In the newest edition of their Security Intelligence Report, covering the second half of 2013, Microsoft says that their investments of more than ten years in secure development practices have been paying off: between 2010 and 2013, the number of severe vulnerabilities exploited in Microsoft products decreased by 70%. That's the good news.
The bad news is that malicious actors have compensated by increasing their use of deceptive tactics, which more than tripled in the last quarter of 2013. The main tactic is an old one: bundling malicious software with user-initiated downloads. These are typically downloads of fake security software, codecs and the like. In addition to the software they asked for, users get infected with malware.
Deceptive downloads were one of the top ten threats in 105 of the 110 countries or regions worldwide studied by Microsoft. More than six of every 100 systems worldwide encountered such a download in the fourth quarter of 2013.
By far the most prevalent malware in use late last year was what Microsoft calls Rotbrow. Microsoft says that one common way it is installed is bundled with Babylon Toolbar, a browser toolbar that translates content between languages and which Microsoft says is "clean." It also masquerades as browser security software and codecs. The payloads vary, but common applications are click fraud and Bitcoin mining.
Brantall is another threat installed via deceptive download that made a splash late in 2013. Microsoft has seen this threat installed via claimed downloads of these legitimate programs:
- Best Codecs Pack
- PC doer
- Speed Analysis
- Video doer
Mostly because of Rotbrow and Brantall, the number of computers that had to be disinfected more than tripled from the third to the fourth quarter of 2013.
Microsoft also discusses ransomware in the report. They say that ransomware is not especially prevalent compared to other threats, but when it hits a user it can be devastating. The top ransomware threat, Reveton, increased 45 percent between the first and second halves of 2013. Another common strain was Urausy. Both purport to be from legitimate law enforcement and intimidate the user into compliance.
Microsoft stresses that users should not pay the ransom for ransomware. Doing so does not necessarily remove the threat, and once a user has shown a willingness to pay, the attackers may come back again. Microsoft and others have free tools for removing many of these threats.