Since releasing the new Microsoft Security Intelligence Report Volume 12 (SIRv12) a few weeks ago, one of the top questions I have been asked is about the new malware infection rate data for Windows operating systems.
Figure 1: Infection rate (CCM) by operating system and service pack in the fourth quarter of 2011
Figure 2: Infection rate trends for currently and recently supported 32-bit versions of Windows XP, Windows Vista, and Windows 7, third quarter 2010 (3Q10) – fourth quarter 2011 (4Q11)
Why is Windows XP Service Pack 3’s malware infection rate lower than that of Windows Vista SP1?
There are likely several factors contributing to this trend, but I’ll offer an educated guess about some of them.
Malware that abused the Autorun feature to infect systems was especially successful on Windows XP-based systems. About a year ago I wrote an article called Defending Against Autorun Attacks in which I outlined what Microsoft was doing to fight these threats and shared some of the preliminary results of these efforts. To summarize, Microsoft released security updates for Windows XP and Windows Vista that hardened the Autorun feature on these platforms the same way it is hardened on Windows 7 by default. Shortly after this security update was released, we saw a precipitous decrease in Autorun-related malware infections on Windows XP and Windows Vista systems.
Figure 3: Illustration of the decline in ‘Autorun’ threats among Windows XP and Windows Vista systems as previously published on the Microsoft Malware Protection Center blog
The good news is that the malware infection rate on Windows XP Service Pack 3 (SP3) systems decreased from 10.9 systems found infected with malware for every 1,000 systems scanned with the Microsoft Malicious Software Removal Tool (MSRT) in the second quarter of 2011 to 8.6 in the fourth quarter. This is primarily due to the continued drop in infections by malware that abuses the Autorun feature on Windows XP SP3-based systems. Examples of such families, and how much their infection rates dropped, include:
- Win32/Autorun – CCM decreased by 81.37% between 1Q11 and 4Q11
- Win32/Rimecud – CCM decreased by 82.92% between 1Q11 and 4Q11
- Win32/Taterf – CCM decreased by 73.72% between 1Q11 and 4Q11
- Win32/Vobfus – CCM decreased by 44.69% between 1Q11 and 4Q11
Another malware family that abuses the Autorun feature is Win32/Conficker. New data released in SIR volume 12 provides some insight into how Conficker uses Autorun feature abuse, broken down by operating system. As seen in Figure 4, in the last quarter of 2011 Conficker was observed attacking Windows XP systems via Autorun feature abuse only 2% of the time. Although Conficker is the top threat in enterprise environments, it is not among the top ten threats found on systems in non-domain-joined environments, such as homes.
Figure 4. Blocked Conficker infection attempts by operating system
The factors I outlined here are certainly contributing to the reduced malware infection rate of Windows XP SP3-based systems in the last half of 2011. It’s also important to note that support for Windows Vista Service Pack 1 (SP1) was retired on July 12, 2011. This means that Windows Vista SP1-based systems no longer automatically receive security updates, which helps explain the sudden and sharp increase in the malware infection rate on that specific platform. Support for Windows XP SP2 was retired on July 13, 2010, and end of support for Windows XP is April 8, 2014.
Call to Action
- If you are still running systems with Windows XP SP2 or Windows Vista SP1 in your environment, you need to install the latest service pack on these systems immediately, as they are no longer automatically receiving security updates from Microsoft.
- If you haven’t already, deploy the security updates in your environment that harden the Autorun feature. No action is required for Windows 7-based systems, as their Autorun feature is hardened by default.
- Enforce a strong password policy in your environment. As I wrote in my last article, Conficker uses a hardcoded list of ridiculously simple passwords that hasn’t changed in years to attack enterprise systems, and it continues to be successful using this tactic. If an old automated threat like Conficker can do this, determined adversaries targeting your organization can do this too, without using any “advanced” techniques.
- Deploy security updates for all software you have in your environment in a timely manner; this includes all software from all vendors, not just Windows operating systems.
- Use anti-malware software from a reputable vendor and keep it up to date.
- Use newer versions of software and newer service packs where possible to get the security benefits of the latest development practices, tools and security mitigations.
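As an added example (not code from the original post), the following PowerShell script audits a single Windows host against two of the items above: whether it runs a service pack level that still receives security updates (Windows XP SP2 and Windows Vista SP1 are flagged) and whether the NoDriveTypeAutoRun Explorer policy covers removable drives. It assumes PowerShell 2.0 or later with read access to HKLM, and it checks only the explicit policy, not whether the Autorun hardening update itself is installed.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ with
# read access to HKLM; the functions return strings so the findings can be
# collected from many hosts by existing inventory tooling.

function Get-OsSupportFinding {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $sp  = [int]$os.ServicePackMajorVersion
    $ver = [version]$os.Version   # e.g. 5.1.2600 (XP), 6.0.6001 (Vista SP1)
    if ($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $sp -lt 3) {
        return "FAIL: Windows XP SP$sp no longer receives security updates (SP2 support ended July 13, 2010); install SP3"
    }
    if ($ver.Major -eq 6 -and $ver.Minor -eq 0 -and $sp -lt 2) {
        return "FAIL: Windows Vista SP$sp no longer receives security updates (SP1 support ended July 12, 2011); install SP2"
    }
    return "OK: $($os.Caption) SP$sp is a supported service pack level"
}

# NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is
# disabled: 0x04 = removable drives, 0xFF = all drive types.
function Get-AutorunPolicyFinding {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        return "WARN: NoDriveTypeAutoRun policy not set; AutoRun behaviour depends on OS defaults and the hardening update"
    }
    $mask = [int]$item.NoDriveTypeAutoRun
    if (($mask -band 0x04) -eq 0) {
        return ("WARN: NoDriveTypeAutoRun (0x{0:X2}) does not disable AutoRun for removable drives" -f $mask)
    }
    return ("OK: NoDriveTypeAutoRun (0x{0:X2}) disables AutoRun for removable drives" -f $mask)
}

Get-OsSupportFinding
Get-AutorunPolicyFinding
```

On Windows 7, and on Windows XP or Vista with the hardening update installed, autorun.inf on removable media is already ignored, so a WARN from the policy check there means only that the explicit Group Policy backstop is absent.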
Director, Trustworthy Computing