Microsoft: Dramatic Rise in 'Scareware' Infections
"Scareware," or programs that masquerade as legitimate security and anti-virus software and then frighten and bully users into paying for them, have emerged as the most prolific and fastest-growing threats facing PC users, according to a biannual security report released this week by Microsoft Corp.
George Stathakopoulos, general manager of Microsoft's trustworthy computing group, said these rogue security products can snare even experienced computer users.
"Some of these sites and products look really professional and well-done, with trademarks and copyrighted material," Stathakopoulos said. "If you're in a situation where you don't already have security software and you have not yet figured out the state of the machine, you will look for a solution, and these are solutions that come to you."
Microsoft found that in the second half of last year, seven of the top 25 malicious software families removed from Windows computers were scareware titles such as Antivirus2008, XPAntivirus, SpywareSecure, and Winfixer.
The data was compiled by tracking Microsoft's "malicious software removal tool" (MSRT), which ships detection updates along with security patches on the second Tuesday of each month to Windows users.
The number one piece of malware Redmond's MSRT killed during the last six months of 2008 was a Trojan horse program Microsoft calls "Win32/Renos," which is essentially a downloader: the malware used to fetch the initial scareware installer onto the victim's machine. Microsoft said it removed the Renos Trojan from more than 4.4 million Windows systems, an increase of more than 66 percent over the first half of 2008.
The report also examines how attackers are exploiting security holes in popular document file formats like Microsoft Word (.doc), Excel (.xls) and Adobe PDF files. Typically sent as booby-trapped e-mail attachments, poisoned document files usually take advantage of flaws for which fixes had already been available for quite some time, Microsoft said.
To assess the use of file formats as an attack vector, Microsoft analyzed a sample of several hundred files that were used for successful attacks in the second half of 2008. The data set was taken from submissions of malicious code sent to Microsoft from customers worldwide. Microsoft says the majority of attacks against its Office products targeted systems that have not applied a single service pack for the relevant Office version installed.
"In the case of Office 2000, for example, 100 percent of the infected computers in the sample were running the [original "release to manufacturing," or RTM] versions of the application suite," the report notes.
I would not be surprised if a non-trivial number of Windows Vista users are in the camp of folks who are running Office 2000 applications without any service packs or updates installed. That's because Microsoft doesn't allow Vista users who have Office 2000 installed to scan their systems for needed patches. Instead, Vista users need to pick through Microsoft's list of available updates for the suite, which are listed in no particular order. Each one then needs to be manually downloaded and installed.
I realize Office 2000 was first released nearly a decade ago. But given that Microsoft still officially supports this suite, and by its own measurements says these users are particularly at risk, Microsoft should consider ways to make it easier to keep these applications updated.
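Since the report's finding is that attacked Office installs are overwhelmingly the ones with no service pack applied, the practical first step for an administrator is to find out which Office builds are actually present on a machine. The following PowerShell script is an added example for this post, not code from the original article or from Microsoft. It reads the standard Windows Installer "Uninstall" registry keys (both the native and the Wow6432Node views), lists every "Microsoft Office" product with a parseable version, and flags any build below a per-release minimum. The version baselines in $MinimumVersions are placeholders: the reader must fill them from Microsoft's own update documentation for each Office release, as is the mapping of major version numbers to product names in the comments.

```powershell
# Added example (not from the original post or from Microsoft): inventory
# installed Microsoft Office products and flag builds older than a minimum
# version the administrator supplies. Reads the Windows Installer "Uninstall"
# keys; requires PowerShell 2.0 or later and .NET with System.Version.TryParse.

param(
    # Assumption: map from Office major version to the lowest fully patched
    # DisplayVersion you accept. The values below are placeholders, not real
    # service-pack build numbers; fill them in from Microsoft's documentation.
    [hashtable]$MinimumVersions = @{
        "9"  = "9.0.0.0"    # Office 2000 (placeholder baseline)
        "10" = "10.0.0.0"   # Office XP   (placeholder baseline)
        "11" = "11.0.0.0"   # Office 2003 (placeholder baseline)
    }
)

# Standard Uninstall keys for 32-bit and 64-bit views; the Wow6432Node path
# simply does not exist on 32-bit Windows, hence SilentlyContinue below.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)

function Get-OfficeInstalls {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like "Microsoft Office*" -and $_.DisplayVersion } |
        ForEach-Object {
            $ver = $null
            # Office 2000 writes versions such as "9.00.3821"; TryParse accepts these.
            if ([System.Version]::TryParse($_.DisplayVersion, [ref]$ver)) {
                $major = [string]$ver.Major
                $min   = $MinimumVersions[$major]
                if (-not $min) { $status = "no baseline configured" }
                elseif ($ver -lt [System.Version]$min) { $status = "BELOW minimum" }
                else { $status = "ok" }
                [pscustomobject]@{
                    Product = $_.DisplayName
                    Version = $ver
                    Minimum = $min
                    Status  = $status
                }
            }
        }
}

# Worst offenders first: "BELOW minimum" sorts ahead of "no baseline" and "ok".
Get-OfficeInstalls | Sort-Object Status | Format-Table -AutoSize
```

Run it on the machine in question (or remotely via Invoke-Command) and compare the Version column with the service-pack build Microsoft publishes for that release; any row marked "BELOW minimum" is exactly the kind of install the report says the document-format exploits are hitting.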
On the subject of Office flaws, Microsoft warned on Thursday that hackers are exploiting another unpatched security hole in Office products. This time the flaw is in PowerPoint 2000, 2002 and 2003; together with an unpatched Excel flaw that Microsoft warned about in February, it is being exploited by hackers in targeted attacks. Hopefully, Microsoft will address at least one of these flaws on Patch Tuesday next week.
Much of the rest of the report rehashes ground well trodden in previous reports from Microsoft. One exception is an observation from Redmond on the impact of the McColo takedown that I had not been aware of thus far. According to Microsoft, the disconnection of McColo in mid-November 2008 had a dramatic effect on phishing.
By measuring activity from the anti-phishing technology built into Internet Explorer 7 and later versions, Microsoft found the number of people trying to visit phishing Web sites dropped 46.2 percent from October to November.
"The most dramatic decrease came from visits to phishing sites targeting social networking sites, which dropped from 34.1 percent of all impressions in October to just 1.1 percent of impressions in November," Microsoft found. "This suggests that McColo may have served a number of clients that specialized in phishing attacks that targeted social networks and that when McColo was de-peered, these clients could not access the command-and-control servers they used to send phishing messages."
The full report is available here.
April 8, 2009; 8:51 AM ET
Categories: Fraud , Latest Warnings | Tags: mccolo, microsoft, rogue security software, scareware