
How Windows Gets Infected With Malware

Orome1 writes "Since up to 85% of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real-time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures, out of which as many as 31.3% were infected with the virus/malware due to missing security updates."

32 of 373 comments

  1. 70% on fully updated installs. by 140Mandak262Jamuna · · Score: 5, Interesting

    Salient point is that, fully updated and patched installs let 70% of the infections through.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    1. Re:70% on fully updated installs. by Moheeheeko · · Score: 3, Insightful

      The day that people stop clicking on "want bigger pen0r?" or "see x celebrity naked here" links is the day that 30% jumps to 90%. The fact is that a fully updated, maintained system is virtually malware proof if the user uses common sense.

    2. Re:70% on fully updated installs. by LordLimecat · · Score: 3, Interesting

      Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits).

      All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

    3. Re:70% on fully updated installs. by Dunbal · · Score: 5, Insightful

      Stupid users, eh? Explain the following: Yesterday I visited the top site Google provided for a search I did. I was not searching for anything particularly exotic or deviant, certainly not pornographic or illegal. Immediately on visiting the site with my Windows 7 machine, Microsoft Security Essentials pops up to alert me of a "severe" threat (Trojan:JS/BlacoleRef.A) it had located in my browser cache (Firefox 7.01). I did what the security program said, and it says the threat was removed. I have no idea if it was removed or not; my only choice with such an obfuscated, complicated OS is to assume that the tools I am given are not lying to me and are doing the job that they are supposed to.

      However, should I be infected in the above scenario, how exactly does this make me a "stupid user"? I've had a PC since the late 1970s. I can code in ASM, Cobol, Fortran, Basic, C, C++. I like to think I know how computers work. I don't click "Yes" to everything, and I don't run programs from dubious sources anywhere other than a virtual machine. Should I be going through my registry and boot files daily to not be a "stupid user"? Isn't that what an OS is supposed to do for me - take care of the basic functions of my machine while I run the programs I need? Are you just going to troll me by saying "use Linux instead, you noob"?

      --
      Seven puppies were harmed during the making of this post.

    4. Re:70% on fully updated installs. by Anonymous Coward · · Score: 5, Insightful

      You say:

      Salient point is that, fully updated and patched installs let 70% of the infections through.

      TFA says:

      The conclusion of this study is that as much as 99.8% of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.

    5. Re:70% on fully updated installs. by hedwards · · Score: 2

      That's the theory behind Immunet: once one of the computers is infected by a new virus, it's analyzed pretty much immediately and a signature is added before the virus has a chance to infect more machines. It doesn't stop new infections, but it does diminish the spread.

      I'm not sure how well it ultimately works, but the basic theory behind it is sound.

      Another thing that could happen would be for the ISP to throttle the connection back to dial up speed for infected computers downloading anything other than antivirus software. The main concern I'd have there would be false positives and the inherent reward of throttling users.

    6. Re:70% on fully updated installs. by UnknowingFool · · Score: 2

      But aren't you assuming that the other 87% are fully cross-platform? For instance, Java and Flash vulnerabilities exist in both Linux and OS X but don't result in the same issue, as those platforms are different. For example, a Flash vulnerability may allow the execution of a bundled .exe file; however, that does nothing for Linux/OS X users. For them, they would have to get scripts, and even then bypass any default settings that don't allow scripts to run automatically.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.

    7. Re:70% on fully updated installs. by CadentOrange · · Score: 2

      Your anecdote perfectly illustrates why we need to run AV scanners on our machines. It doesn't matter how careful we are; we are not immune to drive-by attacks. At this point, the typical Slashdot response is "Run AdBlock/NoScript". This doesn't always guarantee that you'll be safe, because what happens if the "safe" site you regularly visit has been compromised and the script you're about to allow is no longer safe? AV packages add another layer of defense, and this is a good thing.

    8. Re:70% on fully updated installs. by houstonbofh · · Score: 4, Interesting

      I also think Linux is bad for the average user, because while it is more secure than Windows by default, if you muck with it you can cause vastly more damage to the system if you are in the "just enough knowledge to be dangerous" camp. Ubuntu goes a long way towards this, but it needs an even friendlier interface (IMHO) for system setup and config. We won't get that till an OEM adopts it seriously for end-user platforms.

      I have set up a laptop for two different clients' wives with Ubuntu. Both were non-computer experts, and kept getting every infection known to man. After setting them up (over 2 years ago) I never saw those laptops again. I still see the clients, but they say the laptops are running perfectly. Lost a lot of business there, and from happy clients. :) Ooops...

    9. Re:70% on fully updated installs. by AJH16 · · Score: 2

      An interesting thought, but something seems fishy there. How does Immunet tell that a particular piece of malware is malware? If it can tell automatically, then why not simply prevent it in the first place? Updates are not necessary, as you now have the perfect AV. If you can't tell automatically, then it relies on an end user to recognize and prevent infection. At this point, it is really relying on the end user and is not really any better than conventional AV.

      --
      AJ Henderson

    10. Re:70% on fully updated installs. by beelsebob · · Score: 2

      Tbf, a large number leveraged Flash and Acrobat Reader. Flash is not installed by default on Macs any more (though it is likely to be installed, as there's no alternative); Acrobat Reader is not installed, and is unlikely to be installed due to the existence of Preview and Safari's native PDF rendering.

    11. Re:70% on fully updated installs. by oakgrove · · Score: 2

      I used to do the bi-monthly schlep to my mother's house to clean off the latest Google-results-hijack/adware/trojans du jour. Finally one day I told her, "I got something for ya." Installed Ubuntu 10.04 LTS and haven't had a problem since. She's one very happy Linux user.

      --
      The soylentnews experiment has been a dismal failure.

    12. Re:70% on fully updated installs. by jijacob · · Score: 3, Insightful

      The catch here is that *you* set the laptops up. Had you given the wives an Ubuntu CD and left them to their own methods, odds are they wouldn't be so happy.

    13. Re:70% on fully updated installs. by maxwell+demon · · Score: 2

      It helps, but what can you do if your favorite site serves infected 3rd-party ads?

      P.S: I do use noscript.

      AdBlock Plus.

      --
      The Tao of math: The numbers you can count are not the real numbers.

    14. Re:70% on fully updated installs. by ThePilgrim · · Score: 4, Insightful

      Except having it set up is how most people receive Windows.

      --
      Wouldn't it be nice if schools got all the money they wanted and the army had to hold jumble sales for guns

    15. Re:70% on fully updated installs. by JDG1980 · · Score: 2

      How many users are willing to have all websites broken by default until each one is explicitly whitelisted?

    16. Re:70% on fully updated installs. by oakgrove · · Score: 3, Funny

      And if you think that would be bad, imagine giving them a Windows CD.

      --
      The soylentnews experiment has been a dismal failure.

    17. Re:70% on fully updated installs. by Riceballsan · · Score: 2

      Well, in theory, if you rigged a computer with a baseline install and the 3 major browsers and perhaps Flash, ran a script to make it visit random pages but not download or install any files or programs, then upon reboot any process running is almost certainly malicious.

    18. Re:70% on fully updated installs. by Riceballsan · · Score: 3, Interesting

      Installing a modern Linux OS is generally easier than Windows, even for someone who has never used Linux before.

      Typical Linux install: insert CD, boot computer, click the install Linux button (by default it will ask to download the updates, and does so in this step), hit next, accept the defaults. Computer boots back up, ready to go with a word processor, Firefox and almost everything they need ready to go.

      Windows 7: insert install CD, hit next, accept the defaults, computer boots back up, look for manufacturer's CD to install any missing drivers, find printer drivers, find Office CD or go to webpage to download Open or Libre Office, install antivirus, agree to Windows updates, reboot, install more updates, reboot. Done.

      There are a few exceptions to the list, and it's not uncommon for Windows to have all of the drivers ready for you, but oddly, in all installs of Linux I have done recently, everything I have ever thrown at it has been automatically detected and ready to go on reboot. And I do admit the antivirus would be necessary if Linux were to ever fall into the "common for average users to get" category.

  2. How Window Gets... hu wha? by sgt+scrub · · Score: 4, Insightful

    A window can get infected? Lies I tell you!

    --
    Having to work for a living is the root of all evil.

  3. Update early. Update often. by mrflash818 · · Score: 2, Insightful

    When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash.

    Update early. Update often.

    --
    Uh, Linux geek since 1999.

  4. Re:Welll by QuantumRiff · · Score: 4, Insightful

    I can't tell you how much I wish Windows Update would update other applications. I guess I've turned into a crusty, bearded old Linux geek, but one command to update everything kind of spoils you. (And being able to install and uninstall more than one application at a time is nice too.)

    --

    What are we going to do tonight Brain?

  5. Re:Welll by mikael · · Score: 2

    I must admit I always had some suspicions of web browsers that visit dozens of websites before they even visit your own home page. Running 'tcpdump -vv' and 'netstat -a' while running a browser is very enlightening, even more so when doing 'whois' on those websites I've never heard of.

    Never could understand why 'firefox' was opening a shttp link to weather.noaa.gov, or who "stopbadware.org" was.

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads

  6. Better statistics? by SpryGuy · · Score: 2

    Looking at the graphs and statistics, I ended up wishing they'd factored in usage share, to make the numbers more meaningful.

    I mean, if (say) 70% of users used XP and 30% of users use Win7, then seeing 70% of the exploits on XP and 30% of the exploits on Win7 doesn't tell you much other than there's an exploit that is the same across them. It does NOT mean that XP is more vulnerable than Win7. Ditto the breakdown by browsers. Without usage share factored in, the numbers can be misleading in either direction.

    --

    - Spryguy
    There are three kinds of people in this world: those that can count and those that can't

  7. Re:Welll by houstonbofh · · Score: 5, Insightful

    Plug-in repositories are one thing I WISH windows would steal from Linux!

  8. Not much meat in TFA by sl4shd0rk · · Score: 2

    User's patches not up to date. User got infected.

    The applications the malware targets are unsurprisingly the same ol' same ol': Windows, Java, IE, Adobe.

    Perhaps the real questions should be:
    - Why is patching so ineffective?
    - Why is patch frequency not decreasing over time (these are *very* mature applications)?

    --
    Join the Slashcott! Feb 10 thru Feb 17!

  9. Java JRE by Bigbutt · · Score: 2

    Unfortunately, I run into areas where I am unable to upgrade the JRE due to incompatibilities with newer versions. For instance, in dealing with a Dell DRAC, the old chassis says it'll support 1.4_5 something or other or newer. The problem is that with the exact version it works fine, but upgrading the JRE on my system causes it to fail and refuse to start up the console Java app. So I have a Windows laptop at my desk that is kept at that specific version of the JRE so I can continue to access the chassis until it's replaced. It's just one example, but it's one I have to deal with on a periodic basis.

    [John]

    --
    Shit better not happen!

  10. Re:Welll by Leebert · · Score: 2

    It will happen if and when Microsoft can manage to swipe the App Store concept. The end goal is in sight, although we might not like the side effects.

  11. Re:Welll by bill_mcgonigle · · Score: 4, Funny

    I think that's in Windows 8 and they're calling it an 'App Store'.

    No word yet on how many reboots it'll take to install an app.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  12. Re:Welll by buchner.johannes · · Score: 2

    Use PSI https://secunia.com/vulnerability_scanning/personal/

    There are also several software updaters based on repositories, but none are really good. The software landscape is just different on Windows.

    --
    NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

  13. Product Pushing. by nairnr · · Score: 2

    Of course this study was done to showcase a product... And it is a Danish company, CSIS...

    "With this study CSIS has received confirmation that our security program Heimdal is addressing a market not adequately covered by a proper patch routine or policy for this area."

  14. Re:Flash, Silverlight, Office, Java by LordLimecat · · Score: 2

    My friends & family run $OS with the browser running in an isolated user account, works quite well

    So do most Windows users. Luckily for the virus makers, it's pretty easy to pester the user with a zillion gksudo / consent.exe prompts requesting elevation -- all it takes is clicking "allow" if you don't have a password set, and it's all over.