5/7/2014 03:45 PM
Microsoft: Deception Dominates Windows Attacks

Deceptive downloads and ransomware tripled worldwide in Q4 2013, according to the new Microsoft Security Intelligence Report.

The good news in the new Microsoft Security Intelligence Report (SIR) published today: The number of severe bugs used to attack Microsoft Windows machines worldwide dropped by 70 percent from 2010 to 2013. The bad news: The bad guys are now employing more sophisticated social engineering techniques to infect users.

Deceptive downloads -- via ad networks, installers, search syndicators, and search providers -- and ransomware are the new threats to Windows users. In more than 95 percent of the 110 countries and regions covered in Microsoft's data, deceptive downloads ranked as a top threat. In the first case, cybercriminals bundle malware with the legitimate content and applications that users download, without the victims' knowledge; in the second, ransomware, attackers demand that the victim pay to regain use of his or her machine.

"Cybercriminals increasingly are turning to deceptive tactics to lure their victims. While the use of deceptive tactics isn't especially new, it has dramatically increased in the second half of 2013," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

Stewart attributes the shift in tactics by the bad guys to Microsoft's building more security into its software, plus its Secure Development Lifecycle process for writing more secure code. "It's having an impact," she claims.

Microsoft also found an increase in worldwide infection and malware encounters, with 21.2 percent of machines encountering malware each quarter of 2013, and an infection rate of 11.7 computers cleaned per thousand by Microsoft's Malicious Software Removal Tool. The infection rate tripled from the third quarter to the fourth quarter last year. "This rise was predominantly affected by malware using deceptive tactics, influenced by three families" of malware, Sefnit, Rotbrow, and Brantall, says a Microsoft blog about the report. Rotbrow and Brantall -- Nos. 1 and 2 in the top deceptive downloader rankings -- are variants of Sefnit, which is used mainly for click fraud and Bitcoin mining.

Stewart says deceptive downloads typically are bundled with free programs. "There's an adware packaged in, but it seems OK," for example, but other malicious programs install on the victim's machine as well and use the machine for click fraud and Bitcoin mining, she says.

"It's not immediately discernible by the user. Their search results might be strange, or their computers slow down" because the machine is clicking on ads in the background, for example, and that's when they notice something is awry. Six percent of all Windows machines worldwide were hit by this malware in Q4, she tells us.

Reveton is the most common ransomware family, and it increased by 45 percent between the first and second halves of 2013, the report says. This -- and other families such as Urausy and Crilock/CryptoLocker -- typically send an alert purporting to be from the FBI or a law enforcement agency. Even if victims pay the ransom fee, there's no guarantee they'll get their files back, nor control of their computers, Stewart says. "And if you pay, in the future you risk being known as a target who will pay."

Ransomware is mostly rearing its ugly head in Europe, particularly Italy, Belgium, Spain, Greece, Portugal, and Austria. In 4Q13, six out of 10,000 computers in the US encountered Crilock, she says, while in Europe, seven out of 1,000 computers encountered Reveton, and five out of 10,000 computers in the UK encountered Crilock.

Security awareness training firm KnowBe4 this week issued a warning about yet another ransomware attack on the rise called CryptorBit, a.k.a. HowDecrypt. "Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, the fees are up to $500 ransom in Bitcoin to decrypt the files," says Stu Sjouwerman, CEO of KnowBe4. CryptorBit appears able to bypass Group Policy settings intended to block the malware, according to KnowBe4.

The full Microsoft SIRv16 is available here for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
DLEVINSON191, User Rank: Apprentice
5/21/2014 | 11:20:38 AM
Re: Does Microsoft compare
On my Windows box I'm always having to remove malicious adware bundled with other legitimate downloads & I've noticed strange things with my keyboard - I see that you are experiencing the same - where all of a sudden, I never type in any vowels. I am sure that you know how to spell/type in the word compare. Yet, I bet that you have had to retype vowels in much of your typing. No one has mentioned that yet. On my old Linux boxes, I have way less trouble but I only use them in a more limited way.
Marilyn Cohodas, User Rank: Strategist
5/12/2014 | 4:24:09 PM
Re: Does Microsoft compare
There must be surveys that compare the major OSes. There certainly is no shortage of attack data. (The shortage is in effective solutions to the problems.)
Kelly Jackson Higgins, User Rank: Strategist
5/12/2014 | 4:07:28 PM
Re: Does Microsoft compare
You are correct, Marilyn. Microsoft's SIR reports are all based on Windows threats and infections, and that's always Microsoft's focus in those reports.
Marilyn Cohodas, User Rank: Strategist
5/12/2014 | 4:05:02 PM
Does Microsoft compare
Kelly, Does Microosft explore how attacks against Windows machines cmpare to attacks against other operating systems like Android or iOS? I assume this report only pertains to Windows...