Malware takes massive jump as criminals exploit toolkits

5 Apr 2011

There were more than 286m new malware threats last year and the number of measured web-based attacks per day increased by 93pc compared to 2009, according to Symantec’s annual Norton Internet Security Threat Report.

Volume 16 of the annual report, which was released earlier today, said the sharp rise in malware volume was due to two factors. One is polymorphism, where the code for a virus or Trojan is changed slightly to evade detection by security software but the function remains the same. The other trend is delivery mechanisms, such as web attack toolkits. The report found a 93pc increase in web-based attacks last year. 

While the headline figure of 286m new threats in 2010 is an arresting number, it’s a function of the widespread availability of attack toolkits that cyber criminals can exploit without needing to be technically proficient, said Con Mallon, Symantec’s director of regional product marketing.

Toolkits like Phoenix are increasingly aimed at vulnerabilities in the Java programming language, which accounted for 17pc of all flaws affecting browser plug-ins, Symantec found. Java is an attractive target for attackers because it works across different browser types and operating systems.

These toolkits are readily available on black markets and they automate the process of building malicious software, allowing criminals to take a “shotgun approach” to distributing it. “You don’t have to be a hacker or computer programmer to do this. These toolkits are enablers that allow anybody to get into the game,” said Mallon.

At the other end of the spectrum, last year there were several highly targeted attacks against “a diverse collection of publicly traded, multinational corporations and government agencies, as well as a surprising number of smaller companies”, the report said. Due to their targeted nature, many of these attacks succeeded even when victim organisations had basic security measures in place.

Stuxnet and Hydraq attacks

Two of the most prominent such attacks last year were Stuxnet and Hydraq. Stuxnet targeted control systems in Iranian nuclear facilities with the aim of disabling them. Speaking earlier this year, Symantec threat response director Kevin Hogan said Stuxnet’s code immediately stood out as a very different type of malware from run-of-the-mill attacks: “It was like a seven-foot tall guy with a pink Mohican,” he said.

Hydraq is understood to have been aimed at several significant technology companies because of the value of their intellectual property. Mallon said these attacks involved hand-selected groups of programmers and heavy profiling of targets before the malware was sent.

Similar tactics can be seen in more general attacks, where criminals track individuals through social networks, building a profile of their target to increase the chances of scamming them successfully. For that reason, Mallon warned business owners against being complacent and believing they are too small to be targeted. “People can get into any of the microblogging sites or social networks and start to build up a profile of someone, and start to think about how they could go after them. (A scam) is much more convincing because they have much more information about the victim,” he said.

Social networks as targets

Social networks are also becoming popular among attackers as an effective way of spreading malware, the report found. In 2010, attackers posted millions of shortened links on social sites to trick victims into phishing scams or downloading malware. Since people are more inclined to trust what they see on these sites, the rate of successful infections this way “dramatically” increased, Symantec found.

Other numbers from the report reveal on average there were 260,000 identities exposed per data breach caused by hacking during 2010. Symantec also documented more vulnerabilities in 2010 – some 6,253 new weaknesses – than in any previous reporting period and 14 new zero-day vulnerabilities which played a key role in targeted attacks, including Hydraq and Stuxnet. Symantec tracked Stuxnet closely and found it alone used four different zero-day vulnerabilities. 

The number of mobile operating system vulnerabilities increased by 42pc in 2010, although with 163 new flaws spotted, the numbers pale into insignificance next to PCs. At one point last year, more than a million computers were in the control of Rustock, the largest botnet observed in 2010. Other networks such as Grum and Cutwail had many hundreds of thousands of bots each. Criminals could rent 10,000 infected machines for US$15 on one underground forum, Symantec’s research showed.

Gordon Smith was a contributor to Silicon Republic