Attacks Aimed at Personal Data Soar

Microsoft's Malicious Software Removal Tool detected 150 percent more phishing scams in early 2007, according to a Microsoft report.

During the first half of 2007, Microsofts Malicious Software Removal Tool detected 31.6 million phishing scams—an increase of more than 150 percent over the previous six months—and tracked a 500 percent increase in Trojan downloaders and droppers, according to the companys latest Security Intelligence Report.

The report, produced every six months, this time around found far more attacks that are focused on stealing personal information, including Trojan downloaders and droppers—malicious code that installs Trojans, password stealers, keyboard loggers and/or other malware on victims systems.

In the first half of the year, Microsoft also detected a growing number of backdoors—a category that includes bots and that the company referred to as an increasing threat to instant messaging users.

Ben Fathi, corporate vice president of development for the Windows Core Operating System Division at Microsoft, planned to present the research in his keynote at RSA Conference Europe in London on Oct. 23.

Brendon Lynch, Microsofts director of privacy strategy, told eWEEK in an interview that the findings just confirm what security professionals have been realizing for some time: that personal data is the currency of cyber-crime.


SMBs are inviting targets for cyber-crime. Find out why.

"Critical information is a very valuable resource, for the businesses that use it to the consumers [who] get personalized services, and also [its] valuable to criminals—its the currency of crime online," he said. "Thats what theyre targeting, to hijack accounts with fraud and the like."

Microsoft found that the large increase in personal data thievery—including backdoors/bots/password stealers/keyloggers—during the first half of 2007 was due almost exclusively to one family of malware, Win32/IRCbot, which accounted for 81 percent of all backdoor detections in Windows Live Messenger. Trojan interception rate also surged, with MSRT picking up 5.9 million downloaders and droppers, up from 960,000 in the previous six months.

How much of this is due to increasing malware and how much is due to Microsoft refining the detection capabilities of MSRT is up for debate.

"The quality of detection is going to of course affect these numbers," Lynch said. "As we continue to improve the quality [of the tools capabilities] theres [going to be more threats detected]. We dont believe thats the whole thing, though."

Rich Mogull, an independent security consultant, founder of Securosis LLC and former Gartner analyst, said that Microsoft is, in fact, getting better at detection, but there "really is more phishing."

"It also doesnt matter," he said in an e-mail exchange. "Its so bad now that those that cant filter and manage it to a reasonable level cant effectively use e-mail anymore anyway."

As far as the 500 percent increase in Trojans goes, Mogull has faith in Microsofts figures. "We do know that Trojan and other malware kits are far more available and in active use," he said. "I strongly suspect that the 500 percent increase is a combination of more malware and better detection. … MSRT definitely needed to improve detection, but most of the stats Ive seen are supporting big increases, if not at the levels MSRT is reporting."

MSRT removed malware from one out of every 217 computers it scanned in early 2007, compared with one out of 409 in late 2006 and one out of 359 in the second half of 2005. Microsoft said the increases are likely due to improvements in MSRT along with the addition of highly prevalent families, such as Win32/Renos, Win32/Stration and Win32/Alureon. Some families MSRT has detected—Win32/Hupigon, Win32/Bancos and Win32/Banker—target data theft and banking information.


To read about spammers who use MP3 attachments named after major recording artists, click here.

The report also noted that the number of new software vulnerabilities remains large, with 3,400 new zero-days disclosed in the first half of the year. That number was down from 2006, however, which marks the first-ever decline in total vulnerabilities since 2003.

Classic e-mail worms continue to shrink in significance: They dropped to 49 percent of total malware detected in e-mail. Phishing scams increased, however, from 12.4 million in the second half of 2006 to 31.6 million in the first half of 2007. E-mail containing malicious iFrame attacks accounted for 27 percent of e-mail malware in the second half of 2006, rising to 37 percent six months later.

Microsoft found that machines running Vista and Windows XP SP2 had "significantly" lower infection rates than older Windows operating systems.

Lynch said that this was due to stronger security controls and features—for example, Vista asks users to OK downloads—as opposed to the fact that Vista isnt widely adopted yet and therefore still hasnt been as attractive a focus for malware authors.

"[The comparison was] done on a comparable basis, so it was like for like," he said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.