While the number of vulnerabilities found in software essentially has plateaued, the flaws are increasingly easy to exploit and, more often than not, quite severe, according to a new report.
As bad as the vulnerability problem is, the virus plague currently tormenting Internet users may well be worse. In the second half of last year, there were 250 percent more new Windows viruses discovered than in the same period in 2002, the report shows—a total of 1,702 new Win32 viruses.
Worms, however, beat out their virus cousins as the most common source of attack activity, according to the Internet Security Threat Report, released by Symantec Corp. Together, worms and blended threats accounted for 43 percent of all of the attack traffic detected by Symantec's DeepSight Threat Management System sensors.
“That's a continuation of what we've seen in past years, and it's likely to continue that way for some time,” said Vincent Weafer, senior director of Security Response at Symantec, based in Cupertino, Calif. “No surprise there.”
Another entry in the “no surprise” category is the state of software security. Of the more than 2,600 new vulnerabilities discovered in all of last year, 70 percent were easy to exploit, meaning that either they didn't require exploit code or that code was readily available. Symantec analysts also found that, overall, the volume of exploit code available on the Internet is increasing.
Among the blended threats from last year, Bugbear was the most prevalent, Symantec said. The Blaster worm, which hammered the Internet last August and still continues to cause trouble in some quarters, came in second, with SoBig.F, Redlof and Swen rounding out the top five. Many of these threats, including Blaster and SoBig.F, install a back door as part of their infection process. Symantec's analysts found that attackers who write other threats are including functionality in their worms and viruses that scan for and then exploit these back doors. Often, such compromised machines are used later in distributed denial-of-service attacks.
This trend has continued into 2004, with worms such as MyDoom installing back doors and others, including Doomjuice, seeking out PCs infected by MyDoom and sneaking in through the open back door.
Symantec produces its Internet Security Threat Report every six months using data collected by its DeepSight sensors deployed in enterprises and other large organizations.