Microsoft: Windows XP has the highest infection rate

Microsoft has released its latest semi-annual Security Intelligence Report, covering the first half of 2012 and offering a worldwide threat assessment for that period. One of the highlights of the report is the average infection rate of popular Microsoft client and server operating systems. According to the report, Windows XP SP3 systems are on average twice as likely to get infected as Windows Vista or Windows 7 systems. The system with the lowest number of average infections is the 64-bit version of Windows 7 SP1, with 3.1 infections per 1000 computers compared to XP's 9.5 infections per 1000 computers.

It is interesting to note that infection rates for 64-bit versions of Windows 7 are lower than those for the 32-bit versions of the same operating system.

[Figure: Microsoft Windows infection rates]

When you look at the trend chart, you will notice that the average infection rates of Windows XP and Windows 7 systems are on the rise, while that of Windows Vista dropped significantly in the first half of 2012. Windows 7 infection rates only increased slightly in the first half, while Windows XP infection rates made a huge jump to over 10.0 in the second quarter of 2012. Microsoft attributes this jump to the worm family Win32/Dorkbot and the trojan downloader Win32/Pluzoks.

[Figure: Infection trends]

Miscellaneous trojans lead the threat category listing, followed by potentially unwanted software, worms, adware, trojan downloaders and droppers, and exploits.

[Figure: Threat categories]

  • The increase in Miscellaneous Trojans, the most commonly detected category during both quarters, was driven by an increase in the generic exploit family JS/IframeRef and the rogue security software family Win32/FakePAV.
  • Miscellaneous Potentially Unwanted Software detections remained consistent through both quarters. Win32/Keygen, a generic detection for tools that generate keys for various software products, was the most commonly detected family in this category.
  • The Adware category has declined significantly over the past several quarters, from 1st as recently as 3Q11 to 4th in 2Q12. Significantly reduced detections of JS/Pornpop, Win32/Hotbar, and Win32/OpenCandy have been the biggest contributors to the decline.
  • The Exploit category, which had been increasing gradually for several quarters, fell slightly in 2Q12. This trend corresponds to the increase and apparent peaking of the Blacole exploit kit.

threat categories by country

  • The United States and the United Kingdom, two predominantly English-speaking locations that also share a number of other cultural similarities, have similar threat mixes in most categories. The Miscellaneous Trojans category is more prevalent in both places than in others primarily because of detections of the English-language rogue security software family Win32/FakePAV, 72.7 percent of which involved computers in the US and UK. Exploits are somewhat more prevalent in the UK than in the US because of the Blacole exploit family, which was detected on proportionally more computers in the UK.
  • In Russia, the Miscellaneous Potentially Unwanted Software category is especially prevalent, led by Win32/Pameseg and Win32/Keygen. Pameseg is a family of installers that require the user to send a text message to a premium number to successfully install certain programs, some of which are otherwise available for free. Currently, most variants target Russian speakers.
  • Brazil has long had higher-than-average detections of Password Stealers & Monitoring Tools because of the prevalence of malware that targets customers of Brazilian banks, especially Win32/Bancos and Win32/Banker. In 2Q12, Brazil accounted for 69.9 percent of computers reporting Bancos detections worldwide, and 42.4 percent of computers reporting Banker detections.
  • Korea had significantly higher-than-average detections of the Trojan Downloaders & Droppers and Adware categories, and significantly lower-than-average detections of all other categories. The high level of Trojan Downloaders & Droppers detections was driven by large numbers of computers infected with Win32/Pluzoks. The high level of Adware detections was driven by Win32/Wizpop, which monitors users' Web browsers and diverts requests for certain URLs to a Korean-language site. In 2Q12, 90.4 percent of computers reporting detections of Wizpop were located in Korea.
  • Worms were especially prevalent in Turkey in 4Q11 because of Win32/Helompy, a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or services. The worm contacts a remote host to download arbitrary files and to upload stolen details. In 2Q12, 63.2 percent of computers reporting detections of Helompy were located in Turkey. For more information about Helompy and Turkey.
  • Worms and viruses were particularly prevalent in India, driven by detections of the generic worm family Win32/Autorun and the virus families Win32/Sality and Win32/Ramnit.

It needs to be noted that the report is looking at the big picture, and while that means that Windows XP SP3 systems have a higher average infection rate than Windows 7 systems, it does not mean that individual XP systems are more likely to get infected than Windows 7 systems. In the end, it comes down to updates, the software that is installed on the system, the security of the system, the user’s activities and other factors.

You can download the full report from the Microsoft SIR website.


Original news article at https://www.ghacks.net on October 11, 2012 at 05:55PM

Capital One Financial Corp latest victim of Cyber Attack

Capital One Financial Corp. said it’s the latest target in a new round of coordinated cyber attacks aimed at disrupting the websites of major U.S. banks, and SunTrust Banks Inc. and Regions Financial Corp. said they expect to be next.

The so-called “Izz ad-Din al-Qassam Cyber Fighters” posted a specific timetable for its attack program on PasteBin.com, a website commonly used by hackers to brag about exploits. Izz ad-Din al-Qassam also threatened to pursue more cyber attacks next week and has long said it will not stop until the video is removed from the Internet.
American banks will reportedly face a massive cyberattack in coming weeks. A Russian-speaking hacker is organizing a massive trojan attack based around fraudulent wire transfers, and American banks appear to be at the center of the raid.
In the past, such attacks have sometimes caused websites to slow to a crawl or become inaccessible for some users; however, the impact cannot be gauged in advance. The same group has taken credit for attacks on Bank of America, J.P. Morgan Chase and the NYSE Euronext in recent weeks.
Security professionals investigating the recent cyber attacks against the U.S. financial sector said last week that they discovered the tools at the heart of the attacks are more complex than previously thought and that a variant of the malware has been found in labs in Saudi Arabia. It’s not clear whether this means the malware used against U.S. banks came from Saudi Arabia or just ended up there coincidentally.


Original news article at https://thehackernews.com/ on October 10, 2012 at 02:38AM

Splitting passwords up to increase security

Splitting passwords up could be the next big thing after 2-factor authentication, which companies such as Google, Facebook or PayPal offer as an opt-in service to their users. The two solutions improve the protection of user account data from different angles: where 2-factor authentication is entirely the user's responsibility, splitting up passwords is entirely dependent on the webmaster and the company running the server.

The idea itself is simple: instead of saving passwords in a single location, they are split up and saved in multiple locations. Attackers who go after a company's server infrastructure therefore need to break into multiple servers instead of just one, and since the servers can be protected in different ways, for instance by using different operating systems, firewalls, security scripts and personnel, the chance of a complete breach is reduced. The technique also protects the data from inside jobs, for instance when an admin downloads data from a database.

RSA plans to bring software implementing the technique to market later this year. RSA's approach is the following: passwords are broken into pieces during account creation and then randomly saved to different servers. When a user logs in, the supplied password is split into encrypted strings, which are sent to the password servers. The password is split into as many pieces as there are password servers, and one part of the string is randomly sent to each password server.

The user string is then combined with the stored password piece, and all the newly created strings are compared to determine whether the password is correct. RSA claims that it is mathematically impossible to determine the password from an individual string or from all strings combined.

1) Before it is stored, the password is transformed with a random number. The random number is stored on one server (the "red" server) and the transformed password on a different server (the "blue" server). Compromising one server is not sufficient to compromise the password.

2) At regular time intervals, a new random number is generated and both servers are updated with the new random number value, adding a time-based layer of protection: both servers must be compromised at the same time for the password to be compromised.

3) When an application needs to verify a password, the claimed password transformed with a new random number is sent to the "blue" server while the random number is sent to the "red" server. Each server can execute a new transformation involving the stored data and validate whether the claimed password matches the stored password without exposing the legitimate password.
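To make the three steps concrete, here is a small Python model of the two-server scheme. It is an added example, not RSA's code: the XOR masking of a PBKDF2 digest, the share refresh and the digest comparison are simplifications chosen to illustrate the description, and the `Server`, `enroll`, `refresh_shares` and `verify` names are hypothetical.

```python
import hashlib
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pw_hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash of the password; this digest is what gets split (my choice, not RSA's).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Server:
    """One of the two share-holding servers ("red" or "blue"). It sees only its own share."""
    def __init__(self):
        self.shares = {}

    def store(self, user: str, share: bytes):
        self.shares[user] = share

    def refresh(self, user: str, delta: bytes):
        # Step 2: both servers XOR the same fresh random value into their share, so a share
        # stolen from one server before the refresh is useless with the other's share after it.
        self.shares[user] = xor(self.shares[user], delta)

    def blinded(self, user: str, blind: bytes) -> bytes:
        # Step 3: combine the stored share with the value received for this login attempt
        # and hand back only a digest, so the peer learns equality and nothing else.
        return hashlib.sha256(xor(self.shares[user], blind)).digest()

red, blue = Server(), Server()
salts = {}  # per-user salt; kept by the application, not by either share server

def enroll(user: str, password: str):
    salt = secrets.token_bytes(16)
    salts[user] = salt
    h = pw_hash(password, salt)
    r = secrets.token_bytes(len(h))   # step 1: the random number
    red.store(user, r)                # red keeps the random number
    blue.store(user, xor(h, r))       # blue keeps the transformed (masked) password hash

def refresh_shares(user: str):
    delta = secrets.token_bytes(32)
    red.refresh(user, delta)
    blue.refresh(user, delta)

def verify(user: str, claimed: str) -> bool:
    if user not in salts:
        return False
    h2 = pw_hash(claimed, salts[user])
    s = secrets.token_bytes(len(h2))  # fresh random number for this login only
    # blue receives h2 XOR s, red receives s; neither ever sees h2 or h in the clear.
    # blue computes (h XOR r) XOR (h2 XOR s), red computes r XOR s: equal exactly when h == h2.
    return blue.blinded(user, xor(h2, s)) == red.blinded(user, s)
```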

RSA calls the approach distributed credential protection, which is a version of the long-known technique called threshold cryptography. What is new is that the technology will be made available to the general public.

Using multiple servers may be problematic from an availability point of view unless parts of the password are supplied to more servers than necessary so that fallback servers are available when a server goes down.

You can read about the announcement on the official RSA blog.


Original news article at https://www.ghacks.net on October 10, 2012 at 06:29PM

New data-theft attack technique can run across web

Researchers have detected a "new man-in-the-browser" (MITB) attack method that uses malware capable of stealing users' bank or other sensitive information entered on websites.

As opposed to traditional MITB scams – where malware sitting on victims’ computers is used to monitor a list of targeted websites and then pounces when users visit those sites – this technique allows criminals to draw victims’ data from an unlimited pool of sites.


Original news article at https://news.hitb.org/