Risk
10/9/2012
12:39 PM
50%
50%

Windows 7 Malware Infection Rates Soar

Microsoft reports malware infections grow more prevalent on Windows 7 SP1 and Windows XP SP3 machines, while plummeting on Windows Vista SP2.

8 Key Differences Between Windows 8 And Windows RT
8 Key Differences Between Windows 8 And Windows RT
(click image for larger view and for slideshow)
The number of Windows 7 SP1 and Windows XP machines infected by malware is on the increase, while the number of infected Windows Vista SP2 machines has declined sharply.

Those findings come from the latest Microsoft Security Intelligence Report (volume 13), released Tuesday, which reviews threat prevalence and infection rates seen in the first half of 2012.

According to the report, the average number of infected Windows 7 SP1 machines increased by 23% on 32-bit systems and 7% on 64-bit systems, comparing the last quarter of 2011 to the first half of 2012. In the same time period, the average number of malware-infected Windows XP SP3 PCs increased by about 10%, while the number of malware-infected Windows Vista SP2 PCs plummeted by 33% for 32-bit systems, and 43% for 64-bit systems.

Despite the changing infection profiles, 32-bit Windows XP SP3 machines are now two to three times more likely to be infected by malware than 32-bit Windows Vista SP2 machines, which have the lowest infection rate of any Microsoft operating system, followed closely by Windows 7 SP1 and Windows 7 RTM.

Meanwhile, the report found that "the infection rate for Windows XP SP3 increased" in the first half of 2012 "after declining for several quarters," largely thanks to Dorkbot worm infections, as well as a Trojan downloader called Pluzoks, which is prevalent in South Korea, where Windows XP remains the most-used operating system.

[ See 8 Security Tips For Windows 8. ]

What accounts for the sudden increase in Windows 7 SP1 infections? "A similar trend of slowly increasing infection rates was observed for Windows Vista between 2007 and 2009, prior to the release of Windows 7," according to the report, which suggested that as more people adopt the software, security suffers. "Early adopters are often technology enthusiasts who have a higher level of technical expertise than the mainstream computing population," it said. "As the Windows 7 install base has grown, new users are likely to possess a lower degree of security awareness than the early adopters and be less aware of safe online practices."

In terms of threats, Microsoft's report also charts a rise in social engineering attacks involving supposed license key generator--a.k.a. "keygen"--software that can be used to provide on-demand serial numbers, so people can pirate commercial software without buying a license.

Obviously, a large software manufacturer such as Microsoft has a vested interest in keeping people away from keygen software. Also, according to Microsoft's new security report, 76% of PCs that downloaded keygen software in the first half of 2012 had a 10% higher than average rate of malware infection.

Another new threat-related finding from Microsoft's report is that the exploit kit known as Blacole has recently grown in popularity to become the most common toolkit seen on PCs infected with such software.

"Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious Web pages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components," according to the report. "When the attacker installs the Blacole kit on a malicious or compromised Web server, visitors who don't have the appropriate security updates installed are at risk of infection through a drive-by download attack."

Interestingly, "Blacole is more than twice as likely to be seen by users who also report keygen detections, as compared to the total number of users," said Joe Blackbird, a program manager for the Microsoft Malware Protection Center, in a blog post. In other words, beyond trying to watch out for malicious websites that seek to exploit known vulnerabilities on unpatched PCs via drive-by attacks, also beware malware attacks hidden with pirated software.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JimC
50%
50%
JimC,
User Rank: Apprentice
10/12/2012 | 1:30:01 PM
re: Windows 7 Malware Infection Rates Soar
The "FBI virus" has been infecting lots of computers in the past few weeks.
s404n1tn0cc
50%
50%
s404n1tn0cc,
User Rank: Apprentice
10/9/2012 | 8:06:43 PM
re: Windows 7 Malware Infection Rates Soar
Not an accurate paper. It depends on how frequently you update the definition file in security essentials- a free anti-malware and anit- virus app.
Best recommendation- update it Daily. If you note that by the end of the 3rd day of your last update you machine is sluggish-- you may need to install it again.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.