I've started on a little light bedtime reading to distract myself from the general economic doom and gloom, and here's a reliable source of lightweight but interesting factoids : the annual Microsoft Security Intelligence Report. We're now up to Volume 14, and as per usual it's packed with insights into the antics of the criminals and data poachers who lurk around the edges of the interweb. It stays mysteriously quiet about the not-so-amusing data-stealing that certain institutions and governments (allegedly) engage in, but I guess that would spoil the light-hearted fun.


From this document - a cracking good read, and with a nice selection of graphs and diagrams to break up the reams of text - I've selected a couple of items to whet your appetite. First off, that perennial favourite, the Top Ten of Malware for the previous year. No surprise that Java infections make up four of the ten, but that's better than the year before. And there's a new Number 1 - so careful with those PDF files.


2012 list of infections.JPG


Detections of Win32/Pdfjsc, a detection for specially crafted PDF files that exploit vulnerabilities in Adobe Reader and Adobe Acrobat, more than doubled from 3Q12 to 4Q12. It was the most commonly detected exploit during the last quarter of the year and the second most common for the half-year period overall.


Blacole is Microsoft’s detection name for components of the so-called “Blackhole” exploit kit, which delivers malicious software through infected webpages. Blacole was the most commonly detected exploit family in the second half of 2012. Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets.


It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components.


When the attacker loads the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.


(Copyright © 2013 Microsoft Corporation. All rights reserved)                


That's just in case the legal eagles get bored and drop by here ...



Want to know which countries had the highest proportion of infected PCs running Windows? Egypt, Libya, Iraq, Turkey, Pakistan, Morocco, and South Korea. Plus a few others, the map's too fuzzy to be certain. Cuba and Iran at first glance scored an amazing zero per cent infection rate. Gosh. Oh no, maybe not. There's "insufficient data" for those countries. Also Somalia, Venezuala, and (I don't know why) East Timor. And half of Africa.


And which operating system is the one most likely to need cleaning of infections? Ahem, step forward (yet again) good ol' Windows XP, with 11.3 per thousand. A good way ahead of Vista (2.5 per thou (32-bit)/4.6 per thou (64-bit)) and Windows 7 SP1(4.5/3.3).  Which perhaps explains why Microsoft is so keen to see the back of XP.



The Top 6 Threat Families for 2012 has one new entry : DealPly (see below), an adware infestation that claims to be "a browser add-on that makes your online shopping experience better" but your browsing experience a whole lot worse. It often comes with something called "Protlerdob" (I kid you not) which claims to be a free movie download but is in fact anything but. Microsoft have the lowdown on both of these in their Encyclopedia (an absolute must-read, go bookmark it now).

http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Adw are%3AWin32%2FDealPly

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Sof twareBundler%3aWin32%2fProtlerdob


Top 6 Threat Families 2012.JPG


Detections of Win32/Keygen, the most common detection overall in 2H12, increased each quarter, from 4.8 million computers in 2Q12 to 6.8 million in 4Q12. Keygen is a detection for tools that generate keys for various software products, which may allow users to run the products illegally.


The adware detection Win32/DealPly, which first appeared in 4Q12, quickly became the second most common detection of the quarter. DealPly is an adware program that displays offers that are related to the user’s web browsing habits. It has been observed being bundled with certain third-party software installation programs, including Win32/Protlerdob.


Detections of the generic family JS/IframeRef increased fivefold in 4Q12 after falling off significantly between 2Q12 and 3Q12. IframeRef is a generic detection for specially formed HTML inline frame (IFrame) tags that redirect to remote websites that contain malicious content. The increased IframeRef detections in 2Q12 and 4Q12 resulted from the discovery of a pair of widely used new variants in April and November 2012. (In January 2013, these variants were reclassified as Trojan:JS/Seedabutor.A and Trojan:JS/Seedabutor.B, respectively.)


(Copyright © 2013 Microsoft Corporation. All rights reserved)



There's plenty more where this came from. I've just scratched the surface of what's in the global summary. If you want the full read you can get the real deal from the Microsoft website


or download any of the report documents from these links -


http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4 F/Microsoft_Security_Intelligence_Report_Volume_14_Running_Unprotected_English.p df


http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4 F/Microsoft_Security_Intelligence_Report_Volume_14_Key_Findings_Summary_English. pdf


http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4 F/Microsoft_Security_Intelligence_Report_Volume_14_Worldwide_Threat_Assessment_E nglish.pdf


http://download.microsoft.com/download/E/0/F/E0F59BE7-E553-4888-9220-1C79CBD14B4 F/Microsoft_Security_Intelligence_Report_Volume_14_Regional_Threat_Assessment_En glish.pdf


Fascinating stuff. Or is that just me?