Happy New Year! December 2013 was an exciting month for monitoring our protection results and watching malware trends. The good news - our customer infection rate for December (0.06 percent) was lower than any other month in 2013 and one third the size of our peak in October. The Win32/Sefnit trio mentioned in the October and November 2013 results declined even more significantly than last month. Even better, Win32/Sirefef malware development appears to have stopped after the disruption effort led by the Microsoft Digital Crimes Unit. Win32/Wysotot also suffered significant declines. More on these families in the year in review section below.
As for our other protection metrics, our performance metrics were consistent, and although incorrect detections remained low, we picked up one more crafted file attack. This was a specially-crafted clean file designed to trick antimalware vendors into incorrectly detecting a good program as malicious. This file raised our impact to 0.001 percent (or one in 100,000 in comparison to normal months where the impact closer to 1 in a 1,000,000). Along with improving our own processes to thwart these attack attempts on our systems, Dennis Batchelder and Hong Jia gave a presentation on this attack technique at VirusBulletin to help other vendors (from our data, we could see that there were several vendors who also appeared to be targets) discover and prevent these attacks from affecting customers.
Malware infections - Year in review
December 2013 was a good end to a tumultuous year. Figure 1 shows that although in this last quarter, our infection rates rose primarily due to the Sefnit trio, our overall rates ended on a good note with the decline of many malware families. Although fighting malware can often feel like whack-a-mole, seeing major families disappear into oblivion and the overall malware infection rate decline feels like a win in our industry.
Figure 2 highlights several major families that, earlier in the year, were contributing significantly to infections affecting Microsoft customers in addition to the overall infection rate (also shown on our protection metrics trend page.)
Figure 1: 2013 average daily infection rates
Figure 2: 2013 malware infections by family
First, I'll talk about FakeRean. This family poses as fake security software, which, as a category, took a dive in 2013 as we reported in the last Security Intelligence Report (SIRv15). FakeRean practically disappeared by July 2013.
Next, the Sefnit trio. Sefnit, a family that has been around for some time, made a strong comeback in 2013 and was given a strong assist by several trojans (Rotbrow and Brantall) used to distribute it. We took the fight to several fronts. One of the methods of distribution for Sefnit is through Tor. We worked with the Tor project to clean up the clients that were installed by Sefnit, preventing further abuse. We also took out the new distributors – Rotbrow and Brantall – reaching out to our MVI and VIA partners to ensure they also detected them. By December 2013, all three were in significant decline, and Sefnit impact is down to a trickle in comparison to the surge we saw in September and October 2013.
Wysotot, a new family that emerged late in 2013, hit a few highs in October and November, but slowed per our telemetry in December.
Last but not least, Sirefef. This family starting becoming very prevalent in 2012. Originally focusing on clickfraud and employing techniques making it really difficult to remove once installed, this threat quickly became a concern. In 2013, we started collaborating with the Digital Crimes Unit to apply some novel disruption techniques to squeeze this malware family out of existence. As figures 2 and 3 show, it worked. The malware authors even responded with a somewhat humorous "white flag" in their code and appear to have stopped development in their family altogether.
Figure 3: Sirefef encounters for Microsoft real-time protection customers
Of course these families could make a comeback. We'll be here waiting for them when they try.
Holly Stewart
MMPC