
How Windows Gets Infected With Malware

Posted by timothy
from the sure-c'mon-in dept.
Orome1 writes "Since up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real-time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures, out of which as many as 31.3 % were infected with the virus/malware due to missing security updates."
  • by 140Mandak262Jamuna (970587) on Wednesday October 05, 2011 @11:07AM (#37612612) Journal
    Salient point is that, fully updated and patched installs let 70% of the infections through.
    • Mainly because the technology is reactive. We have to see an attack before we can guard against it.
      • by hedwards (940851)

        That's the theory behind Immunet: once one of the computers is infected by a new virus, it's analyzed pretty much immediately and a signature is added before the virus has a chance to infect more machines. It doesn't stop new infections, but it does diminish the spread.

        I'm not sure how well it ultimately works, but the basic theory behind it is sound.

        Another thing that could happen would be for the ISP to throttle the connection back to dial up speed for infected computers downloading anything other than ant

        • by AJH16 (940784)

          An interesting thought, but something seems fishy there. How does immunet tell that a particular piece of malware is malware? If it can tell automatically, then why not simply prevent it in the first place and updates are not necessary as you now have the perfect AV. If you can't tell automatically, then it relies on an end user to recognize and prevent infection. At this point, it is really relying on the end user and is not really any better than conventional AV.

          • Well in theory, if you rigged a computer with a baseline install and the 3 major browsers and perhaps Flash, ran a script to make it visit random pages but not download or install any files or programs, upon reboot any process running is almost certainly malicious.
    • by Moheeheeko (1682914)
      The day that people stop clicking on "want bigger pen0r?" or "see x clebrity naked here" links is the day that 30% jumps to 90%. The fact is that a fully updated, maintained system is virtually malware proof if the user uses common sense.
      • But sadly, average users need better than this.
        Everyone on /. is at least computer literate, likely has fundamentals of data and system level security, and understands the importance of backups (even if they don't do it, they are accepting a known risk).
        The average user thinks that e-mails are private, that 'password' is a bad password but that 'pa$$word', 'mypassword', 'PaSsWoRd', and 'password123' are all good enough, and that their digital pictures are perfectly safe on their hard drive in their 5 year ol

        • by houstonbofh (602064) on Wednesday October 05, 2011 @11:44AM (#37613106)

          I also think Linux is bad for the average user, because while it is more secure than Windows by default, if you muck with it you can cause vastly more damage to the system if you are in the "just enough knowledge to be dangerous" camp. Ubuntu goes a long way towards this, but it needs an even friendlier interface (IMHO) for system setup and config. We won't get that till an OEM adopts it seriously for end user platforms.

          I have set up a laptop for 2 different clients' wives with Ubuntu. Both were non-computer experts, and kept getting every infection known to man. After setting them up (over 2 years ago) I never saw those laptops again. I still see the clients, but they say the laptops are running perfectly. Lost a lot of business there, and from happy clients. :) Ooops...

          • by oakgrove (845019)
            I used to do the bi-monthly schlep to my mother's house to clean off the latest Google-results-hijack/adware/trojans du jour. Finally one day I told her, "I got something for ya." Installed Ubuntu 10.04 LTS and haven't had a problem since. She's one very happy Linux user.
          • by jijacob (943393)
            The catch here is that *you* set the laptops up. Had you given the wives an Ubuntu CD and left them to their own methods, odds are they wouldn't be so happy.
            • by ThePilgrim (456341) on Wednesday October 05, 2011 @12:43PM (#37613968) Homepage

              Except having it set up is how most people receive Windows.

            • by oakgrove (845019) on Wednesday October 05, 2011 @01:22PM (#37614506)
              And if you think that would be bad, imagine giving them a Windows CD.
            • by Riceballsan (816702) on Wednesday October 05, 2011 @03:14PM (#37616066)
              Installing a modern Linux OS is generally easier than Windows, even for someone who has never used Linux before.

              Typical Linux install: insert CD, boot computer, click the install Linux button (by default it will ask to download the updates, and does so in this step), hit next, accept the defaults. Computer boots back up, ready to go with a word processor, Firefox and almost everything they need ready to go.

              Windows 7: insert install CD, hit next, accept the defaults, computer boots back up, look for manufacturer's CD to install any missing drivers, find printer drivers, find Office CD or go to webpage to download Open or Libre Office, install antivirus, agree to Windows updates, reboot, install more updates, reboot. Done.

              There are a few exceptions to the list, and it's not uncommon for Windows to have all of the drivers ready for you. But oddly, in all installs of Linux I have done recently, everything I have ever thrown at it has been automatically detected and ready to go on reboot, and I do admit the antivirus would be necessary if Linux were to ever fall into the "common for average users to get" category.

      • by Krneki (1192201)
        It helps, but what can you do if your favorite site serves infected 3rd-party ads?

        P.S: I do use noscript.
        • It helps, but what can you do if your favorite site serves infected 3rd-party ads?

          P.S: I do use noscript.

          AdBlock Plus.

    • by LordLimecat (1103839)

      Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits).

      All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

      • But aren't you assuming that the other 87% are fully cross-platform? For instance Java and Flash vulnerabilities exist in both Linux and OS X but don't result in the same issue as those platforms are different. For example, a Flash vulnerability may allow the execution of a bundled .exe file; however that does nothing for Linux/OS X users. For them they would have to get scripts and even then bypass any default settings that don't allow scripts to run automatically.
        • exe files aren't materially different than Linux / Mac bin files-- if you can tell the OS to execute arbitrary code, the extension is hardly meaningful.

          Regardless, thats not how those exploits work. Machine-code is somehow slipped through the plugin's security measures, and is executed (buffer overflow, etc). That code then downloads the actual exe and dll files that are set up as the permanent infection, and will often attempt privilege escalation at the same time (and if successful, will often overwrite

          • The problem is that you are assuming arbitrary code execution rather than arbitrary file placement. Both are bad but there is less severity in file placement depending on where the file is located. If files can only be saved to user directories but not executable there is less risk. As for Pwn2Own there were different categories. One was code execution and one was file placement and one was reading user files.
      • by beelsebob (529313)

        Tbf, a large number leveraged flash and acrobat reader. Flash is not installed by default on Macs any more (though is likely to be installed as there's no alternative), acrobat reader is not installed, and is unlikely to be installed due to the existence of preview, and safari's native pdf rendering.

        • Flash is also not installed by default on Windows, nor is Java (though your OEM vendor may slip it in on you). That doesn't matter; the first time the user visits YouTube, they will get Flash, and that will likely be the version of Flash they have for the next umpteen months until their local friendly geek updates them. (Does Mac system update cover Java?)

          • by gtall (79522)

            "does Mac system update cover java?" Nope, as of OS X 10.7, java is your problem, not Apple's.

            • :\ one would have hoped they would have started moving towards "best of Windows and Linux", not "we're putting more things on the user's plate".

              Seriously, why can't MS and Apple get on the "update repository for desktops" bandwagon?

          • by Pope (17780)

            Yes, the built-in Software Update service on OS X includes some Java updates, but with Lion, Java is no longer installed by default. http://support.apple.com/kb/DL1421

    • by Anonymous Coward on Wednesday October 05, 2011 @11:30AM (#37612920)

      You say:

      Salient point is that, fully updated and patched installs let 70% of the infections through.

      TFA says:

      The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.

    • by ackthpt (218170)

      To think with GUI Operating System versions it began with Microsoft's rather optimistic view, with regards to ActiveX, that nobody on another networked computer would ever think of invading your computer, manipulating it, installing software on it and controlling it.

      Big fan of OTR and impressed when I heard a radio play from the 1950's which predicted unprotected computer hardware being infected... so the concept wasn't new.

      I also spent my early years on a mainframe system, where we were always vigilant to keep

    • by blackicye (760472)

      Salient point is that, fully updated and patched installs let 70% of the infections through.

      This proves that no amount of software development can overcome human stupidity.

      I haven't used an antivirus program in over 15 years and have not had any infections in about as long. I do download a free trial of some random antivirus program every year or so and just do a full manual scan before I uninstall it though.

      I like to tell people that the best antivirus that you can possibly install lies between your ears.

    • by Hatta (162192)

      How many are let through with a fully updated NoScript?

      • by JDG1980 (2438906)
        How many users are willing to have all websites broken by default until each one is explicitly whitelisted?
  • by sgt scrub (869860) on Wednesday October 05, 2011 @11:08AM (#37612634)

    A window can get infected? Lies I tell you!

  • According to the article, IE ranks fourth! Java JRE ranks first, and Adobe Flash and Adobe PDF Reader take the next two places. I think combining these two, Adobe is the king of the hill now in being the vector of disease. Not that it is any surprise.

    Java JRE issue is confusing. If the problem is with Java and specs, it should be platform independent. So it is the Windows implementation that is at fault? I don't know.

    • OTOH, you can cruise the Internet in safety and ease using the following combination:

      Windows 98
      Safari for Windows
      Quicktime for Windows

      About the only thing you could do is run iTunes, but you would be safe!

    • by daid303 (843777)

      Java JRE, so, disable it. I haven't found a single site that depends on it, the add-on seems to install by default (I just want the runtime, not the browser add-on...) and its only use in the browser seems to be as an attack vector.

      And it's not a problem with the specs, I think; it's the problem that the Java JRE is huge, and a single exploit in a single feature is a problem.

    • by gad_zuki! (70830)

      Yep, the advice I always give is:

      1. Uninstall java. Most end users never have a need for it and don't update it.

      2. Use Chrome to read PDFs or Foxit. No need for Adobe, but to be fair Adobe's new sandbox model in version X is resistant to viral infections and exploits.

      3. Update flash as often as it says or switch to Chrome.

      4. Run MSE or some other AV.
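The advice above, turned into a check an administrator can run. This is an example added here, not code from the article, CSIS, or gad_zuki!: a PowerShell inventory of the packages the thread keeps naming (Java JRE, Adobe Reader/Acrobat, Flash Player, QuickTime), read from the standard Uninstall registry keys. The product-name regexes and the minimum-version table are assumptions to adjust for your environment; the thresholds ship as placeholders.

```powershell
# Added example; not code from the article, CSIS, or any commenter.
# Inventories the third-party packages the thread singles out from the
# standard Uninstall registry keys and flags versions below a minimum.
# The minimum-version table below is a PLACEHOLDER: fill it from the
# vendors' current advisories before relying on the Outdated column.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Regexes matched against DisplayName; assumed names, adjust if a vendor
# renames a product (e.g. "Java(TM) 6 Update 27", "Adobe Flash Player 10 ActiveX").
$watchList = [ordered]@{
    'Java JRE'     = '^Java(\(TM\))?\s+\d'
    'Adobe Reader' = '^Adobe (Reader|Acrobat)'
    'Adobe Flash'  = '^Adobe Flash Player'
    'QuickTime'    = '^QuickTime'
}

# PLACEHOLDER thresholds (0.0 flags nothing); replace with real minimums.
$minVersion = @{
    'Java JRE'     = [version]'0.0'
    'Adobe Reader' = [version]'0.0'
    'Adobe Flash'  = [version]'0.0'
    'QuickTime'    = [version]'0.0'
}

function ConvertTo-VersionSafe([string]$Text) {
    # DisplayVersion is free text (e.g. "11,0,1,152" or "1.4.2_05");
    # normalise separators and fall back to 0.0 when it still does not parse.
    $v = [version]'0.0'
    if ($Text) {
        $null = [version]::TryParse(($Text -replace '[,_\s]', '.'), [ref]$v)
    }
    return $v
}

function Get-WatchedSoftware {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($name in $watchList.Keys) {
                if ($entry.DisplayName -match $watchList[$name]) {
                    $v = ConvertTo-VersionSafe $entry.DisplayVersion
                    [pscustomobject]@{
                        Package     = $name
                        DisplayName = $entry.DisplayName
                        Version     = $v
                        Outdated    = ($v -lt $minVersion[$name])
                    }
                }
            }
        }
}

# One row per matching install; an empty table means none of the watched
# packages is present, which is the state the advice above aims for.
Get-WatchedSoftware | Sort-Object Package, Version | Format-Table -AutoSize
```

The WOW6432Node path only exists on 64-bit Windows; the error action setting lets the script run unchanged on 32-bit machines.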

    • Yes, people who actually deal with such issues for a living have known this for some time. The difference between browsers is rapidly becoming moot-- the market share of any one browser is too diluted to be worth targeting when compared with the widespread adoption of Flash, Java, Acrobat, and Quicktime.

      There are some cases where it is conceivable that IE would be more secure than Firefox, given the huge leaps made between IE6 and IE9 over the last 4 years.

    • I am getting this pop-up ad for Norton anti-virus. That would not be unusual except for the fact that the only way I can see to get rid of it is to click the accept button. There is no X or a "no thanks" button on it. I have Microsoft anti-virus and I also have the Iobit Windows Care program, and I run Firefox with their pop-up blocker. Even with all of that I still get that pop-up. I will not accept just because they do not have an easy way to decline.
    • by washu_k (1628007)
      The JRE issue is simple. The JRE is being exploited to deliver Windows malware. Linux or other OSes can get "infected" by the same exploit, but since the payload code is for Windows it won't run on other OSes. The JRE is just the delivery method, it's not actually running the malware.

      The big issue with Java is that while it is platform independent, it is not version independent. There are many many Java apps that require a specific version of the JRE and will not run on a newer one. So if you need t
  • by mrflash818 (226638) on Wednesday October 05, 2011 @11:10AM (#37612670) Homepage Journal

    When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash.

    Update early. Update often.

    • by chispito (1870390)

      When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash.

      Update early. Update often.

      Alternately, you could simply not use Adobe plugins.

      • Funny enough, while there are loads of alternative PDF readers out there, all of the alternative Flash players I know of seem to be Linux only, or the Windows versions are way behind. http://www.gnu.org/software/gnash/ http://sourceforge.net/apps/trac/lightspark http://swfdec.freedesktop.org/wiki/ Perhaps this will get these projects some attention...
      • by jimicus (737525)

        Alternately, you could simply not use Adobe plugins.

        Let's face it, for most people that's a bit like telling them not to have sex if they don't want to get pregnant.

        Entirely true, but so un-representative of the real world you might as well save your breath.

      • by antdude (79039)

        How do we watch Flash videos then? :P

    • Uninstall Reader/Acrobat as useless, install Firefox with Flashblock, AdBlock.
      Ta-da, infection almost certainly now depends on users being morons.

      I personally would like a way to tell Firefox to block cross-domain anything that's not a static image. That would quash a lot of the scripts that are problematic without the hassle of NoScript.

  • I guess don't use Java, Adobe Reader or Flash, or IE, and you should kill 90% of possibilities.

  • by SpryGuy (206254) on Wednesday October 05, 2011 @11:17AM (#37612754)

    Looking at the graphs and statistics, I ended up wishing they'd factored in usage share, to make the numbers more meaningful.

    I mean, if (say) 70% of users used XP and 30% of users use Win7, then seeing 70% of the exploits on XP and 30% of the exploits on Win7 doesn't tell you much other than there's an exploit that is the same across them. It does NOT mean that XP is more vulnerable than Win7. Ditto the breakdown by browsers. Without usage share factored in, the numbers can be misleading in either direction.

  • Simply Click HERE! [goats--damnicantdoit] ;)

  • by sl4shd0rk (755837) on Wednesday October 05, 2011 @11:26AM (#37612886)

    User's patches not up-to-date. User got infected.

    The applications the malware targets are unsurprisingly the same-ol-same-ol. Windows, Java, IE, Adobe.

    Perhaps the real questions should be:
    - Why is patching so ineffective?
    - Why is patch frequency not decreasing over time (these are *very* mature applications) ?

    • The Flash update process is pretty retarded, for one.

      In the control panel, it can tell me which versions of the ActiveX (IE) and plugin (Firefox, etc) are installed, but when I manually ask to check for updates it sends the default browser to the Flash download page.

      What a completely lame-brained approach--the control panel should check for, download and install updates itself, or pass it off to an Adobe Update app, or *something* that doesn't require manually downloading and installing a fresh copy of *bot

  • by Bigbutt (65939) on Wednesday October 05, 2011 @11:28AM (#37612906) Homepage Journal

    Unfortunately I run into areas where I am unable to upgrade the JRE due to incompatibilities with newer versions. For instance, in dealing with a Dell DRAC, the old Chassis says it'll support 1.4_5 something or other or newer. The problem is with the exact version it works fine but upgrading JRE on my system causes it to fail and refuse to start up the console java app. So I have a Windows laptop at my desk that is kept at that specific version of the JRE so I can continue to access the chassis until it's replaced. It's just one example but it's one I have to deal with on a periodic basis.

    [John]

    • Easy: Virtualize the management system used to manage these cards, throw it in a VM that is not used for general everyday computing (its sole purpose is managing the DRACs)

      Contact Dell to see if an update exists that would allow you to use a newer version of Java.

      If the hardware is too old, look into a replacement plan due to aging.
      • by Bigbutt (65939)

        Not allowed to virtualize Windows (I've asked). They're trying to reduce the number of Windows licenses in the company (I have a Mac :) )

        The last update was applied. This was end of life'd two years ago.

        Hahahahahahaha. Believe me, we're trying to get old hardware replaced.

        [John]

    • I have clients that can't use their check scanner for online corporate banking if JRE gets upgraded. Of all the PCs in the office, that's the one you do NOT want to get infected with a rootkit and keylogger for obvious reasons.

      • by Bigbutt (65939)

        My solution is to just keep the old laptop around but not use it for anything but that specific task. So it sits in a drawer and every month or so I have to break it out, turn it on, and check out the console for the server that stopped responding to the network for some reason. If it doesn't get on the 'net, there isn't much of a chance of it getting infected.

        [John]

  • They need to incorporate the option of turning on automatic, silent upgrades like Google Chrome has - many end users don't recognize the "Hey I've got an update" balloons on their machines, and just ignore them until they wind up several versions out of date. Also, Adobe needs to cut out this "reboot required" nonsense for Adobe Reader. Not everyone is able to reboot machines at a drop of a hat, and it's annoying to have to schedule a reboot on a server for a program that didn't require a reboot for insta
    • I don't know about Flash, but Java can be set to auto-update.

    • Silent updates are the worst idea ever. Something that worked yesterday stops working today - and I have no clue why.
      It is OK for some users to enable automatic updates (e.g. if you use only a Web browser and no specific plugins), but even then: make the users aware of each update. Most users are far better off with a planned update.

      • That only works if users actually install the updates. Best case scenario, they actually call IT and ask about it and make us install it for them. Worst case scenario, they ignore it and we don't find out about it until six months later when their system is suddenly infected beyond repair because they double clicked a fake UPS attachment receipt.
  • http://www.net-security.org/images/articles/102011-infection.jpg

    Avoid Java, Flash, Acrobat and IE Explorer and you avoid around 95+% of the entry points. IOW it does not seem to be Opera or Mozilla which is vulnerable, but the added cruft plug-in.
  • TL;DR:

    The majority of infections are (in order): JRE, Acrobat Reader, Flash, and a minority are actual browser exploits and/or Quicktime exploits. No word on the versions but I expect that they are all well-known and long-patched holes.

    Part of the reason I run with Java disabled, Flashblock installed, etc.

  • by nairnr (314138) on Wednesday October 05, 2011 @12:29PM (#37613768)
    Of course this study was done to showcase a product... And it is a Danish company CSIS...

    "With this study CSIS has received confirmation that our security program Heimdal is addressing a market not adequately covered by a proper patch routine or policy for this area. "

    • by Guspaz (556486)

      Not to be confused with CSIS, the Canadian Security Intelligence Service, our equivalent of the CIA.
