In the six or seven years that we have been publishing the Microsoft Security Intelligence Report (SIR) I have seen many trends emerge over time. The threat landscape is constantly changing as attackers try to find methods that will help them compromise the systems they target. For several years viruses (file infectors) seemed to be out of favor with attackers as they used other categories of threats to attack systems.
Viruses simply didn’t support the profit motive many attackers had in the same way that Trojan Downloaders and Droppers, Miscellaneous Trojans, and Password Stealers and Monitoring Tools all did. Viruses are threats designed in an era before ubiquitous Internet connectivity made it easier for Worms to successfully self-propagate. Worms like SQL Slammer and Blaster spread around the world in minutes. An old-fashioned file infector would likely take much, much longer to accomplish this, limiting its ability to infect large numbers of systems quickly. Additionally, Viruses tend to be relatively “noisy” threats, as they typically try to infect large numbers of files (.exe, .dll, .scr) on the systems they compromise. This characteristic can make them easier to detect than other, more blended threats.
Consequently, I have rarely seen the Virus threat category found on more than 5 percent of systems with detections globally. There have been regional exceptions like Korea, Russia, and Brazil, where I have seen relative Virus levels reach between 10 and 15 percent. But more recently I have noticed that Viruses seem to be making a comeback. As seen in Figure 1, the relative prevalence of Viruses has been trending up. The prevalence worldwide for the Virus threat category was 7.8 percent in the fourth quarter of 2012 (4Q12).
Systems that host and distribute malware are located all over the world. These systems have typically been compromised and are being used for illicit purposes unbeknownst to the administrators of the systems. These compromised machines can be personal computers located in homes and small businesses, as well as servers in data centers.
Some background information
To get a sense of how attackers use malware hosting servers, consider drive-by download attacks as one example. A drive-by download site is a website that hosts one or more exploits that target specific vulnerabilities in web browsers and browser add-ons. Malware distributors use various techniques to attempt to direct internet users to websites that have been compromised or are intentionally hosting hostile code. Users with vulnerable computers can be secretly infected with malware simply by visiting such a website, even without attempting to download anything themselves. I have written about drive-by download attacks before: What You Should Know About Drive-By Download Attacks part 1, part 2.
The RSA Conference in San Francisco is over for another year. I want to thank all those conference attendees who attended one of the many activities Microsoft had going on during the week or took time to visit our booth.
Special thanks to those conference attendees who attended the breakout session that Jeff Jones and I hosted on the Microsoft Security Intelligence Report. The session was well attended and we had some great questions during and after the session. It was a lot of fun for both Jeff and me!
I have written about the threat landscape in Korea a few times in the past as it has been one of the most active threat landscapes in the world for some time:
- A Very Active Place - The Threat Landscape in the Republic of Korea
- Koreans Vanquish Top Malware Threat, Threat Landscape Continues to be Incredibly Active
- The Threat Landscape in Asia & Oceania – Part 2: Korea and Japan
Data from the Microsoft Security Intelligence Report volume 13 indicates that Korea’s malware infection rate (Computers Cleaned per Mille, or CCM) increased 6.3 times during the first half of 2012. During this period the number of systems cleaned per 1,000 systems scanned by the Microsoft Malicious Software Removal Tool (MSRT) in Korea increased from 11.1 in the fourth quarter of 2011 (4Q11) to 70.4 in the second quarter of 2012 (2Q12). At the end of the first half of 2012 Korea had the highest malware infection rate ever published in the Microsoft Security Intelligence Report, ten times the worldwide average infection rate.
This morning, Adrienne Hall, General Manager for Trustworthy Computing delivered a keynote speech at RSA Europe and announced the availability of the Microsoft Security Intelligence Report volume 13 (SIRv13). It’s hard to believe that it’s been over six years since we published the first volume of the report. The report has evolved a lot since then, but our goal has always remained the same: to provide our customers with the most comprehensive view into the threat landscape so they can make informed risk management decisions.