8/14/2019 B-whitepaper Internet Security Threat Report Xiv 04-2009.en-us
Symantec Enterprise Security
Symantec Global Internet Security Threat Report
Trends for 2008
Volume XIV, published April 2009
Marc Fossi, Executive Editor, Manager, Development, Security Technology and Response
Eric Johnson, Editor, Security Technology and Response
Trevor Mack, Associate Editor, Security Technology and Response
Dean Turner, Director, Global Intelligence Network, Security Technology and Response
Joseph Blackbird, Threat Analyst, Symantec Security Response
Mo King Low, Threat Analyst, Security Technology and Response
Teo Adams, Threat Analyst, Security Technology and Response
David McKinney, Threat Analyst, Security Technology and Response
Stephen Entwisle, Threat Analyst, Security Technology and Response
Marika Pauls Laucht, Threat Analyst, Security Technology and Response
Candid Wueest, Threat Analyst, Security Technology and Response
Paul Wood, Senior Analyst, MessageLabs Intelligence, Symantec
Dan Bleaken, Threat Analyst, MessageLabs Intelligence, Symantec
Greg Ahmad, Threat Analyst, Security Technology and Response
Darren Kemp, Threat Analyst, Security Technology and Response
Ashif Samnani, Threat Analyst, Security Technology and Response
Contents
Introduction ... 4
Executive Summary ... 5
Highlights ... 13
Threat Activity Trends ... 17
Vulnerability Trends ... 35
Malicious Code Trends ... 55
Phishing, Underground Economy Servers, and Spam Trends ... 73
Appendix A: Symantec Best Practices ... 93
Appendix B: Threat Activity Trends Methodology ... 95
Appendix C: Vulnerability Trends Methodology ... 97
Appendix D: Malicious Code Trends Methodology ... 104
Appendix E: Phishing, Underground Economy Servers, and Spam Trends Methodology ... 105
Introduction
The Symantec Global Internet Security Threat Report provides an annual overview and analysis of worldwide Internet threat activity, a review of known vulnerabilities, and highlights of malicious code. Trends in phishing and spam are also assessed, as are observed activities on underground economy servers. Previously presented every six months, this volume of the Symantec Global Internet Security Threat Report will alert readers to trends and impending threats that Symantec has observed for 2008.

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network. More than 240,000 sensors in over 200 countries monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, as well as additional third-party data sources.

Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Additionally, Symantec's distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attack methods.

Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades) affecting more than 72,000 technologies from more than 11,000 vendors. Symantec also facilitates the BugTraq mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 50,000 subscribers who contribute, receive, and discuss vulnerability research on a daily basis.

Spam and phishing data is captured through a variety of sources including: the Symantec Probe Network, a system of more than 2.5 million decoy accounts; MessageLabs Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over eight billion email messages, as well as over one billion Web requests, are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors and more than 50 million consumers.

These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Global Internet Security Threat Report, which gives enterprises and consumers the essential information to effectively secure their systems now and into the future.
Executive Summary
The Symantec Internet Security Threat Report consists primarily of four reports: the Global Internet Security Threat Report; the EMEA Internet Security Threat Report, for the Europe, the Middle East, and Africa (EMEA) region; the APJ Internet Security Threat Report, for the Asia-Pacific/Japan (APJ) region; and the Government Internet Security Threat Report, which focuses on threats of specific interest to governments and critical infrastructure sectors. Together, these reports provide a detailed overview and analysis of Internet threat activity, malicious code, and known vulnerabilities. Trends in phishing and spam are also assessed, as are observed activities on underground economy servers.

This summary will discuss current trends, impending threats, and the continuing evolution of the Internet threat landscape based on data for 2008 discussed within the four reports. This summary will also discuss how regional differences can affect malicious activity globally.

There are a number of trends noted in previous volumes of the Symantec Internet Security Threat Report that continued in 2008: malicious activity has increasingly become Web-based; attackers are targeting end users instead of computers; the online underground economy has consolidated and matured; and attackers are able to rapidly adapt their attack activities.1

Symantec recently examined these trends along with the continued consolidation of malicious activities in the online underground economy in the Symantec Report on the Underground Economy.2 That report found that the underground economy is geographically diverse and able to generate millions of dollars in revenue for (often) well-organized groups. The underground economy is also increasingly becoming a self-sustaining system where tools specifically developed to facilitate fraud and theft are freely bought and sold. These tools are then used for information theft that can then be converted into profit to fund the development of additional tools.

Based on the data and discussions presented in the current Symantec Internet Security Threat Report, this summary will examine the primary methods being used to compromise end users and organizations, who is staging these attacks, and what these attacks are after. Finally, this summary will look at emerging trends that Symantec believes will become prevalent in the near future.
How users are being compromised
Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people online increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity.3 Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content.

Some of the common techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields), or exploiting some vulnerability present in the underlying host operating system. In 2008 alone, there were 12,885 site-specific vulnerabilities identified (figure 1) and 63 percent of vulnerabilities documented by Symantec affected Web applications. Attackers can exploit these vulnerabilities in a website or underlying application to modify the pages served to users visiting the site. This can include directly serving malicious
1 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
2 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf
3 http://www.verisign.com/static/043939.pdf
content from the site itself, or embedding a malicious iframe in pages that can redirect a user's browser to another Web server that is under the attacker's control.4 In this way, the compromise of a single website can cause attacks to be launched against every visitor to that site.

Figure 1. Site-specific vulnerabilities (2007: 17,697; 2008: 12,885)
Source: Based on data provided by the XSSed Project5

In the case of a popular, trusted site with a large number of visitors, this can yield thousands of compromises from a single attack. For example, one attack that targeted the websites of both the United Nations and the UK government, among others, injected malicious code that was designed to load content from an attacker-controlled location onto visitors' browsers.6 Another separate attack successfully defaced the national Albanian postal service website.7 These types of attacks provide an optimal beachhead for distributing malicious code because they target high-traffic websites of reputable organizations.

In order to compromise the largest possible number of websites with a single mechanism, attackers will try to compromise a class of vulnerability by searching for commonalities within them and generically automating the discovery and exploitation. This allows attackers to compromise websites with the efficiency commonly found in network worms.

The length and complicated steps being pursued to launch successful Web-based attacks also demonstrate the increasing complexity of the methods used by attackers. While a single high-severity flaw can be exploited to fully compromise a user, attackers are now frequently stringing together multiple exploits for medium-severity vulnerabilities to achieve the same goal. An indicator of this is that eight of the top 10 vulnerabilities exploited in 2008 were rated as medium severity.
4 An iframe is an HTML element that can include Web content from other pages or Web servers to be rendered when the user visits the original page. This page can be constructed so that it is effectively invisible and the user will not see any of the embedded content when viewing the original page.
5 Data was provided by the XSSed Project, a site devoted to tracking and verifying reports of site-specific cross-site scripting vulnerabilities: http://www.xssed.com.
6 http://news.cnet.com/8301-10789_3-9925637-57.html
7 h://albass.co/?=3
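As an added example (not code from the original report), the following Python check scans a page's HTML for the kind of effectively invisible iframe described in footnote 4 and flags it for review; the sample page, hostnames and addresses are constructed, and only the standard library is used.

```python
"""Flag iframes that are rendered effectively invisible, a common sign of an
injected redirect on a compromised website. Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed and two suspicious iframes.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0"></iframe>
<div><iframe src="http://bad-example.test/x.php"
     style="visibility:hidden; position:absolute;"></iframe></div>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
RAW_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _dimension(value):
    """Parse a width/height attribute such as '0', '1px' or '100%'; None if absent."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def iframe_findings(html, page_host):
    """Return [(src, reasons)] for iframes that use a hiding technique.

    page_host is the hostname of the page being scanned. An off-site src is
    recorded as 'external' and a dotted-quad host as 'raw IP address', but a
    finding is reported only when the frame is also sized to (near) zero or
    hidden via CSS; an ordinary external embed is not reported on its own.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src", "")
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero-or-one-pixel size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        host = urlparse(src).hostname or ""
        if host and host != page_host:
            reasons.append("external")
        if RAW_IPV4.fullmatch(host):
            reasons.append("raw IP address")
        if "zero-or-one-pixel size" in reasons or "hidden via CSS" in reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in iframe_findings(SAMPLE_HTML, "www.example.org"):
        print(f"{src}: {', '.join(reasons)}")
```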
Many enterprises and end users will often make patching high-severity vulnerabilities a top priority, while medium- and low-severity vulnerabilities may be ignored. This could result in the possibility of more computers remaining exposed for longer periods to these vulnerabilities. For example, of the 12,885 site-specific cross-site scripting vulnerabilities identified by Symantec in 2008, only 394 (3 percent) are known by Symantec to have been fixed.8

These developments and trends indicate that Web-based threats have not only become widespread, but that they have also increased in sophistication. In particular, Symantec has noticed that some botnets (such as Asprox,9 which was primarily used for phishing scams) are being designed to specifically exploit cross-site scripting vulnerabilities in order to inject malicious code into compromised websites.10

In many cases, medium-severity vulnerabilities are sufficient to mount successful attacks if attackers are able to execute arbitrary code and perform actions such as accessing confidential information or making network connections. This is made possible because many end users do not require administrative privileges to run or modify the targeted applications. While the damage of client-side vulnerabilities may be limited by best practices, such as restricting Web applications at the administrative level, this is often unrealistic given how integral Web applications are to the delivery of content for many businesses. Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful malicious attacks on individual end users as well as at the enterprise level.

That said, however, a single high-severity vulnerability was the most attacked flaw in 2008. Previous editions of the Symantec Internet Security Threat Report noted that there has been a decrease in the volume of network worms, primarily due to a lack of easily exploitable remote vulnerabilities in default operating system components. Many network worms exploited such vulnerabilities in order to propagate. Highly successful worms such as CodeRed,11 Nimda,12 and Slammer13 all exploited high-severity vulnerabilities in remotely accessible services to spread. These worms prompted changes in security measures, such as the inclusion of personal firewall applications in operating systems that are turned on by default. This helped protect users from most network worms, even if the vulnerability being exploited was not immediately patched.

The high-severity vulnerability in question was a zero-day vulnerability that was discovered in late 2008 in the Microsoft Windows Server Service RPC Handling component that allowed remote code execution.14 Because remote communication with this service is allowed through the Windows firewall when file and printer sharing is turned on, many users would have to apply the patch to be protected from exploitation attempts. Soon after, a new worm called Downadup (also known as Conficker) emerged that exploited this vulnerability.15 Downadup was able to spread rapidly, partially due to its advanced propagation mechanisms and its ability to spread through removable media devices.16 By the end of 2008 there were well over a million individual computers infected by Downadup. Once Downadup has infected a computer, it uses a Web or peer-to-peer (P2P) update mechanism to download updated versions of itself, or to install other malicious code onto the compromised computer.
8 For the purposes of this report, the cross-site scripting term encapsulates two broad classes of vulnerability; this includes traditional cross-site scripting and a category known as HTML injection (or persistent cross-site scripting).
9 http://www.symantec.com/security_response/writeup.jsp?docid=2007-060812-4603-99
10 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 33
11 http://www.symantec.com/security_response/writeup.jsp?docid=2001-071911-5755-99
12 http://www.symantec.com/security_response/writeup.jsp?docid=2001-091816-3508-99
13 http://www.symantec.com/security_response/writeup.jsp?docid=2003-012502-3306-99
14 http://www.securityfocus.com/bid/31874
15 http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
16 https://forums2.symantec.com/t5/Malicious-Code/Downadup-Attempts-at-Smart-Network-Scanning/ba-p/382114 - A233
Downadup has been particularly prolific in the APJ and Latin America (LAM) regions.17 These regions are also where some of the highest software piracy rates are recorded.18 Because pirated versions of software are frequently unable to use automated update mechanisms for security patches (in many cases they are detected and disabled), it is likely many computers in these two regions have not been patched against Downadup. Software piracy rates are often higher in emerging markets with rapidly growing Internet and broadband infrastructures.19

From the data gathered for this reporting period, Symantec has also noted other significant malicious activities occurring in countries with rapidly emerging Internet infrastructures. For example, while the United States is still home to a large amount of threat activity and continues to be the top ranked country for malicious activity (primarily due to its extensive broadband penetration and significantly developed Internet infrastructure), Symantec has noted a steady increase in malicious activity in countries not previously associated with such activities. One result of this trend is that these countries can appeal to attackers as potential bases for hosting phishing websites, spam relays, and other malicious content, possibly because rapidly growing ISPs in these areas may have difficulty monitoring and filtering the growing volume of traffic across their networks.

Attackers may also organize themselves with contingency plans in case their activities are detected. By locating their activities in a variety of countries, attackers can minimize the chances of being partially or completely shut down. This is demonstrated by events after the shutdown of a U.S.-based ISP toward the end of 2008.20 It seems that the bot controllers generating much of the attack activity from this ISP had alternative hosting plans.21 As a result, although Symantec noted a significant drop in malicious activity after the shutdown, particularly spam, the numbers returned to previous levels soon afterward. It became apparent that the bot controllers had been able to successfully relocate enough of their bot command-and-control (C&C) servers to other hosts, and were thus able to build their botnets back up to previous numbers. Given that the affected botnets were three of the world's largest, it is not surprising that new locations were quickly found to host these servers due to the significant profits such botnets are able to generate.

What attackers want
More than ever before, attackers are concentrating on compromising end users for financial gain. In 2008, 78 percent of confidential information threats exported user data, and 76 percent used a keystroke-logging component to steal information such as online banking account credentials. Additionally, 76 percent of phishing lures targeted brands in the financial services sector (figure 2) and this sector also had the most identities exposed due to data breaches. Similarly, 12 percent of all data breaches that occurred in 2008 exposed credit card information. In 2008 the average cost per incident of a data breach in the United States was $6.7 million,22 which is an increase of 5 percent from 2007, and lost business amounted to an average of $4.6 million.23
17 https://forums2.symantec.com/t5/Malicious-Code/Downadup-Geo-location-Fingerprinting-and-Piracy/ba-p/380993 - A228
18 h://aschca.co/old/co/2008/01/bsa-ac-cooc-ac-s-s-of-bllos-of-dollas.as
19 h://fdacls.co//acls/_0ein/s_2008_ma_14/a_25411795
20 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf : p. 7
21 http://www.theregister.co.uk/2008/11/18/short_mccolo_resurrection/
22 All figures are in U.S. dollars unless otherwise noted.
23 http://www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf
| 2008 Rank | 2007 Rank | Item | 2008 Percentage | 2007 Percentage | Range of Prices |
|---|---|---|---|---|---|
| 1 | 1 | Credit card information | 32% | 21% | $0.06-$30 |
| 2 | 2 | Bank account credentials | 19% | 17% | $10-$1000 |
| 3 | 9 | Email accounts | 5% | 4% | $0.10-$100 |
| 4 | 3 | Email addresses | 5% | 6% | $0.33/MB-$100/MB |
| 5 | 12 | Proxies | 4% | 3% | $0.16-$20 |
| 6 | 4 | Full identities | 4% | 6% | $0.70-$60 |
| 7 | 6 | Mailers | 3% | 5% | $2-$40 |
| 8 | 5 | Cash out services | 3% | 5% | 8%-50% or flat rate of $200-$2000 per item |
| 9 | 17 | Shell scripts | 3% | 2% | $2-$20 |
| 10 | 8 | Scams | 3% | 5% | $3-$40/week for hosting, $2-$20 design |

Table 1. Goods and services available for sale on underground economy servers
Source: Symantec
One result that Symantec has drawn from the observance of increased professionalization in the underground economy is that the coordination of specialized and, in some cases, competing groups for the production and distribution of items such as customized malicious code and phishing kits has led to a dramatic increase in the general proliferation of malicious code. In 2008, Symantec detected 1,656,227 malicious code threats (figure 3). This represents over 60 percent of the approximately 2.6 million malicious code threats that Symantec has detected in total over time.

Figure 3. New malicious code threats, number of new threats per period: 2002: 20,547; 2003: 18,827; 2004: 69,107; 2005: 113,025; 2006: 140,690; 2007: 624,267; 2008: 1,656,227
Source: Symantec
An example of this type of underground professional organization is the Russian Business Network (RBN). The RBN reputedly specializes in the distribution of malicious code, hosting malicious websites, and other malicious activity. The RBN has been credited with creating approximately half of the phishing incidents that occurred worldwide last year. It is also thought to be associated with a significant amount of the malicious activities on the Internet in 2007.

Since then there have been two significant instances of ISPs that were shut down because of malicious activity. These ISPs were hosting malicious code, phishing websites, bot C&C servers, and spam relays. This includes the instance noted above, where Symantec saw a 65 percent drop in spam and a 30 percent decrease in bot activity within 24 hours of one particular ISP being taken offline.25 While it may seem remarkable that the shutdown of a single ISP can result in such drastic decreases in malicious activity within a short period, as noted, malicious activity is increasingly organized and attackers are now readily prepared for contingencies that might affect their operations. Much of the malicious activity was simply shifted to other locations. In this instance, the ISP even resurfaced briefly to afford the group an opportunity to update the botnets under their control.26

In this increasingly sophisticated Internet threat landscape, there is a growing impetus for greater cooperation to address the high degree of organization of groups creating threats on the Internet. This was demonstrated by the aggressive spread of the Downadup worm in the late months of 2008 and into 2009. Due to its multiple propagation mechanisms, the worm was able to spread rapidly. More worrisome is the fact that the worm contains an update mechanism that could allow new versions of the worm or other threats, such as a bot, to be installed on compromised computers. To combat its rapid spread and aggressive profile, a coalition was formed by stakeholders involved in Internet security.27 The success of this coalition in determining how the worm operates, slowing its growth, and limiting its potential damage demonstrates the benefits of increased cooperation among Internet security stakeholders.

Conclusion
Changes in the current threat landscape (such as the increasing complexity and sophistication of attacks, the evolution of attackers and attack patterns, and malicious activities being pushed to emerging countries) show not just the benefits of, but also the need for, increased cooperation among security companies, governments, academics, and other organizations and individuals to combat these changes. Symantec expects malicious activity to continue to be pushed to regions with emerging infrastructures that may still lack the resources to combat the growing involvement of organized crime in the online underground economy. The onus will be on organizations, institutions, and other knowledgeable groups to come together for the benefit of the affected regions. Internet threat activity is truly global, and malicious activity allowed to flourish in one area could quickly spread worldwide.

With the increasing adaptability of malicious code developers and their ability to evade detection, Symantec also expects that overt attack activities will either be abandoned or pushed further underground. For example, if the effort to set up malicious ISPs outweighs the return for attackers before being taken offline, it is likely that attackers will abandon this approach for other attack vectors in order to continue to evade detection and potential apprehension or prosecution. This has already been seen with the use of
25 Cf. http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf : p. 7 and http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 26
26 http://www.pcworld.com/businesscenter/article/154554/spammers_regaining_control_over_srizbi_botnet.html
27 https://forums2.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129 - A241
HTTP and P2P communication channels in threats such as Downadup. Because of the distributed nature of these control channels, it is much more difficult to disable the network and locate the individual or group behind the attacks.

The large increase in the number of new malicious code threats, coupled with the use of the Web as a distribution mechanism, also demonstrates the growing need for more responsive and cooperative security measures. While antivirus signature scanning, heuristic detection, and intrusion prevention continue to be vital for the security of organizations as well as end users, new technologies, such as reputation-based security, will become increasingly important.

The focus of threats in 2008 continued to be aimed at exploiting end users for profit, and attackers have continued to evolve and refine their abilities for online fraud. While some criminal groups have come and gone, other large organizations persist and continue to consolidate their activities. These pseudo-corporations and their up-and-coming competitors will likely remain at the forefront of malicious activity in the coming year.
Highlights
This section provides highlights of the security trends that Symantec observed in 2008 based on the data gathered from the sources listed in the introduction to this report. Selected metrics will be discussed in greater depth in the sections that follow.

Threat Activity Trends Highlights
- During this reporting period, 23 percent of all malicious activity measured by Symantec in 2008 was located in the United States; this is a decrease from 26 percent in 2007.
- The United States was the top country of attack origin in 2008, accounting for 25 percent of worldwide activity; this is a decrease from 29 percent in 2007.
- The education sector accounted for 27 percent of data breaches that could lead to identity theft during this period, more than any other sector and a slight increase from 26 percent in 2007.
- The financial sector was the top sector for identities exposed in 2008, accounting for 29 percent of the total and an increase from 10 percent in 2007.
- In 2008, the theft or loss of a computer or other data-storage devices accounted for 48 percent of data breaches that could lead to identity theft and for 66 percent of the identities exposed.
- Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.
- China had the most bot-infected computers in 2008, accounting for 13 percent of the worldwide total; this is a decrease from 19 percent in 2007.
- Buenos Aires was the city with the most bot-infected computers in 2008, accounting for 4 percent of the worldwide total.
- In 2008, Symantec identified 15,197 distinct new bot command-and-control servers; of these, 43 percent operated through IRC channels and 57 percent used HTTP.
- The United States was the location for the most bot command-and-control servers in 2008, with 33 percent of the total, more than any other country.
- The top Web-based attack in 2008 was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness vulnerability, which accounted for 30 percent of the total.
- The United States was the top country of origin for Web-based attacks in 2008, accounting for 38 percent of the worldwide total.
- The United States was the country most frequently targeted by denial-of-service attacks in 2008, accounting for 51 percent of the worldwide total.
Vulnerability Trends Highlights
- Symantec documented 5,491 vulnerabilities in 2008; this is a 19 percent increase over the 4,625 vulnerabilities documented in 2007.
- Two percent of vulnerabilities in 2008 were classified as high severity, 67 percent as medium severity, and 30 percent as low severity.28 In 2007, 4 percent of vulnerabilities were classified as high severity, 61 percent as medium severity, and 35 percent as low severity.
- Eighty percent of documented vulnerabilities were classified as easily exploitable in 2008; this is an increase from 2007, when 74 percent of documented vulnerabilities were classified as easily exploitable.
- Of the browsers analyzed in 2008, Apple Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a nine-day average; Mozilla browsers had the shortest window of exposure in 2008, averaging less than one day.
- Mozilla browsers were affected by 99 new vulnerabilities in 2008, more than any other browser; there were 47 new vulnerabilities identified in Internet Explorer, 40 in Apple Safari, 35 in Opera, and 11 in Google Chrome.29
- There were 415 browser plug-in vulnerabilities identified in 2008, fewer than the 475 identified in 2007. ActiveX technologies still constituted the majority of new browser plug-in vulnerabilities, with a total of 287; however, this is substantially down from the 399 ActiveX vulnerabilities identified in 2007.
- Memory corruption vulnerabilities again made up the majority of the types of vulnerabilities in browser plug-in technologies for 2008, with 271 vulnerabilities classified as such.
- In 2008, 63 percent of vulnerabilities affected Web applications, an increase from 59 percent in 2007.
- During 2008, there were 12,885 site-specific cross-site scripting vulnerabilities identified, compared to 17,697 in 2007; of the vulnerabilities identified in 2008, only 3 percent (394 vulnerabilities) had been fixed at the time of writing.
- In 2008, Symantec documented nine zero-day vulnerabilities, compared to 15 in 2007.
- The most attacked vulnerability for 2008 was the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.
- In 2008, 95 percent of attacked vulnerabilities were client-side vulnerabilities and 5 percent were server-side vulnerabilities, compared to 93 percent and 7 percent, respectively, in 2007.
28 Percentages are rounded off to the closest whole number and percentages may not equal 100 percent in some instances.
29 Google Chrome was released in September 2008.
Malicious Code Trends Highlights
- In 2008, the number of new malicious code signatures increased by 265 percent over 2007; over 60 percent of all currently detected malicious code threats were detected in 2008.
- Of the top 10 new malicious code families detected in 2008, three were Trojans, three were Trojans with a back door component, two were worms, one was a worm with a back door component, and one was a worm with back door and virus components.
- Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.
- Five of the top 10 staged downloaders in 2008 were Trojans, two were Trojans that incorporated a back door component, one was a worm, one of them was a worm that incorporated a back door, and one was a worm that incorporated a virus component.
- In 2008, the proportional increase of potential malicious code infections was greatest in the Europe, the Middle East and Africa region.
- The percentage of threats to confidential information that incorporate remote access capabilities declined to 83 percent in 2008; this is a decrease from 91 percent in 2007, although such threats remained the most prevalent exposure type.
- In 2008, 78 percent of threats to confidential information exported user data and 76 percent had a keystroke-logging component; these are increases from 74 percent and 72 percent, respectively, in 2007.
- Propagation through executable file sharing continued to increase in 2008, accounting for 66 percent of malicious code that propagates, up from 44 percent in 2007.
- One percent of the volume of the top 50 malicious code samples modified Web pages in 2008, down from 2 percent in 2007.
- The percentage of documented malicious code samples that exploit vulnerabilities declined substantially, from 13 percent in 2007 to 3 percent in 2008.
- In 2008, eight of the top 10 downloaded components were Trojans, one was a Trojan with a back door component, and one was a back door.
- Malicious code that targets online games accounted for 10 percent of the volume of the top 50 potential malicious code infections, up from 7 percent in 2007.
Phishing, Underground Economy Servers, and Spam Trends Highlights
- The majority of brands used in phishing attacks in 2008 were in the financial services sector, accounting for 79 percent, down slightly from 83 percent identified in 2007.
- The financial services sector accounted for the highest volume of phishing lures during this period, with 76 percent of the total; this is considerably higher than in 2007, when the volume for financial services was 52 percent.
- In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007, when Symantec detected 33,428 phishing hosts.
- In 2008, 43 percent of all phishing websites identified by Symantec were located in the United States, considerably less than in 2007, when 69 percent of such sites were based there.
- The most common top-level domain used in phishing lures detected in 2008 was .com, accounting for 39 percent of the total; it was also the highest ranking top-level domain in 2007, when it accounted for 46 percent of the total.
- One particular automated phishing toolkit identified by Symantec was responsible for an average of 14 percent of all phishing attacks during 2008.
- Credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 32 percent of all goods and services; this is an increase from 2007 when credit card information accounted for 21 percent of the total.
- The United States was the top country for credit cards advertised on underground economy servers, accounting for 67 percent of the total; this is a decrease from 2007 when it accounted for 83 percent of the total.
- The most common type of spam detected in 2008 was related to Internet- or computer-related goods and services, which made up 24 percent of all detected spam; in 2007, this was the second most common type of spam, accounting for 19 percent of the total.
- Symantec observed a 192 percent increase in spam detected across the Internet, from 119.6 billion messages in 2007 to 349.6 billion in 2008.
- In 2008, 25 percent of all spam recorded by Symantec originated in the United States, a substantial decrease from 45 percent in 2007, when the United States was also the top ranked country of origin.
- In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.
Threat Activity Trends
This section of the Symantec Global Internet Security Threat Report will provide an analysis of threat activity, as well as other malicious activity, data breaches, and Web-based attacks that Symantec observed in 2008. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and bot C&C server activity. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

This section will discuss the following metrics, providing analysis and discussion of the trends indicated by the data:
- Malicious activity by country
- Data breaches that could lead to identity theft by sector
- Data breaches that could lead to identity theft by cause
- Bot-infected computers
- Bot command-and-control servers
- Top Web-based attacks
- Top countries of origin for Web-based attacks
- Threat activity: protection and mitigation

Malicious activity by country
This metric will assess the countries in which the largest amount of malicious activity takes place or originates. To determine this, Symantec has compiled geographical data on numerous malicious activities, including: bot-infected computers, phishing website hosts, malicious code reports, spam zombies, and attack origin. The rankings are determined by calculating the mean average of the proportion of these malicious activities that originated in each country.

Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and typically more stable connections. The top three countries in this metric (United States, China, and Germany) all have extensively developed and growing broadband infrastructures.30 China, which surpassed the United States for the largest number of broadband subscribers for the first time in 2008, has 21 percent of the worldwide broadband subscriber total with 83.3 million subscribers. The United States is second with 20 percent, while Germany is fourth with 6 percent. Each country also experienced a growth of over 20 percent in broadband subscribers from 2007.

In 2008, the United States was the top country for overall malicious activity, making up 23 percent of the total (table 2). This is a decrease from 2007 when the United States was also first, with 26 percent. Within specific category measurements, the United States ranked first in malicious code, phishing website hosts, and attack origin.
30 http://www.point-topic.com
| 2008 Rank | 2007 Rank | Country | 2008 Overall Percentage | 2007 Overall Percentage | Malicious Code Rank | Spam Zombies Rank | Phishing Websites Host Rank | Bot Rank | Attack Origin Rank |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | United States | 23% | 26% | 1 | 3 | 1 | 2 | 1 |
| 2 | 2 | China | 9% | 11% | 2 | 4 | 6 | 1 | 2 |
| 3 | 3 | Germany | 6% | 7% | 12 | 2 | 2 | 4 | 4 |
| 4 | 4 | United Kingdom | 5% | 4% | 4 | 10 | 5 | 9 | 3 |
| 5 | 8 | Brazil | 4% | 3% | 16 | 1 | 16 | 5 | 9 |
| 6 | 6 | Spain | 4% | 3% | 10 | 8 | 13 | 3 | 6 |
| 7 | 7 | Italy | 3% | 3% | 11 | 6 | 14 | 6 | 8 |
| 8 | 5 | France | 3% | 4% | 8 | 14 | 9 | 10 | 5 |
| 9 | 15 | Turkey | 3% | 2% | 15 | 5 | 24 | 8 | 12 |
| 10 | 12 | Poland | 3% | 2% | 23 | 9 | 8 | 7 | 17 |

Table 2. Malicious activity by country
Source: Symantec
The slight decrease in overall malicious activity for the United States can be attributed to the drop in spam zombies there. This is likely due to the shutdown of two U.S.-based Web hosting companies that were allegedly hosting a large number of bot C&C servers associated with spam distribution bot networks (botnets).31 Spam activity decreased worldwide after both shutdowns. In one case, Symantec observed a 65 percent decrease in spam traffic in the 24 hours that followed.32 Both companies allegedly hosted a large number of bot C&C servers for several large spam botnets: Srizbi,33 Rustock,34 and Ozdok (Mega-D).35 Spam zombies that lack a central command system are unable to send out spam.

China had the second highest amount of overall worldwide malicious activity in 2008, accounting for 9 percent; this is a decrease from 11 percent in the previous reporting period. Along with the fact that China has the most broadband subscribers in the world, the amount of time spent online by users there may contribute to the high percentage of malicious activity in China. The longer a user is online, the longer the computer is exposed to malicious attack or compromise, and Internet users in China spend more of their leisure time online than users in any other country.36 Online leisure activities may also be typically more likely to include activities on sites that may be vulnerable to attacks. This includes social networking websites, online gaming sites, forums, blogs, and online shopping sites. Dynamic sites, such as forums, for example, are targets for attackers using bot-infected computers to propagate and host malicious content since Web application and site-specific vulnerabilities can put these types of sites at risk.

The slight drop in China's percentage of malicious activity in 2008 was primarily due to the drop in phishing website hosts and bot-infected computers. China dropped from third for phishing website hosts in 2007 to sixth in 2008, with just under 3 percent of the global total; and, although China maintained its top ranking for bot-infected computers, its global share in this regard decreased from 19 percent in 2007 to 13 percent in 2008.

One possible cause for these decreases may be national initiatives to block websites potentially most susceptible to fraud in an effort to increase online security for users ahead of the 2008 Beijing Olympic Games. Thousands of websites were either shut down or blacklisted as part of this effort, including a
31 h://vocs.washgoos.co/scufx/2008/10/sa_volus_lu_af_a.hl
32 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
33 http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
34 http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
35 http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99
36 http://www.tnsglobal.com/_assets/files/TNS_Market_Research_Digital_World_Digital_Life.pdf
substantial number of messaging forums,37 which, as noted previously, are popular targets of attack for Web application and site-specific vulnerabilities. Thus, any reduction in the number of bot-infected computers should result in a corresponding drop in other attack activity categories, such as spam zombies, because these are often associated with bot-infected computers. China dropped from third in spam zombies in 2007, with 7 percent of the worldwide total, to fourth and 6 percent in 2008.

Another factor that may have contributed to the lower percentage of bot-infected computers in China in 2008 was that many unlicensed Internet cafes there were also shut down and supervision was tightened on the remaining cafes to help address online security risks associated with the casual use of public computers.38 Public computers tend to be more susceptible to attacks because of the significant amount of varied traffic on such computer terminals. Public computers are frequently used by a great variety of people for many different activities such as email, online shopping, and gaming. The variety of usage and the likelihood that transient users are less aware of or concerned with security makes such computers attractive to attackers.

In 2008, Germany again ranked third with 6 percent of all Internet-wide malicious activity, down slightly from 7 percent in 2007. In both years, Germany ranked highly in spam zombies and hosting phishing websites, activities that are often associated with bot networks. In 2008, Germany ranked fourth for bot C&C servers, with 5 percent of the total. This high number of bot C&C servers likely indicates that botnets are prominent in Germany, which would contribute to the high amount of overall malicious activity originating there. Also, spam zombies are often focused in regions with high broadband penetration and bandwidth capacity because these conditions facilitate sending out large amounts of spam quickly.

It is reasonable to expect that the United States, China and Germany will continue to outrank other countries in this measure, as they have done so for the past several reports. Beyond these three, however, countries such as Brazil, Turkey, Poland, India, and Russia are expected to continue to increase their share of overall malicious activity because they all have rapidly growing Internet infrastructures and growing broadband populations.39 Countries that have a relatively new and growing Internet infrastructure tend to experience increasing levels of malicious activity until security protocols and measures are improved to counter these activities.

Data breaches that could lead to identity theft, by sector
Identity theft continues to be a high-profile security issue, particularly for organizations that store and manage large amounts of personal information. Based on the most recent information available for 2007, roughly 8.4 million U.S. residents were victims of identity theft, which represents approximately 3 percent of the adult population.40 Not only can compromises that result in the loss of personal data undermine customer and institutional confidence, result in costly damage to an organization's reputation, and be costly for individuals to recover from the resulting identity theft, they can also be financially costly to organizations. In 2008, the average cost per incident of a data breach in the United States was $6.7 million, an increase of 5 percent from 2007, and lost business amounted to an average of $4.6 million.41 Also, organizations can be held liable for breaches and losses, which may result in fines or litigation.42
37 See h://www.vu.co/vu/ws/2207878/cha-cacks-wb-o and http://english.gov.cn/2008-03/29/content_931872.htm
38 http://www.theglobeandmail.com/servlet/story/RTGAM.20080212.wgchina0212/BNStory/Technology/home
39 http://www.point-topic.com
40 http://www.privacyrights.org/ar/idtheftsurveys.htm#Javelin2007
41 http://www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf
42 http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml
Using publicly available data, Symantec has determined the sectors that were most often affected by these breaches and the most common causes of data loss.43 This discussion will also explore the severity of the breaches by measuring the total number of identities exposed to attackers, using the same publicly available data.44

It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports.45 Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.

In 2008, the education sector represented the highest number of known data breaches that could lead to identity theft, accounting for 27 percent of the total (figure 4). This is a slight increase from 2007, when the education sector also ranked first with 26 percent of the total.
[Figure 4: two pie charts, "Data breaches" and "Identities exposed", each broken down by sector. Sectors shown: Education, Government, Health care, Financial, Retail/wholesale, Arts/media, Manufacturing, Telecom, Business consulting, Insurance, Biotech/pharmaceutical, Utilities/energy, Other. Values confirmed in the text: data breaches: Education 27%, Government 20%, Health care 15%; identities exposed: Government 17%, Health care 5%, Education 4%.]
Figure 4. Data breaches that could lead to identity theft by sector and identities exposed by sector46
Source: Based on data provided by OSF DataLoss DB
43 Open Security Foundation (OSF) DataLoss DB, see http://datalossdb.org
44 An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach.
45 Cf. http://www.privacyrights.org/fs/fs6a-facta.htm and http://www.cms.hhs.gov/HealthPlansGenInfo/12_HIPAA.asp
46 Due to rounding, percentages might not equal 100 percent.
Educational institutions store a large amount of personal information on students, faculty, and staff that could be used for the purposes of identity theft, including government-issued identification numbers, names, and addresses. Finance departments in these institutions also store bank account information for payroll and may also hold credit card information for people who use this method to pay for tuition and fees. These institutions, particularly large universities, often consist of many autonomous departments in which sensitive personal identification information may be stored in separate locations and be accessible to many people. This may increase the opportunities for attackers to gain unauthorized access to this data, since it may be more difficult to standardize the security, educate everyone with access to the data on the policies, and control access to these dispersed databases.

Despite the high number of data breaches that occurred in the education sector during 2008, they accounted for only 4 percent of all identities exposed during the period and ranked seventh (figure 4). This may be because educational institutions have relatively smaller databases than those of financial or government institutions and, hence, fewer identities would be exposed in a data breach. One of the largest universities in the United States accounted for fewer than 80,000 students and employees, while financial and government institutions may store information on millions of people.47

Also, one-third of the data breaches in the education sector this period were caused by the theft or loss of computers or data-storage devices. As such, data breaches that occurred in the education sector in this reporting period were not as likely to result in wide-scale identity theft because they resulted in the exposure of fewer identities. This type of breach only exposes the limited amount of data that is stored on the devices.

In 2008, the government sector ranked second and accounted for 20 percent of data breaches that could lead to identity theft. This is a decrease from the previous year, when the government sector represented 23 percent of the total, though still ranking second. This trend is reinforced by the annual Federal Computer Security report card, in which the number of government agencies with a failing grade decreased by almost half.48 The health care sector ranked third in 2008, accounting for 15 percent of data breaches that could lead to identity theft. It also ranked third in 2007, accounting for 14 percent.

Government and health care organizations, like educational institutions, store large amounts of information that could be used for identity theft. Similar to the education sector, these organizations often consist of numerous autonomous departments that store sensitive personal information in separate locations that are accessible to numerous people. As a consequence, these organizations face the same security and control issues as educational institutions. Furthermore, health care organizations store sensitive medical information in addition to personal information, which could result in even more damaging breaches of privacy.

The government sector ranked third for identities exposed during 2008, accounting for 17 percent of the total, while the health care sector ranked sixth, accounting for 5 percent of the total. As with the education sector, data breaches within the health care sector resulted in a relatively low number of identities exposed.
47 http://www.osu.edu/osutoday/stuinfo.php
48 http://republicans.oversight.house.gov/media/PDFs/Reports/FY2007FISMAReportCard.pdf
Data breaches that could lead to identity theft, by cause

In 2008, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium.49 Theft or loss made up 48 percent of all data breaches in 2008, a decrease from the previous reporting period, when it accounted for 52 percent of all reported breaches (figure 5).
[Figure 5: two pie charts, "Data breaches" and "Identities exposed", each broken down by cause (theft or loss, insecure policy, hacking, insider, unknown). The only value legible in this copy is "Insider 4%". Values confirmed in the text: data breaches: theft or loss 48%, insecure policy 21%, hacking 17%; identities exposed: hacking 22%, insecure policy 8%.]
Figure 5. Data breaches that could lead to identity theft by cause and identities exposed by cause
Source: Based on data provided by OSF DataLoss DB
To protect against data theft or loss, organizations should restrict the use of outside personal storage devices within the network, monitor the usage of such hardware within the enterprise, and educate employees on proper usage. Organizations should also include reviews and audits of electronic documents used by employees upon their leaving the company. In a recent study, 59 percent of employees admitted to taking company information, such as email addresses, contact information of customers, employee records, and financial records, when leaving the organization.52 Of these former employees, 79 percent took the information without permission from the company. In 92 percent of the instances, the information was taken on disk, while 73 percent was on removable drives. It is worth noting that only 15 percent of the companies polled had conducted a review or audit of electronic documents taken by employees. Also, sensitive data should be strongly encrypted on any laptop or storage device that may be used outside of the enterprise.

The second most common cause of data breaches that could lead to identity theft during 2008 was insecure policy, which represented 21 percent of all incidents. A data breach is considered to be caused by insecure policy if it can be attributed to a failure to develop, implement, and/or comply with adequate security policy. In 2007, insecure policy also ranked second, accounting for 28 percent of such data breaches. This decrease in the number of data breaches may be due to organizations becoming more diligent and introducing stronger security policies, such as limiting access to sensitive information to required personnel and documenting document transfers. Insecure policy accounted for only 8 percent of exposed identities in 2008 and, thus, each breach exposed only a relatively small number of identities. Although breaches caused by insecure policy in 2008 were not likely to result in wide-scale identity theft, the breaches still exposed approximately 6.5 million identities.53

In 2008, hacking was the third leading cause of data breaches that could lead to identity theft, accounting for 17 percent of the total. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers external to an organization gaining unauthorized access to computers or networks. Hacking also ranked third in 2007, accounting for 14 percent of breaches that could facilitate identity theft. Hacking is more purpose-driven than insecure policy, theft, or loss: in 2008, over half of the breaches that exposed credit card information were due to hacking. Attackers can take advantage of site-specific and Web-application vulnerabilities to gain access to networks and steal personal information. For this discussion, Symantec considers hacking to be an intentional act with a defined purpose to steal data that can be used for purposes of identity theft or other fraud.

Hacking ranked second for identities exposed in 2008, with 22 percent; this is a large decrease from 2007, when hacking accounted for 62 percent of total identities exposed. The contributing factor for its high ranking in 2007 was a significant data breach in which data on over 94 million credit cards was stolen by attackers hacking into a company's database through unencrypted wireless transmissions and installing programs to capture credit card information.54 It is estimated that between $63 million and $83 million in credit card fraud across 13 countries can be attributed to this single data breach.55

In 2008, two breaches contributed significantly to the high ranking of hacking in this metric: in the first, confidential information on six million Chileans was illegally obtained from government databases by a hacker who publicly posted the information afterward; in the second, credit card information for 4.2 million customers was stolen from a U.S.-based grocery chain by hackers monitoring the credit
52 http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
53 http://datalossdb.org
54 http://www.msnbc.msn.com/id/21454847/
55 http://www.securityfocus.com/news/11493
authorization process.56 Because of the motivation of attackers who use hacking to steal personal financial information, the impact of data breaches due to hacking may be more severe, because they are likely to result in large-scale fraud and higher financial costs to affected organizations, credit card issuers, and consumers.

Even though they continue to be one of the most challenging issues faced by organizations, data breaches that could lead to identity theft are mostly preventable. For any department that manages or requires access to sensitive information, organizations should develop strong security policies, such as strongly encrypting all data, ensuring they have controls in place that restrict access to such information to required personnel, and providing education and resources for all employees on proper security procedures. Network administrators should be closely monitoring network traffic and tracking all activity to ensure that there is no illegal access to databases, as well as testing security processes and systems regularly to ensure their integrity. Organizations should include these steps as part of a broader security policy, and ensure that a security policy is implemented and enforced to protect all sensitive data from unauthorized access.

Bot-infected computers

Bots are programs that are covertly installed on a user's machine in order to allow an attacker to remotely control the targeted system through a communication channel, such as Internet relay chat (IRC), P2P, or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks. Bots allow for a wide range of functionality, and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization's website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information from compromised computers that may be used in identity theft, all of which can have serious financial and legal consequences. Bots are also inexpensive and relatively easy to propagate. In 2008, Symantec observed underground economy advertisements for as little as $0.04 per bot. This is much cheaper than in 2007, when $1 was the cheapest price advertised for bots. Bot-infected computers with a decentralized bot C&C model are favored by attackers because they are difficult to disable and, more importantly, can be lucrative for their controllers. In one example, a bot owner arrested in New Zealand admitted to earning $21,500 over a two-year span for his activities.57

A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. In 2008, Symantec observed an average of 75,158 active bot-infected computers per day (figure 6), a 31 percent increase from 2007. Symantec also observed 9,437,536 distinct bot-infected computers during this period, a 1 percent increase from 2007.
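The "active per day" and "distinct" definitions above, applied to a constructed log of per-attack bot sightings. This is an added example and not part of the original report or Symantec's tooling; the sighting records, dates and bot identifiers are made up. A bot seen several times on one day counts once for that day, a bot seen on several days counts once per day but only once as a distinct bot, and days with no sightings still count toward the daily average.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: (day, bot_id) pairs, one per observed attack.
SIGHTINGS = [
    (date(2008, 1, 1), "bot-a"), (date(2008, 1, 1), "bot-a"), (date(2008, 1, 1), "bot-b"),
    (date(2008, 1, 2), "bot-a"),
    # no attacks observed on 2008-01-03: that day contributes 0 active bots
    (date(2008, 1, 4), "bot-c"), (date(2008, 1, 4), "bot-b"), (date(2008, 1, 4), "bot-d"),
]


def daily_active(sightings, start, end):
    """Return {day: number of distinct bots active on that day} for every day in [start, end]."""
    active = defaultdict(set)
    for day, bot in sightings:
        if start <= day <= end:
            active[day].add(bot)          # repeat attacks by one bot collapse into the set
    days = (end - start).days + 1
    return {start + timedelta(n): len(active[start + timedelta(n)]) for n in range(days)}


def bot_metrics(sightings, start, end):
    """Average active bots per day, distinct bots over the period, and the busiest day."""
    per_day = daily_active(sightings, start, end)
    distinct = {bot for day, bot in sightings if start <= day <= end}
    return {
        "average_active_per_day": sum(per_day.values()) / len(per_day),
        "distinct_bots": len(distinct),
        "peak_day": max(per_day, key=per_day.get),
    }


if __name__ == "__main__":
    print(bot_metrics(SIGHTINGS, date(2008, 1, 1), date(2008, 1, 4)))
```

On the sample the four days see 2, 1, 0 and 3 active bots, so the average is 1.5 per day while the distinct count is 4; the gap between the two numbers is the same effect the text describes for 2008, where the daily average rose 31 percent while the distinct population grew only 1 percent.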
56 Cf. http://news.bbc.co.uk/1/hi/world/americas/7395295.stm or http://www.msnbc.msn.com/id/23678909/
57 http://www.itworld.com/security/58670/bot-master-sees-himself-next-bill-gates
[Figure 6: line chart of active bot-infected computers per day from Jan 3, 2007 to Dec 31, 2008; y-axis 0 to 120,000; series: median daily active bots and a 4-period moving average.]
Figure 6. Active bot-infected computers, by day
Source: Symantec
The decrease in active bot-infected computers at the beginning of 2008 may be due to the reduction in size of the botnet associated with the Peacomm Trojan.58 The number of bot-infected computers in the botnet was reduced to 5 percent of its previous estimated size, from 2 million bot-infected computers to 100,000.59 In addition, as stated in Malicious activity by country, the shutdown of two U.S.-based hosting companies responsible for hosting bot C&C servers for a number of major botnets likely contributed to the decrease in active bot-infected computers in September and November 2008. After the shutdown in September, major botnets, including Srizbi and Pandex,60 were able to find alternate hosting, which resulted in an increase in bot-infected computers back to pre-shutdown levels. However, the shutdown in November severely crippled Srizbi and Ozdok and, as a consequence, competing botnets, including Pandex, were able to fill the void.61

Although the number of active bot-infected computers decreased at the end of the year, it is assumed that bot owners will seek out new hosts to get their botnets back online, and it is expected that bot numbers will rise again in 2009.62 One lesson of the activity in 2008 is that botnets can be crippled by identifying and shutting down the bot C&C server hosts, but that this strategy is difficult to implement given the various global hosting options that bot controllers have at their disposal.
58 Also known as the Storm bot.
59 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 32
60 http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99
61 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : pp. 25-26
62 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
Bot command-and-control servers

Symantec tracks the number of bot C&C servers globally because these are what bot owners use to relay commands to the bot-infected computers on their networks. For the first time, in this volume of the Symantec Global Internet Security Threat Report, bot C&C servers controlled over HTTP are included in this analysis alongside IRC bot C&C servers.63 This change in measure was made due to the trend of bot owners shifting away from traditional IRC bot C&C communication frameworks and toward managing their botnets through HTTP bot C&C servers. In 2008, Symantec identified 15,197 distinct new bot C&C servers (figure 7), of which 43 percent were over IRC channels and 57 percent were over HTTP.
[Figure 7: pie chart. IRC 43%, HTTP 57%.]
Figure 7. Bot command-and-control servers, by type
Source: Symantec
Bot owners are moving away from traditional IRC-based botnets because IRC bots are easier to detect, track, filter, and block than bots that communicate over HTTP. HTTP communications can be used to disguise bot traffic among other Web traffic in order to make it difficult to distinguish malicious traffic from legitimate HTTP traffic. (Most HTTP bot transmissions are encrypted to avoid detection.) To filter the traffic, organizations would have to inspect the encrypted HTTP traffic and identify and remove bot-related traffic while still allowing legitimate traffic to pass through. Because of this, it is very difficult to monitor and disable a bot C&C structure. It is also unreasonable to block HTTP traffic, since organizations depend on legitimate HTTP traffic to conduct day-to-day business. Bot owners have also been switching away from using P2P for bot C&C server communications because such traffic is more easily detected due to its more persistent transmission. Moreover, many enterprises and other organizations also block P2P ports to prevent such high-bandwidth traffic from entering their networks.
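An added example, not from the original report, of the kind of detection that remains possible when HTTP C&C traffic is encrypted: since payload inspection is not available, the logic below keys on connection metadata only. It assumes a simplified proxy log format (ISO timestamp, client, method, host, bytes out, bytes in); the log lines, client addresses and hostnames are constructed for the example. A client that contacts the same host at a near-constant interval with small, similar-sized exchanges is flagged as a likely beacon, while the same client's ordinary browsing, with irregular timing and large responses, is not.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (assumed format: "<ISO ts> <client> <method> <host> <bytes_out> <bytes_in>").
# 10.0.0.5 checks in with cdn-update.example.net every ~300 s with tiny exchanges,
# while its browsing to www.example.com is irregular. 10.0.0.9 has too few hits to judge.
PROXY_LOG = """\
2008-11-12T09:00:00 10.0.0.5 POST cdn-update.example.net 210 130
2008-11-12T09:00:13 10.0.0.5 GET www.example.com 640 48210
2008-11-12T09:00:40 10.0.0.5 GET www.example.com 512 9120
2008-11-12T09:05:01 10.0.0.5 POST cdn-update.example.net 212 131
2008-11-12T09:10:00 10.0.0.5 POST cdn-update.example.net 211 130
2008-11-12T09:15:00 10.0.0.5 POST cdn-update.example.net 209 130
2008-11-12T09:20:02 10.0.0.5 POST cdn-update.example.net 210 132
2008-11-12T09:25:00 10.0.0.5 POST cdn-update.example.net 208 130
2008-11-12T09:31:05 10.0.0.5 GET www.example.com 600 77000
2008-11-12T10:12:48 10.0.0.5 GET www.example.com 590 30500
2008-11-12T10:13:02 10.0.0.5 GET www.example.com 610 12800
2008-11-12T09:00:00 10.0.0.9 POST cdn-update.example.net 210 130
2008-11-12T09:05:00 10.0.0.9 POST cdn-update.example.net 210 130
2008-11-12T09:10:00 10.0.0.9 POST cdn-update.example.net 210 130
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse(log_text):
    """Parse log lines into (timestamp, client, host, bytes_out, bytes_in); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, host, out_b, in_b = m.groups()
        events.append((datetime.fromisoformat(ts), client, host, int(out_b), int(in_b)))
    return events


def find_beacons(events, min_hits=5, max_cv=0.1, max_bytes=2048):
    """Flag (client, host) pairs whose contact intervals are regular and whose exchanges are small.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive contacts; thresholds are illustrative, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, client, host, out_b, in_b in events:
        by_pair[(client, host)].append((ts, out_b + in_b))

    flagged = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:          # not enough samples to call the timing regular
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        median_bytes = statistics.median(size for _, size in hits)
        if cv <= max_cv and median_bytes <= max_bytes:
            flagged[pair] = {
                "hits": len(hits),
                "period_s": round(mean_gap),
                "cv": round(cv, 3),
                "median_bytes": median_bytes,
            }
    return flagged


if __name__ == "__main__":
    for pair, info in find_beacons(parse(PROXY_LOG)).items():
        print(pair, info)
```

The same timing-based approach applies to IRC and P2P C&C, but for HTTP it is the practical option the text leaves open: the proxy still sees who talked to whom, how often, and how much, even when it cannot see what was said. Real beacons add jitter or sleep randomization, so in production the interval test is usually combined with destination reputation and newly-seen-domain checks rather than used alone.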
63 Not included in this measure are bot C&C servers over P2P protocols; also, as this is the first report in which HTTP bot C&C servers are included in this analysis, 2007 comparisons are unavailable.
Symantec also observed an average of 42 new active bot C&C servers per day in 2008, of which 18 were IRC-based and 24 were HTTP (figure 8). The three largest botnets identified by Symantec in 2008, Srizbi, Rustock, and Pandex, are all HTTP-based.
[Figure 8: line chart of new active bot command-and-control servers per day from Jan 2, 2008 to Dec 31, 2008; y-axis 0 to 60; series: HTTP and IRC, each with a 3-period moving average.]
Figure 8. Bot command-and-control servers, by day
Source: Symantec
The drop in new and active HTTP bot C&C servers in February 2008 is likely due to the bot C&C servers for a major HTTP-based botnet, Ozdok, going offline for 10 days during that month.64 Also, the significant reductions that occurred in September and November 2008 are likely due to the shutdown of two U.S.-based ISPs, as was noted previously in this discussion. The September shutdown resulted in a temporary decrease in activity associated with the Srizbi and Pandex botnets.65 As noted, it is assumed that these botnets found alternate hosting, which would explain the subsequent rise in activity.

The second shutdown, in November, resulted in a 30 percent decrease in overall botnet traffic and is thought to have severely weakened two of the largest botnets, Srizbi and Rustock.66 The significant drop in new and active HTTP bot C&C servers in November may be because one of these ISPs was allegedly hosting a large number of bot C&C servers for Srizbi and Rustock, and the bots were hard-coded to connect to these servers.67 It was estimated that the Srizbi botnet had 300,000 bots prior to the shutdown68 and that the Rustock botnet had included over 150,000 bots.69
64 http://www.scmagazineus.com/TRACE-Six-botnets-generate-85-percent-of-spam/article/107603/
65 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 25
66 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 26
67 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
68 h://kowldgxchag.chag.co/scu-bs/szb-bo-s-h-bggs-bu-dos-sz-a/
69 http://www.scmagazineus.com/The-Rustock-botnet-spams-again/article/112940/
Top Web-based attacks

The widespread deployment of Web applications, along with the ubiquity of easy-to-exploit Web application security vulnerabilities, has resulted in the prevalence of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Instead, they are now focused on attacking and compromising websites in order to mount additional, client-side attacks.

This attack type can be found globally, and Symantec identifies each attack by an associated distinct detection signature. Most attack types target specific vulnerabilities or weaknesses in Web browsers or other client-side applications that process content originating from the Web. This metric will assess the top distinct Web-based attacks originating from compromised legitimate sites and from malicious sites that have been created to intentionally target Web users.

The attacks discussed may involve social engineering to entice a victim to view a malicious website, but most attacks exploit trusted high-traffic websites. When the user visits a compromised website, a number of attack methods are used. Malicious content from the website can directly exploit a vulnerability in the browser, a browser plug-in, or a desktop application. An attack such as this may require very little action apart from the user visiting the site from which the attack originates. In the case of a drive-by download, the attack will occur without any action required from the user.70

Attackers also use malicious websites for compromises, such as misleading the user into directly authorizing a specific technology that then downloads malicious code, or prompting the user to click on a pop-up or banner ad. Attackers can also redirect all traffic from a legitimate website to a malicious website from which the user's computer will then be attacked. In all of these types of Web-based attacks, the user is unaware of the compromise. Once an attacker has compromised a website and injected malicious content, he or she can passively attack visitors of the compromised site. This type of attack is very effective for attackers because they only have to compromise one Web page in order to affect multiple users. When a user visits a compromised Web page, the attack is carried out through the user's browser.71 The attack will either target vulnerabilities in the browser itself or target third-party applications that are activated by the browser.

All Web-based attack traffic goes through the HTTP or HTTPS protocols. The benefit of this for attackers is that it is unreasonable to block these protocols, because legitimate organizations depend on them for their day-to-day business. In addition, filtering a large volume of HTTP traffic would significantly slow throughput. HTTP traffic is also difficult to filter with intrusion detection/intrusion prevention systems (IDS/IPS) because it is difficult to distinguish malicious traffic from legitimate traffic, and HTTP traffic can be encrypted, thus enabling attacks to be obfuscated within legitimate traffic.

Attackers are not only employing manual methods to exploit these issues, but they are also using automated tools, such as Neosploit,72 to exploit client-side vulnerabilities on a massive scale. Such toolkits are widely available and packaged so that people with minimal technical knowledge are able to use them effectively.
70 A drive-by download is any download that occurs without a user's prior knowledge or authorization and does not require user interaction. Typically this is an executable file.
71 Cf. the Vulnerability Trends section for discussion of compromises of websites with Web-based vulnerabilities.
72 http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9115599&taxonomyId=17&pageNumber=1
Another attraction of the Web for exploitation is the profusion of dynamic sites that use Web-based applications, such as forums, photo-sharing galleries, blogs, and online shopping applications. Dynamic sites are targets for attackers using bot-infected computers to propagate and host malicious content, since Web application and site-specific vulnerabilities can put these types of sites at risk. Attackers are also especially attracted to large, popular websites with trusted reputations. This is not only because a successful compromise can reach a greater number of people (who tend to have a higher trust for legitimate websites and are thus more susceptible to attack), but, as noted, because it may be difficult to block attacks on these sites using security tools without disrupting legitimate traffic.

These developments and trends indicate that Web-based threats have not only become widespread, but that they also have increased in sophistication and severity. In particular, Symantec has noticed that botnets (such as Asprox, which was originally used for phishing scams) are being designed to specifically exploit cross-site scripting vulnerabilities and inject malicious code into compromised websites.73

Many Web-based attacks exploit vulnerabilities that are considered medium severity. This means that they can compromise the account of the currently logged-in user because the user does not require administrative privileges to run the affected applications. While the danger of client-side vulnerabilities may be limited by best practices, such as restricting Web applications at the administrative level, this is often unreasonable given how integral Web applications are to the delivery of content for many businesses. Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful malicious attacks on single clients, as well as at the enterprise level.

In 2008, the top Web-based attack was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness,74 which accounted for 29 percent of the total globally (table 3). The weakness allows attackers to install malicious files on a vulnerable computer when a user visits a website hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer security settings to allow the attacker to execute the malicious files installed by the initial security weakness. This issue was published on August 23, 2003, and fixes have been available since July 2, 2004. Since this was the top Web-based attack in 2008, this may indicate that many computers running Internet Explorer have not been patched or updated and are running with this exposed vulnerability.
Rank  Web-based attack                                                                   Percentage
1     Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness         30%
2     Acrobat PDF Suspicious File Download                                               11%
3     ANI File Header Size Buffer Overflow                                               7%
4     Adobe SWF Remote Code Executable                                                   7%
5     Microsoft Internet Explorer DHTML CreateControlRange Code Executable               6%
6     SnapShot Viewer ActiveX File Download                                              5%
7     Microsoft Internet Explorer XML Core Services XMLHTTP Buffer Overload              4%
8     Quicktime RTSP URI Buffer Overload                                                 3%
9     AOL SuperBuddy ActiveX Code Executable                                             3%
10    Microsoft Internet Explorer WebViewFolderIcon ActiveX Control Buffer Overflow      2%
Table 3. Top Web-based attacks
Source: Symantec
73 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 33
74 Cf. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031 or http://www.securityfocus.com/bid/10514
A large number of exploits and malicious applications rely on this vulnerability as a common way of compromising computers, along with other known vulnerabilities. Therefore, the amount of attack activity is related to the cumulative number of exploits, attack toolkits, and worms targeting this vulnerability as one possible means of compromising computers. It is also likely that the large market share of Microsoft Internet Explorer plays a role in the popularity of this attack.75 While the vulnerability was patched in 2004, there are likely still enough unpatched computers affected by this vulnerability for attackers to continue to benefit from its exploitation.

The second most common Web-based attack in 2008 was related to malicious Adobe Acrobat PDF activity,76 which accounted for 11 percent of Web-based attacks. Specifically, attempts to download suspicious PDF documents were observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to any specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it, such as Adobe Acrobat Reader. A successful attack could ultimately result in the compromise of the integrity and security of an affected computer. This attack is assumed to be popular due to the common use and distribution of PDF documents on the Web. Also, browsers can be set up to automatically render a PDF document by default. Specific exploit activity related to malicious PDF files was observed in 2008.77

The Vulnerability Trends section of this report notes that the percentage of plug-in vulnerabilities affecting Adobe Acrobat Reader, in comparison to the total number of browser plug-in vulnerabilities, increased to 4 percent in 2008 from 1 percent in 2007. This demonstrates that Adobe Acrobat Reader is increasingly targeted by attackers. In addition, the appearance of the Neosploit toolkit in 2008 may have contributed to the popularity of this type of attack, as that toolkit is designed to exploit vulnerabilities in PDF documents.78

In 2008, the third most common Web-based attack exploited the Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability,79 accounting for 7 percent of Web-based attacks in 2008. The ANI (animated cursor file) handler is a default component of the Microsoft Windows operating system and is used by a significant number of widely used Microsoft applications as well as the Windows shell. If successfully exploited, the vulnerability allows an attacker to execute arbitrary code embedded in a malformed ANI file originating from the Web or other sources. This vulnerability was published on January 11, 2005, and fixes have also been available since that time. Exploit code was publicly available the following day. As with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness, the prominence of this type of attack indicates that computers in the region are likely not being sufficiently patched and updated.

Vulnerabilities such as those discussed here continue to generate a large amount of observed attack activity because they can be reliably exploited. This makes these vulnerabilities candidates for automation. Despite the fact that fixes are available, as noted, it is likely that there are still enough unpatched systems in existence that these attacks continue to enjoy success. When attacks prove successful, they are often adopted by a large number of malicious code variants and attack toolkits. This can cumulatively create a large amount of observed attack activity. It is also likely that older malicious code variants continue to attempt to automatically exploit these vulnerabilities as a means of propagation.
75 http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0&qpmr=100&qpdt=1&qpct=3&qptimeframe=Y&qpsp=2008&qpnp=2
76 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23153
77 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Pdf-the-Word-for-Exploits/ba-p/305564#A141
78 http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9115599&taxonomyId=17&pageNumber=2
79 Cf. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21719 or http://www.securityfocus.com/bid/12233
Top countries of origin for Web-based attacks

This metric will assess the top countries of origin for Web-based attacks against users in 2008 by determining the location of the computers from which the attacks occurred. Note that attackers, in order to hinder their tracking, often redirect users through one or more servers that may be located anywhere globally. Once an attacker has compromised a legitimate website, users who visit the website will be attacked by several additional means. One way is through a drive-by download, which results in the installation of malicious code without the user's knowledge or consent. Another way is to redirect the user to another website that is used to host malicious code. Sites and servers hosting a variety of malicious exploits can be found worldwide. Multiple domains may be associated with one compromised site, which is used to exploit one or more security vulnerabilities affecting client browsers.

In 2008, computers in the United States were the leading source of Web-based attacks against users, accounting for 38 percent of the total (table 4). There are a number of factors that make the United States the top country of origin for Web-based attacks. This ranking may be due to the more than half a million websites that were compromised in May 2008 with malicious code that was hosted in Russia and the United States. Web forums hosted by PHP-based bulletin board applications were exploited to inject malicious JavaScript into forum content. These forums would then infect visitors with variants of the Zlob Trojan80 disguised as a video codec installer. The exploit changes browser and DNS settings on the infected computer and enables additional attacks, including turning the infected computer into a zombie.81 This attack follows the trend of attackers inserting malicious code onto legitimate high-traffic websites, where users are likely to be more trusting of the content, rather than attempting to lure users to visit specially designed malicious sites.
Rank  Country          Percentage
1     United States    38%
2     China            13%
3     Ukraine          12%
4     Netherlands      8%
5     Russia           5%
6     United Kingdom   5%
7     Canada           3%
8     Japan            2%
9     Latvia           1%
10    France           1%
Table 4. Top countries of origin for Web-based attacks
Source: Symantec
80 http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99
81 http://www.channelregister.co.uk/2008/05/13/zlob_trojan_forum_compromise_attack/
In 2008, China ranked as the second country of origin for Web-based attacks, with 13 percent of the worldwide total. The primary reason for the high rank of China in 2008 is compromised websites relating to the 2008 Beijing Olympic Games. The games were one of the largest events of 2008, and attackers exploited the popularity of the event in their attempts to lure and compromise users, as has been seen previously with other major sporting and media events.82

One example is the Rustock botnet, which sent out emails with links to a news report about the games. Users were prompted to click a link in the email and visit a site, which then prompted them to download a missing codec in order to launch a video. Clicking to obtain the codec actually resulted in the installation of a Trojan.

Attackers may have also used social engineering to lure users to compromised websites under the guise of being associated with the 2008 Beijing Olympic Games, as attacks against Chinese-language websites increased significantly during the games.83 The extent of these attacks was mitigated, however, by initiatives to increase online security for users ahead of the Games by shutting down or blacklisting thousands of websites potentially most susceptible to fraud, which are popular targets of attack for Web application and site-specific vulnerabilities. Also, thousands of websites in China were compromised when certain Web applications were infected with malicious JavaScript that was implanted through the use of SQL-injection attacks.84 Visitors to these compromised sites had their computers attacked and, if the attacks were successful, Trojans were downloaded onto the computers.85
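The SQL-injected JavaScript described here, the forum injections that spread Zlob, and the ADODB.Stream exploit pages discussed under Top Web-based attacks all leave the same footprint in page content: script or iframe references to hosts outside the site, iframes sized or styled to be invisible, and ActiveX object names that legitimate pages have no reason to instantiate. The following added example (not part of the original report) scans a page for those markers. The site hostname, the HTML and the external URLs are constructed for the example, and the marker list is illustrative rather than a complete signature set; a site owner would run it over served pages or over the text columns that the injection wrote to.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a forum page from "forum.example.org" after an injection
# run appended a script tag and a hidden iframe to stored post text.
SITE_HOST = "forum.example.org"
PAGE = """<html><body>
<div class="post">Welcome to the forum!</div>
<script src="/static/forum.js"></script>
<div class="post">Nice photos<script src="http://evil-stats.example.net/b.js"></script></div>
<iframe src="http://198.51.100.23/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>var o = new ActiveXObject("ADODB.Stream");</script>
</body></html>"""

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
IFRAME = re.compile(r'<iframe\b([^>]*)>', re.I)
IFRAME_SRC = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN = re.compile(
    r'width\s*=\s*["\']?0|height\s*=\s*["\']?0|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
# ActiveX progids that exploit pages instantiate; ordinary site content does not.
EXPLOIT_MARKERS = ("ADODB.Stream", "Shell.Application", "WScript.Shell")


def is_external(url, site_host):
    """True when the URL names a host other than the site's own. Relative URLs have no host."""
    host = urlparse(url).hostname
    return host is not None and host.lower() != site_host.lower()


def scan_page(html, site_host):
    """Return (finding_type, detail) tuples for injected-content indicators in one page."""
    findings = []
    for m in SCRIPT_SRC.finditer(html):
        if is_external(m.group(1), site_host):
            findings.append(("external_script", m.group(1)))
    for m in IFRAME.finditer(html):
        attrs = m.group(1)
        src = IFRAME_SRC.search(attrs)
        if src and HIDDEN.search(attrs):        # a zero-size or hidden frame with a source
            findings.append(("hidden_iframe", src.group(1)))
    lowered = html.lower()
    for marker in EXPLOIT_MARKERS:
        if marker.lower() in lowered:
            findings.append(("exploit_marker", marker))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_page(PAGE, SITE_HOST):
        print(kind, detail)
```

The script to the site's own /static/forum.js is not reported, since it has no foreign host, which is the distinction that keeps the check usable on a real site. The check is deliberately content-based rather than a fix: the injection itself is stopped only by parameterizing the queries the forum or CMS runs, and pages already modified have to be cleaned from the database, not just the served HTML.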
Ukraine ranked third in 2008 as a country of origin for Web-based attacks, accounting for 12 percent of such attacks worldwide. The prominence of Ukraine in this metric is likely due to the compromise of the website of a U.S.-based electronic bill payment processing company.86 The attackers were able to obtain account credentials for the company's domain using a phishing attack, and were then able to gain access to the company's website. Customers, thinking they were visiting the legitimate website, were redirected to a malicious website hosted on servers in the Ukraine, where they were attacked with a Trojan.87 In addition to the compromise of the bill payment company's website, there were at least 71 domains that were redirected to the malicious Ukrainian server during this time.88

Of note, six of the top 10 countries for Web-based attacks in the EMEA region were also in the top 10 countries of origin for Web-based attacks globally, and countries in the EMEA region accounted for 41 percent of the worldwide total, more than any other region. Exploit packs may be one of the reasons behind the prominence of the EMEA region in this measure. Many exploit packs, including MPack,89 IcePack,90 and Neosploit,91 originated in Russia, and it is likely that the Russians who developed these attack kits are responsible for much of their continued propagation. These attackers could possibly be compromising websites around the world and redirecting visitors to computers in EMEA that host the exploit code being used to target client-side vulnerabilities in Web browsers.

Also contributing to the prominence of the EMEA region in this period were a number of high-profile Web-based attacks that occurred there. One example was in January 2008, when the embassy website of the Netherlands in Russia was compromised and visitors to the site were misled into installing malicious code.92 Another example occurred in August 2008, when several hundred domains in the Netherlands were compromised and defaced.93 A third case was when more than a thousand UK websites were compromised
82 http://news.bbc.co.uk/1/hi/technology/7548870.stm
83 http://www.networkworld.com/newsletters/gwm/2008/090808msg1.html
84 http://www.h-online.com/security/Chinese-websites-under-mass-attack--/news/110764
85 Ibid.
86 http://www.networkworld.com/news/2008/120508-network-solutions-phishing-came-before.html
87 http://www.csoonline.com/article/474365/CheckFree_Warns_Million_Customers_After_Hack
88 http://blog.kvuka.info/2008/12/digging-deeper-into-checkfree-attack.html
89 https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/93#M93
90 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Honor-Among-Thieves/ba-p/306084#A193
91 http://blogs.zdnet.com/security/?p=1593
92 http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/
93 http://blogs.zdnet.com/security/?p=1788
and users visiting these sites risked being infected with the Asprox Trojan.94 The success of these attacks on government sites can be attributed, in part, to the inherent trust that visitors to such sites will have, making these visitors more likely to accept prompts to download files if requested.

Web-based attacks are a major threat to computer networks for both enterprises and end users. Attacks such as drive-by downloads are covert and very difficult to mitigate because most users are unaware that they are being attacked. Organizations are thus confronted with the complicated task of having to detect and filter attack traffic from legitimate traffic. Since many organizations rely on Web-based tools and applications to conduct business, it is likely that the Web will continue to be the primary conduit for attack activity favored by malicious code developers.

Threat activity: protection and mitigation

There are a number of measures that enterprises, administrators, and end users can employ to protect against malicious activity. Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. Organizations should employ defense-in-depth strategies, including the deployment of antivirus software and a firewall.95 Administrators should update antivirus definitions regularly and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. As compromised computers can be a threat to other systems, Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity.

Symantec recommends that organizations perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place. Organizations should also filter out potentially malicious email attachments to reduce exposure to enterprises and end users. In addition, egress filtering is one of the best ways to mitigate a DoS attack. DoS victims frequently need to engage their upstream ISP to help filter the traffic to mitigate the effects of attacks. Symantec also advises that users never view, open, or execute any email attachment unless the attachment is expected and comes from a known and trusted source, and unless the purpose of the attachment is known. By creating and enforcing policies that identify and restrict applications that can access the network, organizations can minimize the effect of malicious activity and, hence, minimize the effect on day-to-day operations. Also, administrators should limit privileges on systems for users that do not require such access, and they should also restrict unauthorized devices, such as external portable hard drives and other removable media.
94 http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece
95 Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.
To reduce the likelihood of identity theft, organizations that store personal information should take the necessary steps to protect data transmitted over the Internet or stored on their computers. This should include the development, implementation, and enforcement of a security policy requiring that all sensitive data is encrypted. This would ensure that even if the computer or medium on which the data is stored were lost or stolen, the data would not be accessible. Organizations should implement a data loss prevention (DLP) solution that not only prevents data breaches, but also mitigates potential data leaks from within an organization. Access to sensitive information should be restricted, and organizations should also enforce compliance with information storage and transmission standards such as the PCI standard.96 Policies that ensure that computers containing sensitive information are kept in secure locations and are accessed only by authorized individuals should be put in place and enforced. Sensitive data should not be stored on mobile devices that could be easily misplaced or stolen. These steps should be part of a broader security policy that organizations should develop and implement in order to ensure that any sensitive data is protected from unauthorized access.
96 https://www.pcisecuritystandards.org/
Vulnerability Trends

This section will discuss selected vulnerability trends in greater depth, providing analysis and discussion of the trends indicated by the data. The following metrics will be discussed:

Window of exposure for Web browsers
Web browser vulnerabilities
Web browser plug-in vulnerabilities
Web browser plug-in vulnerabilities, by type
Web application vulnerabilities
Site-specific cross-site scripting vulnerabilities
Zero-day vulnerabilities
Top attacked vulnerabilities
Attacked vulnerabilities by attack vector (client versus server)
Vulnerabilities: protection and mitigation

Window of exposure for Web browsers

The window of exposure for Web browsers is the difference in days between the time when exploit code affecting a vulnerability is made public and the time when the affected vendor makes a patch publicly available for that vulnerability. During this time, the computer or system on which the affected application is deployed may be susceptible to attack. The metric is derived from the average amount of time it took to release a patch in comparison to the average amount of time it took for exploit code to be made publicly available. This metric also includes maximum patch times, which is the maximum amount of time required to release a patch for any of the patched vulnerabilities in the data set.

By measuring the amount of time it takes for vendors to release patches for vulnerabilities, it is possible to gain some insight into their overall security responsiveness. Some of the vulnerabilities examined in this metric were patched by the vendor at the time they were announced. This may be reflective of an internal security audit by the vendor, which may have revealed the vulnerability. It may also indicate that security researchers discovered the vulnerability and responsibly disclosed it to the vendor. Other vulnerabilities may be independently reported by security researchers prior to the release of a patch. This indicates that the security researchers did not coordinate with the vendor to disclose the vulnerability. In some cases, this may mean that the researcher did not responsibly disclose the vulnerability; in other cases it is possible that the researcher made an attempt to responsibly report the vulnerability but the vendor was unresponsive. The patch release time is compared against the average time it takes for vulnerability exploits to become publicly available to determine the window of exposure.

The window of exposure takes all of these factors into account to calculate the average time during which end users and organizations are exposed to exploits. During the window of exposure, administrators and end users need to mitigate the possibility of exploitation by employing current best practices and the best available mitigation technologies. For high-priority vulnerabilities, organizations must devote resources to mitigation until the vulnerability is adequately addressed and eliminated as a risk.
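The window-of-exposure calculation described above, worked through on constructed data. This is an added example and not Symantec's own method or data: the vulnerability identifiers and dates are made up, and the example assumes that a patch or exploit released on or before the disclosure date contributes zero days (negative times are clipped), which the text implies when it mentions vulnerabilities patched at the time they were announced but does not spell out.

```python
from datetime import date
from statistics import mean

# Constructed sample records (hypothetical IDs and dates). For each patched
# vulnerability: public disclosure date, the date exploit code became public,
# and the date the vendor's patch became publicly available.
SAMPLE = [
    {"id": "V-1", "disclosed": date(2008, 3, 1),  "exploit_public": date(2008, 3, 1),  "patch": date(2008, 3, 1)},   # patched at announcement
    {"id": "V-2", "disclosed": date(2008, 4, 10), "exploit_public": date(2008, 4, 11), "patch": date(2008, 4, 14)},  # exploit out before patch
    {"id": "V-3", "disclosed": date(2008, 6, 1),  "exploit_public": date(2008, 6, 2),  "patch": date(2008, 6, 1)},   # patch preceded exploit
    {"id": "V-4", "disclosed": date(2008, 8, 20), "exploit_public": date(2008, 8, 20), "patch": date(2008, 9, 21)},  # slow patch
]


def days_after_disclosure(rec, key):
    """Days from disclosure to the event in `key`; assumption: same-day or earlier counts as 0."""
    return max(0, (rec[key] - rec["disclosed"]).days)


def window_of_exposure(records):
    """Average patch time minus average exploit-availability time, plus the maximum patch time."""
    patch_times = [days_after_disclosure(r, "patch") for r in records]
    exploit_times = [days_after_disclosure(r, "exploit_public") for r in records]
    avg_patch = mean(patch_times)
    avg_exploit = mean(exploit_times)
    slowest = max(records, key=lambda r: days_after_disclosure(r, "patch"))
    return {
        "sample_size": len(records),
        "average_patch_days": avg_patch,
        "average_exploit_days": avg_exploit,
        "window_of_exposure_days": max(0, avg_patch - avg_exploit),
        "maximum_patch_days": max(patch_times),
        "slowest_patch": slowest["id"],
    }


def exposed_vulnerabilities(records):
    """IDs for which exploit code was public before the patch: the cases that drive the window up."""
    return [r["id"] for r in records if r["exploit_public"] < r["patch"]]


if __name__ == "__main__":
    print(window_of_exposure(SAMPLE))
    print(exposed_vulnerabilities(SAMPLE))
```

On the sample the average patch time is 9 days and the average exploit time 0.5 days, giving a window of 8.5 days, while the maximum patch time is the 32 days for V-4. This is the effect the Safari discussion below attributes to a single 156-day patch: one slow fix moves the average far more than the median sample would suggest, so the maximum patch time is reported alongside the average rather than folded into it.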
This metric will examine the window of exposure for the following Web browsers:97

Apple Safari
Google Chrome
Microsoft Internet Explorer
Mozilla browsers
Opera

In 2008, the average window of exposure for Safari was nine days, based on a sample set of 31 patched vulnerabilities (figure 9). The window of exposure for 2007 was one day, based on a sample set of 31 patched vulnerabilities. The eight-day increase in the window of exposure for Safari is due to a number of independently discovered vulnerabilities. The maximum time for Apple to patch a Safari vulnerability in 2008 was 156 days, which negatively affected the average and is significantly longer than the maximum patch time of eight days in 2007.
[Figure 9: bar chart of the average window of exposure in days, 2007 versus 2008, for Safari, Chrome, Internet Explorer, Mozilla and Opera; x-axis 0 to 10 days. Values read from the chart: Safari 1 (2007), 9 (2008); Chrome 3 (2008 only); Internet Explorer 8 (2007), 7 (2008); Mozilla 3 (2007), less than 1 (2008); Opera 2 (2007), 1 (2008).]
Figure 9. Window of exposure for Web browsers
Source: Symantec
For the first time in this report, Chrome is included in the browsers being assessed by Symantec. Because it was released only recently (September 2008), it is being included in the analysis to provide insight into its performance against other browsers thus far and to set a baseline for future reports. In 2008, Symantec documented an average window of exposure of three days for Chrome, based on a sample set of six patched vulnerabilities. The maximum patch time for a vulnerability was 11 days.
The window of exposure for Opera in 2008 was one day, based on a sample set of 33 patched vulnerabilities. In 2008, the maximum time to patch a vulnerability was 29 days. In 2007, the window of exposure for Opera was two days, based on a sample set of 14 patched vulnerabilities, and the maximum patch time was 23 days.

Mozilla browsers had a window of exposure of less than one day in 2008, based on a sample set of 83 patched vulnerabilities, and the maximum patch time was 30 days. In 2007, Mozilla browsers had a window of exposure of three days, for a sample set of 103 vulnerabilities, and the maximum patch time was 109 days.
Of all the browser vendors examined, Mozilla browsers maintained the shortest window of exposure while patching more vulnerabilities than other vendors. This may be indicative of their efforts to marshal the security community to responsibly report vulnerabilities through incentives such as the Bug Bounty program.98 The result of this effort is that more vulnerabilities are announced by the vendor at the time they are fixed, instead of being publicly reported by security researchers independently of the vendor.

It is also worth noting that independent browser vendors, such as Opera and the Mozilla Foundation, had a shorter window of exposure in 2008 than the major operating system vendors, such as Apple and Microsoft. This may be due to the possibility that vendors whose primary product is a Web browser do not have to spread their security response efforts across multiple, disparate products, and can instead focus on the browser. By comparison, major operating system vendors typically have to coordinate security response efforts across a large number of unpatched vulnerabilities affecting a more diverse product portfolio and organization. Vulnerabilities in other products may take priority based on a number of factors, such as the severity of the vulnerability, attack activity in the wild, or the relative ease of developing a patch. Because Chrome is a new addition for this volume, it remains to be seen how Google will fare in the long term as a larger vendor whose Web browser technology represents only a small portion of the products and services it offers.
Web browser vulnerabilities
Web browser vulnerabilities are a serious security concern due to their role in online fraud and the propagation of malicious code, spyware, and adware. They are particularly prone to security concerns because they are exposed to a greater amount of potentially untrusted or hostile content than most other applications. This is a concern because attacks can originate from malicious websites as well as from legitimate websites that have been compromised to serve malicious content. Browsers can also facilitate client-side attacks because of their use of plug-ins and other applications in handling potentially malicious content served from the Web, such as documents and media files.
98 http://www.mozilla.org/security/bug-bounty-faq.html
This metric will examine the total number of vulnerabilities affecting the following Web browsers:
Apple Safari
Google Chrome
Microsoft Internet Explorer
Mozilla browsers
Opera

During 2008, 99 vulnerabilities affected Mozilla browsers (figure 10). Forty of these vulnerabilities were considered low severity and 59 were considered medium severity. This is fewer than the 122 vulnerabilities that were documented in 2007 for Mozilla browsers, of which 91 were considered low severity and 31 were considered medium severity.
Figure 10. Web browser vulnerabilities
Source: Symantec

Documented vulnerabilities by browser, 2007 and 2008:

Browser              2007   2008
Safari                 47     40
Mozilla               122     99
Opera                  19     35
Internet Explorer      57     47
Chrome                  -     11
Internet Explorer was subject to 47 new vulnerabilities in 2008. Sixteen of these vulnerabilities were considered low severity and 31 were considered medium severity. This is fewer than the 57 new vulnerabilities documented in Internet Explorer in 2007, of which 28 were considered low severity, 28 were considered medium severity, and one was considered high severity.

Safari was affected by 40 new vulnerabilities in 2008, of which 16 were considered low severity and 24 were considered medium severity. This is less than the 47 vulnerabilities identified in Safari in 2007, of which 27 were considered low severity, 19 were considered medium severity, and one was considered high severity.
In 2008, Symantec documented 35 new vulnerabilities in Opera, of which 12 were considered low severity and 23 were considered medium severity. This is more than the 19 vulnerabilities discovered in Opera in 2007, of which eight were considered low severity and 11 were considered medium severity.

Chrome was affected by 11 vulnerabilities in 2008, of which seven were considered low severity and four were considered medium severity. Chrome was released in September 2008, so no comparison with previous years is possible.

With the exception of Opera (and, as noted, Chrome), there were fewer browser vulnerabilities identified in 2008 than in 2007. The entrance of Chrome into the browser market and the increasing browser market share of Opera may have influenced security research on these browsers and shifted attention away from other browsers. The trend toward fewer total vulnerabilities in browsers may also indicate a shift by the vendors to improve the security of browsers.

However, it is also worth noting that the trend in 2008 was toward more medium-severity vulnerabilities in browsers. This may correlate with the overall trend toward a higher proportion of medium-severity vulnerabilities in relation to all vulnerabilities documented in 2008. It may also be indicative of evolving skills among security researchers and attackers, who are identifying fewer low-severity vulnerabilities as a result. It should be noted that, in many cases, medium-severity vulnerabilities are sufficient to mount successful attacks if attackers are able to execute arbitrary code and perform actions such as accessing confidential information or making network connections.
It is important for browser vendors to continue to improve browser security, given the continuous competition among vendors to develop and include more features in their products. In 2008, a number of browser vendors made concerted efforts to demonstrate their commitment to security. In particular, Google released the Browser Security Handbook, which outlines common browser security issues.99 The goal of this project is to aid browser developers and security researchers in understanding these vulnerabilities, to help identify and fix these issues. Mozilla has also started the Mozilla Security Metrics project as an attempt to quantify the relative security of its browser products.100
Web browsers continue to be an attractive target for attackers. In 2008, Internet Explorer was the target of a zero-day vulnerability in its XML-handling code.101 This vulnerability was linked with SQL-injection attacks that compromised trusted websites for the purpose of hosting exploit code for the vulnerability.102 This technique was detailed in the previous volume of the Symantec Global Internet Security Threat Report.103 It was a continuing trend in 2008 for attackers to use Web-application vulnerabilities to compromise legitimate websites from which further attacks can then be launched. This exploit is also noteworthy because it attempts to obfuscate signs of an attack by closing the browser cleanly, without any prompts, once exploitation has occurred. This is a measure undertaken by attackers to extend the survivability of zero-day exploits. A zero-day browser vulnerability is a highly valued asset that attackers work to protect against discovery by victims and security vendors. Prolonging the discovery of a zero-day vulnerability delays the development of vendor patches and security content, such as intrusion prevention signatures that help with mitigation.
99 http://code.google.com/p/browsersec/wiki/Main
100 http://blog.mozilla.com/security/2008/07/02/mozilla-security-metrics-project/
101 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Yes-There-s-a-Zero-Day-Exploit-for-Internet-Explorer-Out-There/ba-p/371628#A180
102 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Rise-of-IE-Zero-Day-Through-SQL-Injection/ba-p/372832#A182
103 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf : p. 34
8/14/2019 B-whitepaper Internet Security Threat Report Xiv 04-2009.en-us
40/110
Sac Global i Scu tha ro
40
Another noteworthy browser security issue in 2008 was the carpet bombing flaw discovered in Safari.104 The vulnerability would cause the browser to download arbitrary files onto the victim's desktop. It was later discovered that this could further be exploited to execute code. The issue was actually a combination of security weaknesses in Safari for Windows, Internet Explorer, and Microsoft Windows that, when exploited in tandem, could result in the deployment of a malicious executable. This is interesting because the deployment environment of the browser was a factor that elevated a relatively minor vulnerability to a major one. This presents a risk for browser vendors when they release products for new platforms, as Apple did with its first non-beta release of Safari 3.1 for Windows in March 2008. The concern may be relevant for Chrome, as Google is expected to release versions of the browser for Linux and Mac OS X in 2009.105

Administrators should maintain a restrictive policy regarding which applications are allowed within the organization. The security of applications should be evaluated on a platform-by-platform basis to ensure that platform-specific security issues do not arise when the application is installed.
Web browser plug-in vulnerabilities
This metric will examine the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features. Often these plug-ins allow additional multimedia content from Web pages to be rendered in the browser. They can also enable execution environments that allow applications to be run inside the browser. Browser plug-in vulnerabilities are also used in a range of client-side attacks. Many browsers include various plug-ins in their default installation and provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers, and some may even be required to effectively use the internal sites of enterprises.

The following plug-in technologies will be examined:
Adobe Acrobat
Adobe Flash
Apple QuickTime
Microsoft ActiveX
Microsoft Windows Media Player
Mozilla browser extensions
Sun Java
In 2008, Symantec documented a total of 415 vulnerabilities in plug-in technologies for Web browsers. This is fewer than the 475 vulnerabilities affecting browser plug-ins identified in 2007. Of the total for 2008, 287 vulnerabilities affected ActiveX, which is significantly more than any other plug-in technology (figure 11). Of the remaining plug-ins for which vulnerabilities were documented, there were 45 vulnerabilities identified in Java, 40 in QuickTime, 17 in Acrobat Reader, 16 in Flash Player, five that affected Mozilla extensions, and five that affected Windows Media Player.
104 http://www.securityfocus.com/brief/746
105 http://news.cnet.com/chrome-gets-mac-deadline-extensions-foundation/?tag=col;newsnow
Figure 11. Web browser plug-in vulnerabilities
Source: Symantec

Share of documented plug-in vulnerabilities by technology, 2007 and 2008:

Technology              2007   2008
ActiveX                  83%    69%
QuickTime                 8%    10%
Java                      4%    11%
Flash                     2%     4%
Acrobat                   1%     4%
Mozilla extensions        1%     1%
Windows Media Player      1%     1%
ActiveX was also affected by the most vulnerabilities in 2007, with a total of 399 out of the 475 vulnerabilities identified. After that, QuickTime ranked second with 37 vulnerabilities, Java was affected by 17, Flash Player had 11, four affected Mozilla extensions, three affected Windows Media Player, and three affected Adobe Acrobat Reader.

ActiveX vulnerabilities are still a popular method of attack for developers of attack toolkits such as NeoSploit. In 2008, a number of additional exploits for ActiveX added to the NeoSploit toolkit were identified. These include a vulnerability in the Snapshot Viewer for Microsoft Access,106 and another in the Computer Associates BrightStor application.107 In fact, to exploit the Microsoft Access Snapshot Viewer vulnerability, attackers went to the length of silently installing the vulnerable control on client computers not previously affected by the vulnerability.108 This highlights underlying security issues in the ActiveX security model, through which attackers are able to silently install vulnerable ActiveX components that are cryptographically signed by a vendor present in the trusted certificate store of Internet Explorer.

The prevalence of ActiveX vulnerabilities poses a particular concern to end users and organizations that use Internet Explorer. While the market share of Internet Explorer 7 surpassed that of Internet Explorer 6 in 2008, the fact that ActiveX vulnerabilities are still a popular avenue of attack suggests that the security features of Internet Explorer 7 have not eliminated the ActiveX threat.109 It appears that end users are overriding these security features and continue to allow insecure ActiveX controls to be installed and executed. Microsoft Internet Explorer 8 is slated to include additional security features to manage the threat of insecure ActiveX controls.110 It is uncertain whether better ActiveX security in Internet Explorer 8 will have an effect on the number of vulnerabilities in the short term, since there are still many insecure
106 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Microsoft-Access-Snapshot-Viewer-Exploited-in-Neosploit-Wave/ba-p/335199#A164
107 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Neosploit-Updated-with-Exploit/ba-p/314840#A151
108 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/ActiveX-Vulnerabilities-Even-When-You-Aren-t-Vulnerable-You-May/ba-p/341705#A165
109 http://www.w3schools.com/browsers/browsers_stats.asp
110 http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-ii-activex-improvements.aspx
ActiveX controls available for download on the Internet. However, there may be fewer incidents and examples of these vulnerabilities being incorporated into attack toolkits if the security measures being implemented by Microsoft are effective.
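Whether a known-vulnerable control can still be instantiated on a host is something an administrator can verify rather than assume. Internet Explorer refuses to load a control whose CLSID has the 0x400 "kill bit" set in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} (Microsoft KB 240797). The Python below is an added example, not code from the report or from Microsoft: it audits an exported copy of that key against a blocklist of controls and emits a .reg fragment for any that are still loadable. The CLSIDs are made up for the example, and SAMPLE_REG is constructed text standing in for the output of `reg export`.

```python
r"""Kill-bit audit of an exported ActiveX Compatibility registry key.

Added example, not code from the report or from Microsoft.  Fact relied on:
Internet Explorer will not instantiate a control whose CLSID has bit 0x400
(the "kill bit") set in the DWORD "Compatibility Flags" under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
(Microsoft KB 240797).  Everything else is constructed: the CLSIDs are made
up, and SAMPLE_REG stands in for the output of
  reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg
"""
import re
from typing import Dict, Iterable, List

KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Controls the organization has decided must not run in IE (hypothetical CLSIDs;
# in practice they come from the vendor advisory for the vulnerable control).
BLOCKLIST: Dict[str, str] = {
    "{00000000-1111-2222-3333-444444444444}": "hypothetical snapshot-viewer control",
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": "hypothetical backup-agent control",
    "{12345678-9ABC-DEF0-1234-56789ABCDEF0}": "hypothetical media-player control",
}

# Constructed export: first control killed, second has unrelated flags only,
# third blocklisted control absent, and an unrelated fourth CLSID killed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-1111-2222-3333-444444444444}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"Compatibility Flags"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{99999999-8888-7777-6666-555555555555}]
"Compatibility Flags"=dword:00000400
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9A-Fa-f]{8})\s*$')


def parse_compat_flags(reg_text: str) -> Dict[str, int]:
    """Map each CLSID under the ActiveX Compatibility key to its Compatibility Flags.

    CLSIDs are upper-cased because registry key names are case-insensitive.
    A subkey that has no flags value maps to 0.
    """
    prefix = (COMPAT_KEY + "\\").upper()
    flags: Dict[str, int] = {}
    current = None
    for line in reg_text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key").upper()
            current = key[len(prefix):] if key.startswith(prefix) else None
            if current is not None:
                flags.setdefault(current, 0)
            continue
        val = FLAGS_RE.match(line)
        if val and current is not None:
            flags[current] = int(val.group("hex"), 16)
    return flags


def audit(reg_text: str, blocklist: Dict[str, str] = BLOCKLIST) -> Dict[str, str]:
    """Report, per blocklisted CLSID, whether the kill bit actually protects the host."""
    flags = parse_compat_flags(reg_text)
    report: Dict[str, str] = {}
    for clsid, desc in blocklist.items():
        value = flags.get(clsid.upper())
        if value is None:
            report[clsid] = f"MISSING: no Compatibility Flags entry for {desc}; control may load"
        elif value & KILL_BIT:
            report[clsid] = f"OK: kill bit set for {desc}"
        else:
            report[clsid] = f"WEAK: flags=0x{value:08X} lack 0x400 for {desc}; control may load"
    return report


def unprotected(report: Dict[str, str]) -> List[str]:
    """CLSIDs whose audit status is anything other than OK."""
    return sorted(c for c, status in report.items() if not status.startswith("OK"))


def reg_fix_for(clsids: Iterable[str], existing: Dict[str, int]) -> str:
    """Build a .reg fragment (for reg import) that ORs the kill bit into each CLSID's flags."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        value = existing.get(clsid.upper(), 0) | KILL_BIT   # preserve other flag bits
        lines += [f"[{COMPAT_KEY}\\{clsid}]", f'"Compatibility Flags"=dword:{value:08x}', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    findings = audit(SAMPLE_REG)
    for clsid, status in findings.items():
        print(clsid, status)
    print(reg_fix_for(unprotected(findings), parse_compat_flags(SAMPLE_REG)))
```

The fix ORs the bit into any flags already present rather than overwriting the value, and the audit treats a missing entry the same as a wrong one, since either way the control loads. Note that the kill bit only stops Internet Explorer from instantiating the control; it does not uninstall it, so a control that was silently installed, as described above, stays on disk until removed separately.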
Other plug-in technologies, such as Acrobat, were also subject to exploitation in the wild.111 Furthermore, the number of plug-in vulnerabilities in Java rose due to increased interest from the security research community. Java is an attractive target because it runs in most Web browser versions on most operating systems. This means that many of the vulnerabilities in the Java plug-in facilitate the development of cross-platform exploit code. This presents an ideal scenario for attackers because it exposes a large number of targets to simple and reliable exploitation. Attackers seek vulnerabilities that affect widely deployed applications that can be attacked through the Web browser.
Web browser plug-in vulnerabilities, by type
This discussion will examine some specific vulnerabilities that affect browser plug-ins. To do so, the vulnerabilities covered in the previous metric are classified into various categories based on their security impact. The impact of a vulnerability helps to determine the means by which an attacker accomplishes its goal by exploiting the vulnerability. It also helps administrators prioritize the risks posed by a specific vulnerability and develop mitigations that are proportionate to the threat.

The categories below are meant to highlight the primary impact to end users. It should be noted that some vulnerabilities defy categorization due to inadequate public information about the nature of the vulnerability and its potential impact. Vulnerabilities that could not be categorized are omitted from the discussion.

Vulnerabilities affecting browser plug-in technologies are classified into the following distinct categories:112
Memory corruption: These vulnerabilities allow attackers to corrupt the memory of an application process with malicious input and can allow attackers to execute arbitrary code.
Denial-of-service (DoS): DoS vulnerabilities typically result in an application crash when exploited. Although this could be due to a memory corruption issue, these vulnerabilities are classified as DoS when no potential for arbitrary code execution is apparent.
Information disclosure: These vulnerabilities permit the exposure of sensitive information to an unauthorized party, either as a result of active exploitation or as an adverse side effect of an erroneous condition in the application.
Content injection: These vulnerabilities allow the injection of malicious content or allow attackers to bypass third-party input validation filters; they can also enable cross-site scripting attacks.
Spoofing: These vulnerabilities allow an attacker to spoof elements of the browser user interface.
Unauthorized file system access: These vulnerabilities allow attackers to view, modify, or delete files on the computer hosting the affected browser plug-in.
111 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Acrobat-Util-Printf-Exploit-Detected-with-Existing-IPS/ba-p/364088#A176
112 For a more complete description of these categories, please see Appendix C, Vulnerability Trends Methodologies
Command execution: These vulnerabilities allow a remote attacker to execute operating system commands through an affected browser plug-in.
Origin validation: These vulnerabilities can occur when content from an invalid or unauthorized originating source is treated as valid by a plug-in.
Elevated security context: These vulnerabilities violate a security policy intended to prevent remote content from accessing system resources and capabilities. It should be noted that some vulnerabilities may present an opportunity for elevated security bypass but are more accurately described by another category.

In 2008, of the 415 vulnerabilities identified in browser plug-ins, 271 were classified as memory corruption vulnerabilities (figure 12). This is followed by 61 unauthorized file system access vulnerabilities, 27 elevated security context vulnerabilities, 14 DoS attack vulnerabilities, 13 information disclosure vulnerabilities, nine command execution vulnerabilities, eight origin validation vulnerabilities, four content injection vulnerabilities, and one vulnerability that facilitated spoofing attacks. The remaining seven vulnerabilities could not be classified due to insufficient information about their causes and effects.
Memory corruption vulnerabilities also made up the majority of plug-in vulnerabilities in 2007, with 288 being classified as such out of the 475 total vulnerabilities identified (table 5). Of the remainder, 76 were considered DoS issues, 54 allowed unauthorized file system access, 24 allowed an elevated security context, nine allowed command execution, eight allowed content injection, five vulnerabilities allowed information disclosure, and two were related to origin validation. There were no spoofing vulnerabilities in browser plug-in technologies in 2007, and nine vulnerabilities could not be classified due to a lack of information about their causes and effects.

Memory corruption vulnerabilities constituted the majority of browser plug-in vulnerabilities in both 2007 and 2008. However, the data indicates that DoS vulnerabilities were less prevalent in 2008 than they were in 2007. In 2008, they were displaced by unauthorized file system access vulnerabilities as the second highest proportion of plug-in technology vulnerabilities. In October of 2008, Symantec reported on the rise in unauthorized file system access vulnerabilities affecting ActiveX controls.113 At that time, attackers had integrated a number of exploits for these issues into attack toolkits, proving their effectiveness and popularity among attackers. In the same month, Symantec also observed new attack patterns for unauthorized file system access vulnerabilities that affected ActiveX controls.114 These attack patterns can allow attackers to exploit unauthorized file system access vulnerabilities to execute arbitrary code.

The decrease in DoS vulnerabilities and the increase in vulnerabilities such as unauthorized file system access and elevated security context indicate an evolving skill set among security researchers and attackers. In particular, researchers and attackers are developing the skills to report higher-severity vulnerabilities that allow remote code execution and other serious consequences. This also explains the prevalence of memory corruption vulnerabilities in browser plug-ins because, if successfully exploited, they will let an attacker run arbitrary code on the affected computer. DoS vulnerabilities in plug-in technologies are often the result of unskilled security research efforts because the effect on client applica