New data in the Microsoft Security Intelligence Report volume 15 indicates that the malware infection rate of the United States increased sharply between the fourth quarter of 2012 and the first half of 2013. The Malicious Software Removal Tool (MSRT) cleaned malware on 8.0 of every 1,000 computers scanned (Computers Cleaned per Mille, or CCM) in the US in the second quarter of 2013, compared to a worldwide average of 5.8 in the same quarter. This was more than double the US infection rate of 3.3 in the fourth quarter of 2012, as illustrated in Figures 1 and 2. Until this increase, with the exception of the third quarter of 2011, the US had enjoyed infection rates consistently below the worldwide average, and the fourth quarter of 2012 was one of the lowest CCMs recorded for the US in the history of the Microsoft Security Intelligence Report.
The encounter rate, the percentage of computers running Microsoft real-time security products that reported detecting or blocking malware, increased only slightly in the US during this period, from 13.4 percent in the fourth quarter of 2012 to 14.1 percent in the first quarter of 2013. This is well below the worldwide average encounter rate of 17.8 percent in the first quarter of 2013. The US encounter rate then decreased to 11.5 percent in the second quarter of 2013, even though the infection rate remained relatively high. The two measures can diverge because an encounter is malware that real-time protection detected, whereas the CCM counts infections that MSRT had to clean; a threat that reaches computers without up-to-date real-time protection raises the CCM without raising the encounter rate.
Figure 1 (left): Malware infection and encounter trends in the United States and worldwide from the third quarter of 2012 (3Q12) to the second quarter of 2013 (2Q13); Figure 2 (far right): Malware infection trend in the United States and worldwide from the first quarter of 2011 (1Q11) to the second quarter of 2013 (2Q13)
The sudden increase in the CCM in the US in the first half of 2013 can be attributed primarily to sharp increases in the infection rates of two threat families: Win32/Alureon and Win32/Sirefef. Both families are on the list of top threats in the US in the second quarter of 2013, as seen in Figure 3. Note that Win32/Alureon was not on the list of top threats in the US just two quarters earlier (Figure 4), and it was not among the top 10 most encountered threats worldwide either (Figure 5), which helps put the sudden rise in US detections into perspective. Similarly, comparing Sirefef detections in the US in the second quarter of 2013 (1.5% in Figure 3) with worldwide detections of the same threat in the same period (0.71% in Figure 5) illustrates Sirefef's disproportionate prevalence in the US.
Win32/Alureon is a family of data-stealing Trojans that has been in circulation for many years. Alureon gathers confidential information such as user names, passwords, and credit card data from incoming and outgoing Internet traffic. It may also download additional malicious content and modify the DNS settings of the infected system, redirecting its name resolution to servers the attacker controls. This threat can also enable attackers to send malicious data to compromised systems, and it can corrupt some driver files, making them unusable. In the second quarter of 2013, Alureon was detected on 1.0 percent of reporting computers with detections in the US.
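Because the DNS modification described above is easy to verify from the host, here is an added check (example code written for this page, not code from the Microsoft post or from the MMPC). It lists the DNS servers configured on every IP-enabled adapter, flags any that are not on an approved list, and separately looks for a static NameServer value in the registry on an adapter that is supposed to use DHCP. The approved-resolver list is an assumption for the example; replace it with your own resolvers, such as your domain controllers.

```powershell
# Added example, not from the original post. Audits configured DNS servers on a
# Windows host; a resolver outside the expected set is a simple indicator of the
# kind of DNS tampering Alureon is described as performing.

# ASSUMPTION: placeholder allowlist for this example. Use your real resolvers.
$ApprovedDns = @('10.0.0.53', '10.0.1.53')

function Get-DnsAudit {
    param([string[]]$Approved = $ApprovedDns)

    # Win32_NetworkAdapterConfiguration is available back to Windows XP/7,
    # which matters for the MSRT population this report covers.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($nic in $adapters) {
        foreach ($server in @($nic.DNSServerSearchOrder)) {
            if (-not $server) { continue }
            New-Object PSObject -Property @{
                Adapter   = $nic.Description
                Index     = $nic.Index
                Dhcp      = [bool]$nic.DHCPEnabled
                DnsServer = $server
                Approved  = ($Approved -contains $server)
            }
        }
    }
}

function Get-StaticNameServers {
    # A static, non-empty NameServer on a DHCP-enabled interface is suspicious on
    # its own, whichever server it names: DHCP clients normally leave it blank.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    Get-ChildItem -Path $base | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.NameServer) {
            New-Object PSObject -Property @{
                InterfaceGuid = $_.PSChildName
                NameServer    = $props.NameServer
                EnableDHCP    = [bool]$props.EnableDHCP
            }
        }
    }
}

$unapproved = @(Get-DnsAudit | Where-Object { -not $_.Approved })
$staticOnDhcp = @(Get-StaticNameServers | Where-Object { $_.EnableDHCP })

'DNS servers not on the approved list:'
$unapproved | Format-Table Adapter, Index, Dhcp, DnsServer -AutoSize
'Static NameServer values on DHCP-enabled interfaces:'
$staticOnDhcp | Format-Table InterfaceGuid, NameServer -AutoSize

if ($unapproved.Count -gt 0 -or $staticOnDhcp.Count -gt 0) {
    Write-Warning ('{0} unapproved resolver(s) and {1} static override(s) found; ' +
                   'do not trust name resolution on this host until they are explained.') -f $unapproved.Count, $staticOnDhcp.Count
}
```

Run it from an elevated Windows PowerShell prompt. A home machine on an ISP's DHCP will legitimately show resolvers outside an enterprise allowlist, so the list has to match the environment; the registry check is the one that holds up regardless, because a DHCP client should not carry a static NameServer override.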
Figure 3 (left): The top 10 malware families in the United States in the second quarter of 2013 (2Q13); Figure 4 (right): The top 10 malware families in the United States in fourth quarter of 2012 (4Q12)
Figure 5: Quarterly trends for the top 10 malware families encountered by Microsoft antimalware products worldwide in the second half of 2012 and the first half of 2013, shaded according to relative encounter rate
As seen in Figure 3, the second most common threat family in the US in the second quarter of 2013 was Win32/Sirefef, which was detected on 1.5 percent of reporting computers with detections in the US. Win32/Sirefef is a malware platform that receives and runs modules that perform different malicious activities. We have seen the dropper component of Win32/Sirefef distributed by exploits and by software-piracy tools such as "keygens" (programs designed to bypass software licensing). You might have seen the news in December that Microsoft's Digital Crimes Unit worked with industry partners and law enforcement to disrupt the ZeroAccess botnet, which is related to this family of threats: Microsoft Disrupts Botnet Hijacking Search Results and Exploiting Search Engines.
This family of malware uses stealth to hide its presence on compromised systems. Trojans in this family can do different things on compromised systems, including downloading and running other files, contacting remote hosts, and disabling security features. Members of the family can also alter search results, which generates money for the attackers who operate Sirefef. Variants of Win32/Sirefef might be installed by other malware, including variants of the Trojan:Win32/Necurs family. More details on this threat family are available on the Microsoft Malware Protection Center's blog: The Wonder of Sirefef Plunder.
Despite the rapid increase in the US infection rate, the number of malicious websites hosted in the US has not risen commensurately, as Figure 6 shows. This is good news, because we typically see compromised systems used to host malicious sites for phishing attacks and drive-by download attacks, and to host malware for download.
Figure 6: Malicious website statistics for the United States
Variants of both of the threat families that drove US malware infection rates higher in the first half of 2013 rely on social engineering to trick the user into installing malware on their system. Given the severity of these threats, it is important to run real-time antivirus software and keep it up to date with the latest signatures. Because both families hide their presence and can disable security features on the running system, an offline scan, performed from trusted media rather than from the potentially compromised operating system, can also help reveal hidden malware. More guidance on how to prevent malware infections is available here.
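The two recommendations above, and the "disabling security features" behavior attributed to Sirefef earlier, can be checked on a host before deciding whether an offline scan is warranted. The following is an added example written for this page, not code from the Microsoft post or the MMPC: it verifies that a baseline set of Windows security services is running and not set to Disabled, and asks Security Center which real-time antivirus product is registered and whether it is enabled and current. Which services to baseline is my assumption; the productState decoding is the widely used interpretation of a field Microsoft has not formally documented, so treat an unexpected value as something to inspect rather than a verdict.

```powershell
# Added example, not from the original post. Two host checks that follow from the
# guidance above: baseline security services are alive, and a real-time antivirus
# product is registered, enabled and up to date.

# ASSUMPTION: services that should be running on any Windows client from Vista on.
$BaselineServices = @(
    @{ Name = 'BFE';    Role = 'Base Filtering Engine (required by the firewall)' },
    @{ Name = 'MpsSvc'; Role = 'Windows Firewall' },
    @{ Name = 'wscsvc'; Role = 'Security Center' }
)

function Test-BaselineServices {
    foreach ($entry in $BaselineServices) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name = '$($entry.Name)'"
        if ($null -eq $svc) {
            $state = 'Missing'; $mode = 'n/a'
        } else {
            $state = $svc.State       # Running, Stopped, ...
            $mode  = $svc.StartMode   # Auto, Manual, Disabled
        }
        New-Object PSObject -Property @{
            Service   = $entry.Name
            Role      = $entry.Role
            State     = $state
            StartMode = $mode
            Healthy   = (($state -eq 'Running') -and ($mode -ne 'Disabled'))
        }
    }
}

function Get-RegisteredAntivirus {
    # root\SecurityCenter2 exists on client SKUs (Vista and later), not on servers;
    # on a server this returns nothing rather than failing.
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is undocumented; the common reading of its six hex digits is:
        # middle byte with bit 0x10 set = real-time protection enabled,
        # low byte 0x00 = signatures current, 0x10 = out of date.
        $hex = '{0:X6}' -f [int]$p.productState
        $mid = [Convert]::ToInt32($hex.Substring(2, 2), 16)
        $low = [Convert]::ToInt32($hex.Substring(4, 2), 16)
        New-Object PSObject -Property @{
            Product  = $p.displayName
            State    = $hex
            Enabled  = (($mid -band 0x10) -ne 0)
            UpToDate = ($low -eq 0)
        }
    }
}

$services = @(Test-BaselineServices)
$services | Format-Table Service, State, StartMode, Healthy -AutoSize

$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) {
    Write-Warning 'No antivirus product is registered with Security Center (or this is a server SKU).'
} else {
    $av | Format-Table Product, State, Enabled, UpToDate -AutoSize
}

$findings = @($services | Where-Object { -not $_.Healthy }).Count +
            @($av | Where-Object { -not ($_.Enabled -and $_.UpToDate) }).Count
if ($findings -gt 0) {
    Write-Warning "$findings finding(s): a disabled security service or inactive/outdated antivirus on a machine you did not configure that way is consistent with the tampering described above; scan it offline rather than trusting the running system."
}
```

Run it from an elevated prompt. A clean result does not prove the host is clean, since a rootkit that hides from the running system can also lie to it; that is exactly why the text recommends an offline scan. A bad result, on the other hand, is cheap to obtain and a good reason to take the machine offline before doing anything else.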