Malware Revolution: A Change in Target


By Mary Landesman
Technical Editor, Microsoft Security Research and Response


A significant evolution has occurred in the malware landscape over the past five years – a change of intent from amateur virus writers seeking attention to professional criminals seeking profit. But in the past year, a more abrupt shift has taken place: a change in target, with users squarely in the bull's-eye.

To a certain extent, malicious software has always relied upon the user. In the sneakernet era, the boot sector virus often relied on the user to inadvertently leave a floppy disk in the drive during boot-up. More recently, profit-driven programs have routinely tried to trick the user into installing software that, unbeknownst to them, will deliver incessant pop-up advertising or redirect their Internet browsing. Yet once the software is installed, the users themselves become superfluous. The target was the computer, and once it was compromised the objective was met.

Today’s malware is decidedly different. Instead of hijacking the computer for illicit gains, today’s malware is intent on hijacking the user for hard currency, credit card fraud, and outright identity theft. In the current landscape, malware is no longer an end in itself, but rather the means through which the end is reached.

Spam, Scams, and Social Engineering

In 2006, the Microsoft Exchange Hosted Filtering (EHF) service, part of Microsoft Exchange Hosted Services, processed over 110 billion inbound e-mail messages of which 91.56% were classified as spam. Formerly considered a mere nuisance, spam is now the tool of choice for criminal profiteers.

  • To achieve their goal, criminals typically control large botnets, collections of sometimes tens of thousands of computers infected by backdoor Trojans. The Trojans used to form the botnets are typically installed by downloaders and droppers which, ironically, frequently reach their victims through spam.

  • In addition to botnets, peer-to-peer (P2P) file-sharing networks are breeding grounds for malware. Attackers deliberately seed these file shares with backdoor Trojans and downloaders, using file names that match popular program, music, or other coveted files.

  • Compromised instant messaging and social networking accounts allow attackers to contact others from the context of a trusted friend, thus attachments or links sent to those users are more likely to be trusted as well.

In 2006, 20 percent of all scans by the Windows Live OneCare safety scanner detected some form of malware, and the overwhelming majority was some form of downloader, dropper, or backdoor Trojan. To hide these Trojans, the use of rootkits is on the rise. In the first half of 2006, the safety scanner removed 5,349 instances of rootkits. In the second half of the year, the number increased over fourfold to 21,935.

These carefully hidden botnets provide attackers with a distributed network of compromised systems from which they can work to defraud others with near anonymity. For example, botnets formed by the Rustock Trojan spread the volume of spam over a wide range of IP addresses in order to bypass threshold restrictions imposed by many ISPs specifically to discourage spamming.
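The Rustock example above describes why a per-IP sending threshold is weak against a botnet: each bot stays under the limit while the campaign as a whole is enormous. The following Python script is an added illustration of the defender's side and is not part of the original article or any Microsoft product; it runs the same constructed mail-log sample (fabricated addresses from the documentation ranges) through a naive per-IP rule and then through a campaign rule that groups messages by a normalized subject fingerprint, which catches the distributed sending the per-IP rule misses. The log format and all function names are assumptions for the example.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample log (not real data): twelve near-identical spam messages spread over
# six bot IPs, two each, plus three ordinary messages from one legitimate host.
SAMPLE_LOG = """\
2007-03-01T10:00:01 src=203.0.113.10 from=promo1@example.net subj="Cheap meds!!! Order now"
2007-03-01T10:00:02 src=203.0.113.11 from=promo2@example.net subj="Cheap meds! Order now 2"
2007-03-01T10:00:03 src=203.0.113.12 from=promo3@example.net subj="CHEAP MEDS - order now"
2007-03-01T10:00:04 src=203.0.113.13 from=promo4@example.net subj="Cheap Meds... order NOW!"
2007-03-01T10:00:05 src=203.0.113.14 from=promo5@example.net subj="cheap meds, order now 77"
2007-03-01T10:00:06 src=203.0.113.15 from=promo6@example.net subj="Cheap meds!!! Order now"
2007-03-01T10:00:07 src=203.0.113.10 from=promo7@example.net subj="Cheap meds! Order now 3"
2007-03-01T10:00:08 src=203.0.113.11 from=promo8@example.net subj="CHEAP MEDS order now"
2007-03-01T10:00:09 src=203.0.113.12 from=promo9@example.net subj="Cheap meds: order now 9"
2007-03-01T10:00:10 src=203.0.113.13 from=promo10@example.net subj="Cheap meds - Order now"
2007-03-01T10:00:11 src=203.0.113.14 from=promo11@example.net subj="cheap MEDS order now!!"
2007-03-01T10:00:12 src=203.0.113.15 from=promo12@example.net subj="Cheap meds order now 2007"
2007-03-01T10:01:00 src=198.51.100.5 from=alice@example.org subj="Meeting notes"
2007-03-01T10:01:30 src=198.51.100.5 from=alice@example.org subj="Re: invoice 1234"
2007-03-01T10:02:00 src=198.51.100.5 from=alice@example.org subj="Lunch?"
"""

# Assumed log line layout for this example only.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<ip>\S+) from=(?P<sender>\S+) subj="(?P<subj>[^"]*)"$'
)


def parse_log(text):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def fingerprint(subject):
    """Collapse the cosmetic variation spammers add (case, digits, punctuation)
    so that one campaign maps to one key."""
    norm = re.sub(r"[^a-z ]", "", subject.lower())
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha1(norm.encode()).hexdigest()[:12]


def per_ip_offenders(events, threshold):
    """The ISP-style rule: flag any single source IP sending more than `threshold`."""
    counts = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def campaign_offenders(events, threshold, min_ips=3):
    """Group by campaign fingerprint instead of by IP: flag a campaign whose total
    exceeds `threshold` and that is spread over at least `min_ips` sources."""
    groups = defaultdict(lambda: {"count": 0, "ips": set()})
    for e in events:
        g = groups[fingerprint(e["subj"])]
        g["count"] += 1
        g["ips"].add(e["ip"])
    return {
        fp: {"count": g["count"], "ips": sorted(g["ips"])}
        for fp, g in groups.items()
        if g["count"] > threshold and len(g["ips"]) >= min_ips
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_offenders(evs, 5))       # nothing: every bot sent 2
    print("campaign rule flags:", campaign_offenders(evs, 5))   # one campaign over 6 IPs
```

The per-IP rule with a limit of 5 flags nothing, because every bot sent only two messages; the campaign rule finds twelve messages of one fingerprint across six addresses. In practice the fingerprint would be built from more than the subject (body shingles, URLs, sending patterns), but the principle is the same: aggregate on what the bots share, not on the address each one uses.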

The spam sent goes far beyond simple unwanted advertising. In addition to seeding Trojans, spam often contains a colorful array of scams orchestrated with the intent of gaining users’ trust and, eventually, their money.

A few such scams include:

  • Lottery scams – E-mail that fraudulently claims the recipient has won a large sum of money. Respondents are instructed to send processing fees to release the nonexistent winnings.

  • Pump and dump stock schemes – Scammers buy a stock low and try to inflate its price through erroneous claims made in e-mail, selling the stock when prices rise and leaving victims with a worthless portfolio.

  • International dating scams – The promise of romance entices victims to send money for airline tickets, long-distance phone calls, or fees to bribe emigration officials. Despite the payouts, the object of their affection never appears.

  • Nigerian 419 scams – Named for the section of the Nigerian penal code that outlaws this fraudulent activity, the scam predictably entices victims with the promise of large sums of cash. Respondents are cajoled into paying certain fees and bribes, in a similar fashion to lottery and dating scams.

These virtual equivalents of yesteryear’s snake oil salesman are just the tip of the iceberg. Zero-day vulnerabilities can fetch prices up to $25,000 on the Internet black market. In turn, these vulnerabilities are used in highly targeted, methodical attacks aimed at corporate espionage.

Zero-day Attacks

Zero-day attacks are exploits targeting specific vulnerabilities for which a software update is not yet available. In many cases, details of the vulnerability along with working proof-of-concept code are made public through various mailing lists, websites or other online communities. This controversial process is typically referred to as 'full disclosure'. The controversy surrounds the level of risk faced by users of the vulnerable software: while the vendor works to engineer and release the necessary update, attackers can compose malicious exploits targeting the vulnerability, exposing users to the risk of these so-called zero-day attacks.

Microsoft supports 'responsible disclosure' as it ensures the highest degree of safety for the user. In a responsible disclosure scenario, the researcher who discovers the vulnerability reports the findings directly to the appropriate vendor, providing a reasonable amount of time for the vendor to investigate, create, and test the necessary update. Only when the update is made available are actual details of the vulnerability made public, with due credit given to the original reporter. Typically, in a responsible disclosure scenario, working exploit code is not made public, affording an extra layer of security for the user.

The illicit buying and selling of zero-day vulnerabilities bypasses all forms of disclosure, as the intent is not to enable remediation of the vulnerability but rather to profit from its existence.

Phishing for Profit

If not the most turnkey of all scams, phishing is certainly the most prevalent. A typical phishing e-mail message is disguised as legitimate correspondence from a bank or e-commerce site. Quite often the e-mail message uses fear tactics to motivate the recipient into clicking a link contained within the message, which then points the intended victim to a fraudulent Web site disguised to look like the actual bank or e-commerce site. Unsuspecting users who enter their login credentials risk becoming victims of credit card fraud, stolen account funds, and even outright identity theft.

But not all phishing attacks are carried out through spam or social engineering. Dynamic Web pages that do not properly validate input data may be susceptible to cross-site scripting (XSS) attacks. In some cases, XSS exploits can silently redirect visitors to a cleverly disguised look-alike site or run code within the security context of the legitimate site, which may be able to capture identifying details. The Microsoft ACE (Application Consulting & Engineering) Team identified XSS as the number-one vulnerability seen in Web development today, followed by SQL injection and buffer overflow attacks. The ACE Team provides the Microsoft Anti-Cross Site Scripting Library, an encoding library built on the 'principle of inclusion' technique: characters on a known-safe allow list pass through unchanged and everything else is encoded. Web site owners can also find specific advice for preventing XSS attacks on their sites in Microsoft Knowledge Base Article 252985.
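To make the 'principle of inclusion' concrete, here is an added Python example; it is not code from the Microsoft Anti-Cross Site Scripting Library (which targets .NET) and its function names and allow list are assumptions for illustration. It shows a page fragment that reflects untrusted input unencoded beside the same fragment rendered through an inclusion-style encoder, plus the input-validation allow list the paragraph mentions.

```python
import html
import re
import string

# Principle of inclusion: only characters on this allow list pass through unchanged.
# Everything else, including < > " ' & / ( ), becomes a numeric character reference.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.-_")


def encode_html_inclusion(text):
    """Encode untrusted text for an HTML body context using an allow list."""
    out = []
    for ch in text:
        out.append(ch if ch in SAFE_CHARS else f"&#{ord(ch)};")
    return "".join(out)


# Assumed input-validation rule for a username field: reject anything outside a
# tight pattern before the value ever reaches the page.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(name):
    return USERNAME_RE.match(name) is not None


def render_greeting_vulnerable(name):
    """Deliberately vulnerable: untrusted input concatenated straight into markup."""
    return f"<p>Welcome back, {name}</p>"


def render_greeting_safe(name):
    """Hardened: the same fragment with the input passed through the encoder."""
    return f"<p>Welcome back, {encode_html_inclusion(name)}</p>"


def reflected_as_markup(fragment, untrusted):
    """True if the untrusted input survives in the output as raw tag syntax."""
    return "<" in untrusted and untrusted in fragment


if __name__ == "__main__":
    # Constructed test input: a harmless tag that should never become live markup.
    probe = "<b>bold</b>"
    print(render_greeting_vulnerable(probe))   # tag is live in the page
    print(render_greeting_safe(probe))         # tag is displayed as text
    print(is_valid_username("alice_01"), is_valid_username(probe))
```

Because the encoder only ever lets allow-listed characters through, it does not need a list of dangerous characters to stay correct, and a browser's normal entity decoding (`html.unescape` in the test) recovers the original text exactly, so nothing legitimate is lost.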

MSN, MSN Hotmail, Windows Live Mail and the latest versions of Microsoft Outlook and Microsoft Exchange Server protect users from phishing e-mail through patented Microsoft SmartScreen spam filtering. In addition, the Microsoft Phishing Filter for Windows Vista, Internet Explorer 7, and the Windows Live toolbar protects users against phishing and other malicious websites. The Microsoft Phishing Filter is also available as an add-on for the MSN Search Toolbar.

Helping Users Help Themselves

Microsoft’s Trustworthy Computing (TwC) is a holistic effort to ensure all users are able to enjoy a secure, private, and reliable computer experience. The company infuses TwC in all its business practices, resulting in a wide range of initiatives, services, and products aimed at achieving these goals.

A key feature in Microsoft Windows Vista, User Account Control (UAC) follows the premise of "least privilege" access – assigning only the minimal rights necessary to perform any given action. UAC also simplifies some of the more common tasks such as installing printer drivers or setting up wireless connections, thereby reducing the number of alerts generated. When explicit user consent is required, the presence of the alert helps the user identify files that are attempting actions outside of their expected scope.

Microsoft is also taking steps to identify and remove prevalent threats that may otherwise remain hidden on users’ systems. Since May 2005, the Microsoft Malicious Software Removal Tool has removed over 28 million instances of malware from computers running the tool. Included were over 6.4 million instances of Win32/Rbot, a family of backdoor Trojans instrumental in creating botnets. The Malicious Software Removal Tool is designed specifically to remove high profile or particularly prevalent threats. New families are added monthly and updates to previously added family detections are also included. The tool is available from Microsoft Update, Windows Update and the Microsoft Download Center.

In addition, Microsoft provides Windows Defender, Windows Live OneCare, and the Windows Live OneCare safety scanner. Windows Defender is a free program that helps protect against security threats caused by spyware and other potentially intrusive programs. Windows Live OneCare is an all-inclusive suite combining antivirus and antispyware with a managed two-way firewall, integrated anti-phishing technology, system tune-up features, and backup/restore services. The Windows Live OneCare safety scanner is a free online service that checks for and removes malicious and potentially intrusive software, as well as providing system performance tune-ups.

Education is also a key element in empowering the user to make the right decision. Microsoft will be introducing a new security portal in July 2007, providing a central resource for information pertaining to malware and its remediation.

Additionally, Microsoft is combining technology and consumer education with industry collaboration and legal sanctions against the perpetrators of the attacks. Since the inception of its Internet Safety Enforcement Team in 2003, Microsoft has supported hundreds of phishing and spam enforcement actions worldwide, including 283 lawsuits filed by Microsoft.


Today’s malware focus is no longer a battle to dominate the computer; it is increasingly a battle for control of the user’s assets. With money as the motive and the user as the target, we can expect to see an even greater number of cleverly disguised scams, phishing, and other socially engineered attacks in the future. The use of targeted rootkit-enabled Trojans will also likely continue to increase across a broad range of vectors, including social networking sites, file sharing networks, e-mail, and instant messaging. Further, it can be expected that these social engineering and traditional malware threats will continue to be supplemented by cross-site scripting attacks and other forms of exploit. Holistically applied filtering, prevention, and detection technologies will obviously play the key role in front line defense, dramatically reducing the user's chance of exposure. But should a wily con artist sneak past those defenses, users must also be empowered with tools, education and resources to assist them in recognizing and responding appropriately.