Where does malware come from?
On Windows machines, some malware comes from drive-by downloads. You visit a website, you get infected by a piece of script that triggers a buffer overflow that allows the malware to stealthily install.
If you keep your system fully patched, you are almost certainly not that victim. Those types of attacks are typically successful only with PC owners who haven’t installed the latest security updates. Most such exploits, in fact, target vulnerabilities that were patched years earlier. A 2009 Kaspersky report concluded, “With very few exceptions, the exploits in circulation target software vulnerabilities that are known – and for which patches are available.”
The number of drive-by installations is small. So how does the majority of malware get on a PC or Mac? Most attacks today succeed by convincing the victim to do the actual work.
A 2010 study by Bruce Hughes of AVG Technologies, says “Social engineering trumps a zero-day every time.” It concludes that “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.”
How do those big numbers translate into the actual families of malware that end up on user’s machines? You can get a pretty good idea by looking at data from Microsoft’s most recent Security Intelligence Report. The report contains two interesting top 10 lists representing threats faced by consumer and enterprise populations, respectively. In all, this combined list accounts for between 54% and 56% of all malware that was detected on Windows PCs by any Microsoft security product in 2010.
Let’s go through the list (note that because of overlap between the consumer and enterprise lists there are fewer than 20 entries here).
The biggest infection of 2010, by far, was Conficker. This is a worm that spreads via file shares, mostly on corporate networks. At its peak, it represented 22% of all infections detected on domain-joined computers.
Conficker’s means of propagation is a vulnerability in the Windows Server service. This vulnerability was fixed in October 2008 by Security Bulletin MS08-067, which patched Windows 2000, XP, Vista, Server 2003, and Server 2008. (Windows 7 was never affected.) There’s no excuse for that patch not being installed nearly two years later, in 2010.
The lists contain multiple families classed as Trojans, which typically rely on social engineering to spread:
- Frethog and Taterf are password-stealing Trojans that show up in both the consumer and enterprise populations. They were originally identified in May and June 2008, respectively.
- Alureon (aka Zlob) is a data-stealing Trojan found mostly in the enterprise space. It dates all the way back to March 2007.
- Renos is a family of fake security software that’s classified as a Trojan Downloader & Dropper, much like Mac Defender. It dates back to April 2007. FakeSpypro, a more recent variant, was originally identified in May 2010.
RealVNC, a legitimate remote terminal program, also made it on the list, under the category Potentially Unwanted Software. If it’s installed by an intruder, it can be used for malicious purposes. It was detected on more than 5% of domain-joined PCs.
In the consumer populations, four browser-based families of threats—not malicious, just annoying—made the Top 10 list. All are typically installed by means of social engineering.
- Adware:JS/Pornpop.A, added to the encyclopedia in August 2010, isn’t a piece of software at all. It’s a snippet of script from a web page that is activated within an iFrame in any browser. Microsoft’s security software usually picks up on this one when it scans the browser’s cache.
- Zwangi is a browser hijacker, first spotted in October 2009.
- Hotbar, which has been around as long as I can remember, is an annoying adware program.
- ClickPotato is a relatively new family of “multi-component adware” that displays pop-ups and ads. It often tags along with Hotbar.
The latter three programs are typically installed along with smileys and other bits of fluffy software aimed at noobs and rubes.
Finally, there are a family of interesting Trojans that combine social engineering with the AutoRun feature of USB drives and file shares:
- Autorun is a generic worm that attempts to copy itself to mapped drives, then writes an autorun configuration file (Autorun.inf) pointing to the executable file. It’s usually accompanied by other malware variants
- Rimecud is a backdoor that spreads by way of removable drives and instant-messaging programs.
- Hamweq is an IRC-based backdoor program that spreads via flash drives.
The AutoRun feature doesn’t actually install the malware. Instead, it uses the AutoRun feature to open a dialog box that tries to trick the user into running an installer.
The behavior that made this social engineering possible was changedbefore Windows 7 was released. The behavior was modified in the same fashion for Windows XP and Windows Vista by means of Optional updates that were published in February 2009 (KB967940) and August 2009 (KB971029). As of February 2011, they are delivered as Important updates through Windows Update.
So add it all up. Among the top 10 threats in both the consumer and enterprise populations, one exploited a vulnerability that had been patched more than a year earlier, and the rest consisted of Trojans and worms that relied on social engineering to land on a victim’s PC.