Friday 27 May 2011

New malware scanner finds 5% of Windows PCs infected

One in every 20 Windows PCs whose users turned to Microsoft for cleanup help were infected with malware, Microsoft said this week.

Microsoft cited that statistic and others from data generated by its new Safety Scanner, a free malware scanning and scrubbing tool that re-launched May 12.

The 420,000 copies of the tool that were downloaded in the first week of its availability cleaned malware or signs of exploitation from more than 20,000 Windows PCs, Microsoft's Malware Protection Center (MMPC) reported Wednesday. That represented an infection rate of 4.8%.

On average, each of the infected PCs hosted 3.5 threats, which Microsoft defined as either actual malware or clues that a successful attack had been launched against the machine.

Of the top 10 threats found by Safety Scanner, seven were Java exploits, said Scott Wu and Joe Faulhaber of the MMPC, in a blog post. Wu is a program manager with the MMPC, while Faulhaber is a software engineer.

That finding backs up a recent Microsoft security intelligence report that noted a huge spike in Java-based exploits in the second half of 2010, when the number tracked by Microsoft jumped to nearly 13 million from around 1 million in the first six months of that year.

Microsoft blamed exploits of just two vulnerabilities in Oracle's Java for generating 85% of all Java attacks in the second half of 2010. Not surprising, those same two vulnerabilities ranked No. 1 and No. 6 in the Safety Scanner top 10.

One of the heavily-exploited Java bugs was patched in December 2008 by Sun -- which has since been swallowed by Oracle -- while the other was fixed in November 2009.

Microsoft has sounded the warning about the explosion in Java exploits before. In October 2010, Holly Stewart, another MMPC manager, said the attack volume was "scary" and "unprecedented."

Hacker reliance on Java made sense to Marc Fossi, the director of Symantec's security response team, in an interview last year. "Since Java is both cross-browser and cross-platform, it can be appealing to attackers," he said, referring to Java's use by every major browser, and on Windows, Mac OS and Linux.

Safety Scanner found 2,272 Windows PCs with evidence of an exploit of the most wide-used Java bug, dubbed "CVE-2008-5353" in the Common Vulnerabilities & Exploits database. Of those machines, 7.3% of them also contained the notorious Alureon rootkit, while 5.7% of them had been infected with one of the fake security programs of the "Winwebsec" family.

"By the time a user downloads and runs [Microsoft Safety Scanner] to detect malware, the machine may have already been infected, if it was vulnerable to the exploit at the time," acknowledged Wu and Faulhaber.

Alureon made news in February 2010 when Windows XP systems infected with the rootkit were crippled after a Microsoft security update. And Winwebsec, as Microsoft called the line of phony antivirus software that dupes victims into paying for the worthless program, has been linked to MacDefender, the scareware that's been plaguing Mac users all month.

Safety Scanner, which replaced an older online-only tool, uses the same technology and detection signatures as Microsoft's free consumer-grade Security Essentials antivirus program and its Forefront Endpoint Protection product for enterprises.

No comments: