Vulnerabilities / Threats
4/7/2009
08:34 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Microsoft: Rogue AV Found On 10 Million Machines

Scareware more pervasive than thought, while data breaches more about lost and stolen equipment than hackers, according to new Microsoft Security Intelligence Report

Rogue security software infections by just one family of malware jumped 66 percent in the second half of the year, according to Microsoft's new Security Intelligence Report (SIR), released today. And it's not hackers who are responsible for data breaches: It's the lost and stolen laptops, disks, and other computer equipment, according to the report.

Microsoft's report on threats for the second half of 2008, which gathers threat data from hundreds of millions of Windows machines worldwide, as well as some vulnerability and breach data from other sources, for the first time looked at business versus consumer threat data. While enterprise users are more likely to be hit by worms, consumers get more Trojan and adware infections, according to Microsoft.

But it was the scareware, or rogue AV infections, that stood out overall with the big numbers for the second half of '08. "This was a significant scale that we had not seen in the past," says Jeff Williams, principal architect for Microsoft's Malware Protection Center. "It has become very widespread, and the scale of it had been hidden from view [until now]," he says.

The bad guys are capitalizing on users' understanding that they need security software protection from threats, he says. "Fear is a powerful motivator," Williams says. And the phony threats have a convincing look and feel that can easily dupe consumers, he says.

"They are copying our software look and feel, and Symantec's, etc., with the same naming conventions," he says. They also are localizing it by region, he notes.

Microsoft says the Win32/Renos scareware attack was found on 4.4 million computers, for instance, and Win32/FakeXPA and Win32/FakeSecScan on 1.5 million machines. Other rogue AV types were also detected, bringing the total numbers of those types of infections to the 10 million mark.

The report, using data from the Open Security Foundation's OSF Data Loss Database, also noted that 33.5 percent of all security breach incidents were from stolen equipment, and that stolen and lost equipment together accounted for half of all reported breaches in the second half of 2008. Malware and other hacking incidents accounted for less than 20 percent of all data breaches. "So it's not just a technology issue, but [victims] have governance issues," Williams says.

And a bit of possibly good news: Based on Microsoft's and other data, the total number of new vulnerability disclosures dropped 3 percent from the first half of the year, and the total number in 2008 was 12 percent fewer than disclosed in 2007. The caveat: "High severity" vulnerabilities were up 4 percent in the second half of '08, and more than half of all vulnerabilities in that period were high severity" Still, the total number was down 16 percent from 2007.

Around 90 percent of vulnerabilities during the second half of last year were in applications, Williams points out, and with increased attacks targeting third-party apps. Microsoft vulnerabilities comprised about 41 percent of browser-based attacks against XP machines, and 5.5 percent against Vista machines.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.