September 17, 2007 08:00 ET

IBM Report: Stealthy, Targeted Online Attacks Continue to Grow in 2007

Exploit Leasing Surfaces From Underground, Trojans Become Most Popular Malware

ARMONK, NY--(Marketwire - September 17, 2007) - IBM (NYSE: IBM) today reported an increase in malware volume and sophistication, the rise of exploit leasing and a lower number of vulnerability disclosures versus the first half of 2006 as part of its security statistics report for the first half of 2007. So far for the year, the IBM Internet Security Systems (ISS) X-Force® research and development team has identified and analyzed more than 210,000 new malware samples, already exceeding the total number of malware samples observed over the entirety of 2006.

X-Force uncovers in the report that the "exploits as a service" industry continues to thrive in 2007. The 2006 X-Force report indicated that managed exploit providers had begun to purchase exploit code from the underground, encrypt it so that it could not be pirated, and then sell it for top dollar to spam distributors. In 2007, these exploit providers have added the new practice of "exploit leasing" to their repertoire. By leasing an exploit, attackers can now test exploitation techniques with a smaller initial investment, making this underground market an even more attractive option for malicious perpetrators.

According to the report, Trojans (seemingly legitimate files that are actually malware) comprise the most voluminous category of malware so far in 2007, accounting for 28 percent of all malware, in contrast to 2006 when Downloaders was the most common category. A Downloader is a low-profile piece of malware that installs itself so that it can later download and install a more sophisticated malware agent.

"The X-Force security statistics report for 2006 predicted a continued rise in the sophistication of targeted, profit-motivated cyber attacks," said Kris Lamb, director of X-Force for IBM Internet Security Systems. "This directly correlates to the rise in popularity of Trojans that we are witnessing this year, as Trojans are often used by attackers to launch sustained, targeted attacks."

The use of Web exploit obfuscation continues to rise in 2007 in an attempt to make it difficult for signature-based intrusion detection and prevention products to detect attacks. In 2006, X-Force data reported that approximately 50 percent of Web sites hosting exploit material designed to infect browsers were obfuscating, or camouflaging, their attack. In the first half of 2007, that number reached 80 percent.

Counter to historical trends, X-Force reports a slight decrease in the overall number of vulnerabilities uncovered in the first half of 2007 versus the first half of 2006. A total of 3,273 vulnerabilities were identified in the first half of this year, marking a decrease of 3.3 percent compared to the first half of 2006. This is the first time that vulnerability disclosure numbers have decreased in the first half of the year in the history of the X-Force vulnerability database, which was developed in 1997. However, the percentage of high impact vulnerabilities has gone up since 2006 from 16 percent to 21 percent for the first half of 2007.

X-Force points to several trends to explain the decrease in vulnerability disclosures in the first half of 2007 versus the exponential vulnerability growth trends observed in previous years. First, as the monetization of vulnerabilities and exploits has gained attention and maturation in the underground marketplace, a larger percentage of vulnerabilities are remaining undisclosed and are instead being used covertly for monetary and criminal gain.

Second, the increased use of fuzzing by vulnerability researchers over the last two years has uncovered many of the easier to find vulnerabilities. Fuzzing is a testing technique through which random data is supplied to a software program to try to get it to fail and therefore detect vulnerabilities. "As more technologies and software get exposed to fuzzing and automated bug finding tools, the industry begins to reach a saturation point in the discovery of these types of vulnerabilities, ultimately contributing to the decrease in overall vulnerability disclosures," said Lamb.

Finally, the number of common coding mistakes and bugs is decreasing as a result of software and technology vendors adopting more secure software development lifecycles and more prudent secure coding practices.

A similarly unexpected trend in this report is that, for the first time, spam message size decreased instead of continuing on a linear growth pattern. This decrease corresponds with a decrease in image-based spam. Since mid-2005, image-based spam has been one of the biggest anti-spam challenges, but in the first half of 2007, the percentage of image-based spam declined to the level of mid-2006, at just over 30 percent. At the end of 2006, image-based spam accounted for more than 40 percent of spam messages.

"The decrease in spam message size and image-based spam is a result of spammers adopting and experimenting with newer techniques, such as PDF- and Excel-based spam, as a means to more successfully evade detection by anti-spam technologies," said Lamb.

The X-Force has been cataloguing, analyzing and researching vulnerability disclosures since 1997. With more than 33,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure. In addition to the vulnerabilities catalogued in its X-Force database, IBM ISS content filtering services are designed to provide a world-encompassing view of spam and phishing attacks. With millions of e-mail addresses actively monitored, ISS has identified numerous advances in the spam and phishing technologies used by online attackers.

The X-Force report also discusses the following key security statistics for the first half of 2007, among others:

--  January has so far been the busiest month of the year for
    vulnerabilities, with 600 disclosures.
--  Spain has taken South Korea's place as the highest source of phishing
    e-mails, accounting for 17.9 percent of the worldwide volume.
--  The percentage of vulnerabilities that can be exploited remotely has
    grown in the first half of 2007 to 90 percent versus 88 percent in 2006.
--  The percentage of vulnerabilities that allow an attacker to gain
    access to the host after successful exploitation has also risen slightly to
    51.6 percent from 50.6 percent in 2006.
--  Currently, about 10 percent of the Internet consists of unwanted
    content such as pornography, crime, adult or socially deviant material.

For the remainder of 2007 and into 2008, X-Force expects to observe a lack of exponential growth in vulnerabilities disclosed, the continued growth of targeted and boutique malware such as Trojans and a continued rise in obfuscation techniques for Web-based threats.

For more security trends and predictions from IBM, including graphical representations of security statistics, please access the full "Cyber Attacks on the Rise: IBM X-Force 2007 Midyear Report" at:

About IBM Internet Security Systems

IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing preemptive protection for networks, desktops and servers. An established leader in security since 1994, Internet Security Systems' Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team -- the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at or call 800-776-2362.

Internet Security Systems is a trademark and Proventia and X-Force are registered trademarks of International Business Machines Corporation in the United States, other countries, or both. All other companies and products mentioned are trademarks and property of their respective owners.

Contact Information