Risk
10/9/2012
12:39 PM
50%
50%

Windows 7 Malware Infection Rates Soar

Microsoft reports malware infections grow more prevalent on Windows 7 SP1 and Windows XP SP3 machines, while plummeting on Windows Vista SP2.

8 Key Differences Between Windows 8 And Windows RT
8 Key Differences Between Windows 8 And Windows RT
(click image for larger view and for slideshow)
The number of Windows 7 SP1 and Windows XP machines infected by malware is on the increase, while the number of infected Windows Vista SP2 machines has declined sharply.

Those findings come from the latest Microsoft Security Intelligence Report (volume 13), released Tuesday, which reviews threat prevalence and infection rates seen in the first half of 2012.

According to the report, the average number of infected Windows 7 SP1 machines increased by 23% on 32-bit systems and 7% on 64-bit systems, comparing the last quarter of 2011 to the first half of 2012. In the same time period, the average number of malware-infected Windows XP SP3 PCs increased by about 10%, while the number of malware-infected Windows Vista SP2 PCs plummeted by 33% for 32-bit systems, and 43% for 64-bit systems.

Despite the changing infection profiles, 32-bit Windows XP SP3 machines are now two to three times more likely to be infected by malware than 32-bit Windows Vista SP2 machines, which have the lowest infection rate of any Microsoft operating system, followed closely by Windows 7 SP1 and Windows 7 RTM.

Meanwhile, the report found that "the infection rate for Windows XP SP3 increased" in the first half of 2012 "after declining for several quarters," largely thanks to Dorkbot worm infections, as well as a Trojan downloader called Pluzoks, which is prevalent in South Korea, where Windows XP remains the most-used operating system.

[ See 8 Security Tips For Windows 8. ]

What accounts for the sudden increase in Windows 7 SP1 infections? "A similar trend of slowly increasing infection rates was observed for Windows Vista between 2007 and 2009, prior to the release of Windows 7," according to the report, which suggested that as more people adopt the software, security suffers. "Early adopters are often technology enthusiasts who have a higher level of technical expertise than the mainstream computing population," it said. "As the Windows 7 install base has grown, new users are likely to possess a lower degree of security awareness than the early adopters and be less aware of safe online practices."

In terms of threats, Microsoft's report also charts a rise in social engineering attacks involving supposed license key generator--a.k.a. "keygen"--software that can be used to provide on-demand serial numbers, so people can pirate commercial software without buying a license.

Obviously, a large software manufacturer such as Microsoft has a vested interest in keeping people away from keygen software. Also, according to Microsoft's new security report, 76% of PCs that downloaded keygen software in the first half of 2012 had a 10% higher than average rate of malware infection.

Another new threat-related finding from Microsoft's report is that the exploit kit known as Blacole has recently grown in popularity to become the most common toolkit seen on PCs infected with such software.

"Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious Web pages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components," according to the report. "When the attacker installs the Blacole kit on a malicious or compromised Web server, visitors who don't have the appropriate security updates installed are at risk of infection through a drive-by download attack."

Interestingly, "Blacole is more than twice as likely to be seen by users who also report keygen detections, as compared to the total number of users," said Joe Blackbird, a program manager for the Microsoft Malware Protection Center, in a blog post. In other words, beyond trying to watch out for malicious websites that seek to exploit known vulnerabilities on unpatched PCs via drive-by attacks, also beware malware attacks hidden with pirated software.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JimC
50%
50%
JimC,
User Rank: Apprentice
10/12/2012 | 1:30:01 PM
re: Windows 7 Malware Infection Rates Soar
The "FBI virus" has been infecting lots of computers in the past few weeks.
s404n1tn0cc
50%
50%
s404n1tn0cc,
User Rank: Apprentice
10/9/2012 | 8:06:43 PM
re: Windows 7 Malware Infection Rates Soar
Not an accurate paper. It depends on how frequently you update the definition file in security essentials- a free anti-malware and anit- virus app.
Best recommendation- update it Daily. If you note that by the end of the 3rd day of your last update you machine is sluggish-- you may need to install it again.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.