Wednesday, October 05, 2011

Malware prevalence != Infection rates

There have been a number of presentations of late that have tried to document how end-users get infected with malware.

Both Google's malware report and a recent report from CSIS purport to tell us how people get malware, based on what malware they detect most frequently online and what exploits it uses to get onto a client machine.

Google goes so far as to say:
Social engineering has increased in frequency significantly and is still rising. However, it’s important to keep this growth in perspective — sites that rely on social engineering comprise only 2% of all sites that distribute malware.

Google may well be right in the numbers they are reporting (I don't doubt their analysis), but this number tells us nothing about how frequently users actually encounter the malicious sites that employ social engineering to infect them.

The percentage of sites on the internet is not directly correlated with a site's popularity. As a quick thought experiment, what if or or even were distributing social-engineering malware? They would represent a very small percentage of total websites, and yet reach a tremendously large number of users.

My hope is that companies such as FireEye can give the world some details on exactly which exploits they are seeing and with what frequency (have they already done that?), but even there, the numbers from a corporate environment may not align that well with what a home user sees, since many companies that deploy FireEye also do web filtering that prevents users from ever visiting certain types of sites.

The bottom line is that right now we can approximate what causes infections by looking at what the attackers are doing, but we don't truly know which of those attacks are succeeding, or how often.
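The two arguments above (site count versus traffic-weighted exposure, and the missing per-attack success rate) as a small worked model. This is an added example, not code from the original post; the site list, visit counts and success rates are constructed to illustrate the point, not measured data.

```python
from collections import defaultdict
from typing import Callable, Dict, List, NamedTuple


class Site(NamedTuple):
    name: str
    daily_visits: int
    vector: str  # "social" (needs user interaction) or "exploit" (drive-by)


# Constructed sample: two very popular sites pushing social-engineering
# malware, and 98 tiny drive-by sites. Names and numbers are made up.
SITES: List[Site] = [
    Site("big-portal.example", 5_000_000, "social"),
    Site("video-hub.example", 2_000_000, "social"),
] + [Site(f"drive-by-{i:02d}.example", 1_000, "exploit") for i in range(98)]


def share_by_vector(sites: List[Site], weight: Callable[[Site], float]) -> Dict[str, float]:
    """Fraction of the total attributed to each delivery vector, where each
    site contributes weight(site) (a count, a visit volume, or infections)."""
    totals: Dict[str, float] = defaultdict(float)
    for site in sites:
        totals[site.vector] += weight(site)
    grand = sum(totals.values())
    return {vector: total / grand for vector, total in totals.items()}


def site_share(sites: List[Site]) -> Dict[str, float]:
    """The 'x% of all sites that distribute malware' figure: every site counts once."""
    return share_by_vector(sites, lambda s: 1)


def visit_share(sites: List[Site]) -> Dict[str, float]:
    """What users actually run into: each site weighted by its traffic."""
    return share_by_vector(sites, lambda s: s.daily_visits)


def infection_share(sites: List[Site], success_rate: Dict[str, float]) -> Dict[str, float]:
    """Infections per vector under an ASSUMED per-visit success rate for each
    vector. The rate is exactly the number nobody in the discussion has."""
    return share_by_vector(sites, lambda s: s.daily_visits * success_rate[s.vector])


if __name__ == "__main__":
    print("by site count :", site_share(SITES))    # social ~2%, like the Google figure
    print("by visits     :", visit_share(SITES))   # social ~98.6%: the exposure users see
    # Two equally plausible guesses at success rates flip the conclusion.
    print("1% click-through, 20% unpatched:",
          infection_share(SITES, {"social": 0.01, "exploit": 0.20}))
    print("0.1% click-through, 20% unpatched:",
          infection_share(SITES, {"social": 0.001, "exploit": 0.20}))
```

Counting sites says social engineering is a 2% phenomenon; weighting by traffic says almost all exposure comes from it; and which vector actually causes more infections depends entirely on success rates that neither report measures.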

If someone has more data to provide on that, I'm all ears...


Dan Guido said...

Hey Andy,

I just wanted to sum up the comments I made on twitter.

Google, CSIS, and myself all have statistics for which exploits are launched at potential victims. Any of these exploits will work if the victim isn't patched and you need to defend against all of them for any defense to be effective. Defensive strategies that only protect against a subset of exploits launched will fail. Information that indicates which exploits were ultimately successful at infecting a victim is therefore a distraction.

Rather than use this data to say that app X needs to be patched more than app Y, we should try to come up with effective defenses that more broadly affect the entire data set. I analyzed trends in this data set in slides 54-56 of my SOURCE Boston presentation to come up with a minimum set of defenses that works without patching and defends against every launched exploit.

Dan Guido

Stu Sjouwerman said...

Interesting Redmond Security Intelligence Report (SIR)

Redmond just came out with their Security Intelligence Report (SIR) on October 11, with some VERY interesting numbers. First of all, they put zero-day threats in perspective. Exploits of zero-day vulnerabilities accounted for less than 1% of all exploit activity during the first half of 2011. The press is making a lot of noise about these, but the reality is that the numbers are not alarming. Lots of bark, not so much bite.

Redmond states that they want to provide IT with the data so that they can correctly prioritize, and I appreciate that intention. Jeff Jones, a director of security with Microsoft's Trustworthy Computing group said "For the person who has security as a day-to-day job, they need to worry about the things that are most prevalent and most severe."

I agree! And that is why the next item is so important. Redmond is scoring malware in a way that accounts for the multiple attack strategies most malware now employs, but they also use data from different sources, like malware killed by its Malicious Software Removal Tool (MSRT).

What Causes 45% Of Malware Infections?

Guess what, they concluded that 45% of all malware was spread through user interaction, aka social engineering. Jones said that "Exploits that use a social-engineered attack vector and require user interaction, by the MSRT data, are the most severe threats and the most prevalent."

Well in that case Redmond needs to change the prioritization of their patches, because at the moment an exploit that requires user interaction is only "important", whereas I would call that "critical" based on this data. Also, it shows there is an urgent need for end-user education and for turning off Autorun permanently. Not a bad point to make in Cybersecurity Awareness Month!

Here is a link to the full Redmond SIR report. It's a 160+ page PDF:

And here is a nifty infographic that shows the big picture: