Symantec threat report: A closer look

Details of the enterprise security provider's latest customer data.

Here's a breakdown of what's in Symantec's Internet threat report for the first half of 2005:

Key findings

Increase in malcode for profit: Attackers used new methods and malcode for financial gain with more zeal. For example, 64% of the top 50 malicious code samples reported to Symantec allowed spam relaying. Symantec also detected Trojans that downloaded and installed adware. Meanwhile, bot networks and custom bot code were available for purchase or rent. Symantec observed an average of 10,352 active bot network computers per day, an increase of more than 140% from the previous reporting period's 4,348 bot computers.

Rise in confidential information exposure: Malcode that exposed confidential information represented 74% of the top 50 samples reported to Symantec, up from 54% in the previous six months.

Increase in malcode variants: Symantec documented more than 10,866 new Win32 virus and worm variants, a 48 % increase over the 7,360 documented in the second half of 2004. It is also an increase of 142% over the 4,496 documented in the first half of 2004. Each variant represents a new, distinct threat against which administrators must protect their systems and for which antivirus vendors must create a new antivirus definition, Symantec said. It also signifies a shift away from broadly disseminated threats such as mass-mailing worms towards malcode that is modular and customizable.

Increase in phishing threats: The volume of phishing messages grew from an average of almost 3 million messages a day to 5.7 million. One out of every 125 e-mail messages scanned by Symantec Brightmail AntiSpam was a phishing attempt, an increase of 100% from the last half of 2004. Symantec Brightmail AntiSpam antifraud filters were blocking more than 40 million phishing attempts per week on average, up from approximately 21 million per week at the beginning of January.

Increase in vulnerability disclosure: Symantec documented 1,862 new vulnerabilities -- the highest number ever recorded in the Internet Security Threat Report. Ninety-seven percent of these vulnerabilities were classified as moderate or high, and 59% of all vulnerabilities were found in Web application technologies, marking an increase of 59% over the previous reporting period and a 109% increase over the first six months of 2004. Web application vulnerabilities are particularly dangerous because they can allow an attacker to access confidential information without having to compromise any servers, the report noted.

Attack trends

  • For the fourth straight reporting period, the Microsoft SQL Server Resolution Service Stack Overflow Attack (also known as the Slammer attack) was the most common attack, used by 33% of all attackers.
  • Denial-of-service attacks grew from an average of 119 per day to 927 per day during the first half of 2005 -- a 680% increase over the previous reporting period.
  • Education was the most frequently targeted industry, followed by small business and financial services.

Vulnerability trends

  • The time between the disclosure of a vulnerability and the release of associated exploit code decreased from 6.4 days to 6.0 days. Also, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor. This means that on average, 48 days elapsed between the release of an exploit and the release of an associated patch.
  • Symantec documented 1,862 new vulnerabilities, a 31% increase over the previous six-month period. Ninety-seven percent were rated as moderately or highly severe; 73% were considered easy to exploit.
  • Web application vulnerabilities made up 59% of all vulnerabilities disclosed. The Mozilla family of browsers had the highest number of vulnerabilities during the first six months of 2005 with 25; 18 of these -- 72% -- were rated as high-severity. Microsoft Internet Explorer had 13 vendor confirmed vulnerabilities of which eight -- 62% -- were considered high-severity.

Malcode trends

  • Symantec documented 10,866 new Win32 virus and worm variants, an increase of 48% over the previous reporting period and 142% over the first half of 2004. In the current period, 6,361 new variants of Spybot were reported to Symantec, a 48% increase over the 4,288 variants documented in the second half of 2004.
  • Five of the top 10 malcode samples reported to Symantec were Trojans, and Netsky-P was the most frequently reported malcode sample. Additionally, bot-related malicious code continues to increase. Gaobot and Spybot represented 14% of the top 50 malicious code samples reported to Symantec, rising from third and fourth respectively to second and third respectively in the top 10 malicious code samples for this reporting period.
  • Malcode that exposed confidential information made up 74% of the top 50 malcode samples reported to Symantec, up from 54% in the previous reporting period and 44% during the same reporting period last year.

Additional risks

  • Adware made up 8% of the top 50 reported programs, up from 5% in the previous reporting period. Eight of the top 10 adware programs were installed through Web browsers. Of the top 10 adware programs reported in the first six months of 2005, five hijacked browsers.
  • Six of the top 10 spyware programs were bundled with other programs, and six were installed through Web browsers.
  • Messages that constitute phishing attempts increased from an average of almost 3 million per day to approximately 5.70 million messages.
  • Spam made up 61% of all e-mail traffic; 51% of all spam received worldwide originated in the United States.

Future and emerging trends

  • The prevalence of modular malicious code -- malicious code that downloads additional functionality -- is expected to increase.
  • Bot networks are expected to increase in number, diversity, and sophistication.
  • Phishing targets are likely to expand as phishers employ increasingly sophisticated methods to avoid detection.
  • Adware and spyware are expected to appear with increasing frequency on mobile devices and to employ stealthier technology to avoid detection.
  • An increase in the number of attacks and threats directed at wireless networks is likely.
  • Voice over Internet protocol (VoIP) threats are expected to emerge as more enterprises merge their data and voice networks.

Dig Deeper



Find more PRO+ content and other member only offers, here.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:



  • Virtual desktop security guide

    To secure virtual desktops, consider antivirus, certificates and network vulnerabilities. Just remember, VDI doesn't always ...

  • Guide to low-cost desktop virtualization

    In this guide, learn to virtualize desktops without spending more than you would when deploying PCs, and what VDI vendors are ...

  • VDI pilot project guide

    A VDI pilot project should start with a VDI project plan. Know what pitfalls to avoid and test product options to achieve a ...