The Internet Security Threat Report is derived from data collected by millions of Internet sensors, first-hand research, and active monitoring of hacker communications, and provides a global view of the state of Internet security. The study period for the ISTR XIV covers January 2008 to December 2008.
The report noted that Web surfing remained the primary source of new infections in 2008, and that attackers are relying more and more on customized malicious code toolkits to develop and distribute their threats. Furthermore, 90 percent of all threats detected during the study period attempt to steal confidential information. Threats with a keystroke-logging capability - which can be used to steal information such as online bank account credentials - made up 76 percent of threats to confidential information, up from 72 percent in 2007.
There continues to be a well-organized underground economy specializing in the sale of stolen confidential data, particularly credit card and bank account credentials. This underground economy is thriving; whereas prices for goods in the legitimate market have fallen, prices for goods in the underground economy have remained consistent from 2007 through 2008.
The report also points to the increased resilience of malware authors against attempts to halt their activities. As an example, the shutdown of two U.S.-based botnet hosting outfits contributed to a significant decrease in active botnet activity during September and November 2008; however, botnet operators found alternate hosting Web sites and botnet infections quickly rose to their pre-shutdown levels.
Web application platforms were common sources of vulnerabilities during the evaluation period. These pre-built software products are designed to simplify the deployment of new Web sites and are in widespread use around the Internet. Many of these platforms were not designed with security in mind and consequently harbor numerous flaws leaving them potentially vulnerable to attack. Of all the vulnerabilities identified in 2008, 63 percent affected Web applications, up from 59 percent in 2007. Of the 12,885 site-specific cross-site scripting vulnerabilities reported in 2008 only 3 percent (394) had been fixed at the time the report was written.
The report also found that Web-based attacks originated from countries around the globe, with the most originating from the United States (38 percent), followed by China (13 percent) and the Ukraine (12 percent). Six of the top 10 countries where Web-based attacks were prominent were from the Europe and Middle East Africa (EMEA) region ‚Äì these countries accounted for 45 percent of the worldwide total, more than any other region.
The report found that phishing continued to grow. In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007, when were detected 33,428 phishing hosts. Financial services accounted for 76 percent of phishing lures in 2008 compared to 52 percent in 2007.
Finally, the report found that the volume of spam continued to grow. Over the past year, Symantec observed a 192 percent increase in spam detected across the Internet as a whole, from 119.6 billion messages in 2007 to 349.6 billion in 2008. In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam e-mail.
- By the end of 2008, there were more than 1 million individual computers infected by the worm Downadup (also known as Conficker); this worm was able to spread rapidly across the Internet due to a number of advanced propagation mechanisms. The number of Downadup/Conficker infections worldwide grew to more than 3 million infected systems during the first quarter of 2009
- According to Symantec data, in 2008, the growth of malicious code activity was greatest in the Europe, Middle East and Africa region
- In 2008, Symantec observed an average of more than 75, 000 active bot-infected computers each day, a 31 percent increase from 2007.