B-whitepaper Government Internet Security Threat Report 04-2009.en-us


Symantec Enterprise Security

Symantec Government Internet Security Threat Report

Trends for 2008

Volume XIV, published April 2009

Marc Fossi, Executive Editor, Manager, Development, Security Technology and Response

Eric Johnson, Editor, Security Technology and Response

Trevor Mack, Associate Editor, Security Technology and Response

Dean Turner, Director, Global Intelligence Network, Security Technology and Response

Gary Kevelson, Global Manager, Symantec Cyber Threat Analysis Program

Andrew J. Rogers, Cyber Threat Analyst, Symantec Cyber Threat Analysis Program

Joseph Blackbird, Threat Analyst, Symantec Security Response

Mo King Low, Threat Analyst, Security Technology and Response

Teo Adams, Threat Analyst, Security Technology and Response

David McKinney, Threat Analyst, Security Technology and Response

Stephen Entwisle, Threat Analyst, Security Technology and Response

Marika Pauls Laucht, Threat Analyst, Security Technology and Response

Greg Ahmad, Threat Analyst, Security Technology and Response

Darren Kemp, Threat Analyst, Security Technology and Response

Ashif Samnani, Threat Analyst, Security Technology and Response

Contents

Introduction . . . . . 4

Executive Summary . . . . . 5

Highlights . . . . . 11

Threat Activity Trends . . . . . 14

Malicious Code Trends . . . . . 43

Phishing, Underground Economy Servers and Spam Trends . . . . . 53

Appendix A: Symantec Best Practices . . . . . 69

Appendix B: Threat Activity Trends Methodology . . . . . 71

Appendix C: Malicious Code Trends Methodology . . . . . 73

Appendix D: Phishing, Underground Economy Servers, and Spam Trends Methodology . . . . . 74


    Introduction

The Symantec Government Internet Security Threat Report provides an annual summary and analysis of trends in attacks, vulnerabilities, malicious code, phishing, and spam as they pertain to organizations in the government and critical infrastructure sectors. This volume will also provide an overview of observed activities on underground economy servers. Where possible, it will also include an overview of legislative efforts to combat these attack types and activities. For the purposes of this discussion, government organizations include national, state/provincial, and municipal governments. This report also incorporates data and discussions relevant to threat activity that affects critical infrastructure industries that support or are involved with government and military support.

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network. More than 240,000 sensors in over 200 countries monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, as well as additional third-party data sources.

Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Additionally, Symantec's distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attacker methods.

Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades), affecting more than 72,000 technologies from more than 11,000 vendors. Symantec also facilitates the BugTraq mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 50,000 subscribers who contribute, receive, and discuss vulnerability research on a daily basis.

Spam and phishing data is captured through a variety of sources including: the Symantec Probe Network, a system of more than 2.5 million decoy accounts; MessageLabs Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over eight billion email messages, as well as over one billion Web requests, are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors and more than 50 million consumers.

These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result gives enterprises and consumers the essential information to effectively secure their systems now and into the future. This volume of the Symantec Government Internet Security Threat Report will alert readers to current trends and impending threats that Symantec has observed for 2008.


    Executive Summary

The recent global economic crisis has shown how extensively connected the global economy has become. The repercussions of failing companies and industries have reached far beyond what many people might have expected. Even experienced actors find themselves in uncharted territory. This is resulting in changing patterns in both national government and commercial relations. These are expanding in new ways, some in response to the crisis, and others in support of intended growth. Similarly, as the Internet and broadband connectivity continue to expand, so does the mutual risk inherent in these regional and global relationships.1 One commonality demonstrated by the report data is that globalization continues to change traditional boundaries and alliances for both attackers and defenders.

Along with these issues, this summary will discuss the increasing sophistication of attackers and their tools against traditional defense mechanisms. In past reports, Symantec has identified that malicious activity has increasingly become Web-based, that attackers are targeting end users instead of computers, and that attackers are able to rapidly adapt their attack activities.2 These trends are expected to continue, as are the increasingly sophisticated social engineering methods employed by attackers.

Attackers continue to diversify the range of their threat options and in some cases have expanded the reach of their operations. As in previous years, Symantec continues to observe increasingly sophisticated attack techniques and the ability of attackers to rapidly adapt their methods. In this reporting period, the increasing trend toward interoperability between threats, methods, and multistage attacks has continued. For example, Trojans often install additional back door threats that then download and install bots. This can enable additional compromises, such as using the compromised computers as spam zombies. All of these threats work in concert to provide a coordinated and sophisticated network of malicious activity.

Threats due to data breaches and theft also continue to be dangerous, especially to governmental and critical infrastructure organizations, since these threats are often exploited for financial gain or intelligence gathering. As attackers refine their methods and consolidate their assets, they may be able to create global networks that support coordinated malicious activity.

Following a traditional network penetration approach sequence, successful Internet Control Message Protocol (ICMP) messages (otherwise known as pings) can be used to produce additional scanning attempts. Successful scans can then produce enumeration attempts, which if properly executed can lead to malware deployment. If these attacks are identified as originating from multiple IP addresses, it would indicate more coordinated operations. This scenario would suggest that enhanced security intelligence could help to reduce the risk of further network compromises.
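The penetration sequence described above (echo requests, then a port scan, then an enumeration attempt) is the kind of chain a detection engineer correlates per source address before asking whether several sources are working together. The following is an added example and not code from the report: it runs over constructed firewall log lines in an assumed key=value format, treats a burst of distinct TCP ports against one host as the scan stage and SMTP VRFY/EXPN probes as the enumeration stage (both thresholds are assumptions for illustration), and then groups sources that completed the chain by /24 as a crude version of the "multiple IP addresses" signal the text mentions.

```python
"""Added example: correlate the ping -> scan -> enumeration sequence per source
and flag sources from the same /24 that completed it (a crude coordination signal)."""
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines (not real data). The key=value format is an
# assumption; adapt LINE_RE to the device you actually have.
SAMPLE_LOG = """\
2008-06-01T10:00:01 ALLOW proto=icmp src=198.51.100.7 dst=203.0.113.10 type=8
2008-06-01T10:00:02 ALLOW proto=icmp src=198.51.100.7 dst=203.0.113.11 type=8
2008-06-01T10:00:03 ALLOW proto=icmp src=198.51.100.7 dst=203.0.113.12 type=8
2008-06-01T10:00:05 DENY proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=21
2008-06-01T10:00:05 DENY proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=22
2008-06-01T10:00:05 DENY proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=23
2008-06-01T10:00:05 ALLOW proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=25
2008-06-01T10:00:06 DENY proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=80
2008-06-01T10:00:06 DENY proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=139
2008-06-01T10:00:06 DENY proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=445
2008-06-01T10:00:40 ALLOW proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=25 app=smtp cmd=VRFY
2008-06-01T10:00:41 ALLOW proto=tcp src=198.51.100.7 dst=203.0.113.10 dport=25 app=smtp cmd=EXPN
2008-06-01T10:01:00 ALLOW proto=icmp src=198.51.100.9 dst=203.0.113.10 type=8
2008-06-01T10:01:05 DENY proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=135
2008-06-01T10:01:05 DENY proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=139
2008-06-01T10:01:05 DENY proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=445
2008-06-01T10:01:06 DENY proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=1433
2008-06-01T10:01:06 DENY proto=tcp src=198.51.100.9 dst=203.0.113.10 dport=3389
2008-06-01T10:02:00 ALLOW proto=tcp src=192.0.2.50 dst=203.0.113.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# SMTP commands that disclose valid mailboxes; seen after a scan they are the
# "enumeration attempt" of the text. Which commands count is an assumption.
ENUM_COMMANDS = {"VRFY", "EXPN"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(rec.pop("rest")))
    return rec


def recon_stages(log_text, scan_threshold=5):
    """Map each source IP to the set of stages it completed: "ping" (ICMP echo
    request), "scan" (at least scan_threshold distinct TCP ports against one
    host) and "enumeration" (an ENUM_COMMANDS probe)."""
    pings = defaultdict(set)   # src -> hosts that received echo requests
    ports = defaultdict(set)   # (src, dst) -> distinct TCP ports probed
    enum = defaultdict(set)    # src -> enumeration commands seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        if rec["proto"] == "icmp" and rec.get("type") == "8":
            pings[src].add(dst)
        elif rec["proto"] == "tcp":
            if rec.get("cmd", "").upper() in ENUM_COMMANDS:
                enum[src].add(rec["cmd"].upper())
            elif "dport" in rec:
                ports[(src, dst)].add(rec["dport"])
    stages = defaultdict(set)
    for src in pings:
        stages[src].add("ping")
    for (src, _dst), dports in ports.items():
        if len(dports) >= scan_threshold:
            stages[src].add("scan")
    for src in enum:
        stages[src].add("enumeration")
    return dict(stages)


def coordinated_groups(stages, required=("ping", "scan"), prefix=24):
    """Group sources that completed every required stage by /prefix network.
    Several such sources in one network is the "multiple IP addresses" signal
    the text describes; it is a lead for an analyst, not proof of coordination."""
    groups = defaultdict(list)
    for src, done in stages.items():
        if all(stage in done for stage in required):
            net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
            groups[str(net)].append(src)
    return {net: sorted(srcs) for net, srcs in groups.items() if len(srcs) > 1}


if __name__ == "__main__":
    found = recon_stages(SAMPLE_LOG)
    for src, done in sorted(found.items()):
        print(src, sorted(done))
    print(coordinated_groups(found))
```

A single vulnerability scanner, NAT gateway or monitoring host will also complete the first two stages, so the output is a triage list rather than an alert; the port threshold should be tuned to the network, and the /24 grouping stands in for whatever attribution (netblock owner, ASN) the analyst actually has.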

In the global and regional threat patterns observed by Symantec, attackers often target computers within the same country or region.3 In this reporting period, Symantec examined the top regions originating malicious code infections, as well as the types of malicious code causing potential infections in each region. The regionalization of threats can cause differences between the types of malicious code being observed from one area to the next. For example, threats may use certain languages or localized events as part of their social engineering techniques. Because of the different propagation mechanisms used by different malicious code types, and the different effects that each malicious code type may have, information about the geographic distribution of malicious code can help network administrators improve their security efforts.

This is illustrated by potential malicious code infections. Symantec examines the top regions originating potential malicious code infections, as well as the main types of malicious code causing potential infections in each region. Threats that steal confidential information can also be tailored to steal information that is more commonly available in some countries than others. For instance, Trojans that attempt to steal account information for Brazilian banks are quite common in the Latin American region. Because of the increasing ability for attackers to be quite specifically and geographically targeted, governments should pay close attention to malicious events originating regionally.

The United States was the top country for overall malicious activity in 2008, and again ranked first for a number of categories within this, including for malicious code, phishing website hosts, and originating attacks. Rounding out the top three countries in overall malicious activity were China and Germany, in second and third place, respectively. One notable change is the rise of Brazil from eighth rank in the previous report to fifth in 2008 (table 1).

The most obvious explanation for a great deal of the attack patterns is the correlation between high-speed connectivity infrastructure in a country or region and the accompanying amount of malicious activity. An example of this is with spam bots, which typically require excessive bandwidth in order to propagate large amounts of email. Symantec has noted that spam bots are often concentrated in regions with well-established high-speed broadband infrastructures. High-bandwidth capacity networks may also enable attackers to hide attack and bot traffic more effectively, especially through HTTP-based command-and-control servers, where they can effectively hide malicious HTTP bot traffic within legitimate traffic, thus confounding efforts to filter for threats.

In 2008, China surpassed the United States for the largest number of broadband subscribers for the first time. This was likely a significant reason for China's continued prominence in many malicious code categories. Another reason for China's prominence is likely related to the fact that Internet users in China spend more of their leisure time online than users in any other country.4 Online leisure activities are typically more likely to include activities that are popular and, in many instances, vulnerable attack targets. This includes social networking websites, online gaming sites, forums, blogs, and online shopping sites. Dynamic sites, such as forums, are targets for attackers using bot-infected computers to host and propagate malicious content, as Web application and site-specific vulnerabilities can put these types of sites at risk.

For attacks specifically targeting the government sector, 2008 marked the first year that the United States was not the top country of origin, as it was surpassed by China, which ranked first with 22 percent of the attacks on the government sector. China's rise in this category represented an increase from 8 percent in 2007, when it was ranked fourth. The United States ranked second, and Spain ranked third this year.

Malicious code attacks targeting governments on the Web can be motivated by a number of factors. Profit is often a motive because governments store considerable amounts of personal identification data, which if stolen can be exploited for profit. In addition, attackers may also be motivated by attempts to steal government-classified information.

1 http://www.gao.gov/new.items/d08588.pdf: p. 1
2 http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xiii_gov_09_2008.en-us.pdf: p. 4
3 http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_gov_09_2007.en-us.pdf: p. 10
4 http://www.tnsglobal.com/_assets/files/TNS_Market_Research_Digital_World_Digital_Life.pdf


In 2008, some actions taken by governments were effective at reducing malicious threat activity. China made a large security effort to block addresses of websites potentially most susceptible to fraud in an effort to increase online security for users ahead of the 2008 Beijing Olympic Games.5 Thousands of websites were either shut down or blacklisted as part of this effort, including a substantial number of message forums, which are popular attack targets, as noted. Additionally, the Chinese government created a special response team to monitor systems for potential Internet attacks and malicious activity.6 Lastly, many unlicensed Internet cafés there were also shut down and supervision was tightened on the cafés remaining to help address online security risks associated with the casual use of public computers.7 Public computers tend to be more susceptible to attacks because of the significant amount of varied traffic on such computers. Public computers are frequently used by a great variety of people for many different activities such as email, online shopping, and gaming. The variety of usage and the likelihood that many users are less aware of or concerned with security makes such computers attractive to attackers. Shutting down the Internet cafés in China thus removed possible channels for malicious activity.

Along with such actions taken by governments, the actions of regional commercial entities were also effective at reducing security threats, and also demonstrate how connected the threat landscape has become. One example occurred when two ISPs in the United States were shut down by their upstream ISPs in September and November 2008. This resulted in a dramatic drop worldwide in both bot command-and-control servers and bot-infected computers. Bot network activity associated with spam distribution decreased substantially after both shutdowns.8 Unfortunately, these slowdowns were only temporary, as the bot controllers were able to establish their operations elsewhere soon afterward.

In this reporting period, Symantec also examined the SCADA (Supervisory Control and Data Acquisition) security threat landscape. This includes, but is not limited to, industries such as power generation, manufacturing, oil and gas, water treatment, and waste management. The security of SCADA technologies and protocols can be of concern because the disruption of related services can result in the failure of critical infrastructure. Due to the potential for disruption of critical services, these vulnerabilities may be the target of politically motivated or state-sponsored attacks.

Given the role in critical infrastructure and the severity of potential vulnerabilities, SCADA security is largely a private affair between SCADA vendors and the industries and government agencies that rely on these specific protocols and technologies. As such, Symantec does not report on any private research, although it does report on public research for the Symantec Government Internet Security Threat Report. The findings showed that SCADA technologies are affected by many of the same types of vulnerabilities that affect desktop and enterprise software. One noteworthy event took place in September 2008, when a security researcher publicly released exploit code for a SCADA vulnerability because the researcher believed that the originating vendor did not adequately emphasize the risk of the vulnerability.9

During this reporting period, the most common attacks targeting government organizations were denial-of-service (DoS) attacks, representing a continued trend from the previous reporting period. This is problematic because much of the critical infrastructure that performs essential functions may remain at risk to attackers who might choose to exploit operations with this type of attack. Sectors that were most often the subject of DoS attacks included the financial, biotech/pharmaceutical, and transportation industries. With the transportation industry in particular, DoS attacks were the most common attack by a significant margin, accounting for 74 percent of attacks in 2008, indicating that this industry may have been singled out and specifically targeted for this type of attack. The goal of attackers may be to cause large-scale disruptions in the services that this sector provides, or these attackers may simply be acting out of spite due to dissatisfaction with those services.

The second most common type of attack against government networks was through Simple Mail Transfer Protocol (SMTP), the protocol through which the vast majority of email is transferred. If compromised, SMTP offers attackers an excellent access vector to internal network resources. While compromised email servers could be used to overwhelm networks with unauthorized bandwidth requests, the more likely motivation for compromising email servers lies in their usefulness for sending out spam, as well as harvesting email addresses for targeted phishing attacks. These attacks also offer the ability to spoof government communications and to obtain credentials to launch further attacks. Given how integral and trusted email that originates within government often is, these types of attacks offer the potential for compromising the integrity of information and communications within governments.

Although dropping from first to second in the attack-by-type ranking for the biotech/pharmaceutical and financial sectors, SMTP-based attacks are a relatively large threat to these critical sectors, likely because of the value to attackers in spoofing the goods and services of these sectors. Similarly, the manufacturing sector ranked very high for phishing website hosts, likely due to the fact that attackers rely upon the trust that users often have for well-known commercial brands.

Symantec also measures the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. In 2008, the telecommunications sector again accounted for the highest proportion of attacks of this nature by a significant margin, with an overwhelming 97 percent of the total.

Attackers continue to target the telecommunications sector for a number of reasons. Organizations in this sector include ISPs and Web-hosting companies, which often have a large number of Internet-facing computers and broadband connections. In 2008, the majority of attacks against this sector were shellcode exploits.10 This may indicate that attackers are attempting to take control of computers in this sector to use them to conduct malicious activity. Compromises to the servers or networks of these companies would also potentially expose a great number of their customers to a range of malicious attacks.

Moreover, governments and critical infrastructure organizations rely on the availability of public communication networks and the telecommunication sector for day-to-day operations. Since telecommunications organizations have a certain amount of control over the flow of data through networks, successful compromises of these networks could give attackers the ability to compromise targeted computers inside specific governmental or critical infrastructure organizations.

As noted, attackers targeting these large government repositories are often motivated by profit, since governments store considerable amounts of personal identification that, if fraudulently obtained, can be sold on underground economy servers. This can also include sensitive information such as military data, scientific research, and technology exports, all of which would be valuable information that could be sold to competing companies or other governments.

5 See http://www.vnunet.com/vnunet/news/2207878/china-cracks-web-porn and http://english.gov.cn/2008-03/29/content_931872.htm
6 http://www.infoworld.com/article/08/04/24/China-worries-hackers-will-strike-during-Beijing-Olympics_1.html
7 http://www.theglobeandmail.com/servlet/story/RTGAM.20080212.wgchina0212/BNStory/Technology/home
8 See http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99 and http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html
9 http://www.theregister.co.uk/2008/09/08/scada_exploit_released/
10 Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability.


One important and rising area of concern to governments is the increased use (and capacity) of removable media over the past few years. In 2008, 66 percent of potential malicious code infections propagated as shared executable files, up significantly from 44 percent in 2007. Shared executable files are the propagation mechanism employed by viruses and some worms to copy themselves onto removable media. The resurgence in this vector over the past few years coincides with the increased use of removable drives and other portable devices. It is also an easy vector to exploit because old malicious code exploits developed for floppy disks can be easily modified for current removable media devices. Increasing the danger of this resurgence is that many organizations lack effective security measures to protect against such dangers. In a recent study, 59 percent of employees admitted to taking company information, such as email addresses, contact information of customers, employee records, and financial records, when leaving the organization.11 Of those who admitted to taking data, 53 percent downloaded information onto a CD or DVD, 42 percent took data using a USB drive, and 38 percent sent attachments to a personal email account.

For data breaches that could lead to identity theft, the government sector continued to be a top target in 2008, ranking second in both the number of breaches, with 20 percent, and the number of identities exposed, with 17 percent. One example of a breach in 2008 occurred when confidential information on six million Chilean people was exposed after being illegally obtained from government databases by a hacker, who then publicly posted the information.12 Although it would be unrealistic to think that all of this data would be exploited, the potential profit for the perpetrators of the attack is still substantial; for example, in 2008 Symantec observed advertised prices for full identities on underground economy servers for as much as $60 each.13

Symantec also assesses the distribution of phishing websites that use government top-level domains (TLDs).14 In 2008, Thailand's TLD accounted for the highest amount of phishing sites, followed by Romania and then Indonesia. As with most phishing attacks, profit seems to be the main reason for phishing attacks using government TLDs. The more credible a phishing attack can appear, the more likely it is to succeed. People tend to trust that the content they are presented with on government websites is valid. Also, many governments are putting an increasing amount of services online and, as with online banking, people are becoming accustomed to providing sensitive information in online forms in order to receive services.
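Counting phishing hosts by government TLD is less mechanical than it sounds, because a government suffix such as .go.th (like .gov.uk) sits one level below the country code: taking only the rightmost label would fold those sites into .th together with commercial .co.th hosts. The following is an added example, not the report's methodology, that classifies constructed lure URLs by their longest matching public suffix and flags those under government suffixes. The short suffix table stands in for the full Public Suffix List and is an assumption; .go.th is the only government suffix the report itself names.

```python
"""Added example: bucket phishing URLs by their registrable suffix rather than
the rightmost label, so government second-level suffixes are counted on their own."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed, deliberately short suffix table (assumption). The real Public
# Suffix List has thousands of entries; only .go.th comes from the report.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "gov",
    "th", "co.th", "go.th",
    "uk", "co.uk", "gov.uk",
    "cn", "com.cn", "gov.cn",
}
GOVERNMENT_SUFFIXES = {"gov", "go.th", "gov.uk", "gov.cn"}

# Constructed lure URLs (not real phishing sites).
SAMPLE_URLS = [
    "http://login.example.com/secure/",
    "http://secure-example.com/auth",
    "http://www.ministry-portal.go.th/~user/bank/",
    "http://update.bank-example.co.uk/verify",
    "http://203.0.113.7/paypal/",
    "https://account.example.gov.uk:8443/login",
    "http://shop.example.com.cn/index.php",
]


def naive_tld(host):
    """What a rightmost-label count sees: 'th' for a .go.th host."""
    return host.lower().rstrip(".").rsplit(".", 1)[-1]


def public_suffix(host):
    """Longest suffix of the host present in PUBLIC_SUFFIXES; None for an IPv4
    literal or a host whose suffix is not in the table."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return None
    for i in range(len(labels)):          # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def classify(urls):
    """Return ({suffix: lure count}, [(host, suffix) for government-suffix lures])."""
    counts = Counter()
    government = []
    for url in urls:
        host = urlsplit(url).hostname or ""   # strips scheme, port, path, userinfo
        suffix = public_suffix(host)
        counts[suffix or "ip-literal/unknown"] += 1
        if suffix in GOVERNMENT_SUFFIXES:
            government.append((host, suffix))
    return dict(counts), government


if __name__ == "__main__":
    counts, government = classify(SAMPLE_URLS)
    for suffix, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{suffix:20s} {n}")
    print("government-suffix lures:", government)
```

Lures hosted on bare IP addresses fall into their own bucket rather than being dropped, which matters for the totals: a share "of all phishing sites" is only meaningful if the denominator includes hosts that have no TLD at all.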

Attackers may also embed these websites with malicious code designed to compromise the computers of any subsequent site visitors. The compromised computers could then be mined for any worthwhile data or used as a bot to send out spam and mount phishing campaigns. Social engineering exploits such as these are becoming ever more sophisticated and demonstrate the continued trend noted by Symantec toward focused attacks on end users. For example, in 2008, 95 percent of attacked vulnerabilities were identified as client-side vulnerabilities as opposed to server-side vulnerabilities.

Trends point to a maturing and self-sustaining market within the online underground economy, as fraud and identity theft continue to evolve. With this, targeted phishing attacks on government users will likely remain popular due to the wealth of information that government databases contain and the potential to convert this data to profit through fraud. The evaluation of the underground economy is a reliable indicator of the degree of compromise of information systems and networks throughout the world, and serves as a warning sign for government and critical infrastructure networks.

11 http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
12 See http://news.bbc.co.uk/1/hi/world/americas/7395295.stm and http://www.msnbc.msn.com/id/23678909/
13 All figures are provided in U.S. dollars.
14 In a domain name, the top level domain is the part that is furthest to the right. For example, the .com in symantec.com. There are two types of top level domains: generic and country specific. Examples of generic domains are .com, .net, and .org, while country-specific top level domains include .cn for China, and .uk for the United Kingdom, as well as others.


In 2008, Symantec observed heightened levels of malicious activity with specific increases in phishing, spam, bot networks, Trojans, and zero-day attacks. These threats, coupled with the increased sophistication and coordinated activities of attackers, may have further implications for government and critical infrastructure organizations, who should be particularly concerned with the ability of malicious code developers to target specific sites and websites.

Attackers will continue to rapidly adapt and engineer new techniques and strategies to circumvent security measures, and the identification, analysis, and trending of these techniques across the threat landscape are essential. It is becoming increasingly clear that security groups need to cooperate to develop effective countermeasures and intelligence to respond to the evolving threat landscape. The large increase in the number of new malicious code threats, coupled with the use of the Web as a distribution mechanism, also demonstrates the growing need for more responsive and cooperative security measures.


    Highlights

    Threat Activity Trends Highlights

During this reporting period, 23 percent of all malicious activity measured by Symantec in 2008 was located in the United States; this is a decrease from 26 percent in 2007.

The United States was the top country of attack origin in 2008, accounting for 25 percent of worldwide activity; this is a decrease from 29 percent in 2007.

Telecommunications was the top critical infrastructure sector for malicious activity in 2008, accounting for 97 percent of the total; this is a slight increase from 96 percent in 2007, when it also ranked first.

In 2008, Symantec documented six public SCADA vulnerabilities. This was a decrease from 2007, when there were 15 documented SCADA vulnerabilities.

The education sector accounted for 27 percent of data breaches that could lead to identity theft during this period, more than any other sector and a slight increase from 26 percent in 2007.

The financial sector was the top sector for identities exposed in 2008, accounting for 29 percent of the total and an increase from 10 percent in 2007.

In 2008, the theft or loss of a computer or other data-storage devices accounted for 48 percent of data breaches that could lead to identity theft and for 66 percent of the identities exposed.

Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.

China had the most bot-infected computers in 2008, accounting for 13 percent of the worldwide total; this is a decrease from 19 percent in 2007.

Buenos Aires was the city with the most bot-infected computers in 2008, accounting for 4 percent of the worldwide total.

In 2008, Symantec identified 15,197 distinct new bot command-and-control servers; of these, 43 percent operated through IRC channels and 57 percent used HTTP.

The United States was the location for the most bot command-and-control servers in 2008, with 33 percent of the total, more than any other country.

The top Web-based attack in 2008 was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness vulnerability, which accounted for 30 percent of the total.

The United States was the top country of origin for Web-based attacks in 2008, accounting for 38 percent of the worldwide total.

The United States was the country most frequently targeted by denial-of-service attacks in 2008, accounting for 51 percent of the worldwide total.

The top country of origin for attacks targeting the government sector was China, which accounted for 22 percent of the total. This was an increase from 8 percent in 2007.

The most common type of attack this period targeting government and critical infrastructure organizations was denial-of-service attacks, accounting for 49 percent of the top 10 in 2008.


    Malicious Code Trends Highlights

In 2008, the number of new malicious code signatures increased by 265 percent over 2007; over 60 percent of all currently detected malicious code threats were detected in 2008.

Of the top 10 new malicious code families detected in 2008, three were Trojans, three were Trojans with a back door component, two were worms, one was a worm with a back door component, and one was a worm with back door and virus components.

Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.

Five of the top 10 staged downloaders in 2008 were Trojans, two were Trojans that incorporated a back door component, one was a worm, one was a worm that incorporated a back door, and one was a worm that incorporated a virus component.

In 2008, the proportional increase of potential malicious code infections was greatest in the Europe, the Middle East and Africa region.

The percentage of threats to confidential information that incorporate remote access capabilities declined to 83 percent in 2008; this is a decrease from 91 percent in 2007, although such threats remained the most prevalent exposure type.

In 2008, 78 percent of threats to confidential information exported user data and 76 percent had a keystroke-logging component; these are increases from 74 percent and 72 percent, respectively, in 2007.

Propagation through executable file sharing continued to increase in 2008, accounting for 66 percent of malicious code that propagates, up from 44 percent in 2007.

One percent of the volume of the top 50 malicious code samples modified Web pages in 2008, down from 2 percent in 2007.

The percentage of documented malicious code samples that exploit vulnerabilities declined substantially, from 13 percent in 2007 to 3 percent in 2008.

In 2008, eight of the top 10 downloaded components were Trojans, one was a Trojan with a back door component, and one was a back door.

Malicious code that targets online games accounted for 10 percent of the volume of the top 50 potential malicious code infections, up from 7 percent in 2007.


    Phishing, Underground Economy Servers, and Spam Trends Highlights

The majority of brands used in phishing attacks in 2008 were in the financial services sector, accounting for 79 percent, down slightly from 83 percent identified in 2007.

The financial services sector accounted for the highest volume of phishing lures during this period, with 76 percent of the total; this is considerably higher than 2007, when the volume for financial services was 52 percent.

In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007, when Symantec detected 33,428 phishing hosts.

In 2008, 43 percent of all phishing websites identified by Symantec were located in the United States; this is considerably less than 2007, when 69 percent of such sites were based there.

The most common top-level domain used in phishing lures detected in 2008 was .com, accounting for 39 percent of the total; it was also the highest ranking top-level domain in 2007, when it accounted for 46 percent of the total.

The top government top-level domain that was detected as being used by phishing lures in 2008 was .go.th, the TLD for websites associated with the government of Thailand.

One particular automated phishing toolkit identified by Symantec was responsible for an average of 14 percent of all phishing attacks during 2008.

Credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 32 percent of all goods and services; this is an increase from 2007, when credit card information accounted for 21 percent of the total.

The United States was the top country for credit cards advertised on underground economy servers, accounting for 67 percent of the total; this is a decrease from 2007, when it accounted for 83 percent of the total.

The most common type of spam detected in 2008 was related to Internet- or computer-related goods and services, which made up 24 percent of all detected spam; in 2007, this was the second most common type of spam, accounting for 19 percent of the total.

Symantec observed a 192 percent increase in spam detected across the Internet, from 119.6 billion messages in 2007 to 349.6 billion in 2008.

In 2008, 25 percent of all spam recorded by Symantec originated in the United States, a substantial decrease from 45 percent in 2007, when the United States was also the top ranked country of origin.

In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.


In 2008, the United States was the top country for overall malicious activity, making up 23 percent of the total (table 1). This is a decrease from 2007, when the United States was also first, with 26 percent. Within specific category measurements, the United States ranked first in malicious code, phishing website hosts, and attack origin.

2008  2007                  2008     2007     Malicious  Spam     Phishing   Bot   Attack
Rank  Rank  Country         Overall  Overall  Code       Zombies  Websites   Rank  Origin
                            Pct.     Pct.     Rank       Rank     Host Rank        Rank
1     1     United States   23%      26%      1          3        1          2     1
2     2     China           9%       11%      2          4        6          1     2
3     3     Germany         6%       7%       12         2        2          4     4
4     4     United Kingdom  5%       4%       4          10       5          9     3
5     8     Brazil          4%       3%       16         1        16         5     9
6     6     Spain           4%       3%       10         8        13         3     6
7     7     Italy           3%       3%       11         6        14         6     8
8     5     France          3%       4%       8          14       9          10    5
9     15    Turkey          3%       2%       15         5        24         8     12
10    12    Poland          3%       2%       23         9        8          7     17

Table 1. Malicious activity by country

Source: Symantec Corporation

The slight decrease in overall malicious activity for the United States can be attributed to the drop in spam zombies there. This is likely due to the shutdown of two U.S.-based Web hosting companies that were allegedly hosting a large number of bot C&C servers associated with spam distribution bot networks (botnets).16 Spam activity decreased worldwide after both shutdowns. In one case, Symantec observed a 65 percent decrease in spam traffic in the 24 hours that followed.17 Both companies allegedly hosted a large number of bot C&C servers for several large spam botnets: Srizbi,18 Rustock,19 and Ozdok (Mega-D).20 Spam zombies that lack a central command system are unable to send out spam.

China had the second highest amount of overall worldwide malicious activity in 2008, accounting for 9 percent; this is a decrease from 11 percent in the previous reporting period. Along with the fact that China has the most broadband subscribers in the world, the amount of time spent online by users there could contribute to the high percentage of malicious activity in China. The longer a user is online, the longer the computer is exposed to malicious attack or compromise, and Internet users in China spend more of their leisure time online than users in any other country.21 Online leisure activities are also typically more likely to include activities on sites that may be vulnerable to attacks. This includes social networking websites, online gaming sites, forums, blogs, and online shopping sites. Dynamic sites, such as forums, for example, are targets for attackers using bot-infected computers to propagate and host malicious content, since Web application and site-specific vulnerabilities can put these types of sites at risk.

16 http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html
17 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
18 http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
19 http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
20 http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99
21 http://www.tnsglobal.com/_assets/files/TNS_Market_Research_Digital_World_Digital_Life.pdf


The slight drop in China's percentage of malicious activity in 2008 was mainly due to the drop in phishing website hosts and bot-infected computers. China dropped from third for phishing website hosts in 2007 to sixth in 2008, with just under 3 percent of the global total; and, although China maintained its top ranking for bot-infected computers, its global share in this regard decreased from 19 percent in 2007 to 13 percent in 2008.

One possible cause for the decreases may be national initiatives to block websites potentially most susceptible to fraud in an effort to increase online security for users ahead of the 2008 Beijing Olympic Games. Thousands of websites were either shut down or blacklisted as part of this effort, including a substantial number of message forums,22 which, as noted previously, are popular targets of attack for Web application and site-specific vulnerabilities. Thus, a reduction in the number of bot-infected computers should result in a corresponding drop in other attack activity categories, such as spam zombies, because these are often associated with bot-infected computers. China dropped from third in spam zombies in 2007, with 7 percent of the worldwide total, to fourth and 6 percent in 2008.

Another factor that may have contributed to the lower percentage of bot-infected computers in China in 2008 was that many unlicensed Internet cafés there were also shut down and supervision was tightened on the remaining cafés to help address online security risks associated with the casual use of public computers.23 Public computers tend to be more susceptible to attacks because of the significant amount of varied traffic on such computer terminals. Public computers are frequently used by a great variety of people for many different activities such as email, online shopping, and gaming. The variety of usage and the likelihood that many users are less aware of or concerned with security makes such computers attractive to attackers.

In 2008, Germany again ranked third with 6 percent of all Internet-wide malicious activity, down slightly from 7 percent in 2007. In both years, Germany ranked highly in spam zombies and hosting phishing websites, activities that are often associated with bot networks. In 2008, Germany ranked fourth for bot C&C servers, with 5 percent of the total. This high number of bot C&C servers likely indicates that bots are prominent in Germany, which would contribute to the high amount of overall malicious activity originating there. Also, spam zombies are often focused in regions with high broadband penetration and bandwidth capacity because these conditions facilitate sending out large amounts of spam quickly.

It is reasonable to expect that the United States, China and Germany will continue to outrank other countries in this measurement, as they have done for the past several reports. Beyond these three, however, countries such as Brazil, Turkey, Poland, India, and Russia are expected to continue to increase their share of overall malicious activity because they all have rapidly growing Internet infrastructures and growing broadband populations.24 Countries that have a relatively new and growing Internet infrastructure tend to experience increasing levels of malicious activity until security protocols and measures are improved to counter these activities.

22 See http://www.vnunet.com/vnunet/news/2207878/china-cracks-web-porn and http://english.gov.cn/2008-03/29/content_931872.htm
23 http://www.theglobeandmail.com/servlet/story/RTGAM.20080212.wgchina0212/BNStory/Technology/home
24 http://www.point-topic.com


    Malicious activity by critical infrastructure sectors

This metric will evaluate the amount of malicious activity originating from computers and networks that are known to belong to government and critical infrastructure sectors. To measure this, Symantec cross-references the IP addresses of known malicious computers with Standard Industrial Classification (SIC) codes25 that are assigned to each industry and provided by a third-party service.26 Symantec has compiled data on numerous malicious activities that were detected originating from the IP address space of these organizations. These activities include bot-infected computers, hosting phishing websites, spam zombies, and attack origins.
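An added example, not Symantec's own tooling, of the cross-referencing the paragraph describes: each observation of malicious activity is attributed to a sector by matching its IP address against a netblock-to-SIC-code table, and the attributed observations are then tallied per sector. The netblocks, SIC codes and observations below are constructed for the example (the ranges are RFC 5737 documentation prefixes); a real attribution would come from a commercial IP-to-organization feed, which is the third-party service the text refers to.

```python
"""Added example: attribute malicious-activity observations to an industry
sector by matching the source IP against a netblock -> SIC code table."""
import ipaddress
from collections import Counter, defaultdict

# Constructed lookup table (assumption): (CIDR, SIC code, sector label). The
# SIC assignments are made up for this example; a real feed comes from a
# commercial IP-to-organization service.
SIC_TABLE = [
    ("198.51.100.0/24",  "4813", "Telecommunications"),
    ("203.0.113.0/25",   "9199", "Government"),
    ("203.0.113.128/25", "3572", "Manufacturing"),
    ("192.0.2.0/26",     "6021", "Financial services"),
]

# Constructed observations (assumption): (source IP, activity type), using the
# four activity types the text lists.
OBSERVATIONS = [
    ("198.51.100.7", "bot"),
    ("198.51.100.8", "spam_zombie"),
    ("198.51.100.9", "bot"),
    ("198.51.100.10", "attack_origin"),
    ("198.51.100.11", "phishing_host"),
    ("203.0.113.5", "bot"),
    ("203.0.113.200", "spam_zombie"),
    ("192.0.2.3", "phishing_host"),
    ("192.0.2.200", "bot"),   # outside every known netblock: stays unattributed
]


def build_index(table):
    """Parse the table once and order it most-specific first, so that when
    netblocks nest the longest prefix wins."""
    parsed = [(ipaddress.ip_network(cidr), sic, sector) for cidr, sic, sector in table]
    return sorted(parsed, key=lambda entry: entry[0].prefixlen, reverse=True)


def sector_for(ip, index):
    """Return (SIC code, sector) for an IP, or None if no netblock contains it."""
    addr = ipaddress.ip_address(ip)
    for net, sic, sector in index:
        if addr in net:
            return sic, sector
    return None


def sector_shares(observations, table):
    """Return (percent of attributed activity per sector,
               per-sector breakdown by activity type,
               number of observations that could not be attributed)."""
    index = build_index(table)
    per_sector = defaultdict(Counter)
    unattributed = 0
    for ip, activity in observations:
        hit = sector_for(ip, index)
        if hit is None:
            unattributed += 1
            continue
        per_sector[hit[1]][activity] += 1
    total = sum(sum(counts.values()) for counts in per_sector.values())
    if total == 0:
        return {}, {}, unattributed
    shares = {sector: round(100.0 * sum(counts.values()) / total, 1)
              for sector, counts in per_sector.items()}
    breakdown = {sector: dict(counts) for sector, counts in per_sector.items()}
    return shares, breakdown, unattributed


if __name__ == "__main__":
    shares, breakdown, skipped = sector_shares(OBSERVATIONS, SIC_TABLE)
    for sector, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{sector:20s} {pct:5.1f}%  {breakdown[sector]}")
    print("unattributed:", skipped)
```

The unattributed count is worth reporting alongside the shares: the percentages are shares of attributed activity only, so gaps in the lookup table shift them, and a sector that owns a large part of the address space (as ISPs and hosting providers do) will dominate any per-address count regardless of how well it is defended.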

This metric indicates the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. These attacks could potentially expose sensitive and confidential information, which could have serious ramifications for government and critical infrastructure organizations. Such information could be used for strategic purposes in the case of state- or group-sponsored attacks, especially since attackers who use compromised computers for malicious activity can mask their actual location.

In 2008, 97 percent of all malicious activity originating from critical infrastructure sectors originated from telecommunications organizations (table 2). This was an increase from 2007, when telecommunications accounted for 96 percent of the total. For each of the malicious activities in this metric, telecommunications ranked first by a significant margin.

2008 Rank   2007 Rank   Sector                   2008 Percentage
1           1           Telecommunications       97%
2           2           Manufacturing            1%
3           3           Financial services
4           4           Health care
5           5           Transportation
6           6           Utilities/energy
7           7           Military
8           8           Agriculture
9           9           Biotech/pharmaceutical
10          10          Law enforcement

Table 2. Malicious activity by critical infrastructure sector

Source: Symantec


Attackers may be targeting the telecommunications sector for a number of reasons. Organizations in this sector include ISPs and Web-hosting companies and they often have a large number of computers that are directly connected to the Internet. These publicly accessible computers may present more opportunities for attackers to compromise because they do not have to break into a network to gain access to them. Organizations in this sector have a challenging task to manage these large numbers of Internet-facing computers and, hence, computers in telecommunications organizations likely present attractive targets for attackers. As such, this likely contributes to the high amount of malicious activity originating from this sector. Also, Symantec observed that 84 percent of attacks against the telecommunications sector were shellcode exploits,27 which may indicate that attackers are attempting to take control of computers in this sector and use them to conduct malicious activity.

Attackers may view telecommunications organizations as excellent platforms for launching subsequent attacks because organizations within this sector are likely to have extensive broadband infrastructures with high-bandwidth and high-traffic networks. This would enable an attacker to carry out large attacks, such as DoS attacks to disrupt services, which deny access to organizations/individuals that subscribe to their services, or other malicious activity, such as relaying spam. This is illustrated by the high percentage of spam zombies and bot-infected computers found in the telecommunications sector. High-bandwidth capacity networks may also allow an attacker to hide attack and bot traffic more effectively, especially for HTTP-based bot C&C servers, where HTTP bot traffic is virtually indistinguishable from regular traffic, making it difficult to filter.

Since organizations in the telecommunications sector likely have numerous servers, once an attacker gains access to the organization, he or she can potentially infect all websites that are hosted on those servers with malicious code for Web-based attacks, or compromise them for phishing attacks or malicious code delivery sites. In a recent example, attackers were able to gain access to a bill payment service website through the Internet domain registrar and reroute all traffic to malicious sites hosted on servers in Ukraine.28

Government and critical infrastructure organizations rely on the availability of public communication networks and the telecommunication sector for day-to-day operations. Since telecommunications organizations typically control the flow of data through networks, attackers may compromise strategically located computers inside such organizations. Computers within telecommunications organizations may effectively serve as platforms from which attacks can be launched against organizations served by telecommunications firms because they provide communications for other sectors as well, including government. As such, attackers who are seeking confidential or sensitive information may specifically target this sector. Successful compromise of computers in the telecommunications sector could allow an attacker to eavesdrop on or disrupt key communications in other sectors.

The manufacturing sector was the origin of the second highest amount of malicious activity during 2008, accounting for 1 percent of the total. This was a decrease from 2007, when it accounted for 2 percent of the total. Organizations in the manufacturing sector invest large amounts of time and money into research and development of new methods and products. As stated in the SCADA vulnerabilities discussion below, malicious activity in the manufacturing sector can be a national security concern due to the repercussions of disruptions to critical infrastructure. In this highly competitive sector, many organizations use websites as a tool to market and sell their products online. Attackers likely prey upon the trust that users

27 Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability.
28 h://www.csool.co/acl/474365/ChckF_Was_mllo_Cusos_Af_Hack


have for these brands, as the manufacturing sector ranked high for phishing website hosts. Once an attacker compromises a manufacturer's website, visitors thinking they are browsing on a legitimate site may become victims of malicious activity such as downloaded Trojans or keystroke loggers.

    Top countries of origin for government-targeted attacks

Attacks targeting governments can be motivated by a number of factors. Profit is often a motive because governments store considerable amounts of personal identification data that could be used for fraudulent purposes, such as identity theft. Personal data can include names, addresses, government-issued identification numbers, and bank account credentials, all of which can be effectively exploited for fraud by attackers. Government databases also store information that could attract politically motivated attackers, including critical infrastructure information and other sensitive intelligence. As a recent study discussed, attacks on government computer networks in the United States that resulted in compromises or stolen information increased by 40 percent from 2007 to 2008.29

In 2008, China was the top country of origin for attacks that targeted the government sector, with 22 percent of the total (table 3), an increase from 8 percent in 2007 when it ranked fourth. For Internet-wide attacks in 2008, 13 percent of that total originated in China.

A number of media reports allege that attacks on government computer networks in countries such as the United States, India and Belgium had originated in China.30 Nevertheless, it should be noted that attackers often attempt to obscure their tracks by redirecting attacks through one or more servers that may be located anywhere in the world; this means that the attacker may be located elsewhere than the country from which the attacks appear to originate.

2008 Rank   2007 Rank   Country          2008 Percentage   2007 Percentage
1           4           China            22%               8%
2           1           United States    12%               20%
3           2           Spain            6%                10%
4           3           France           5%                9%
5           8           United Kingdom   5%                4%
6           6           Italy            4%                7%
7           5           Germany          4%                8%
8           10          Brazil           3%                2%
9           19          Turkey           3%                1%
10          18          Russia           2%                1%

Table 3. Top countries of origin for government-targeted attacks

Source: Symantec

29 h://www.usaoda.co/ws/washgo/2009-02-16-cb-aacks_n.h
30 h://www.f.co/cs/s/0/2931c542-ac35-11dd-bf71-000077b07658.hl, h://sofda.das.co/ida/Cb_aacks_b_Cha_o_ida_ss/aclshow/3010288.cs, and h://www.dofol.co.uk/coo/chs-soag-al--blgu5458.hl


The United States ranked second in 2008 for attacks targeting government, with 12 percent of the total, a decrease from 20 percent in 2007. This drop is likely due to the shutdown of two ISPs in September and November 2008, which resulted in a dramatic drop in bot activity worldwide. Because bot-infected computers are used for large-scale attacks, such as DoS attacks, a significant drop in their numbers would result in a corresponding decrease in the number of malicious attacks detected.

The percentage of government-targeted attacks launched from the United States was less than half of its percentage for Internet-wide attacks, which accounted for 25 percent of that total in 2008. This indicates that the attacks originating from the United States were not specifically targeting government organizations, but were instead part of more general, widespread attacks.

Spain ranked third in this metric and accounted for 6 percent of attacks targeting government organizations in 2008, down from 10 percent in 2007. The 6 percent is twice the 3 percent of Internet-wide attacks that originated there, indicating that attackers originating in Spain may have been specifically targeting government organizations.

One reason for Spain's ranking here is due to the activities of a group of hackers located there. The group was arrested for compromising and defacing governmental websites in the United States, Asia, Latin America, and Spain.31 Investigations show that the group was responsible for having disabled 21,000 Web pages over a two-year period.32

Attacks by type: notable critical infrastructure sectors

This section of the Symantec Government Internet Security Threat Report will focus on the types of attacks detected by sensors deployed in notable critical infrastructure sectors. The ability to identify attacks by type assists security administrators in evaluating which assets may be targeted. In doing so, this may assist security administrators in securing those assets receiving a disproportionate number of attacks. The following sectors will be discussed in detail:

Government and critical infrastructure organizations

Government

Biotech/pharmaceutical

Health care

Financial services

Transportation

31 h://www.usaoda.co/ch/ws/couscu/hackg/2008-05-17-hacks-sa_n.h
32 h://www.abc..au/ws/sos/2008/05/18/2248032.h


    Government and critical infrastructure organizations

Government and critical infrastructure organizations are the target of a wide variety of attack types. The most common attack type by all sensors in the government and critical infrastructure sectors in 2008 was DoS attacks, which accounted for 49 percent of the top 10 attacks (figure 1). SMTP attacks were the second most common, accounting for 44 percent of the top 10 attacks.

Figure 1. Top attack types, government and critical infrastructure33 (DoS 49%, SMTP (email) 44%, Web (server) 6%)

Source: Symantec

DoS attacks are a threat to government and critical infrastructures because the purpose of such attacks is to disrupt the availability of high-profile websites or other network services, and make them inaccessible to users and employees. This could result in the disruption of internal and external communications, making it practically impossible for employees and users to access potentially critical information. Because these attacks often receive greater exposure than those that take a single user offline, especially for high-profile government websites, they could also result in damage to the organization's reputation. A successful DoS attack on a government network could also severely undermine confidence in government competence, and in the defenses and protection of government networks.

DoS attacks can often be associated with political protests, since they are intended to render a site inaccessible in the same way that a physical protest aims to block access to a service or location. They can also be associated with conflict whereby one country may attempt to block Web traffic or take websites offline. As such, the high percentage of DoS attacks may be an attempt to express disagreement with targeted organizations or countries.

33 Due to rounding, percentages may not add up to 100 percent.


SMTP, or simple mail transfer protocol, is designed to facilitate the delivery of email messages across the Internet. Email servers using SMTP as a service are likely targeted by attackers because external access is required to deliver email. While most services can be blocked by a firewall to protect against external attacks and allow access only to trusted users and systems, for email to function effectively for organizations, it has to be available both internally and externally to other email servers. The necessity of allowing both internal and external access increases the probability that a successful attack will improve the attacker's chances of gaining access to the network.

In addition to illegally accessing networks, attackers who compromise email servers may also be attempting to use the email servers to send spam or harvest email addresses for targeted phishing attacks. Because spam can often consume high quantities of unauthorized network bandwidth, these attempts can disrupt or overwhelm email services, which could result in DoS conditions. Successful SMTP attacks against government and critical infrastructure organizations could also allow attackers to spoof official government communications and obtain credentials in order to launch further attacks. These organizations heavily rely on email as a communication method and, as such, it is essential that email traffic be secured. Symantec recommends that administrators use secure email protocols, deploy anti-spam and antifraud solutions, and ensure that operating and email solutions are fully patched against all known vulnerabilities.

Top attacks by types, by sectors

DoS attacks were the most common type of attack observed by sensors deployed in the government, biotech/pharmaceutical, financial services, and transportation sectors in 2008 (figure 2). These attacks made up 48 percent of the top 10 attacks observed by government sensors, 54 percent in the biotech/pharmaceutical sector, 48 percent in the financial services sector, and 74 percent of the transportation sector. As discussed above, it is likely these attacks were conducted to disrupt services in these sectors as a form of either protest or retaliation. Also, by denying access to these websites, these attacks could result in a significant loss of revenue for organizations in these sectors.

DoS attacks were by far the most common attack observed in the transportation sector. Since DoS attacks accounted for 49 percent of the attacks on government and critical infrastructure, this difference may indicate that attackers deploying these attacks are specifically targeting the transportation sector. Attackers may be using this type of attack to disrupt services and communications within the transportation sector. Large-scale attacks of this nature may leave organizations unable to coordinate communications or relief efforts in the event of an emergency, or the ability to move supplies and goods for a military during a war or crisis. Also, because delays in the transportation sector often have a domino effect, in which delays on one carrier will cause delays in another due to scheduling, attacks on a relatively small part of this sector could have a significant effect in these situations.


Figure 2. Top attack types by sector: Government, Biotech/pharmaceutical, Financial services, Transportation (attack types plotted: DNS, Web (server), DoS, SMTP (email), Shellcode/exploit, Web (browser); DoS share stated in the text: 48% government, 54% biotech/pharmaceutical, 48% financial services, 74% transportation)


SCADA vulnerabilities

This discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research as it affects SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and/or enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure, there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into any private research because the results of such research are not publicly disclosed.

In 2008, Symantec documented six public SCADA vulnerabilities. This is fewer than the 15 public SCADA vulnerabilities documented by Symantec in 2007. There were more publicly reported SCADA vulnerabilities in 2007 due to multiple similar vulnerabilities affecting a single implementation that were reported in a single announcement.35 Therefore, the difference between 2007 and 2008 does not appear to be a significant trend.

The number of public SCADA vulnerabilities is relatively small and represents the research efforts of a small community of specialized researchers. Security research in the field of SCADA often requires specialized knowledge and resources. Due to the role in critical infrastructure and the severity of potential vulnerabilities, SCADA security is often a private affair between industries that use SCADA protocols and technologies, the vendors themselves, and other stakeholders such as computer emergency response teams (CERTs) and government agencies. The close-knit nature of the SCADA industry means that vulnerability announcements are not necessarily made public. Information about vulnerabilities or general bugs is more likely to be exchanged privately between vendors, their customers, and other interested parties. These factors limit the number of publicly disclosed SCADA vulnerabilities. The number of public vulnerabilities is not likely to increase until more security researchers become involved in this area of interest or until vendors change their policies about public vulnerability disclosure.

Information about SCADA-related incidents, whether accidental or malicious, has been tracked by organizations such as the British Columbia Institute of Technology (BCIT), which maintained, for a number of years, a non-public database of SCADA incidents called the Industrial Security Incident Database (ISID). Efforts such as the ISID have been able to provide credible empirical data that can be used to gauge the amount and severity of attack activity affecting SCADA environments. A Symantec-sponsored report assessing data in ISID was published in 2007.36 In June of 2006, the database had tracked 105 legitimate incidents, with the earliest dating back to 1982. However, more recent data is not available because the ISID was not maintained after this report.37

In February of 2008, the SCADASEC-L mailing list was created to foster public discussion of SCADA security issues.38 However, unlike other mainstream security mailing lists, SCADASEC-L discourages discussion of technical details surrounding vulnerabilities. The notion of the full disclosure of security vulnerabilities is unpopular in SCADA security circles due to the elevated risk to critical infrastructure that is posed by vulnerabilities in SCADA technologies. This means that those affected by vulnerabilities are largely dependent on vendors reporting security issues as well as efforts by CERT organizations to disseminate

35 h://www.scufocus.co/bd/23059
36 h://h.dusal-wokg.co/acls/acldsla.as?d=1823
37 h://www.auoaowold.co/ws-4144
38 h://www.faccal.co/usag-scadasc.hl


information about vulnerabilities. In September of 2008, a security researcher publicly released exploit code for a vulnerability in CitectSCADA because the researcher believed that the vendor report did not adequately emphasize the risk of the vulnerability.39

Governments have also expressed concerns toward the private sector regarding its ability to manage and prevent vulnerabilities that may affect critical infrastructure. In May of 2008, a government representative for the U.S. House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology criticized the North American Electric Reliability Corporation (NERC) for its handling of potential threats to the electrical grid.40

In December of 2006, Tenable Security announced the release of SCADA plug-ins for the Nessus vulnerability assessment tool.41 This demonstrated converging interests between the SCADA community and the mainstream security community. From this point on, security researchers began to discover vulnerabilities in SCADA-related technologies. It has since been realized that SCADA technologies are affected by many of the same types of vulnerabilities that affect desktop and enterprise software.

For example, some functions are implemented as ActiveX controls and are therefore prone to similar vulnerabilities that have been identified in other ActiveX controls in general. Many of the vulnerabilities documented in 2007 and 2008 affect ActiveX controls that implement functionality such as OPC servers. This will allow a Microsoft Windows-based computer to communicate with other applications and devices in a SCADA environment. Software such as this is more accessible to security researchers than other SCADA-related applications and hardware. Therefore, security researchers are able to discover vulnerabilities in these applications without requiring access to a complete SCADA environment.

Additionally, network-accessible devices may use either common or specialized networking protocols that are prone to attacks such as DoS attacks. Malformed network traffic may affect these devices in a manner similar to other network-accessible services within the enterprise. While security researchers have reported vulnerabilities specific to SCADA technologies, there is also a potential threat from vulnerabilities in components connected to SCADA systems. This can include operating systems hosting SCADA technologies or other components such as database software. Additionally, many SCADA environments employ legacy technologies that are not equipped with mechanisms for authentication or measures to ensure the availability, integrity, and confidentiality of data. These systems may be particularly at risk, especially if they are not fault tolerant or designed to handle exceptional conditions such as malformed input.

To limit exposure to attacks, networks running SCADA protocols and devices should be isolated from other networks. These assets should not be connected to the Internet and incoming/outgoing traffic should be limited to only those protocols that are required. A defense-in-depth strategy should be deployed so that security risks elsewhere in the organization cannot affect the control network. Additional layers of defense should be deployed to protect key assets. Securing a SCADA environment may present different challenges than those faced with securing an enterprise. In many cases it may not be possible to create a test environment for auditing purposes. Furthermore, any disruption of services may be costly or damaging. Therefore, both passive asset discovery as well as vulnerability scanning technologies are best applied in a way that limits the potential for side effects. Antivirus and patch management measures should be undertaken with care and organizations should consult security and control systems vendors for support in applying these solutions in a manner that minimizes risk and downtime.

39 h://www.hgs.co.uk/2008/09/08/scada_xlo_lasd/
40 h://www.cwold.co/busssc/acl/146153/lawaks_s_cb_has_o_lccal_gd.hl
41 h://blog.ablscu.co/2006/12/ssus_3_scada_.hl
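The isolation and protocol-restriction advice above can be checked mechanically against flow records (for example, NetFlow or firewall logs). The following Python script is an added example and is not code from the report or from Symantec. The zone address ranges, the allow-list of required protocols (tcp/502 and udp/514 are placeholder stand-ins, the Modbus/TCP and syslog ports, for whatever a site has determined it actually needs) and the flow records are all constructed assumptions. It flags any control-network flow that reaches the Internet, and any cross-zone flow that uses a protocol not on the required list:

```python
"""Audit observed network flows against a SCADA network-isolation policy.

Added example, not from the Symantec report. Zones, CIDRs, the
allow-list and the sample flows below are constructed assumptions.
"""
import ipaddress

# Constructed zone map. Any address outside these ranges is treated as Internet.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),    # SCADA / control network
    "corporate": ipaddress.ip_network("10.20.0.0/16"),  # business LAN
}

# Constructed allow-list of the only protocols permitted across the
# control-network boundary, keyed by (source zone, destination zone).
# Port numbers are placeholders: 502 stands in for a polled control
# protocol (Modbus/TCP), 514 for syslog leaving the control network.
ALLOWED = {
    ("corporate", "control"): {("tcp", 502)},
    ("control", "corporate"): {("udp", 514)},
}

# Constructed sample flow records: "<src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
10.20.5.4     10.10.1.20     tcp 502
10.10.1.20    10.20.9.9      udp 514
10.20.5.4     10.10.1.20     tcp 3389
10.10.1.30    203.0.113.10   tcp 80
198.51.100.7  10.10.1.20     tcp 502
10.10.1.20    10.10.1.21     tcp 502
10.20.5.4     203.0.113.10   tcp 443
"""


def zone_of(ip):
    """Map an address to its zone name; unknown ranges are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(src_ip, dst_ip, proto, dst_port):
    """Return None if the flow complies with the policy, else the reason it does not."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return None  # intra-zone traffic is outside the scope of this check
    if "control" in (src, dst) and "internet" in (src, dst):
        return "control network must not exchange traffic with the Internet"
    allowed = ALLOWED.get((src, dst))
    if allowed is None:
        return None  # corporate <-> Internet is governed by other controls
    if (proto, dst_port) not in allowed:
        return f"{proto}/{dst_port} is not a required protocol between {src} and {dst}"
    return None


def audit_flows(text):
    """Return a list of (flow_line, reason) for every flow that violates the policy."""
    violations = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, dst_ip, proto, port = line.split()
        reason = check_flow(src_ip, dst_ip, proto.lower(), int(port))
        if reason:
            violations.append((line, reason))
    return violations


if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.split()} : {reason}")
```

Run against the constructed records, the script reports three violations: a remote-desktop connection from the business LAN into the control zone, a control host talking to an Internet address, and an Internet address polling a control host. Intra-zone traffic and business-LAN Internet traffic are deliberately left to other controls, so that this check stays a narrow statement of the isolation rule rather than a general firewall policy.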


    Data breaches that could lead to identity theft

Identity theft continues to be a high-profile security issue, particularly for organizations that store and manage large amounts of personal information. Based on the most recent information available for 2007, roughly 8.4 million U.S. residents were victims of identity theft, which represents approximately 3 percent of the adult population.42 Not only can compromises that result in the loss of personal data undermine customer and institutional confidence, result in costly damage to an organization's reputation, and be costly for individuals to recover from the resulting identity theft, they can also be financially costly to organizations. In 2008, the average cost per incident of a data breach in the United States was $6.7 million,43 an increase of 5 percent from 2007, and lost business amounted to an average of $4.6 million.44 Also, organizations can be held liable for breaches and losses, which may result in fines or litigation.45

By the end of 2008, 44 states in the United States (along with the District of Columbia, Puerto Rico, and the Virgin Islands) had enacted legislation requiring notification of breaches involving personal information. The legislation regulates the responsibilities of organizations conducting business within the particular state after a data breach has occurred.46 The laws require anyone who conducts business in the state to notify owners of the information exposed immediately after a security breach, with failure to do so resulting in possible civil action and fines.

Governments in other countries have also taken steps to tackle the issue of identity fraud, including Canada, Australia and New Zealand, which issued guidelines for dealing with privacy breach notification in 2007-2008.47 Unlike legislation, guidelines may not have penalties associated with them, but they are a step toward creating accountability for data breaches that occur. Meanwhile, Australia is considering the recommendations by the Australian Law Reform Commission, in its review of the Privacy Act, to make data breach notification mandatory.48

In the United Kingdom, only government organizations are currently required to report all data breaches to the Information Commissioner's Office (ICO) as part of the Data Protection Act, and there are no plans to implement breach notification laws.49 Following the examples in the United States, recommendations have been made to the European Union by the European Network and Information Security Agency and the European Data Protection Supervisor to establish data breach notification laws.50 Currently, the European Parliament states that organizations should report the breach but are not required to do so by law.51 However, discussions are at present underway in Brussels, as part of the review of the European Telecommunications Regulation Framework, on the possible introduction of a data breach notification law into the Privacy and Electronic Communications Directive for the European telecommunications sector.

42 h://www.vacghs.og/a/dhfsuvs.h#Jav2007
43 All figures are in U.S. dollars unless otherwise noted.
44 h://www.coos.co/dowload/poo_COB_2008_US_090201.df
45 h://www.fsa.gov.uk/ags/Lba/Coucao/pr/2007/021.shl
46 h://www.csl.og/ogas/ls/c/v/bachlaws.h
47 h://www.vco.gc.ca/foao/gud/2007/gl_070801_01_.as, h://www.vac.gov.au/ublcaos/bach_gud.hl, and h://www.vac.og.z/h-vac-ac-ad-cods/
48 h://www.dc.gov.au/vac/alc.cf and h://www.alc.gov.au/da/2008/11108.hl
49 h://www.jusc.gov.uk/docs/sos-daa-shag-vw.df, Recommendation 11
50 h://www.sa.uoa.u/doc/df/dlvabls/sa_vac_wg_o.df and h://www.ds.uoa.u/eDpSWeB/wbdav/s/S/shad/Docus/Cosulao/Oos/2008/08-04-10_-vac_en.df
51 h://www.uoal.uoa.u/sds/gDoc.do?ubrf=-//ep//teXt+tA+p6-tA-2008-0452+0+DOC+XmL+V0//en&laguag=en


There are other notable initiatives that exist in the United States for the safeguarding of personal information. They include the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, which requires all financial institutions and creditors to develop identity theft prevention programs,52 and the Payment Card Industry Data Security Standards (PCI DSS), which lists a set of requirements for enhancing payment account data security such as network requirements, coassso requirements, security assessments to remediate security vulnerabilities, and maintaining security policies.53 The updated version will include incorporating best practices and improving reporting requirements.54 The added consideration of punitive costs may influence organizations to develop more robust security strategies, which may help reduce the number of breaches overall.

Data breaches that could lead to identity theft by sector

Using publicly available data, Symantec has determined the sectors that were most often affected by these breaches, as well as the most common causes of data loss.55 This discussion will also explore the severity of the breach by measuring the total number of identities exposed to attackers, using the same publicly available data. An identity is considered to be exposed if personal or financial data related to the identities was made available through the data breach.56

It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports.57 Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.

In 2008, the education sector reported the highest number of known data breaches that could lead to identity theft, accounting for 27 percent of the total (figure 3). This is a slight increase from 2007 when the education sector also ranked first with 26 percent of the total.

52 h://www.fc.gov/bc/du/ubs/busss/als/al050.sh
53 hs://www.cscusadads.og/scu_sadads/c_dss.shl
54 hs://www.cscusadads.og/dfs/08-18-08_2.df
55 Open Security Foundation (OSF) Dataloss DB, see h://daalossdb.og
56 An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach.
57 Cf. h://www.vacghs.og/fs/fs6a-faca.h and h://www.cs.hhs.gov/HalhplasGifo/12_HipAA.as


Figure 3. Data breaches that could lead to identity theft by sector and identities exposed by sector58 (sectors shown: Education, Government, Health care, Financial, Retail/wholesale, Arts/media, Manufacturing, Telecom, Business consulting, Insurance, Biotech/pharmaceutical, Utilities/energy, Other; values stated in the text: Education 27% of breaches and 4% of identities exposed, Government 20% and 17%, Health care 15% and 5%)

Source: Based on data provided by OSF DataLoss DB

Educational institutions store a large amount of personal information on students, faculty, and staff that could be used for the purposes of identity theft, including government-issued identification numbers, names, and addresses. Finance departments in these institutions also store bank account information for payroll and may also hold credit card information for people who use this method to pay for tuition and fees. These institutions, particularly large universities, often consist of many autonomous departments within which sensitive personal identification information may be stored in separate locations and be accessible to many people. This may increase the opportunities for attackers to gain unauthorized access to this data since it may be more difficult to standardize the security, educate everyone with access to the data on the policies, and control access to these dispersed databases.

58 Due to rounding, percentages might not equal 100 percent.


Despite the high number of data breaches that occurred in the education sector during 2008, it only accounted for 4 percent of all identities exposed during the period and ranked seventh (figure 3). This may be because the educational institutions have relatively smaller databases than those of financial or government institutions and, hence, fewer identities would be exposed in a data breach. One of the largest universities in the United States accounted for less than 80,000 students and employees, while financial and government institutions may store information on millions of people.59

Also, one-third of the data breaches in the education sector in this period were caused by the theft or loss of computers or data-storage devices. As such, data breaches that occurred in the education sector in this reporting period were not as likely to result in wide-scale identity theft because they resulted in the exposure of fewer identities. These types of breaches only expose the limited amount of data that is stored on the devices.

In 2008, the government sector ranked second and accounted for 20 percent of data breaches that could lead to identity theft. This is a decrease from the previous year, when the government sector represented 23 percent of the total, though still ranking second. This trend is reinforced by the annual Federal Computer Security report card, where the number of government agencies with a failing grade decreased by almost half.60 The health care sector ranked third in 2008, accounting for 15 percent of data breaches that could lead to identity theft. It also ranked third in 2007, accounting for 14 percent.

Government and health care organizations, like educational institutions, store large amounts of information that could be used for identity theft. Similar to the education sector, these organizations often consist of numerous autonomous departments that store sensitive personal information in separate locations and are accessible to numerous people. As a consequence, these organizations face the same security and control issues as educational institutions. Furthermore, health care organizations store sensitive medical information in addition to personal information, which could result in even more damaging breaches of privacy.

The government sector ranked third for identities exposed during 2008, accounting for 17 percent of the total while the health care sector ranked sixth, accounting for 5 percent of the total. As with the education sector, data breaches within the health care sector resulted in a relatively low number of identities exposed.

59 h://www.osu.du/osuoda/sufo.h
60 h://ublcas.ovsgh.hous.gov/da/pDFs/ros/Fy2007FiSmAroCad.df


    Data breaches that could lead to identity theft, by cause

In 2008, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium.61 Theft or loss made up 48 percent of all data breaches in 2008, a decrease from the previous reporting period when it accounted for 52 percent of all reported breaches (figure 4).

Figure 4. Data breaches that could lead to identity theft, by cause (data breaches and identities exposed; labels recovered: Insider 4%, Unknown)


To protect against data theft or loss, organizations should restrict the use of outside personal storage devices within the network, monitor the usage of such hardware within the enterprise, and educate employees on proper usage. Organizations should also include reviews and audits of electronic documents used by employees upon leaving the company. In a recent study, 59 percent of employees admitted to taking company information, such as email addresses, contact information of customers, employee records, and financial records, when leaving the organization.64 Of these former employees, 79 percent took the information without permission from the company. In 92 percent of the instances, the information was taken on disk, while 73 percent was on removable drives. It is worth noting that only 15 percent of the companies polled had conducted a review or audit of electronic documents taken by employees. Also, sensitive data should be strongly encrypted on any laptop or storage device that may be used outside of the enterprise.

The second most common cause of data breaches that could lead to identity theft during 2008 was insecure policy, which represented 21 percent of all incidents. A data breach is considered to be caused by insecure policy if it can be attributed to a failure to develop, implement, and/or comply with adequate security policy. In 2007, insecure policy also ranked second, accounting for 28 percent of such data breaches. This decrease in the number of data breaches may be due to organizations becoming more diligent and introducing stronger security policies such as limiting access to sensitive information to required personnel and the documentation of document transfers. Insecure policy accounted for only 8 percent of exposed identities in 2008 and, thus, each breach exposed only a relatively small number of identities. Although breaches caused by insecure policy in 2008 were not likely to result in wide-scale identity theft, the breaches still exposed approximately 6.5 million identities.65

In 2008, hacking was the third leading cause of data breaches that could lead to identity theft, accounting for 17 percent of the total. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers external to an organization gaining unauthorized access to computers or networks. Hacking also ranked third in 2007, accounting for 14 percent of breaches that could facilitate identity theft. Hacking is more purpose-driven than insecure policy, theft, or loss: in 2008, over half of the breaches that exposed credit card information were due to hacking. Attackers can take advantage of site-specific and Web-application vulnerabilities to gain access to networks and steal personal information. For this discussion, Symantec considers hacking to be a potential act with a defined purpose to steal data that can be used for purposes of identity theft or other fraud.

Hacking ranked second for identities exposed in 2008, with 22 percent; this is a large decrease from 2007, when hacking accounted for 62 percent of total identities exposed. The contributing factor for its high ranking in 2007 was a significant data breach in which data on over 94 million credit cards was stolen by attackers hacking into a company's database through unencrypted wireless transmissions and installing programs to capture credit card information.66 It is estimated that between $63 million and $83 million in credit card fraud across 13 countries can be attributed to this single data breach.67

In 2008, two breaches contributed significantly to the high ranking of hacking in this metric: in the first, confidential information on six million Chileans was illegally obtained from government databases by a hacker who publicly posted the information afterward; in the second, credit card information for 4.2 million customers was stolen from a U.S.-based grocery chain by hackers monitoring the credit

64 h://www.sac.co/abou/ws/las/acl.js?d=20090223_01
65 h://daalossdb.og
66 h://www.sbc.s.co/d/21454847/
67 h://www.scufocus.co/ws/11493


authorization process.68 Because of the motivation of attackers who use hacking to steal personal financial information, the impact of data breaches due to hacking may be severe because they are likely to result in large-scale fraud and high financial cost to affected organizations, credit card issuers, and consumers.

Even though they continue to be one of the most challenging issues faced by organizations, data breaches that could lead to identity theft are mostly preventable. For any department that manages or requires access to sensitive information, organizations should develop strong security policies such as strongly encrypting all data, ensuring there are controls in place that restrict access to such information to required personnel, and providing education and resources for all employees on proper security procedures. Network administrators should be closely monitoring network traffic and tracking all activity to ensure that there is no illegal access to databases, as well as testing security processes and systems regularly to ensure their integrity. Organizations should include these steps as part of a broader security policy, and ensure that any security policy is implemented and enforced to protect all sensitive data from unauthorized access.

Bot-infected computers

Bots are programs that are covertly installed on a user's machine in order to allow an attacker to remotely control the targeted system through a communication channel, such as Internet relay chat (IRC), peer-to-peer (P2P), or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.

Bots allow for a wide range of functionality and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization's website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information from compromised computers that may be used in identity theft, all of which can have serious financial and legal consequences. Bots are also inexpensive and relatively easy to propagate. In 2008, Symantec observed underground economy advertisements for as little as $0.04 per bot. This is much cheaper than in 2007, when $1 was the cheapest price advertised for bots. Bot-infected computers with a decentralized bot C&C model are favored by attackers because they are difficult to disable, and, more importantly, can be lucrative for their controllers. In one example, a bot owner arrested in New Zealand admitted to earning $21,500 over a two-year span for his activities.69

A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. In 2008, Symantec observed an average of 75,158 active bot-infected computers per day (figure 5), a 31 percent increase from 2007. Symantec also observed 9,437,536 distinct bot-infected computers during this period, a 1 percent increase from 2007.

68 Cf. h://ws.bbc.co.uk/1/h/wold/acas/7395295.s or h://www.sbc.s.co/d/23678909/
69 h://www.wold.co/scu/58670/bo-as-ss-hslf-x-bll-gas


Figure 5. Active bot-infected computers, by day (Jan 3, 2007 to Dec 31, 2008; vertical axis: active bot-infected computers, 0 to 120,000; series plotted: median daily active bots and 4-period moving average)

Source: Symantec

The decrease in active bot-infected computers at the beginning of 2008 may be due to the reduction in size of the botnet associated with the Peacomm Trojan.70 The number of bot-infected computers in the botnet was reduced to 5 percent of its previous estimated size, from 2 million bot-infected computers to 100,000.71 In addition, as stated in "Malicious activity by country", the shutdown of two U.S.-based hosting companies responsible for hosting bot C&C servers for a number of major botnets likely contributed to the decrease in active bot-infected computers in September and November 2008. After the shutdown in September, major botnets, including Srizbi and Pandex,72 were able to find alternate hosting, which resulted in a rise in bot-infected computers back to pre-shutdown levels. However, the shutdown in November severely crippled Srizbi and Ozdok, and as a consequence, competing botnets, including Pandex, were able to fill the void.73

Although the number of active bot-infected computers decreased at the end of the year, it is assumed that bot owners will seek out new hosts to get their botnets back online, and it is expected that bot numbers will rise again in 2009.74 One lesson of the activity in 2008 is that botnets can be crippled by identifying and shutting down the bot C&C server hosts, but that this strategy is difficult to implement given the various global hosting options that bot controllers have at their disposal.

70 Also known as the Storm botnet.
71 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 32
72 h://www.sac.co/scu_sos/wu.js?docd=2007-042001-1448-99
73 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : pp. 25–26
74 h://val.sac.co/kgfo/s/oh_soucs/b-sa_of_sa_o_12-2008.-us.df


    Bot command-and-control servers

Symantec tracks the number of bot C&C servers globally because these are what bot owners use to relay commands to bot-infected computers on their networks. For the first time, in this volume of the Symantec Government Internet Security Threat Report, bot C&C servers controlled over HTTP are included in this analysis alongside IRC bot C&C servers.75 This change in measure was made due to the trend of bot owners shifting away from traditional IRC bot C&C communication frameworks and toward managing their botnets through HTTP bot C&C servers. In 2008, Symantec identified 15,197 distinct new bot C&C servers (figure 6), of which 43 percent were over IRC channels and 57 percent over HTTP.

[Figure 6: pie chart. IRC 43%; HTTP 57%.]

Figure 6. Bot command-and-control servers, by type

Source: Symantec

Bot owners are moving away from traditional IRC-based botnets since they are easier to detect, track, filter, and block than botnets based on HTTP traffic. HTTP communications can be used to disguise bot traffic among other Web traffic in order to make it difficult to distinguish malicious traffic from legitimate HTTP traffic. (Most HTTP bot transmissions are encrypted to avoid detection.) To filter the traffic, organizations would have to inspect the encrypted HTTP traffic and identify and remove bot-related traffic while still allowing legitimate traffic to pass through. Because of this, it is very difficult to monitor and disable a bot C&C structure. It is also unreasonable to block HTTP traffic since organizations depend on legitimate HTTP traffic to conduct day-to-day business. Bot owners have also been switching away from using P2P for bot C&C server communications because such traffic is more easily detected due to the ports it creates in transmission. Moreover, many enterprises and other organizations also block P2P ports to prevent such high-bandwidth traffic from entering their networks.

75 Not included in this measure are bot C&C servers over P2P protocols; also, as this is the first report in which HTTP bot C&C servers are included in this analysis, 2007 comparisons are unavailable.


Symantec also observed an average of 42 new active bot C&C servers per day in 2008, of which 18 were IRC-based and 24 were HTTP (figure 7). The three largest botnets identified by Symantec in 2008 (Srizbi, Rustock, and Pandex) are all HTTP-based.

[Figure 7: line chart of bot command-and-control servers per day, Jan 2, 2008 to Dec 31, 2008. X-axis: Date. Y-axis: Bot command-and-control servers (0 to 60). Series: HTTP; IRC; 3 per. moving average (HTTP); 3 per. moving average (IRC).]

Figure 7. Bot command-and-control servers, by day

Source: Symantec

The drop in new and active HTTP bot C&C servers in February 2008 is likely due to bot C&C servers for a major HTTP-based botnet, Ozdok, going offline for 10 days during that month.76 Also, the significant reductions that occurred in September and November 2008 are likely due to the shutdown of two U.S.-based ISPs, as was noted previously in this discussion. The September shutdown resulted in a dramatic decrease in activity associated with the Srizbi and Pandex botnets.77 As noted, it is assumed that these botnets found alternate hosting, which would explain the subsequent rise in activity. The second shutdown in November resulted in a 30 percent decrease in overall bot traffic and is thought to have severely weakened two of the largest botnets, Srizbi and Rustock.78 The significant drop in new and active HTTP bot C&C servers in November 2008 may be because one of these ISPs was allegedly hosting a large number of bot C&C servers for Srizbi and Rustock, and bots were hard-coded to connect to these servers.79 It was estimated that the Srizbi botnet had 300,000 bots prior to the shutdown80 and the Rustock botnet had included over 150,000 bots.81

76 h://www.scagazus.co/trACe-Sx-bos-ga-85-c-of-sa/acl/107603/
77 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 25
78 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 26
79 h://val.sac.co/kgfo/s/oh_soucs/b-sa_of_sa_o_12-2008.-us.df
80 h://kowldgxchag.chag.co/scu-bs/szb-bo-s-h-bggs-bu-dos-sz-a/
81 h://www.scagazus.co/th-rusock-bo-sas-aga/acl/112940/


    Top Web-based attacks

The widespread deployment of Web applications along with the ubiquity of easy-to-exploit Web application security vulnerabilities have resulted in the prevalence of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Instead, they are now focused on attacking and compromising websites in order to mount additional, client-side attacks.

These attack types can be found globally and Symantec identifies each by an associated distinct detection signature. Most attack types target specific vulnerabilities or weaknesses in Web browsers or other client-side applications that process content originating from the Web. This metric will assess the top distinct Web-based attacks originating from compromised legitimate sites and malicious sites that have been created to intentionally target Web users.

The attacks discussed can involve social engineering to entice a victim to view a malicious website, but most attacks exploit trusted high-traffic websites. When the user visits a compromised website, a number of attack methods may be used. Malicious content from the website can directly exploit a vulnerability in the browser, a browser plug-in, or a desktop application. An attack such as this may require nothing more than the user visiting the site from which the attack originates. In the case of a drive-by download, the attack will occur without any action required from the user.82

Attackers also use malicious websites for compromise, such as misleading the user to directly authorize a specific technology that then downloads malicious code, or prompting the user to click on a pop-up or banner ad. Attackers can also redirect all traffic from a legitimate website to a malicious website from which the user's computer will then be attacked. In all of these types of Web-based attacks, the user is unaware of the compromise. Once an attacker has compromised a website and injected malicious content, he or she can passively attack visitors of the compromised site. This type of attack is very effective for attackers because they only have to compromise one Web page in order to affect multiple users. When a user visits a compromised Web page, the attack is carried out through the user's browser. The attack will either target vulnerabilities in the browser itself or will target third-party applications that are activated by the browser.

All Web-based attack traffic goes through the HTTP or HTTPS protocols. The benefit of this for attackers is that it is unreasonable to block these protocols because legitimate organizations depend on them for their day-to-day business. In addition, filtering a large volume of HTTP traffic would significantly slow throughput traffic. HTTP traffic is also difficult to filter with intrusion detection/intrusion prevention systems (IDS/IPS) because it is difficult to distinguish malicious traffic from legitimate traffic, and HTTP traffic can be encrypted, thus enabling attacks to be obfuscated with legitimate traffic.

Attackers are not only employing manual methods to exploit these issues, but they are also using automated tools, such as Neosploit,83 to exploit client-side vulnerabilities on a massive scale. Such toolkits are widely available and packaged so that people with minimal technical knowledge are able to use them effectively.

82 A drive-by download is a download that occurs without a user's prior knowledge or authorization and does not require user action. Typically this is an executable file.

    83 h://www.couwold.co/aco/acl.do?coad=vwAclBasc&axoona=Scu&aclid=9115599&axooid=17&agnub=1


Another attraction of the Web for exploitation is the profusion of dynamic sites that use Web-based applications, such as forums, photo-sharing galleries, blogs, and online shopping applications. Dynamic sites are targets for attackers using bot-infected computers to propagate and host malicious content since Web application and site-specific vulnerabilities can put these types of sites at risk. Attackers are also especially attracted to large, popular websites with trusted reputations. This is not only because a successful compromise can reach a greater number of people (who tend to have a higher trust for legitimate websites and are thus more susceptible to attack), but, as noted, it may be difficult to block attacks on these sites using security tools without disrupting legitimate traffic.

These developments and trends indicate that Web-based threats have not only become widespread, but that they also have increased in sophistication and severity. In particular, Symantec has noticed that botnets (such as Asprox,84 which was primarily used for phishing scams) are being designed to specifically exploit cross-site scripting vulnerabilities and inject malicious code into compromised websites.85

Many Web-based attacks exploit vulnerabilities that are considered medium severity. This means that they can compromise the account of the currently logged-in user because the user does not require administrative privileges to run the affected applications. While the danger of client-side vulnerabilities may be limited by best practices, such as restricting Web applications at the administrative level, this is often unreasonable given how integral Web applications are to the delivery of content for many businesses. Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful malicious attacks on single clients, as well as at the enterprise level.

In 2008, the top Web-based attack was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness,86 which accounted for 29 percent of the total globally (table 4). The weakness allows attackers to install malicious files on a vulnerable computer when a user visits a website hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer security settings to allow the attacker to execute malicious files installed by the initial security weakness. This issue was published on August 23, 2003, and fixes have been available since July 2, 2004. Since this was the top Web-based attack in 2008, this may indicate that many computers running Internet Explorer have not been patched or updated and are running with this exposed vulnerability.

Rank  Web-based attack                                                                   Percentage
1     Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness         30%
2     Acrobat PDF Suspicious File Download                                               11%
3     ANI File Header Size Buffer Overflow                                               7%
4     Adobe SWF Remote Code Executable                                                   7%
5     Microsoft Internet Explorer DHTML CreateControlRange Code Executable               6%
6     SnapShot Viewer ActiveX File Download                                              5%
7     Microsoft Internet Explorer XML Core Services XMLHTTP Buffer Overload              4%
8     Quicktime RTSP URI Buffer Overload                                                 3%
9     AOL SuperBuddy ActiveX Code Executable                                             3%
10    Microsoft Internet Explorer WebViewFolderIcon ActiveX Control Buffer Overflow      2%

Table 4. Top Web-based attacks

Source: Symantec

84 h://www.sac.co/scu_sos/wu.js?docd=2007-060812-4603-99
85 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 33
86 Cf. h://www.sac.co/busss/scu_sos/aacksgaus/dal.js?asd=50031 or h://www.scufocus.co/bd/10514


A large number of exploits and malicious applications are dependent on this vulnerability as a common way of compromising computers, along with other known vulnerabilities. Therefore, the amount of attack activity is related to the cumulative number of exploits, attack toolkits, and worms targeting this vulnerability as one possible means of compromising computers. It is also likely that the large market share of Microsoft Internet Explorer plays a role in the popularity of this attack.87 While the vulnerability was patched in 2004, there are likely still enough unpatched computers that are affected by this vulnerability for attackers to benefit.

The second most common Web-based attack in 2008 was related to malicious Adobe Acrobat PDF activity,88 which accounted for 11 percent of Web-based attacks. Specifically, attempts to download suspicious PDF documents were observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to any specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it, such as Adobe Acrobat Reader. A successful attack could ultimately result in the compromise of the integrity and security of an affected computer. This attack is assumed to be popular due to the common use and distribution of PDF documents on the Web. Also, browsers can be set up to automatically render a PDF document by default. Specific exploit activity related to malicious PDF files was observed in 2008.89

In 2008, the third most common Web-based attack exploited the Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability,90 accounting for 7 percent of Web-based attacks in 2008. The ANI (animated cursor file) handler is a default component of the Microsoft Windows operating system and is used by a significant number of widely used Microsoft applications as well as the Windows shell. If successfully exploited, the vulnerability allows an attacker to execute arbitrary code embedded in a malformed ANI file originating from the Web or other sources. This vulnerability was published on January 11, 2005, and fixes have also been available since that time. Exploit code was publicly available the following day. As with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness, the prominence of this type of attack indicates that computers in the region are likely not being sufficiently patched and updated.

Vulnerabilities such as those discussed here continue to generate a large amount of observed attack activity because they can be reliably exploited. This makes these vulnerabilities candidates for automation. Despite the fact that fixes are available, as noted, it is likely that there are still enough unpatched systems in existence that these attacks continue to enjoy success. When attacks prove successful, they may often be adopted by a large number of malicious code variants and attack toolkits. This can cumulatively create a large amount of observed attack activity. It is also likely that older malicious code variants continue to attempt to automatically exploit these vulnerabilities as a means of propagation.

87 h://aksha.hslk.co/bows-ak-sha.asx?qd=0&q=100&qd=1&qc=3&qfa=y&qs=2008&q=2
88 h://www.sac.co/busss/scu_sos/aacksgaus/dal.js?asd=23153
89 hs://fous2.sac.co/5/Vulabls-exlos/pdf-h-Wod-fo-exlos/ba-/305564#A141
90 Cf. h://www.sac.co/busss/scu_sos/aacksgaus/dal.js?asd=21719 or h://www.scufocus.co/bd/12233


    Top countries of origin for Web-based attacks

This metric will assess the top countries of origin for Web-based attacks against users in 2008 by determining the location of computers from which the attacks occurred. Note that attackers, in order to hide their tracks, often redirect users through one or more servers that may be located virtually anywhere globally.

Once an attacker has compromised a legitimate website, users who visit the website may be attacked by several additional means. One way is through a drive-by download, which results in the installation of malicious code without the user's knowledge or consent. Another way is to redirect the user to another website that is used to host malicious code. Sites and servers hosting a variety of malicious exploits can be found worldwide. Multiple domains may be associated with one compromised site, which is used to exploit one or more security vulnerabilities in affected client browsers.

In 2008, computers from the United States were the leading source of Web-based attacks against users, accounting for 38 percent of the total (table 5). There are a number of factors that make the United States the top country of origin for Web-based attacks. This ranking may be due to the more than half a million websites that were compromised in May 2008 with malicious code that was hosted in Russia and the United States. Web forums hosted by PHP-based bulletin board applications were exploited to inject malicious JavaScript into forum content. These forums would then infect visitors with variants of the Zlob Trojan91 disguised as a video codec installer. The exploit changes browser and DNS settings on the infected computer and enables additional attacks, including turning the infected computer into a zombie.92 This attack follows the trend of attackers inserting malicious code into legitimate high-traffic websites where users are likely to be more trusting of the content, rather than attempting to lure users to visit specially designed malicious sites.

Rank  Country          Percentage
1     United States    38%
2     China            13%
3     Ukraine          12%
4     Netherlands      8%
5     Russia           5%
6     United Kingdom   5%
7     Canada           3%
8     Japan            2%
9     Latvia           1%
10    France           1%

Table 5. Top countries of origin for Web-based attacks

Source: Symantec

91 h://www.sac.co/scu_sos/wu.js?docd=2005-042316-2917-99
92 h://www.chalgs.co.uk/2008/05/13/zlob_oja_fou_coos_aack/


In 2008, China ranked as the second country of origin for Web-based attacks, with 13 percent of the worldwide total. The main reason for the high rank of China in 2008 is due to compromised websites relating to the 2008 Beijing Olympic Games. The games were one of the largest events of 2008 and attackers exploited the popularity of the event in their attempts to lure and compromise users, as has been seen previously with other major sporting and entertainment events.93 One example is the Rustock botnet, which sent out emails with links to a news report about the games. Users were prompted to click a link in the email and visit a site, which then prompted them to download a missing codec in order to launch a video. Clicking to obtain the codec actually resulted in the installation of a Trojan.

Attackers may have also used social engineering to lure users to compromised websites under the guise of being associated with the 2008 Beijing Olympic Games, as attacks against Chinese-language websites increased significantly during the games.94 The extent of these attacks was mitigated, however, by initiatives to increase online security for users ahead of the Games by shutting down or blacklisting thousands of websites potentially most susceptible to fraud, which are popular targets of attack for Web application and site-specific vulnerabilities. Also, thousands of websites in China were compromised when certain Web applications were infected with malicious JavaScript that was implanted through the use of SQL-injection attacks.95 Visitors to these compromised sites had their computers attacked and, if the attacks were successful, Trojans were downloaded onto their computers.96

Ukraine ranked third in 2008 for top country of origin for Web-based attacks, accounting for 12 percent of such attacks worldwide. The prominence of Ukraine in this metric is likely due to the compromise of the website of a U.S.-based electronic bill payment processing company.97 The attackers were able to obtain account credentials to the company's domain using a phishing attack, and were then able to gain access to the company's website. Customers, thinking they were visiting the legitimate website, were redirected to a malicious website hosted on servers in Ukraine where they were attacked with a Trojan.98 In addition to the compromise of the bill payment company's website, there were at least 71 domains that were redirected to the malicious Ukrainian server during this time.99

Of note, six of the top 10 countries for Web-based attacks in the Europe, Middle East, and Africa (EMEA) region were also in the top 10 countries of origin for Web-based attacks globally, and countries in the EMEA region accounted for 41 percent of the worldwide total, more than any other region. Exploit packs may be one of the reasons behind the prominence of the EMEA region in this measure. Many exploit packs, including MPack,100 IcePack,101 and Neosploit,102 originated in Russia and it is likely that the Russians who developed these attack kits are responsible for much of their continued propagation. These attackers could possibly be compromising websites around the world and redirecting visitors to computers in EMEA that host the exploit code being used to target client-side vulnerabilities in Web browsers.

93 h://ws.bbc.co.uk/1/h/cholog/7548870.s
94 h://www.wokwold.co/wsls/gw/2008/090808sg1.hl
95 h://www.h-ol.co/scu/Chs-wbss-ud-ass-aack--/ws/110764
96 Ibid.
97 h://www.wokwold.co/ws/2008/120508-wok-soluos-hshg-ca-bfo.hl
98 h://www.csool.co/acl/474365/ChckF_Was_mllo_Cusos_Af_Hack
99 h://blog.kvuka.fo/2008/12/dggg-d-o-chckf-aack.hl
100 hs://fous2.sac.co/5/blogs/blogaclag/blog-d/vulabls_xlos/acl-d/93#m93
101 hs://fous2.sac.co/5/blogs/blogaclag/blog-d/gab_bag/acl-d/81
102 h://blogs.zd.co/scu/?=1593


Also contributing to the prominence of the EMEA region in this period were a number of high-profile Web-based attacks that occurred there. One example was in January 2008, when the embassy website of the Netherlands in Russia was compromised and visitors to the site were misled into installing malicious code.103 Another example occurred in August 2008 when several hundred domains in the Netherlands were compromised and defaced.104 A third case was when more than a thousand UK websites were compromised and users visiting these sites risked being infected with the Asprox Trojan.105 The success of these attacks on government sites can be attributed, in part, to the inherent trust that visitors to such sites will have, making these visitors more liable to accept prompts or download files if requested.

Web-based attacks are a major threat to computer networks for both enterprises and end users. Attacks such as drive-by downloads are covert and very difficult to mitigate because most users are unaware that they are being attacked. Organizations are thus confronted with the complicated task of having to detect and filter attack traffic from legitimate traffic. Since many organizations rely on Web-based tools and applications to conduct business, it is likely that the Web will continue to be the primary conduit for attack activity favored by malicious code developers.

Threat activity: protection and mitigation

There are a number of measures that enterprises, administrators, and end users can employ to protect against malicious activity. Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. Organizations should employ defense-in-depth strategies, including the deployment of antivirus software and a firewall.106 Administrators should update antivirus definitions regularly and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. As compromised computers can be a threat to other systems, Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity.

Symantec recommends that organizations perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place. Organizations should also filter out potentially malicious email attachments to reduce exposure to enterprises and end users. In addition, egress filtering is one of the best ways to mitigate a DoS attack. DoS victims frequently need to engage their upstream ISP to help filter the traffic to mitigate the effects of attacks.

Symantec also advises that users never view, open, or execute any email attachment unless the attachment is expected and comes from a known and trusted source, and unless the purpose of the attachment is known. By creating and enforcing policies that identify and restrict applications that can access the network, organizations can minimize the effect of malicious activity, and hence, minimize the effect on day-to-day operations. Also, administrators should limit privileges on systems for users that do not require such access and they should also restrict unauthorized devices, such as external portable hard-drives and other removable media.

103 h://www.hgs.co.uk/2008/01/23/bass_ss_sv_alwa/
104 h://blogs.zd.co/scu/?=1788
105 h://cholog.sol.co.uk/ol/ws/ch_ad_wb/h_wb/acl4381034.c
106 Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.


To reduce the likelihood of identity theft, organizations that store personal information should take the necessary steps to protect data transmitted over the Internet or stored on their computers. This should include the development, implementation, and enforcement of a security policy requiring that all sensitive data is encrypted. Organizations should implement a data loss protection (DLP) solution that not only prevents data breaches, but also mitigates potential data leaks from within an organization. Access to sensitive information should be restricted and organizations should also enforce compliance to information storage and transmission standards such as the PCI standard.107 Policies that ensure that computers containing sensitive information are kept in secure locations and are accessed only by authorized individuals should be put in place and enforced. Sensitive data should not be stored on mobile devices that could be easily misplaced or stolen. Encryption would ensure that even if the computer or medium on which the data were stored were lost or stolen, the data would not be accessible. These steps should be part of a broader security policy that organizations should develop and implement in order to ensure that any sensitive data is protected from unauthorized access.

    107 hs://www.cscusadads.og/


    Malicious Code Trends

Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Underlying these products are the Symantec Digital Immune System and Symantec Scan and Deliver technologies, as well as Norton Community Watch, which allow customers to automate the process of reporting viruses and other malicious code threats. This section of the Symantec Government Internet Security Threat Report will discuss the following malicious code trends for 2008:

New malicious code threats

Geolocation by type of malicious code

Threats to confidential information

Propagation mechanisms

Malicious code: protection and mitigation

    New malicious code threats

Symantec monitors the proliferation of malicious code by examining the number of new malicious code signatures created to detect threats from period to period. Comparing new signatures against signatures created previously indicates how quickly new malicious code threats are being developed. Periods in which a significant number of new malicious code threats are created indicate how critical it is for both enterprises and home users to maintain updated antivirus signatures, and to implement and maintain robust security measures such as software patches.

In 2008, Symantec created 1,656,227 new malicious code signatures (figure 8). This is a 265 percent increase over 2007, when 624,267 new malicious code signatures were added. Although the percentage increase in signatures added is less than the frankly staggering 445 percent increase from 2006 to 2007, the overall number of malicious code signatures by the end of 2008 grew to 2,674,171. This means that of all the malicious code signatures created by Symantec, more than 60 percent of that total was created in 2008. Furthermore, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month in 2008.


[Figure 8: bar chart of new malicious code signatures per period. X-axis: Period. Y-axis: Number of new threats (0 to 1,800,000). Values: 2002: 20,547; 2003: 18,827; 2004: 69,107; 2005: 113,025; 2006: 140,690; 2007: 624,267; 2008: 1,656,227.]

Figure 8. New malicious code signatures

Source: Symantec

Previous volumes of the Symantec Global Internet Security Threat Report have discussed the increasing professionalization of malicious code development.108 The result is an increase in the speed and efficiency with which malicious code is brought to market, which would enable an increased number of threats to be developed. A driving force behind the growing speed and efficiency of these developments is the demand for goods and services that facilitate online fraud. This is exemplified by the flourishing profitability of confidential information sales, as was discu