Microsoft: Our Bugs Aren't The Only Problem
According to Matt Braverman, a program manager with Microsoft's Anti-Malware Technology Team, data from the group's Malicious Software Removal Tool shows that dupes are as crucial to attackers as bugs.
February's update of the Malicious Software Removal Tool -- the utility is refreshed on the same schedule Microsoft uses to release security patches -- discovered an unusually high number of Alcan.b worms on users' PCs.
Microsoft's cleaning utility runs on about 250 million computers each month, said Braverman, and after its Feb. 14 update, it detected Alcan.b on more than 250,000 machines, or one-tenth of one percent.
"[That was] easily the top detection for the month," said Braverman. "Compare this to the MyWife.e worm (aka CME-24), which we removed from approximately 40,000 computers in February.
Left unsaid by Braverman, however, was that Alcan.b harked back to mid-2005, while MyWife appeared in January 2006; the additional months could have allowed Alcan.b to silently accumulate on otherwise-unprotected PCs, since Microsoft's removal tool wasn't equipped to detect and delete the worm until February.
"Alcan.b does not exploit any software vulnerabilities. Instead, it spreads through popular peer-to-peer applications and its prevalence is likely due to effective social engineering," claimed Braverman.
Social engineering refers to the low-tech techniques fraudsters, attackers, and other criminals use to dupe Internet users into giving up identity information (phishing) or trick them into clicking on links to Web sites under all kinds of pretenses. Once at those sites, however, the users is often infected with worms, viruses, Trojans, adware, or spyware.
"Threats like this reinforce the idea that malware that exploits user weakness can be as dangerous as those threats which exploit software vulnerabilities," said Braverman.
Microsoft often posts social engineering requirements in its security bulletins as a way to downplay threats posed by flaws in Windows or its other software. The company's most-frequently-used phrasing is "An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site."
Coincidentally or not, Microsoft will issue one or more patches next week, April 11, including one for an Internet Explorer bug currently being exploited by attackers. That "createTextRange" vulnerability lets attacks hijack PCs in silent drive-by downloads, but requires that users be suckered into surfing to malicious sites.