In my last article on operating system infection rates I discussed the malware infection rate trends for operating systems and service packs.  Many customers ask me about this data because it helps them understand how specific platforms are performing with regard to mitigating attacks over time.  The long term trend indicates that newer operating systems and service packs have lower malware infection rates than older software. 

The security professionals I talk to are also interested in learning about the specific families of threats that are detected most often on the platform(s) they operate in their environment.  This data helps customers defend against the most common attacks on the specific platform(s) they use in their environment.  This is especially true given that exploit activity has been so high over the past year.

Figure 1: The malware and potentially unwanted software families most commonly detected by Microsoft antimalware solutions in the second quarter of 2012 (2Q12), and how they ranked in prevalence on different platforms

Windows 7 is the most widely used consumer operating system worldwide, and the most prevalent families on both Windows 7 RTM and Windows 7 SP1 tended to be the same families that were prevalent overall.  The most common threat detected on Windows 7-based systems in the second quarter of 2012 (2Q12) was Win32/Keygen – a threat I have written about before.  In fact, in my recent article on threat predictions for 2013, I predicted that detections of Keygen would continue to increase.  Autorun worms also rank very high on Windows 7 systems.  Please see this article for more details on this threat: Defending Against Autorun Attacks.

The Blacole exploit kit was the most commonly detected family on Windows Vista; it ranked lower on other platforms. The Blacole kit uses drive-by download attacks to try to infect systems that have out-of-date software installed on them. Internet Explorer 7, which is installed by default with Windows Vista, does not include SmartScreen Filter, the feature that provides malware protection in subsequently released versions of Internet Explorer. This factor may leave some Windows Vista users more exposed to Blacole. Users should upgrade to a newer version of Internet Explorer with built-in antimalware protection, such as Internet Explorer 9.  Adware and rogue security software are also found among the top five threats detected on Windows Vista. Rounding out the top five threats on Windows Vista is ASX/Wimad. I predicted that attackers would continue to leverage ASX/Wimad in the future.  This is a threat that preys on users’ desire for free music and movies.

JS/IframeRef was the number one threat found on Windows XP SP3 in 2Q12.  It is a detection for JavaScript that attempts to redirect the browser to another website.  These types of scripts are used in drive-by download attacks.  Win32/Pluzoks, a Trojan downloader family, was the second most commonly detected family on Windows XP SP3 in 2Q12, but ranked much lower on other platforms. Detections of Pluzoks were highly concentrated in Korea, where use of Windows XP remains relatively high compared with the rest of the world.  This might also help explain why Korea has the highest malware infection rate in the world by a large margin.

If you are still running systems with Windows XP SP3 in your environment, be aware that end of support for Windows XP SP3 is April 8, 2014. Migrate to Windows 7 or Windows 8 ASAP.  Given the types of threats detected on Windows XP SP3, running up-to-date antimalware software from a trusted vendor is strongly recommended, as is running a version of Internet Explorer with SmartScreen.  If your organization is still using Internet Explorer 6, you haven’t been receiving security updates for your browser for some time.  It’s critical that you migrate to a version of Internet Explorer that is supported and will provide you with modern security mitigations. 
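One way to find the systems this advice applies to, as an added example that is not part of the original post: the PowerShell function below reads the operating system and Internet Explorer version from the local machine and reports the two conditions discussed above, Windows XP ahead of its 8 April 2014 end of support and Internet Explorer 6 or 7, which lack SmartScreen Filter. The function name is my own; the registry key and WMI class are standard Windows locations.

```powershell
# Added example, not from the original article. Reports the exposures the
# article discusses for the machine it runs on. Written to run on
# PowerShell 2.0 (the last version available on Windows XP); run it through
# Invoke-Command or your management tooling to inventory a fleet.
function Get-PlatformExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'

    # Internet Explorer 10 and later store the real version in svcVersion
    # and leave 'Version' at 9.x, so prefer svcVersion when it is present.
    if ($ie.svcVersion) { $ieVersion = $ie.svcVersion } else { $ieVersion = $ie.Version }
    $ieMajor = [int]($ieVersion.Split('.')[0])

    $findings = @()

    # Windows XP: support ends on 8 April 2014 regardless of service pack.
    if ($os.Caption -match 'Windows XP') {
        $findings += "$($os.Caption) SP$($os.ServicePackMajorVersion): support ends 8 April 2014; migrate to Windows 7 or Windows 8."
    }

    # Internet Explorer 6 and 7 predate SmartScreen Filter.
    if ($ieMajor -lt 8) {
        $findings += "Internet Explorer $ieMajor has no SmartScreen Filter; upgrade to a supported version such as Internet Explorer 9."
    }

    # Internet Explorer 6 has not received security updates for some time.
    if ($ieMajor -le 6) {
        $findings += "Internet Explorer $ieMajor no longer receives security updates."
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        OS          = $os.Caption
        ServicePack = $os.ServicePackMajorVersion
        IEVersion   = $ieVersion
        Findings    = $findings
    }
}

Get-PlatformExposure | Format-List
```

A machine with no findings returns an empty Findings list; anything else is a candidate for the migration or browser upgrade described above.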

I suggest that you do some extra research on the threats you see listed in Figure 1 for the platform(s) you use in your environment.  The more you understand the tactics attackers are using to try to compromise the platform(s) your organization uses, the easier it will be to assess whether you need to make any changes to your security posture.  A great source of information is the Microsoft Malware Protection Center’s threat encyclopedia.

Tim Rains
Director, Trustworthy Computing