Windows Getting Safer, but Study Finds that 1 of Every 14 Programs Downloaded is Later Confirmed as Malware

June 7, 2011

With all the news about Mac malware making Apple devices more vulnerable, Microsoft has announced that Windows is getting safer – particularly if you’re using Windows 7.

There are some pretty interesting discoveries in Microsoft’s most recent Security Intelligence Report covering the second half of 2010, and it’s worth the full read if you’re at all technically inclined.  Here are a few points I found particularly interesting:

  1. It really pays to upgrade your Windows OS to increase your security. A Windows 7 64-bit system (their most recently released Windows client) has the lowest infection rates at 2.5 infections per thousand computers.
    In comparison:
    1. Windows 7 32-bit systems have infection rates of 3.8 per thousand computers.
    2. Windows Vista SP2 32-bit PCs have a rate of 7.5 infections per thousand computers.
    3. Windows XP SP3 32-bit machines have an infection rate of 15.9 for every thousand computers.
  2. Malware infections are a global scourge – but not all parts of the globe are equally plagued.  The US, Mexico and Central and South America, France, Spain, Parts of the Arab world and Russia are hardest hit. This map paints a clear picture of the problem areas.
  3. The prevalence of various types of malware threats changes based on country factors.  For example, the U.S., England and Russia have significant issues with Miscellaneous Trojans, but are less likely than other countries to struggle with password stealers and backdoors.
  4. Though most phish scams target financial sites, it’s the phishes through social networks that get most of the impressions – an impression is measured as a single instance of a user attempting to visit a known phishing site with Internet Explorer. Phishing impressions that targeted social networks increased from a just 8.3% of all impressions in January to a whopping 84.5% of impressions in December. This trend was especially stark in the last four months of the year.Also note the increased focus on targeting gaming sites early in the year, the report suggests that with the tremendous success of phishing via social networks, the focus on gaming declined, but they expect to see this increase again when social networkers become more savvy to the attacks and new methods of delivery need to be found.

  5. Adding to our understanding of the phishing threats covered in MSFT’s security report is an article on the IEBlog that talks about how the company’s SmartScreen technology in IE9 is helping to block social engineering attacks.  The following are excerpts from the blog:

For context, recent studies show that despite the headlines that exploits of software vulnerabilities get, people browsing the Web are more likely to face a socially engineered attack. Recent articles have compared different approaches to protecting people. Application Reputation is a natural extension of the current protections introduced in IE7 & IE8 that block phishing sites and sites that distribute malicious programs.

…User-downloaded malware is a huge problem and getting bigger.

…IE blocks between 2 and 5 million attacks a day for IE8 and IE9 customers. Since the release of IE8, SmartScreen has blocked more than 1.5 billion attempted malware attacks. From our experience operating these services at scale, we have found that 1 out of every 14 programs downloaded is later confirmed as malware.

These reports paint a very sobering picture on the state of internet security, but there are clear steps you can take today to decrease your chances of malware infections – not matter which operating system, browser, or device type you are using.

Here’s a 12 point checklist to get you started on the road to Internet security and safety. If you want more detail, look to for straightforward practical advice on how to steer clear of Internet hazards whether you’re sending e-mail, dating online, making purchases or socializing – and whether you are on a computer, or your phone.

  1. Secure your computers and smartphones with anti-virus, anti-spyware, and tools.
    Keep them current and use them unfailingly-as automatically as locking your door when you leave the house. A computer that does not have security software installed and up-to-date will become infected with malicious software in an average of four minutes. That malicious software will steal your information and put you at risk for crimes.

    1. You must have anti-virus and anti-spyware software installed and up-to-date. If your computer or phone isn’t protected from Trojans, viruses and other malware, your financial information, passwords and identity will be stolen. This concept is so basic, yet only 20% of the US population adequately protects their computers. If the cost of security software is prohibitive, use a free service.
    2. Secure your internet connection – Make sure your computer’s firewall is on. If you use a wireless network it needs to be encrypted so someone who is lurking outside the house can’t collect your information. If you need a free firewall, click here. Never use a public WiFi service for any type of financial transaction or other type of sensitive information transfer.
    3. Use added protection on sensitive financial information with passwords or store on a flash drive, CD or external hard drive For added protection all year, keep your finances inaccessible to anyone who uses (or hacks into) your computer. You can do this by password protecting individual files or folders on your computer, or choose to keep this information on a flash drive or CD that you keep in your safe or other secure location.
  2. Use strong, unique passwords for every site. Creating strong memorable passwords is easy and can actually be fun – and the payoff in increased safety is big. The key aspects of a strong password are length (the longer the better); a mix of letters, numbers, and symbols; and no tie to your personal information. Learn how with my blog Safe passwords don’t have to be hard to create; just hard to guess
  3. Review the privacy terms and settings. This needs to be done for every social site you use. Create an environment of safety for yourself by understanding how any website you use treats your privacy and information. That fine print may tell you the company can own, resell, rent, or give your information to anyone they want. If it does, find a more respectful site.
  4. Discuss online safety with your family and friends.  Decide together how you will help protect each other’s privacy online and set rules that reflect your personal values. Decide what information about yourself you are willing to have shared online, and with whom you are willing to share it. This includes asking friends to put your email address on the Bcc: line if they are including you on an email to people that you don’t know. Learn more here
  5. Be selective about who you interact with online and what information you make public.
    1. The risks are relatively low when you stick with people you know—your family, and friends. Going into public chat rooms or opening your blog up to the general public, for example, significantly increases your risk.
    2. Think carefully before you post online any information that can personally identify you, a family member, or friend on a public site like a blog, in online white pages, on job hunt sites, or in any other place anyone on the Internet can see the information. Sensitive information includes real name, birth date, gender, town, e-mail address, school name, place of work, and personal photos.
  6. Pay attention to messaging risks.
    1. Think twice before you open attachments or click links in messages -even if you know the sender-as these can be used to transmit spam and viruses to your computer.
    2. Never respond to messages asking you to provide personal information, especially your account number or password, even if it seems to be from a business you trust. Reputable businesses will not ask you for this information in e-mail.
    3. Never click on links provided in messages, unless you are sure of the sender. Instead, use a search engine to find the website yourself.
    4. Don’t forward spam. Whether it’s a cute ‘thought of the day’, ‘set of jokes’, ‘amazing photo’,  ‘recipe tree’ or similar email, if you don’t personally know the sender the email is surely a scam designed to collect the email accounts – and relationships – of everyone you share it with.
  7. Don’t trade personal information for “freebies.”   Online freebies come in two forms:
    1. The free games, free offers, and ‘great deals’. Just as in the physical world, if these types of offers sound too good to be true, they probably are. Not only will these collect and sell your personal information, these ‘deals’, and ‘free’ applications are usually riddled with spyware, viruses or other malicious software.
    2. Through survey’s, sweepstakes, quizzes, and the like. These marketing tools are designed for one purpose – to get as much information from you as they can, so they can sell that to interested parties. Even the most innocuous ‘survey’s learn far more than you imagine, and they may give you malicious software or download tracking cookies, so just skip these entirely.
  8. Periodically review your internet contacts, and online activities.   Internet housekeeping is important. Review who you have as contacts, and who can see your online profiles periodically to prune out everyone you no longer have a close relationship with. Review any images and content you’ve posted online to see if collectively these tell more about you than should be known.
  9. Check your credit reports.  Under the Fair Credit Reporting Act, you have the right to one free credit disclosure in every 12-month period from each of the three national credit reporting companies—TransUnion, Experian, and Equifax.
    1. Request a free credit report from one of the three companies for yourself, your spouse, and any minors over the age of 13 living at home to check for credit fraud or inaccuracies that could put you at financial risk. (Although exact figures are difficult to get, the latest data shows that at least 7 percent of identity theft targets the identities of children.) The easiest way to do this is through
    2. You can also pay for credit monitoring services that will alert you to any suspicious activity or changes in your credit scores.
  10. Block people you don’t want to interact with.   You don’t have to accept invitations to be friends with people just because they ask. Women in particular can find it difficult to turn someone down – and creeps and crooks count on this very thing. If you don’t want to be friends, delete the request. If you are already connected with someone you would rather not be, block them from your social sites. You can also block their email account so they can never contact you through email, and block their phone number from calling or sending text messages to your phone.  YOU get to choose who, how, and when you are contacted.
  11. Trust your instincts.   Online and offline, your instincts play a critical role in your protection. If something feels ‘off’, go with your instinct. You don’t have to explain your reasoning to anyone.
  12. If you are exploited, it is not your fault.   Following the fourteen steps outlined above can go a long way to keeping you safe, but bad things sometimes do happen. If you fall victim to a scam, fraudster, abuser or criminal, don’t blame yourself. The only person guilty is the abuser or criminal.  You didn’t cheat, scam, lie, threaten, harm, steal, or abuse yourself in some other way, so don’t lay a burden of guilt where none belongs. Don’t let the abuser or criminal shame you into silence. Speak out and get the help you need.

For even more information and help, check out these two blogs: