8/14/2019 B-whitepaper Government Internet Security Threat Report 04-2009.en-us
1/78
Symantec Enterprise Security
Symantec Government Internet
Security Threat Report
Trends for 2008
Volume XIV, published April 2009
Marc Fossi, Executive Editor, Manager, Development, Security Technology and Response
Eric Johnson, Editor, Security Technology and Response
Trevor Mack, Associate Editor, Security Technology and Response
Dean Turner, Director, Global Intelligence Network, Security Technology and Response
Gary Kevelson, Global Manager, Symantec Cyber Threat Analysis Program
Andrew J. Rogers, Cyber Threat Analyst, Symantec Cyber Threat Analysis Program
Joseph Blackbird, Threat Analyst, Symantec Security Response
Mo King Low, Threat Analyst, Security Technology and Response
Teo Adams, Threat Analyst, Security Technology and Response
David McKinney, Threat Analyst, Security Technology and Response
Stephen Entwisle, Threat Analyst, Security Technology and Response
Marika Pauls Laucht, Threat Analyst, Security Technology and Response
Greg Ahmad, Threat Analyst, Security Technology and Response
Darren Kemp, Threat Analyst, Security Technology and Response
Ashif Samnani, Threat Analyst, Security Technology and Response
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Highlights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Threat Activity Trends . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Malicious Code Trends . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Phishing, Underground Economy Servers and Spam Trends . . . . . . . . . . . 53
Appendix A: Symantec Best Practices . . . . . . . . . . . . . . . . . . . . 69
Appendix B: Threat Activity Trends Methodology . . . . . . . . . . . . . . . 71
Appendix C: Malicious Code Trends Methodology . . . . . . . . . . . . . . . 73
Appendix D: Phishing, Underground Economy Servers, and Spam Trends Methodology . . 74
Symantec Government Internet Security Threat Report
Introduction
The Symantec Government Internet Security Threat Report provides an annual summary and analysis of trends in attacks, vulnerabilities, malicious code, phishing, and spam as they pertain to organizations in government and critical infrastructure sectors. This volume will also provide an overview of observed activities on underground economy servers. Where possible, it will also include an overview of legislative efforts to combat these attack types and activities. For the purposes of this discussion, government organizations include national, state/provincial, and municipal governments. This report also incorporates data and discussions relevant to threat activity that affects critical infrastructure industries that support or are involved with government and related enterprises.
Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network. More than 240,000 sensors in over 200 countries monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, as well as additional third-party data sources.
Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Additionally, Symantec's distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attack methods.
Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades), affecting more than 72,000 technologies from more than 11,000 vendors. Symantec also facilitates the BugTraq mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 50,000 subscribers who contribute, receive, and discuss vulnerability research on a daily basis.
Spam and phishing data is captured through a variety of sources including: the Symantec Probe Network, a system of more than 2.5 million decoy accounts; MessageLabs Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over eight billion email messages, as well as over one billion Web requests, are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors and more than 50 million consumers.
These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result gives enterprises and consumers the essential information to effectively secure their systems now and into the future. This volume of the Symantec Government Internet Security Threat Report will mainly address current trends and emerging threats that Symantec has observed for 2008.
Executive Summary
The recent global economic crisis has shown how extensively interconnected the global economy has become. The repercussions of failing companies and industries have reached far beyond what many people might have expected. Even experienced actors find themselves in uncharted territories. This is resulting in changing patterns in both national government and commercial relations. These are expanding in new ways, some in response to the crisis, and others in support of intended growth. Similarly, as the Internet and broadband connectivity continue to expand, so does the mutual risk inherent in these regional and global relationships.1 One commonality demonstrated by the report data is that globalization continues to change traditional boundaries and alliances for both attackers and defenders.
Along with these issues, this summary will discuss the increasing sophistication of attackers and their tools against traditional defense mechanisms. In past reports, Symantec has identified that malicious activity has increasingly become Web-based, that attackers are targeting end users instead of computers, and that attackers are able to rapidly adapt their attack activities.2 These trends are expected to continue, as are the increasingly sophisticated social engineering methods employed by attackers.
Attackers continue to diversify the range of their options and in some cases have expanded the reach of their operations. As in previous years, Symantec continues to observe increasingly sophisticated attack techniques and the ability of attackers to rapidly adapt their methods. In this reporting period, the increasing trend toward interoperability between threats, methods, and multistage attacks has continued. For example, Trojans often install additional back door threats that then download and install bots. This creates the potential for additional compromises, such as using the compromised computers as spam zombies. All of these threats work in concert to provide a coordinated and sophisticated network of malicious activity. Threats due to data breaches and theft also continue to be dangerous, especially to governmental and critical infrastructure organizations, since these threats are often exploited for financial gain or intelligence gathering. As attackers refine their methods and consolidate their assets, they may be able to create global networks that support coordinated malicious activity.
Following a traditional network penetration approach sequence, successful Internet Control Message Protocol (ICMP) messages (otherwise known as pings) can be used to produce additional scanning attempts. Successful scans can then produce penetration attempts, which if properly executed can lead to malware deployment. If these attacks are identified as originating from multiple IP addresses, it would indicate more coordinated operations. This scenario would suggest that enhanced security intelligence could help to reduce the risk of further network compromises.
In the global and regional threat patterns observed by Symantec, attackers often target other computers within the same country or region.3 In this reporting period, Symantec examined the top regions originating malicious code infections, as well as the types of malicious code causing potential infections in each region. The regionalization of threats can cause differences between the types of malicious code being observed from one area to the next. For example, threats may use certain languages or localized events as part of their social engineering techniques. Because of the different propagation mechanisms used by different malicious code types, and the different effects that each malicious code type may have, information about the geographic distribution of malicious code can help network administrators improve their security efforts.
1 http://www.gao.gov/new.items/d08588.pdf : p. 1
2 h://val.sac.co/kgfo/s/wh_as/-wha__scu_ha_o_x_gov_09_2008.-us.df : p. 4
3 h://val.sac.co/kgfo/s/wh_as/-wha__scu_ha_o_x_gov_09_2007.-us.df : p. 10
This is illustrated by potential malicious code infections. Symantec examines the top regions among potential malicious code infections, as well as the main types of malicious code causing potential infections in each region. Threats that steal confidential information can also be tailored to steal information that is more commonly available in some countries than others. For instance, Trojans that attempt to steal account information for Brazilian banks are quite common in the Latin America region. Because of the increasing ability for attackers to be quite specifically and geographically targeted, governments should pay close attention to malicious events originating regionally.
The United States remained the top country for overall malicious activity in 2008, and again ranked first for a number of categories within this, including for malicious code, phishing website hosts, and originating attacks. Rounding out the top three countries for overall malicious activity were China and Germany, in second and third place, respectively. One notable change is the rise of Brazil from eighth rank in the previous report to fourth in 2008.
The most obvious explanation for a great deal of the attack patterns is the correlation between high-speed connectivity infrastructure in a country or region and the accompanying amount of malicious activity. An example of this is with spam bots, which typically require excessive bandwidth in order to propagate large amounts of email. Symantec has noted that spam bots are often concentrated in regions with well-established high-speed broadband infrastructures. High-bandwidth capacity networks may also enable attackers to hide attack and bot traffic more effectively, especially through HTTP-based command-and-control servers, where they can effectively hide malicious HTTP bot traffic within legitimate traffic, thus confounding efforts to filter for threats.
In 2008, China surpassed the United States for the largest number of broadband subscribers for the first time. This was likely a significant reason for China's continued prominence in many malicious code categories. Another reason for China's prominence is likely related to the fact that Internet users in China spend more of their leisure time online than users in any other country.4 Online leisure activities are typically more likely to include activities that are popular and, in many instances, vulnerable attack targets. This includes social networking websites, online gaming sites, forums, blogs, and online shopping sites. Dynamic sites, such as forums, are targets for attackers using bot-infected computers to host and propagate malicious content, as Web application and site-specific vulnerabilities can put these types of sites at risk.
For attacks specifically targeting the government sector, 2008 marked the first time that the United States was not the top country of origin, as it was surpassed by China, which ranked first with 22 percent of the attacks on the government sector. China's rise in this category represented an increase from 8 percent in 2007, when it was ranked fourth. The United States ranked second, and Spain ranked third this period.
Malicious code attacks targeting governments on the Web can be motivated by a number of factors. Profit is often a motive because governments store considerable amounts of personal identification data, which if stolen can be exploited for profit. In addition, attackers may also be motivated by attempts to steal government-classified information.
4 http://www.tnsglobal.com/_assets/files/TNS_Market_Research_Digital_World_Digital_Life.pdf
In 2008, some actions taken by governments were effective at reducing malicious threat activity. China made a large security effort to block or address websites potentially most susceptible to fraud in an effort to increase online security for users ahead of the 2008 Beijing Olympic Games.5 Thousands of websites were either shut down or blacklisted as a part of this effort, including a substantial number of messaging forums, which are popular attack targets, as noted. Additionally, the Chinese government created a special response team to monitor systems for potential Internet attacks and malicious activity.6 Lastly, many unlicensed Internet cafés there were also shut down and supervision was tightened on the cafés remaining to help address online security risks associated with the casual use of public computers.7 Public computers tend to be more susceptible to attacks because of the significant amount of varied traffic on such computers. Public computers are frequently used by a great variety of people for many different activities such as email, online shopping, and gaming. The variety of usage and the likelihood that many users are less aware of or concerned with security makes such computers attractive to attackers. Shutting down the Internet cafés in China thus removed possible channels for malicious activity.
Along with such actions taken by governments, the actions of regional commercial enterprises were also effective at reducing security threats, and also demonstrate how interconnected the threat landscape has become. One example occurred when two ISPs in the United States were shut down by their upstream ISPs in September and November 2008. This resulted in a dramatic drop worldwide in both bot command-and-control servers and bot-infected computers. Bot network activity associated with spam distribution decreased substantially after both shutdowns.8 Unfortunately, these slowdowns were only temporary, as the bot controllers were able to reestablish their operations elsewhere soon afterward.
i hs o od, Sac also xad h SCADA (Suvso Cool ad Daa Acquso)
scu ha ladsca. ths cluds, bu s o ld o, duss such as ow gao,
aufacug, ol ad gas, wa a, ad was aag. th scu of SCADA chologs
ad oocols ca b of coc bcaus h dsuo of lad svcs ca sul h falu of
ccal fasucu. Du o h oal fo dsuo of ccal svcs, hs vulabls a
b h ag of olcall ovad o sa-sosod aacks.
Given the role in critical infrastructure and the severity of potential vulnerabilities, SCADA security is largely a private affair between SCADA vendors and the industries and government agencies that rely on these specific protocols and technologies. As such, Symantec does not report on any private research, although it does report on public research for the Symantec Government Internet Security Threat Report.
The findings showed that SCADA technologies are affected by many of the same types of vulnerabilities that affect desktop and enterprise software. One noteworthy event took place in September 2008, when a security researcher publicly released exploit code for a SCADA vulnerability because the researcher believed that the originating vendor did not adequately emphasize the risk of the vulnerability.9
During this reporting period, the most common attacks targeting government organizations were denial-of-service (DoS) attacks, representing a continued trend from the previous reporting period. This is problematic because much of the critical infrastructure that performs essential functions may continue to remain at risk to attackers who might choose to exploit operations with this type of attack. Sectors that were most often the subject of DoS attacks included the financial, biotech/pharmaceutical, and transportation industries. With the transportation industry in particular, DoS attacks were the most common attack by a significant margin, accounting for 74 percent of attacks in 2008, indicating that this industry may have been singled out and specifically targeted for this type of attack. The goal of attackers may be to cause large-scale disruptions in the services that this sector provides or these attacks may simply be motivated out of spite due to dissatisfaction with those services.
5 See h://www.vu.co/vu/ws/2207878/cha-cacks-wb-o and http://english.gov.cn/2008-03/29/content_931872.htm
6 http://www.infoworld.com/article/08/04/24/China-worries-hackers-will-strike-during-Beijing-Olympics_1.html
7 http://www.theglobeandmail.com/servlet/story/RTGAM.20080212.wgchina0212/BNStory/Technology/home
8 See http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99 and http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html
9 http://www.theregister.co.uk/2008/09/08/scada_exploit_released/
The second most common type of attack against government networks was through Simple Mail Transfer Protocol (SMTP), the protocol through which the vast majority of email is transferred. If compromised, SMTP offers attackers an excellent access vector to internal network resources. While compromised email servers could be used to overwhelm networks with unauthorized bandwidth requests, the more likely motivation for compromising email servers lies in their usefulness for sending out spam, as well as harvesting email addresses for targeted phishing attacks. These attacks also offer the ability to spoof government communications and to obtain credentials to launch further attacks. Given how integral and often used internally email is in organizations within the government sector, these types of attacks offer the potential for compromising the integrity of information and communications within governments.
Although dropping from first to second in the attack-by-type ranking for the biotech/pharmaceutical and financial sectors, SMTP-based attacks remain a relatively large threat to these critical sectors, likely because of the value in spoofing their goods and services in attacks. Similarly, the manufacturing sector ranked very high for phishing website hosts, likely due to the fact that attackers rely upon the trust that users often have for well-known commercial brands.
Symantec also measures the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. In 2008, the telecommunications sector again accounted for the highest proportion of attacks of this nature by a significant margin, with an overwhelming 97 percent of the total.
Attackers continue to target the telecommunications sector for a number of reasons. Organizations in this sector include ISPs and Web-hosting companies, which often have a large number of Internet-facing computers and broadband connections. In 2008, the majority of attacks against this sector were shellcode exploits.10 This may indicate that attackers are attempting to take control of computers in this sector to use them to conduct malicious activity. Compromises to the servers or networks of these companies would also potentially expose a great number of their customers to a range of malicious attacks.
Moreover, governments and critical infrastructure organizations rely on the availability of public communication networks and the telecommunication sector for day-to-day operations. Since telecommunications organizations have a certain amount of control on the flow of data through networks, successful compromises of these networks could give attackers the ability to compromise targeted computers inside specific governmental or critical infrastructure organizations.
As noted, attacks targeting these large government repositories are often motivated by profit since governments store considerable amounts of personal identification that, if fraudulently obtained, can be sold on underground economy servers. This can also include sensitive information such as military data, scientific research, and technology exports, all of which would be valuable information that could be sold to competing companies or other governments.
10 Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability.
One important and rising area of concern to governments is the increased use (and capacity) of removable media over the past few years. In 2008, 66 percent of potential malicious code infections propagated as shared executable files, up significantly from 44 percent in 2007. Shared executable files are the propagation mechanism employed by viruses and some worms to copy themselves onto removable media. The resurgence in this vector over the past few years coincides with the increased use of removable drives and other portable devices. It is also an easy vector to exploit because older malicious code exploits developed for floppy disks can be easily modified for current removable media devices. Increasing the danger of this resurgence is that many organizations lack effective security measures to protect against such dangers.
In a recent study, 59 percent of employees admitted to taking company information, such as email addresses, contact information of customers, employee records, and financial records, when leaving the organization.11 Of those who admitted to taking data, 53 percent downloaded information onto a CD or DVD, 42 percent took data using a USB drive, and 38 percent sent attachments to a personal email account.
For data breaches that could lead to identity theft, the government sector continued to be a top target in 2008, ranking second in both the number of breaches, with 20 percent, and the number of identities exposed, with 17 percent. One example of a breach in 2008 occurred when confidential information on six million Chilean people was exposed after being illegally obtained from government databases by a hacker, who then publicly posted the information.12 Although it would be unrealistic to think that all of this data would be exploited, the potential profit for the perpetrators of the attack is still substantial; for example, in 2008 Symantec observed advertised prices for full identities on underground economy servers for as much as $60 each.13
Symantec also assesses the distribution of phishing websites that use government top-level domains (TLDs).14 In 2008, Thailand's TLD accounted for the highest amount of phishing sites, followed by Romania and then Indonesia. As with most phishing attacks, trust often seems to be the main reason for phishing attacks using government TLDs. The more credible a phishing attack can appear, the more likely it is to succeed. People tend to trust that the content they are presented with on government websites is valid. Also, many governments are putting an increasing amount of services online and, as with online banking, people are becoming accustomed to providing sensitive information in online forms in order to receive services. Attackers may also embed these websites with malicious code designed to compromise the computers of any subsequent site visitors. The compromised computers could then be mined for any worthwhile data or used as a bot to send out spam and mount phishing campaigns. Social engineering exploits such as this are becoming ever more sophisticated and demonstrate the continued trend noted by Symantec toward focused attacks on end users. For example, in 2008, 95 percent of attacked vulnerabilities were identified as client-side vulnerabilities as opposed to server-side vulnerabilities.
Trends point to a mature and self-sustaining market within the online underground economy, as fraud and identity theft continue to evolve. With this, targeted phishing attacks on government users will likely remain popular due to the wealth of information contained in government databases and the potential to convert this data to profit through fraud. The evaluation of the underground economy is a reliable indicator of the degree of compromise of information systems and networks throughout the world, and serves as a warning sign for government and critical infrastructure networks.
11 http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
12 See http://news.bbc.co.uk/1/hi/world/americas/7395295.stm and http://www.msnbc.msn.com/id/23678909/
13 All figures are provided in U.S. dollars.
14 In a domain name, the top level domain is the part that is furthest to the right. For example, the com in symantec.com. There are two types of top level domains: generic and country specific. Examples of generic domains are com, net, and org, while country-specific top level domains include .cn for China, and .uk for the United Kingdom, as well as others.
In 2008, Symantec observed heightened levels of malicious activity with specific increases in phishing, spam, bot networks, Trojans, and zero-day attacks. These threats coupled with the increased sophistication and coordinated activities of attackers may have further implications for government and critical infrastructure organizations, who should be particularly concerned with the ability of malicious code developers to target specific entities and websites.
Attackers will continue to rapidly adapt and engineer new techniques and strategies to circumvent security measures, and the identification, analysis, and tracking of these techniques across the threat landscape are essential. It is becoming increasingly clear that security groups need to cooperate to develop effective countermeasures and intelligence to respond to the evolving threat landscape. The large increase in the number of new malicious code threats, coupled with the use of the Web as a distribution mechanism, also demonstrates the growing need for more responsive and cooperative security measures.
Highlights
Threat Activity Trends Highlights
During this reporting period, 23 percent of all malicious activity measured by Symantec in 2008 was located in the United States; this is a decrease from 26 percent in 2007.
The United States was the top country of attack origin in 2008, accounting for 25 percent of worldwide activity; this is a decrease from 29 percent in 2007.
Telecommunications was the top critical infrastructure sector for malicious activity in 2008, accounting for 97 percent of the total; this is a slight increase from 96 percent in 2007 when it also ranked first.
In 2008, Symantec documented six public SCADA vulnerabilities. This was a decrease from 2007 when there were 15 documented SCADA vulnerabilities.
The education sector accounted for 27 percent of data breaches that could lead to identity theft during this period, more than any other sector and a slight increase from 26 percent in 2007.
The financial sector was the top sector for identities exposed in 2008, accounting for 29 percent of the total and an increase from 10 percent in 2007.
In 2008, the theft or loss of a computer or other data-storage devices accounted for 48 percent of data breaches that could lead to identity theft and for 66 percent of the identities exposed.
Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.
China had the most bot-infected computers in 2008, accounting for 13 percent of the worldwide total; this is a decrease from 19 percent in 2007.
Buenos Aires was the city with the most bot-infected computers in 2008, accounting for 4 percent of the worldwide total.
In 2008, Symantec identified 15,197 distinct new bot command-and-control servers; of these, 43 percent operated through IRC channels and 57 percent used HTTP.
The United States was the location for the most bot command-and-control servers in 2008, with 33 percent of the total, more than any other country.
The top Web-based attack in 2008 was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness vulnerability, which accounted for 30 percent of the total.
The United States was the top country of origin for Web-based attacks in 2008, accounting for 38 percent of the worldwide total.
The United States was the country most frequently targeted by denial-of-service attacks in 2008, accounting for 51 percent of the worldwide total.
The top country of origin for attacks targeting the government sector was China, which accounted for 22 percent of the total. This was an increase from 8 percent in 2007.
The most common type of attack this period targeting government and critical infrastructure organizations was denial-of-service attacks, accounting for 49 percent of the top 10 in 2008.
Malicious Code Trends Highlights
In 2008, the number of new malicious code signatures increased by 265 percent over 2007; over 60 percent of all currently detected malicious code threats were detected in 2008.
Of the top 10 new malicious code families detected in 2008, three were Trojans, three were Trojans with a back door component, two were worms, one was a worm with a back door component, and one was a worm with back door and virus components.
Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.
Five of the top 10 staged downloaders in 2008 were Trojans, two were Trojans that incorporated a back door component, one was a worm, one was a worm that incorporated a back door, and one was a worm that incorporated a virus component.
In 2008, the proportional increase of potential malicious code infections was greatest in the Europe, the Middle East and Africa region.
The percentage of threats to confidential information that incorporate remote access capabilities declined to 83 percent in 2008; this is a decrease from 91 percent in 2007, although such threats remained the most prevalent exposure type.
In 2008, 78 percent of threats to confidential information exported user data and 76 percent had a keystroke-logging component; these are increases from 74 percent and 72 percent, respectively, in 2007.
Propagation through executable file sharing continued to increase in 2008, accounting for 66 percent of malicious code that propagates, up from 44 percent in 2007.
One percent of the volume of the top 50 malicious code samples modified Web pages in 2008, down from 2 percent in 2007.
The percentage of documented malicious code samples that exploit vulnerabilities declined substantially, from 13 percent in 2007 to 3 percent in 2008.
In 2008, eight of the top 10 downloaded components were Trojans, one was a Trojan with a back door component, and one was a back door.
Malicious code that targets online games accounted for 10 percent of the volume of the top 50 potential malicious code infections, up from 7 percent in 2007.
Phishing, Underground Economy Servers, and Spam Trends Highlights
The majority of brands used in phishing attacks in 2008 were in the financial services sector, accounting for 79 percent, down slightly from 83 percent identified in 2007.
The financial services sector accounted for the highest volume of phishing lures during this period, with 76 percent of the total; this is considerably higher than 2007, when the volume for financial services was 52 percent.
In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007, when Symantec detected 33,428 phishing hosts.
In 2008, 43 percent of all phishing websites identified by Symantec were located in the United States; this is considerably less than 2007, when 69 percent of such sites were based there.
The most common top-level domain used in phishing lures detected in 2008 was .com, accounting for 39 percent of the total; it was also the highest ranking top-level domain in 2007, when it accounted for 46 percent of the total.
The top government top-level domain that was detected as being used by phishing lures in 2008 was .go.th, the TLD for websites associated with the government of Thailand.
One particular automated phishing toolkit identified by Symantec was responsible for an average of 14 percent of all phishing attacks during 2008.
Credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 32 percent of all goods and services; this is an increase from 2007 when credit card information accounted for 21 percent of the total.
The United States was the top country for credit cards advertised on underground economy servers, accounting for 67 percent of the total; this is a decrease from 2007 when it accounted for 83 percent of the total.
The most common type of spam detected in 2008 was related to Internet- or computer-related goods and services, which made up 24 percent of all detected spam; in 2007, this was the second most common type of spam, accounting for 19 percent of the total.
Symantec observed a 192 percent increase in spam detected across the Internet, from 119.6 billion messages in 2007 to 349.6 billion in 2008.
In 2008, 25 percent of all spam recorded by Symantec originated in the United States, a substantial decrease from 45 percent in 2007, when the United States was also the top ranked country of origin.
In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.
Threat Activity Trends
In 2008, the United States was the top country for overall malicious activity, making up 23 percent of the total (table 1). This is a decrease from 2007 when the United States was also first, with 26 percent. Within specific category measurements, the United States ranked first in malicious code, phishing website hosts, and attack origin.
2008 Rank | 2007 Rank | Country | 2008 Overall Percentage | 2007 Overall Percentage | Malicious Code Rank | Spam Zombies Rank | Phishing Websites Host Rank | Bot Rank | Attack Origin Rank
1 | 1 | United States | 23% | 26% | 1 | 3 | 1 | 2 | 1
2 | 2 | China | 9% | 11% | 2 | 4 | 6 | 1 | 2
3 | 3 | Germany | 6% | 7% | 12 | 2 | 2 | 4 | 4
4 | 4 | United Kingdom | 5% | 4% | 4 | 10 | 5 | 9 | 3
5 | 8 | Brazil | 4% | 3% | 16 | 1 | 16 | 5 | 9
6 | 6 | Spain | 4% | 3% | 10 | 8 | 13 | 3 | 6
7 | 7 | Italy | 3% | 3% | 11 | 6 | 14 | 6 | 8
8 | 5 | France | 3% | 4% | 8 | 14 | 9 | 10 | 5
9 | 15 | Turkey | 3% | 2% | 15 | 5 | 24 | 8 | 12
10 | 12 | Poland | 3% | 2% | 23 | 9 | 8 | 7 | 17
Table 1. Malicious activity by country
Source: Symantec Corporation
The slight decrease in overall malicious activity for the United States can be attributed to the drop in spam zombies there. This is likely due to the shutdown of two U.S.-based Web hosting companies that were allegedly hosting a large number of bot C&C servers associated with spam distribution bot networks (botnets).16 Spam activity decreased worldwide after both shutdowns. In one case, Symantec observed a 65 percent decrease in spam traffic in the 24 hours that followed.17 Both companies allegedly hosted a large number of bot C&C servers for several large spam bots: Srizbi,18 Rustock,19 and Ozdok (Mega-D).20 Spam zombies that lack a central command system are unable to send out spam.
China had the second highest amount of overall worldwide malicious activity in 2008, accounting for 9 percent; this is a decrease from 11 percent in the previous reporting period. Along with the fact that China has the most broadband subscribers in the world, the amount of time spent online by users there could contribute to the high percentage of malicious activity in China. The longer a user is online, the longer their computer is exposed to malicious attack or compromise, and Internet users in China spend more of their leisure time online than users in any other country.21 Online leisure activities are also typically more likely to include activities or sites that may be vulnerable to attacks. This includes social networking websites, online gaming sites, forums, blogs, and online shopping sites. Dynamic sites, such as forums, for example, are targets for attackers using bot-infected computers to propagate and host malicious content since Web application and site-specific vulnerabilities can put these types of sites at risk.
16 http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html
17 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
18 http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
19 http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
20 http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99
21 http://www.tnsglobal.com/_assets/files/TNS_Market_Research_Digital_World_Digital_Life.pdf
The slight drop in China's percentage of malicious activity in 2008 was mainly due to the drop in phishing website hosts and bot-infected computers. China dropped from third for phishing website hosts in 2007 to sixth in 2008, with just under 3 percent of the global total; and, although China maintained its top ranking for bot-infected computers, its global share in this regard decreased from 19 percent in 2007 to 13 percent in 2008.
One possible cause for the decreases may be national initiatives to block websites potentially most susceptible to fraud in an effort to increase online security for users ahead of the 2008 Beijing Olympic Games. Thousands of websites were either shut down or blacklisted as a part of this effort, including a substantial number of messaging forums,22 which, as noted previously, are popular targets of attack for Web application and site-specific vulnerabilities. Thus, a reduction in the number of bot-infected computers should result in a corresponding drop in other attack activity categories, such as spam zombies, because these are often associated with bot-infected computers. China dropped from third in spam zombies in 2007, with 7 percent of the worldwide total, to fourth and 6 percent in 2008.
Another factor that may have contributed to the lower percentage of bot-infected computers in China in 2008 was that many unlicensed Internet cafés there were also shut down and supervision was tightened on the remaining cafés to help address online security risks associated with the casual use of public computers.23 Public computers tend to be more susceptible to attacks because of the significant amount of varied traffic on such computer terminals. Public computers are frequently used by a great variety of people for many different activities such as email, online shopping, and gaming. The variety of usage and likelihood that many users are less aware of or concerned with security makes such computers attractive to attackers.
In 2008, Germany again ranked third with 6 percent of all Internet-wide malicious activity, down slightly from 7 percent in 2007. In both years, Germany ranked highly in spam zombies and hosting phishing websites, activities that are often associated with bot networks. In 2008, Germany ranked fourth for bot C&C servers, with 5 percent of the total. This high number of bot C&C servers likely indicates that bots are prominent in Germany, which would contribute to the high amount of overall malicious activity originating there. Also, spam zombies are often focused in regions with high broadband penetration and bandwidth capacity because these conditions facilitate sending out large amounts of spam quickly.
It is reasonable to expect that the United States, China and Germany will continue to outrank other countries in this measure as they have done so for the past several reports. Beyond these three, however, countries such as Brazil, Turkey, Poland, India, and Russia are expected to continue to increase their share of over all malicious activity because they all have rapidly growing Internet infrastructures and growing broadband populations.24 Countries that have a relatively new and growing Internet infrastructure tend to experience increasing levels of malicious activity until security protocols and measures are improved to counter these activities.
22 See h://www.vu.co/vu/ws/2207878/cha-cacks-wb-o and http://english.gov.cn/2008-03/29/content_931872.htm
23 http://www.theglobeandmail.com/servlet/story/RTGAM.20080212.wgchina0212/BNStory/Technology/home
24 http://www.point-topic.com
Malicious activity by critical infrastructure sectors
This metric will evaluate the amount of malicious activity originating from computers and networks that are known to belong to government and critical infrastructure sectors. To measure this, Symantec cross-references the IP addresses of known malicious computers with Standard Industrial Classification (SIC) codes25 that are assigned to each industry and provided by a third-party service.26 Symantec has compiled data on numerous malicious activities that were detected originating from the IP address space of these organizations. These activities include bot-infected computers, hosting phishing websites, spam zombies, and attack origins.
This metric indicates the level to which government and critical infrastructure organizations may have been compromised and are being used by attackers as launching pads for malicious activity. These attacks could potentially expose sensitive and confidential information, which could have serious ramifications for government and critical infrastructure organizations. Such information could be used for strategic purposes in the case of state- or group-sponsored attacks, especially since attackers who use compromised computers for malicious activity can mask their actual location.
In 2008, 97 percent of all malicious activity originating from critical infrastructure sectors originated from telecommunications organizations (table 2). This was an increase from 2007 when telecommunications accounted for 96 percent of the total. For each of the malicious activities in this metric, telecommunications ranked first by a significant margin.
2008 Rank | 2007 Rank | Sector | 2008 Percentage
1 | 1 | Telecommunications | 97%
2 | 2 | Manufacturing | 1%
3 | 3 | Financial services |
4 | 4 | Health care |
5 | 5 | Transportation |
6 | 6 | Utilities/energy |
7 | 7 | Military |
8 | 8 | Agriculture |
9 | 9 | Biotech/pharmaceutical |
10 | 10 | Law enforcement |
Attackers may be targeting the telecommunications sector for a number of reasons. Organizations in this sector include ISPs and Web-hosting companies and they often have a large number of computers that are directly connected to the Internet. These publicly accessible computers present more opportunities for attackers to compromise because they do not have to break into a network to gain access to them. Organizations in this sector have a challenging task to manage these large numbers of Internet-facing computers and, hence, computers in telecommunications organizations likely present attractive targets for attackers. As such, this likely contributes to the high amount of malicious activity originating from this sector. Also, Symantec observed that 84 percent of attacks against the telecommunications sector were shellcode exploits,27 which may indicate that attackers are attempting to take control of computers in this sector and use them to conduct malicious activity.
Attackers may view telecommunications organizations as excellent platforms for launching subsequent attacks because organizations within this sector are likely to have extensive broadband infrastructures with high-bandwidth and high-traffic networks. This would enable an attacker to carry out large attacks, such as DoS attacks to disrupt services, which deny access to organizations/individuals that subscribe to their services, or other malicious activity, such as relaying spam. This is illustrated by the high percentage of spam zombies and bot-infected computers found in the telecommunications sector. High-bandwidth capacity networks may also allow an attacker to hide attack and bot traffic more effectively, especially for HTTP-based bot C&C servers, where HTTP bot traffic is virtually indistinguishable from regular traffic, making it difficult to filter.
Since organizations in the telecommunications sector likely have numerous servers, once an attacker gains access to the organization, he or she can potentially infect all websites that are hosted on those servers with malicious code for Web-based attacks, or compromise them for phishing attacks or malicious code delivery systems. In a recent example, attackers were able to gain access to a bill payment service website through the Internet domain registrar and route all traffic to malicious sites hosted on servers in Ukraine.28
Government and critical infrastructure organizations rely on the availability of public communication networks and the telecommunication sector for day-to-day operations. Since telecommunications organizations typically control the flow of data through networks, attackers may compromise strategically located computers inside organizations. Computers within telecommunications organizations may effectively serve as platforms from which attacks can be launched against organizations served by telecommunications firms because they provide communications for other sectors as well, including government. As such, attackers who are seeking confidential or sensitive information may specifically target this sector. Successful compromise of computers in the telecommunications sector could allow an attacker to eavesdrop on or disrupt key communications in other sectors.
The manufacturing sector was the origin of the second highest amount of malicious activity during 2008, accounting for 1 percent of the total. This was a decrease from 2007, when it accounted for 2 percent of the total. Organizations in the manufacturing sector invest large amounts of time and money into research and development into new methods and products. As stated in the SCADA vulnerabilities discussion below, malicious activity in the manufacturing sector can be a national security concern due to the repercussions of disruptions to critical infrastructure. In this highly competitive sector, many organizations use websites as a tool to market and sell their products online. Attackers likely rely upon the trust that users have for these brands, as the manufacturing sector ranked high for phishing website hosts. Once an attacker compromises a manufacturer's website, visitors thinking they are browsing on a legitimate site may become victims of malicious activity such as downloaded Trojans or keystroke loggers.
27 Shellcode is a small piece of code used as the payload in the exploitation of a vulnerability.
28 http://www.csoonline.com/article/474365/CheckFree_Warns_Million_Customers_After_Hack
Top countries of origin for government-targeted attacks
Attacks targeting governments can be motivated by a number of factors. Profit is often a motive because governments store considerable amounts of personal identification data that could be used for fraudulent purposes, such as identity theft. Personal data can include names, addresses, government-issued identification numbers, and bank account credentials, all of which can be effectively exploited for fraud by attackers. Government databases also store information that could attract politically motivated attackers, including critical infrastructure information and other sensitive intelligence. As a recent study discussed, attacks on government computer networks in the United States that resulted in a compromise or stolen information increased by 40 percent from 2007 to 2008.29
In 2008, China was the top country of origin for attacks that targeted the government sector, with 22 percent of the total (table 3), an increase from 8 percent in 2007, when it ranked fourth. For Internet-wide attacks in 2008, 13 percent of that total originated in China.
A number of media reports are alleging that attacks on government computer networks in countries such as the United States, India and Belgium had originated in China.30 Nevertheless, it should be noted that attackers often try to obscure their tracks by redirecting attacks through proxy or other servers that may be located anywhere in the world; this means that the attacker may be located elsewhere than the country from which the attacks appear to originate.
2008 Rank   2007 Rank   Country          2008 Percentage   2007 Percentage
1           4           China            22%               8%
2           1           United States    12%               20%
3           2           Spain            6%                10%
4           3           France           5%                9%
5           8           United Kingdom   5%                4%
6           6           Italy            4%                7%
7           5           Germany          4%                8%
8           10          Brazil           3%                2%
9           19          Turkey           3%                1%
10          18          Russia           2%                1%
Table 3. Top countries of origin for government-targeted attacks
Source: Symantec
29 h://www.usaoda.co/ws/washgo/2009-02-16-cb-aacks_n.h
30 h://www.f.co/cs/s/0/2931c542-ac35-11dd-bf71-000077b07658.hl, h://sofda.das.co/ida/Cb_aacks_b_Cha_o_ida_ss/aclshow/3010288.cs, and h://www.dofol.co.uk/coo/chs-soag-al--blgu5458.hl
The United States ranked second in 2008 for attacks targeting government, with 12 percent of the total, a decrease from 20 percent in 2007. This drop is likely due to the shutdown of two ISPs in September and November 2008, which resulted in a dramatic drop in botnet activity worldwide. Because bot-infected computers are used for large-scale attacks, such as DoS attacks, a significant drop in their numbers would result in a corresponding decrease in the number of malicious attacks detected.
The percentage of government-targeted attacks launched from the United States was less than half of its percentage for Internet-wide attacks, which accounted for 25 percent of that total in 2008. This indicates that the attacks originating from the United States were not specifically targeting government organizations, but were instead part of more general, widespread attacks.
Spain ranked third in this metric and accounted for 6 percent of attacks targeting government organizations in 2008, down from 10 percent in 2007. The 6 percent is twice the 3 percent of Internet-wide attacks that originated there, indicating that attackers originating in Spain may have been specifically targeting government organizations.
One reason for Spain's ranking here is the activities of a group of hackers located there. The group was arrested for compromising and defacing governmental websites in the United States, Asia, Latin America, and Spain.31 Investigations show that the group was responsible for having disabled 21,000 Web pages over a two-year period.32
Attacks by type: notable critical infrastructure sectors
This section of the Symantec Government Internet Security Threat Report will focus on the types of attacks detected by sensors deployed in notable critical infrastructure sectors. The ability to identify attacks by type assists security administrators in evaluating which assets may be targeted. In doing so, this may assist security administrators in securing those assets receiving a disproportionate number of attacks. The following sectors will be discussed in detail:
Government and critical infrastructure organizations
Government
Biotech/pharmaceutical
Health care
Financial services
Transportation
31 h://www.usaoda.co/ch/ws/couscu/hackg/2008-05-17-hacks-sa_n.h
32 h://www.abc..au/ws/sos/2008/05/18/2248032.h
Government and critical infrastructure organizations
Government and critical infrastructure organizations are the target of a wide variety of attack types. The most common attack type seen by all sensors in the government and critical infrastructure sectors in 2008 was DoS attacks, which accounted for 49 percent of the top 10 attacks (figure 1). SMTP attacks were the second most common, accounting for 44 percent of the top 10 attacks.
SMTP (email) 44%
DoS 49%
Web (server) 6%
Figure 1. Top attack types, government and critical infrastructure33
Source: Symantec
DoS attacks are a threat to governments and critical infrastructures because the purpose of such attacks is to disrupt the availability of high-profile websites or other network services, and make them inaccessible to users and employees. This could result in the disruption of internal and external communications, making it practically impossible for employees and users to access potentially critical information. Because these attacks often receive greater exposure than those that take a single user offline, especially for high-profile government websites, they could also result in damage to the organization's reputation. A successful DoS attack on a government network could also severely undermine confidence in government competence, and in the defense and protection of government networks.
DoS attacks can often be associated with political protests, since they are intended to render a site inaccessible in the same way that a physical protest aims to block access to a service or location. They can also be associated with conflict whereby one country may try to block Web traffic or take websites offline. As such, the high percentage of DoS attacks may be an attempt to express displeasure with the targeted organizations or countries.
33 Due to rounding, percentages may not add up to 100 percent.
SMTP, or simple mail transfer protocol, is designed to facilitate the delivery of email messages across the Internet. Email servers using SMTP as a service are likely targeted by attackers because external access is required to deliver email. While most services can be blocked by a firewall to protect against external attacks and allow access only to trusted users and systems, for email to function effectively for organizations, it has to be available both internally and externally to other email servers. The necessity of allowing both internal and external access increases the probability that a successful attack will improve the attacker's chances of gaining access to the network.
In addition to illegally accessing networks, attackers who compromise email servers may also be attempting to use the email servers to send spam or harvest email addresses for targeted phishing attacks. Because spam can often consume high quantities of unauthorized network bandwidth, these attempts can disrupt or overwhelm email services, which could result in DoS conditions. Successful SMTP attacks against government and critical infrastructure organizations could also allow attackers to spoof official government communications and obtain credentials in order to launch further attacks. These organizations heavily rely on email as a communication method and, as such, it is essential that email traffic be secured. Symantec recommends that administrators use secure email protocols, deploy anti-spam and antifraud solutions, and ensure that operating and email solutions are fully patched against all known vulnerabilities.
Top attack types, by sector
DoS attacks were the most common type of attack observed by sensors deployed in the government, biotech/pharmaceutical, financial services, and transportation sectors in 2008 (figure 2). These attacks made up 48 percent of the top 10 attacks observed by government sensors, 54 percent in the biotech/pharmaceutical sector, 48 percent in the financial services sector, and 74 percent in the transportation sector.
As discussed above, it is likely these attacks were conducted to disrupt services in these sectors as a form of either protest or retaliation. Also, by denying access to these websites, these attacks could result in a significant loss of revenue for organizations in these sectors.
DoS attacks were by far the most common attack observed in the transportation sector. Since DoS attacks accounted for 49 percent of the attacks on government and critical infrastructure, this difference may indicate that attackers deploying these attacks are specifically targeting the transportation sector. Attackers may be using this type of attack to disrupt services and communications within the transportation sector. Large-scale attacks of this nature may leave organizations unable to coordinate communications or relief efforts in the event of an emergency, or the ability to move supplies and goods from a plant during a war or crisis. Also, because delays in the transportation sector often have a domino effect, in which delays in one area will cause delays in another due to scheduling, attacks on a relatively small part of this sector could have a significant effect in these situations.
[Figure 2 chart: top attack types by sector (government, biotech/pharmaceutical, financial services, transportation); attack types shown: DoS, SMTP (email), Web (server), Web (browser), DNS, shellcode/exploit; y-axis: percentage]
This discussion is based on data surrounding publicly known vulnerabilities affecting SCADA technologies. The purpose of the metric is to provide insight into the state of security research as it affects SCADA systems. To a lesser degree, this may provide insight into the overall state of SCADA security. Vulnerabilities affecting SCADA systems may present a threat to critical infrastructure that relies on these systems. Due to the potential for disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks. This is a concern for governments and/or enterprises that are involved in the critical infrastructure sector. While this metric provides insight into public SCADA vulnerability disclosures, due to the sensitive nature of vulnerabilities affecting critical infrastructure, there is likely private security research conducted by SCADA technology and security vendors. Symantec does not have insight into any private research because the results of such research are not publicly disclosed.
In 2008, Symantec documented six public SCADA vulnerabilities. This is fewer than the 15 public SCADA vulnerabilities documented by Symantec in 2007. There were more publicly reported SCADA vulnerabilities in 2007 due to multiple similar vulnerabilities affecting a single implementation that were reported in a single announcement.35 Therefore, the difference between 2007 and 2008 does not appear to be a significant trend.
The number of public SCADA vulnerabilities is relatively small and represents the research efforts of a small community of specialized researchers. Security research in the field of SCADA often requires specialized knowledge and resources. Due to the role in critical infrastructure and the severity of potential vulnerabilities, SCADA security is often a private affair between industries that use SCADA protocols and technologies, the vendors themselves, and other stakeholders such as computer emergency response teams (CERTs) and government agencies. The close-knit nature of the SCADA industry means that vulnerability announcements are not necessarily made public. Information about vulnerabilities or general bugs is more likely to be exchanged privately between vendors, their customers, and other interested parties. These factors limit the number of publicly disclosed SCADA vulnerabilities. The number of public vulnerabilities is not likely to increase until more security researchers become involved in this area of interest or until vendors change their policies about public vulnerability disclosure.
Information about SCADA-related incidents, whether accidental or malicious, has been tracked by organizations such as the British Columbia Institute of Technology (BCIT), which maintained, for a number of years, a non-public database of SCADA incidents called the Industrial Security Incident Database (ISID). Efforts such as the ISID have been able to provide credible empirical data that can be used to gauge the amount and severity of attack activity affecting SCADA environments. A Symantec-sponsored report assessing data in ISID was published in 2007.36 In June of 2006, the database had tracked 105 legitimate incidents, with the earliest dating back to 1982. However, more recent data is not available because the ISID was not maintained after this report.37
In February of 2008, the SCADASEC-L mailing list was created to foster public discussion of SCADA security issues.38 However, unlike other mainstream security mailing lists, SCADASEC-L discourages discussion of technical details surrounding vulnerabilities. The notion of full disclosure of security vulnerabilities is unpopular in SCADA security circles due to the elevated risk to critical infrastructure that is posed by vulnerabilities in SCADA technologies. This means that those affected by vulnerabilities are largely dependent on vendors reporting security issues as well as efforts by CERT organizations to disseminate
35 h://www.scufocus.co/bd/23059
36 h://h.dusal-wokg.co/acls/acldsla.as?d=1823
37 h://www.auoaowold.co/ws-4144
38 h://www.faccal.co/usag-scadasc.hl
information about vulnerabilities. In September of 2008, a security researcher publicly released exploit code for a vulnerability in CitectSCADA because the researcher believed that the vendor report did not adequately emphasize the risk of the vulnerability.39
Governments have also expressed concerns toward the private sector regarding its ability to manage and prevent vulnerabilities that may affect critical infrastructure. In May of 2008, a government representative for the U.S. House Subcommittee on Emerging Threats, Cybersecurity and Science and Technology criticized the North American Electric Reliability Corporation (NERC) for its handling of potential threats to the electrical grid.40
In December of 2006, Tenable Security announced the release of SCADA plug-ins for the Nessus vulnerability assessment tool.41 This demonstrated converging interests between the SCADA community and the mainstream security community. From this point on, security researchers began to discover vulnerabilities in SCADA-related technologies. It has since been realized that SCADA technologies are affected by many of the same types of vulnerabilities that affect desktop and enterprise software. For example, some functions are implemented as ActiveX controls and are therefore prone to vulnerabilities similar to those that have been identified in other ActiveX controls in general. Many of the vulnerabilities documented in 2007 and 2008 affect ActiveX controls that implement functionality such as OPC servers. These allow a Microsoft Windows-based computer to communicate with other applications and devices in a SCADA environment. Software such as this is more accessible to security researchers than other SCADA-related applications and hardware. Therefore, security researchers are able to discover vulnerabilities in these applications without requiring access to a complete SCADA environment.
Additionally, network-accessible devices may use either common or specialized networking protocols that are prone to attacks such as DoS attacks. Malformed network traffic may affect these devices in a manner similar to other network-accessible services within the enterprise. While security researchers have reported vulnerabilities specific to SCADA technologies, there is also a potential threat from vulnerabilities in components connected to SCADA systems. This can include operating systems hosting SCADA technologies or other components such as database software. Additionally, many SCADA environments employ legacy technologies that are not equipped with mechanisms for authentication or measures to ensure the availability, integrity, and confidentiality of data. These systems may be particularly at risk, especially if they are not fault tolerant or designed to handle exceptional conditions such as malformed input.
To limit exposure to attacks, networks running SCADA protocols and devices should be isolated from other networks. These assets should not be connected to the Internet, and incoming/outgoing traffic should be limited to only those protocols that are required. A defense-in-depth strategy should be deployed so that security risks elsewhere in the organization cannot affect the control network. Additional layers of defense should be deployed to protect key assets. Securing a SCADA environment may present different challenges than those faced when securing an enterprise. In many cases it may not be possible to create a test environment for auditing purposes. Furthermore, any disruption of services may be costly or damaging. Therefore, both passive asset discovery as well as vulnerability scanning technologies are best applied in a way that limits the potential for side effects. Antivirus and patch management measures should be undertaken with care, and organizations should consult security and control systems vendors for support in implementing these solutions in a manner that minimizes risk and downtime.
39 h://www.hgs.co.uk/2008/09/08/scada_xlo_lasd/
40 h://www.cwold.co/busssc/acl/146153/lawaks_s_cb_has_o_lccal_gd.hl
41 h://blog.ablscu.co/2006/12/ssus_3_scada_.hl
Data breaches that could lead to identity theft
Identity theft continues to be a high-profile security issue, particularly for organizations that store and manage large amounts of personal information. Based on the most recent information available for 2007, roughly 8.4 million U.S. residents were victims of identity theft, which represents approximately 3 percent of the adult population.42 Not only can compromises that result in the loss of personal data undermine customer and institutional confidence, result in costly damage to an organization's reputation, and be costly for individuals to recover from the resulting identity theft, they can also be financially costly to organizations. In 2008, the average cost per incident of a data breach in the United States was $6.7 million,43 an increase of 5 percent from 2007, and lost business amounted to an average of $4.6 million.44 Also, organizations can be held liable for breaches and losses, which may result in fines or litigation.45
By the end of 2008, 44 states in the United States (along with the District of Columbia, Puerto Rico, and the Virgin Islands) had enacted legislation requiring notification of breaches involving personal information. The legislation regulates the responsibilities of organizations conducting business within the particular state after a data breach has occurred.46 The laws require anyone who conducts business in the state to notify owners of the information exposed immediately after a security breach, with failure to do so resulting in possible civil action and fines.
Governments in other countries have also taken steps to embark on the issue of identity fraud, including Canada, Australia and New Zealand, who issued guidelines for dealing with privacy breach notification in 2007-2008.47 Unlike legislation, guidelines may not have penalties associated with them, but they are a step toward creating accountability for data breaches that occur. Meanwhile, Australia is considering the recommendations by the Australian Law Reform Commission, in its review of the Privacy Act, to make data breach notification mandatory.48
In the United Kingdom, only government organizations are currently required to report all data breaches to the Information Commissioner's Office (ICO) as part of the Data Protection Act, and there are no plans to implement breach notification laws.49 Following the examples in the United States, recommendations have been made to the European Union by the European Network and Information Security Agency and the European Data Protection Supervisor to establish data breach notification laws.50 Currently, the European Parliament states that organizations should report the breach but are not required to do so by law.51 However, discussions are at the moment underway in Brussels, as part of the review of the European Telecommunications Regulation Framework, on the possible introduction of a data breach notification law into the Privacy and Electronic Communications Directive for the European telecommunications sector.
42 h://www.vacghs.og/a/dhfsuvs.h#Jav2007
43 All figures are in U.S. dollars unless otherwise noted.
44 h://www.coos.co/dowload/poo_COB_2008_US_090201.df
45 h://www.fsa.gov.uk/ags/Lba/Coucao/pr/2007/021.shl
46 h://www.csl.og/ogas/ls/c/v/bachlaws.h
47 h://www.vco.gc.ca/foao/gud/2007/gl_070801_01_.as, h://www.vac.gov.au/ublcaos/bach_gud.hl, and h://www.vac.og.z/h-vac-ac-ad-cods/
48 h://www.dc.gov.au/vac/alc.cf and h://www.alc.gov.au/da/2008/11108.hl
49 h://www.jusc.gov.uk/docs/sos-daa-shag-vw.df, Recommendation 11
50 h://www.sa.uoa.u/doc/df/dlvabls/sa_vac_wg_o.df and h://www.ds.uoa.u/eDpSWeB/wbdav/s/S/shad/Docus/Cosulao/Oos/2008/08-04-10_-vac_en.df
51 h://www.uoal.uoa.u/sds/gDoc.do?ubrf=-//ep//teXt+tA+p6-tA-2008-0452+0+DOC+XmL+V0//en&laguag=en
There are other notable initiatives that exist in the United States for the safeguarding of personal information. They include the Red Flags Rules as part of the Fair and Accurate Credit Transactions (FACT) Act of 2003, which requires all financial institutions and creditors to develop identity theft prevention programs,52 and the Payment Card Industry Data Security Standards (PCI DSS), which lists a set of requirements for enhancing payment account data security such as network requirements, coassso requirements, security assessments to pinpoint security vulnerabilities, and managing security policies.53 The updated version will include incorporating best practices and improving reporting requirements.54 The added consideration of punitive costs may influence organizations to develop more robust security strategies, which may help reduce the number of breaches overall.
Data breaches that could lead to identity theft by sector
Using publicly available data, Symantec has determined the sectors that were most often affected by these breaches, as well as the most common causes of data loss.55 This discussion will also explore the severity of the breach by measuring the total number of identities exposed to attackers, using the same publicly available data. An identity is considered to be exposed if personal or financial data related to the identities is made available through the data breach.56
It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others. For instance, government organizations are more likely to report data breaches, either due to regulatory obligations or in conjunction with publicly accessible audits and performance reports.57 Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.
In 2008, the education sector represented the highest number of known data breaches that could lead to identity theft, accounting for 27 percent of the total (figure 3). This is a slight increase from 2007, when the education sector also ranked first with 26 percent of the total.
52 h://www.fc.gov/bc/du/ubs/busss/als/al050.sh
53 hs://www.cscusadads.og/scu_sadads/c_dss.shl
54 hs://www.cscusadads.og/dfs/08-18-08_2.df
55 Open Security Foundation (OSF) Dataloss DB, see h://daalossdb.og
56 An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach.
57 Cf. h://ww w.vacghs.og/fs/fs6a-faca.h and h://www.cs.hhs.gov/HalhplasGifo/12_HipAA.as
[Figure 3 chart: two panels, data breaches and identities exposed, by sector; sectors shown: health care, education, government, financial, retail/wholesale, arts/media, manufacturing, telecom, business consulting, insurance, biotech/pharmaceutical, utilities/energy, other]
Figure 3. Data breaches that could lead to identity theft by sector and identities exposed by sector 58
Source: Based on data provided by OSF DataLoss DB
Educational institutions store a large amount of personal information on students, faculty, and staff that could be used for the purposes of identity theft, including government-issued identification numbers, names, and addresses. Finance departments in these institutions also store bank account information for payroll and may also hold credit card information for people who use this method to pay for tuition and fees. These institutions, particularly large universities, often consist of many autonomous departments within which sensitive personal identification information may be stored in separate locations and be accessible to many people. This may increase the opportunities for attackers to gain unauthorized access to this data since it may be more difficult to standardize the security, educate everyone with access to the data on the policies, and control access to these dispersed databases.
58 Due to rounding, percentages might not equal 100 percent.
Despite the high number of data breaches that occurred in the education sector during 2008, it only accounted for 4 percent of all identities exposed during the period and ranked seventh (figure 1). This may be because the educational institutions have relatively smaller databases than those of financial or government institutions and, hence, fewer identities would be exposed in a data breach. One of the largest universities in the United States accounted for less than 80,000 students and employees, while financial and government institutions may store information on millions of people.59
Also, one-third of the data breaches in the education sector in this period were caused by the theft or loss of computers or data-storage devices. As such, data breaches that occurred in the education sector in this reporting period were not as likely to result in wide-scale identity theft because they resulted in the exposure of fewer identities. These types of breaches only expose the limited amount of data that is stored on the devices.
In 2008, the government sector ranked second and accounted for 20 percent of data breaches that could lead to identity theft. This is a decrease from the previous year, when the government sector represented 23 percent of the total, though still ranking second. This trend is reinforced by the annual Federal Computer Security report card, where the number of government agencies with a failing grade decreased by almost half.60 The health care sector ranked third in 2008, accounting for 15 percent of data breaches that could lead to identity theft. It also ranked third in 2007, accounting for 14 percent.
Government and health care organizations, like educational institutions, store large amounts of information that could be used for identity theft. Similar to the education sector, these organizations often consist of numerous autonomous departments that store sensitive personal information in separate locations that are accessible to numerous people. As a consequence, these organizations face the same security and control issues as educational institutions. Furthermore, health care organizations store sensitive medical information in addition to personal information, which could result in even more damaging breaches of privacy.
The government sector ranked third for identities exposed during 2008, accounting for 17 percent of the total, while the health care sector ranked sixth, accounting for 5 percent of the total. As with the education sector, data breaches within the health care sector resulted in a relatively low number of identities exposed.
59 h://www.osu.du/osuoda/sufo.h
60 h://ublcas.ovsgh.hous.gov/da/pDFs/ros/Fy2007FiSmAroCad.df
Data breaches that could lead to identity theft, by cause
In 2008, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium.61 Theft or loss made up 48 percent of all data breaches in 2008, a decrease from the previous reporting period, when it accounted for 52 percent of all reported breaches (figure 4).
[Figure 4 chart: data breaches and identities exposed, by cause; labels recovered from the chart: Insider 4%, Unknown]
To protect against data theft or loss, organizations should restrict the use of outside personal storage devices within the network, monitor the usage of such hardware within the enterprise, and educate employees on proper usage. Organizations should also include reviews and audits of electronic documents used by employees upon leaving the company. In a recent study, 59 percent of employees admitted to taking company information, such as email addresses, contact information of customers, employee records, and financial records, when leaving their organization.64 Of these former employees, 79 percent took the information without permission from the company. In 92 percent of the instances, the information was taken on disk, while 73 percent was on removable drives. It is worth noting that only 15 percent of the companies polled had conducted a review or audit of electronic documents taken by employees. Also, sensitive data should be strongly encrypted on any laptop or storage device that may be used outside of the enterprise.
The second most common cause of data breaches that could lead to identity theft during 2008 was insecure policy, which represented 21 percent of all incidents. A data breach is considered to be caused by insecure policy if it can be attributed to a failure to develop, implement, and/or comply with adequate security policy. In 2007, insecure policy also ranked second, accounting for 28 percent of such data breaches. This decrease in the number of data breaches may be due to organizations becoming more diligent and introducing stronger security policies, such as limiting access to sensitive information to required personnel and the documentation of document transfers. Insecure policy accounted for only 8 percent of exposed identities in 2008 and, thus, each breach exposed only a relatively small number of identities. Although breaches caused by insecure policy in 2008 were not likely to result in wide-scale identity theft, the breaches still exposed approximately 6.5 million identities.65
In 2008, hacking was the third leading cause of data breaches that could lead to identity theft, accounting for 17 percent of the total. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers external to an organization gaining unauthorized access to computers or networks. Hacking also ranked third in 2007, accounting for 14 percent of breaches that could facilitate identity theft. Hacking is more purpose-driven than insecure policy, theft, or loss: in 2008, over half of the breaches that exposed credit card information were due to hacking. Attackers can take advantage of site-specific and Web-application vulnerabilities to gain access to networks and steal personal information. For this discussion, Symantec considers hacking to be an intentional act with a defined purpose to steal data that can be used for purposes of identity theft or other fraud.
Hacking ranked second for identities exposed in 2008, with 22 percent; this is a large decrease from 2007, when hacking accounted for 62 percent of total identities exposed. The contributing factor for its high ranking in 2007 was a significant data breach in which data on over 94 million credit cards was stolen by attackers hacking into a company's database through unencrypted wireless transmissions and installing programs to capture credit card information.66 It is estimated that between $63 million and $83 million in credit card fraud across 13 countries can be attributed to this single data breach.67
In 2008, two breaches contributed significantly to the high ranking of hacking in this metric: in the first, confidential information on six million Chileans was illegally obtained from government databases by a hacker who publicly posted the information afterward; in the second, credit card information for 4.2 million customers was stolen from a U.S.-based grocery chain by hackers monitoring the credit
64 h://www.sac.co/abou/ws/las/acl.js?d=20090223_01
65 h://daalossdb.og
66 h://www.sbc.s.co/d/21454847/
67 h://www.scufocus.co/ws/11493
authorization process.68 Because of the motivation of attackers who use hacking to steal personal financial information, the impact of data breaches due to hacking may be severe, because they are likely to result in large-scale fraud and higher financial cost to affected organizations, credit card issuers, and consumers.
Even though they continue to be one of the most challenging issues faced by organizations, data breaches that could lead to identity theft are mostly preventable. For any department that manages or requires access to sensitive information, organizations should develop strong security policies, such as strongly encrypting all data, ensuring there are controls in place that restrict access to such information to required personnel, and providing education and resources for all employees on proper security procedures. Network administrators should be closely monitoring network traffic and tracking all activity to ensure that there is no illegal access to databases, as well as testing security processes and systems regularly to ensure their integrity. Organizations should include these steps as part of a broad security policy, and ensure that any security policy is implemented and enforced to protect all sensitive data from unauthorized access.
Bot-infected computers
Bots are programs that are covertly installed on a user's machine in order to allow an attacker to remotely control the targeted system through a communication channel, such as Internet relay chat (IRC), peer-to-peer (P2P), or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.
Bots allow for a wide range of functionality and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization's website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information from compromised computers that may be used in identity theft, all of which can have serious financial and legal consequences. Bots are also inexpensive and relatively easy to propagate. In 2008, Symantec observed underground economy advertisements for as little as $0.04 per bot. This is much cheaper than in 2007, when $1 was the cheapest price advertised for bots. Bot-infected computers with a decentralized bot C&C model are favored by attackers because they are difficult to disable and, more importantly, can be lucrative for their controllers. In one example, a bot owner arrested in New Zealand admitted to earning $21,500 over a two-year span for his activities.69
A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. In 2008, Symantec observed an average of 75,158 active bot-infected computers per day (figure 5), a 31 percent increase from 2007. Symantec also observed 9,437,536 distinct bot-infected computers during this period, a 1 percent increase from 2007.
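As an added example that is not part of the Symantec report, the two definitions above (a computer is active on a day if it attacks at least once that day; a distinct computer is one active at least once in the period) applied to constructed attack telemetry, together with the 4-period moving average that figure 5 plots. The event format, host ids and function names are assumptions made for this example.

```python
# Added example, not from the Symantec report: the report's two bot metrics
# (active bot-infected computers per day, distinct bot-infected computers)
# computed from constructed attack telemetry, plus the 4-period moving average
# that figure 5 plots. Event format, host ids and function names are assumptions.
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry: (day of attack, attacking host id, signature).
# "h1" attacks twice on Jan 1 but counts once for that day; it is active again
# on Jan 3, so it is one distinct bot that was active on two different days.
SAMPLE_START = date(2008, 1, 1)
SAMPLE_END = date(2008, 1, 4)
SAMPLE_EVENTS: List[Tuple[date, str, str]] = [
    (date(2008, 1, 1), "h1", "dos"),
    (date(2008, 1, 1), "h1", "dos"),
    (date(2008, 1, 1), "h2", "smtp"),
    (date(2008, 1, 2), "h2", "smtp"),
    (date(2008, 1, 2), "h3", "web"),
    (date(2008, 1, 3), "h1", "dos"),
    (date(2008, 1, 4), "h2", "smtp"),
    (date(2008, 1, 4), "h3", "web"),
    (date(2008, 1, 4), "h4", "dos"),
]


def active_per_day(events, start, end) -> Dict[date, int]:
    """Distinct hosts with at least one attack on each day of [start, end].

    A host is 'active' on a day if it attacked at least once that day, so
    repeated attacks by one host on one day are collapsed with a set. Days
    without telemetry are kept as zero so the series has no gaps.
    """
    hosts_by_day: Dict[date, Set[str]] = defaultdict(set)
    for day, host, _signature in events:
        if start <= day <= end:
            hosts_by_day[day].add(host)
    series: Dict[date, int] = {}
    day = start
    while day <= end:
        series[day] = len(hosts_by_day.get(day, set()))
        day += timedelta(days=1)
    return series


def distinct_bots(events, start, end) -> int:
    """Hosts active at least once anywhere in the period."""
    return len({host for day, host, _ in events if start <= day <= end})


def moving_average(series: Dict[date, int], periods: int = 4) -> List[float]:
    """Trailing moving average in date order; the first points average over
    however many days are available so far, so the plotted line has no gap."""
    values = [series[d] for d in sorted(series)]
    averaged: List[float] = []
    for i in range(len(values)):
        window = values[max(0, i - periods + 1):i + 1]
        averaged.append(sum(window) / len(window))
    return averaged


def period_summary(events, start, end) -> Dict[str, float]:
    """Both figures the report quotes for a period: the average number of
    active bot-infected computers per day and the distinct count."""
    daily = active_per_day(events, start, end)
    return {
        "average_daily_active": sum(daily.values()) / len(daily),
        "distinct": distinct_bots(events, start, end),
    }


if __name__ == "__main__":
    daily = active_per_day(SAMPLE_EVENTS, SAMPLE_START, SAMPLE_END)
    for d, n in daily.items():
        print(d, "active bots:", n)
    print("4-period moving average:", moving_average(daily))
    print(period_summary(SAMPLE_EVENTS, SAMPLE_START, SAMPLE_END))
```

On the sample, the daily series is 2, 2, 1, 3 while the distinct count is 4, which illustrates why the two metrics in the text can move by very different percentages.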
68 Cf. h://ws.bbc.co.uk/1/h/wold/acas/7395295.s or h://www.sbc.s.co/d/23678909/
69 h://www.wold.co/scu/58670/bo-as-ss-hslf-x-bll-gas
[Figure 5 chart: active bot-infected computers by day, Jan 3, 2007 to Dec 31, 2008; x-axis: date; y-axis: active bot-infected computers, 0 to 120,000; series: median daily active bots, 4 per. moving average]
Figure 5. Active bot-infected computers, by day
Source: Symantec
The decrease in active bot-infected computers at the beginning of 2008 may be due to the reduction in size of the botnet associated with the Peacomm Trojan.70 The number of bot-infected computers in the botnet was reduced to 5 percent of its previous estimated size, from 2 million bot-infected computers to 100,000.71 In addition, as stated in Malicious activity by country, the shutdown of two U.S.-based hosting companies responsible for hosting bot C&C servers for a number of major botnets likely contributed to the decrease in active bot-infected computers in September and November 2008. After the shutdown in September, major botnets, including Srizbi and Pandex,72 were able to find alternate hosting, which resulted in an increase in bot-infected computers back to pre-shutdown levels. However, the shutdown in November severely crippled Srizbi and Ozdok, and as a consequence, competing botnets, including Pandex, were able to fill the void.73
Although the number of active bot-infected computers decreased at the end of the year, it is assumed that botnet owners will seek out new hosts to get their botnets back online, and it is expected that bot numbers will rise again in 2009.74 One result of all the activity in 2008 is that it shows that botnets can be crippled by identifying and shutting down the bot C&C server hosts, but that this strategy is difficult to implement given the various global hosting options that botnet controllers have at their disposal.
70 Also known as the Storm botnet.
71 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 32
72 h://www.sac.co/scu_sos/wu.js?docd=2007-042001-1448-99
73 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 25, 26
74 h://val.sac.co/kgfo/s/oh_soucs/b-sa_of_sa_o_12-2008.-us.df
Bot command-and-control servers
Symantec tracks the number of bot C&C servers globally because these are what botnet owners use to relay commands to bot-infected computers on their networks. For the first time, in this volume of the Symantec Government Internet Security Threat Report, bot C&C servers controlled over HTTP are included in this analysis alongside IRC bot C&C servers.75 This change in measure was made due to the trend of botnet owners shifting away from traditional IRC bot C&C communication frameworks and toward managing their botnets through HTTP bot C&C servers. In 2008, Symantec identified 15,197 distinct new bot C&C servers (figure 6), of which 43 percent were over IRC channels and 57 percent over HTTP.
IRC 43%
HTTP 57%
Figure 6. Bot command-and-control servers, by type
Source: Symantec
Botnet owners are moving away from traditional IRC-based bots since they are easier to detect, track, filter, and block than bots based on HTTP traffic. HTTP communications can be used to disguise bot traffic among other Web traffic in order to make it difficult to distinguish malicious traffic from legitimate HTTP traffic. (Most HTTP bot transmissions are encrypted to avoid detection.) To filter the traffic, organizations would have to inspect the encrypted HTTP traffic and identify and remove bot-related traffic while still allowing legitimate traffic to pass through. Because of this, it is very difficult to monitor and disable a bot C&C structure. It is also unreasonable to block HTTP traffic since organizations depend on legitimate HTTP traffic to conduct day-to-day business. Botnet owners have also been switching away from using P2P for bot C&C server communications because such traffic is more easily detected due to the ports it uses in transmission. Moreover, many enterprises and other organizations also block P2P ports to prevent such high-bandwidth traffic from entering their networks.
75 Not included in this measure are bot C&C servers over P2P protocols; also, as this is the first report in which HTTP bot C&C servers are included in this analysis, 2007 comparisons are unavailable.
Symantec also observed an average of 42 new active bot C&C servers per day in 2008, of which 18 were IRC-based and 24 were HTTP (figure 7). The three largest botnets identified by Symantec in 2008, Srizbi, Rustock, and Pandex, are all HTTP-based.
[Figure 7 chart: new bot command-and-control servers by day, Jan 2, 2008 to Dec 31, 2008; x-axis: date; y-axis: bot command-and-control servers, 0 to 60; series: HTTP, IRC, 3 per. moving average (HTTP), 3 per. moving average (IRC)]
Figure 7. Bot command-and-control servers, by day
Source: Symantec
The drop in new and active HTTP bot C&C servers in February 2008 is likely due to bot C&C servers for a major HTTP-based botnet, Ozdok, going offline for 10 days during that month.76 Also, the significant reductions that occurred in September and November 2008 are likely due to the shutdown of two U.S.-based ISPs, as was noted previously in this discussion. The September shutdown resulted in a dramatic decrease in activity associated with the Srizbi and Pandex botnets.77 As noted, it is assumed that these botnets found alternate hosting, which would explain the subsequent rise in activity.
The second shutdown in November resulted in a 30 percent decrease in overall botnet traffic and is thought to have severely weakened two of the largest botnets, Srizbi and Rustock.78 The significant drop in new and active HTTP bot C&C servers in November 2008 may be because one of these ISPs was allegedly hosting a large number of bot C&C servers for Srizbi and Rustock, and bots were hard-coded to connect to these servers.79 It was estimated that the Srizbi botnet had 300,000 bots prior to the shutdown80 and the Rustock botnet had included over 150,000 bots.81
76 h://www.scagazus.co/trACe-Sx-bos-ga-85-c-of-sa/acl/107603/
77 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 25
78 h://www.ssaglabs.co/lo/mLiro_Aual_2008_FinAL.df : p. 26
79 h://val.sac.co/kgfo/s/oh_soucs/b-sa_of_sa_o_12-2008.-us.df
80 h://kowldgxchag.chag.co/scu-bs/szb-bo-s-h-bggs-bu-dos-sz-a/
81 h://www.scagazus.co/th-rusock-bo-sas-aga/acl/112940/
Top Web-based attacks
The widespread deployment of Web applications along with the ubiquity of easy-to-exploit Web application security vulnerabilities have resulted in the prevalence of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to those computers. Instead, they are now focused on attacking and compromising websites in order to mount additional, client-side attacks.
These attack types can be found globally, and Symantec identifies each by an associated distinct detection signature. Most attack types target specific vulnerabilities or weaknesses in Web browsers or other client-side applications that process content originating from the Web. This metric will assess the top distinct Web-based attacks originating from compromised legitimate sites and malicious sites that have been created to intentionally target Web users.
The attacks discussed can involve social engineering to entice a victim to view a malicious website, but most attacks exploit trusted high-traffic websites. When the user visits a compromised website, a number of attack methods may be used. Malicious content from the website can directly exploit a vulnerability in the browser, a browser plug-in, or a desktop application. An attack such as this may require nothing more than the user visiting the site from which the attack originates. In the case of a drive-by download, the attack will occur without any action required from the user.82
Attackers also use malicious websites for compromises, such as misleading the user to directly authorize a specific technology that then downloads malicious code, or prompting the user to click on a pop-up or banner ad. Attackers can also redirect all traffic from a legitimate website to a malicious website from which the user's computer will then be attacked. In all of these types of Web-based attacks, the user is unaware of the compromise. Once an attacker has compromised a website and injected malicious content, he or she can passively attack visitors of the compromised site. This type of attack is very efficient for attackers because they only have to compromise one Web page in order to affect multiple users. When a user visits a compromised Web page, the attack is carried out through the user's browser. The attack will either target vulnerabilities in the browser itself or will target third-party applications that are activated by the browser.
All Web-based attack traffic goes through the HTTP or HTTPS protocols. The benefit of this for attackers is that it is unreasonable to block these protocols because legitimate organizations depend on them for their day-to-day business. In addition, filtering a large volume of HTTP traffic would significantly slow throughput traffic. HTTP traffic is also difficult to filter with intrusion detection/intrusion prevention systems (IDS/IPS) because it is difficult to distinguish malicious traffic from legitimate traffic, and HTTP traffic can be encrypted, thus enabling attackers to be obfuscated within legitimate traffic.
Attackers are not only employing manual methods to exploit these issues, but they are also using automated tools, such as Neosploit,83 to exploit client-side vulnerabilities on a massive scale. Such toolkits are widely available and packaged so that people with minimal technical knowledge are able to use them effectively.
82 A drive-by download is a download that occurs without a user's prior knowledge or authorization and does not require user action. Typically this is an executable file.
83 h://www.couwold.co/aco/acl.do?coad=vwAclBasc&axoona=Scu&aclid=9115599&axooid=17&agnub=1
Another attraction of the Web for exploitation is the profusion of dynamic sites that use Web-based applications, such as forums, photo-sharing galleries, blogs, and online shopping applications. Dynamic sites are targets for attackers using bot-infected computers to propagate and host malicious content, since Web application and site-specific vulnerabilities can put these types of sites at risk. Attackers are also especially attracted to large, popular websites with trusted reputations. This is not only because a successful compromise can reach a greater number of people (who tend to have a higher trust for legitimate websites and are thus more susceptible to attack), but, as noted, it may be difficult to block attacks on these sites using security tools without disrupting legitimate traffic.
These developments and trends indicate that Web-based threats have not only become widespread, but that they also have increased in sophistication and severity. In particular, Symantec has noticed that botnets (such as Asprox,84 which was initially used for phishing scams) are being designed to specifically exploit cross-site scripting vulnerabilities and inject malicious code onto compromised websites.85
Many Web-based attacks exploit vulnerabilities that are considered medium severity. This means that they can compromise the account of the currently logged in user because the user does not require administrative privileges to run the affected applications. While the danger of client-side vulnerabilities may be limited by best practices, such as restricting Web applications to the administrative level, this is often unreasonable given how integral Web applications are to the delivery of content for many businesses. Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful malicious attacks on single clients, as well as at the enterprise level.
In 2008, the top Web-based attack was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness,86 which accounted for 29 percent of the total globally (table 4). The weakness allows attackers to install malicious files on a vulnerable computer when a user visits a website hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer security settings to allow the attacker to execute malicious files installed by the initial security weakness. This issue was published on August 23, 2003, and fixes have been available since July 2, 2004. Since this was the top Web-based attack in 2008, this may indicate that many computers running Internet Explorer have not been patched or updated and are running with this exposed vulnerability.
Rank  Web-based attack                                                               Percentage
1     Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness     30%
2     Acrobat PDF Suspicious File Download                                           11%
3     ANI File Header Size Buffer Overflow                                           7%
4     Adobe SWF Remote Code Executable                                               7%
5     Microsoft Internet Explorer DHTML CreateControlRange Code Executable           6%
6     SnapShot Viewer ActiveX File Download                                          5%
7     Microsoft Internet Explorer XML Core Services XMLHTTP Buffer Overload          4%
8     Quicktime RTSP URI Buffer Overload                                             3%
9     AOL SuperBuddy ActiveX Code Executable                                         3%
10    Microsoft Internet Explorer WebViewFolderIcon ActiveX Control Buffer Overflow  2%
Table 4. Top Web-based attacks
Source: Symantec
84 http://www.symantec.com/security_response/writeup.jsp?docid=2007-060812-4603-99
85 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 33
86 Cf. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031 or http://www.securityfocus.com/bid/10514
A large number of exploits and malicious applications are tied to this vulnerability as a common way of compromising computers, and with other known vulnerabilities. Therefore, the amount of attack activity is related to the cumulative number of exploits, attack toolkits, and worms targeting this vulnerability as one possible means of compromising computers. It is also likely that the large market share of Microsoft Internet Explorer plays a role in the popularity of this attack.87 While the vulnerability was patched in 2004, there are likely still enough unpatched computers that are affected by this vulnerability for attackers to benefit.

The second most common Web-based attack in 2008 was related to malicious Adobe Acrobat PDF activity,88 which accounted for 11 percent of Web-based attacks. Specifically, attempts to download suspicious PDF documents were observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to any specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it, such as Adobe Acrobat Reader. A successful attack could ultimately result in the compromise of the integrity and security of an affected computer. This attack is assumed to be popular due to the common use and distribution of PDF documents on the Web. Also, browsers can be set up to automatically render a PDF document by default. Specific exploit activity related to malicious PDF files was observed in 2008.89

In 2008, the third most common Web-based attack exploited the Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability,90 accounting for 7 percent of Web-based attacks in 2008. The ANI (animated cursor file) handler is a default component of the Microsoft Windows operating system and is used by a significant number of widely used Microsoft applications as well as the Windows shell. If successfully exploited, the vulnerability allows an attacker to execute arbitrary code embedded in a malformed ANI file originating from the Web or other sources. This vulnerability was published on January 11, 2005, and fixes have also been available since that time. Exploit code was publicly available the following day. As with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness, the prominence of this type of attack indicates that computers in the region are likely not being sufficiently patched and updated.

Vulnerabilities such as those discussed here continue to generate a large amount of observed attack activity because they can be reliably exploited. This makes these vulnerabilities candidates for automation. Despite the fact that fixes are available, as noted, it is likely that there are still enough unpatched systems in existence that these attacks continue to enjoy success. When attacks prove successful, they are often adopted by a large number of malicious code variants and attack toolkits. This can cumulatively create a large amount of observed attack activity. It is also likely that older malicious code variants continue to attempt to automatically exploit these vulnerabilities as a means of propagation.
87 http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0&qpmr=100&qpdt=1&qpct=3&qptimeframe=Y&qpsp=2008&qpnp=2
88 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23153
89 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/pdf-the-Word-for-exploits/ba-p/305564#A141
90 Cf. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21719 or http://www.securityfocus.com/bid/12233
Top countries of origin for Web-based attacks
This metric will assess the top countries of origin for Web-based attacks against users in 2008 by determining the location of computers from which the attacks occurred. Note that attackers, in order to hide their tracks, often redirect users through one or more servers that may be located virtually anywhere globally.

Once an attacker has compromised a legitimate website, users who visit the website will be attacked by several additional means. One way is through a drive-by download, which results in the installation of malicious code without the user's knowledge or consent. Another way is to redirect the user to another website that is used to host malicious code. Sites and servers hosting a variety of malicious exploits can be found worldwide. Multiple domains can be associated with one compromised site, which is used to exploit one or more security vulnerabilities affecting client browsers.

In 2008, computers from the United States were the leading source of Web-based attacks against users, accounting for 38 percent of the total (table 5). There are a number of factors that make the United States the top country of origin for Web-based attacks. This ranking may be due to the more than half a million websites that were compromised in May 2008 with malicious code that was hosted in Russia and the United States. Web forums hosted by PHP-based bulletin board applications were exploited to inject malicious JavaScript into forum content. These forums would then infect visitors with variants of the Zlob Trojan91 disguised as a video codec installer. The exploit changes browser and DNS settings on the infected computer and enables additional attacks, including turning the infected computer into a zombie.92 This attack follows the trend of attackers inserting malicious code into legitimate high-traffic websites where users are likely to be more trusting of the content, rather than attempting to lure users to visit specially designed malicious sites.
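The two patterns described so far (script injected into legitimate forum pages that redirects visitors off-site, and the ADODB.Stream instantiation behind the top entry in table 4) can be checked for by a site owner or proxy operator on the defender side. The following is an added example, not code from the report or from Symantec: a small Python scanner, with a constructed sample page and made-up hostnames, that flags hidden off-site iframes, off-site script includes, and inline ADODB.Stream references in fetched HTML.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectedContentScanner(HTMLParser):
    """Collects (kind, detail) findings for markup that should not appear on a
    legitimate page: hidden off-site iframes, off-site scripts, ADODB.Stream use."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def _offsite(self, url):
        # Relative URLs carry no host and count as the site's own content.
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") in ("0", "1") or a.get("height") in ("0", "1"))
            if hidden and self._offsite(a.get("src", "")):
                self.findings.append(("hidden_offsite_iframe", a["src"]))
        elif tag == "script" and self._offsite(a.get("src", "")):
            self.findings.append(("offsite_script", a["src"]))

    def handle_data(self, data):
        # Script bodies are delivered here, so an inline ADODB.Stream reference
        # (the top Web-based attack in table 4) is caught wherever it sits.
        if re.search(r"ADODB\.Stream", data, re.IGNORECASE):
            self.findings.append(("adodb_stream", data.strip()[:60]))

def scan_page(html, site_host):
    """Return the list of findings for one fetched page belonging to site_host."""
    scanner = InjectedContentScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample (hypothetical hosts): a forum page with the site's own
# script plus two injected elements of the kind the report describes.
SAMPLE_PAGE = """<html><body><h1>Community forum</h1>
<script src="/js/forum.js"></script>
<iframe src="http://attacker-host.example/in.cgi" width="0" height="0"></iframe>
<script>var s = new ActiveXObject("ADODB.Stream");</script>
</body></html>"""
```

Running scan_page(SAMPLE_PAGE, "forum.example.org") reports the hidden off-site iframe and the ADODB.Stream script but not the site's own /js/forum.js include; in practice the same check would be applied to every page served from a site that is suspected of having been compromised.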
Rank  Country         Percentage
1     United States   38%
2     China           13%
3     Ukraine         12%
4     Netherlands     8%
5     Russia          5%
6     United Kingdom  5%
7     Canada          3%
8     Japan           2%
9     Latvia          1%
10    France          1%
Table 5. Top countries of origin for Web-based attacks
Source: Symantec
91 http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99
92 http://www.channelregister.co.uk/2008/05/13/zlob_trojan_forum_compromise_attack/
In 2008, China ranked as the second country of origin for Web-based attacks, with 13 percent of the worldwide total. The primary reason for the high rank of China in 2008 is due to compromised websites relating to the 2008 Beijing Olympic Games. The games were one of the largest events of 2008 and attackers exploited the popularity of the event in their attempts to lure and compromise users, as has been seen previously with other major sporting and media events.93 One example is the Rustock bot, which sent out emails with links to news stories about the games. Users were prompted to click a link in the email and visit a site, which then prompted them to download a missing codec in order to launch a video. Clicking to obtain the codec actually resulted in the installation of a Trojan.

Attackers may have also used social engineering to lure users to compromised websites under the guise of being associated with the 2008 Beijing Olympic Games, as attacks against Chinese-language websites increased significantly during the games.94 The extent of these attacks was mitigated, however, by attempts to increase online security for users ahead of the Games by shutting down or blacklisting thousands of websites potentially most susceptible to fraud, which are popular targets of attack for Web application and site-specific vulnerabilities. Also, thousands of websites in China were compromised when certain Web applications were infected with malicious JavaScript that was implanted through the use of SQL-injection attacks.95 Visitors to these compromised sites had their computers attacked and, if the attacks were successful, Trojans were downloaded onto the computers.96

Ukraine ranked third in 2008 for top country of origin for Web-based attacks, accounting for 12 percent of such attacks worldwide. The prominence of Ukraine in this metric is likely due to the compromise of the website of a U.S.-based electronic bill payment processing company.97 The attackers were able to obtain account credentials to the company's domain using a phishing attack, and were then able to gain access to the company's website. Customers, thinking they were visiting the legitimate website, were redirected to a malicious website hosted on servers in Ukraine where they were attacked with a Trojan.98 In addition to the compromise of the bill payment company's website, there were at least 71 domains that were redirected to the malicious Ukrainian server during this time.99

Of note, six of the top 10 countries for Web-based attacks in the Europe, Middle East, and Africa (EMEA) region were also in the top 10 countries of origin for Web-based attacks globally, and countries in the EMEA region accounted for 41 percent of the worldwide total, more than any other region. Exploit packs may be one of the reasons behind the prominence of the EMEA region in this measure. Many exploit packs, including MPack,100 IcePack,101 and Neosploit,102 originated in Russia and it is likely that the Russians who developed these attack kits are responsible for much of their continued propagation. These attackers could possibly be compromising websites around the world and redirecting visitors to computers in EMEA that host the exploit code being used to target client-side vulnerabilities in Web browsers.
93 http://news.bbc.co.uk/1/hi/technology/7548870.stm
94 http://www.networkworld.com/newsletters/gwm/2008/090808msg1.html
95 http://www.h-online.com/security/Chinese-websites-under-mass-attack--/news/110764
96 Ibid.
97 http://www.networkworld.com/news/2008/120508-network-solutions-phishing-came-before.html
98 http://www.csoonline.com/article/474365/CheckFree_Warns_Million_Customers_After_Hack
99 h://blog.kvuka.fo/2008/12/dggg-d-o-chckf-aack.hl
100 https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/93#M93
101 https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/grab_bag/article-id/81
102 http://blogs.zdnet.com/security/?p=1593
Also contributing to the prominence of the EMEA region in this period were a number of high-profile Web-based attacks that occurred there. One example was in January 2008, when the embassy website of the Netherlands in Russia was compromised and visitors to the site were misled into installing malicious code.103 Another example occurred in August 2008 when several hundred domains in the Netherlands were compromised and defaced.104 A third case was when more than a thousand UK websites were compromised and users visiting these sites risked being infected with the Asprox Trojan.105 The success of these attacks on government sites can be attributed, in part, to the inherent trust that visitors to such sites will have, making these visitors more liable to accept prompts or download files if requested.

Web-based attacks are a major threat to computer networks for both enterprises and end users. Attacks such as drive-by downloads are covert and very difficult to mitigate because most users are unaware that they are being attacked. Organizations are thus confronted with the complicated task of having to detect and filter attack traffic from legitimate traffic. Since many organizations rely on Web-based tools and applications to conduct business, it is likely that the Web will continue to be the primary conduit for attack activity favored by malicious code developers.
Threat activity: protection and mitigation
There are a number of measures that enterprises, administrators, and end users can employ to protect against malicious activity. Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. Organizations should employ defense-in-depth strategies, including the deployment of antivirus software and a firewall.106 Administrators should update antivirus definitions regularly and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. As compromised computers can be a threat to other systems, Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity.

Symantec recommends that organizations perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place. Organizations should also filter out potentially malicious email attachments to reduce exposure to enterprises and end users. In addition, egress filtering is one of the best ways to mitigate a DoS attack. DoS victims frequently need to engage their upstream ISP to help filter the traffic to mitigate the effects of attacks.

Symantec also advises that users never view, open, or execute any email attachment unless the attachment is expected and comes from a known and trusted source, and unless the purpose of the attachment is known. By creating and enforcing policies that identify and restrict applications that can access the network, organizations can minimize the effect of malicious activity, and hence, minimize the effect on day-to-day operations. Also, administrators should limit privileges on systems for users that do not require such access and they should also restrict unauthorized devices, such as external portable hard-drives and other removable media.
103 http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/
104 http://blogs.zdnet.com/security/?p=1788
105 http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece
106 Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.
To reduce the likelihood of identity theft, organizations that store personal information should take the necessary steps to protect data transmitted over the Internet or stored on their computers. This should include the development, implementation, and enforcement of a security policy requiring that all sensitive data is encrypted. Organizations should implement a data loss protection (DLP) solution that not only prevents data breaches, but also mitigates potential data leaks from within an organization. Access to sensitive information should be restricted and organizations should also enforce compliance to information storage and transmission standards such as the PCI standard.107 Policies that ensure that computers containing sensitive information are kept in secure locations and are accessed only by authorized individuals should be put in place and enforced. Sensitive data should not be stored on mobile devices that could be easily misplaced or stolen. This step should be part of a broader security policy that organizations should develop and implement in order to ensure that any sensitive data is protected from unauthorized access. This would ensure that even if the computer or medium on which the data were stored were lost or stolen, the data would not be accessible.
107 https://www.pcisecuritystandards.org/
Malicious Code Trends
Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Underpinning these products are the Symantec Digital Immune System and Symantec Scan and Deliver technologies, as well as Norton Community Watch, which allow customers to automate the process of reporting viruses and other malicious code threats.

This section of the Symantec Government Internet Security Threat Report will discuss the following malicious code trends for 2008:
New malicious code threats
Geolocation by type of malicious code
Threats to confidential information
Propagation mechanisms
Malicious code: prevention and mitigation
New malicious code threats
Symantec monitors the proliferation of malicious code by examining the number of new malicious code signatures created to detect threats from period to period. Comparing new signatures against signatures created previously indicates how quickly new malicious code threats are being developed. Periods in which a significant number of new malicious code threats are created indicate how critical it is for both enterprises and home users to maintain updated antivirus signatures, and to implement and maintain robust security measures such as software patches.

In 2008, Symantec created 1,656,227 new malicious code signatures (figure 8). This is a 265 percent increase over 2007, when 624,267 new malicious code signatures were added. Although the percentage increase in signatures added is less than the fairly staggering 445 percent increase from 2006 to 2007, the overall number of malicious code signatures by the end of 2008 grew to 2,674,171. This means that of all the malicious code signatures created by Symantec, more than 60 percent of that total was created in 2008. Furthermore, Symantec blocked an average of more than 245 million attempted malicious code attacks worldwide each month in 2008.
Figure 8. New malicious code signatures (number of new threats per period)
Period  Number of new threats
2002    20,547
2003    18,827
2004    69,107
2005    113,025
2006    140,690
2007    624,267
2008    1,656,227
Source: Symantec
Previous volumes of the Symantec Global Internet Security Threat Report have discussed the increasing professionalization of malicious code development.108 The result is an increase in the speed and efficiency with which malicious code is brought to market, which would enable an increased number of threats to be developed. A driving force behind the growing speed and efficiency of these developments is the demand for goods and services that facilitate online fraud. This is exemplified by the flourishing profitability of confidential information sales, as was discu