Symantec Government Internet Security Threat Report Trends for July December 07. Volume XIII, Published April 2008




Dean Turner, Executive Editor, Director, Global Intelligence Network, Symantec Security Response
Marc Fossi, Manager, Development, Symantec Security Response
Eric Johnson, Editor, Symantec Security Response
Trevor Mack, Associate Editor, Symantec Security Response
Joseph Blackbird, Threat Analyst, Symantec Security Response
Stephen Entwisle, Threat Analyst, Symantec Security Response
Mo King Low, Threat Analyst, Symantec Security Response
David McKinney, Threat Analyst, Symantec Security Response
Candid Wueest, Analyst, Symantec Security Response

Contents

Overview ... 4
Highlights ... 6
Attack Trends ... 10
Malicious Code Trends ... 39
Phishing Trends ... 49
Spam Trends ... 59
Appendix A: Symantec Best Practices ... 63
Appendix B: Attack Trends Methodology ... 65
Appendix C: Malicious Code Trends Methodology ... 68
Appendix D: Phishing and Spam Trends Methodology ... 69

Overview

The Symantec Government Internet Security Threat Report provides a six-month summary and analysis of trends in attacks, vulnerabilities, malicious code, phishing, and spam as they pertain to organizations in government and critical infrastructure sectors. Where possible, it will also include an overview of legislative efforts to combat these activities.

Over the past several reporting periods, Symantec has observed a shift in the threat landscape in which attackers have increasingly moved away from nuisance and destructive attacks towards targets and methods that are driven by financial motives. Today's attackers are increasingly sophisticated, determined, and organized, and have begun to adopt methods that are similar to traditional software development and business practices.

The previous volume of the Symantec Internet Security Threat Report observed that global, decentralized networks of malicious activity were continuing to rise and that, increasingly, regional threat patterns were beginning to emerge. Today, the threat landscape is arguably more dynamic than ever. As security measures are developed and implemented to protect the data of end users and organizations, attackers are rapidly adapting new techniques and strategies to circumvent them. As a result, the identification, analysis, and trending of these techniques and strategies must also evolve.

The Government Internet Security Threat Report will provide an analysis of attack activity that Symantec observed between July 1 and December 31, 2007 that targets or affects services, organizations, and/or industries of concern to government organizations around the world. For the purposes of this discussion, these government organizations include national, state/provincial, and municipal governments. Furthermore, this discussion will incorporate data and discussion that is relevant to threat activity that affects critical infrastructure industries that support or affect government and military institutions, which include:

- Aerospace
- Agriculture
- Biotech/pharmaceutical
- Financial services
- Health care
- Internet service providers
- Manufacturing
- Telecommunications
- Transportation
- Utilities and energy

Symantec has established some of the most comprehensive sources of Internet threat data in the world. The Symantec Global Intelligence Network encompasses worldwide security intelligence data gathered from a wide range of sources, including more than 40,000 sensors monitoring networks in over 180 countries through Symantec products and services such as Symantec DeepSight Threat Management System and Symantec Managed Security Services, and from other third-party sources. Symantec gathers malicious code reports from over 120 million client, server, and gateway systems that have deployed its antivirus product, and also maintains one of the world's most comprehensive vulnerability databases, currently consisting of over 25,000 recorded vulnerabilities (spanning more than two decades) affecting more than 55,000 technologies from over 8,000 vendors.

Symantec also operates the BugTraq mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 50,000 direct subscribers who contribute, receive, and discuss vulnerability research on a daily basis. As well, the Symantec Probe Network, a system of over two million decoy accounts in more than 30 countries, attracts email from around the world to gauge global spam and phishing activity. Symantec also gathers phishing information through the Symantec Phish Report Network, an extensive antifraud community of enterprises and consumers whose members contribute and receive fraudulent Web site addresses for alerting and filtering across a broad range of solutions.

These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The Symantec Government Internet Security Threat Report gives government organizations essential information to effectively secure their systems now and into the future.

Highlights

This section provides highlights of the security trends that Symantec observed during this period based on the data gathered from the sources listed above. Selected metrics will be discussed in greater depth in their respective sections following these highlights.

Attack Trends Highlights

- During this reporting period, the United States accounted for 31 percent of all malicious activity, an increase from 30 percent in the first half of 2007.
- The United States was the top country of attack origin in the second half of 2007, accounting for 24 percent of worldwide activity, a decrease from 25 percent in the first half of 2007.
- Peru was the country with the highest rate of malicious activity per broadband subscriber in the second half of 2007, accounting for nine percent of the total.
- Telecommunications was the top critical infrastructure sector for malicious activity in the last half of 2007, accounting for 95 percent of the total. This was an increase from 90 percent in the first half of 2007.
- The education sector accounted for 24 percent of data breaches that could lead to identity theft during this period, more than any other sector. This was a decrease from the previous reporting period, when it accounted for 30 percent of the total.
- Government was the top sector for identities exposed, accounting for 60 percent of the total, a significant increase from 12 percent in the first half of 2007.
- Theft or loss of a computer or other data-storage medium was the cause of the most data breaches that could lead to identity theft during this reporting period, accounting for 57 percent of the total. It accounted for 61 percent of the identities exposed in the second half of 2007, more than any other cause.
- The United States was the top country for hosting underground economy servers, accounting for 58 percent of the total identified by Symantec, a decrease from the first half of 2007, when it accounted for 64 percent of the total.
- Bank accounts were the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 22 percent of all items, an increase from the first half of 2007, when they made up 21 percent.
- Symantec observed an average of 61,940 active bot-infected computers per day in the second half of 2007, an increase of 17 percent from the previous period.
- The average lifespan of a bot-infected computer during the last six months of 2007 was four days, unchanged from the first half of 2007.
- The United States had the most bot-infected computers, accounting for 14 percent of the worldwide total, a slight increase from 13 percent in the first half of 2007.

- Madrid was the city with the most bot-infected computers, accounting for three percent of the worldwide total.
- In the last six months of 2007, Symantec identified 4,091 bot command-and-control servers. This is an 11 percent decrease from the previous reporting period, when 4,622 bot command-and-control servers were identified. Of these, 45 percent were located in the United States, more than any other country.
- The United States was the country most frequently targeted by denial-of-service attacks, accounting for 56 percent of the worldwide total. This is a decrease from 61 percent reported in the first half of 2007.
- The top country of origin for attacks targeting the government sector was the United States, which accounted for 21 percent of the total. This was an increase from the first half of 2007, when the United States accounted for 19 percent of the total.
- Denial-of-service attacks were the most common attack type targeting government and critical infrastructure organizations, accounting for 46 percent of the top 10 attacks. This is a decrease from the first half of 2007, when denial-of-service attacks accounted for 35 percent of the top 10 and ranked second.

Malicious Code Trends Highlights

- In the second half of 2007, 499,811 new malicious code threats were reported to Symantec, a 136 percent increase over the first half of 2007.
- Of the top 10 new malicious code families detected in the last six months of 2007, five were Trojans, two were worms, two were worms with a back door component, and one was a worm with a virus component.
- During the second half of 2007, Trojans made up 71 percent of the volume of the top 50 malicious code samples, a decrease from 73 percent in the first six months of 2007.
- Forty-three percent of worms originated in the Europe, Middle East, and Africa (EMEA) region. North America accounted for 46 percent of Trojans for this period.
- Threats to confidential information made up 68 percent of the volume of the top 50 potential malicious code infections reported to Symantec.
- Of all confidential information threats detected this period, 76 percent had a keystroke logging component and 86 percent had remote access capabilities, a decrease for each from 88 percent in the previous period.
- Forty percent of malicious code that propagated did so through executable file sharing, a significant increase from 14 percent in the first half of 2007, making this the most commonly used propagation mechanism during this period.
- Seven percent of the volume of the top 50 malicious code samples modified Web pages this period, up from three percent in the previous period.

- During the second half of 2007, 10 percent of the 1,032 documented malicious code samples exploited vulnerabilities. This is lower than the 18 percent proportion of the 1,509 malicious code instances documented in the first half of 2007.
- Seven of the top 10 staged downloaders this period were Trojans, two were worms, and one was a worm with a viral infection component.
- Of the top 10 downloaded components for this period, eight were Trojans and two were back doors.
- Malicious code that targets online games made up eight percent of the volume of the top 50 potential malicious code infections, up from five percent in the previous period.

Phishing Trends Highlights

- The Symantec Probe Network detected a total of 207,547 unique phishing messages, a five percent increase over the first six months of 2007. This equates to an average of 1,134 unique phishing messages per day for the second half of 2007.
- Eighty percent of all unique brands used in phishing attacks were in the financial sector, compared to 79 percent in the previous period.
- One percent of phishing attacks spoofed the government sector this period.
- During this period, 66 percent of all phishing Web sites spoofed financial services brands, down from 72 percent in the first half of 2007.
- In the second half of 2007, 66 percent of all phishing Web sites identified by Symantec were located in the United States.
- Two social networking sites together were the target of 91 percent of phishing attacks for Web sites hosted in the United States.
- The most common top-level domain used in phishing Web sites for this period was .com, accounting for 44 percent; the second most common top-level domain used by phishing Web sites was .cn, accounting for 23 percent.
- The most common government top-level domain used in phishing Web sites for this period was gov.br, which was used by Web sites that are registered to the government of Brazil, with 19 percent of the total.
- Symantec observed 87,963 phishing hosts worldwide this period, an increase of 167 percent from the 32,939 observed in the first half of the year.
- Sixty-three percent of all phishing hosts identified were in the United States, a much higher proportion than any other country.
- Three phishing toolkits were responsible for 26 percent of all phishing attacks observed by Symantec in the second half of 2007.

Spam Highlights

- Between July 1 and December 31, 2007, spam made up 71 percent of all email traffic monitored at the gateway, a 16 percent increase over the first six months of 2007, when 61 percent of email was classified as spam.
- Eighty percent of all spam detected during this period was composed in English, up from 60 percent in the previous reporting period.
- In the second half of 2007, 0.16 percent of all spam email contained malicious code, compared to 0.43 percent of spam that contained malicious code in the first half of 2007. This means that one out of every 617 spam messages blocked by Symantec Brightmail AntiSpam contained malicious code.
- Spam related to commercial products made up 27 percent of all spam during this period, the most of any category and an increase from 22 percent in the previous period.
- During the last six months of 2007, 42 percent of all spam detected worldwide originated in the United States, compared to 50 percent in the previous period.
- The United States hosted the most spam zombies of any country, with 10 percent of the worldwide total, representing no change from the first six months of 2007.
- In the second half of 2007, the daily average percentage of spam that was image spam was seven percent. This is down from a daily average of 27 percent during the first six months of 2007.

Attack Trends

This section of the Government Internet Security Threat Report will provide an analysis of attack activity, data breaches that could lead to identity theft, and the advertisement and trade of stolen information and services on underground economy servers that Symantec observed between July 1 and December 31, 2007. The malicious activity discussed in this section includes not only attack activity, but also phishing Web site hosts, malicious code, spam zombies, and command-and-control server activity. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activity can be found in their respective sections of this report.

This section will discuss the following metrics in greater depth, providing analysis and discussion of the trends indicated by the data:

- Malicious activity by country
- Malicious activity by country per broadband subscriber
- Malicious activity by critical infrastructure sectors
- Top countries of origin for government-targeted attacks
- Attacks by type: notable critical infrastructure sectors
- Data breaches that could lead to identity theft
- Underground economy servers
- Bot-infected computers
- Bot command-and-control servers
- Attacks: protection and mitigation

Malicious activity by country

This metric will assess the countries in which the largest amount of malicious activity takes place or originates. To determine this, Symantec has compiled geographic data on numerous malicious activities, namely: bot-infected computers, bot command-and-control servers, phishing Web site hosts, malicious code reports, spam zombies, and Internet attack origins. The rankings are determined by calculating the mean average of the proportion of these malicious activities that originated in each country.

Between July 1 and December 31, 2007, the United States was the top country for malicious activity, making up 31 percent of worldwide malicious activity (table 1). This represents a small change from the first half of 2007, when the United States was also first, with 30 percent. For each of the malicious activities in this metric, the United States ranked first by a large margin.

Table 1. Malicious activity by country (Source: Symantec Corporation)

Current  Previous  Country         Current  Previous  Bot   C&C     Phishing  Malicious  Spam     Attack
Rank     Rank                      %        %         Rank  Server  Host      Code       Zombies  Origin
                                                            Rank    Rank      Rank       Rank     Rank
1        1         United States   31%      30%       1     1       1         1          1        1
2        2         China           7%       10%       3     5       2         2          4        2
3        3         Germany         7%       7%        2     2       3         7          2        3
4        4         United Kingdom  4%       4%        9     6       7         3          12       5
5        7         Spain           4%       3%        4     19      15        9          9        4
6        5         France          4%       4%        8     13      6         11         7        6
7        6         Canada          3%       4%        13    3       5         4          35       7
8        8         Italy           3%       3%        5     10      11        10         6        8
9        12        Brazil          3%       2%        6     7       13        21         3        9
10       9         South Korea     2%       3%        15    4       9         14         13       10

Malicious activity usually affects computers that are connected to high-speed broadband Internet. Broadband connections provide larger bandwidth capacities than other connection types, and the connections are frequently continuous. The United States has the most established broadband infrastructure in the world: 94 percent of U.S. households have access to broadband connectivity. Furthermore, the 65.5 million broadband subscribers there represent over 20 percent of the world's total, the most of any country. As a result, it is not surprising that the U.S. is the site of the most malicious activity in the world.[1]

China had the second highest amount of worldwide malicious activity during the last six months of 2007, accounting for seven percent, a decrease from 10 percent in the previous reporting period. China ranked high in most of the contributing criteria, which is not surprising since China has the second highest number of broadband subscribers in the world, with 19 percent of the worldwide broadband total.[2] The main reason for China's percentage decrease was the large drop in bot-infected computers there in the second half of 2007. China dropped to third for bot-infected computers in the second half of 2007, with eight percent, a large decrease from the first half of 2007, when it had 29 percent and ranked first. This decrease is attributable to a significant reduction in the availability of many Web sites, forums, and blogs in China for several months during this period.[3] Dynamic sites such as forums and blogs are prime targets for attackers using bots to propagate and host malicious content. Symantec believes that, because of their scalability, bots are responsible for much of the malicious attack activity that is observed, and any serious reduction in the number of bots should result in a corresponding drop in total attack activity. This is also supported by the decrease in China of spam zombies, which are often associated with bot-infected computers. China dropped from third in spam zombies in the first half of 2007, with nine percent of the worldwide total, to fourth and six percent in the second half of 2007.

[1] http://www.point-topic.com
[2] http://www.point-topic.com
[3] http://www.msnbc.msn.com/id/21268635/

Another possible reason for the change in malicious activity originating in China this period was that China ranked second for hosting phishing Web sites, accounting for four percent of the worldwide total. This was a large increase from the previous reporting period, when it ranked eighteenth with one percent of the total. One possible cause for the increase may be the recent rise in phishing scams and fraudulent Web sites attempting to exploit the popularity of the upcoming 2008 Beijing Olympics.[4] Such activities will likely continue in the lead-up to the August 8, 2008 Olympics start date. Furthermore, the increase may have been influenced by the shutdown of the Russian Business Network (RBN) in November 2007 and its subsequent emergence in China, which may have a less well-established security infrastructure or security laws than Russia.[5] Russia dropped in rank for hosting phishing Web sites, from fifth in the previous period to eighth in this period. The RBN reputedly specializes in the distribution of malicious code, hosting malicious Web sites, and other malicious activities, including the development and sale of the MPack toolkit. The RBN has been credited with creating approximately half of the phishing incidents that occurred worldwide last year, and hosts Web sites that are responsible for a large amount of the world's Internet crime.[6]

In the last six months of 2007, Germany again ranked third, with seven percent of all Internet-wide malicious activity, the same percentage as in the first half of 2007. As with the previous reporting period, Germany ranked high in spam zombies, command-and-control servers, hosting phishing Web sites, and bot-infected computers. Factors that influence its high rank include a well-established Internet infrastructure and a high number of broadband subscribers, as Germany ranks in the top five countries for broadband subscribers in the world, with six percent of the total.[7]

It is reasonable to expect that the United States, Germany, and China will continue to rank as the top three countries for the highest amount of malicious activity since they also added the greatest number of broadband subscribers over the course of 2007: the United States added 4.2 million broadband subscribers, China added 6.8 million, and Germany added 2.4 million.[8]

On a global scale, the distribution of malicious activity seems to be relatively static, with the countries listed in the top 20 remaining unchanged from the first half of 2007. This follows a trend first noted in the Symantec Internet Security Threat Report Volume XII that a country that is established as a frequent source of malicious activity tends to remain so.[9] This is likely to remain the case until more effective measures such as increased filtering for malicious activity, securely coded applications, and more education for end users are taken to reduce the amount of originating malicious activity. Also, increased cooperation between government agencies, private sector ISPs and vendors, and law enforcement may help reduce the amount of malicious activity in countries.

[4] http://www.symantec.com/enterprise/security_response/weblog/2007/11/scam_related_to_the_2008_beiji.html and http://www.chinaeconomicreview.com/it/2007/10/10/man-convicted-of-fraud-for-phony-olympics-web-site/
[5] http://www.scmagazineus.com/is-this-the-end-of-the-russian-business-network/article/96289/ and http://www.pcworld.com/article/id,139465-page,1-c,privacysecurity/article.html
[6] http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/ar2007101202461_pf.html
[7] http://www.point-topic.com
[8] http://www.point-topic.com
[9] http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_09_2007.en-us.pdf, p. 31

Having a higher proportion of malicious activity indicates that each computer in the country is more likely to be involved in some form of attack activity. Symantec has observed previously that compromised computers often target computers within their own region or country. 10 As a result, countries with higher proportions of malicious activity are more likely to suffer the effects of that activity, including on computers in the government sector and in the other sectors that make up critical infrastructure. Furthermore, as discussed in the Underground economy servers metric, Symantec has observed that attackers may be more motivated by profit from their activities. Many of the malicious activities reported in this metric can be made profitable using the sensitive personal, financial, and proprietary information often gained from these attacks. As a result, attacks and malicious activity are likely to remain prominent within a country for as long as they remain profitable.

Malicious activity by country per broadband subscriber

In addition to assessing the top countries by malicious activity, Symantec also evaluates malicious activity in the top 25 countries according to the number of broadband subscribers located there. Symantec has observed that malicious activity most often affects computers with high-speed broadband Internet connections through large ISPs, and that malicious activity often increases in correlation with the expansion of broadband infrastructure. Rapidly expanding ISPs may focus their resources on meeting growing broadband demand at the expense of implementing adequate security measures, such as port blocking and ingress and egress filtering, 11 resulting in security infrastructures and practices that are insufficient for their needs. Also, new broadband subscribers may not be aware of the security measures necessary to protect themselves from attacks.

Measurement of this metric has changed from previous reports, in which Symantec assessed malicious activity by country per Internet user. The change gives a more precise view of malicious activity, because broadband subscribers are more likely to be the major contributors to it. To determine the top countries by this measure, Symantec divided the amount of malicious activity originating in each of the top 25 countries by the number of broadband subscribers located in that country. The percentage assigned to each country in this discussion thus represents the percentage of malicious activity that could be attributed to broadband subscribers in that country. This is intended to remove the inherent bias toward countries with high numbers of broadband subscribers that affects the Malicious activity by country metric. During the last six months of 2007, Peru had the most malicious activity per broadband subscriber, with nine percent (table 2). In other words, for attacks occurring in the top 25 countries averaged out by broadband subscriber per country, there is a nine percent probability that the attack came from a broadband subscriber in Peru. Peru did not rank in the top 25 countries for malicious activity in the first half of 2007 and, thus, was not ranked in the previous period for malicious activity by country per broadband subscriber.

10 http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_gov_09_2007.en-us.pdf : p. 10
11 Ingress traffic refers to traffic that is coming into a network from the Internet or another network. Egress traffic refers to traffic that is leaving a network, bound for the Internet or another network.
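As an added illustration of the normalization just described (example code, not from the report or from Symantec), the following Python computes each country's share of the summed per-subscriber rates and ranks it beside the raw, un-normalized share, so the bias the metric is meant to remove is visible. The country names are the ones in Table 2, but the event counts, subscriber figures and previous ranks are constructed.

```python
"""Malicious activity per broadband subscriber: normalise, rank, compare.

Added example; not code from the report or from Symantec. Country names are
those in Table 2, but the event counts and subscriber figures are constructed.
"""
from __future__ import annotations

# Constructed sample input: country -> (malicious events attributed to that
# country in the period, broadband subscribers in that country).
SAMPLE = {
    "Peru":          (   90_000,    500_000),
    "United States": (8_400_000, 70_000_000),
    "Poland":        (  300_000,  2_800_000),
    "Argentina":     (  180_000,  1_800_000),
    "Sweden":        (   60_000,  2_500_000),
}

# Previous-period ranks, also constructed; a country absent here was unranked.
PREVIOUS_RANK = {"United States": 5, "Poland": 3, "Argentina": 6, "Sweden": 14}


def raw_share(data):
    """Share of all events by country: the un-normalised 'malicious activity
    by country' view, which favours countries with many subscribers."""
    total = sum(events for events, _ in data.values())
    return {c: events / total for c, (events, _) in data.items()}


def per_subscriber_share(data):
    """Share of the summed per-subscriber rates: the report's 'percentage of
    malicious activity that could be attributed to broadband subscribers in
    that country'. Countries with no subscriber figure are skipped rather than
    dividing by zero."""
    rates = {c: events / subs for c, (events, subs) in data.items() if subs > 0}
    total = sum(rates.values())
    return {c: rate / total for c, rate in rates.items()}


def rank(shares):
    """Countries ordered by descending share; ties broken alphabetically."""
    return [c for c, _ in sorted(shares.items(), key=lambda kv: (-kv[1], kv[0]))]


def ranking_table(data, previous_rank):
    """Rows shaped like Table 2: (rank, previous rank, country, current %)."""
    shares = per_subscriber_share(data)
    return [(pos, previous_rank.get(country, "N/A"), country, round(100 * shares[country]))
            for pos, country in enumerate(rank(shares), start=1)]


if __name__ == "__main__":
    print("raw ranking:           ", rank(raw_share(SAMPLE)))
    print("per-subscriber ranking:", rank(per_subscriber_share(SAMPLE)))
    for row in ranking_table(SAMPLE, PREVIOUS_RANK):
        print(*row)
```

With the constructed figures the United States dominates the raw share (over 90 percent of events) but drops to second once each country's activity is divided by its subscriber base, and Peru moves to first, which is the effect the report describes.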

Table 2. Malicious activity by country per broadband subscriber (Source: Symantec Corporation)

Current rank  Previous rank  Country/Region  Current percentage  Previous percentage
1             N/A            Peru            9%                  N/A
2             5              United States   7%                  6%
3             3              Poland          6%                  7%
4             6              Argentina       6%                  6%
5             2              Israel          6%                  8%
6             4              India           5%                  7%
7             8              Taiwan          5%                  5%
8             N/A            Chile           5%                  N/A
9             7              Canada          5%                  5%
10            14             Sweden          4%                  3%

Peru ranked high in bot-infected computers, spam zombies, and command-and-control servers, all of which are often associated with bot networks (botnets). In fact, the number of bot-infected computers in Peru increased by 261 percent from the first half of 2007. Also, ISPs in Peru may not be adequately performing ingress and egress filtering on their network traffic, nor implementing security controls that would inhibit this type of activity. Peru's major ISP, Telefónica del Peru, dominates with 99 percent of broadband subscribers in the country. 12 Its parent company, Telefónica, is headquartered in Spain and ranked third for malicious activity identified on computers registered to ISPs in the second half of 2007. Most Internet users in Peru do not own their own computer: 80 percent use cabinas públicas, public Internet booths located in virtually every city and small town in the country, most of which have broadband connections. 13 Security programs on these public computers, such as antivirus software, may not be adequately maintained, especially since maintenance could make them inaccessible to paying customers, resulting in a loss of profit. As such, these computers may be more vulnerable to malicious activity.

Also, since the computers are frequently shared by large numbers of people for a wide variety of purposes, such as email, banking, and gaming, criminals wanting to gain access to customers' personal information may take advantage of these high-traffic locations to compromise the computers and track customers' activities by installing malicious code, such as keystroke loggers. It is also possible that users on shared public computers are not taking sufficient precautions, such as not opening email attachments or not visiting insecure Web sites. The United States ranked second in malicious activity per broadband subscriber, accounting for seven percent of the worldwide total. In the first half of 2007, the United States ranked fifth in this category, with six percent. Although its rise from fifth to second can be attributed to the change in ranking of other countries in this metric, factors that may contribute to its high rank include that the United States had the fourth highest number of hours spent online per unique Internet user, 14 and that broadband penetration increased to 86 percent among active Internet users in the second half of 2007. 15

12 http://www.point-topic.com
13 http://globaltechforum.eiu.com/index.asp?layout=rich_story&doc_id=9031&categoryid=&channelid=&search=alliance
14 http://www.websiteoptimization.com/bw/0703/
15 http://www.websiteoptimization.com/bw/0712/
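The ISP-side controls mentioned above and in the Peru discussion (port blocking, ingress and egress filtering) are easier to reason about when written out as a policy. The following is an added example, not from the report, of a toy edge-filter policy evaluated over constructed flow records: the ISP's customer prefix, its mail relay address, the set of blocked ports and the sample flows are all assumptions chosen for illustration. In production the same policy would live in router ACLs or a firewall ruleset, not in Python.

```python
"""Toy ISP edge filter: ingress/egress anti-spoofing plus outbound port blocking.

Added example, not from the report. Prefixes, ports and flows are constructed
(RFC 5737 documentation ranges); a real deployment expresses the same policy
in router ACLs or a firewall, not in Python.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed address plan of the hypothetical ISP.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # residential subscriber pool
ISP_MAIL_RELAY = ipaddress.ip_address("198.51.100.25")     # the ISP's own SMTP relay
# Inbound ports a residential ISP commonly blocks at the edge: NetBIOS/SMB,
# the usual spreading vector for worms and bots on unpatched Windows hosts.
BLOCKED_INBOUND_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" (Internet -> customers) or "out" (customers -> Internet)
    src: str
    dst: str
    proto: str
    dport: int


def decide(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Ingress is traffic entering the ISP network,
    egress is traffic leaving it, as in footnote 11 of the report."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if flow.direction == "in":
        # Ingress anti-spoofing: a packet arriving from the Internet can never
        # legitimately carry one of our own customer addresses as its source.
        if src in CUSTOMER_PREFIX:
            return "drop", "ingress spoof: external packet claims internal source"
        if flow.proto == "tcp" and flow.dport in BLOCKED_INBOUND_PORTS:
            return "drop", f"port block: inbound tcp/{flow.dport}"
        return "accept", "ingress ok"
    if flow.direction == "out":
        # Egress anti-spoofing (BCP 38): only our own prefix may leave our network,
        # which stops customers' bots from sourcing spoofed DoS traffic.
        if src not in CUSTOMER_PREFIX:
            return "drop", "egress spoof: source outside customer prefix"
        # Outbound port 25 from residential hosts may go only to the ISP relay;
        # a spam zombie trying to deliver mail directly to remote MXs stops here.
        if flow.proto == "tcp" and flow.dport == 25 and dst != ISP_MAIL_RELAY:
            return "drop", "port block: direct outbound smtp"
        return "accept", "egress ok"
    raise ValueError(f"unknown direction {flow.direction!r}")


# Constructed sample flows, one per case the policy handles.
SAMPLE_FLOWS = [
    Flow("out", "203.0.113.10", "192.0.2.80",    "tcp", 443),  # ordinary web browsing
    Flow("out", "203.0.113.10", "192.0.2.25",    "tcp", 25),   # spam zombie -> remote MX
    Flow("out", "203.0.113.10", "198.51.100.25", "tcp", 25),   # mail via the ISP relay
    Flow("out", "192.0.2.99",   "192.0.2.80",    "udp", 53),   # spoofed source address
    Flow("in",  "203.0.113.77", "203.0.113.10",  "tcp", 80),   # internal source from outside
    Flow("in",  "192.0.2.5",    "203.0.113.10",  "tcp", 445),  # SMB scan from the Internet
    Flow("in",  "192.0.2.5",    "203.0.113.10",  "tcp", 443),  # inbound tcp/443, allowed
]


def apply_policy(flows):
    """Evaluate every flow; returns [(flow, verdict, reason), ...]."""
    return [(f, *decide(f)) for f in flows]


def summary(flows):
    """Count verdicts over a flow list, e.g. {'accept': 3, 'drop': 4}."""
    counts = {}
    for _, verdict, _ in apply_policy(flows):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f, verdict, why in apply_policy(SAMPLE_FLOWS):
        print(f"{f.direction:>3} {f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<4} {verdict:6} {why}")
    print(summary(SAMPLE_FLOWS))
```

The two spoof checks are the ingress and egress filtering the report says rapidly growing ISPs tend to skip; the tcp/25 rule is the port blocking that directly reduces a country's spam-zombie count, because an infected subscriber can no longer reach foreign mail servers.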

Poland ranked third for this period, accounting for six percent of malicious activity per broadband subscriber. It also ranked third in the first half of the year, with seven percent. The prominence of Poland in this metric is due to its high ranking in the number of bot-infected computers, which increased 91 percent in Poland from the first half of 2007. One reason for Poland's position may be the recent rapid growth in broadband connectivity. Poland experienced a large increase in broadband subscribers in 2006, a growth of 56 percent from the previous year, 16 as well as rapid growth in the number of broadband lines. 17 As noted, the rapid growth of broadband availability in a country often comes at a cost to security measures if companies become more focused on obtaining clients than on securing their networks. 18 Another reason may be the Internet landscape in Poland. For one thing, the former state monopoly carrier, Telekomunikacja Polska S.A. (TP SA), is the major ISP in Poland, with a 61 percent share of broadband subscribers. 19 In the second half of 2007, it ranked sixth for malicious activity identified on ISPs globally. Along with its growth in broadband infrastructure, Poland also introduced measures to stimulate competition, 20 including the removal of international trade restrictions and local loop unbundling of the telecommunications sector. 21 To compete with TP SA, smaller ISPs have offered special deals at lower prices to increase their market share. One of Poland's alternative operators, Netia, recently offered 1 PLN (approx. $0.40 USD) subscription packages, which facilitated Netia's 28 percent broadband subscriber growth from the first half of 2007. 22 Another carrier, Tele2, offered free Internet connectivity for 15 months with the signing of a three-year contract. 23 These smaller ISPs may be more focused on increasing their market share and maximizing profits, by promoting cheap high-speed connections, than on maintaining the security measures more commonly seen at major ISPs, such as network traffic filtering. As well, customers may not be inclined to purchase extra services that include premium computer security when subscribing to a relatively inexpensive product.

Malicious activity by critical infrastructure sectors

This metric evaluates the amount of malicious activity originating from computers and networks that are known to belong to government and critical infrastructure sectors. Symantec cross-references the IP addresses of known malicious computers with the Standard Industrial Classification (SIC) codes 24 assigned to each industry, as provided by a third-party service. 25 Symantec has compiled data on numerous malicious activities detected originating from the IP address space of these organizations. These activities include bot-infected computers, hosting of phishing Web sites, spam zombies, and attack origins. This metric is significant because it indicates the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. These attacks could potentially expose sensitive information, which could have serious ramifications for government and critical infrastructure organizations. Such information could be used for strategic purposes in the case of state- or group-sponsored attacks, especially since attackers who use compromised computers for malicious activity can mask their actual location. For instance, it was recently reported that each month approximately 500,000 attacks are attempted against Kazakhstan's state information networks. 26

In the last six months of 2007, 95 percent of all malicious activity originating from critical infrastructure sectors originated from telecommunications organizations (table 3). This was an increase from the first half of 2007, when telecommunications accounted for 90 percent of the total. For each of the malicious activities in this metric, telecommunications ranked first by a significant margin.

Table 3. Malicious activity by critical infrastructure sector (Source: Symantec Corporation)

Current rank  Previous rank  Sector                  Current percentage  Previous percentage
1             1              Telecommunications      95%                 90%
2             2              Manufacturing           2%                  7%
3             3              Financial services      1%                  1%
4             4              Health care             <1%                 1%
5             7              Transportation          <1%                 <1%
6             6              Utilities/energy        <1%                 <1%
7             5              Military                <1%                 <1%
8             10             Agriculture             <1%                 <1%
9             9              Biotech/pharmaceutical  <1%                 <1%
10            11             Law enforcement         <1%                 <1%

There are several reasons why attackers may target computers in the telecommunications sector. These organizations, which include ISPs and Web hosting companies, are likely to have a large number of Internet-facing computers. For example, call centers often use a large number of computers to interact with customers; the challenges of managing such computers may contribute to the extremely high proportion of malicious activity originating from this sector. As a consequence, computers in telecommunications organizations likely represent fertile targets for attackers. Attackers may also view telecommunications organizations as excellent platforms for launching subsequent attacks, as organizations within this sector are likely to have high-bandwidth and high-traffic networks. This would enable an attacker to carry out large attacks, such as denial-of-service (DoS) attacks, or other malicious activity, such as spam hosting. This is illustrated by the high percentage of spam zombies found in the telecommunications sector. High-bandwidth networks may also allow an attacker to hide attack and bot traffic more effectively. During the current reporting period, 94 percent of attacks and 96 percent of bot-infected computers were situated on the networks of telecommunications organizations. Also, Symantec observed that 73 percent of attacks against the telecommunications sector were shellcode exploits, 27 which may indicate that attackers are attempting to take control of computers in this sector and use them to conduct malicious activity.

16 http://www.point-topic.com
17 http://point-topic.com/
18 http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xii_gov_09_2007.en-us.pdf : p. 32
19 http://www.point-topic.com
20 http://globaltechforum.eiu.com/index.asp?layout=rich_story&doc_id=8939&country_id=pl&title=poland+telecoms%3a+infrastructure+and+investment&channelid=4&categoryid=29&country=poland
21 Local loop unbundling is the process of allowing multiple telecommunications operators the use of connections from the telephone exchange to the subscriber's premises (local loops). This process provides more equal competitive access to the local loops. For more information, see http://www.oecd.org/document/22/0,3343,en_2649_201185_25596246_1_1_1_1,00.html
22 http://www.itandtelecompoland.com/next.php?id=52549
23 http://www.itandtelecompoland.com/next.php?id=51801
24 SIC codes are the standard industry codes used by the United States Securities and Exchange Commission to identify organizations belonging to each industry. For more on this, please see http://www.sec.gov
25 http://www.digitalenvoy.net
26 http://www.crime-research.org/analytics/cybercrimes3078/
27 Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability.
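As an added example of the cross-referencing this metric relies on (example code, not Symantec's), the following Python attributes constructed events to sectors by longest-prefix match against a constructed prefix-to-organization table that stands in for the third-party SIC lookup, then tallies the per-sector share the way Table 3 presents it. The organization names, SIC codes, prefixes and events are all invented; the one thing worth noting is that an address the table does not cover is counted as unattributed rather than silently inflating a sector.

```python
"""Attribute malicious-activity events to critical infrastructure sectors.

Added example; not Symantec's code. The report cross-references attacker IP
addresses with SIC codes from a third-party service; here a constructed
prefix table stands in for that service, and the events are invented.
"""
from __future__ import annotations
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for the IP -> organisation/SIC mapping. Organisation
# names and SIC codes are assumed for illustration only (RFC 5737 test ranges).
PREFIX_TABLE = [
    ("192.0.2.0/25",     "Example Telecom",  "4813", "Telecommunications"),
    ("192.0.2.128/25",   "Example Hosting",  "7370", "Telecommunications"),
    ("198.51.100.0/26",  "Example Motors",   "3711", "Manufacturing"),
    ("198.51.100.64/26", "Example Bank",     "6021", "Financial services"),
    ("203.0.113.0/24",   "Example Hospital", "8062", "Health care"),
]

# Most-specific prefix first, so the first hit is the longest-prefix match.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), org, sic, sector) for p, org, sic, sector in PREFIX_TABLE),
    key=lambda row: row[0].prefixlen,
    reverse=True,
)


def lookup(ip):
    """Longest-prefix match of one address; None when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, org, sic, sector in NETWORKS:
        if addr in net:
            return {"org": org, "sic": sic, "sector": sector}
    return None


# Constructed events: (activity type, source IP), using the activity kinds the
# metric counts: bot-infected computers, phishing hosts, spam zombies, attacks.
EVENTS = [
    ("bot", "192.0.2.10"), ("bot", "192.0.2.11"), ("bot", "192.0.2.200"),
    ("spam_zombie", "192.0.2.12"), ("spam_zombie", "192.0.2.201"),
    ("attack", "192.0.2.13"), ("attack", "198.51.100.5"),
    ("phishing_host", "192.0.2.202"), ("phishing_host", "198.51.100.70"),
    ("bot", "203.0.113.9"),
    ("attack", "10.0.0.5"),      # no table entry: counted as unattributed
]


def attribute(events):
    """Return (events per sector, events per activity per sector, unattributed)."""
    by_sector = Counter()
    by_activity = defaultdict(Counter)
    unattributed = 0
    for activity, ip in events:
        hit = lookup(ip)
        if hit is None:
            unattributed += 1          # unknown address space never inflates a sector
            continue
        by_sector[hit["sector"]] += 1
        by_activity[activity][hit["sector"]] += 1
    return by_sector, by_activity, unattributed


def sector_share(events):
    """Sector -> percentage of attributed events, as Table 3 presents it."""
    by_sector, _, _ = attribute(events)
    total = sum(by_sector.values())
    return {sector: round(100 * n / total, 1) for sector, n in by_sector.items()}


if __name__ == "__main__":
    by_sector, by_activity, skipped = attribute(EVENTS)
    for sector, pct in sorted(sector_share(EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{sector:<22} {pct:5.1f}%  ({by_sector[sector]} events)")
    print("unattributed:", skipped)
```

The per-activity breakdown is what lets the report say, for instance, that 96 percent of bot-infected computers sat in telecommunications address space: it is the same attribution, grouped by activity type before the percentage is taken.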

Since telecommunications organizations typically control the flow of data through networks, attackers may compromise strategically located computers inside organizations within the industry. This is important because government organizations, such as the military, rely on the telecommunications sector for their day-to-day communications and command-and-control systems. Computers within telecommunications organizations may effectively serve as platforms from which to launch attacks against the organizations those firms serve, since they provide communications for other sectors as well, including government. As such, attackers who are seeking confidential or sensitive information may specifically target this sector. Successful compromise of computers in the telecommunications sector could allow an attacker to eavesdrop on or disrupt key communications in other sectors. Finally, attackers using compromised computers within telecommunications organizations could deny authorized personnel access to confidential communications, allowing the attacker to impose his or her own command, control, and communication processes on the compromised systems. This could result in the loss of situational awareness. Were such an attack to be state- or group-sponsored, access to critical infrastructures could be used to disable key services as a prelude to a larger event or attack.

The manufacturing sector was the origin of the second highest amount of malicious activity during the last half of 2007, accounting for two percent of the total. This was a decrease from the first half of 2007, when it accounted for seven percent of the total. The manufacturing sector is highly competitive, with organizations investing large amounts of time and money in research and development of new methods and products, as well as using the Internet to sell their products online. The importance of implementing effective security measures to prevent industrial espionage and data leakage has become a major issue for many organizations in this sector, as these issues can result in the loss of intellectual property and, in turn, financial loss. The main reason for the drop in percentage was the large decrease in phishing Web sites hosted, from 22 percent in the first half of 2007 to four percent in this reporting period. This decrease is due to the proportional increase in phishing Web site hosts in the telecommunications sector, which rose from 77 percent in the first half of 2007 to 90 percent in the second half of 2007. Because attackers can more easily hide their traffic on high-bandwidth networks, they may be targeting the larger number of servers in the telecommunications sector.

The financial services sector ranked third for malicious activity within critical infrastructure sectors, accounting for one percent of the total detected during this period. Financial services also ranked third in the first half of 2007, also with one percent of malicious activity. Computers in the financial services sector may represent a lucrative opportunity for attackers with profit motives. This sector's share of phishing Web site hosts increased from one percent in the first half of 2007 to three percent in the second half of 2007. Attackers are likely using financial services servers to host phishing Web sites because this adds legitimacy to their phishing sites and can more easily fool consumers.

Top countries of origin for government-targeted attacks

Attacks targeting governments are largely driven by criminal intent and political motivation. Governments store considerable amounts of personal identification data that could be used for fraudulent purposes, such as identity theft, which could be exploited for profit (as discussed in the Data breaches that could lead to identity theft section of this report). Government databases also store sensitive information that could facilitate politically motivated attacks, including critical infrastructure information, sensitive but unclassified information, or other intelligence. Attacks targeting government organizations may serve as a means of expressing disagreement with policies and programs that the government has developed and implemented. These attacks may result in the disruption of critical services, as with DoS attacks, or the exposure of highly sensitive information. An attack that disrupts the availability of a high-profile government organization's Web site, such as the DoS attacks on Estonia in 2007, 28 will get much wider notice than one that takes a single user offline. In addition, attacks may also be motivated by espionage and attempts to steal classified government information.

In the second half of 2007, the top country of origin for attacks that targeted the government sector was the United States, which accounted for 21 percent of the total (table 4), an increase from 19 percent in the first half of 2007. The percentage of attacks against government organizations that originated in the United States was lower than the percentage of Internet-wide attacks originating there, which was 24 percent of the total in the last half of 2007. This may indicate that attacks originating from within the United States were not specifically targeting the government sector.

Table 4. Top countries/regions of origin for government-targeted attacks (Source: Symantec Corporation)

Current rank  Previous rank  Country/Region  Current percentage  Previous percentage
1             1              United States   21%                 19%
2             2              Spain           11%                 14%
3             6              China           8%                  6%
4             13             South Korea     7%                  2%
5             3              France          7%                  10%
6             4              Germany         7%                  9%
7             5              Italy           6%                  7%
8             7              United Kingdom  4%                  4%
9             8              Canada          4%                  3%
10            12             Taiwan          3%                  2%

28 http://www.infoworld.com/article/08/01/24/student-fined-for-attack-against-estonian-web-site_1.html

Spain accounted for 11 percent of attacks targeting government in the last half of 2007, a decrease from 14 percent in the first half of 2007. This percentage was five percentage points higher than the percentage of worldwide attacks originating there, which indicates that a large number of attacks originating in Spain are targeting the government sector. There are a number of factors that likely contribute to this. Spain ranked high in bot-infected computers and in originating attacks worldwide, so the share of its attacks aimed at government in excess of that baseline may indicate politically motivated attacks against government organizations. Such attacks are likely to be carried out for a variety of reasons, including blocking access to government Internet-based resources, gaining access to potentially sensitive information, and discrediting the government itself. In the case of Spain, the current political climate may contribute to the high number of attacks targeting the government. Spain is holding general elections in March 2008, and there have been protests against the current government, which is seeking re-election. The protests have come from groups who are in favor of traditional family views and are against controversial legislation introduced by the current government. 29 Many young voters are also dissatisfied with the low wages and job opportunities available in the country. 30 Also, ongoing government negotiations with the Basque separatist organization, Euskadi Ta Askatasuna (ETA), have met with widespread opposition among the population in Spain, who accuse the government of easing up on ETA. 31 Supporters of ETA have held demonstrations protesting judicial orders to dissolve a Basque-affiliated political wing as well as the government's ban of Basque political parties from the federal government. 32 These political issues may contribute to the motivation of attackers targeting Spanish government organizations.

China accounted for eight percent of attacks targeting government organizations, two percentage points less than the ten percent of worldwide attacks that originate there. The small difference indicates that attacks originating from China are not specifically targeting the government sector, but are part of worldwide attacks in general. China's increase in rank to third for this period from sixth in the previous period may be attributable to attacks originating in China that were reputed to be specifically targeting foreign governments, including the United States, the United Kingdom, Germany, and France. Chinese hackers are suspected of compromising the servers of high-security government networks, such as the Pentagon in the United States, the office of the Chancellor of Germany, and French government systems. 33,34,35,36

29 http://www.abc.net.au/news/stories/2007/12/31/2129362.htm
30 http://www.iht.com/articles/reuters/2007/12/30/europe/oukwd-uk-spain-catholics.php
31 http://www.nytimes.com/2007/06/09/world/europe/09eta.html?_r=1&oref=slogin
32 http://www.haaba.com/news/2008/01/26/7-81815/thousands-protest-ruling-against-basque-politicians-tv.html
33 http://www.ft.com/cms/s/0/9dba9ba2-5a3b-11dc-9bcd-0000779fd2ac.html?nclick_check=1
34 http://www.vnunet.com/vnunet/news/2198370/france-joins-chinese-hacking
35 http://www.securityfocus.com/brief/577
36 http://www.securityfocus.com/brief/588

Attacks by type: notable critical infrastructure sectors

This section of the Government Internet Security Threat Report focuses on the types of attacks detected by sensors deployed in notable critical infrastructure sectors. The ability to identify attacks by type assists security administrators in evaluating which assets may be targeted, and so in securing those assets that receive a disproportionate number of attacks. The following sectors will be discussed in detail:

Government and critical infrastructure organizations
Government
Biotech/pharmaceutical
Health care
Financial services
Transportation

Government and critical infrastructure organizations

Government and critical infrastructure organizations are the target of a wide variety of attack types. The most common attack type seen by all sensors in the government and critical infrastructure sectors in the last six months of 2007 was DoS attacks, which accounted for 46 percent of the top 10 attacks (figure 1).

Figure 1. Top attack types, government and critical infrastructure 37 (Source: Symantec Corporation)
DoS 46%; SMTP (email) 38%; Backscatter 12%; Shellcode/exploit 5%

37 Due to rounding, percentages may not add up to 100 percent.