Microsoft: Deception Dominates Windows Attacks

Deceptive downloads and ransomware tripled worldwide in Q4 2013, according to the new Microsoft Security Intelligence Report.

The good news in the new Microsoft Security Intelligence Report (SIR) published today: The number of severe bugs used to attack Microsoft Windows machines worldwide dropped by 70 percent from 2010 to 2013. The bad news: The bad guys are now employing more sophisticated social engineering techniques to infect users.

Deceptive downloads -- via ad networks, installers, search syndicators, and search providers -- and ransomware are the new threats to Windows users. In more than 95 percent of the 110 countries and regions covered in Microsoft's data, deceptive downloads ranked as a top threat. These attacks are either where cybercriminals bundle malware along with legitimate content and applications that users download, unbeknownst to the victims, or via ransomware, where attackers demand the victim pay to regain use of his or her machine.

"Cybercriminals increasingly are turning to deceptive tactics to lure their victims. While the use of deceptive tactics isn't especially new, it has dramatically increased in the second of half of 2013," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

Stewart attributes the shift in tactics by the bad guys to Microsoft's building more security into its software, plus its Secure Development Lifecycle process for writing more secure code. "It's having an impact," she claims.

Microsoft also found an increase in worldwide infection and malware encounters, with 21.2 percent of machines encountering malware each quarter of 2013, and infection rising at a rate of 11.7 computers cleaned per thousand by Microsoft's Malicious Software Removal Tool. The infection rate tripled from the third quarter to the fourth quarter last year. "This rise was predominantly affected by malware using deceptive tactics, influenced by three families" of malware, Sefnit, Rotbrow, and Brantall, says a Microsoft blog about the report. Rotbrow and Brantall -- Nos. 1 and 2 in the top deceptive downloader rankings -- are variants of Sefnit, which is used mainly for click fraud and Bitcoin-mining.

Stewart says deceptive downloads typically are bundled with free programs. "There's an adware packaged in, but it seems OK," for example, but other malicious programs install on the victim's machine as well and use the machine for click fraud as well as Bitcoin-mining, she says.

"It's not immediately discernable by the user. Their search results might be strange, or their computers slow down" because the machine is clicking on ads in the background, for example, and that's when they notice something is awry. Six percent of all Windows machines worldwide were hit by this malware in Q4, she tells us.

Reveton is the most common ransomware family, and it increased by 45 percent between the first and second halves of 2013, the report says. This -- and other families such as Urausy and Crilock/CryptoLocker -- typically send an alert purporting to be from the FBI or a law enforcement agency. Even if victims pay the ransom fee, there's no guarantee they'll get their files back, nor control of their computers, Stewart says. "And if you pay, in the future you risk being known as a target who will pay."

Ransomware is mostly rearing its ugly head in Europe, particularly Italy, Belgium, Spain, Greece, Portugal, and Austria. In 4Q13, six out of 10,000 computers in the US encountered Crilock, she says, while in Europe, seven out of 1,000 computers encountered Reveton, and five out of 10,000 computers in the UK encountered Crilock.

Security awareness training firm KnowBe4 this week issued a warning about yet another ransomware attack on the rise called CryptorBit, a.k.a. HowDecrypt. "Infections with this recent CryptorBit strain are on the rise, and once a user's files are encrypted, the fees are up to $500 ransom in Bitcoin to decrypt the files," says Stu Sjouwerman, CEO of KnowBe4. CryptorBit appears able to cheat group policy settings set to deflect the malware, according to KnowBe4.

The full Microsoft SIRv16 is available here for download.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights