By Brian Krebs
Special to The Washington Post
Tuesday, September 20, 2005
Online criminal activity of nearly every variety surged in the first half of 2005, fueled in large part by an increase in software security flaws and in the number of home computers being used against their owners' wishes to distribute spam, spyware and viruses, according to a new report.
The six-month period saw the discovery of a record 1,862 new software vulnerabilities, according to the survey from Cupertino, Calif.-based Symantec Corp., a computer security firm. The report classified nearly all of those flaws as moderate to high security threats and found that about 60 percent of them were in programs that run over the Internet.
Security holes in Web-based programs are especially serious threats for businesses because attackers can use them to bypass a company's outer security measures -- such as Internet firewalls -- or to access confidential information.
Some of the most common and dangerous vulnerabilities are found in Internet browsers. While Mozilla's Firefox browser gained popularity this year after being touted as a more secure alternative to Microsoft's ubiquitous Internet Explorer, security researchers uncovered 25 security holes in Firefox during the first half of 2005, nearly twice the number found in Explorer.
But Arthur Wong, Symantec's vice president for response and managed security services, said Firefox's flaws "certainly [don't] mean it's any more vulnerable than other browsers," because Mozilla tends to issue security patches to mend problems much sooner than Microsoft does for Explorer.
Symantec also tracked a massive increase in "denial-of-service" attacks. These online attacks employ thousands of "bots" -- usually personal computers that have been hacked into so they can be controlled remotely -- to overwhelm target Web sites with so much junk data that the sites can no longer accommodate legitimate visitors.
According to Symantec, denial-of-service attacks during the first half of 2005 spiked from an average of 119 a day to 927.
The rise is directly related to the increase in home-computer bots, Wong said. During the study period, the number of such hacker-hijacked computers observed each day more than doubled, to 10,352 from 4,348.
But security experts say Symantec's estimates represent a small fraction of the global bot epidemic. The nonprofit SANS Internet Storm Center, which tracks hacking trends, sees an average of 260,000 bots each day being used to locate other vulnerable computers, said Johannes Ullrich, the center's chief technology officer.
Groups of attackers are increasingly assembling armies of hacked computers -- called botnets -- available for sale or rent as distribution networks for spam, spyware and viruses, Wong added.
One form of spam known as phishing -- in which scam artists use e-mails to lure people into entering their personal and financial information at fake bank and e-commerce Web sites -- also saw a dramatic rise this year. In six months, the volume of phishing e-mails grew from an average of about 3 million a day to about 5.7 million, according to the Symantec report.
Krebs is a staff writer for washingtonpost.com.