We’re used to reports of malware these days. It seems as if there’s a universe of programs whose sole purpose is causing trouble for innocent users like you and me. That’s why it’s a bit of a surprise when just one of them can cause a huge spike in attacks.
Malware infections of Microsoft Windows computers tripled last year, says a Computerworld article on Microsoft’s latest Biannual Security Intelligence Report (SIR), which was released yesterday.
According to Tim Rains, director of Microsoft’s Trustworthy Computing division, an average of 5.8 Windows computers out of every 1000 were infected with malware in the third quarter of 2013. That’s bad enough, but the number jumped to 17 per 1000 in the fourth quarter.
And it seems that just a single program is responsible. Rains attributed that jump to a malware program called “Rotbrow.” It masquerades as “Browser Protector,” a browser add-on and supposedly a security product. It was found on no fewer than 59 out of every 1000 computers using Microsoft security products.
Rotbrow is in fact a “dropper” – a program that can download other software onto an infected computer. It didn’t download malware at first, which is probably what led security companies to classify it as harmless.
But because it was initially innocuous, Rotbrow managed to get itself installed on a large number of computers. It then changed its behaviour and started downloading malicious browser extensions, at which point Microsoft notified security companies, which started to block it.
“I would characterize it as a low and slow attack,” Rains said. “They were patient and waited a long time before they started to distribute malicious stuff. I think they gained a lot of people’s trust over time.”
One piece of malware Rotbrow distributes is “Sefnit,” malicious botnet code that can download other harmful programs, such as those involved in click fraud. Sefnit has also been linked to ransomware, which encrypts a person’s files and demands payment.
Microsoft (Nasdaq: MSFT) says it added Rotbrow detection to its Malicious Software Removal Tool last December.
Computerworld says Microsoft’s latest SIR concludes that security improvements in Windows, such as Address Space Layout Randomization and Data Execution Prevention, have made it much more difficult to exploit known vulnerabilities. The report also said the number of vulnerabilities in Microsoft products that can be remotely exploited fell by 70 percent between 2010 and 2013.
“We are really trying to raise the cost of exploitation,” Rains said. “It’s not impossible to exploit, just hard. They have to put in the extra time, extra cost.”
Rains said he is confident that there won’t be a rise in Rotbrow infections from this point.