Vulnerabilities / Threats
4/7/2009
08:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft: Rogue AV Found On 10 Million Machines

Scareware more pervasive than thought, while data breaches more about lost and stolen equipment than hackers, according to new Microsoft Security Intelligence Report

Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR), released today. And it's not hackers who are responsible for data breaches: It's the lost and stolen laptops, disks, and other computer equipment, according to the report.

Microsoft's report on threats for the second half of 2008, which gathers threat data from hundreds of millions of Windows machines worldwide, as well as some vulnerability and breach data from other sources, for the first time looked at business versus consumer threat data. While enterprise users are more likely to be hit by worms, consumers get more Trojan and adware infections, according to Microsoft.

But it was the scareware, or rogue AV infections, that stood out overall with the big numbers for the second half of '08. "This was a significant scale that we had not seen in the past," says Jeff Williams, principal architect for Microsoft's Malware Protection Center. "It has become very widespread, and the scale of it had been hidden from view [until now]," he says.

The bad guys are capitalizing on users' understanding that they need security software protection from threats, he says. "Fear is a powerful motivator," Williams says. And the phony threats have a convincing look and feel that can easily dupe consumers, he says.

"They are copying our software look and feel, and Symantec's, etc., with the same naming conventions," he says. They also are localizing it by region, he notes.

Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark.

The report, using data from the Open Security Foundation's OSF Data Loss Database, also noted that 33.5 percent of all security breach incidents were from stolen equipment, and that stolen and lost equipment together accounted for half of all reported breaches in the second half of 2008. Malware and other hacking incidents accounted for less than 20 percent of all data breaches. "So it's not just a technology issue, but [victims] have governance issues," Williams says.

And a bit of possibly good news: Based on Microsoft's and other data, the total number of new vulnerability disclosures dropped 3 percent from the first half of the year, and the total number in 2008 was 12 percent fewer than disclosed in 2007. The caveat: "High severity" vulnerabilities were up 4 percent in the second half of '08, and more than half of all vulnerabilities in that period were high severity" Still, the total number was down 16 percent from 2007.

Around 90 percent of vulnerabilities during the second half of last year were in applications, Williams points out, and with increased attacks targeting third-party apps. Microsoft vulnerabilities comprised about 41 percent of browser-based attacks against XP machines, and 5.5 percent against Vista machines.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report