Archive for the ‘Autorun’ Category

New: Microsoft Security Intelligence Report Volume 11 - Now Available

October 11th, 2011

Hi, again everyone!

Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11. I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world. The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially unwanted software. We also cover third-party products in the report.

As part of SIRv11, we’ve included an in-depth analysis titled “Zeroing in on malware propagation.”

The purpose of this study is to help customers better understand where malware was propagating and to encourage the use of this information to prioritize where and how to focus risk management efforts. Contrary to popular belief, this study found that zero-day vulnerabilities accounted for a very small percentage of actual infections. In fact, none of the top malware families detected through tools such as the Malicious Software Removal Tool and Microsoft Security Essentials propagated through the use of a zero-day. And while some smaller families did take advantage of these types of vulnerabilities, less than 1 percent of all vulnerability attacks were against zero-day vulnerabilities – in other words, approximately 99% of attempted attacks targeted vulnerabilities for which an update was already available.

While these statistics may come as a surprise to some, the key takeaway is how malware was actually propagating, and we found that to be through user interaction, typically employing social engineering techniques, Autorun feature abuse, file infection, various exploits (with updates available) and brute force password attacks. This study provides insight into the frequency with which these methods were being used to spread malware, and puts zero-day vulnerabilities into context against other propagation methods.

The graph below outlines the propagation methods I’ve mentioned and gives you a good idea of where we’re seeing malware propagate from.

Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

We’ve always known the bad guys use multiple methods of malware distribution to compromise users, and they often build this functionality into the malware itself. As an example, Conficker exploits vulnerabilities, abuses Autorun, and guesses passwords to infect users. Other families, like Taterf, Vobfus, Ramnit, and Renocide, focus on Autorun abuse and incorporate social engineering tricks that require user interaction. The report provides insight into the frequency with which these methods were being used to spread, and puts zero-day vulnerabilities into context against the other propagation methods.

Zero-day vulnerabilities tend to strike fear in the hearts of consumers and IT professionals, and for good reason. They combine fear of the unknown and an inability to fix the vulnerability, which leaves customers feeling defenseless. It’s no surprise that zero-day vulnerabilities receive enormous coverage in the press when they happen, and should be treated with the utmost level of urgency by the affected vendor and the vendors’ customers. Despite the level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape.

The purpose of our featured story in SIRv11 was to put zero-day threats into context against the other malware propagation vectors and to encourage IT professionals to consider this information when prioritizing their security practices. Zero-day threats are real and I don’t want to diminish the risk they represent. However, we hope that users will take this information into consideration when prioritizing their security efforts.

The study just scratches the surface of the intelligence contained in SIRv11. For more information on global or regional threat trends, check out the website. As I said, the report is huge: it contains data from over 600 million systems worldwide, over 280 million Hotmail accounts and billions of pages scanned by Bing each day, and, more importantly, it provides prescriptive guidance to help protect against the bad guys.

I hope you enjoy this report. If you would like to provide input on ideas for future reports, join the SIR Community, where you can gain early access to upcoming announcements and SIR events, learn about early concept ideas and extended content, and participate in feedback surveys that help drive the direction of the data analyzed.

Thanks again and stay safe!!

Vinny Gullotto 
General Manager
Microsoft Malware Protection Center

MSRT June Release, taking care of a few worm families

June 14th, 2011

In this month’s MSRT release, we added three new threat families to the detection capability. One of these three is Win32/Nuqel, which has been around for four years since its first variant was found. More than 60 variants of Win32/Nuqel have been identified in the wild. This worm spreads itself via network shares, removable drives and instant messenger programs. These combined spreading methods make it very efficient in propagating, and it has gained prevalence lately.

Aside from the typical Autorun behavior, which is of shrinking value to malware authors, Nuqel employs a disguise to fool victims. When infecting a machine that has shared network drives, Nuqel copies itself to the folders on the network share using the name and icon of a folder. If the user clicks the icon, the worm is activated.

For example, the infected network share may look like this:

Image 1 – View of infected network share, with file extensions hidden

After enabling the display of file extensions, you can see why there appeared to be two folders named ‘Pictures’:

Image 2 – View of infected network share, with file extensions visible

If you don’t have any folder or file shared, Win32/Nuqel will create one for you as <Root Drive>\New Folder.exe, which is another copy of itself. For more information about its methods of propagation, please refer to our Win32/Nuqel description in the MMPC encyclopedia.
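A defender-side check for the disguise just described, added here as an example and not part of the MMPC post or its tooling: it walks a share (a constructed sample tree standing in for Images 1 and 2) and flags executables whose base name matches a sibling folder, plus a generic ‘New Folder.exe’ at the root. The set of executable extensions is an assumption.

```python
import os
import tempfile
from pathlib import Path

# Assumption: extensions Explorer hides by default and will execute on double-click.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def find_folder_impersonators(root):
    """Walk `root` and return (sorted, relative) paths of executables that either
    share their base name with a directory in the same folder (Pictures + Pictures.exe)
    or sit at the root under the generic name 'New Folder'."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}  # case-insensitive like NTFS
        for fname in filenames:
            p = Path(fname)
            if p.suffix.lower() not in EXEC_SUFFIXES:
                continue
            stem = p.stem.lower()
            mimics_sibling = stem in sibling_dirs
            generic_root_copy = Path(dirpath) == root and stem == "new folder"
            if mimics_sibling or generic_root_copy:
                hits.append(str(Path(dirpath, fname).relative_to(root)))
    return sorted(hits)


def build_sample_share():
    """Constructed sample tree (placeholder bytes, not real malware) mirroring the screenshots:
    a real 'Pictures' folder beside 'Pictures.exe', a root-level 'New Folder.exe',
    and a benign installer with no matching folder."""
    share = Path(tempfile.mkdtemp(prefix="share_"))
    (share / "Pictures").mkdir()
    (share / "Pictures" / "holiday.jpg").write_text("constructed, not an image")
    (share / "Pictures.exe").write_bytes(b"MZ constructed placeholder")
    (share / "Documents").mkdir()
    (share / "Documents" / "report.docx").write_text("constructed, benign")
    (share / "New Folder.exe").write_bytes(b"MZ constructed placeholder")
    (share / "setup.exe").write_bytes(b"MZ constructed placeholder, benign")
    return share


if __name__ == "__main__":
    for hit in find_folder_impersonators(build_sample_share()):
        print("suspicious:", hit)
```

Run it against a real share root instead of the sample tree to list candidates for closer inspection; a hit is a lead, not a verdict, since legitimate installers can sit beside same-named folders.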

Although it’s a family that’s been around for a pretty long time, the volume in the wild is still large and rising, based on the numbers seen by Microsoft security products:

Chart 1 – Percent increase in detection, January 2009 – May 2011

If we split the count of detections by country, the United States is the most affected with 40 percent of all Nuqel detections, followed by Turkey. The top 5 countries account for 73 percent in total, as illustrated below.

Chart 2 – Detection by country

The other two threat families added to MSRT detection for June 2011 are Win32/Yimfoca and Win32/Rorpian, both of which are high-profile worms with several payloads that are also gaining prevalence these days. We believe MSRT will put a dent in these threats, and as always, we recommend that users install real-time protection with a full antivirus solution such as Microsoft Security Essentials.

— Shawn Wang & Scott Wu, MMPC

Deeper insight into the Security Advisory 967940 update

February 8th, 2011

Hi! I’m Adam Shostack, a program manager working in TWC Security, and I’d like to talk a bit about today’s AutoRun update. Normally, I post over on the SDL blog, but of late I’ve been doing a lot of work in classifying and quantifying how Windows computers get compromised. One thing that popped from that analysis was the proportion of infected machines with malware that uses Autorun to propagate.

You might note that that’s a convoluted sentence, and I apologize. Why can’t I just say “infected because of AutoRun?” Well, because we don’t actually know that. Due to the nature of the problem, it’s probably not possible to acquire great data on the number of attacks that succeed by misusing Autorun. What we know, and talked about in volume 9 of our Security Intelligence Report last fall, is that a lot of malware uses Autorun as one of several propagation mechanisms. Because of the very real positive uses of Autorun, we didn’t want to simply shut it off without a conversation. On the other hand, we believed action should be taken to shut down the misuse.

In April 2009 we delivered a very public message to the Windows ecosystem that we were changing the behavior of Autorun in ways that improved security. We blogged on the progress of that transition, posting “AutoRun changes in Windows 7” in April 2009. In November 2009, we posted “AutoPlay Windows 7 behavior backported” and we put out an update to do the same for older operating systems. We made that update available from the Download Center. That allowed anyone who wanted the update to seek it out and download it for themselves. Our partners expressed their concerns about that change, but by and large understood the reasons for it. Over the last few years, companies that needed the functionality incorporated U3 functionality into their devices. Others documented the change. Overall, the transition hasn’t been simple, but it has worked.

Today we are taking another important step to protect our customers. We’re putting the existing update into the Windows Update channel. This change has three important effects:

  • We deliver the existing update to many more machines;
  • We make it easier to deploy via WSUS;
  • We help those organizations that, as a matter of their policy, only widely deploy updates that are in WU.

We’re marking this as an “Important, non-security update.” It may seem a little odd to call this a “non-security update,” especially since we’re delivering it alongside our February bulletins. But at Microsoft we reserve the term “Security Update” to mean “a broadly released fix for a product-specific security-related vulnerability.” And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn’t an accident — it’s by design, and as I mentioned we care about the very real positive uses of the feature. In other words, in a very real sense, it’s not a bug, it’s a feature, and we documented it as such.

It’s also not a security update because security updates are intended to fix a problem and all known variants. That’s more problematic when the “problem” is a feature that’s being used as intended, and so this update does not turn off the feature entirely. For example, it does not impact “shiny media” such as CDs or DVDs that contain Autorun files. We are aware that someone could write malware to take advantage of that, but we haven’t seen it in the wild. (We also think malware on shiny media would be less likely to have widespread impact, because people burn CDs less often than they insert USB drives.)

Based on what we’ve learned over the last 22 months and shared in the SIR, now is the right time to bring this update to a wide audience. (The MMPC blog today has further insight into that aspect of this update.) At the same time, we’re aware that some customers prefer the existing Autorun functionality and will want to reverse the effects. So we have a Fix It available that accomplishes that.

Changing behavior for a running system is never a trivial thing, and we take it incredibly seriously. It would be a bad outcome for people to think they have to make a tradeoff between security and anything else. Updates to protect against vulnerabilities are an important part of keeping a system secure. We had to be very confident that this change was the right balance for most people.

Adam
