Volume 5, Number 7 -- February 21, 2008

Surf's Up for Web-Based Organized Crime, IBM X-Force Says

Published: February 21, 2008

by Alex Woodie

If you've noticed that attempts to steal your identity and your money on the Web have grown more sophisticated in recent months, you're not alone. In its analysis of thousands of attacks, IBM's X-Force security group confirmed that the underground criminal economy made a lot of headway last year in exploiting software and human vulnerabilities in pursuit of ill-gotten gains off the Net.

In its annual report on the state of information security, the X-Force team at Internet Security Systems (ISS) describes the trends shaping security for 2007, and what managers, administrators, and programmers should look for as they work to minimize their exposure for 2008. The group relies heavily on statistics to prove its point, and the report is chock full of statistics of all shapes and sizes.

But the most surprising statistic concerns software vulnerabilities. During 2007, the number of newly reported vulnerabilities actually decreased compared to the previous year, the first time in modern history (read: since 2000) that's happened. The 6,437 vulnerabilities reported last year represented a 5 percent decline from 2006, following two years of 40 percent growth in vulnerabilities, according to X-Force.

X-Force said the drop could represent "an anomaly, a statistical correction, or a new trend in the amount of disclosures." Compared to the historical norm of 27 percent growth in new vulnerabilities each year (according to X-Force), perhaps the market could not sustain the pace set during the vulnerability bubble years of 2005 and 2006. Despite the overall drop in vulnerabilities, the number of critical "high priority" vulnerabilities increased by about 28 percent in 2007. However, that, too, could reflect a market correction, as 2006 was a slow year for critical vulnerabilities, in relative terms. Critical vulnerabilities accounted for about 22 percent of all vulnerabilities in 2007. Compared to years from 2000 to 2004, when critical vulnerabilities accounted for about 35 percent of all flaws, the Internet today is awash in low-to-mid-grade vulnerabilities.

So, if overall vulnerabilities are down, and high impact vulnerabilities are trending below historical averages, what's the big fuss over Internet security? If there are fewer critical vulnerabilities, isn't the Net becoming safer?

No way, according to X-Force. For one thing, only half of the vulnerabilities discovered can even be patched, the group says. And while Microsoft takes a lot of heat for its highly public flaws, it only accounted for 3.7 percent of all vulnerabilities reported in 2007. The five vendors responsible for the most vulnerabilities--Microsoft, Apple, Oracle, IBM, and Cisco, in decreasing order--accounted for only 13.6 percent of all the vulnerabilities in 2007, reflecting a healthy diversity in the market for security flaws.

Vulnerabilities may be decreasing, but the criminal underworld is making better use of them. A big reason for this is the increasing popularity of exploit toolkits, which are applications sold on the black market that allow even the least sophisticated criminals to launch attacks on people's Web browsers and steal their information. While X-Force says the total number of toolkit-using pirates on the Web is unknown (they're increasingly using "obfuscation" techniques to camouflage their activities), several finds on online file storage sites lead it to suspect that exploit toolkit piracy is widespread.

These toolkits are able to run through several routines before finding an unpatched vulnerability on a person's Web browser, which means being protected from the latest critical bug in Firefox or IE doesn't guarantee protection. You have to be protected from ALL vulnerabilities, including old ones and ones that haven't been disclosed publicly yet. With thousands of vulnerabilities to choose from, the law of large numbers tips the balance heavily in favor of the pirates, who only have to find one unpatched vulnerability to have their way with your computer from their secure, undisclosed location.

While the number of vulnerabilities is down, the amount of malware polluting the Internets is way up. X-Force analyzed 410,000 new malware samples during 2007, a 30 percent increase over 2006. Trojans saw a big comeback in 2007 compared to 2006, which was "the year of the drive-by downloader."

But just as the Internet's upstanding citizens are promoting "mash-ups" using Web 2.0 technologies, so, too, are the Net's denizens of evil getting creative with their programming. "The classic categories of virus, worm, spyware, and backdoor are becoming largely irrelevant. Modern malware is now the digital equivalent of the Swiss Army knife," X-Force writes.

Last year's big breadwinner for the Web's underworld, the Storm Worm, was a good example of this creativity at work, says Kris Lamb, operations manager for research and development at ISS. "The Storm Worm provides a microcosm of the kinds of threats users faced in 2007," he says. "All in all, the exploits used to spread Storm Worm are a blend of the various threats tracked by X-Force, including spam, phishing, and drive-by-downloads by way of Web browser exploitation."

On the bright side, X-Force reports that spam was way down in 2007, largely due to a sudden decrease in image-based spam during the second quarter. Spammers attempted to fill the void with PDF- and MP3-based spam, but these ultimately failed, and spammers gave up on them, according to X-Force, which said it could be considered "a win for the security industry." The only meaningful statistic that X-Force had regarding phishing was that phishing represents about 1 percent of spam.

While spam is on the run, security professionals should be careful to keep up the vigilance. The Internet continues to attract criminals, con artists, and ne'er-do-wells like flies to excrement, and will continue to do so for some time.

"Never before have such aggressive measures been sustained by Internet attackers towards infection, propagation, and security evasion," Lamb says. "While computer security professionals can claim some victories, attackers are adapting their approaches and continuing to have an impact on users' experiences."


Editor: Timothy Prickett Morgan
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
