Internet threats take on new hue

The daily volume of Internet attacks dropped off in the first half of this year, and the rate at which new vulnerabilities are being reported appears to have hit a plateau, but new problems are on the rise.

The daily volume of Internet attacks dropped off in the first half of this year, and the rate at which new vulnerabilities are being reported appears to have hit a plateau, according to Symantec Corp.'s latest threat report.

Despite the relative lull in attacks, the Cupertino, Calif., company's biannual Internet Security Threat Report noted a troublesome shift in hacker activity.

From January through June, there was a sharp increase in bot networks. The number of these remotely controlled networks of compromised computers jumped from fewer than 2,000 to more than 30,000, Symantec noted in the report released today.

"We're effectively seeing a land grab" as hackers scramble to take control of as many vulnerable systems as possible, said Brian Dunphy, director of global analysis for Symantec managed security services.

The Symantec report is an analysis of security incidents observed on 20,000 devices deployed by the company's DeepSight Threat Management System and managed security services.

Hackers typically use bot networks as platforms for scanning other systems for vulnerabilities and for launching attacks. The use of compromised zombie computers can help hide the source of probes and attacks. They also can multiply the impact of an attack and be used to send spam.

There appears to be a change in motives for launching attacks, Dunphy said. Bragging rights and notoriety no longer seem to be the primary reasons.

"We have seen more of a shift to financial gain," he said.

This shift appears to be borne out by the number of online businesses targeted by hackers in the first half of 2004. Customer lists for these businesses can be sources of personal information and credit card numbers.

Online businesses were the single most frequent targets for attacks during the last six months, accounting for 16 percent. This is up from just 4 percent in the previous six months.

The pressure on systems administrators and end users to patch security vulnerabilities continues to increase. Symantec documented 1,237 new reported vulnerabilities -- that's an average of 48 per week for the first half of the year.

Although this number is down slightly from the previous six months, the average time between the announcement of a vulnerability and the appearance of code to exploit it has shrunk to less than six days.

"You can't go patching command and control systems in 5.8 days without risking leaving troops somewhere in the world unsupported," Dunphy said.

The alternative is to accept and manage a level of risk from vulnerabilities while patches are tested and validated. This includes building tolerance and redundancy into systems, layering defenses from the service provider down to the server, and leveraging third-party expertise by outsourcing appropriate functions.