Chad Perrin: SOB

7 April 2007

Security Analysis: Symantec ISTR XI (Malicious Code Trends Highlights, Part 2)

Filed under: Security — apotheon @ 09:28

In yesterday’s analysis I presented some coverage of the “Malicious Code Trends Highlights” of Symantec’s Internet Security Threat Report, volume XI, with specific focus on Symantec’s report that 23% of malicious code instances “exploited vulnerabilities”. Today, I’ll present continued analysis of the Malicious Code Trends Highlights from the Executive Summary Highlights section of Symantec’s report. I will be providing analysis of further content of the ISTR XI on a (hopefully) daily basis, until I decide I’m finished.

Interesting Numbers:

Symantec’s Internet Security Threat Report volume XI provides a number of interesting statistics in its “Malicious Code Trends Highlights”. The following is commentary on some of the more suggestive statistics.

  • 8,258 new variants in the Win32 family were reported to Symantec in the second half of 2006. It seems that to Symantec the interesting part of this is that 8,258 is a 22% increase over the number from the Win32 virus family in the first half of the year. From where I’m sitting, the interesting part is that it is such an effective reinforcement of the importance of patching virus-exploitable vulnerabilities rather than letting third-party antivirus vendors handle them with new virus definitions, as I detailed in yesterday’s analysis.
  • Worms are down from 75% to 52%, and trojans up from 23% to 45%, of malicious code threats by volume in the second half of 2006, according to Symantec. This fits well with the observed trends that indicate an increase in targeted attacks rather than scattershot infection tactics by malicious security crackers, as well as other signs of the increasingly financial motivations of these criminals and the advancing maturity and sophistication of the security cracker criminal underground.
  • The percentage of polymorphic malicious code threats in the second half of 2006 tripled from the first half of the year, from 1% to 3%, according to Symantec. Polymorphic malicious code is mobile code, such as viruses and worms, that alters its own signature as it operates and propagates, making it far more difficult for security companies like Symantec to generate effective definitions. Again, this highlights the importance of proactively fixing the vulnerabilities these threats exploit, at the source, rather than relying on the reactive practice of attempting to define all malicious code in the wild and dealing with it only once it is recognized.
  • 79% of threats to confidential information, by volume of reports, involved keystroke loggers, according to Symantec. This is a significant increase over the same period of 2005, when the figure was 66%. This suggests that malicious security crackers are developing better information filtering capabilities to more easily and accurately find valuable needles in haystacks of data. It also points out the weakness of many security policies that provide a sort of gateway defense but fail to effectively audit systems internal to the organization for signs of compromise.
  • 78% of propagating malicious code used SMTP as its contagion vector, making email still by far the most common means of threat propagation, and making zombie mailer systems — usually MS Windows desktop systems and mail servers that have been compromised so that malicious security crackers can use networks of them to send out mass mailings — a continuing growth industry.
  • At 35% of new instant messaging threats, MSN Messenger took the lion’s share of the market for IM security threats, according to Symantec.

Be safe. Account for these threat trends in planning your security policy, whether at work or at home.


This has been the fifth installment in my security analysis of the Symantec Internet Security Threat Report, volume XI. This is a series of (mostly) daily posts collected under the SOB category Security. You may follow this series (and further security-specific posts) via RSS using the Security Category RSS Feed.

Next, I will continue my overview of Symantec’s “Executive Summary Highlights”, with specific attention on the “Phishing, Spam, and Security Risks Highlights”, in brief.

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License