Vulnerabilities / Threats
4/7/2009
08:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Microsoft: Rogue AV Found On 10 Million Machines

Scareware more pervasive than thought, while data breaches more about lost and stolen equipment than hackers, according to new Microsoft Security Intelligence Report

Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR), released today. And it's not hackers who are responsible for data breaches: It's the lost and stolen laptops, disks, and other computer equipment, according to the report.

Microsoft's report on threats for the second half of 2008, which gathers threat data from hundreds of millions of Windows machines worldwide, as well as some vulnerability and breach data from other sources, for the first time looked at business versus consumer threat data. While enterprise users are more likely to be hit by worms, consumers get more Trojan and adware infections, according to Microsoft.

But it was the scareware, or rogue AV infections, that stood out overall with the big numbers for the second half of '08. "This was a significant scale that we had not seen in the past," says Jeff Williams, principal architect for Microsoft's Malware Protection Center. "It has become very widespread, and the scale of it had been hidden from view [until now]," he says.

The bad guys are capitalizing on users' understanding that they need security software protection from threats, he says. "Fear is a powerful motivator," Williams says. And the phony threats have a convincing look and feel that can easily dupe consumers, he says.

"They are copying our software look and feel, and Symantec's, etc., with the same naming conventions," he says. They also are localizing it by region, he notes.

Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark.

The report, using data from the Open Security Foundation's OSF Data Loss Database, also noted that 33.5 percent of all security breach incidents were from stolen equipment, and that stolen and lost equipment together accounted for half of all reported breaches in the second half of 2008. Malware and other hacking incidents accounted for less than 20 percent of all data breaches. "So it's not just a technology issue, but [victims] have governance issues," Williams says.

And a bit of possibly good news: Based on Microsoft's and other data, the total number of new vulnerability disclosures dropped 3 percent from the first half of the year, and the total number in 2008 was 12 percent fewer than disclosed in 2007. The caveat: "High severity" vulnerabilities were up 4 percent in the second half of '08, and more than half of all vulnerabilities in that period were high severity" Still, the total number was down 16 percent from 2007.

Around 90 percent of vulnerabilities during the second half of last year were in applications, Williams points out, and with increased attacks targeting third-party apps. Microsoft vulnerabilities comprised about 41 percent of browser-based attacks against XP machines, and 5.5 percent against Vista machines.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web