Computer worm infections up, scareware antivirus down, Microsoft says

By Michael S. Mimoso, Editor, Information Security magazine
02 Nov 2009 | SearchSecurity.com

Microsoft today released its biannual Security Intelligence Report, which draws some surprising conclusions about the threat landscape affecting enterprise networks. For example, the number of rogue security software infections, a high-profile scourge earlier this year, was down, as was the number of Trojan and downloader infections. Computer worm infections, on the other hand, surged upward.

The report covers the first six months of 2009 and is based on data collected from more than 450 million computers running Microsoft's Malicious Software Removal Tool (MSRT), users of its cloud-based security services Forefront Online Protection for Exchange, antimalware visibility into Hotmail and Windows Messenger, as well as Web crawlers on its Bing search engine.

The rise in worm infections can partially be attributed to Conficker, which hit almost 5 million machines starting approximately a year ago and carried into early this year. Worm infections were up more than 98% from the last Security Intelligence Report. Jeff Williams, principal architect of Microsoft's Malware Protection Center, attributed the rise to the investment cybercriminals are making in finding new vulnerabilities to exploit beyond, for example, buffer overflows, which were the attack vector for many early worms.

"The resurgence illustrates that criminals are investing in finding vulnerabilities that are difficult to find and create malware for," Williams said. "They have a profit motive; they're spending time and investing in technical expertise and operating like a business. This is a change not only in tactic, but in focus."

Many instances of Conficker, for example, were spread via infected USB memory sticks; the autorun features in Windows XP and Vista would automatically execute the malware on infected sticks, which were often carried into a business from the outside. Those autorun capabilities have been muted in Windows 7, Williams said.

Williams added that he believes the decline in Trojan and downloader infections can be attributed to advances in creating generic antimalware signatures, not only for specific strains of malware but for entire malware families. However, the cat-and-mouse game continues, as hackers move away from Trojans toward other weapons.

"Criminals are more overt in their attacks," Williams said. "In regard to the decline in Trojans, think about it in terms of tactics. A Trojan is a foothold on a box. The industry is so much better responding not only to new threats but with generic signatures for threat families. If protection is in place before a threat exists, that raises the bar for the criminal."

Scareware numbers were also in decline; 13.4 million infections for this report, compared to 16.8 in the last. Scareware relies on social engineering to spread; users visiting a malicious or infected website would be presented with a pop-up claiming that the user's machine has been infected and that they should download protection from the pop-up. Williams conceded this is primarily a consumer problem. He said the decline in numbers can be attributed to a couple of fronts: legal action by the Federal Trade Commission to take down Innovative Marketing, a purveyor of the WinFixer family of scareware, and the deployment of the SmartScreen filter in Internet Explorer 8 which blocks phishing sites as well as attempts to install rogue malware.

"Users need to stay up to date on antimalware from a trusted party," Williams said. "The attackers' tactics may be getting more sophisticated, but fundamentally at the end of the day, you know that Microsoft.com is Microsoft.com. The same goes for any major security software ISV. They're going to have that trust and customers should understand they can go there for help rather than a pop-up that is randomly generated from the Web."
