Report: Flaws quickly spawn Net attacks

Online vandals are quickly exploiting flaws, leaving companies with little time to patch their computer systems, according to data analysis by Symantec.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Oct. 1, 2003 1:19 p.m. PT

2 min read

Online vandals are quickly exploiting flaws, leaving companies with little time to patch their computer systems, according to a report published Wednesday by Symantec.

The Internet Security Threat Report--based on an analysis of six months of data from the security company's widespread intrusion-detection network--found that two-thirds of new attacks take advantage of vulnerabilities less than a year old. The MSBlast worm, for example, appeared 26 days after Microsoft warned customers about the security flaw exploited by the worm.

"The window for us to get things fixed is a great deal smaller," said Alfred Huger, a senior director of engineering for Symantec. "If you have a window of less than a month to get things fixed, that is pretty problematic for any large enterprise."

The report, which uses data from more than 20,000 sensors in 180 countries, found that four out of 10 attacks took place less than six months after the first release of information about a flaw.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

While the last six months may have made the trend more evident, for some time attackers have been closing the gap between the release of information about vulnerabilities and the writing of code to exploit them. Moreover, the lag for some major attacks has run counter to the suggested time frame. The Code Red worm, released more than two years ago, quickly came out after the flaw on which it was based, while the more recent Slammer worm appeared six months after the vulnerability it took advantage of.

The report also found that more-complex worms and viruses--known in the antivirus industry as blended threats--are becoming the attack of choice among Internet vandals. Such threats often exploit several different flaws to increase the chance of infecting a computer system. The number of attacks that could be classified as a blended threat in the first half of 2003 was 20 percent higher than in the previous six months, according to the report.

Moreover, threats are increasingly targeting specific goals, Symantec found. Bugbear.B, which started spreading in June, targeted certain financial institutions with attacks that stole confidential information and passwords (though it's not known how effective those attacks were). The SoBig family of viruses are designed to aid spammers by allowing bulk e-mailers to use home computers infected by the virus as relay points for sending mass quantities of e-mail.

The report's conclusion that attacks are increasing reverses the findings of a Symantec report published in February. In that edition of the report, the Cupertino, Calif.-based security company found that Internet attacks against companies had fallen in the last half of 2002.