Home users were the greatest targets for computer security attacks during the first six months of 2006. Are enterprise systems off the hook, then, in the eyes of malicious attackers? Not quite.
Hijacked computers can be used to launch denial-of-service (DoS) attacks against enterprise networks, and often, the easiest unwitting accomplices are the less-secure home systems, according to the latest global Internet Security Threat Report issued by Symantec Corp.
DoS attacks can render Web sites and other network services inaccessible to customers and employees, resulting in business disruptions that translate into income and productivity losses.
According to the report, based on security intelligence gathered worldwide over a six-month period from January to June 2006, home users account for 86 per cent of all targeted attacks.
“As computers in the home sector are less likely to have well-established security measures and practices in place, they may be more vulnerable to targeted attacks,” the report stated. Cyber attacks targeted to home users can become a “cover” for larger attacks, said Michael Murphy, vice-president and general manager at Symantec Canada, at a recent media briefing.
Attackers can install bot software on compromised systems, which allows the attacker to create remotely controlled bot networks (botnets) or groups of zombie computers listening for and responding to external commands. Home users as easy targets create an opportunity for cyber crooks.
“Home users buy machines and get high-speed Internet connection; they are generally unprotected and fairly unpatched, and that makes it attractive to attackers,” said Brian Bourne, president and CEO of Toronto-based IT security consulting firm CMS Consulting.
The huge number of targeted attacks among home users, however, is not an indication that corporate systems cannot be compromised and become part of a botnet, said Bourne. And one way to ensure that a corporate system does not become part of a botnet is to monitor and manage outgoing network traffic, he said.
A bot-infected computer typically calls home to the bot master through an Internet Relay Chat (IRC) channel to accept commands from the attacker. IRC communication maintains a hacker’s anonymity, said Bourne. By blocking unnecessary outgoing firewall ports, the infected machine will be prevented from accomplishing what the attacker intended, he explained.
During the reporting period, Symantec recorded over 4.6 million active botnet computers or an average of 57,717 active botnet systems per day.
“[The numbers] suggest there are still a large number of unprotected and compromised systems and people don’t know about it,” said Murphy.
Bots can be used by external attackers to perform DoS attacks against an organization’s Web site or network. The report showed an average of 6,110 DoS attacks per day during the first six months of this year. Previous Symantec reports indicated that DoS attacks are increasingly becoming a means to launch criminal extortion schemes.
Although Symantec’s report did not give specifics on what proportion of DoS attacks were coming from home-based users, “we can speculate that since a large number of other attacks come from bots, and that bots are likely infected home PCs, a large percentage of attacks are coming from home user PCs,” said Dean Turner, executive editor of the Symantec Internet Security Threat Report.
Symantec recommends that organizations maintain a documented procedure for responding to DoS events. The antivirus firm also suggests organizations perform egress filtering, which means filtering not only traffic going into the network but also traffic that is going out as well.
DoS attacks remain consistent with increasing trend among attackers driven by financial motivations, more dangerous and damaging than the previous breed of bragging-inspired hackers.