
Sneaky Malware Hard to Kill

Microsoft's new Security Intelligence Report finds Trojan downloaders/droppers are on the rise, while viruses decline
Tucked away in Microsoft's detailed new Security Intelligence Report is a tidbit that illuminates just how tough it is to detect targeted attacks and botnet infections.

The Microsoft report, released today and based on malware data gathered from millions of Windows PCs from around the world, found that Trojan downloaders and droppers were the most prevalent threat to these machines in the first half of 2008. This type of malware made up more than 30 percent of all malware cleaned off of Windows machines during that period.

"This goes back to targeted attacks and the way malware is exploiting users and not vulnerabilities," says John Pescatore, vice president and research fellow at Gartner. "Signature-based stuff is pretty good at blocking threats from previous years, but new threats are getting right through."

Trojans and other backdoor malware -- which often sneak past antivirus and antispyware scanners -- are typically used to steal credentials (think online banking) or for botnet proliferation. Microsoft found that these threats are increasing, while viruses dropped from nearly 10 percent in the second half of last year to less than 5 percent from January through June of this year. Spyware also declined during the same period, from nearly 5 percent to about 2 percent.

Gartner's Pescatore says while Microsoft's report includes many consumer PCs that may be bot-infected by this malware, the corporate world is experiencing similar problems. In a recent Gartner case study with Procter & Gamble, for instance, P&G discovered that 3,000 of its 80,000 PCs were infected with botnet malware. And P&G's bot problem isn't unique: 5 to 15 percent of Gartner corporate clients that do more in-depth scanning of their PCs find Trojan downloaders and related malware targeting their organizations, Pescatore says.

The main culprits in the Trojan infections, according to Microsoft, are the Win32/Zlob and Win32/Renos families of malware, which accounted for more than 96 percent of the infections Microsoft's Malicious Software Removal Tool cleaned in the first half of 2008. The total amount of malware and unwanted software removed from computers worldwide by MSRT increased by more than 43 percent compared with the second half of 2007.

Among the other key findings by Microsoft was that new vulnerability disclosures dropped by 4 percent from the second half of last year, and by 19 percent from the first half of 2007. That is likely because most of the easy-to-find bugs have already been found, Gartner's Pescatore says.

More than 90 percent of the vulnerabilities disclosed in the first half of this year were in applications, according to the Microsoft report. And only 10 percent affected operating systems. "From the exploit perspective, the focus is on applications," says Bret Arsenault, general manager of Microsoft's National Security Team.

There was a 13 percent jump in the disclosure of high-severity vulnerabilities versus the second half of last year, but this is a 28 percent decrease from the first half of '07. And interestingly, while vulnerabilities that were easy to exploit increased during the period of January through June of this year, Microsoft found that only 10.4 percent of those vulnerabilities were converted into publicly available and operable exploits.

But it's not always about vulnerabilities: Nearly half of all security breaches in the first half of the year came from stolen (37.2 percent) and lost (10.3 percent) equipment. Overall, less than 23 percent of reported breaches came from malicious software, according to Microsoft.

Meanwhile, Microsoft was able to toot its own horn a bit in the report: Microsoft vulnerabilities dropped 33.6 percent this year versus the second half of last year. And operating system malware declined as well. "We see 60 percent less malware on Vista than on XP machines with SP [Service Pack]," Arsenault says.
