Risk
10/9/2012
12:39 PM
Connect Directly
RSS
E-Mail
50%
50%

Windows 7 Malware Infection Rates Soar

Microsoft reports malware infections grow more prevalent on Windows 7 SP1 and Windows XP SP3 machines, while plummeting on Windows Vista SP2.

8 Key Differences Between Windows 8 And Windows RT
8 Key Differences Between Windows 8 And Windows RT
(click image for larger view and for slideshow)
The number of Windows 7 SP1 and Windows XP machines infected by malware is on the increase, while the number of infected Windows Vista SP2 machines has declined sharply.

Those findings come from the latest Microsoft Security Intelligence Report (volume 13), released Tuesday, which reviews threat prevalence and infection rates seen in the first half of 2012.

According to the report, the average number of infected Windows 7 SP1 machines increased by 23% on 32-bit systems and 7% on 64-bit systems, comparing the last quarter of 2011 to the first half of 2012. In the same time period, the average number of malware-infected Windows XP SP3 PCs increased by about 10%, while the number of malware-infected Windows Vista SP2 PCs plummeted by 33% for 32-bit systems, and 43% for 64-bit systems.

Despite the changing infection profiles, 32-bit Windows XP SP3 machines are now two to three times more likely to be infected by malware than 32-bit Windows Vista SP2 machines, which have the lowest infection rate of any Microsoft operating system, followed closely by Windows 7 SP1 and Windows 7 RTM.

Meanwhile, the report found that "the infection rate for Windows XP SP3 increased" in the first half of 2012 "after declining for several quarters," largely thanks to Dorkbot worm infections, as well as a Trojan downloader called Pluzoks, which is prevalent in South Korea, where Windows XP remains the most-used operating system.

[ See 8 Security Tips For Windows 8. ]

What accounts for the sudden increase in Windows 7 SP1 infections? "A similar trend of slowly increasing infection rates was observed for Windows Vista between 2007 and 2009, prior to the release of Windows 7," according to the report, which suggested that as more people adopt the software, security suffers. "Early adopters are often technology enthusiasts who have a higher level of technical expertise than the mainstream computing population," it said. "As the Windows 7 install base has grown, new users are likely to possess a lower degree of security awareness than the early adopters and be less aware of safe online practices."

In terms of threats, Microsoft's report also charts a rise in social engineering attacks involving supposed license key generator--a.k.a. "keygen"--software that can be used to provide on-demand serial numbers, so people can pirate commercial software without buying a license.

Obviously, a large software manufacturer such as Microsoft has a vested interest in keeping people away from keygen software. Also, according to Microsoft's new security report, 76% of PCs that downloaded keygen software in the first half of 2012 had a 10% higher than average rate of malware infection.

Another new threat-related finding from Microsoft's report is that the exploit kit known as Blacole has recently grown in popularity to become the most common toolkit seen on PCs infected with such software.

"Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious Web pages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components," according to the report. "When the attacker installs the Blacole kit on a malicious or compromised Web server, visitors who don't have the appropriate security updates installed are at risk of infection through a drive-by download attack."

Interestingly, "Blacole is more than twice as likely to be seen by users who also report keygen detections, as compared to the total number of users," said Joe Blackbird, a program manager for the Microsoft Malware Protection Center, in a blog post. In other words, beyond trying to watch out for malicious websites that seek to exploit known vulnerabilities on unpatched PCs via drive-by attacks, also beware malware attacks hidden with pirated software.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JimC
50%
50%
JimC,
User Rank: Apprentice
10/12/2012 | 1:30:01 PM
re: Windows 7 Malware Infection Rates Soar
The "FBI virus" has been infecting lots of computers in the past few weeks.
s404n1tn0cc
50%
50%
s404n1tn0cc,
User Rank: Apprentice
10/9/2012 | 8:06:43 PM
re: Windows 7 Malware Infection Rates Soar
Not an accurate paper. It depends on how frequently you update the definition file in security essentials- a free anti-malware and anit- virus app.
Best recommendation- update it Daily. If you note that by the end of the 3rd day of your last update you machine is sluggish-- you may need to install it again.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.