From January to June 2004 the number of viruses and worms targeting the Microsoft Corp. Windows operating system rose by 350 per cent from the same period the year before, with a total of 4,496 new pieces of malware created to exploit it, according to a recent report released by Symantec Corp.
Though the increase in malware targeting Windows was significant, there were other key findings in the report, according to Michael Murphy, the Canadian general manager of Symantec Corp. Murphy points to the fact that the Slammer worm is still the number one systems attack, despite a patch having been available for more than two years and the original attack being a year-and-a-half old.
“The fact that it continues to be in the double digits (15 per cent of attacking IP addresses use this exploit) is surprising,” he said. Murphy admits it does not paint a pretty picture, from an enterprise security perspective, when an old, patchable worm vulnerability is still the top vector of choice for global hackers.
But Ariel Silverstone, chief information security officer at Temple University in Philadelphia, said the statistic is misleading without the knowledge that “Slammer’s initial detection is based on one UDP (User Datagram Protocol) packet,” he said.
“The fact [hackers] can send one UDP packet to a whole network at a time (and it) is viewed as attacking each machine on the network” whether it runs SQL or not would naturally push the percentage up, he said. This is explained in the full report.
Murphy said companies, for the most part, have patched the Microsoft SQL Server 2000 systems vulnerable to Slammer — that they are aware exist — but the worm’s continued perch at the top is partially attributed to hundreds of unknown or ignored unpatched SQL systems.
The solution is “absolutely” to have better internal IT auditing practices, Silverstone said. At Temple, “we normally troll the network for vulnerabilities.”
“Even though we are seeing companies getting better at patch management there are still a number of systems…that are being managed by business units,” said Nick Galletto, partner security services with Deloitte & Touche LLP in Toronto. “These guys are kind of out there and no one really knows about them [and the company] doesn’t have the appropriate level of control over them.”
Some of this control will come as corporations are forced to comply with new legislation like PIPEDA and Sarbanes-Oxley, Murphy said. But he added that, though there has been increased awareness and spending because of compliance issues, the money has not yet trickled down to the “tactical or functional level.”
GROWTH IN BOT NETWORKS
Two other areas of concern, Murphy said, are the rise in bot networks and an ever-shrinking window between a vulnerability announcement and the first exploit released to attack it.
From January to June 2004 the number of bot-infected computers (those with a covertly installed program allowing a hacker to remotely control it) rose from 2,000 to 30,000. During the same period the time between a vulnerability’s public announcement and the release of an exploit designed to attack it dropped from seven to 5.8 days, showing an inevitable path towards the feared zero-day attack — a scenario in which an attack on a vulnerability occurs for which there is no patch available.
“I think that both of those combined pose the greatest threat to a corporation,” Murphy said, especially since the number, speed and scope of bot networks is quickly increasing. “If we thought things spread quickly in the past, they’re spreading more quickly today because the attacking systems are distributed.”
According to the report “the short vulnerability-to-exploit window makes these bots particularly dangerous. Once an exploit is released, the owner of the bot network can quickly and easily upgrade the bots, which can then scan target systems for the vulnerability in question. This vastly increases the speed and breadth of potential attacks.”
“You’ve got no time and almost no reasonable chance for a corporation to deal with this,” Murphy said. “It tells me [companies] are going to have to put their efforts into vulnerability assessment…and get deeper in their controls at the perimeter beyond packet inspection and basic firewalls into full-blown intrusion prevention systems,” he said. But even Murphy admits antivirus vendors have their work cut out for them, since a lot of the bot infections are of a poly or metamorphic nature, meaning they change their signatures as they spread and make detection using traditional antivirus software difficult.
In fact the Gaobot went from being unranked to number two (behind Slammer) on the list of hackers most preferred methods of attack, as measured as a percentage of total attacking addresses. It represented four per cent of attacks, behind Slammer’s 15 per cent.
To date, Murphy is unaware of any targeted attack having used Gaobot as its primary source of infection. Since the bots are difficult to detect and locate, “right now it is sort of noise…(but) it is the calm before the storm,” he warned.
“These bot attacks are something that organizations need to be concerned about,” Galletto said. There needs to be an increased focus on internal assessments to look for Trojans and bots, he said, but the majority focus on outside threats.
U.S. STILL ON TOP
Not surprisingly, the United States retained it position as the top source of attacks, although what was a majority in 2003 (58 per cent) has fallen to a minority (37 per cent) in the first half of this year. Regardless it is still noticeably ahead of number two China (six per cent) and number three Canada (six per cent, a fall from eight per cent and the number two spot the previous year). Silverstone did have some concerns with the numbers since Symantec did not disclose whether its global sensor locations changed enough to account for the dramatic decrease in U.S. based attacks. More sensors outside of the U.S. would likely be more accurate in pinpointing the true origin of an attack, especially if the compromised machine was in a country other than that of the attacker.
Another statistic of note is that e-commerce is now the “most highly targeted industry.” High-tech was the number one target in the last half of 2003 but fell to number four — behind e-commerce, small businesses and non-profits — with only four per cent of its attacks appearing to be targeted.
The report said finding e-commerce at the top — 16 per cent of attacks were considered targeted — is worrisome since “these businesses often depend entirely on the Internet for their revenue.”
Galletto said a real concern with e-commerce focused attacks is that they are often application-specific. He said a lot of companies focus on network-based security assessments but have not done due diligence on the application side. “So the application becomes an easy vehicle to get in.”
Murphy doesn’t think it’s likely we’ll see a plateau in the growth rate in Windows-specific malware, although he said the recent triple-digit growth is unlikely to continue. But “until something changes [Windows] will be the popular target.”
He also sees a future where phishing and spyware scams increase, since the motivating factor is economic gain and individuals will risk breaking the law to make money.