  • Surf’s Up for Web-Based Organized Crime, IBM X-Force Says

    March 4, 2008 Alex Woodie

    If you’ve noticed that attempts to steal your identity and your money on the Web have grown more sophisticated in recent months, you’re not alone. In its analysis of thousands of attacks, IBM’s X-Force security group confirmed that the underground criminal economy made a lot of headway last year in its quest to exploit software and human vulnerabilities in its pursuit of ill-gotten gains off the Net.

    In its annual report on the state of information security, the X-Force team at Internet Security Systems (ISS) describes the trends shaping security for 2007, and what managers, administrators, and programmers should look for as they work to minimize their exposure for 2008. The group relies heavily on statistics to prove its point, and the report is chock full of statistics of all shapes and sizes.

    But the most surprising statistic concerns software vulnerabilities. During 2007, the number of newly reported vulnerabilities actually decreased compared to the previous year, the first time in modern history (read: since 2000) that’s happened. The 6,437 vulnerabilities reported last year corresponded with a 5 percent decline from 2006, following two years of 40 percent growth in vulnerabilities, according to X-Force.

    X-Force said the drop could represent “an anomaly, a statistical correction, or a new trend in the amount of disclosures.” Compared to the historical norm of 27 percent growth in new vulnerabilities each year (according to X-Force), perhaps the market could not sustain the pace set during the vulnerability bubble years of 2005 and 2006. Despite the overall drop in vulnerabilities, the number of critical “high priority” vulnerabilities increased by about 28 percent in 2007. However, that, too, could reflect a market correction, as 2006 was a slow year for critical vulnerabilities, in relative terms. Critical vulnerabilities accounted for about 22 percent of all vulnerabilities in 2007. Compared to years from 2000 to 2004, when critical vulnerabilities accounted for about 35 percent of all flaws, the Internet today is awash in low-to-mid-grade vulnerabilities.

    So, if overall vulnerabilities are down, and high impact vulnerabilities are trending below historical averages, what’s the big fuss over Internet security? If there are fewer critical vulnerabilities, isn’t the Net becoming safer?

    No way, according to X-Force. For one thing, only half of the vulnerabilities discovered can even be patched, the group says. And while Microsoft takes a lot of heat for its highly public flaws, it only accounted for 3.7 percent of all vulnerabilities reported in 2007. The five vendors responsible for the most vulnerabilities–Microsoft, Apple, Oracle, IBM, and Cisco, in decreasing order–accounted for only 13.6 percent of all the vulnerabilities in 2007, reflecting a healthy diversity in the market for security flaws.

    Vulnerabilities may be decreasing, but the criminal underworld is making better use of them. A big reason for this is the increasing popularity of exploit toolkits, which are applications sold on the black market that allow even the least sophisticated criminals to launch attacks on people’s Web browsers and steal their information. While X-Force says the total number of toolkit-using pirates on the Web is unknown (they’re increasingly using “obfuscation” techniques to camouflage their activities), several finds on online file storage sites lead it to suspect exploit toolkit piracy is widespread, it says.

    These toolkits are able to run through several routines before finding an unpatched vulnerability on a person’s Web browser, which means being protected from the latest critical bug in Firefox or IE doesn’t guarantee protection. You have to be protected from ALL vulnerabilities, including old ones and ones that haven’t been disclosed publicly yet. With thousands of vulnerabilities to choose from, the law of large numbers tips the balance heavily in favor of the pirates, who only have to find one unpatched vulnerability to have their way with your computer from their secure, undisclosed location.

    While the number of vulnerabilities is down, the amount of malware polluting the Internets is way up. X-Force analyzed 410,000 new malware samples during 2007, a 30 percent increase over 2006. Trojans saw a big comeback in 2007 compared to 2006, which was “the year of the drive-by downloader.”

    But just as the Internet’s upstanding citizens are promoting “mash-ups” using Web 2.0 technologies, so, too, are the Net’s denizens of evil getting creative with their programming. “The classic categories of virus, worm, spyware, and backdoor are becoming largely irrelevant. Modern malware is now the digital equivalent of the Swiss Army knife,” X-Force writes.

    Last year’s big breadwinner for the Web’s underworld, the Storm Worm, was a good example of this creativity at work, says Kris Lamb, operations manager for research and development at ISS. “The Storm Worm provides a microcosm of the kinds of threats users faced in 2007,” he says. “All in all, the exploits used to spread Storm Worm are a blend of the various threats tracked by X-Force, including spam, phishing, and drive-by-downloads by way of Web browser exploitation.”

    On the bright side, X-Force reports that spam was way down in 2007, largely due to a sudden decrease in image-based spam during the second quarter. Spammers attempted to fill the void with PDF- and MP3-based spam, but these ultimately failed, and spammers gave up on them, according to X-Force, which said it could be considered “a win for the security industry.” The only meaningful statistic that X-Force had regarding phishing was that phishing represents about 1 percent of spam.

    While spam is on the run, security professionals should be careful to keep up the vigilance. The Internet continues to attract criminals, con artists, and ne’er-do-wells like flies to excrement, and will continue to do so for some time.

    “Never before have such aggressive measures been sustained by Internet attackers towards infection, propagation, and security evasion,” Lamb says. “While computer security professionals can claim some victories, attackers are adapting their approaches and continuing to have an impact on users’ experiences.”

    RELATED STORIES

    Bleak Outlook for Information Security, According to Researchers

    In Search Of a More Secure Internet

    Security Attacks and Breaches on the Rise

    MPack Hacker Tool Claims 10,000 Compromised Web Sites

    IBM X-Force Says For-Profit Cyber Attacks to Increase in 2007



Volume 8, Number 9 -- March 4, 2008
Copyright © 2025 IT Jungle