Microsoft: Dramatic Rise in 'Scareware' Infections

"Scareware," or programs that masquerade as legitimate security and anti-virus software and then frighten and bully users into paying for them, have emerged as the most prolific and fastest-growing threats facing PC users, according to a biannual security report released this week by Microsoft Corp.

George Stathakopoulos, general manager of Microsoft's trustworthy computing group, said these rogue security products can snare even experienced computer users.

"Some of these sites and products look really professional and well-done, with trademarks and copyrighted material," Stathakopoulos said. "If you're in a situation where you don't already have security software and you have not yet figured out the state of the machine, you will look for a solution, and these are solutions that come to you."


Microsoft found that in the second half of last year, seven of the top 25 malicious software families removed from Windows computers were scareware titles such as Antivirus2008, XPAntivirus, SpywareSecure, and Winfixer.

The data was compiled by tracking Microsoft's "malicious software removal tool" (MSRT), which ships detection updates along with security patches on the second Tuesday of each month to Windows users.

The number one piece of malware Redmond's MSRT killed during the last six months of 2008 was a Trojan Horse program Microsoft calls "Win32/Renos," which is essentially the malware used to download the initial scareware installer program. Microsoft said it removed the Renos Trojan from more than 4.4 million Windows systems, an increase of more than 66 percent over the first half of 2008.

The report also examines how attackers are exploiting security holes in popular document file formats like Microsoft Word (.doc), Excel (.xls) and Adobe PDF files. Typically sent as booby-trapped e-mail attachments, poisoned document files usually take advantage of flaws that already had fixes available for quite some time, Microsoft said.

To assess the use of file formats as an attack vector, Microsoft analyzed a sample of several hundred files that were used for successful attacks in the second half of 2008. The data set was taken from submissions of malicious code sent to Microsoft from customers worldwide. Microsoft says the majority of attacks against its Office products targeted systems that have not applied a single service pack for the relevant Office version installed.

"In the case of Office 2000, for example, 100 percent of the infected computers in the sample were running the [original "release to manufacturer"] versions of the application suite," the report notes.

I would not be surprised if a non-trivial number of Windows Vista users are in the camp of folks who are running Office 2000 applications without any service packs or updates installed. That's because Microsoft doesn't allow Vista users who have Office 2000 installed to scan their systems for needed patches. Instead, Vista users need to pick through Microsoft's list of available updates for the suite, which are listed in no particular order. Each one then needs to be manually downloaded and installed.

I realize Office 2000 was first released nearly a decade ago. But given that Microsoft still officially supports this suite, and by its own measurements says these users are particularly at risk, Microsoft should consider ways to make it easier to keep these applications updated.

On the subject of Office flaws, Microsoft warned on Thursday that hackers are exploiting another unpatched security hole in Office products. This time the flaw is in PowerPoint versions 2000, 2002, and 2003; together with an unpatched flaw in Excel that Microsoft warned about in February, it is being exploited by hackers in targeted attacks. Hopefully, Microsoft will address at least one of these flaws on Patch Tuesday next week.

Much of the rest of the report seems to hash over ground well trodden in previous reports from Microsoft. One exception is an observation from Redmond on the impact of the McColo takedown that I had not been aware of thus far. According to Microsoft, the disconnection of McColo in mid-November 2008 had a dramatic effect on phishing.

By measuring activity from the anti-phishing technology built into Internet Explorer 7 and later versions, Microsoft found the number of people trying to visit phishing Web sites dropped 46.2 percent from October to November.

"The most dramatic decrease came from visits to phishing sites targeting social networking sites, which dropped from 34.1 percent of all impressions in October to just 1.1 percent of impressions in November," Microsoft found. "This suggests that McColo may have served a number of clients that specialized in phishing attacks that targeted social networks and that when McColo was de-peered, these clients could not access the command-and-control servers they used to send phishing messages."

The full report is available here.

By Brian Krebs  |  April 8, 2009; 8:51 AM ET
Categories:  Fraud , Latest Warnings  | Tags: mccolo, microsoft, rogue security software, scareware  


Social Networking sites (Facebook, MySpace, Bebo, LiveJournal, etc.) are under attack by a variation of the Koobface worm which began to spread in August ‘08. This new variant, tracked as WORM_KOOBFACE.AZ has the potential of a fast infection rate. Most importantly, after propagating itself from the infected device, the Worm remains active on the user’s computer transmitting the computer’s data, settings, control information, and system information to over 300 international collection sites.

Posted by: anthonymfreed | April 8, 2009 10:58 AM

Since those Microsoft validation tools probably have a good idea of what programs are being used by customers, they should know people are still using Office 2000. I use Office 2003 at work and the Mac version of Office 2004 at home. Updating is a real problem. The new versions don't really offer that much that I would readily use.

By now, Microsoft should have categories of topics with the programs you need to update. Maybe an update tree, that breaks down MS Office to platform, version or year, then Vista, XP or the rest of the variety of programs. Currently, you have a better chance at finding answers to your Microsoft questions on Google, than you do on Microsoft’s own site.

I don’t use Automatic Updates. I have a real hatred for some of the stuff that Automatic Updates actually downloads. I normally go to the Microsoft Update Home site, click on the “Custom” button and select which items I want to download.

Unfortunately, I had to reinstall XP on my hard drive at work. I couldn’t remember how to add Office Updates to the items the software searches when I “Customize My Results”. I wanted to add Office Updates to the left side of the panel under “Select by Product.”

I called Microsoft after a few hours of searching its site. The Microsoft representative recommended that I call Dell since I am using a Dell computer. Yeah, right! So, there I had it; even Microsoft doesn’t know much about and can’t organize its own site to the advantage of its customers. I imagine any Dell representative I contacted would still be laughing.

I really fare no better on Microsoft’s Mac-oriented web site, either.

Posted by: ummhuh1 | April 8, 2009 1:10 PM

ummhuh1, as far as I know, the best way to find out about necessary Office updates is to visit the Microsoft Updates page and click on the "Office Update" link on the sidebar. Here's the link to the update page:

It's a pain to have to visit a separate page, but you don't actually expect Microsoft to be user-friendly, do you? ;) You have to visit the page with Internet Explorer, of course.

Posted by: Heron | April 8, 2009 5:21 PM


You were probably referred to Dell because your copy of Windows is an OEM copy. Microsoft's standard support practice is to require the OEMs to support any software they install under an OEM licence.

Posted by: prairie_sailor | April 8, 2009 5:44 PM

@ All: To obtain both Windows XP OS updates AND patches for Office 2003 / 2007, use "Microsoft Updates."

MS Updates is essentially an upgrade to the Windows Update feature available by default in all XP versions.

How: Within Internet Explorer 7, go to the tools menu or button and choose the Windows Updates feature. The Windows Updates site will come up and it might require a couple of Active X control installations. Once those are done, the Windows Updates site has a link @ the top to "Microsoft Update."

Clicking the MS Update link will launch a new browser window and prompt you through a couple of steps. Once those are complete, your computer will now pull down both OS and Office 2003 / 2007 critical updates when the IE-based Windows Update web site is accessed.

Posted by: CB12 | April 9, 2009 9:45 AM

@ All

Thanks for your help, but I was only talking about the computer on which I reinstalled XP. There are two other computers in our office with XP also. Since I don’t use Automatic Updates, I have used only Firefox to update any Microsoft stuff for the past few years. (Remember the IE Tab add-on.) And if you view the “Customize My Results” page on these two computers, the Office Updates are listed as well as the OS ones. I really don’t bother with IE ever! I merely updated it after reading a comment Rob P made. (Yes, I mean Rob, not Brian!) I don’t like IE7 and I hear IE8 isn’t much better.


Yes, I am aware of that site, but I just didn’t want to go to it more than once.

So, after I re-loaded MS Office, I had to go to the Office Updates site multiple times since you need to have a particular item installed before you can install another patch. I can check the Office Update site for the monthly updates, but reinstalling Office 2003 was a pain!

Apple usually rolls all its updates into a Combo pack; I wish Microsoft would do the same. I don’t see why I need to go back to the site multiple times to get a patch that came out two years ago.

Posted by: ummhuh1 | April 10, 2009 4:08 PM
