Symantec Internet Security Threat Report 1 Symantec Security Intelligence Internet Security Threat Report Volume XVI June, 2011 Tiffany Jones Director – Programs and Strategy Symantec Public Sector Division


Symantec Security Intelligence

Internet Security Threat Report, Volume XVI

June, 2011

Tiffany Jones

Director – Programs and Strategy

Symantec Public Sector Division


Global Intelligence Network: Identifies more threats, takes action faster & prevents impact

• Information Protection

• Preemptive Security Alerts

• Threat Triggered Actions

• Global Scope and Scale

• Worldwide Coverage

• 24x7 Event Logging

• Rapid Detection

Attack Activity

• 240,000 sensors

• 200+ countries

Malware Intelligence

• 133M client, server, gateways monitored

• Global coverage

Vulnerabilities

• 40,000+ vulnerabilities

• 14,000 vendors

• 105,000 technologies

Spam/Phishing

• 5M decoy accounts

• 8B+ email messages/day

• 1B+ web requests/day

Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India


Threat Activity Trends: AV Signatures in Perspective

[Figure: Signatures (10M), Malware Variants (286M), Malware Attacks (3.1B)]


Threat Landscape: 2010 Trends

• Social Networking + social engineering = compromise

• Attack Kits get a caffeine boost

• Targeted Attacks continued to evolve

• Hide and Seek (zero-day vulnerabilities and rootkits)

• Mobile Threats increase


Threat Landscape: Targeted attacks continue to evolve

• High profile targeted attacks in 2010 – Hydraq and Stuxnet – raised awareness of the consequences of APTs

• Stuxnet signaled a leap in the sophistication of these types of attacks

  – Four zero-day vulnerabilities

  – Stolen digital signatures

  – Ability to “leap” the air gap

  – Potential damage to infrastructure

More Info: Detailed review in the W32.Stuxnet Dossier & W32.Stuxnet


Threat Landscape: Targeted attacks continue to evolve

• Less sophisticated attacks also cause significant damage

• The average cost to resolve a data breach in 2010 was $7.2 million USD.

[Figure: Average Number of Identities Exposed per Data Breach by Cause]


Threat Landscape: Social networking + social engineering = compromise

• Hackers have adopted social networking

  – Use profile information to create targeted social engineering

  – Impersonate friends to launch attacks

  – Leverage news feeds to spread spam, scams and massive attacks

More Info: Detailed review of social media threats available in The Risks of Social Networking


Threat Landscape: Social networking + social engineering = compromise

• Shortened URLs hide malicious links, increasing infections

• Of the shortened URLs leading to malicious websites observed on social networking sites, 73% were clicked 11 times or more

[Figure: Regular URL 35%, Short URL 65%]


Threat Landscape: Hide and seek (zero-day vulnerabilities and rootkits)

• Although the short-term trend in exploits of zero-day vulnerabilities is up, the long-term trend is not

• Nevertheless, zero-days are being used in a more aggressive way, e.g. they featured heavily in the targeted attacks of 2010

• Attack toolkits help to spread knowledge of exploits that leverage vulnerabilities

• Rootkits taking more aggressive hold

  – Tidserv, Mebratix, and Mebroot are current front-runners

[Figure: Number of documented ‘zero-day’ vulnerabilities]


Threat Landscape: Attack kits get a caffeine boost

• Attack kits continue to see widespread use – 61% of web based attacks are due to toolkits.

• Java exploits added to many existing kits

• Kits exclusively exploiting Java vulnerabilities appeared

More Info: Detailed information available in ISTR Mid-Term: Attack Toolkits and Malicious Websites


Threat Landscape: Mobile threats

• Currently most malicious code for mobile devices consists of Trojans that pose as legitimate applications

• Mobile devices will be increasingly targeted as they are used for financial transactions

More Info: Security Issues for Mobile Devices and a review of Apple iOS and Google Android

[Figure: 115 vulnerabilities (2009), 163 vulnerabilities (2010), 42% increase]


Threat Activity Trends: Malicious Activity by Country


Threat Activity Trends: Malicious Activity by Country

• The US is the main source of bot-infected computers

• Higher broadband capacity allows more attacks per second

• Large-scale attacks using the ZeuS attack kit contributed to the high ranking of China for Web-based attacks.

For the botnet associated with the Tidserv Trojan, over half of all infected computers are in the US.


Threat Activity Trends: Malicious Activity by Country

• Spam zombies dropped significantly in China but continue to be a major source of malicious activity in Brazil.

  – New regulations requiring ISPs to register email servers and maintain logs in China likely contributed to this drop.

• Phishing hosts in a country are tied to the broadband connectivity in that country as well as web hosting providers. Many phishing sites are hosted on free web space provided by ISPs.


Threat Activity Trends: Data Breaches by Sector

• Top three sectors only accounted for a quarter of all identities exposed

• The average cost to resolve a data breach in 2010 was $7.2 million USD

• Customer data accounted for 85% of identities exposed

[Figures: Average Number of Identities Exposed per Data Breach by Sector; Average Number of Identities Exposed per Data Breach by Cause; Volume of Data Breaches by Sector]


Malicious Code Trends: Threats to confidential information

• 64% of potential infections by the top 50 malicious code samples were threats to confidential information

• Malicious code that allows remote access accounted for 92% of threats to confidential information in 2010, up from 85%


Fraud Activity Trends: Phishing categories

• Banks were spoofed by 56% of phishing attacks

• Many email-based fraud attempts referred to major events in 2010


Fraud Activity Trends: Spam by category

• Approximately three quarters of all spam in 2010 was related to pharmaceutical products

• Symantec estimates that 95.5 billion spam emails were sent globally each day in 2010


Defenses Against Targeted Attacks

• Advanced Reputation Security: Detect and block new and unknown threats based on reputation and ranking

• Host Intrusion Prevention: Implement host lock-down as a means of hardening against malware infiltration

• Removable Media Device Control: Restrict removable devices and functions to prevent malware infection

• Email & Web Gateway Filtering: Scan and monitor inbound/outbound email and web traffic and block accordingly

• Data Loss Prevention: Discover data spills of confidential information that are targeted by attackers

• Encryption: Create and enforce security policy so all confidential information is encrypted

• Network Threat and Vulnerability Monitoring: Monitor for network intrusions, propagation attempts and other suspicious traffic patterns