Threat Research & Response Blog
On Feb. 8, Microsoft started releasing updates for the Windows XP and Vista platforms to make the Autorun feature more locked-down on those older platforms by preventing AutoPlay from being enabled automatically (except when it comes to "shiny media" such as CDs and DVDs). We knew we would want to come back sometime later to measure how the update changed the rate of infection for these families. That time is now. Let's have a look.
As reported in volume 10 of the Microsoft Security Intelligence Report and in a previous post, malware using a technique to abuse a feature of Windows called Autorun grew in prevalence in 2010. If you examine the top families, you'll spot the top offenders: Taterf, Rimecud, Conficker, and Autorun (a "family" that we detect with generic signatures based on Autorun propagation behaviors). The following chart, based on the data in the SIRv10 report, shows their changes quarter over quarter in 2010. This chart shows the total number of detections reported by computers running any MMPC product, so it includes malware that was detected and blocked (no infection) and also those found by the Microsoft Malicious Software Removal Tool (MSRT) for removal. (In other words, these are counts for computers reporting detections, not infections.)
Chart 1 – Detections reported by computers running MMPC products of threats using "autorun.inf"
Then something expected happened. The infection rates for Windows XP and Vista went down -- pretty significantly, in fact. By May of 2011, the number of infections found by the MSRT per scanned computer was reduced by 59% on XP and by 74% on Vista in comparison to the 2010 infection rates. Specific service packs show even greater declines between the month prior to the update (Jan. 2011) and last month (May 2011). The chart below illustrates how Windows XP SP 3 and Windows Vista SP 1 & 2 changed dramatically. Windows 7 shows little change (it already had the updated Autorun feature), and neither did Windows XP SP 2 (it's out of support, so it didn't get the update).
Chart 2 – Illustration of the decline in ‘Autorun' threats among Windows XP and Windows Vista systems
These infections started their decline when the update was released and in May hit an all-time low. (There was a small uptick in April, but that was likely caused by the a second MSRT release at the end of that month.) In comparison to the three months prior to the update, we saw 1.3 million fewer infections on Windows Vista and XP from February to May. The following chart shows the decline in the total number of computers (all operating systems/all service packs) that reported an infection by one of these major Autorun-abusing families.
Chart 3 – Illustration of the decline in total number of computers among all Windows operating systems
So, the chart clearly shows a decrease in infections. That was expected – or at least, we had hoped that would happen (that was the whole point after all). What was unexpected, is that there appears to have been a residual effect -- a "secondhand smoke" kind of effect on adjacent systems that were already protected with proactive defenses (in our case, Forefront Client Security, Forefront Endpoint Security, and Microsoft Security Essentials). The infection attempts on these computers also went down immediately after the update was released:
Chart 4 – Reduction in infection attempts as reported by MMPC products January 2010 to May 2011
The overall infection rates changed, too. By May of 2011, the number of infections found by the Microsoft Malicious Software Removal Tool (MSRT) per scanned computer was reduced by 68% (all operating systems, all service packs) in comparison to the 2010 infection rates.
Some people have wondered why the change to Autorun hasn't reduced infections and infection attempts to zero. The answer to that question is that these families use multiple infection vectors to arrive at a computer. In addition to Autorun, they replicate on network shares, they guess passwords, they exploit old vulnerabilities in hopes they'll find one or more systems without an update, they even get placed there by other malware families (downloaders and droppers) -- and let's not forget about good old social engineering trickery. They use that, too.
Abusing Autorun was only one trick up their collective sleeve. However, judging by the numbers in our data, it was a lucrative one. It's not every day that you have such strong confirmation that something you were a part of made a difference in the world, but I have to say that seeing 1.3 million fewer infections over the past few months and all of these trend lines going down – that just feels good. I can't wait to look at the numbers in June and July. Much gratitude goes to Adam Shostack and the whole teams of people in MSRC and Windows that helped make this happen. This experience has brought together creativity, research, data, and process -- we are all better together. Thanks to you all.
-Holly Stewart, MMPC