Chad Perrin: SOB

9 April 2007

Security Analysis: Symantec ISTR XI (Phishing, Spam, and Security Risk Highlights)

Filed under: Security — apotheon @ 11:59

In my immediately previous analysis I presented some coverage of the “Malicious Code Trends Highlights” of Symantec’s Internet Security Threat Report, volume XI. Today, I’ll present an analysis of selected parts of the Phishing, Spam, and Security Risk Highlights from the Executive Summary Highlights section of Symantec’s report. I will be providing analysis of further content of the ISTR XI on a(n almost) daily basis, until I decide I’m finished.

Interesting Trends:

Symantec’s Internet Security Threat Report volume XI provides a number of interesting statistics in its “Phishing, Spam, and Security Risks Highlights”. The following is a list of some notes from these statistics, for the period of the second half of 2006.

  1. Symantec noted significant increases in phishing messages by both volume and unique types. This is unsurprising, but confirms expected trends — as demographics with an internet presence increase in number, so does phishing become more common. This is not only a matter of simple target proliferation, but also of increasing numbers of computers being compromised for use as spam zombies.
  2. Volume and unique types of phishing messages were greater during the week than on weekends. This indicates that spam zombies are nontrivially represented among computers within business networks. Such computers are often turned off on weekends — thus rendering them inoperative as spam zombies during that period.
  3. Spam email constitutes more than half the total volume of email recorded by Symantec. Depressing, but unsurprising.
  4. All ten of the top ten security risks reported to Symantec in the last six months of 2006 employed automated updating features. This means that this malware included automated patch and version upgrade downloading capability — a sophistication commonly believed to be reserved for operating systems and certain stand-alone applications. Less impressive, but still notable, is the fact that all ten of the top ten security risks reported to Symantec in the second half of 2006 incorporated anti-removal features, including automated reinstallation routines. This is a significant increase over the five out of the top ten in the previous six months.


As noted in item 2 above, business systems are in no way exempt from use as spam zombies. It is commonly assumed that such systems are, on a per capita basis, less often compromised as spam zombies than home computers, because most business network security is believed to be better than typical home end-user security. A number of current trends may contradict this expectation, however:

  • As more home users add more computers to their households, they begin to purchase and use retail consumer router/firewall appliances that provide greater security for the home user.
  • Individual computers are gaining ground in security as well, as more and more home end-user computers have firewall applications installed. Other security software is likely being pressed into use more often as well, as security concerns and basic, minimal security procedures for stand-alone single-user systems become more commonly known.
  • The increasing tendency toward push-button security in enterprise deployment operating systems may contribute to decreased technical involvement of business IT workers in per-system security. On one hand, simply accepting built-in security features as sufficient may constitute part of the shortfall. On the other hand, such largely automated security configuration tends to complicate processes involved in more detailed security configuration, discouraging admins from expending the time and effort to achieve the same level of per-system oversight that was once more common. Meanwhile, the same security features would likely represent a net gain in security for home users who might otherwise not employ such measures at all.
  • Increasing migration of home users toward less mainstream, but more generally secure, software configurations — such as adoption of Unix-like OSes and use of open source applications as replacements for corporate vendor alternatives — may also account for a relative drop in vulnerability of home end-user systems. Businesses migrating to such software configurations, meanwhile, tend to be the same businesses that ensure greater security accountability regardless of what software is being used, and as such a corresponding decrease in security vulnerability may not apply in the business sector.


This has been the sixth installment in my security analysis of the Symantec Internet Security Threat Report, volume XI. This is a series of (mostly) daily posts collected under the SOB category Security. You may follow this series (and further security-specific posts) via RSS using the Security Category RSS Feed.

Next, I will provide a brief explanation of important factors to consider when reading security reports and similar publications such as Symantec’s Internet Security Threat Report volume XI, to help you avoid making incorrect assumptions and to help you discern accurate statistics and their meaning from inaccuracies borne of questionable methodology, conflicts of interest, and analytical bias. Such tips may even prove useful while reading my own analyses.

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License