The financial-services, healthcare, and power and energy industries were among the hardest hit by severe security attacks in 2003.
Assaults on I.T. systems increasingly targeted back doors left by previous attackers and worms.

Those are among the conclusions drawn in a comprehensive new report issued by Internet-security firm Symantec.

The number of Symantec customers reporting a serious security breach rose from one-sixth in the first half of the year to one-half in the second six months, the company says, attributing the increase to more effective worms, which remain the most common form of attack.

Multi-Pronged Offensive

Symantec's findings are based on anonymous data from some 120 million antivirus applications customers, as well as from 20,000 DeepSight Threat Management System registered sensors monitoring activity in more than 180 countries.

"Worm activity is an ever-increasing threat, and the quantity of blended, multi-vector worms was on the rise last year," said Tony Vincent, head global security architect for Symantec. The MyDoom and Blaster worms, in particular, were able to use back doors to deliver follow-up attacks that wreaked havoc worldwide, he told NewsFactor.

Blended threats comprised 54 percent of the top 10 malicious code submissions over the last six months of 2003. What is troubling, said Vincent, is that these threats cause widespread damage more quickly because of increased propagation speed, aided in part by improved bandwidth and decreased latency.

Blaster targeted a vulnerability in core Windows components, creating a more widespread threat than the server software targeted by previous network-based worms, and resulting in a much higher density of vulnerable systems.

In January, for example, MyDoom began spreading at rates similar to SoBig.F, exposing infected systems through a back door and carrying out a targeted attack. Two new worms, Doomjuice and Deadhat, followed MyDoom, both propagating via the back door left by MyDoom.

Mass-Mailers a Growing Concern

Among the top 10 malcode submissions, the number of mass-mailer worms rose by 61 percent in the second half of 2003 over the first half of the year, Symantec reports. These are especially troublesome, because the e-mail messages generated by the built-in engine of malicious code do not interact with the user's e-mail system, and there are few signs of an active infection, Vincent said.

On average, customers reported about seven new vulnerabilities a day during 2003, he pointed out. "The time between the release of a worm or virus and widespread attacks has been reduced dramatically, which we saw with the Blaster worm," said Vincent. Consequently, a "zero-day" threat that targets a vulnerability before it is announced and patches are made available, may be imminent.

Assaults Leveling Off

The good news is that attacks appear to have leveled off in the second half of 2003, although that could mean either that vendors are providing better security code or that fewer security reports are being filed, Vincent said. During the second half of 2003, threats to privacy and confidentiality were the fastest growing threat.

Peer-to-peer file-sharing network and instant-messaging network protocols are becoming more frequent targets, according to Symantec research.

Mind-boggling Numbers

In the report, Symantec offers guidelines for best practices to help businesses and consumers better protect their I.T. assets. These include:

- turning off and removing unneeded services;

- keeping patch levels up-to-date, especially on computers that host public services and are accessible through the firewall;

- enforcing a password policy;

- configuring e-mail servers to block or remove messages that contain file attachments commonly used to spread viruses; and

- isolating infected computers promptly to prevent further compromise.

Forrester research analyst Michael Rasmussen agreed with findings indicating that an increasing number of organizations are affected by security threats and noted that Symantec has helped slow the trend.

But, he said, the data provided are only as good as the information submitted to the company by its clients.

"We are seeing more attacks this year. The number of virus attacks has been mind-boggling," said Rasmussen. That number is slowing down, he added, but that could well be just a lull in the storm.