While the number of vulnerabilities found in software essentially has stabilized, the flaws are increasingly easy to exploit—and more often than not, quite severe—according to a new report released on Monday.
Furthermore, as bad as the vulnerability problem is, the virus plague currently tormenting Internet users may well be worse. In the second half of 2003, there were 250 percent more new Windows viruses discovered than in the same period in 2002, the report shows. A total of 1,702 new Win32 viruses were found in the last six months of the year. Worms, however, beat out their virus cousins as the most common source of attack activity, according to the Internet Security Threat Report, released by Symantec Corp.
Together, worms and blended threats—i.e., viruses that include other capabilities, such as backdoor or keylogger installation—accounted for 43 percent of all attack traffic detected by Symantec's DeepSight sensors, which are intrusion detection systems in place at Symantec customer sites that collect data on intrusions and attacks and then send the data back to Symantec.
“That's a continuation of what we've seen in past years, and it's likely to continue that way for some time,” said Vincent Weafer, senior director of Security Response at Symantec, based in Cupertino, Calif. “No surprise there.”
Another entry in the “no-surprise” category is the state of software security. Of the more than 2,600 new vulnerabilities discovered in 2003, 70 percent were easy to exploit, meaning that they either didn't require exploit code or that code was readily available. Symantec analysts found that, overall, the volume of exploit code available on the Internet is increasing as well.
Among the blended threats from last year, Bugbear was the most prevalent, according to Symantec. The Blaster worm, which hammered the Internet last August and still continues to cause trouble in some quarters, came in second, with SoBig.F, Redlof and Swen rounding out the top five. Many of these threats, including Blaster and SoBig.F, install a backdoor as part of their infection process. Symantec's analysts found that attackers who write other threats are including functionality in their worms and viruses that scan for and then exploit these backdoors. Often, such compromised machines are used later in distributed denial-of-service attacks.
This trend has continued into 2004, with worms such as MyDoom installing backdoors and others, including Doomjuice, seeking out PCs infected by MyDoom and sneaking in through the open backdoor.
Symantec produces its Internet Security Threat Report every six months using data collected by its DeepSight Threat Management System sensors deployed in enterprises and other large organizations.