Computer Crime Research Center

Internet Hacker Activity Increases

(By Riva Richmond)

Malicious activity on the Internet spawned by virus writers and hackers increased significantly during the second half of last year, according to a report released by Internet security firm Symantec Corp.

Attacks caused by "blended threats," or programs that spread like viruses while attempting hackerlike exploitation of software flaws, rose nearly 50% from their level in the last six months of 2001.

Meanwhile, targeted hacker attacks on corporate computer networks rose 20% to an average of 30 attacks a week, although the number of severe attacks fell significantly. The power-and-energy and financial-services industries continued to attract the highest attack rates. Symantec also said it found no evidence of cyberterrorism during the period.

Blended threats were by far the greatest scourge to corporate computer systems. Three particularly successful worms, Klez, Bugbear and Opaserv, accounted for nearly 80% of all the attack activity Symantec detected between July and December 2002. Worms are viruses that spread on their own.

No single outbreak in the second half was as spectacular as either the Nimda or Code Red outbreaks, which struck with great force in the summer and fall, respectively, of 2001. But as a group they amassed higher overall volume by more successfully infiltrating consumers' as well as corporate users' machines and lasting longer. In essence, 2002's worms got farther by being slow burners, rather than cases of boom and bust.

Also troubling, Symantec said the danger posed by blended threats is rising, largely because known vulnerabilities in both software and networks have increased sharply.

All of the major blended threats that have emerged in recent years attacked known software flaws. For instance, Nimda and Code Red exploited known flaws in Microsoft Corp.'s IIS Web-server software. Similarly, the devastating Slammer worm that hit in January targeted flaws in Microsoft's SQL server software, although the company had been offering fixes for six months.

Abundant numbers of serious flaws are embedded in virtually all software programs and are being discovered and disclosed publicly at a quickening rate.

Symantec documented 2,524 new flaws in 2002, up 82% from 2001. Moreover, Symantec deemed most of the flaws "severe," said Amit Yoran, vice president of managed security services, which means they are dispersed across the global Internet and can provide hackers with full control of computers they attack. Better than half of the vulnerabilities were classified as easily exploitable.

The rise is probably due in large measure to the emergence of a "responsible disclosure" movement that has led many companies to more readily acknowledge and provide fixes for flaws found in their products, Symantec said. It may also reflect new efforts to find exploitable programming flaws, perhaps in part driven by the lure of media fame, as well as the discovery of new types of these errors, including the so-called buffer overflow flaws that were revealed in abundance in 2002.

Risk has also increased with a 70% rise in unauthorized use of instant-messaging and music-swapping programs at work by employees, according to Symantec.

These programs "create significant opportunities for people to break into networks," Mr. Yoran said, and will probably attract more attention from bad actors in the coming year.

"Because of the way instant messaging and peer file-sharing programs work, we expect when worms and blended threats target those applications, the damage will be more severe," he warned.

"It's not a complete projection of doom and gloom," said Symantec's Mr. Yoran. Symantec's analysis of security systems at more than 400 companies showed a 6% decline in targeted hacker attacks, compared with the first six months of 2002, a statistic that has been rising fairly constantly for years. Reports of severe security incidents also declined. In the second half of 2002, 21% of companies studied suffered at least one severe event during the period, compared with 43% in the year-ago period and 23% in the first half of 2002.

Moreover, companies that implemented security solutions and were aggressive in their approach to network security reduced their risk of attack by over 50%, Mr. Yoran said.

Targeted attacks continued to affect very large companies the most, and some industries were more targeted than others.

Power and energy companies continued to show the highest rate of both attack volume and severe incidents. Companies in the study each sustained 987 attacks on average, and 60% had at least one severe event.

Financial-services companies, long choice targets and early adopters of security technologies, each sustained an average of 689 attacks. The incidence of serious attacks rose: 48% faced a serious event, compared with 28% in the first half of the year, Symantec said.

Nonprofit companies in Symantec's sample, which included several high-profile activist groups, saw a 43% rise in attack volume, and the share of organizations seeing severe events increased by five percentage points.

A look at attacks Symantec traced for customers showed that about half traced to company insiders and half to outside intruders. Attacks by insiders tend to take a much higher financial toll because the individual is more familiar with the target system and knows how to steal valuable content.

Ten countries were the point of origin for the vast majority of attacks, with the U.S. and South Korea topping the list.

In the second half of 2002, 35% of attacks originated in the U.S., which has the largest Internet infrastructure and user base in the world, up from 30% in the year-ago period. About 13% of attacks originated in South Korea, up from 8.8%.

But South Korea was the No. 1 culprit on a per-user basis among countries with more than one million Internet users. Perhaps riding rapid growth in high-speed Internet connections there, South Korea jumped from the No. 4 spot. Meanwhile, the former leader, Israel, dropped down to No. 10 as its total attack volume fell about 50%. The U.S. didn't make this list.

Iran and Kuwait topped the per-user ranking for countries with between 100,000 and a million users, with a spate of Eastern European and Latin American countries filling out the top 10.



Copyright Computer Crime Research Center 2001, 2002 All Rights Reserved.