had patched their systems last summer when Microsoft issued the fix, Ogren said. “A patch had been around for five months.”

But he also understands IT’s predicament. “Companies are really deluged with the patches that they need to apply…[so] they can’t apply them all,” he added.

Murphy said he was surprised by the 80.5 per cent growth in reported vulnerabilities.

“It is significant in the sense that it is that large, and that there are now over 6,000 known vulnerabilities for which there are many exploits [available],” he said. But Murphy has at least a partial explanation for the increase. Though there are more software bugs to exploit, Murphy said the industry is looking at itself more critically than in years past, and is now more forthcoming about disclosing new vulnerabilities.

Ogren puts part of the increase down to the simple fact that code is getting more complex year after year. “I don’t think coders have got any more shoddy (with their work),” he said. In fact, he said they have improved. But at the same time, the level of communication between developers has increased, and with it the reported number of vulnerabilities.

Murphy’s overall concern is that with the huge number of vulnerabilities needing either no specific code or easily attainable code, more people can easily get into the “hacking” game.

Ogren was also surprised by the increased vulnerability of open-source code (the report mentions an increase in malicious code targeting Linux systems but does not give exact numbers), an increase he said has outpaced the growth of open-source systems. He also voiced a concern with the ability to catch these vulnerabilities.

“It is very difficult for someone to look through a large section of open-source code and say ‘Oh, this does not look right,’” he said. “You would have to depend on the vigilance of the community (to find them).”

For the time being he suggests that users be extra vigilant and know exactly where their code comes from. “Don’t necessarily take code from a friend,” Ogren said.

The bi-annual report is divided into three sections: cyberattack trends, vulnerability trends and malicious code trends. One interesting statistic was that attacks on Saturday and Sunday were at half the level of the rest of the week, once again proving hackers may indeed have lives.

The cyberattack data comes from Symantec’s managed security services sector, which has more than 2,000 customers worldwide. The vulnerability statistics are from its security focus database, while the malicious code statistics come from Symantec’s research centre database.

The entire report is available on Symantec’s Web site.