November 3, 2008 5:00 AM PST

Microsoft: Trojans are huge and China is tops in browser exploits

by Elinor Mills

China gets more browser-based exploits than any other country, according to the Microsoft Security Intelligence Report for the first half of 2008.

(Credit: Microsoft)

Three things you might not know: Vulnerabilities are decreasing but becoming easier to exploit. Trojans are the biggest threat. And Chinese computers are infected with more browser-based exploits than anywhere else.

Those are findings in the Microsoft Security Intelligence Report, due to be released on Monday. Covering the first half of this year, the report provides statistics compiled from Microsoft's Malware Protection Center that reveal trends about threats, breaches, and infection rates.

"Industrywide, we've seen a decrease in the last 12 months in vulnerabilities across products," down nearly 20 percent from the year-ago period, George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group, said in an interview.

Meanwhile, the percentage of disclosed vulnerabilities that are easiest to exploit increased, with 56 percent requiring a low-complexity exploit, according to the report.

Operating system vulnerabilities continued to decline, representing about 6 percent of disclosed vulnerabilities, with more than 90 percent found in applications.

And vulnerabilities in Microsoft software continued to trend down, by about one-third from the second half of 2007. About one-third of vulnerabilities disclosed in Microsoft software had publicly available exploit code.

Microsoft released patches for 77 security vulnerabilities during the first half of 2008, with 25 having publicly available exploit code.

The total amount of malware and unwanted software removed from computers worldwide in the first half of the year increased more than 43 percent from the second half of last year. Trojan downloaders accounted for more than 30 percent of that.

Of the computers serviced by Microsoft's Malicious Software Removal Tool, which runs on every PC that gets Windows updates, an average of 10 out of 1,000 are found to be infected worldwide, Stathakopoulos said. In the U.S. the infection number is 11.2 per 1,000. The lowest infection rate is in Japan, at 1.8 infected computers per 1,000, and at the other end is Afghanistan at 76 machines per 1,000, he said.

Downloaders or droppers, software that drops back doors onto computers, remained the most prevalent threat category. More than 96 percent of the computers cleaned in this category were attributed to two Trojan families: Win32/Zlob and Win32/Renos, the report said.

"Defenses against viruses and spyware work pretty well," said John Pescatore, an analyst at Gartner. "But the numbers are growing for Trojans; things are getting right through the antivirus and spyware software. It's not stopping the targeted malicious executables."

The changing landscape of vulnerabilities, with social engineering attacks plaguing PCs, along with pop-up ads and scareware, means companies should change their strategy for how they protect the corporate network, said Don Retallack, an analyst at Directions on Microsoft.

"Companies and organizations may want to do some employee training rather than counting on (software) configuration management," he said.

The report also has some interesting statistics specific to different countries. For instance, China has a high level of browser-based exploits, accounting for 47 percent of all incidents, followed by the U.S. with 23 percent of incidents, the report found.

China is at the top of the list because the software developers there are not as disciplined in writing code with security in mind and the huge market is an attractive target for malware writers, Stathakopoulos said.

In Brazil, password stealers dominate; viruses are big in Spain; in Italy it's unwanted software led by the peer-to-peer client Win32/BearShare; while in Korea viruses are the biggest threat.

In general, malware infection rates are higher in developing countries, as reported by the Malicious Software Removal Tool. This map shows infection rates per 1,000 computers cleaned.

(Credit: Microsoft)
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

(19 Comments)
by posporelis November 3, 2008 6:38 AM PST
HOW COME MAC PCS DON'T COME WITH ANY VIRUS, SPYWARE PROTECTION????
I WAS TOLD THAT MAC DON'T NEED THEM, CAUSE THEY ARE IMMUNE???
SO WHY IS MICROSOFT HAVING SO MANY PROBLEMS WITH VIRUSES, TROJANS, ETC ???
CAN'T THEY LEARN FROM COMPETITOR IN WHAT THEY ARE DOING RIGHT ?
I LEAN VERY STRONGLY TO GO BUY MACS AND SUPPORT THEM AND PULL AWAY FROM MICROSOFT COMPLETELY....
by Penguinisto November 3, 2008 6:51 AM PST
It isn't that OSX is immune, it is that OSX is very (very!) tough to code an exploit for that is 1) remote, 2) gives you a workable zombie, and 3) easy to spread. It requires talent that 99.999% of the malware-writing community simply does not have.

No defense is perfect, but there's a diff between OSX and Linux' near-perfect security, and the nearly undefendable Windows.
by oOJustmeOo November 3, 2008 6:57 AM PST
I'd like to add that most programmers that are trying to infect machines are choosing what's going to give them the best outcome. Windows inhabits the majority of computers around the world, this is the main reason Macs and Linux machines don't have as high of a threat risk.
by ballmerisanape November 3, 2008 7:09 AM PST
oOJustmeOo, you can't ignore the fact that the way IE has been implemented allowed this problem to get as bad as it is. If Microsoft had designed its OS with security in mind a long time ago... the problem would not be as bad.
by Renegade Knight November 3, 2008 7:23 AM PST
Penguinisto:

Macs and Linux have fewer problems entirely because they have less market share. If you are in the bot net business you have to go with the numbers. Windows has the numbers. Even if Windows had better security than Linux and OS X, there would still be more exploits.
by st430 November 3, 2008 8:03 AM PST
what a load of crap.
The O/S is like a bank.
you got a small local bank that only has 10 branches (Apple in terms of sales) and a national chain that has 100 branches in the same area (Windows). Of course the national chain will have a higher chance of getting robbed since it's everywhere. In the same case... the small chain is putting an extra security guard in each of the 10 branches... so it's more secure... does that mean it won't get robbed ever? NO!
Apple OS/X gets malware and exploits and viruses just like Linux boxes do (I was a Linux admin with hundreds of boxes... we got hacked once in a while too even though we did everything we could to prevent it.) OS/X is just another Unix variant... it's harder to exploit, since the virus maker has to know the weakness of Linux or OS/X... which is harder than learning Windows... but that does not mean no one can't hack it.
There are viruses out there specially for Apple, just less.
Don't get fooled by the myth that Apple doesn't need antivirus, you basically just open your front door and let anyone hack you. The Apple browser has weaknesses that let people take over your Mac or iPhone just as easily as Windows.
And it does not take long to do it either.
Apple has no virus is a myth, not truth.
by Penguinisto November 3, 2008 8:30 AM PST
@ Renegade Knight:

* Apache owns the majority of web server marketshare. Please explain why IIS has always been broken into more often, and in more spectacular ways.

* Oracle and MySQL own the vast majority of SQL installations, both online and offline. Why is it that we have such things as Slammer for MSSQL, but pretty much nothing for Oracle or MySQL installs?

* If your logic were true, then OSX, with nearly 10% marketshare in North America, would have 10% of the viruses out there... yet OSX has ~0% of them, and Windows nearly ~100%.

Someone care to 'splain that?

/P
by Penguinisto November 3, 2008 8:31 AM PST
@st430: Please list all active OSX viruses at this time. Note that trojans which require the user to implicitly launch the thing do not count.

We'll be waiting.
by Penguinisto November 3, 2008 6:42 AM PST
Vulnerabilities w/ active exploits may indeed be trending down, but the total (esp. remote ones) is still miles above that of other browsers on the same OS, let alone those present in other operating systems.

I see this as too much hand-waving on Microsoft's part.

What they need to do is focus on eliminating the reasons why the still-existing vulnerabilities are there and are actively exploitable. The biggest reason has to do with Microsoft's stupid insistence on letting their web browser live so deep into the OS... all because their former CEO stupidly wanted to abuse monopoly powers and push out Netscape.

If only they would separate the browser entirely from the OS (that is, pull it far enough away from the core/executive layers so that even a complete compromise of the app wouldn't mean ownership of the underlying OS), they could increase the damned thing's security by more than 80% over what it is now (meaning, it ain't all that secure right now).

Of course, they wouldn't dream of doing that... so we see them trying to crow about how they're making baby steps towards security, while their browser and OS competitors are making huge strides.

I don't mind the breakdown of where malware is most active, but honestly, there are more than enough credible sources outside of MSFT that can do that, and do it more completely (F-Secure, SANS, etc). MSFT the vendor needs to concentrate more on fixing their relatively insecure products, not on which nation is the most vulnerable when using it.

/P
by yydonkey November 3, 2008 11:48 AM PST
* If your logic were true, then OSX, with nearly 10% marketshare in North America, would have 10% of the viruses out there... yet OSX has ~0% of them, and Windows nearly ~100%.

Someone care to 'splain that?

Let's speak of 'logic', your statement of OSX with nearly 10% marketshare should have 10% of viruses. Ha, where is that 'logic' from, a politician?

My point to this discussion is:
Microsoft (imho, less secure) not only has the marketshare, but they also have the historical knowledge built against their OS. This means, the bugs, viruses, trojans, etc have been widely publicized and more importantly shared with other coders that there is a huge base of knowledge on how to circumvent the security of Microsoft's OS. (here's an example, you going to the store takes 10 turns, your friends know 8 of those turns, it won't take you long to figure out the other 2 turns--that's Microsoft. On the other hand for OSX, your friends only know 4 turns, it will take you a lot of time and effort to determine the next 6 turns.) Speaking from experience, these guys are lazy and want to make an impact as quickly and effortlessly as possible, and more importantly as BIG as possible.

Big isn't OSX; big is Microsoft
effortless isn't OSX; effortless is Microsoft
impact isn't OSX; impact is Microsoft
lazy isn't OSX; lazy is Microsoft (yes, in more ways than one)
by richard petty--2008 November 3, 2008 7:43 AM PST
Regarding oOJustmeOo November 3, 2008 6:57 AM PST
> I'd like to add that most programmers that are trying to infect machines are choosing what's
> going to give them the best outcome. Windows inhabits the majority of computers around the
> world, this is the main reason Macs and Linux machines don't have as high of a threat risk.

The cause and effect relationship that you described here is a myth.

Unix is a multi-user operating system that was developed from the very beginning with security as a top priority. Windows is a single-user operating system developed with no security whatsoever. Windows security has been bolted on, long after the fact.

THIS is why Windows has more security problems than Unix. Period.

The relative market penetration is irrelevant.
by joetesta70 November 3, 2008 7:53 AM PST
Virus writers are like game developers.

No viruses for Mac and Linux, no Google Chrome or Fallout 3 for Mac or Linux

Have a nice day entertaining yourself with OpenOffice!
by Perry_Clease November 3, 2008 7:59 AM PST
"Virus writers are like game developers. "

You're right about that.
by Penguinisto November 3, 2008 8:26 AM PST
He is indeed... too bad he'll never realize why and in what context, though.

FWIW though, thx for the chuckle on this end :)

/P
by Perry_Clease November 3, 2008 9:02 AM PST
There are so many jokes to be made here, but I don't want to get banned for posting them :)

Put something together with Richard's comment about market penetration and Trojans

Seriously there is hope. Remember in the end (another joke in the making), after a long struggle, that the Trojans lost the war. That is what happens when you steal something, be it someone else's wife or a password.

Now excuse me while I get some real work done, and yes Joe, I will be using my Mac :)
by AppleSuxLeo November 3, 2008 10:16 AM PST
With 92+% of the computer market, and the fact that real work gets done as well as the fact the business world uses Windows, it makes no sense to go after some punk pharting around with "Garage Band". Bwahahahah! Dude! Let's dress like Jeepers Creepers Boy... and start a Garage Band. Fer Sure!
by aintnorainbowdorothy November 3, 2008 12:17 PM PST
Read the story and nowhere did the wru\iter say that it was Microsoft that was most vulnurable. It was a Microsoft survey that simply said where most vuylnerabilities were. Not the OS, nothing of that nature. Mac Fangirls, read the article. Same for Linux Fangirls and Windows Fangirls. Incidentally, since I read and wtire English somewhat well, can people at least try to write in readable verbage. And learn how to spell.
by aintnorainbowdorothy November 3, 2008 12:18 PM PST
Of course, I didn't say I could type well.
by Perry_Clease November 3, 2008 12:54 PM PST
"And learn how to spell."

I need to ask a serious question, and I do not mean to throw gasoline on the flamewar. I do not use Windows, is there not a check-spelling-while-typing feature in Explorer? Of course it won't help with homophones, or grammar, but it should catch most typos.