Symantec detected more than three billion malware attacks from 286 million malware variants last year, according to the 2010 edition of its annual Internet Security Threat Report, published today. Web-based attacks were up 93 percent on 2009, and you were most likely to come across a malicious Web site if you were on the hunt for pornography; 49 percent of malicious sites found through Web searches were pornographic.

Overall, the report paints a grim picture of the Internet threat landscape. Software flaws are abundant. In 2010, 6,253 software vulnerabilities were reported, higher than in any previous edition of the report. 14 vulnerabilities were used in zero-day attacks, including four different Windows zero-days used in the Stuxnet attack.

Though data breaches are still relatively rare—457 in 2010 according to aggregator DataLossDB—they still put many at risk. About 61,000 identities were compromised on average, with breaches in the finance sector particularly big, at an average of over 235,000 identities per breach. Breaches as a result of hacks—rather than insiders, or theft or loss of hardware and media—tended to be substantial, averaging more than 262,000 identities per hack.

The bad guys also demonstrated a firm grasp of new technology. Social networking sites are a huge target, both due to their wide use and their enormous susceptibility to social engineering. In mass, untargeted attacks, the social networking sites give malicious links a veneer of integrity—if a friend of yours posts a link it's surely going to be safe, right? For spear-phishing and other targeted attacks, the social networks give valuable insight into individual habits and interests, not to mention the ability for hackers to strike up friendships with their would-be victims and to gain their trust that way.

Hand in hand with social networking sites like Twitter, we've also seen a boom in URL shortening services such as bit.ly. Hackers have been quick to exploit the way these mask the destination URL, making it much harder to know if a link is malicious until you actually click on it. Two-thirds of the attacks carried out on social networking sites used such masked, shortened URLs.

Smartphones are also beginning to attract malware. 2010 saw the discovery of the first Android trojan, and it looks like hackers regard Android as a ripe platform for attacks—last month more than 50 malicious programs were yanked from Android Market. More vulnerabilities are being found on mobile platforms, with 163 found last year, an increase of 41 percent. While these attacks are still small-scale compared to their PC-based counterparts, this is set to be a growth market. Smartphones are chock full of personal information and, thanks to premium rate phone and text numbers, offer an unparalleled ability to monetize malware.

Patching won't save you

2010 was also a big year for targeted attacks; Google came out as a victim of the Aurora attacks, and, of course, Stuxnet struck Iran. The targeted attacks were notable for their use of zero-day vulnerabilities—three different Internet Explorer zero-days were used in three separate targeted attacks, and Stuxnet used four Windows zero-days. Social engineering was also instrumental in these attacks.

The use of zero-days is significant because it means that even an organization with good practices (patching machines on a timely basis, using anti-malware software) is at risk; these old mechanisms do little to guard against this style of attack. Heuristic analysis and sandboxing techniques both have a role to play in detecting these problems, but work still needs to be done to make them easy to use, robust, and effective.

More than anything else, the report shows that the security situation really isn't improving; it's getting quite a bit worse. Social networking-based social engineering and zero-day targeted attacks put even conscientious, well-educated users at risk. Software vulnerabilities are abundant, and malware is rampant. That's good news for companies like Symantec—it ensures that they'll continue to see a large market for their security products. But it's bad news for everyone else.