Report cites savvier Internet attacks
- By William Jackson
- Jul 16, 2003
Cyberattacks dropped off during the last six months of 2002, according to a report from Symantec Corp.
Recent blended threats also caused considerably less damage than previous worms such as Code Red, said the Cupertino, Calif., company's report, which predated the SQL Slammer worm. Slammer's impact resulted from a single exploit with no payload.
SQL Slammer 'should be a warning call to us,' said Brian J. Finn, director of strategic programs and homeland security for Symantec.
More than three-quarters of the attacks during the latter part of last year came from older, blended threats such as SQL Spida and Code Red, Finn said.
'Any time the United States has been involved in a military action, we see an increase in foreign activity,' he said.
The February edition of the Internet Security Threat Report was the third to be released. The first two came from Riptech Inc., which Symantec acquired.
The 48-page report charted trends in network attack activity, vulnerabilities and malicious code, culled from 30T of data collected by millions of intrusion detection and antivirus installations.
Attack activity dropped by 6 percent in the last half of 2002, and 85 percent of all activity was classified as preattack reconnaissance, the report said. The rest was attempted exploitation.
Microsoft SQL Server was the top target for reconnaissance, accounting for 29.5 percent of all scans. The other most frequently scanned services, Hypertext Transfer Protocol, File Transfer Protocol and NetBIOS Name Service, accounted for almost three-quarters of scans.
The bulk of the efforts focused on a few industrial sectors, the report said. Power and energy companies had the highest rate of attack and severe events, and financial services had an increase in both attacks and severe incidents.
Although overall attacks were down, the number of vulnerabilities reported in software almost doubled in 2002, the report said. The vast majority were not considered particularly dangerous, but the percentage of those ranked moderately severe rose.
'Severe ones grew at a startlingly higher rate than the others,' said Tony Vincent, Symantec's principal systems engineer. Vulnerabilities rated moderately to highly severe grew by nearly 85 percent, and those rated at lower severity by 24 percent.
Hackers can't keep up
The sheer number of weaknesses appears to be growing faster than hackers can write malicious code for them. In 2001, attack code was available for roughly 30 percent of vulnerabilities. The percentage dropped to about 24 last year.
'This may indicate that sophisticated writers of exploit code are not keeping up with the volume of vulnerabilities, or that they are intentionally hiding exploit code from the public,' the report concluded.
No verifiable cases of cyberterrorism were reported during the last half of 2002. The 13 countries on the cyberterror watch list (Cuba, Egypt, Indonesia, Iran, Jordan, Kuwait, Lebanon, Libya, Morocco, Pakistan, Saudi Arabia, Sudan and the United Arab Emirates) accounted for less than 1 percent of detected attacks, the report said.
See more details on Symantec's Web site, at www.symantec.com