Microsoft today released its biannual Security Intelligence Report, which draws some surprising conclusions about how the threat landscape is affecting enterprise networks. For example, the number of rogue security software infections, which were a high-profile scourge earlier this year, was down, as was the number of Trojan and downloader infections. Computer worm infections, on the other hand, surged upward.
The report covers the first six months of 2009 and is based on data collected from more than 450 million computers running Microsoft's Malicious Software Removal Tool (MSRT), users of its cloud-based security services Forefront Online Protection for Exchange, antimalware visibility into Hotmail and Windows Messenger, as well as Web crawlers on its Bing search engine.
The rise in worm infections can partially be attributed to Conficker, which hit almost 5 million machines starting approximately a year ago and carried into early this year. Worm infections were up more than 98% from the last Security Intelligence Report. Jeff Williams, principal architect of Microsoft's Malware Protection Center, attributed the rise to the investment cybercriminals are making in finding new vulnerabilities to exploit, beyond the buffer overflows that were the attack vector for many early worms.
"The resurgence illustrates that criminals are investing in finding vulnerabilities that are difficult to find and create malware for," Williams said. "They have a profit motive; they're spending time and investing in technical expertise and operating like a business. This is a change not only in tactic, but in focus."
Many instances of Conficker, for example, were spread via infected USB memory sticks; the autorun features of Windows XP and Vista would automatically execute the malware on an infected stick, which was often carried into a business from the outside. Those autorun capabilities have been muted in Windows 7, Williams said.
Williams added that he believes the decline in Trojan and downloader infections can be attributed to advances in creating generic antimalware signatures, not only for specific strains of malware but for entire malware families. However, the cat-and-mouse game continues, as attackers move away from Trojans toward other weapons.
"Criminals are more overt in their attacks," Williams said. "In regard to the decline in Trojans, think about it in terms of tactics. A Trojan is a foothold on a box. The industry is so much better at responding not only to new threats but with generic signatures for threat families. If protection is in place before a threat exists, that raises the bar for the criminal."
Scareware numbers were also in decline: 13.4 million infections for this report, compared to 16.8 million in the last. Scareware relies on social engineering to spread; users visiting a malicious or infected website are presented with a pop-up claiming that their machine has been infected and that they should download protection from the pop-up. Williams conceded this is primarily a consumer problem. He said the decline in numbers can be attributed to a couple of fronts: legal action by the Federal Trade Commission to take down Innovative Marketing, a purveyor of the WinFixer family of scareware, and the deployment of the SmartScreen filter in Internet Explorer 8, which blocks phishing sites as well as attempts to install rogue software.
"Users need to stay up to date on antimalware from a trusted party," Williams said. "The attackers' tactics may be getting more sophisticated, but fundamentally at the end of the day, you know that Microsoft.com is Microsoft.com. The same goes for any major security software ISV. They're going to have that trust and customers should understand they can go there for help rather than a pop-up that is randomly generated from the Web."