
Attacks/Breaches

3/5/2012
09:34 PM

Microsoft Studies 10 Years Of Malware And Threats

Special report maps malware evolution, and how the least-infected regions keep botnets, other threats at bay


RSA CONFERENCE 2012 -- San Francisco, Calif. -- A lot can happen in 10 years, and that's an understatement when it comes to malware: According to new data released by Microsoft this week, the number of malware variants went from 1,000 in 1991 to millions in 2011.

In celebration of the 10-year anniversary of the launch of its Trustworthy Computing initiative, Microsoft published a special edition of its Security Intelligence Report (SIR). "What we wanted to do from the Security Intelligence Report was look at the past 10 years and how the threat landscape" has evolved, says Tim Rains, director of Microsoft's TwC. "A lot of these samples were new variants of a same family."

Among the more telling trends were the near disappearance of worms and the continued surge in socially engineered malware threats and Trojans. Rains says that as companies such as Microsoft build better and less buggy software, the bar is raised for attackers. Hence the jump in socially engineered attacks that lure users into opening infected attachments or clicking on malicious links that spread Trojans, he says. "Social engineering is probably a mainstay now," Rains says.

The report looks at the "cleanest" countries malware infection-wise. Finland had the lowest rate of infected machines in 2011, with just over one infected machine per 1,000 machines. Japan had just over two per 1,000 machines; followed by Norway, Switzerland, and Australia, all of which had fewer than four. On average, Microsoft cleans up 10 machines per 1,000 globally.

Turkey (57), Korea (20), Brazil (just under 20), Taiwan (more than 15), and Spain (just over 10) didn't fare as well. "We wondered why Finland and others were so low," Rains says, so Microsoft did a case study on one of Finland's largest ISPs, TeliaSonera.

Rains says TeliaSonera wanted security to be a competitive differentiator in its services. In the wake of the Rustock botnet takedown, when Microsoft's Digital Crimes Unit gave Finland's CERT a list of Rustock-infected IP addresses, TeliaSonera found that it was taking an average of 40 minutes per customer to clean up the machines. So the ISP automated the process: it used the Rustock data from Microsoft's DCU to identify infected machines on its network and kept them quarantined until they were cleaned up.

TeliaSonera alerts infected customers via an automatically generated text message and places the user's machine in a so-called "walled garden" until the machine is remediated and clean.
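The workflow the article describes (a CERT-supplied list of infected IP addresses, matched against the ISP's own subscriber records, a notification to the customer, and a walled garden that is lifted only once the machine is confirmed clean) can be sketched as a small state machine. The following is an added example written for this page, not TeliaSonera's or Microsoft's code; the feed format, the subscriber table, the `WalledGarden` class and all addresses and identifiers are constructed assumptions. It also handles one detail a practitioner has to get right that the article does not spell out: on a network with dynamic addressing, the IP must be matched to whoever held it at the time of the sighting, not whoever holds it now, or the wrong customer is quarantined.

```python
"""Constructed example of an ISP bot-quarantine workflow: a CERT feed of
infected IPs is matched to subscriber address assignments, the affected
customers are notified, and their access stays restricted to a walled
garden until a remediation check passes. All data below is made up."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

# Constructed CERT feed, one sighting per line: ip,last_seen_utc,family
CERT_FEED = """\
203.0.113.17,2012-03-01T10:15:00Z,Rustock
203.0.113.99,2012-03-01T11:02:00Z,Rustock
198.51.100.5,2012-03-02T08:30:00Z,Rustock
not-an-ip,2012-03-02T08:31:00Z,Rustock
"""

# Constructed subscriber address-assignment records (what a RADIUS/DHCP log
# would provide). Note that 203.0.113.99 changed hands at 12:00 on 03-01,
# after the sighting at 11:02, so C-1003 (not C-1002) was the infected host.
ASSIGNMENTS = [
    {"customer_id": "C-1001", "ip": "203.0.113.17", "from": "2012-02-28T00:00:00Z", "to": None, "phone": "+358-000-0001"},
    {"customer_id": "C-1002", "ip": "203.0.113.99", "from": "2012-03-01T12:00:00Z", "to": None, "phone": "+358-000-0002"},
    {"customer_id": "C-1003", "ip": "203.0.113.99", "from": "2012-02-20T00:00:00Z", "to": "2012-03-01T12:00:00Z", "phone": "+358-000-0003"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(text: str) -> List[Tuple[str, datetime, str]]:
    """Return (ip, seen_at, family) for each well-formed line; skip malformed ones."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, ts, family = line.split(",")
        try:
            ip_address(ip)  # reject garbage before it reaches the lookup
        except ValueError:
            continue
        sightings.append((ip, parse_ts(ts), family))
    return sightings


def customer_for(ip: str, at: datetime, assignments) -> Optional[dict]:
    """Find the subscriber who held `ip` at time `at` (half-open interval)."""
    for a in assignments:
        if a["ip"] != ip:
            continue
        start = parse_ts(a["from"])
        end = parse_ts(a["to"]) if a["to"] else None
        if start <= at and (end is None or at < end):
            return a
    return None


@dataclass
class Case:
    customer_id: str
    ip: str
    family: str
    opened: datetime
    state: str = "QUARANTINED"          # QUARANTINED -> CLEAN
    notifications: List[str] = field(default_factory=list)


class WalledGarden:
    def __init__(self) -> None:
        self.cases: Dict[str, Case] = {}
        self.unmatched: List[str] = []  # sightings we could not attribute
        self.sms_outbox: List[str] = [] # stand-in for the SMS gateway

    def ingest(self, feed_text: str, assignments) -> None:
        for ip, seen, family in parse_feed(feed_text):
            a = customer_for(ip, seen, assignments)
            if a is None:
                self.unmatched.append(ip)   # log for manual follow-up
                continue
            cid = a["customer_id"]
            if cid in self.cases:
                continue                    # already restricted; no repeat alerts
            case = Case(cid, ip, family, seen)
            msg = (f"To {a['phone']}: {family} activity was seen from your connection; "
                   f"web access is limited until the machine is cleaned.")
            case.notifications.append(msg)
            self.sms_outbox.append(msg)
            self.cases[cid] = case

    def is_restricted(self, cid: str) -> bool:
        c = self.cases.get(cid)
        return c is not None and c.state == "QUARANTINED"

    def remediation_check(self, cid: str, scan_clean: bool) -> str:
        """Release the customer only when a clean result is reported."""
        c = self.cases[cid]
        if scan_clean:
            c.state = "CLEAN"
        return c.state


if __name__ == "__main__":
    wg = WalledGarden()
    wg.ingest(CERT_FEED, ASSIGNMENTS)
    print(sorted(wg.cases), wg.unmatched)
```

Keeping the "who held the address when" lookup separate from the quarantine logic is deliberate: the feed's timestamp is the only evidence tying an IP to a subscriber, and a wrong match both frustrates an innocent customer and leaves the infected one online.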

Microsoft also asked the ISP, and other organizations in the regions with the fewest infections, what they do that could be adopted elsewhere. Those regions had strong ties between the public and private sectors and tended to be more proactive: ISPs and CERTs monitor emerging threats and then act on them, and quarantining bots is a key strategy for preventing further spread. The regions also ran aggressive public service campaigns to educate users, promoted up-to-date software, and had low software piracy rates.

"The key takeaways for other users is improve your basic hygiene, run newer software, and [install] updates. Keep yourself educated out there, and if you're an organization or business or country, alter your security posture to be more holistic" to protect against persistent threats, Microsoft's Rains says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
