As we reported in our most recent Security Intelligence Report, worm detections have been gaining speed compared to 2009. I remember a time when the world thought the day of the worm had come and gone. Although outbreaks on the scale of Slammer and Blaster never became an everyday occurrence, we have seen another trend: malware authors upgrading their everyday static trojans into worms and bots, and often into bots that can propagate like worms.

If you examine the top families, you will soon connect the trend to the top offenders: Taterf, Rimecud, Conficker and Autorun (a "family" we detect with generic signatures based on Autorun propagation behavior). These families occupied four of the top six slots for Q2 2010, when they were all trending upward.

Rank  Family             Most significant category              1Q10        2Q10        3Q10        4Q10
----  -----------------  -----------------------------------  ----------  ----------  ----------  ----------
   1  JS/Pornpop         Adware                                        -           -   2,660,061   3,860,365
   2  Win32/Autorun      Worms                                 1,256,649   1,646,532   2,805,585   3,314,092
   3  Win32/Taterf       Worms                                 1,496,780   2,323,750   2,338,517   1,615,649
   4  Win32/Zwangi       Misc. Potentially Unwanted Software     542,534     860,747   1,638,398   2,299,210
   5  Win32/Renos        Trojan Downloaders & Droppers         2,693,093   1,889,680   2,109,631   1,655,865
   6  Win32/Rimecud      Worms                                 1,809,231   1,749,708   1,674,975   1,892,919
   7  Win32/Conficker    Worms                                 1,498,256   1,664,941   1,649,934   1,744,986
   8  Win32/FakeSpypro   Miscellaneous Trojans                 1,244,903   1,424,152   1,897,420     889,277
   9  Win32/Hotbar       Adware                                1,015,659   1,483,289     942,281   1,640,238
  10  Win32/ClickPotato  Adware                                        -           -     451,660   2,110,117

Table 1: Top Families, Second Half of 2010, by Number of Detections. Families are ranked by their combined 3Q10 and 4Q10 detections; a dash marks a quarter for which the original table gives no figure.

What these worms share is a propagation method: they all abuse the AutoPlay handling of Autorun, many by creating or modifying Autorun.inf files on network drives and removable media, so that the malware executes automatically when a user connects the drive or media. Newer operating systems changed this: Windows Vista changed how Autorun is configured, and Windows 7 changed how it works by default. These changes appear to have made a significant difference to the ability of Autorun-abusing malware to infect the newer platforms, especially Windows 7.
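To make the mechanism concrete, here is a small triage script, added to this post as an example (it is not MMPC code and does not appear in the original). It parses an Autorun.inf the way a lenient reader would and flags the directives these families depend on to get code executed from a drive (open=, shellexecute=, shell\...\command=), scans a mounted volume root for such a file, and decodes the long-standing NoDriveTypeAutoRun policy bitmask. The two Autorun.inf samples are constructed for illustration and do not reproduce any real family's file.

```python
"""Triage of Autorun.inf files and of the NoDriveTypeAutoRun policy mask.

Added example for this post; not MMPC code. The sample Autorun.inf texts
below are constructed for illustration, not captured from any family.
"""
import re
from pathlib import Path

# Directives in the [autorun] section that make Explorer launch a program on
# insertion (AutoRun) or when the drive icon is double-clicked.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Drive-type bits of the NoDriveTypeAutoRun policy value (a set bit disables
# AutoRun for that drive type); 0xFF disables it for every type.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no root dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk", 0x80: "unknown (high)",
}


def parse_autorun_inf(text: str) -> dict:
    """Lenient, case-insensitive parse of the [autorun] section.

    Windows skips lines it cannot interpret, so a detector that insists on a
    well-formed INI file can be bypassed with junk lines; we skip them too.
    """
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().strip("\x00").strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip()
    return directives


def assess_autorun(directives: dict) -> list:
    """Return the reasons an Autorun.inf looks like a propagation vector.

    A benign file typically carries only icon= and label=; anything that runs
    a program or rewrites the drive's Explorer verbs deserves a look.
    """
    reasons = []
    for key, value in directives.items():
        if key in LAUNCH_KEYS:
            reasons.append(f"{key}= runs {value!r} on insertion")
        elif SHELL_COMMAND_RE.match(key):
            reasons.append(f"{key}= rewrites an Explorer verb to run {value!r}")
    if "shell" in directives and reasons:
        reasons.append(f"shell={directives['shell']!r} makes that verb the default (double-click)")
    if "action" in directives and reasons:
        reasons.append(f"action={directives['action']!r} sets attacker-chosen AutoPlay text")
    return reasons


def scan_volume(root) -> dict:
    """Look for Autorun.inf at the root of a mounted volume (any letter case)."""
    results = {}
    for p in Path(root).iterdir():
        if p.is_file() and p.name.lower() == "autorun.inf":
            data = p.read_bytes().decode("utf-8", errors="replace")
            results[str(p)] = assess_autorun(parse_autorun_inf(data))
    return results


def autorun_allowed_drive_types(mask: int) -> list:
    """Drive types for which a NoDriveTypeAutoRun mask still allows AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


# Constructed samples (not real malware): a vendor-style file and a worm-style one.
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nlabel=Vendor Tools\n"
WORM_STYLE_INF = (
    "[autorun]\n"
    "; junk the Windows parser ignores\n"
    "xyzzy\n"
    "OPEN=RECYCLER\\update.exe\n"
    "shell\\open\\Command=RECYCLER\\update.exe\n"
    "shell=open\n"
    "action=Open folder to view files\n"
    "UseAutoPlay=1\n"
)

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("worm-style", WORM_STYLE_INF)):
        reasons = assess_autorun(parse_autorun_inf(inf))
        print(f"{name}: {'SUSPICIOUS' if reasons else 'ok'}")
        for r in reasons:
            print("  -", r)
    print("mask 0x91 still allows AutoRun on:", autorun_allowed_drive_types(0x91))
```

Run it against a mounted USB stick with scan_volume("E:\\") (or a Linux mount point) to triage whatever Autorun.inf is there; reading the live NoDriveTypeAutoRun value from the registry on Windows is left to the caller, since the decoder only interprets the mask.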

Although Autorun is not the only technique these families use (why be a one-trick pony when you can be a Swiss Army knife?), the infection rates of these families by platform indicate that Autorun abuse is more effective on older platforms such as Windows XP.

For example, compare how often a Microsoft Security Essentials user reports a detection (either a blocked infection attempt or an actual infection) of one of these Autorun-abusing families: Windows XP users and Windows 7 users are exposed to this malware at broadly comparable rates. On average in 2010, about 9% of Windows 7 Security Essentials users reported seeing one of these families at least once per month, compared with 13% of Windows XP users. In other words, a Windows XP user was about 43% more likely than a Windows 7 user to report one of these Autorun detections in any given month.

However, when you look at actual infection rates (using data from the Microsoft Malicious Software Removal Tool, with the number of infection reports per OS normalized by the number of users per OS to account for differences in install base), the numbers are starkly different. Windows XP users were nearly 10 times as likely to be infected by one of these worms as Windows 7 users. Although causation is difficult to prove, it is quite possible that these figures reflect, at least in part, the improvements made to the security of Autorun in Windows 7.

As Adam Shostack announced today on the MSRC blog, we are releasing updates for Windows XP and other operating systems to help secure this feature on those platforms. I am looking forward to a few months from now, when we can run this analysis again and hopefully measure the resulting security improvement.

Many thanks to Adam, Joe Faulhaber (MMPC), and our MSRC colleagues. Together, our analysis of the threat landscape was pivotal in the decision to make this change.

-Holly Stewart, MMPC