Information security threats in H1 2009: malware and rogue security software

Microsoft found that in the US, the UK, France and Italy, trojans were the largest information security threat category. China saw several language-specific browser-based threats and in Brazil, malware targeting online banking has been widespread. Spain and Korea saw the dominance of worms led by threats targeting online gamers.

In worldwide information security threat trends, Microsoft found that trojans, including rogue security software, remained the most prevalent category. Worms were the second most prevalent information security threat in the first half of 2009 having risen from fifth place in the second half of 2008. Password stealers and monitoring tools also rose, partially due to increases in malware targeting online gamers.

Jimmy Kuo, principal architect at the Microsoft Malware Protection Center, told Infosecurity: “Last year rogue [security software] jumped from obscurity to become the number one problem. This has now levelled off a bit. Worms, which were prevalent 10 years ago… had a resurgence last year.”

Looking at rogue security software, Kuo said the first half of 2009 saw 13.4 million computers detected and cleaned of rogue security software, down from 16.8 million in the second half of 2008.

Commenting on the fall, Kuo said: “We attribute it to the user education that we’ve been doing.”

“Internet Explorer 8 now has SmartScreen, and SmartScreen blocks access to some of the sites that cause rogue issues”, he added. The fall in infected computers does not mean a fall in malware attacks, just that computers appear to be better protected, Kuo explained.

Kuo recommended that users rely on reputable anti-malware products and not be fooled into thinking that a pop-up product is better than their own anti-malware because it has ‘found’ malware on their machine: “All that it’s doing is scaring you. Most likely there is no malware on your machine other than the one reporting that you have lots of malware.”

Worms and trojans

Kuo told Infosecurity that the number of worms almost doubled from H2 2008 to become “the most significant threat” in H1 of 2009.

One reason for the dramatic increase in worm infections could be the infection of corporate networks. “If you have a home network affected, that’s two or three machines, but if you have a corporate network, it could be 50 000 machines and so the count dramatically increases whenever you have a worm infecting a company”, Kuo said.

“The worms that are responsible for this drive include Conficker, AutoRun, Hamweq and Taterf. The combination of these worms accounts for one sixth of these threats encountered by the enterprise.”

Kuo said they all have the ability to utilise shared resources such as drives and servers. They can for example spread from a USB memory stick through the auto play setting on many computers.

“Because of that commonality Microsoft did a change to the operating system so it will only take such action such as auto play on media that’s likely to be read-only. So a memory stick won’t invoke auto play whereas your DVDs and CDs will”, Kuo explained.

The top information security threat for corporate environments was the Conficker worm, but in home environments, the worm did not even reach the top 10.

An example of a worm that steals login credentials for online games is Taterf, detections of which rose 156% to 4.9 million infected computers. Taterf spreads by copying itself to the root of all fixed and removable drives on the infected system and ensures it gets executed by creating an autorun.inf file there.

Despite its gaming target, Kuo said the worm is often found in the corporate environment. The reasons for this could be that employees’ home computers, which they also use for work, become infected and the infection is carried into the corporate environment when they plug in a USB stick to transfer their work; or that employees stay after hours at work to play games.

Kuo said it is therefore very important to have corporate guidelines and policies around the use of removable drives, and also to patch machines not yet updated with Microsoft’s OS patch disabling auto play on some drives.
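The autorun.inf trick described above can be checked for on any drive root. The following is an added example written for this article, not Microsoft’s tooling or anything from the report: it parses the [autorun] section tolerantly (worm-written files mix case and insert junk lines), extracts every key that would cause Windows to launch a program, and flags launch keys that point at a file sitting on the same drive, which is exactly what a self-copying worm such as Taterf produces. The file names, directory layout and sample autorun.inf contents are constructed for the example.

```python
"""Added example (not Microsoft's tooling): inspect a drive root for the
autorun.inf propagation trick described in the article, where a worm such as
Taterf drops itself on every fixed and removable drive and writes an
autorun.inf whose launch keys point back at the dropped file.
"""
import os
import re
import tempfile

# Keys in the [autorun] section that make Windows run something when
# AutoRun/AutoPlay handles the drive. Keys are compared case-insensitively.
LAUNCH_KEYS = (
    "open",
    "shellexecute",
    "shell\\open\\command",
    "shell\\explore\\command",
    "shell\\autoplay\\command",
)
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")


def parse_autorun(text):
    """Return {lower-cased key: value} from the [autorun] section.

    A tolerant line parser is used instead of configparser because worm-written
    files often mix case, insert junk lines and ignore whitespace conventions.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith((";", "#")):
            continue
        section = re.match(r"\[(.+?)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(command):
    """Program part of a command line: quoted path or first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def launch_targets(entries):
    """(key, program) pairs for every launch key present in the parsed section."""
    return [(key, first_token(entries[key])) for key in LAUNCH_KEYS if entries.get(key)]


def assess_drive_root(root):
    """Findings for one drive root; an empty list means no launch key was found.

    A finding is raised when a launch key names an executable-looking file or a
    file that actually exists on the same drive, the pattern a self-copying
    worm produces. The 'action' value is reported because worms set it to mimic
    the normal "Open folder to view files" entry in the AutoPlay dialog.
    """
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return []
    with open(inf_path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    findings = []
    for key, target in launch_targets(entries):
        relative = target.replace("\\", os.sep).lstrip(os.sep)
        on_drive = os.path.isfile(os.path.join(root, relative))
        looks_executable = target.lower().endswith(EXEC_EXTENSIONS)
        if on_drive or looks_executable:
            findings.append({
                "key": key,
                "target": target,
                "on_drive": on_drive,
                "spoofed_action": entries.get("action"),
            })
    return findings


# Constructed sample, modelled on the layout the article describes; the file
# names and the junk line are made up for this example.
SAMPLE_WORM_AUTORUN = r"""
[AutoRun]
;garbage line some variants insert to trip naive parsers
open=RECYCLER\worm.exe
shellexecute=RECYCLER\worm.exe /autorun
shell\Open\Command=RECYCLER\worm.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
"""


def demo():
    """Build a throwaway 'drive root' containing the sample and assess it."""
    root = tempfile.mkdtemp(prefix="autorun_demo_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "worm.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real program
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_WORM_AUTORUN)
    return assess_drive_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine a caller would pass each mounted drive letter (or each network share mount point) to assess_drive_root instead of the temporary directory demo() builds; the sample run yields three findings, one per launch key, all pointing at the dropped file on the same drive. A benign autorun.inf that only sets label and icon produces no launch targets and therefore no finding.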

Win32/Zlob trojans, which often pose as downloadable media codecs, fell almost tenfold, from a peak of 21.1 million to 2.3 million disinfections recorded through Microsoft’s Malicious Software Removal Tool (MSRT) in the first half of 2009.

Kuo said Microsoft kept adding signatures that would address all the variants of the trojans, and in the end, a message appeared in one of the Zlob variants where the malware authors acknowledged Microsoft’s effort, and that they would give up.

Phishing

Microsoft said phishing impressions rose “significantly” in the last period, primarily due to an increase in phishing attacks targeting social networking sites, which quadrupled in May.

Email and spam

Looking at email traffic and spam, Microsoft said its Forefront Online Protection for Exchange (FOPE) blocked 97.3% of all messages received at the network edge in the first half of 2009, up from 92.2% in the second half of 2008.

Spam was dominated by product advertisement – primarily pharmaceutical products.

Data loss

The top data loss threat continued to be stolen equipment such as computers, which accounted for 30% of reported data loss incidents.

Security breaches from hacking or malware incidents remained below 15% of the total.

Information security measures

Despite the ‘miscellaneous potentially unwanted software’ category increasing from 35% of malware impressions in the second half of 2008 to 44.5% in the first half of 2009, the percentage of computers cleaned decreased from 22.8% to 14.9% suggesting that “SmartScreen and similar technologies may be successfully intercepting these threats before they are downloaded to computers”, Microsoft said.

Furthermore, Kuo highlighted that countries and regions deploying community-based defences against information security threats are largely successful in combating them.

Information security threat trends for 2010

Asked about expected information security threat trends for 2010, Kuo said: “Hopefully if we can get corporations to enact the recommendations we have surrounding network shares [e.g. disabling auto play, implementing updates, etc.], that will take a big bite out of a worm’s ability to spread in a corporate environment. So we hope soon that worms will be curtailed.”

Kuo warned that if companies do not protect their network shares, worms could rise from their second place to a number one information security threat.

Rogue security software “will still play a major role”, Kuo said, but with the SmartScreen filtering in Internet Explorer 8 and the launch of free Microsoft Security Essentials, the defences have been reinforced.
