Microsoft: Pirates at high risk of malware infection
Web-based attacks are on the rise, but according to Microsoft security researchers, the risks involved with casual browsing are nothing compared to the dangers of downloading and sharing illicit software, videos, music, and other media.
In the latest edition of the Microsoft Security Intelligence Report, published on Monday, Redmond’s Trustworthy Computing Group warns of a growing trend of malware infection via “unsecure supply chains,” which the report defines as “the websites, protocols, and other channels by which software and media are informally distributed.”
Examples of these so-called supply chains include underground websites, peer to peer networks, bootleg discs, and unreliable software archives – in short, anywhere media might be found that’s off the beaten track.
Sometimes the victims of these malware attacks are wholly innocent, such as when a user attempts to download a free software package but is duped into installing malware instead. For example, in the first half of 2012, Microsoft’s researchers spotted 35 different types of malware disguised as “install_adobeflash.exe.”
Far more often, however, the researchers found that malware had likely come bundled with illegal copies of commercial software or media that had been downloaded by users looking for a free lunch.
“Preying on the desire to ‘get a good deal’ is a form of social engineering that has been around for a long time, but it’s proving to be a perennially popular method for malware distributors,” writes Joe Blackbird of Microsoft Malware Protection Center, adding that people hoping to download media for free or at reduced cost are putting their PCs at risk.
Naturally, Microsoft has a vested interest in making such claims. Between Windows and Office alone, Microsoft products are among the most frequently pirated software in the world. But Redmond’s latest Security Intelligence Report attempts to back up its assertions with real-world research.
Who’s been naughty, then?
To get a sense for how widespread malware infection is among illicit downloaders, Microsoft’s security team studied data reported by PCs running Microsoft antimalware software, looking for six “indicator families” of malware – that is, certain types of malicious or unwanted software that are closely correlated with illegal downloads.
One such indicator family is Win32/Keygen, a generic name for a category of software designed to generate license key codes for various commercial software packages, such as Microsoft Office, Adobe Photoshop, and so on.
Technically, Win32/Keygen is classified as “potentially unwanted software,” rather than malware. Software in this category does not necessarily carry any kind of harmful payload (although it can). But key generators are highly correlated with illicit software trading – naturally, since legitimate software purchasers don’t need them – making them good markers for studying the threats associated with software piracy.
The other malware families the researchers tracked follow a similar theme. Some are designed to bypass Microsoft’s Windows Activation process, while others try to patch trial copies of software to unlock their full features. One family, Win32/Pameseg, is a scam that tricks users into paying to install illicit software. As with Win32/Keygen, the presence of any of these families is good evidence that someone has been up to some funny business.
In their study, the first thing Microsoft’s researchers noticed was that these indicator families were widespread and commonplace. Of all the PCs that reported malware detections in the first half of 2012, around 17 per cent detected at least one of the indicator families. Win32/Keygen, in particular, was the most frequently detected potential threat across every version of Windows studied.
More crucially, of those PCs that detected one or more indicator families, more than 76 per cent also detected some other form of malware threat. That’s a common pattern; users who become infected with one form of malware often pick up others. But PCs that detected one of the indicator families were actually 10 per cent more likely to detect multiple infections than PCs that didn’t detect an indicator family.
Of course, correlation is not causation. Nobody is saying the indicator families were directly responsible for downloading other malware (although it’s possible). But the data does suggest that people who are involved in illicit file trading are at high risk for malware infection.
It’s a scary underworld out there
Microsoft’s report goes on to explain that illegal software isn’t the only risk vector. A category of malware called ASX/Wimad can disguise itself as a number of popular media file formats – including MP3, AVI, and WMV, among others – and exploit a Windows Media Player bug to download a malware payload. While this type of malware wasn’t as prevalent as Win32/Keygen in Microsoft’s research, it was still in the Top Ten threats detected on most versions of Windows.
Furthermore, Microsoft’s Blackbird says, users who want something for nothing may put themselves at risk simply by the act of searching for illegal media. Sites that purport to offer free downloads often hide exploits that can install malware on users’ PCs without their knowledge, he said.
For example, in Microsoft’s research, PCs that detected Win32/Keygen were twice as likely to also encounter “Blacole,” a comprehensive web-based exploit suite that can install malware by attacking a variety of different browser and plugin vulnerabilities.
According to Redmond’s report, avoiding all of these malware threats is largely a matter of following the usual advice. Users should have antimalware installed and their definition files should be up to date. They should also make sure that they have the latest security patches installed, both for their OS and for all of their applications.
But according to Microsoft’s security team, it’s equally important that users don’t go out of their way to find malware threats by looking for illegal downloads. In fact, they should avoid digging around the wrong corners of the web altogether.
“In other words,” Blackbird writes, “it’s not just downloading license key generators, cracked software or free media files that expose users to malware; the act of visiting web pages of unknown origin, claiming to provide this type of free software download, is risky activity.” ®