X-Force report at mid-2008

Date : September 04, 2008

IBM Internet Security Systems - X-Force has just released a report that highlights several new trends for the first half of 2008. This article sums it up by looking in turn at three areas: vulnerabilities, spam (and phishing), and malware.


1/ Vulnerabilities

The first established fact regarding vulnerabilities is that their number is constantly increasing, as is their severity. These vulnerabilities mainly target not operating systems but web browsers, multimedia applications and document readers (e.g. Office and Adobe). This is confirmed by the arrival of newcomers in the Top 10 of vendors with the most vulnerability disclosures: Joomla!, WordPress and Drupal (all three written in PHP). On the other hand, the three vendors with the highest percentage of public exploits are Microsoft, HP and Apple.

As for who discloses vulnerabilities, 16% of disclosures are made anonymously; of the rest, around 30% come from official organisations and 70% from independent researchers.

Web application vulnerabilities

The beginning of the year has confirmed the increase in web server vulnerabilities (see on this topic the Cert-IST crisis response hub named "Infections web"); these vulnerabilities now represent 51% of the discovered flaws. The techniques used in these attacks have changed since 2006: while "Cross-Site Scripting" attacks remain (at a constant level), SQL injections have increased sharply, at the expense of "file include" attacks.

Web browsers vulnerabilities

On the browser side as well the increase is obvious, from less than 5% of vulnerabilities with a public exploit in 2004 to around 30% for the first half of 2008. The speed at which these exploits are released has also increased considerably: nowadays more than 80% of exploits are released the same day as the flaw (or even before), a 70% increase compared to 2007. This affects web browser flaws in particular. Note that researchers do not only look for flaws in the browser itself but also in its plug-ins (51% of browser vulnerabilities affect plug-ins, and 78% of public exploits related to browsers target plug-ins).

Virtualization vulnerabilities

These technologies are victims of their own success and have attracted security researchers' curiosity. Since 2006 the number of vulnerabilities discovered in these tools has constantly increased, as has their complexity.

 

2/ Spam and phishing

Since the end of 2007, the decline of complex spam (based on images, animated images, PDF documents, text generators, etc.) has been confirmed. Spam techniques have moved back to a simpler scheme: a text e-mail embedding a malicious URL. The benefit for spammers is to lure users (using trusted domain names) while bypassing anti-spam software. This trend was also confirmed by the antivirus vendor Sophos in its July 2008 report.

As for phishing, even if the number of phishing messages has increased, the share of spam related to phishing has decreased to 0.4% in the second quarter of 2008. This simply means that the overall volume of spam is growing faster than the overall volume of phishing.
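The scheme described above (a plain-text mail whose only payload is a URL that borrows a trusted brand name) is what a mail gateway has to pick out on the receiving side. The following added example, which is not part of the Cert-IST article or of the X-Force report, shows one simple defensive heuristic: extract the URLs from a message, then flag those whose host is a bare IP address or whose registered domain does not match the brand name that appears in the host or path. The brand table, the sample mail and the two-label approximation of a registered domain are assumptions constructed for the example (a real filter would use the public suffix list).

```python
import re
from urllib.parse import urlsplit

# Assumed brand -> legitimate registered domain table (constructed for this example).
TRUSTED_BRANDS = {
    "paypal": "paypal.com",
    "ebay": "ebay.com",
    "examplebank": "examplebank.com",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample message; domains use reserved/example names only.
SAMPLE_MAIL = """Dear customer,

Your account has been limited. Please confirm your details at
http://paypal.com.secure-login.example.net/update within 24 hours.
You can also review your recent purchases at http://198.51.100.23/ebay/verify.
Our newsletter remains available at https://www.example.org/newsletter.
Official site: https://www.paypal.com/signin
"""


def registered_domain(host):
    """Naive registered-domain approximation: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return a short verdict tag for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if IPV4_RE.fullmatch(host):
        return "ip_literal_host"
    reg_dom = registered_domain(host)
    haystack = host + parts.path.lower()
    for brand, legit in TRUSTED_BRANDS.items():
        # A brand name used as bait while the registered domain is someone else's.
        if brand in haystack and reg_dom != legit:
            return "brand_lookalike:" + brand
    return "ok"


def scan_message(text):
    """Extract every URL and pair it with its verdict, in order of appearance."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(text)]
    return [(u, classify_url(u)) for u in urls]


def suspicious_urls(text):
    """Only the URLs a gateway would hold or rewrite."""
    return [u for u, verdict in scan_message(text) if verdict != "ok"]


if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MAIL):
        print(f"{verdict:28s} {url}")
```

The heuristic deliberately matches the brand name anywhere in the host or path, because the lure works on what the reader sees, not on where the label sits; the price is that a legitimate third-party page mentioning a brand in its path is flagged too, which is why this sits in front of a human or a reputation lookup rather than acting alone.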

 

3/ Malware

During the first half of 2008, the Top 10 malware list includes a family of password stealers targeting on-line games, and within the password stealer category as a whole, 50% of malicious codes target games.

A last section of the X-Force document is devoted to the "Top Behaviors" of malicious codes. The most common behavior is dropping a file in the "Windows/System" folder. Next comes installing a service, with the modification of the associated registry keys so that the service is run at each system reboot. Another frequently reported behavior is setting the "Hide" attribute on files in order to conceal the files dropped by the malware. The list ends with other behaviors, among which injecting code into trusted processes, disabling security software, downloading files and installing spyware.
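The "Top Behaviors" list reads naturally as a detection checklist: each item is a host event that endpoint telemetry already records. The following added example, which is not part of the Cert-IST article or of the X-Force report, correlates a constructed stream of key=value host events per process and tags the behaviors named above (file dropped under the Windows system folder, service installation, autostart registry keys, hidden attribute set on a file the same process dropped, remote thread injection, stopping a security service, file download). The event format, the process ids, paths and service names are all assumptions constructed for the example; a real sensor's schema would differ.

```python
import re
from collections import defaultdict

# Constructed telemetry lines (not from the report). One process, pid 4120,
# exhibits the listed behaviors; pid 2200 performs a benign hidden-attribute change.
SAMPLE_EVENTS = [
    "type=file_create pid=4120 path=C:\\Windows\\System32\\updsvc.exe",
    "type=file_create pid=4120 path=C:\\Users\\alice\\Documents\\notes.txt",
    "type=service_install pid=4120 name=UpdSvc image=C:\\Windows\\System32\\updsvc.exe",
    "type=reg_set pid=4120 key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\UpdSvc\\Start data=2",
    "type=reg_set pid=4120 key=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\UpdSvc data=C:\\Windows\\System32\\updsvc.exe",
    "type=attrib_set pid=4120 path=C:\\Windows\\System32\\updsvc.exe attrs=HS",
    "type=attrib_set pid=2200 path=C:\\Users\\alice\\.gitconfig attrs=H",
    "type=remote_thread pid=4120 target=explorer.exe",
    "type=service_stop pid=4120 name=WinDefend",
    "type=http_get pid=4120 url=http://example.invalid/payload.bin",
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")
# Assumed names of security services whose stop is worth flagging.
SECURITY_SERVICES = {"windefend", "msmpsvc", "wscsvc", "mpssvc"}
AUTOSTART_RUN_KEY = "\\currentversion\\run\\"
SERVICE_START_RE = re.compile(r"\\services\\[^\\]+\\start$")
AUTO_START_VALUES = {"0", "1", "2"}  # boot, system and automatic start types


def parse_event(line):
    """Parse 'key=value key=value' into a dict (values carry no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def behaviours_by_pid(lines):
    """Correlate events per process and return {pid: set of behavior tags}."""
    created = defaultdict(set)   # pid -> lower-cased paths it has written
    found = defaultdict(set)     # pid -> behavior tags observed
    for line in lines:
        ev = parse_event(line)
        pid, kind = ev.get("pid"), ev.get("type")
        if kind == "file_create":
            path = ev["path"].lower()
            created[pid].add(path)
            if path.startswith(SYSTEM_DIRS):
                found[pid].add("drop_in_system_dir")
        elif kind == "service_install":
            found[pid].add("install_service")
        elif kind == "reg_set":
            key = ev["key"].lower()
            autostart_service = SERVICE_START_RE.search(key) and ev.get("data") in AUTO_START_VALUES
            if autostart_service or AUTOSTART_RUN_KEY in key:
                found[pid].add("persist_autostart")
        elif kind == "attrib_set":
            # Only a hidden attribute on a file this very process dropped is suspicious.
            if "H" in ev.get("attrs", "") and ev["path"].lower() in created[pid]:
                found[pid].add("hide_dropped_file")
        elif kind == "remote_thread":
            found[pid].add("inject_into_process")
        elif kind == "service_stop" and ev.get("name", "").lower() in SECURITY_SERVICES:
            found[pid].add("disable_security_software")
        elif kind == "http_get":
            found[pid].add("download_file")
    return dict(found)


def suspicious_pids(lines, min_behaviours=3):
    """Processes showing at least min_behaviours distinct listed behaviors."""
    return sorted(pid for pid, tags in behaviours_by_pid(lines).items()
                  if len(tags) >= min_behaviours)


if __name__ == "__main__":
    for pid, tags in behaviours_by_pid(SAMPLE_EVENTS).items():
        print(pid, sorted(tags))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

Scoring on the number of distinct behaviors per process, rather than alerting on any single one, is what keeps the benign hidden-file change and ordinary software installers below the threshold; the threshold itself is a tuning knob, not a fixed value.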

 

The trends for this first half of 2008 give a mid-year summary. They highlight in particular the problem of ever faster exploit release: nowadays there is very little time between the discovery of a flaw and its exploitation. The recent DNS flaw is a typical example.

 
