Modular Code and Bot Nets Target Enterprises

Symantec’s biannual Internet Security Threat Report highlights the degree to which computer systems attackers now rely on modular code. Although the number of new vulnerabilities is beginning to level off, the number of malware variants is increasing. “It’s easier and more affordable for attackers to modify existing code” than it is to create new code, says Dean Turner, the report’s executive editor.

Previously, most malware was all-in-one: it would exploit a vulnerability, infect a user’s PC, take action (such as harvesting information), then replicate itself. Today, however, malware writers are creating smaller, discrete pieces of code they use just to get to a user’s computer. Once there, the modular code “phones home” to retrieve additional malicious code from the Internet.

Perhaps counterintuitively, Symantec considers the increase in variants of this more modular code a more serious problem than an increase in discrete types of malware would be. “Variants produce a greater risk because variants can be produced more quickly, and perhaps not be detected,” says Turner. New variants may refine the attack, introducing greater functionality and evading previous detection methods. “They’re posing a greater threat now than they ever had before.”

A second key finding of the report is the degree to which bot networks—composed of compromised or “zombie” PCs criminals use to launch large-scale spam or denial-of-service attacks—are growing. For the first six months of 2005, bots accounted for 14 percent of Symantec’s top-50 list of the most malicious code.

According to the report, “Symantec observed an average of 10,352 active bot network computers per day, an increase of more than 140 percent from the previous reporting period’s 4,348 bot computers.” Not coincidentally, an average of 927 denial-of-service attacks per day were found, up from 119 per day six months before. “The most frequently targeted industry was education, followed by small business and financial services.”

Just how many discrete bot networks are there? It’s hard to say, Turner says, “because the number of computers comes on and off the network.” Overall, “there have been estimates by some organizations that there are anywhere between a million and two million bot network computers at any one time.” Attackers also offer their bot services to others. Researchers found “bot networks as large as 150,000 hosts were available for rent,” he says.