Detecting Malware Associated with Unsecure Supply Chains
Through analysis of the data reported by Microsoft antimalware products running on computers that have been opted in to data collection, it is possible to discern patterns of activity that show a correlation between unsecure supply chains and malware. In some cases, this correlation may simply involve malware samples that have the same names as certain files that are known to be disseminated on file-distribution sites and networks—spreading malware by claiming it is something else is a time-honored tactic used by attackers.
In other cases, a correlation can be drawn from the presence on the reporting computer of other threat families—including Win32/Keygen, Win32/Pameseg, and Win32/Gendows—that are strongly associated with file distribution activity. These indicator families were detected on 16.8 percent of all computers reporting detections in the first quarter of 2012, increasing to 17.2 percent of computers in the second quarter. Some of these indicator families are considered unwanted software rather than malware, but all can be taken as evidence that file distribution activity has probably occurred. By looking at malware detected alongside the indicator families and comparing it with malware detections reported by computers that don’t also report detections of indicator families, MMPC researchers can estimate the extent and impact of attackers’ abuse of the file distribution supply chain.
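The comparison described above can be reproduced on any per-computer detection telemetry: split reporting computers into those that also report an indicator family and those that do not, then compare how often each other malware family appears in the two groups. The following is an added illustration, not code from the report or from the MMPC; the three indicator family names are the ones named on the page, while the machine identifiers, the non-indicator family names (`Family/A`, `Family/B`, `Family/C`) and the detection records are constructed sample data, so the resulting percentages bear no relation to the 16.8 and 17.2 percent figures quoted in the text.

```python
"""Co-occurrence analysis: indicator families vs. other malware detections.

Added example. Telemetry below is constructed; only the indicator family
names come from the source text.
"""
from collections import Counter

# Indicator families the text associates with file distribution activity.
INDICATOR_FAMILIES = {"Win32/Keygen", "Win32/Pameseg", "Win32/Gendows"}

# Constructed sample telemetry: one record per reporting computer with the set
# of families detected on it during the period. Machine ids and the
# "Family/X" names are placeholders, not real detections.
SAMPLE_REPORTS = {
    "pc-01": {"Win32/Keygen", "Family/A"},
    "pc-02": {"Win32/Pameseg", "Family/A", "Family/B"},
    "pc-03": {"Win32/Gendows", "Family/A"},
    "pc-04": {"Family/B"},
    "pc-05": {"Family/C"},
    "pc-06": {"Family/B", "Family/C"},
    "pc-07": {"Family/A"},
    "pc-08": {"Family/C"},
    "pc-09": {"Win32/Keygen"},
    "pc-10": {"Family/C"},
}


def has_indicator(families):
    """True if the computer reported at least one indicator family."""
    return bool(families & INDICATOR_FAMILIES)


def indicator_share(reports):
    """Fraction of reporting computers that report an indicator family.

    This is the statistic the text gives as 16.8 / 17.2 percent.
    """
    if not reports:
        return 0.0
    flagged = sum(1 for fams in reports.values() if has_indicator(fams))
    return flagged / len(reports)


def family_prevalence(reports):
    """Prevalence of each non-indicator family in two groups of computers:
    those that also report an indicator family and those that do not.

    Returns {family: (rate_with_indicator, rate_without_indicator, lift)},
    where lift > 1 means the family is over-represented alongside the
    indicator families, i.e. a candidate for supply-chain distributed malware.
    """
    with_ind = {k: v for k, v in reports.items() if has_indicator(v)}
    without_ind = {k: v for k, v in reports.items() if not has_indicator(v)}

    counts_with = Counter()
    counts_without = Counter()
    for fams in with_ind.values():
        counts_with.update(f for f in fams if f not in INDICATOR_FAMILIES)
    for fams in without_ind.values():
        counts_without.update(f for f in fams if f not in INDICATOR_FAMILIES)

    result = {}
    for fam in set(counts_with) | set(counts_without):
        r_with = counts_with[fam] / len(with_ind) if with_ind else 0.0
        r_without = counts_without[fam] / len(without_ind) if without_ind else 0.0
        # A family never seen without indicators gets infinite lift; a family
        # never seen with them gets 0.
        lift = r_with / r_without if r_without else float("inf")
        result[fam] = (r_with, r_without, lift)
    return result


if __name__ == "__main__":
    print(f"indicator share: {indicator_share(SAMPLE_REPORTS):.1%}")
    for fam, (rw, rwo, lift) in sorted(family_prevalence(SAMPLE_REPORTS).items()):
        print(f"{fam}: with={rw:.1%} without={rwo:.1%} lift={lift:.2f}")
```

On the constructed data, `Family/A` appears on 75 percent of indicator-bearing computers but only about 17 percent of the rest (lift 4.5), which is the kind of disparity the text says MMPC researchers look for; `Family/C` never co-occurs with an indicator family (lift 0), so nothing in this sample ties it to file distribution. On real telemetry the same two-group comparison would need a minimum group size before a lift is trusted, since a family seen on a handful of machines produces unstable ratios.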