The Internet is a great place to share; we share information, ideas, experiences, software, and media through many different services over the Internet. The Internet is also a great place to do business and to shop for great deals on software, movies, and music as well as other goods and services. Unfortunately, malware distributors take advantage of people's desire to share and find the best deals by using social engineering in attempt to infect computer systems.

Preying on the desire to "get a good deal" is a form of social engineering that has been around for a long time, but it's proving to be a perennially popular method for malware distributors. The typical situation starts with users looking for some software or media such as movies or music for free, or for a reduced price. They surf the web looking for the file and perhaps also a crack or license key generator (Keygen) so that they don't have to purchase it. This is where the malware distributors step in and attempt to get between these users and the software or media that they are looking for.

By disguising malware as popular software, or by bundling malware with popular software, malware distributors are hoping that enthusiastic bargain hunters will download and execute their malicious software and become infected. According to new research conducted by Joe Faulhaber from the Microsoft Malware Protection Center and published in volume 13 of the Microsoft Security Intelligence Report that was released today, these deceptive downloads are an effective method of social engineering. The research indicates that 76% of users that downloaded keygen or software cracks were also exposed to other, more dangerous malware, which is 10 percent higher than the average co-infection rate for other families.

However, deceptive downloads are not necessarily the only way malware can find its way onto a person's computer when they seek free or discounted software. The other way is associated with simply searching for free software, license key generators, and media. In that method of infection, malware distributors hide exploits in webpages that attempt to take advantage of unpatched software vulnerabilities to compromise these bargain hunter's computers.

Family

Most Significant Category

Q1

Q2

Win32/Autorun

Worms

849,108

937,747

JS/Pornpop

Adware

637,966

661,711

Win32/Obfuscator

Misc. Potentially Unwanted Software

515,575

606,081

Blacole

Exploits

561,561

512,867

Win32/Dorkbot

Worms

492,106

522,617

Table 1: Threat families most commonly detected on computers displaying evidence of unsecure file distribution such as Win32/Keygen in 1H12

This method of spreading malware and infecting a user's system is a very popular one, and has become even more popular since the last half of 2011 with the rise of the Blacole exploit kit. The Blacole exploit kit is a set of exploits typically injected into an infected web page. It is designed to break into systems by exploiting a variety of vulnerabilities in popular software packages from different software vendors. These vulnerabilities all have updates available for them, but the attackers are betting that many people's systems are not up to date. It's a very common threat family, ranking number four overall by users running Microsoft antivirus technologies. It's also the fourth most common threat family detected on systems where the Keygen family was also detected (as seen in Table 1 above).

Microsoft Anti-Malware Users

Reporting attempted Blacole exploit kit attacks

All

1 in 36

Those reporting Keygen detections

1 in 15

Table 2: Correlation between users affected by Blacole and Keygens

Furthermore, as seen in Table 2, Blacole is more than twice as likely to be seen by users who also report Keygen detections, as compared to the total number of users: one in 15 users report Blacole detections when they also have Keygen detected in their computers, whereas only one in 36 of all users have come across Blacole. This is true for the first half of 2012 and for users of a Microsoft antivirus technologies.

In other words, it's not just downloading license key generators, cracked software or free media files that expose users to malware; the act of visiting web pages of unknown origin, claiming to provide this type of free software download, is risky activity. Therefore, it's crucially important to make sure that you get your software and media from a trusted source. Also, to avoid falling victim to Blacole and other malware, make sure that your software patches are up to date and that you're running up to date antivirus software from a vendor that you know and trust.

You can find out more on deceptive downloads and Blacole exploit kit trends, as well as other global and regional trends in Internet security, in our latest Microsoft Security Intelligence Report Volume 13, that launched today.

-Joe Blackbird, MMPC