Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

5/7/2014
03:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft: Deception Dominates Windows Attacks

Deceptive downloads and ransomware tripled worldwide in Q4 2013, according to the new Microsoft Security Intelligence Report.

The good news in the new Microsoft Security Intelligence Report (SIR) published today: The number of severe bugs used to attack Microsoft Windows machines worldwide dropped by 70 percent from 2010 to 2013. The bad news: The bad guys are now employing more sophisticated social engineering techniques to infect users.

Deceptive downloads -- via ad networks, installers, search syndicators, and search providers -- and ransomware are the new threats to Windows users. In more than 95 percent of the 110 countries and regions covered in Microsoft's data, deceptive downloads ranked as a top threat. These attacks are either where cybercriminals bundle malware along with legitimate content and applications that users download, unbeknownst to the victims, or via ransomware, where attackers demand the victim pay to regain use of his or her machine.

"Cybercriminals increasingly are turning to deceptive tactics to lure their victims. While the use of deceptive tactics isn't especially new, it has dramatically increased in the second of half of 2013," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

Stewart attributes the shift in tactics by the bad guys to Microsoft's building more security into its software, plus its Secure Development Lifecycle process for writing more secure code. "It's having an impact," she claims.

Microsoft also found an increase in worldwide infection and malware encounters, with 21.2 percent of machines encountering malware each quarter of 2013, and infection rising at a rate of 11.7 computers cleaned per thousand by Microsoft's Malicious Software Removal Tool. The infection rate tripled from the third quarter to the fourth quarter last year. "This rise was predominantly affected by malware using deceptive tactics, influenced by three families" of malware, Sefnit, Rotbrow, and Brantall, says a Microsoft blog about the report. Rotbrow and Brantall -- Nos. 1 and 2 in the top deceptive downloader rankings -- are variants of Sefnit, which is used mainly for click fraud and Bitcoin-mining.

Stewart says deceptive downloads typically are bundled with free programs. "There's an adware packaged in, but it seems OK," for example, but other malicious programs install on the victim's machine as well and use the machine for click fraud as well as Bitcoin-mining, she says.

"It's not immediately discernable by the user. Their search results might be strange, or their computers slow down" because the machine is clicking on ads in the background, for example, and that's when they notice something is awry. Six percent of all Windows machines worldwide were hit by this malware in Q4, she tells us.

Reveton is the most common ransomware family, and it increased by 45 percent between the first and second halves of 2013, the report says. This -- and other families such as Urausy and Crilock/CryptoLocker -- typically send an alert purporting to be from the FBI or a law enforcement agency. Even if victims pay the ransom fee, there's no guarantee they'll get their files back, nor control of their computers, Stewart says. "And if you pay, in the future you risk being known as a target who will pay."

Ransomware is mostly rearing its ugly head in Europe, particularly Italy, Belgium, Spain, Greece, Portugal, and Austria. In 4Q13, six out of 10,000 computers in the US encountered Crilock, she says, while in Europe, seven out of 1,000 computers encountered Reveton, and five out of 10,000 computers in the UK encountered Crilock.

Security awareness training firm KnowBe4 this week issued a warning about yet another ransomware attack on the rise called CryptorBit, a.k.a. HowDecrypt. "Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, the fees are up to $500 ransom in Bitcoin to decrypt the files," says Stu Sjouwerman, CEO of KnowBe4. CryptorBit appears able to cheat group policy settings set to deflect the malware, according to KnowBe4.

The full Microsoft SIRv16 is available here for download.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DLEVINSON191
50%
50%
DLEVINSON191,
User Rank: Apprentice
5/21/2014 | 11:20:38 AM
Re: Does Microsoft compare
On my Windows box I'm always having to remove malicious adware bundled with other legitimate downloads & I've noticed strange things with my keyboard - I see that you are experiencing the same - where all of a sudden, I never type in any vowels.  I am sure that you know how to spell/type in the word compare.  Yet, I bet that you have had to retype vowels in much of your typing.  No one has mentioned that yet.  On my old Linux boxes, I have way less trouble but I only use them in a more limited way.  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/12/2014 | 4:24:09 PM
Re: Does Microsoft compare
There must be surveys that compare the the major Oses..There certainly is no shortage of atttack data. (The shortage is in effective solutions to the solutions.)
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/12/2014 | 4:07:28 PM
Re: Does Microsoft compare
You are correct, Marilyn. Microsoft's SIR reports are all based on Windows threats and infections, and that's always Microsoft's focus in those reports. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/12/2014 | 4:05:02 PM
Does Microsoft compare
Kelly, Does Microosft explore how attacks against Windows machines cmpare to attacks other operating systems like Android or IOS? I assume this report only pertains to Windows...  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/12/2014 | 4:04:58 PM
Does Microsoft compare
Kelly, Does Microosft explore how attacks against Windows machines cmpare to attacks other operating systems like Android or IOS? I assume this report only pertains to Windows...  
News
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
News
When AI Becomes the Hacker
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/13/2021
Edge-DRsplash-10-edge-articles
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24288
PUBLISHED: 2021-05-17
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
CVE-2021-24289
PUBLISHED: 2021-05-17
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
CVE-2021-24290
PUBLISHED: 2021-05-17
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.
CVE-2021-24292
PUBLISHED: 2021-05-17
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The â€&oe...
CVE-2021-24295
PUBLISHED: 2021-05-17
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via...