Most online outlaws have abandoned server-clogging, headline-grabbing worms in favor of quieter malcode that extracts network files, hijacks identities and drops unwanted programs on PCs. They've also shifted from attacks against the network perimeter to those against client-side applications -- vulnerable browsers like Internet Explorer, for instance.
According to Symantec's latest Internet security threat report released today, that trend could continue to worsen. The Cupertino, Calif.-based antivirus giant expects cyberspace to grow even more hazardous in the future, with stealthier malcode that can download additional functionality and overwhelm networks increasingly reliant on wireless and VoIP technology.
"We had already seen this trend developing in the second half of 2004, but this year we've watched financially-motivated attacks really gain speed," said Oliver Friedricks, senior manager of Symantec Security Response. "This includes everything from stealing data from networks to stealing identities. When we look at the top 50 threats of the first half of 2005, 74% of them posed a risk of confidential information disclosure -- malware designed to open backdoors and so on. That's up from 54% in the second half of 2004."
Symantec also monitored an increase in the number of reported client-side application vulnerabilities, and the company's research indicates attackers have noticed the same thing. "We've seen a dramatic shift from attackers targeting the network parameter to attackers targeting client-side applications," Friedricks said. "Browsers are a big target, since flaws are increasing there."
He said Mozilla acknowledged 25 browser vulnerabilities in first half of the year, compared to 13 in Microsoft's much-attacked Internet Explorer. That doesn't mean Symantec now considers the latter browser more secure. "Though Mozilla had more vulnerabilities, with open source software the flaws are fixed quicker than would have been the case with IE," he said.
The bad guys realize they can accomplish a lot more by exploiting browser security holes. "These types of vulnerabilities can lead to drive-by installs," Friedricks said. "By visiting a malicious Web site, you can be infected with spyware, adware, Trojans and bots without your knowledge. These attacks have become more common."
The source of Symantec's findings
Symantec's conclusions are based on research it gathered from the following sources:
DeepSight Threat Management System and Managed Security Services. Through these services, the firm has more than 24,000 sensors monitoring network activities in over 180 countries.
Antivirus programs. Symantec said more than 120 million client, server and gateway systems that use Symantec antivirus products generate reports on malicious code, including spyware and adware.
Vulnerability database The company maintains a database on more than 13,000 vulnerabilities affecting more than 30,000 technologies from more than 4,000 vendors.
BugTraq. Symantec operates BugTraq, a forum where vulnerabilities are disclosed and discussed. The service has more than 50,000 subscribers.
Probe Network. Symantec also operates a system of more than 2 million decoy accounts that attract e-mail messages from 20 different countries. Symantec uses the system to measure global spam and phishing activity.
Advice for IT professionals
Grim as the picture may be, Friedricks said the situation isn't hopeless. There are a variety of steps IT professionals can take to stay ahead of the bad guys -- or at least keep up.
"My advice is to deploy defense-in-depth -- a variety of solutions to protect gateway and client-side applications like firewalls, antivirus and intrusion detection and prevention," he said. "Awareness of the latest threats is key."
Last month's attacks against Microsoft Windows' Plug and Play vulnerability showed that enterprises have nothing to fear when they stay on top of threats and take precautions, he said. "Companies that had defense-in-depth were not affected," he said.