First published: 30th April 2009
Microsoft highlights the rise of rogue security software that uses fear and annoyance tactics to convince victims to pay for “full versions” of the software in order to remove malware and protect themselves from it, to stop the continual alerts and warnings, or both. Microsoft also provides various statistics relating to vulnerabilities and disclosures, noting that operating system vulnerabilities are declining as more are found in browsers and other applications.
Several comparisons between XP and Vista show a much lower level of vulnerability exploits and malware infections in the newer OS. Whether this is because Vista is inherently more secure, or just less targeted by attackers because it is unpopular, cannot be deduced from the statistics. The data from Microsoft's Malicious Software Removal Tool (MSRT) shows that, even in the most heavily infected countries, such as Russia, Brazil and Turkey, MSRT discovers malware less than 3% of the times it is run. Whether this is because malware prevalence is low, because MSRT is not good at discovering malware, or because the self-reporting introduces sampling bias (e.g. people who use MSRT and discover malware on their computer remove the infection and then keep running MSRT regularly, while other computers never have MSRT run and remain infected and uncounted) is unknown.
Microsoft's report finds that 97% of email is unwanted, being spam, or carrying malicious software or phishing attacks.
F-Secure describes the story of January to March as "Worms, worms and more worms".
F-Secure highlights Conficker (Downadup) as the biggest malware story of 2009 so far. It is a classic worm exploiting vulnerabilities in Microsoft Windows, of a type that has not been seen in the past few years. However, Conficker has advanced features such as heavy encryption, peer-to-peer functionality that lets infected computers communicate with each other without the need for a server, and the ability to convert and update itself.
Mikko Hyppönen, F-Secure's Chief Research Officer, says: "The authors behind Conficker are professionals. They have infected millions of computers, and could do anything they wanted with them. The mystery is why they haven't done that. Not yet, anyway."
Conficker changed operation modes on April 1st, gaining front-page media coverage worldwide. However, the gang behind the worm took no immediate action with their botnet. The mystery continues.
Worms have also started using social networking. The latest variant of the Koobface worm spreading on Facebook steals your logon credentials for Facebook. It logs in, steals your picture and friends' e-mail addresses, creates a fake YouTube page with your Facebook photo and then sends an e-mail to your friends saying they've been tagged in a video on YouTube.
"When you get a message in Facebook from a friend, you tend to trust the message to be real. And when people follow a 'funny link' to a video and are prompted to 'update' their player, they easily fall for these attacks," Hyppönen explains.
The first quarter was also historic, as it saw the birth of the first SMS worm, Sexy View, designed for smartphones. Sexy View, like Koobface, is a social engineering worm which uses the contacts stored on your smartphone to spread. It sends a text message to your contacts telling them to check out some hot pictures and offers a link to a website.
Your contacts follow the URL because it came from you. They are asked to install an application, which then sends the worm to all their contacts. The worm sends information about the phone to its makers, who then use this information to send SMS spam.
"Sexy View is important in many ways," Hyppönen continues. "It is the first text message worm ever. It's also the first mobile phone worm that circumvents the signature checks that are meant to secure the latest smartphones. And the motive behind it seems to be to collect information for mobile phone spamming purposes. Mobile phone spam is already a big problem in some parts of the world - eventually it will be an issue everywhere."