5/7/2014 03:45 PM

Microsoft: Deception Dominates Windows Attacks

Deceptive downloads and ransomware tripled worldwide in Q4 2013, according to the new Microsoft Security Intelligence Report.

The good news in the new Microsoft Security Intelligence Report (SIR) published today: The number of severe bugs used to attack Microsoft Windows machines worldwide dropped by 70 percent from 2010 to 2013. The bad news: The bad guys are now employing more sophisticated social engineering techniques to infect users.

Deceptive downloads -- via ad networks, installers, search syndicators, and search providers -- and ransomware are the new threats to Windows users. In more than 95 percent of the 110 countries and regions covered in Microsoft's data, deceptive downloads ranked as a top threat. These attacks are either where cybercriminals bundle malware along with legitimate content and applications that users download, unbeknownst to the victims, or via ransomware, where attackers demand the victim pay to regain use of his or her machine.

"Cybercriminals increasingly are turning to deceptive tactics to lure their victims. While the use of deceptive tactics isn't especially new, it has dramatically increased in the second half of 2013," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

Stewart attributes the shift in tactics by the bad guys to Microsoft's building more security into its software, plus its Secure Development Lifecycle process for writing more secure code. "It's having an impact," she claims.

Microsoft also found an increase in worldwide infection and malware encounters, with 21.2 percent of machines encountering malware in each quarter of 2013, and the infection rate rising to 11.7 computers cleaned per thousand by Microsoft's Malicious Software Removal Tool. The infection rate tripled from the third quarter to the fourth quarter last year. "This rise was predominantly affected by malware using deceptive tactics, influenced by three families" of malware, Sefnit, Rotbrow, and Brantall, says a Microsoft blog about the report. Rotbrow and Brantall -- Nos. 1 and 2 in the top deceptive downloader rankings -- are variants of Sefnit, which is used mainly for click fraud and Bitcoin mining.

Stewart says deceptive downloads typically are bundled with free programs. "There's an adware packaged in, but it seems OK," for example, but other malicious programs install on the victim's machine as well and use the machine for click fraud as well as Bitcoin-mining, she says.

"It's not immediately discernible by the user. Their search results might be strange, or their computers slow down" because the machine is clicking on ads in the background, for example, and that's when they notice something is awry. Six percent of all Windows machines worldwide were hit by this malware in Q4, she tells us.

Reveton is the most common ransomware family, and it increased by 45 percent between the first and second halves of 2013, the report says. This -- and other families such as Urausy and Crilock/CryptoLocker -- typically send an alert purporting to be from the FBI or a law enforcement agency. Even if victims pay the ransom fee, there's no guarantee they'll get their files back, nor control of their computers, Stewart says. "And if you pay, in the future you risk being known as a target who will pay."

Ransomware is mostly rearing its ugly head in Europe, particularly Italy, Belgium, Spain, Greece, Portugal, and Austria. In 4Q13, six out of 10,000 computers in the US encountered Crilock, she says, while in Europe, seven out of 1,000 computers encountered Reveton, and five out of 10,000 computers in the UK encountered Crilock.

Security awareness training firm KnowBe4 this week issued a warning about yet another ransomware attack on the rise called CryptorBit, a.k.a. HowDecrypt. "Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, the fees are up to $500 ransom in Bitcoin to decrypt the files," says Stu Sjouwerman, CEO of KnowBe4. CryptorBit appears able to cheat group policy settings set to deflect the malware, according to KnowBe4.

The full Microsoft SIRv16 is available here for download.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

Comments
DLEVINSON191, User Rank: Apprentice
5/21/2014 | 11:20:38 AM
Re: Does Microsoft compare
On my Windows box I'm always having to remove malicious adware bundled with other legitimate downloads, and I've noticed strange things with my keyboard. I see that you are experiencing the same, where all of a sudden I never type in any vowels. I am sure that you know how to spell/type the word "compare." Yet I bet that you have had to retype vowels in much of your typing. No one has mentioned that yet. On my old Linux boxes I have way less trouble, but I only use them in a more limited way.
Marilyn Cohodas, User Rank: Strategist
5/12/2014 | 4:24:09 PM
Re: Does Microsoft compare
There must be surveys that compare the major OSes. There certainly is no shortage of attack data. (The shortage is in effective solutions to the solutions.)
Kelly Jackson Higgins, User Rank: Strategist
5/12/2014 | 4:07:28 PM
Re: Does Microsoft compare
You are correct, Marilyn. Microsoft's SIR reports are all based on Windows threats and infections, and that's always Microsoft's focus in those reports.
Marilyn Cohodas, User Rank: Strategist
5/12/2014 | 4:05:02 PM
Does Microsoft compare
Kelly, does Microsoft explore how attacks against Windows machines compare to attacks on other operating systems like Android or iOS? I assume this report only pertains to Windows...