Recently I had the opportunity to speak at the Security Education Conference Toronto (SecTor) 2012, the largest security conference in Canada. SecTor drew more than 1,000 attendees and had a great group of speakers.
At the conference I presented two sessions on two different topics: the threat landscape in Canada and cloud security standards. My presentation on the threat landscape in Canada was based on data from several volumes of the Microsoft Security Intelligence Report, including volume 13 (SIRv13), which we released on October 9.
The threat landscape in Canada is interesting because the categories and families of threats found there have become more serious over time, even though the country has a relatively low malware infection rate. For example, in the first quarter of 2011 (1Q11), adware made up 58% of the threats Microsoft found on infected systems in Canada. I consider adware a less severe threat than Trojans or exploits because adware typically does not compromise a system with the intent of stealing the user's identity or giving attackers remote control of it. But over the past year the share of adware found in Canada has fallen relative to more severe threats like Trojans and exploits. In the second quarter of 2012 (2Q12) adware accounted for less than 25% of the threats found on infected systems, while Trojans and exploits were found on 45% and 25% of those systems, respectively. (These category figures are not mutually exclusive: a single computer can report detections in more than one category in the same quarter, so the percentages can add up to more than 100%.)
Figure 1 (left): CCM infection trends in Canada and worldwide; Figure 2 (right): Malware and potentially unwanted software categories in Canada in 4Q11, by percentage of computers reporting detections
The list of top threats found in Canada in 2Q12 includes two exploits: Java/Blacole, the detection for the so-called "Blackhole" exploit kit, and Java/CVE-2012-0507, a detection for malicious Java applets that exploit a vulnerability in the Java Runtime Environment (JRE) component of certain versions of Oracle Java. Note that Java/Blacole also uses Java/CVE-2012-0507. I have written about this exploit kit in the past: The Rise of the "Blackhole" Exploit Kit: The Importance of Keeping All Software Up To Date. From the first half of 2011 through the second quarter of 2012, Microsoft anti-malware products detected or blocked more than 20 million Java vulnerability exploit attempts in Canada. Every vulnerability targeted already had a security update available at the time, including CVE-2010-0840, CVE-2008-5353, CVE-2010-0094 and CVE-2009-3867; the exploit kits succeed only on systems where Java has not been updated.
Figure 3: The top 10 malware and potentially unwanted software families in Canada in 2Q12
The second most common threat family in Canada in 2Q12 was JS/IframeRef, which was found on 9.2% of computers with detections in Canada. JS/IframeRef is a generic detection for specially formed IFrame tags that point to remote websites hosting malicious content. These tags are typically injected into compromised but otherwise legitimate web pages, usually in a form the visitor cannot see, so that the page silently loads the attacker's content, for example an exploit kit landing page.
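To make the JS/IframeRef description concrete, here is a small scanner that flags the kind of injected IFrame this generic detection covers. This is an added example written for this page, not Microsoft's detection logic or code from the original post. Its heuristics are assumptions chosen for illustration: an <iframe> whose src points to a host other than the page's own, combined with a hiding trick (0 or 1 pixel width or height, display:none, visibility:hidden, or a large negative left/top offset). The sample pages and host names in it are constructed for the example.

```python
"""
Added example: a heuristic scanner for hidden cross-site iframes of the kind
that generic detections such as JS/IframeRef target. Heuristics and sample
pages are assumptions constructed for illustration, not Microsoft's logic.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed threshold: an element pushed this far off-screen is treated as hidden.
OFFSCREEN_PX = 1000


def _style_props(style):
    """Parse 'a: b; c: d' into a lowercase dict (tolerates sloppy input)."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            key, value = decl.split(":", 1)
            props[key.strip().lower()] = value.strip().lower()
    return props


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel, with or without 'px'."""
    m = re.match(r"^\s*(\d+)\s*(px)?\s*$", value or "")
    return bool(m) and int(m.group(1)) <= 1


def _is_offscreen(value):
    """True for left/top offsets at or beyond -OFFSCREEN_PX pixels."""
    m = re.match(r"^\s*-(\d+)\s*(px)?\s*$", value or "")
    return bool(m) and int(m.group(1)) >= OFFSCREEN_PX


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframe_is_hidden(attrs):
    """Return a short reason if the iframe looks hidden from the user, else None."""
    if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
        return "tiny dimensions"
    style = _style_props(attrs.get("style", ""))
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return "css hidden"
    if _is_tiny(style.get("width")) or _is_tiny(style.get("height")):
        return "tiny dimensions"
    for key in ("left", "top"):
        if _is_offscreen(style.get(key)):
            return "off-screen position"
    return None


def scan_html(html, page_host):
    """Return [(src, reason)] for hidden iframes that load content from another host.

    Same-host and relative iframes are ignored: the injection pattern of interest
    pulls content from an attacker-controlled site, not from the page's own.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        host = urlparse(src).hostname
        if not host or host.lower() == page_host.lower():
            continue
        reason = iframe_is_hidden(attrs)
        if reason:
            findings.append((src, reason))
    return findings


# Constructed sample pages (not captured from real sites).
CLEAN_PAGE = (
    '<html><body><iframe src="/video.html" width="640" height="360"></iframe>'
    "</body></html>"
)
INJECTED_PAGE = (
    "<html><body><p>Welcome</p>"
    '<iframe src="http://landing.example/load.php" width="1" height="1" frameborder="0"></iframe>'
    '<iframe src="http://cdn.example/ad" style="position:absolute; left:-5000px"></iframe>'
    '<iframe src="https://partner.example/widget" width="300" height="250"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page, "victim.example"))
```

The visible 300x250 partner iframe in the constructed injected page is deliberately left unflagged: a cross-site iframe on its own is normal web content, and it is the combination of a foreign source with a hiding trick that makes the tag suspicious. Real detection engines also handle obfuscated JavaScript that writes the iframe at runtime, which a static HTML pass like this one does not see.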
Figure 4 (top): Example Win32/Winwebsec brands; Figure 5 (bottom): example images/dialogs used by Win32/FakePAV
I recently wrote an article on Win32/Keygen, the number eight threat on the list of top threats in Canada. Win32/Keygen is a family of tools that generate license keys for various software products. By nature, Keygen is not malicious. However, because it is commonly bundled with malware or leads to malware, it should be avoided: on 76% of the systems where we found Win32/Keygen, we also found other threats.
Figure 6: Windows Update and Microsoft Update usage in Canada and worldwide
Figure 6 shows the growth in the number of computers connecting to Windows Update and Microsoft Update in Canada over the last four years, indexed to the total usage of both services in Canada in 2008. In 2012, the number of computers connecting to Windows Update and Microsoft Update in Canada was up 2.9% from 2011, and up 30.0% from 2008. By comparison, worldwide use of the two services increased 18.3% between 2011 and 2012, and 59.7% from 2008 to 2012. Of the computers using the two update services in Canada in 2012, 81.7% were configured to use Microsoft Update, compared to 58.5% worldwide. That distinction matters: Windows Update delivers updates for Windows only, while Microsoft Update also delivers updates for other Microsoft products such as Office, so a computer opted in to Microsoft Update closes more of the gaps that exploit kits target.
Canadians are doing a great job keeping the malware infection rate low in their country, but attackers are using every trick they have to try to change this positive trend.