Symantec: spam, phishing grow, botnets shrink in '04

A new report released by security company Symantec found that incidents of online identity theft scams, also known as "phishing attacks," skyrocketed in the second half of 2004, as did spam and new software vulnerabilities. But other Internet blights, such as zombie networks of compromised computers, or "bots," actually declined.

The number of phishing e-mail messages intercepted by Symantec grew 300 percent since June 2004, while spam e-mail traffic intercepted by Symantec increased by 77 percent and reports of serious software vulnerabilities grew by 13 percent, according to the Symantec Internet Security Threat Report. Online fraud may be driving many of the trends, as attackers turn to strategies that are useful for identity theft and other online scams, said Alfred Huger, senior director of engineering at Symantec Security Response.

The Symantec Internet Security Threat Report is a semi-annual report that brings together data from Symantec's global DeepSight network, customer networks and networks of decoy servers and e-mail accounts that the company maintains.

Symantec anti-fraud filters blocked 33 million phishing e-mail messages each week by the end of the year, compared with just 9 million a week in mid July. The problem is not likely to abate, as online criminals get more sophisticated about spoofing legitimate e-mail traffic, the report said.

Phishing scams use spam to direct Internet users to Web sites that are controlled by thieves, but designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, bank account information or a credit card number, often under the guise of updating an account.

The growth is part of a larger trend in fraud-related e-mail, said Huger. "We're seeing a financial motive behind the creation of malware," he said.

In all, Symantec noted a 64 percent increase in all types of malicious software, including viruses and Trojan horse programs in the period covered by the report, a number that excludes both spyware and adware, Huger said.

One exception to that trend was PCs belonging to zombie "bot" networks. After surging in the first half of the year, the number of computers in bot networks (or botnets) decreased, from more than 30,000 bot systems scanning the Internet each day in July to fewer than 5,000 a day by the end of the year, Symantec said.

Symantec did not cite a reason for the reduction, but said that action to shut down bot activity by large, international Internet service providers and the release of Microsoft's Windows XP Service Pack 2 update could account for the decline. However, other explanations are possible, including a shift away from huge and persistent botnets, towards smaller networks that stay online for shorter periods, Symantec said.

Behind the scenes, there is still plenty of interest in bot software. The number of new variants for bot software increased dramatically in the period covered by the study. For example, Symantec collected 4,288 unique variants of Spybot, a family of bot software, in the second half of the year -- around 23 new variants of the software every day, Huger said.

"That's the biggest leap we've ever seen, and it tells us that people are iterating the code to make it more successful, and also that there are more people in the game of writing (bot) variants," he said.