"Some situations and some programs do nothing but scare people and use an exploit to get on a screen and present an alert to users," says Jimmy Kuo, principle architect at the Microsoft Malware Protection Center and principle researcher of the study. “It usually does nothing; it takes advantage of name squatting and lands you on a page.”
Many states attorneys general have moved against rogue software distributors in their jurisdictions; the Microsoft study shows that the tactic for duping unwitting users into shelling out money—typically with credit cards—is increasing rapidly. In December, the Federal Trade Commission blocked the operations of Innovative Marketing and ByteHosting Internet Services for engaging in deceptive tactics to sell useless anti-virus applications.
More disturbing but not an immediate threat is the residual code left on a machine by the scareware distributor. Microsoft says rogue software distributors often use a downloader application to deliver their scareware. The downloader, Win32/Renos, is a kin to a Trojan that could enable the scareware distributors to return with malicious payloads at a future date.
"Renos has the ability to do other things, so people had better beware," Kuo says. "When rogue security software loses its allure, the distributors will look to use Renos in other ways."
Kuo believes rogue security software will remain a serious threat through 2009 before enough public awareness forces distributors to change their tactics.
When scareware distributors change tactics, they could find the crop of vulnerable machines ripe for exploitation. The Microsoft study found that 91.3 percent of the attacks against Microsoft Office were for a single vulnerability that was patched more than two years ago. The volume and severity of the attack shows systems—particularly among consumers and non-business users—are not being updated and patched consistently.
Kuo says the Microsoft Security Intelligence Report data also shows that home users are far more vulnerable to adware and software droppers, while corporate environments are more susceptible to worms and self-replicating malware. Security experts agreed that the recent Conficker worm presented a serious threat to business environments because the malware thrived in networked environments, but didn’t pose as serious a threat to individual PCs used by consumers.
Small and midsize businesses are at serious risk to malware, according to a separate report released by Symantec today. According to Symantec’s study, one-third of SMB organizations globally do not have any anti-virus applications running on their PCs and networks, and one in four have no anti-spam or server backup and recovery applications.
"There’s a lack of understanding of the consequences," says Kevin Murray, senior director of security marketing at Symantec. "The data is at risk, but it comes back to they don’t have the training to do [security] right."
The Microsoft and Symantec security studies concur on the types of breaches affecting users. According to the Microsoft report, stolen equipment, hackers, and advance breaches and lost equipment top the lists of breaches. Symantec’s breach list was led by system failures, lost or stolen equipment and human error.
"It looks like a great opportunity for a VAR to come in and help businesses be aware and stay on top of their security," says Murray.