A New 'Malicious Marketplace' for Internet Attacks

Internet criminals are increasingly targeting popular applications like backup software and Web browsers instead of the operating systems that run them, according to a new report from government and industry security experts.

Attackers now target backup and recovery programs, as well as "the antivirus and other security tools that most organizations think are keeping them safe," according to the SANS Top 20 report for 2005 on the most critical Internet vulnerabilities, released today.

The shift toward finding and exploiting vulnerabilities in programs represents a major change from past years, when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.

"Attackers are now targeting the whole range of applications that users are now installing on their systems," says Alan Paller, Director of Research at SANS.

That puts us back five or six years in terms of Internet security, says Paller, because while operating systems and other frequent targets of Internet attacks have implemented automatic updates to quickly close security holes, many programs with critical vulnerabilities don't have any such features.

"That means we're back to the Stone Age," Paller says. "Everything you worried about five or six years ago" is a concern once again, he says, when people have to discover and fix new vulnerabilities themselves.

In addition to holes in security and backup programs, critical vulnerabilities in instant messaging programs, Web browsers, file sharing applications, and media players are all listed among the Top 20.

About 60 percent of new vulnerabilities now affect client-side applications like Web browsers and media players, according to Gerhard Eschelbeck of Internet security company Qualys, which also participated in the report's research.

And those vulnerabilities are drawing all the wrong sorts of attention. According to SANS, unwanted network traffic targeting Symantec Veritas BackupExec rocketed to 500,000 instances within days of an announced security hole in the product, up from a previous maximum of about 50,000 instances.

Symantec wasn't alone. Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes. Also, according to a previous report from the Yankee Group, the number of flaws reported in antivirus and other security programs is increasing at a far faster rate than for Windows.

Applications represent an increasingly attractive target because operating systems and Internet services have become more resilient after years of steady attacks. Many programs, on the other hand, lack any means for automatic program updates. The delay between an announced vulnerability and the time that an administrator or home user manually updates the software represents a window of opportunity for Internet criminals.

New awareness of critical security holes in the network devices that guide Internet traffic represents the second important shift in the Top 20, according to the report.

"Compromises of network devices can provide attackers one of the most fruitful platforms for eavesdropping and launching targeted attacks," it states.

Additionally, "individuals are writing exploits . . . largely for profit," says Roger Cummings, director of the British Government's National Infrastructure Security Co-Ordination Centre. Cummings co-presented the report.

The marketplace could put major exploits in the hands of terrorists interested in threatening our countries' infrastructure, according to Cummings. That threat grows as we become increasingly dependent on larger networks that combine services and tasks, he says.

The public nature of the Internet, one of its great strengths, also can contribute to its vulnerability, Cummings says. Because the technologies that power the Internet are public knowledge, anyone can examine them for weaknesses. In the long run, that may result in more problems being fixed. But in the short term, before a program patch or other fix is available, those vulnerabilities can be exploited for real profit.

Government organizations within the United States, the United Kingdom, and Canada all contributed to the report, as did Internet security company TippingPoint. The SANS Institute has been producing the Top 20 report since 2000.

PC World earlier this year explored the new waves of criminal activity in a five-part series called Web of Crime.