SIRv16: Cybercriminal tactics trend toward deceptive measures
Microsoft’s Security Intelligence Report volume 16 (SIRv16) was released today, providing threat trends on malware encounter rates, infection rates, vulnerabilities, exploits, and more for 110 countries/regions worldwide. The report is designed to help IT and security professionals better protect themselves and their organizations from cyberattacks.
Malware data is gathered from the Malicious Software Removal Tool (MSRT), which is used to calculate the infection rate (Computers Cleaned per Mille, or CCM), and our real-time protection products are used to derive the encounter rate. One of the more notable findings in the report was an increase in both worldwide infection rates and encounter rates. About 21.2 percent of reporting computers encountered malware each quarter in 2013. We also saw an infection rate of 11.7 CCM.
More specifically, the infection rate increased from a CCM of 5.6 in the third quarter of 2013 to 17.8 in the fourth, a threefold increase and the largest infection rate increase ever measured by the MSRT between two consecutive quarters. This rise was driven predominantly by malware using deceptive tactics, specifically three families that will be familiar to readers of this blog: Sefnit and its related families Rotbrow and Brantall.
Sefnit, a bot that gives a remote attacker a multitude of options, is often used in connection with activities that help attackers make money, such as click fraud and Bitcoin mining. In fact, Sefnit was first detected because it was performing click hijacking, and users reported seeing their searches redirected. Researchers widely believed the Sefnit threat had diminished; it did not re-emerge until it started to behave differently, acting like a proxy service and giving attackers the ability to use a botnet of Sefnit-hosted proxies to relay web traffic that issued illegitimate “clicks” on online ads.
These new Sefnit variants operated in the background, evading detection by researchers for a short while. Rotbrow, software that poses as protection against browser plug-ins (“Browser Protector”), and Brantall, which fronts as an installer for some legitimate software programs, were both caught directly installing Sefnit in the second half of the year. Once detection was added, Sefnit became the third most commonly encountered malware family in the third quarter of 2013, then dropped down as detections for Rotbrow and Brantall were added to Microsoft security products.
Once Rotbrow was added to MSRT it went to the top of the charts as the number one threat encountered and cleaned globally in the second half of 2013. In the fourth quarter, Rotbrow was the most commonly encountered malware family with an encounter rate of 5.90 percent.
Brantall followed as the next most commonly encountered threat, with an encounter rate of 3.55 percent in that same quarter.
Figure 1: Encounter rates for major threat families in the second half of 2013
However, deceptive techniques are not limited to these three families.
Ransomware is another deceptive tactic that is less prevalent but can be devastating to the owners of infected systems.
In threat families such as Reveton, Urausy, or the highly publicized Crilock (also known as Cryptolocker), cybercriminals gain control of a user’s computer and lock the user out of their own files, holding the files for ransom and refusing to return control of the computer or the files until the victim pays a fee. In many instances, control of the computer or files is never returned to the victim, who loses valuable data, pictures, movies, music, and so on. Certain ransomware cases, in which local or national “authorities” appeared to warn of an alleged crime committed by the computer user and demand a “fine”, were extremely threatening. Many users were so intimidated by the fake warnings that they felt they had no choice but to pay the fee. Between the first and second halves of 2013, encounters with the top ransomware threat globally, Reveton, increased by 45 percent.
While there was an increase in deceptive tactics, interestingly, there was a decrease in exploits.
Exploits, particularly Java exploits and web-based threats, declined between the first and second halves of 2013. As always, malicious hackers vary what they focus on exploiting, ultimately engaging us in a game of whack-a-mole. First a decline in web-based threats was seen, followed by a drop in Java exploits. Some of this decline correlated with the discovery and subsequent arrest of alleged exploit kit author Paunch, and some of it might have been associated with exploit kit writers varying the exploits they use in their popular kits. You can find more data on exploits and how they trended in SIRv16.
Figure 2: Exploit encounter rates in 2013
In SIRv16, the Trustworthy Computing security science team elaborates on exploit trends in an in-depth study of exploits of vulnerabilities in Microsoft products. Notably, they identified a 70 percent decline in the number of severe vulnerabilities (those that can enable remote code execution) exploited in Microsoft products between 2010 and 2013.
As always, the best protection from malware and potentially unwanted software is to keep all your software up to date and run a real-time security product such as Microsoft Security Essentials.
Additional data on deceptive threats, as well as much more regional-, platform- and category-specific analysis, is available now in Volume 16, which you can download at www.microsoft.com/sir.