DonsDeals Blog: Internet Security Threat Report Volume 16 - Build Your Report

I try to keep up with Internet Security and Breach Trends. But, the past two years 2010-2011 have had so much going on, that I have almost lost track of what is going on and what the biggest threats are. I found this Custom Report Generator on the Symantec Site today (10-31-11). And while the Report I generated by my selections, is long. It is very helpful info. And it could have been allot longer!:O After reading this over. You may want to go there and generate a Report of your Own...
http://www.symantec.com/business/threatreport/build.jsp

Don

Internet Security Threat Report Volume 16

Custom Report

Threat Activity Trends

During this reporting period, the United States had the most overall malicious activity, with 19 percent of the total—down slightly from 20 percent in 2009, when it also ranked first.

The United States was the top country for originating network attacks in 2010, with 22 percent—down from 24 percent in 2009.

The average daily volume of Web-based attacks observed in 2010 was 93 percent higher than in 2009.

Attacks related to the Phoenix toolkit were the most prominent of the Web-based attack activities observed in 2010, with 39 percent of the top 10 activities observed.

Of the search terms that resulted in visits to malicious websites, 49 percent were in the adult entertainment category.

In 2010, the healthcare sector had the highest percentage of data breaches that could lead to identity theft, with 27 percent—an increase from 15 percent in 2009.

The financial sector was the top sector in 2010 for identities exposed in data breaches, with 23 percent—a decrease from 60 percent in 2009.

The leading cause of data breaches that could lead to identity theft in 2010 was the theft or loss of a computer or other data-storage device, with 36 percent of the total; this is nearly unchanged from its 37 percent total in 2009.

Hacking was the leading source of reported identities exposed in 2010 with 42 percent of the total—down from 60 percent in 2009.

The most exposed type of data in deliberate breaches (hacking, insider breaches, or fraud) was customer-related information, accounting for 59 percent of the total. Customer data also accounted for 85 percent of identities exposed in deliberate breaches.

Of malicious URLs observed on social networking sites during a three-month period in 2010, 66 percent made use of a URL shortening service; of these, 88 percent were clicked at least once.

The United States had the most bot-infected computers in 2010, accounting for 14 percent of the total—an increase from 11 percent in 2009.

Taipei was the city with the most bot-infected computers in 2010, accounting for 4 percent of the total; it also ranked first in 2009, with 5 percent.

In 2010, Symantec identified 40,103 distinct new bot command-and-control servers; of these, 10 percent were active on IRC channels and 60 percent on HTTP.

The United States was the location for the most bot command-and-control servers, with 37 percent of the total.

The United States was the most targeted county by denial-of-service attacks, with 65 percent of the total.

Vulnerability Trends

The total number of vulnerabilities for 2010 was 6253—a 30 percent increase over 4814 vulnerabilities documented in 2009 and the most of any year recorded by Symantec.

The number of new vendors affected by vulnerabilities increased to 1914 in 2010 from 734 in 2009—a 161 percent increase.

Among the new vendors affected by vulnerabilities in 2010, 76 vulnerabilities were rated as being high severity—a 591 percent increase over the 11 such vulnerabilities in 2009.

There were 191 vulnerabilities documented in Chrome in 2010, versus 41 in 2009.

Internet Explorer had the longest average window of exposure to vulnerabilities in 2010, with an average of four days in 2010 (based on a sample set of 47 vulnerabilities).

In 2010, 346 vulnerabilities affecting browser plug-ins were documented by Symantec, compared to 302 vulnerabilities affecting browser plug-ins in 2009.

The highest number of plug-in vulnerabilities affected ActiveX controls, with 117 of the total; this is a decrease from 134 in 2009.

Symantec identified 14 zero-day vulnerabilities in 2010, an increase from 12 in 2009. Eight of these affected Web browsers and browser plug-ins.

In 2010, there were 15 public SCADA vulnerabilities identified; in 2009, the total was 14.

Malicious Code Trends

The top three malicious code families in 2010 were Sality, Downadup, and Mabezat, all of which had a worm component.

The top 10 malicious code families detected in 2010 consisted of five families with worm and virus components, one worm with a backdoor component, two worms, one virus with a backdoor component, and one Trojan.

The top three new malicious code families detected in 2010 were the Ramnit worm, the Sasfis Trojan, and the Stuxnet worm.

In 2010, 56 percent of the volume of the top 50 malicious code samples reported were classified as Trojans—the same percentage as in 2009.

In 2010, Sality.AE was the most prevalent potential malicious code infection in every region except for North America, where Ramnit was the most prevalent.

The percentage of threats to confidential information that incorporate remote access capabilities increased to 92 percent in 2010 from 85 percent in 2009.

In 2010, 79 percent of threats to confidential information exported user data and 76 percent had a keystroke-logging component; these are increases from 77 percent and 74 percent, respectively, in 2009.

In 2010, propagation through executable file sharing accounted for 74 percent of malicious code that propagates—up from 72 percent in 2009.

In December 2010, approximately 8.3 million malicious files were reported using reputation-based detection.

The percentage of documented malicious code samples that exploit vulnerabilities decreased to 1 percent in 2010 from 6 percent in 2009.

Fraud Actvity Trends

The most frequently spoofed organization was banks, which accounted for 56 percent of phishing attacks blocked in 2010.

Credit cards were the most commonly advertised item for sale on underground servers known to Symantec, accounting for 22 percent of all goods and services advertised—an increase from 19 percent in 2009.

The United States was the top country advertised for credit cards on known underground servers, accounting for 65 percent of the total; this is a decrease from 67 percent in 2009.

The top three spam botnets that delivered the highest volume of spam in 2010 were Rustock, Grum, and Cutwail.

India was the leading source of botnet spam in 2010, with 8 percent of the worldwide total.

Approximately three quarters of all spam in 2010 was related to pharmaceutical products.

Threat Activity Trends Introduction

The following section of the Symantec Internet Security Threat Report provides an analysis of threat activity, as well as other malicious activity, and data breaches that Symantec observed in 2010. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

This section discusses the following metrics, providing analysis and discussion of the following trends:

Malicious activity by source
Web-based attack prevalence
Web-based attack activity
Malicious websites by search term
Data breaches that could lead to identity theft
- By sector
- By cause
- Type of information exposed in deliberate breaches
Malicious shortened URLs on social networking sites
Bot-infected computers

Malicious Activity by Source

Background

Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and typically a more stable connection. Symantec categorizes malicious activities as follows:

Malicious code: This includes viruses, worms, and Trojans that are covertly inserted into programs. The purposes of malicious code include destroying data, running destructive or intrusive programs, stealing sensitive information, or compromising the security or integrity of a victim’s computer data.

Spam zombies: These are compromised systems that are remotely controlled and used to send large volumes of junk or unsolicited emails. These emails can be used to deliver malicious code and phishing attempts.

Phishing hosts: A phishing host is a computer that provides website services for the purpose of attempting to illegally gather sensitive, personal and financial information while pretending that the request is from a trusted, well-known organization. These websites are designed to mimic the sites of legitimate businesses.

Bot-infected computers: These are compromised computers that are being controlled remotely by attackers. Typically, the remote attacker controls a large number of compromised computers over a single, reliable channel in a bot network (botnet), which is then used to launch coordinated attacks.

Network attack origins: This measures the originating sources of attacks from the Internet. For example, attacks can target SQL protocols or buffer overflow vulnerabilities.

Methodology

This metric assesses the sources from which the largest amount of malicious activity originates. To determine malicious activity by source, Symantec has compiled geographical data on numerous malicious activities, including malicious code reports, spam zombies, phishing hosts, bot-infected computers, and network attack origin.

The proportion of each activity originating in each source is then determined. The mean of the percentages of each malicious activity that originates in each source is calculated. This average determines the proportion of overall malicious activity that originates from the source in question and the rankings are determined by calculating the mean average of the proportion of these malicious activities that originated in each source.

Data

Table 1. Malicious activity by source: overall rankings, 2009–2010
Source: Symantec Corporation

Table 2. Malicious activity by source: malicious code, 2009–2010
Source: Symantec Corporation

Table 3. Malicious activity by source: spam zombies, 2009–2010
Source: Symantec Corporation

Table 4. Malicious activity by source: phishing hosts, 2009–2010
Source: Symantec Corporation

Table 5. Malicious activity by source: bots, 2009–2010
Source: Symantec Corporation

Table 6. Malicious activity by source: network attack origins, 2009–2010
Source: Symantec Corporation

Commentary

Frontrunners continue to pull away from the pack: In 2010, the United States and China were once again the top sources for overall malicious activity. The United States saw an increase in spam zombies, phishing hosts, and bot-infected computers during this reporting period, which are all related to botnet activity. The United States is the main source of bot-infected computers for Rustock, one of the largest and most dominant botnets in 2010, and for the botnet associated with the Tidserv Trojan. At the end of 2010, Rustock was estimated to have 1.1 million to 1.7 million bots and accounted for 48 percent of all botnet spam sent out during the year. The Tidserv Trojan uses an advanced rootkit to hide itself on a computer, and over half of all infected computers that were part of this botnet were located in the United States in 2010. As such, these factors would have contributed to the increases in spam zombie and bot-infection percentages for the United States. China's rise as a source of malicious activity is related to a spike in Web-based attacks originating from compromised computers and Web servers based there. Much of this activity was linked to ZeuS activity. Symantec will monitor this activity and provide more detail in future reports if the activity continues.

Jockeying for position after the frontrunners: The bottom eight of the top 10 sources continue to be separated by a narrow margin. Beyond the United States and China, there was only a 4 percent difference (after rounding) for overall malicious activity between the remaining eight sources of the top 10 during this reporting period. The same limited percentage difference was also the case in 2009. This suggests that it would only take a small shift in the overall malicious activity landscape to affect the rankings. As such, it may be likely that the rankings of the countries in this bottom eight group for malicious activity will vary for the next reporting period without any dramatic shifts in malicious activity occurring.

Spam zombies drop significantly in China: China’s rank in spam zombies dropped from eighth in 2009 to 23rd in 2010. This drop in spam zombie activity may be related to the drop in spam originating from China in 2010, which, in turn, may be due to increased regulations governing domain registration there. Potential registrants can no longer register a .cn domain name anonymously and are required to provide paper application forms, official business seals, and an identity card. The amount of spam originating from .cn domains has decreased from over 40 percent of all spam detected in December 2009 to less than 10 percent by March 2010. The decrease in spam originating from China may also be due to new regulations issued by China’s Ministry of Information Industry (MII) in March 2010. These regulations require all ISPs to register the IP addresses of their email servers with Chinese authorities and to maintain logs of all email traffic for at least 60 days.

Spam zombies dominant in Brazil: Brazil has ranked first in spam zombies for the past three reporting periods. Factors that influence this high ranking may include the prominence of large, dominant botnets in Brazil. Brazil is a strong source of bot-infected computers for major botnets that send out spam email messages, including Rustock, Maazben, and Ozdok (Mega-D).

Web-Based Attack Prevalence

Background

The circumstances and implications of Web-based attacks vary widely. They may target specific businesses or organizations, or they may be widespread attacks of opportunity that exploit current events, zero-day vulnerabilities, or recently patched and publicized vulnerabilities against which some users are not yet protected. While some major attacks garner significant attention when they occur, examining overall Web-based attacks provides insight into the threat landscape and how attack patterns may be shifting. Moreover, analysis of the underlying trend can provide insight into potential shifts in Web-based attack usage and can assist in determining the likelihood of Web-based attacks increasing in the future.

Methodology

This metric assesses changes to the prevalence of Web-based attack activity by comparing the overall volume of activity and the average number of attacks per day in each month during the current and previous reporting periods. These monthly averages are based on telemetry data of opt-in participants and, therefore, may not be directly synonymous with overall activity levels or fluctuations that occurred as a whole. However, underlying trends observed in the sample data provide a reasonable representation of overall activity trends.