Attack Trends: 2004 and 2005

Counterpane Internet Security, Inc., monitors more than 450 networks in 35 countries, in every time zone. In 2004 we saw 523 billion network events, and our analysts investigated 648,000 security "tickets." What follows is an overview of what's happening on the Internet right now, and what we expect to happen in the coming months.

In 2004, 41 percent of the attacks we saw were unauthorized activity of some kind, 21 percent were scanning, 26 percent were unauthorized access, 9 percent were DoS (denial of service), and 3 percent were misuse of applications.

Over the past few months, the two attack vectors that we saw in volume were against the Windows DCOM (Distributed Component Object Model) interface of the RPC (remote procedure call) service and against the Windows LSASS (Local Security Authority Subsystem Service). These seem to be the current favorites for virus and worm writers, and we expect this trend to continue.

The virus trend doesn't look good. In the last six months of 2004, we saw a plethora of attacks based on browser vulnerabilities (such as GDI-JPEG image vulnerability and IFRAME) and an increase in sophisticated worm and virus attacks. More than 1,000 new worms and viruses were discovered in the last six months alone.

In 2005, we expect to see ever-more-complex worms and viruses in the wild, incorporating complex behavior: polymorphic worms, metamorphic worms, and worms that make use of entry-point obscuration. For example, SpyBot.KEG is a sophisticated vulnerability assessment worm that reports discovered vulnerabilities back to the author via IRC channels.

We expect to see more blended threats: exploit code that combines malicious code with vulnerabilities in order to launch an attack. We expect Microsoft's IIS (Internet Information Services) Web server to continue to be an attractive target. As more and more companies migrate to Windows 2003 and IIS 6, however, we expect attacks against IIS to decrease.

We also expect to see peer-to-peer networking as a vector to launch viruses.

Targeted worms are another trend we're starting to see. Recently there have been worms that use third-party information-gathering techniques, such as Google, for advanced reconnaissance. This leads to a more intelligent propagation methodology; instead of propagating scattershot, these worms are focusing on specific targets. By identifying targets through third-party information gathering, the worms reduce the noise they would normally make when randomly selecting targets, thus increasing the window of opportunity between release and first detection.

Another 2004 trend that we expect to continue in 2005 is crime. Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money. Hackers can sell unknown vulnerabilities -- "zero-day exploits" -- on the black market to criminals who use them to break into computers. Hackers with networks of hacked machines can make money by selling them to spammers or phishers. They can use them to attack networks. We have started seeing criminal extortion over the Internet: hackers with networks of hacked machines threatening to launch DoS attacks against companies. Most of these attacks are against fringe industries -- online gambling, online computer gaming, online pornography -- and against offshore networks. The more these extortions are successful, the more emboldened the criminals will become.

We expect to see more attacks against financial institutions, as criminals look for new ways to commit fraud. We also expect to see more insider attacks with a criminal profit motive. Already most of the targeted attacks -- as opposed to attacks of opportunity -- originate from inside the attacked organization's network.

We also expect to see more politically motivated hacking, whether against countries, companies in "political" industries (petrochemicals, pharmaceuticals, etc.), or political organizations. Although we don't expect to see terrorism occur over the Internet, we do expect to see more nuisance attacks by hackers who have political motivations.

The Internet is still a dangerous place, but we don't foresee people or companies abandoning it. The economic and social reasons for using the Internet are still far too compelling.

This essay originally appeared in the June 2005 issue of Queue.

Posted on June 6, 2005 at 1:02 PM • 44 Comments

Comments

Davi OttenheimerJune 6, 2005 1:41 PM

Bruce,
Thanks for the summary. Useful information, especially in anticipation for the upcoming release of the CSI/FBI report. However, I'm surprised you did not mention any of the exploits that led to mass personal identity information disclosures, which have been getting increased media attention over the past year. These exploits do not necessarily fall into your categories of political and financial institutions, and they seem to have as much if not more impact on public perception of "danger" on the Internet. Moreover, they often seem to have a blend of inside/outside attacks and be a "criminal pursuit". In February, the Federal Identity Theft Data Clearinghouse reported that 38% of all fraud claims in 2004 related to identity theft. Any reason for not calling out an increased threat to all commercial entities that handle personal identity information (e.g. DSW Shoe Warehouse, Polo Ralph Lauren)?

oliverJune 6, 2005 2:53 PM

Correct me if I'm wrong, but I believe most of the `mass personal identity information disclosure' episodes were accomplished with little or no technical prowess. Rather, the criminals in those cases exploited the human element. Not that this sort of vulnerability should be down-played at all, but I think it might have been slightly out of the scope of Bruce's essay.

Israel TorresJune 6, 2005 3:52 PM

"Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money."

Ugh... Hacking hasn't "moved" - The human mind has evolved (or degenerated) into using the primal hack as something different. Hacking is still the initial stepping stone into a world of freedoms the mind denies itself.

Israel Torres
Israel Torres

xJune 6, 2005 10:08 PM

I'll take Bruce's wording over " the initial stepping stone into a world of freedoms the mind denies itself" any day. Thanks for trying, though.

BennyJune 6, 2005 10:56 PM

Thank you, x, for saying what i was going to say but in a much less polite manner. Mr. Torres, it seems to me that you feel compelled to be one of the first to post a comment every time. That sort of thing is much more palatable when you actually have something meaningful to say.

Israel TorresJune 7, 2005 12:20 AM

@Alex:
The "spirit of hacking" allows curiosities to be satisfied in non-conventional ways. It appears that world has difficulty handing such things.

@x:
Take what you will, leave what you won't.

@Benny:
What it seems... isn't. Is it my fault my meaning is not your gotten? I think not.

@All:
Don't like what I have to say? The best way to keep things moving along is to ignore me. Reply to me and I will reply back. That is the nature of the beast. :)

Israel Torres

Torben B. SørensenJune 7, 2005 2:05 AM

Bruce,
How do the numbers for 2004 compare to 2003? Do you have comparable statistics?

Torben

AnonymousJune 7, 2005 2:47 AM

How bullet-proof are Mac's? If so, how much longer is this likely to be the case?

My nearest and dearest are casual i/net users (email, occasional browsing, no need to run the latest games) so a Mac seems like a good alternative.

not troll-baiting, I just don't want to recommend one only to have it turn into a wormfarm or maintenance nightmare.

James LandisJune 7, 2005 2:48 AM

@Israel:

"Ugh... Hacking hasn't "moved" - The human mind has evolved (or degenerated) into using the primal hack as something different. Hacking is still the initial stepping stone into a world of freedoms the mind denies itself."

Being new here, I suppose IBHT, but I believe you are misinterpreting the assertion about the 'movement' of hacking. The author was addressing the fact that the prevailing trend in observable hacks is toward those of criminal intent.

I don't believe it is correct to say that this implies an evolution of any kind except that the criminals are exploring new avenues. The spirit of hacking in its original sense is still very much alive. The author seems to be blurring this distinction by allowing the characterizion of the change as old hackers trying new things, when in reality it is old criminals trying new things. 'Ethical' hacking is simply being eclipsed by this new influx of activity.

It is probably fair to generalize that this observation isn't unique to computer technologies. Criminals go where the money is, and because so much new money is being invested here, naturally it will attract more of the wrong element.

Bill GodfreyJune 7, 2005 5:45 AM

"Counterpane Internet Security, Inc., monitors more than 450 networks in 35 countries, in every time zone."

Even Kiritimati? (UTC +14 hours)

Vince ChmielewskiJune 7, 2005 7:08 AM

"How bullet-proof are Mac's? If so, how much longer is this likely to be the case?"

Considering that there has not been a single successful virus or worm attack on an OS X system in the last 5 years, I'd say they are pretty bullet-proof. I don't see any indication that that will be changing anytime soon. Save your company some money on support and get some Mac's.

SukottoJune 7, 2005 8:12 AM

"In 2005, we expect to see ever-more-complex worms and viruses in the wild, incorporating complex behavior: polymorphic worms, metamorphic worms, and worms that make use of entry-point obscuration. For example, SpyBot."

What exactly is wrong with SpyBot? Are you claiming that SpyBot is distributing worms or viruses? I've been very happy with SpyBot and regularly use it to remove nasties from my computer systems.

MihaiJune 7, 2005 8:25 AM

Vince, In my opinion the only reason Macs didn't get any viruses/worms is that it’s not popular enough. I already feel the angry Mac fans protesting, but this is the plain truth.

Most of today’s hackers/cyber criminals tend to target the best known applications in order to gain as much notoriety/money as possible. This is part of the reasons why Mac hasn’t been hit with a strong worm/virus epidemic.

If you follow the security headlines, you'll remember that Mac has recently had quite a few security updates. I think that as soon as Mac OS will begin gaining ground, it will become an interesting target for hackers.

Moving to another subject, I just wonder how everybody here sees the recent story of industrial espionage in Israel. Is this the debut of a possible trend or just an isolated case. Trojans like the one in question tend to be hard to detect and easy to insert, specially if they’re hand made to target a particular network/system. And we all now that local security isn’t at its best in today’s companies. Any thoughts?

Israel TorresJune 7, 2005 9:09 AM

@James Landis

"I believe you are misinterpreting the assertion about the 'movement' of hacking."

Hi James, being new as you mentioned you may not have seen the same author's (Bruce's) post on his interpretation of hackers. You may read his quotes on my blog here:
http://blog.israeltorres.org/?p=35

The author has proven to persist with inconsistencies in the usage of the word hacker. It appears that it is used as a matter of convenience (based on subject matter) and not as a matter of fact. Unfortunately as in the position the author sits in the audience feeds on his words as if they were also fact.

As you have stated that he also blurs relevant distinctions, I am trying to "unblur" them.

Israel Torres

Bruce SchneierJune 7, 2005 9:31 AM

"Even Kiritimati? (UTC +14 hours)."

Every time zone as in "the sun never sets on the British Empire" sense. There are some attacks -- e-mail borne stuff -- that you tend not to see unless it's working hours. We're monitoring enough time zones that it's always working hours somewhere.

jammitJune 7, 2005 10:54 AM

First thing: I don't know which came first, the hacker or the criminal, but I do know that there is now some sort of synergy between the two where their skills overlap. I doesn't mean hackers are turning into criminals, or criminals are turning into hackers.
Second thing: As far as vulnerable systems go, we could go on forever about how (great/crappy) that (Windows/Linux/Mac) (is/are). The bad guys rob gas stations and banks. Banks have lots of money and good security, gas stations have little money and bad security. You just pick an appropriate target.

samJune 7, 2005 11:27 AM

English words are defined by their usage. And hacker is used to mean cracker/criminal in the vast majority of mainstream uses. So in mainstream English that is what it means. The fact that a subculture exists that uses the term to mean something else, and that they used it first is irrelevant.

"Nice" doesn't mean foolish anymore, pretty doesn't mean clever anymore, counterfeit doesn't mean legitimate copy anymore, and tell doesn't mean count anymore (though we still have bank tellers and the phrase "all told").

And "movement" is used the way Bruce used it all the time. A random example from google "At that point, white, middle-class American youth culture moved away from the rock 'n' roll dance music that had become the staple of American Bandstand, opting instead for the drug-influenced psychedelia of the Vietnam War era" - that doesn't mean the people who were into rock'n'roll dance music gave it up and got into drug-influenced psychedelia (though some probably did). It means that the people making up "youth" became a new set of people who had different interests.

The set of people who do "hacking" now contains more people doing it with criminal intent for profit than it once did - and hence relatively fewer doing it as a hobby to impress their peers or just for fun. Or alternatively more "events" are criminal in intent than previously - the same sized (relatively) group of people might just be busier...

AnonymousJune 7, 2005 11:38 AM

Hi Bruce,
In this snip:
"In 2005, we expect to see ever-more-complex worms and viruses in the wild, incorporating complex behavior: polymorphic worms, metamorphic worms, and worms that make use of entry-point obscuration. For example, SpyBot."
are you suggesting SpyBot is malware or an attack vector or an entry point or ...?
Thanks for all the great stuff, Mike

Israel TorresJune 7, 2005 12:34 PM

@sam

"The set of people who do "hacking" now contains more people doing it with criminal intent for profit than it once did"

That certainly is not true in the least.
It can be said that criminals have expanded their technical skills... not the other way around. This is the confusion that exists in criminals vs hackers - they are not one in the same.

Israel Torres

Tim VailJune 7, 2005 1:15 PM

@Israel

I think you are probably correct that the people who normally call themselves "hackers" are not the ones doing it with criminal intent. However, the point sam was addressing is the meaning of the word itself has changed. In essence, the group you are referring to is not responsible for this. It is more that the general public has decided to include the criminal group within the definition of that word.

It does not matter who coined the word to start with, sometimes words wind up being used by the public in a way not originally intended. The creator of the word can scream on the sidelines all they want, but they have only minimal control over how their creation is going to be used. Lexicographers recognize this, and as such, they tend to change their dictionary as word usage changes. Unfortunately, I believe no amount of "education" is going to back up this trend, so you might as well get on with it.

So...what Bruce said -- there are more important things to fight than this semantic battle. Which is more important -- improving our privacy and security, or arguing about how a word should be used.

Davi OttenheimerJune 7, 2005 3:17 PM

@oliver

"Correct me if I'm wrong, but I believe most of the `mass personal identity information disclosure' episodes were accomplished with little or no technical prowess. [...] I think it might have been slightly out of the scope of Bruce's essay."

You are technically correct that today a majority of mass disclosure episodes are breaches that are not particularly technical in nature. Aside from the fact that worms and trojans also do not require much technical prowess, the trends show a significant increase in fraud-related activity directly related to Internet-borne attacks. In fact there is substantial evidence today of botnets setup specifically for the purposes of fraud-related (identity) breaches.

This paper says it is a view of "what's happening on the Internet right now, and what we expect to happen in the coming months" and Bruce gives a very high-level description of the elements that would cause massive identity theft breaches. However there is no mention of this threat or even its relevance to the companies that house massive amounts of personal identity information (health care, retail, etc.).

Israel TorresJune 7, 2005 4:10 PM

@Tim Vail

I have no problem wearing hackerism on my sleeve and neither should any hacker. I will fight the fight even if it falls upon deaf ears.

Israel Torres

afgdiasJune 7, 2005 4:45 PM

"What exactly is wrong with SpyBot? Are you claiming that SpyBot is distributing worms or viruses? I've been very happy with SpyBot and regularly use it to remove nasties from my computer systems."
I believe that Bruce is talking about other SpyBot, not the anti-spyware SpyBot S&D.
See http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
"W32.Spybot.Worm is a detection for a family of worms that spreads using KaZaA file sharing and mIRC. This worm can also spread to computers that are infected with common back door Trojan horses and network shares that make use of weak passwords."

Thomas SprinkmeierJune 8, 2005 1:32 AM

@Mihai

If malware is purely a function of popularity, how do you explain IIS vs Apache? Exchange vs Sendmail (OK... recent sendmail :-)

I think security has more to do with the vendor-supplied defaults, and the security/usability tradeoffs incorporated in those defaults.
People hardly ever change the defaults, so if the default is to have priveleged user accounts then that's how most boxes will run, and the box will be less secure as a result. OpenBSD(?) has never had a remote vulnerability in it's default configuration, in part because the default configuration sacrifices 'usability' for security.

I think the question "how likely are Mac's to be configured 'friendly' rather than 'secure' in the near future?" is more important then "how popular are Mac's going to be in the near future?".

danielJune 8, 2005 1:54 AM

What I find particularly disturbing is the increase in "intelligence." Or, a worms ability to gather more information automatically about the network it resides on. One of the Internet's greatest strengths lays in its topology. However, this strength is at the same time one of its greatest weaknesses. The Internet exhibits a small-worlds network topology. Knocking out random nodes on the Internet will not take it down. Knock out a very small number of select nodes though, and poof, the Internet is gone.

DaveJune 8, 2005 2:40 AM

"If malware is purely a function of popularity, how do you explain IIS vs Apache?"

Cos the blue chips are skewed towards IIS. Most of the big money is behind IIS servers; most personal websites or shared servers run on apache. Follow the money...

DaveJune 8, 2005 2:41 AM

"Knock out a very small number of select nodes though, and poof, the Internet is gone."

Care to elaborate on how taking out a very small number of nodes can make the Internet "be gone"?

Don ParkJune 8, 2005 3:50 AM

Come on, Bruce. This trend report could have been put together using just public news. Give up some juicy stuff, will ya?

Brian FahrlanderJune 8, 2005 4:00 AM

I can't help but feel a large amount of this viral/antagonistic work is funded. Here's the world's best known OS, who's source code is protected as good as the Holy Grail, runs on tens of millions of machines, and (three years ago) it was listed as having 64,000 unique viruses.

In the other corner sits Linux. They're practically giving it away with breakfast cereal, sourcecode and all. It has at least as many installs as Macintosh, and has had so few viruses as to be counted on only one hand. This isn't about installs.

It would be so easy to think it was just a matter of technicality, but I think not. I remember when the term 'virus' was almost a myth. When CP/M roamed the Earth and no one made signifigant money with computers.

And I can't help but feel betrayed by the company that made computers ubiquitous; the same computers I helped install over the last 29 years. It's no longer about computing, it's only about money. And due to strategic, money interests, almost nothing new is happening. No one wants to create something MS will take over, steal, or otherwise 'eat' the investment on.

Yet, every day hundreds of viruses come to light, and in corporations everywhere machines are getting 'flushed and filled' instead of doing real work. Everyone knows someone that has a virus; we're always getting asked for help in removing them.

How soon until we go back to computing with our computers?

dubinJune 8, 2005 4:29 AM

"Most of today’s hackers/cyber criminals tend to target the best known applications in order to gain as much notoriety/money as possible. This is part of the reasons why Mac hasn’t been hit with a strong worm/virus epidemic."

Hackers probably spend less time writing viruses/worms for Mac because it is a less interesting target. However, the fact that there are relatively few Macs around makes it in fact harder to attack them.

Consider a basic fact of epidemiology: a virus can only spread if every infected computer infects at least one other computer. Now if a virus would spread via let's say a peer to peer network the virus could potentially infect 10 or 20 windows machines from a single infected machine for each Mac.
As a result, a virus written for Macs would have to be far more effective to start an empidemic as compared to a virus written for Windows.

AcidusJune 8, 2005 9:02 AM

To Dave:

I recently did a report for a CS class about the "connectedness" of the Internet, and its ability to withstand random -vs- deliberate failures.

http://www.memestreams.net/users/acidus/blogid4828888

The summary is: Even if 500 ASes randomly fail, 99% of the Internet is reachable. If the top 100 ASes are knocked out, 54% of the Internet is reachable. If the top 500 ASes are knocked out, only 8% of the Internet is reachable, and average distance between any two nodes is 5x larger than before.

DaveJune 8, 2005 9:11 AM

Acidus - that was a fascinating read, thanks for the link. Back to the point at hand:

"Knock out a very small number of select nodes though, and poof, the Internet is gone."

I contest that 100 autonomous systems (we're talking ISP/backbone providers here, right?) is not a very small number, and while hackers are more than capable of blackmailing a few online casinos with their zombie networks, I doubt that there are any resourceful enough to "knock out" 1 AS, let alone 100.

A government on the other hand... I could imagine in an extreme case a medium sized covert op to take out actual data centers using physical means. Cyberterrorism targetting infrastructure is much more plausible a threat than some Russian hacker gang IMHO. :)

MikeCJune 8, 2005 12:01 PM

I'm surprised we haven't seen an attack on XP/2003 that cause each system to force a re-registraton with Microsoft. Think of the denial of service potential there.

BennyJune 8, 2005 4:29 PM

@ Dave:

What about DNS servers? They're few in numbers (13?), and provide a service crucial to the functioning of the Internet. Wasn't there a DoS attack that affected 4 of the 13 for more than an hour in 2002? Since then, the size of botnets have only grown, making DDoS attacks even more powerful. And there are other ways to attack the DNS service as well (DNS cache poisoning, etc.), since the protocol is pretty insecure.

Gary W. LongsineJune 8, 2005 7:23 PM

@Sam, et. al.,

w32.spybot.worm.KEG vs. SpyBot S&D

Bruce was referring to a particular variant of the spybot worm.

http://www.symantec.com/avcenter/venc/data/w32.spybot.keg.html

This variant (and presumably many other variants since then) scan for particular vulnerabilities from an infected host and report the data back via IRC.

The naming of malware causes tremendous confusion, with different AntiVirus vendors giving the same worm different names. Naming a worm the same name as a competitor (a spyware cleanup tool) might be considered pretty rude. I haven't done a hex dump on a sample of the worm to see if it contains the string "spybot" or not, but even if it does, it's still rude.

Or perhaps brilliantly evil, like an Evil Petting Zoo!

/gary

Thomas SprinkmeierJune 8, 2005 9:41 PM

@Dave,

"Cos the blue chips are skewed towards IIS. Most of the big money is behind IIS servers; most personal websites or shared servers run on apache. Follow the money..."

You're implying that though the overall usage statistics favour apache, the usage statistics for desirable targets favour IIS.
I have no idea what proportion of bluechips use IIS vs apache, but let's assume they all do.

An attacker going after a bluechip would not want to publicise the vulerability that allows him access.
A worm that indiscrimenately roams the internet is the last thing he wants, it would gurantee a patch being supplied by the vendor, locking him out of his target(s) (assuming valuable servers get patched).

If these vulnerabilities were being found by expert hackers trying to crack bluechips, the I would expect the chronology to be:
1. vulnerability found and quietly exploited
2. victim notices, quietly alerts vendor
3. vendor patches BEFORE the first widespread public outbreak
4. users don't apply patches, patches reverse-engineered, copy-cat worms roam the 'net

Instead we're seeing patches from the vendor AFTER the first widespread public outbreak (which are still not being applied by users, leading to more copy-cat worms).


@Brian Fahrlander
"It's no longer about computing, it's only about money."

It's always been about money, that's how capitalism works.
Being a monopoly allows Microsoft to be more aggressive about getting that money, which is why monopolies are a Bad Thing for consumers.

"How soon until we go back to computing with our computers?"

As soon as you switch to an alternative.

Phil HollowsJune 8, 2005 10:42 PM

@Bruce:

Can you clarify what you mean by the term "network event"? That would help me put your metrics into terms and concepts that we use.

Thanks

Phil

Vince ChmielewskiJune 22, 2005 2:25 PM

Mihai,

In response to your comment: "Vince, In my opinion the only reason Macs didn't get any viruses/worms is that it’s not popular enough. I already feel the angry Mac fans protesting, but this is the plain truth."

Let's just say for arguments sake that your opinion was in fact reality and that Macs are mostly immune because of their relatively small number. If so, how does that change the advantage? If they don't have viruses, they don't have viruses, why do you care why? Do you suddenly expect Macs to jump to a majority marketshare and change that dynamic?

As far as your opinion, I don't see any support for it. First, I'm sure there would be a great deal of notoriety in being the first to write a virus for OS X, so I'm sure there are people trying. Second, there are known flaws in Windows and IE that make most these viruses possible. The flaws have nothing to do with market share.

Also, there is a huge difference between patching a potenial security issue as Apple has done, and dealing with actual exploits as you have on Windows.

The bottom line is OS X systems are more secure regardless of the reasons. We can argue about those reasons, but personally I prefer to argure from this side.

the dumb oneOctober 5, 2006 8:37 AM

i don't get it- i need help with my homework!!!!!!!!! i don't care what you expect i care about the history of viruses and UNDERSTANDING WHAT YOU MEAN!!!!!!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..