Vulnerabilities / Threats
5/7/2014
03:45 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft: Deception Dominates Windows Attacks

Deceptive downloads and ransomware tripled worldwide in Q4 2013, according to the new Microsoft Security Intelligence Report.

The good news in the new Microsoft Security Intelligence Report (SIR) published today: The number of severe bugs used to attack Microsoft Windows machines worldwide dropped by 70 percent from 2010 to 2013. The bad news: The bad guys are now employing more sophisticated social engineering techniques to infect users.

Deceptive downloads -- via ad networks, installers, search syndicators, and search providers -- and ransomware are the new threats to Windows users. In more than 95 percent of the 110 countries and regions covered in Microsoft's data, deceptive downloads ranked as a top threat. These attacks are either where cybercriminals bundle malware along with legitimate content and applications that users download, unbeknownst to the victims, or via ransomware, where attackers demand the victim pay to regain use of his or her machine.

"Cybercriminals increasingly are turning to deceptive tactics to lure their victims. While the use of deceptive tactics isn't especially new, it has dramatically increased in the second of half of 2013," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

Stewart attributes the shift in tactics by the bad guys to Microsoft's building more security into its software, plus its Secure Development Lifecycle process for writing more secure code. "It's having an impact," she claims.

Microsoft also found an increase in worldwide infection and malware encounters, with 21.2 percent of machines encountering malware each quarter of 2013, and infection rising at a rate of 11.7 computers cleaned per thousand by Microsoft's Malicious Software Removal Tool. The infection rate tripled from the third quarter to the fourth quarter last year. "This rise was predominantly affected by malware using deceptive tactics, influenced by three families" of malware, Sefnit, Rotbrow, and Brantall, says a Microsoft blog about the report. Rotbrow and Brantall -- Nos. 1 and 2 in the top deceptive downloader rankings -- are variants of Sefnit, which is used mainly for click fraud and Bitcoin-mining.

Stewart says deceptive downloads typically are bundled with free programs. "There's an adware packaged in, but it seems OK," for example, but other malicious programs install on the victim's machine as well and use the machine for click fraud as well as Bitcoin-mining, she says.

"It's not immediately discernable by the user. Their search results might be strange, or their computers slow down" because the machine is clicking on ads in the background, for example, and that's when they notice something is awry. Six percent of all Windows machines worldwide were hit by this malware in Q4, she tells us.

Reveton is the most common ransomware family, and it increased by 45 percent between the first and second halves of 2013, the report says. This -- and other families such as Urausy and Crilock/CryptoLocker -- typically send an alert purporting to be from the FBI or a law enforcement agency. Even if victims pay the ransom fee, there's no guarantee they'll get their files back, nor control of their computers, Stewart says. "And if you pay, in the future you risk being known as a target who will pay."

Ransomware is mostly rearing its ugly head in Europe, particularly Italy, Belgium, Spain, Greece, Portugal, and Austria. In 4Q13, six out of 10,000 computers in the US encountered Crilock, she says, while in Europe, seven out of 1,000 computers encountered Reveton, and five out of 10,000 computers in the UK encountered Crilock.

Security awareness training firm KnowBe4 this week issued a warning about yet another ransomware attack on the rise called CryptorBit, a.k.a. HowDecrypt. "Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, the fees are up to $500 ransom in Bitcoin to decrypt the files," says Stu Sjouwerman, CEO of KnowBe4. CryptorBit appears able to cheat group policy settings set to deflect the malware, according to KnowBe4.

The full Microsoft SIRv16 is available here for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DLEVINSON191
50%
50%
DLEVINSON191,
User Rank: Apprentice
5/21/2014 | 11:20:38 AM
Re: Does Microsoft compare
On my Windows box I'm always having to remove malicious adware bundled with other legitimate downloads & I've noticed strange things with my keyboard - I see that you are experiencing the same - where all of a sudden, I never type in any vowels.  I am sure that you know how to spell/type in the word compare.  Yet, I bet that you have had to retype vowels in much of your typing.  No one has mentioned that yet.  On my old Linux boxes, I have way less trouble but I only use them in a more limited way.  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/12/2014 | 4:24:09 PM
Re: Does Microsoft compare
There must be surveys that compare the the major Oses..There certainly is no shortage of atttack data. (The shortage is in effective solutions to the solutions.)
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/12/2014 | 4:07:28 PM
Re: Does Microsoft compare
You are correct, Marilyn. Microsoft's SIR reports are all based on Windows threats and infections, and that's always Microsoft's focus in those reports. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/12/2014 | 4:05:02 PM
Does Microsoft compare
Kelly, Does Microosft explore how attacks against Windows machines cmpare to attacks other operating systems like Android or IOS? I assume this report only pertains to Windows...  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/12/2014 | 4:04:58 PM
Does Microsoft compare
Kelly, Does Microosft explore how attacks against Windows machines cmpare to attacks other operating systems like Android or IOS? I assume this report only pertains to Windows...  
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.