Norton Internet Security logo

Symantec Internet Security Threat Report 2010, Volume 16

Apr 4, 2011

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network. This network captures worldwide security intelligence data that gives Symantec analysts unparalleled sources of data to identify and analyze, to deliver protection and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

More than 240,000 sensors in more than 200 countries and territories monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, as well as additional third-party data sources.

Symantec gathers malicious code intelligence from more than 133 million client, server, and gateway systems that have deployed its antivirus products. Additionally, Symantec’s distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks that provide valuable insight into attacker methods.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 40,000 recorded vulnerabilities (spanning more than two decades) affecting more than 105,000 technologies from more than 14,000 vendors. Symantec also facilitates the BugTraq™ mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 24,000 subscribers who contribute, receive, and discuss vulnerability research on a daily basis.

Spam and phishing data is captured through a variety of sources including:

  • Symantec Probe Network — a system of more than 5 million decoy accounts;
  • MessageLabs Intelligence — a respected source of data and analysis for messaging security issues, trends and statistics;
  • as well as other Symantec technologies;

Data is collected in more than 86 countries from around the globe. Over 8 billion email messages, as well as over 1 billion Web requests are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors and more than 50 million consumers.

These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Internet Security Threat Report, which gives enterprises and consumers the essential information to secure their systems effectively now and into the future.

The Symantec Internet Security Threat Report is one of the most comprehensive sources of Internet threat data in the world. Symantec’s analysts have access to unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

Supporting the main report are four appendices of data collected over the course of 12 months in the following categories: threat activity, vulnerabilities, malicious code and fraud activity. The Symantec Internet Security Threat Report gives enterprises and consumers the essential information they need to secure their systems effectively — now, and into the future.

Symantec Internet Security Threat Report 2010 (Volume 16), includes several sections, namely:
  1. Highlights:
    • Threat Activity Trends;
    • Vulnerability Trends;
    • Malicious Code Trends;
    • Fraud Actvity Trends;

  2. Main Report:
    • About This Report;
    • Executive Summary;
    • Notable Statistics;
    • Threat Landscape;
    • 2010 Timeline;

  3. Threat Activity Trends:
    The following section of the Symantec Internet Security Threat Report 2010 (Volume 16) provides an analysis of threat activity, as well as other malicious activity, and data breaches that Symantec observed in 2010. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and attack origins. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

    This section discusses the following metrics, providing analysis and discussion of the following trends:
    • Malicious activity by source;
    • Web-based attack prevalence;
    • Web-based attack activity;
    • Malicious websites by search term;
    • Data breaches that could lead to identity theft:
      • By sector;
      • By cause;
      • Type of information exposed in deliberate breaches;
    • Malicious shortened URLs on social networking sites;
    • Bot-infected computers;

  4. Vulnerability Trends:
    A vulnerability is a weakness that allows an attacker to compromise the availability, confidentiality, or integrity of a computer system. Vulnerabilities may be the result of a programming error or a flaw in the design that will affect security. Vulnerabilities can affect both software and hardware. It is important to stay abreast of new vulnerabilities being identified in the threat landscape because early detection and patching will minimize the chances of being exploited. This section discusses selected vulnerability trends, providing analysis and discussion of the trends indicated by the data. The following metrics are included:
    • Total number of vulnerabilities;
    • Web browser vulnerabilities;
    • Window of exposure for Web browsers;
    • Web browser plug-in vulnerabilities;
    • Zero-day vulnerabilities;
    • SCADA vulnerabilities;

  5. Malicious Code Trends:
    Symantec collects malicious code information from its large global customer base through a series of opt in anonymous telemetry programs, including Norton Community Watch, Symantec Digital Immune System and Symantec Scan and Deliver technologies. Well over 100 million clients, servers and gateway systems actively contribute to these programs. New malicious code samples, as well as detection incidents from known malicious code types, are reported back to Symantec. These resources give Symantec’s analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in malicious code activity in the threat landscape. Reported incidents are considered potential infections if an infection could have occurred in the absence of security software to detect and eliminate the threat.

    Malicious code threats are classified into four main types — backdoors, viruses, worms, and Trojans:
    • Backdoors allow an attacker to remotely access compromised computers.
    • Trojans are malicious code that users unwittingly install onto their computers, most commonly through either opening email attachments or downloading from the Internet. Trojans are often downloaded and installed by other malicious code as well. Trojan horse programs differ from worms and viruses in that they do not propagate themselves.
    • Viruses propagate by infecting existing files on affected computers with malicious code.
    • Worms are malicious code threats that can replicate on infected computers or in a manner that facilitates them being copied to another computer (such as via USB storage devices).

    Many malicious code threats have multiple features. For example, a backdoor is always categorized in conjunction with another malicious code feature. Typically, backdoors are also Trojans, however many worms and viruses also incorporate backdoor functionality. In addition, many malicious code samples can be classified as both worm and virus due to the way they propagate. One reason for this is that threat developers try to enable malicious code with multiple propagation vectors in order to increase their odds of successfully compromising computers in attacks.

    This discussion is based on malicious code samples detected by Symantec in 2010, with the following trends being analyzed:
    • Top malicious code families;
    • Prevalence of malicious code features;
    • Top malicious code samples by region;
    • Threats to confidential information;
    • Propagation mechanisms;

  6. Fraud Activity Trends:
    Fraud activity discusses trends in phishing, spam. It also discusses activities observed on underground economy servers, because this is where much of the profit is made from phishing and spam attacks.

    Phishing is an attempt by a third party to solicit confidential information from an individual, group, or organization by mimicking (or spoofing) a specific, usually well-known brand. Phishers attempt to trick users into disclosing personal data, such as credit card numbers, online banking credentials, and other sensitive information, which they can then use to commit fraudulent acts. Phishing generally requires victims to provide their credentials, often by duping them into filling out an online form. This is one of the characteristics that distinguishes phishing from spam-based scams (such as the widely disseminated “419 scam” and other social engineering scams).

    Spam is usually defined as junk or unsolicited email sent by a third party. While it is certainly an annoyance to users and administrators, spam is also a serious security concern because it can be used to deliver Trojans, viruses, and phishing attempts. Spam can also include URLs that often link to malicious sites that, without the user being aware of it, attack a user’s system upon visitation. Large volumes of spam could also cause a loss of service or degradation in the performance of network resources and email gateways.

    Underground economy servers are black market forums for advertising and trading stolen information and services. This discussion assesses underground economy servers according to the different types of goods and services advertised. It should be noted that this discussion might not necessarily be representative of Internet-wide activity; rather, it is intended as a snapshot of the activity that Symantec monitored during this period.

    This section discusses the following metrics:
    • Phishing scams using current events;
    • Underground economy servers—goods and services available for sale;
    • Spam delivered by botnets;
    • Originating sources of botnet spam;
    • Significant spam tactics;
    • Spam by category;

  7. Europe, the Middle East, and Africa (EMEA):
    In addition to gathering global Internet attack data, Symantec also analyses attack data that is detected by sensors deployed in specific regions. This report discusses notable aspects of malicious activity Symantec has observed in Europe, the Middle East and Africa (EMEA) for 2010.

    This section discusses the following metrics:
    • EMEA Introduction;
    • EMEA Threat Activity Trends;
    • EMEA Malicious Activity by Country;
    • EMEA Attack Origin by Country;
    • EMEA Web-based Attack Activity;
    • EMEA Bot-Infected Computers by Country;
    • EMEA Malicious Code Activity Trends;
    • EMEA Prevalence of Malicious Code Features;
    • EMEA Top Malicious Code Samples;
    • EMEA Top New Malicious Code Families;
    • EMEA Threats to Confidential Information;
    • EMEA Propagation Mechanisms;
    • EMEA Fraud Activity Trends;
    • EMEA Phishing URLs by Country and Top Targeted Sectors;
    • EMEA Countries of Botnet Spam Origin;

  8. Latin America (LAM):
    In addition to gathering global Internet attack data, Symantec also analyzes attack data that is detected by sensors deployed in specific regions. This report discusses notable aspects of malicious activity Symantec has observed in the Latin America (LAM) region for 2010.

    This section discusses the following metrics:
    • LAM Introduction;
    • LAM Malicious Activity by Country;
    • LAM Attack Origin by Source;
    • LAM Bot-Infected Computers by Country;
    • LAM Top Malicious Code Samples;
    • LAM Countries of Botnet Spam Origin;

  9. Best Practices:
    • Enterprise Best Practices;
    • Consumer Best Practices;

The following consumer best practices, that are suggested by Symantec Corporation in Internet Security Threat Report 2010 (Volume 16), can help protect your computer from security threats:
  1. Protect yourself: Use a modern Internet security solution that includes the following capabilities for maximum protection against malicious code and other threats:
    • Antivirus (file and heuristic based);
    • Bidirectional firewall;
    • Intrusion prevention to protect against Web-attack toolkits, unpatched vulnerabilities, and social-engineering attacks;
    • Browser protection to protect against Web-based attacks;
    • Reputation-based tools that check the reputation and trust of a file and website before downloading;
    • Behavioral prevention that keeps malicious threats from executing even if they get onto your computer;
    • URL reputation and safety ratings for websites found through online searches;

  2. Keep up to date:
    • Keep virus definitions and security content updated hourly, if possible. By keeping your virus definitions up to date, you can protect your computer against the latest viruses and malicious software (“malware”);

    • Whenever possible, use the automated updating capability of your programs to keep your operating system, Web browsers, browser plug-ins, and applications current with the latest updated versions. Running out-of-date versions can put you at risk of being exploited by Web-based attacks;

  3. Know what you are doing:
    • Be aware that malware or applications that try to trick you into thinking your computer is infected can be automatically downloaded on computers with the installation of file-sharing programs, free downloads, and freeware and shareware versions of software;

    • Downloading “free,” “cracked,” or “pirated” versions of software can also contain malware or social engineering attacks. This includes malware that tries to trick you into thinking your computer is infected and getting you to pay money to have it removed;

    • Be careful which websites you visit. While malware can still come from mainstream websites, less reputable sites sharing pornography, gambling and stolen software often have a higher percentage of malware infections;

    • Read end-user license agreements (EULAs) carefully and understand all terms before agreeing to them. Some security risks can be installed after you have accepted the EULA, or because of that acceptance;

  4. Use an effective password policy:
    • Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of words from the dictionary, since these are easier for cybercriminals to hack;

    • Do not use the same password for multiple applications or websites;

    • Use complex passwords (upper/lowercase, punctuation and symbols) or passphrases. (E.g., “I want to go to Paris for my birthday” becomes, “I1t2g2P4mb”);

    • Consider using a “password vault” that can help you keep track of all your passwords. These tools allow you to have more complex passwords without having to remember them all, plus they protect you from threats that record your keystrokes. You can even use these tools to help you to automatically create a strong password;

  5. Think before you click:
    • Never view, open, or execute any email attachment unless you expect it and trust the sender. Even if it is coming from trusted users, be suspicious;

    • A favorite tactic of malware authors is to try to trick you into clicking their infected links. Be cautious when clicking on URLs in emails, instant messages, and social media programs even when coming from trusted sources and friends. Remember that the attackers who have compromised a friend’s account may have lots of information about you too;

    • Do not click on shortened URLs without expanding them first using “preview” tools or plug-ins to see where they actually lead;

    • Do not click on links in social media applications with catchy titles or phrases — even from friends. If you do click on the URL, you may end up “liking it” and sending it to all of your friends — just by clicking anywhere on the page. Close or quit your browser instead;

    • When searching for things online, use security software that shows the reputation and safety rating of websites in your search results;

    • Be suspicious of search results; only click through to trusted sources when conducting searches, especially on topics that are hot in the media;

    • Be suspicious of warnings that pop-up asking you to install media players, document viewers and security updates; only download software directly from the vendor’s website;

  6. Guard your personal data:
    • Limit the amount of personal information you make publicly available on the Internet (including and especially social networks) as it may be harvested by cybercriminals and used in targeted attacks, phishing scams, or other malicious activities;

    • Never disclose any confidential personal or financial information unless and until you can confirm that any request for such information is legitimate;

    • Review your bank, credit card, and credit information frequently for irregular activity, including small discrepancies. Cybercriminals will often steal a little bit of money over a long period of time instead of just wiping out your bank account all at once;

    • Avoid banking or shopping online from public computers (such as libraries, Internet cafes, etc.) or from unencrypted Wi-Fi connections;

    • Use only secured connections (HTTPS) when connecting via Wi-Fi networks to your email, social media and sharing websites. Check the settings and preferences of the applications and websites you are using to make sure that they are not exposing your sensitive information;

    • Consider using software that protects all your Internet traffic when you are connected to a public hotspot. These “personal VPNs” will protect you from attackers who are trying to steal your email or social media information when you connect;

0 comments: (+add yours?)

Post a Comment

Note: Only a member of this blog may post a comment.