In the six or seven years that we have been publishing the Microsoft Security Intelligence Report (SIR) I have seen many trends emerge over time. The threat landscape is constantly changing as attackers try to find methods that will help them compromise the systems they target. For several years viruses (file infectors) seemed to be out of favor with attackers as they used other categories of threats to attack systems.
Viruses simply didn't support the profit motive many attackers had in the way that Trojan Downloaders and Droppers, Miscellaneous Trojans, and Password Stealers and Monitoring Tools did. Viruses were designed in an era before ubiquitous Internet connectivity made it easy for Worms to self-propagate. Worms like SQL Slammer and Blaster spread around the world in minutes; an old-fashioned file infector would likely take much, much longer to do the same, limiting its ability to infect large numbers of systems quickly. Additionally, Viruses tend to be relatively "noisy" threats: they typically try to infect large numbers of files (.exe, .dll, .scr) on the systems they compromise, and that characteristic can make them easier to detect than more blended threats.
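The "noisiness" described above is something a defender can measure directly: a software update touches a handful of binaries, whereas a file infector rewrites a large share of the executables on a box in one sweep. The following is an added example, not code from the SIR or from Microsoft, showing a baseline-and-diff check over .exe/.dll/.scr files. The directory layout, the file contents, the "infection" (bytes appended to three of four fake executables) and the 25 percent threshold are all constructed assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# File types a classic Windows file infector rewrites (the ones named in the text).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, tuple[str, int]]:
    """Map each executable under root (POSIX-style relative path) to (sha256, size)."""
    baseline: dict[str, tuple[str, int]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (hash_file(path), path.stat().st_size)
    return baseline


def diff_baseline(root: Path, baseline: dict[str, tuple[str, int]]) -> dict[str, list[str]]:
    """Compare the current state of root against a previously stored baseline."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k][0] != baseline[k][0])
    # An appending infector adds its code to the host file, so an infected file grows.
    grew = [k for k in modified if current[k][1] > baseline[k][1]]
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "grew": grew, "added": added, "removed": removed}


def looks_like_file_infector(report: dict[str, list[str]], baseline_size: int,
                             threshold: float = 0.25) -> bool:
    """Flag when a large share of baselined executables changed in one interval.
    The 25% threshold is an assumed tuning value, not a published figure."""
    if baseline_size == 0:
        return False
    return len(report["modified"]) / baseline_size >= threshold


def demo() -> dict:
    """Constructed scenario: four fake executables in a temp dir, three get 'infected'
    by having bytes appended, and one new executable appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        names = ["bin/app.exe", "bin/helper.dll", "bin/saver.scr", "bin/tool.exe"]
        for name in names:
            (root / name).write_bytes(b"MZ" + os.urandom(64))   # fake PE-like content
        (root / "bin" / "readme.txt").write_text("not an executable, ignored")
        baseline = build_baseline(root)

        for name in names[:3]:                                 # simulated infection
            with (root / name).open("ab") as fh:
                fh.write(b"\x90" * 16)
        (root / "bin" / "dropped.exe").write_bytes(b"MZ" + os.urandom(16))

        report = diff_baseline(root, baseline)
        return {"report": report,
                "verdict": looks_like_file_infector(report, len(baseline))}


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    print("file-infector-like activity:", result["verdict"])
```

In the constructed run three of four baselined executables change hash and grow, so the check fires; a single patched binary would stay well under the threshold. The same baseline would also surface the quieter case, a single dropped .exe, in the "added" list without raising the verdict.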
Consequently, I have rarely seen the Virus threat category found on more than 5 percent of systems with detections globally. There have been regional exceptions like Korea, Russia, and Brazil, where I have seen relative Virus levels reach between 10 and 15 percent. But more recently I have noticed that Viruses seem to be making a comeback. As seen in Figure 1, the relative prevalence of Viruses has been trending up. The worldwide prevalence of the Virus threat category was 7.8 percent in the fourth quarter of 2012 (4Q12).
Figure 1: Detections by threat category, 3Q11–4Q12, by percentage of all computers reporting detections. Note: totals for each time period may exceed 100 percent because some computers report more than one category of threat in each time period.
Locations with high levels of Viruses included Pakistan (Viruses found on 44% of systems with detections), Indonesia (40%), Ethiopia (40%), Bangladesh (38%), Somalia (37%), Egypt (36%), and Afghanistan (35%). Looking at this list of locations, most of these places do not have the same levels of Internet connectivity and bandwidth that locations in North America and Europe have. Based on analysis published in the Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance, we saw a -0.6 correlation between broadband penetration and regional malware infection rates. Looking at 2011 broadband subscription rates (broadband subscriptions per 100 inhabitants) using data from the International Telecommunication Union, we can see relatively low broadband penetration in locations with relatively high levels of Viruses: Bangladesh (0.31), Ethiopia (0.01), Egypt (2.21), and Indonesia (1.13).
Although we don’t have complete data for all the aforementioned locations, we can see that 30 percent to 40 percent of computers in some of these locations do not have up-to-date real-time anti-virus software installed, compared to the worldwide average of 24 percent. These insights might help explain why Viruses are relatively prevalent in these locations compared to other places.
The most prevalent virus detected by Microsoft globally is Win32/Sality, as seen in Figure 2. In 2012 Microsoft detected Sality on 8,204,434 computers worldwide. Sality is a family of polymorphic file infectors that target executable files with the extensions .scr or .exe, and may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. Sality's author(s) later added the ability to exploit CVE-2010-2568, the Windows Shell shortcut (LNK) vulnerability addressed by security bulletin MS10-046, on systems that do not have that update installed. This is one of the vulnerabilities that the Stuxnet worm used.
Sality is one of the top five detections on Windows XP, as seen in Figure 3. Sality hasn’t been as successful on newer versions of Windows.
Figure 2 (left); Figure 3 (right): The malware and potentially unwanted software families most commonly detected by Microsoft antimalware solutions in 4Q12, and how they ranked in prevalence on different platforms, as published in the Microsoft Security Intelligence Report Volume 14
Sality's success shows that file infectors can still be successful. Unlike the virus writers of yesteryear, attackers today are trying to steal information, sometimes by turning on computers' microphones and cameras.
The good news is that Viruses are relatively easy to defend against.
- Know thy enemy: to learn more about Sality, check out the Microsoft Malware Protection Center’s blog on this threat: http://blogs.technet.com/b/mmpc/archive/2010/07/30/stuxnet-malicious-lnks-and-then-there-was-sality.aspx
- Keep all the software on your system up-to-date with the latest security updates. Run newer software wherever possible.
- Run up-to-date real-time anti-virus from a vendor you know and trust.
- Avoid transferring data via removable media like USB drives unless you have to.