Internet Security Threat Report - H1 2006
Symantec released the 10th edition of its much appreciated Internet Security Threat Report.
The very first edition of this report was published in 2002 by Riptech, a company focused on intrusion detection, which Symantec of Borg acquired in those years.
The most recent versions of the report are developed by over 1600 Symantec security analysts, the company claims. While results could be manipulated to justify old and new products, or to discredit competitors like Microsoft (and near the Windows Vista launch Symantec has every interest in doing so), it remains a useful tool for evaluating attack and vulnerability trends.
The September 2006 edition offers 120 pages of coverage of threat activity between January 1st and June 30th.
Below are the significant highlights, divided into categories.
Attack Trend
- Microsoft Internet Explorer was the most frequently targeted Web browser, accounting for 47% of all Web browser attacks
- Symantec observed an average of 6,110 DoS attacks per day
- The United States was the target of the most DoS attacks, accounting for 54% of the worldwide total
- The Internet service provider (ISP) sector was the most frequently targeted by DoS attacks
- China had the highest number of bot-infected computers during the first half of 2006, accounting for 20% of the worldwide total
- The United States had the highest percentage of bot command-and-control servers with 42%
- Beijing was the city with the most bot-infected computers in the world
- The United States ranked as the top country of attack origin, accounting for 37% of the worldwide total
- The home user sector was the most highly targeted sector, accounting for 86% of all targeted attacks
Vulnerability Trend
- Symantec documented 2,249 new vulnerabilities, up 18% over the second half of 2005. This is the highest number ever recorded for a six-month period
- Web application vulnerabilities made up 69% of all vulnerabilities this period
- Mozilla browsers had the most vulnerabilities, 47, compared to 38 in Microsoft Internet Explorer
- In the first six months of 2006, 80% of vulnerabilities were considered easily exploitable, up from 79%
- Seventy-eight percent of easily exploitable vulnerabilities affected Web applications
- The window of exposure for enterprise vulnerabilities was 28 days
- Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day
- In the first half of 2006, Sun operating systems had the highest average patch development time, with 89 days, followed by Hewlett Packard with 53 days, Apple with 37 days and Microsoft and Red Hat with 13 days
Malicious Code Trend
- Eighteen percent of all distinct malicious code samples detected by Symantec honeypots were new
- Five of the top ten new malicious code families reported were Trojan horse programs
- The most prevalent new malicious code family this period was that of the Polip virus
- Worms made up 38 of the top 50 malicious code samples
- Worms made up 75% of the volume of top 50 malicious code reports
- Symantec documented 6,784 new Win32 viruses and worms
- Bots accounted for 22% of the top 50 malicious code reports, up slightly from the 20% reported in the last period
- Thirty of the top 50 malicious code samples exposed confidential information
- Modular malicious code accounted for 79% of the volume of top 50 malicious code, down from 88% in the second half of 2005
Phishing, Spam and Security Risks
- The Symantec Probe Network detected 157,477 unique phishing messages, an increase of 81%.
- Financial services was the most heavily phished sector, accounting for 84% of phishing activity.
- Spam made up 54% of all monitored email traffic, up from 50% in the last period.
- The most common type of spam detected in the first six months of 2006 was related to health services and products.
- Fifty-eight percent of all spam detected worldwide originated in the United States
- Eight of the top ten reported security risks were adware programs.
- Three of the top ten new security risks are what Symantec calls misleading applications
Two of these results are quite expected but still the most interesting: an average of 28 days for vulnerability exposure, and 54% of mail traffic made up of spam.
While I'm well persuaded that preventing new threats is impossible at the moment, I wonder why the security industry is failing so miserably in mitigating damage.
I strongly recommend reading the whole Internet Security Threat Report - September 2006.