There is almost no protection that is foolproof against a fool who downloads a file then executes it on his computer. But we have several incidents EVERY DAY of somebody who does just that.
Drive-by downloads from compromised websites are the worst, because often there is no clue to the user what actually happened.
According to Microsoft’s recently released Security Intelligence Report, that’s socially engineered malware (scareware pop ups; blackhat search engine optimization attacks), or malware requiring user interaction such as campaigns enticing users into downloading and executing a malicious file.
More propagation tactics:
- User Interaction required - 44.8%
- AutoRun USB - 26%
- AutoRun: Network - 17.2%
- File Infector - 4.4%
- Exploit: Update Long Available - 3.2%
- Exploit: Update Available - 2.4%
- Password Brute Force - 1.4%
- Office Macros - 0.3%
- Exploit: Zero Day - 0%
Based on a sample of 600 million systems worldwide, the research further positions AutoRun USB infection as the second most popular malware propagation tactic, based on the data provided by the software giant. Microsoft disabled AutoRun by default on Windows XP/Vista in February in order to prevent malware infections. The results, at least according to Microsoft, have indicated a significant decline in malware using AutoRun as a spreading mechanism.
The report also points out that zero day flaws do not necessarily represent a driving force in the growth of malicious attacks or cybercrime in general. A point — including several other — which I already discussed in my article “Seven myths about zero day vulnerabilities debunked“.
How well is Microsoft positioned to take advantage of the points presented in the study? For starters, for a second year in a row, Microsoft’s Internet Explorer outperforms competing browsing in protecting against socially engineered malware, at least according to studies conducted by NSS Labs. Studies whose methodology I debunked in related posts - “IE8 outperforms competing browsers in malware protection — again” ; “Study: IE8’s SmartScreen leads in malware protection.
Now that socially engineered malware is supposedly taken care of, what else is Microsoft missing? It’s malware that spreads without user interaction, namely through the exploitation of client-side vulnerabilities in third-party software and browser plugins. That’s precisely what the studies from NSS Labs have omitted from their research, especially in times when web malware exploitation kits dominate the threatscape.
What are some of the most common client-side exploits that malicious attackers attempt to exploit through these kits? According to Microsoft:
The most commonly observed type of exploits in 1H11 were those targeting vulnerabilities in the Oracle (formerly Sun) Java Runtime Environment (JRE), Java Virtual Machine (JVM), and Java SE in the Java Development Kit (JDK). Java exploits were responsible for between one-third and one-half of all exploits observed in each of the four most recent quarters.
Consider going through the report here.
