Malware Infection Percentages?

Discussion in 'malware problems & news' started by Brandonn2010, Oct 4, 2012.

Thread Status:
Not open for further replies.
  1. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    I was wondering what percent of infections are caused by drive-by-downloads/exploits, and what percent are people unintentionally installing malware?
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
There's no realistic way to determine the actual percentages. Unless the malware is discovered almost immediately, there's usually no way to know where it came from. The figures are also going to be quite variable. Are you including adware under the heading of malware? Lately, Java exploits are contributing a large share. Go back a ways and it was Flash. Go back farther and exploiting IE6 was the method of preference. For the most part, exploiting the user infects more systems than anything else, be it social engineering, bundled adware, etc.
     
  3. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    THIS is likely the most common current exploit kit file drop name.

    THIS is likely #2.

As these drop from exploit kits, it really does not matter how up to date you are unless you are completely up to date. Even then, if a 0day hole has not been patched yet, you might get infected anyway.
     
  4. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,854
    If there is no way to determine it, make an estimate, from personal experience?
     
  5. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    560
    Location:
    Cummington MA USA
    It really depends on the user. Some users would only get infected through an exploit.

Users that visit a small range of ad-supported legit sites, for example, will only be infected through exploits in the ads. This is especially true if they use an older OS and do not understand anything about updating web-facing software and/or limited accounts.

    I have seen exploits in ads on okcupid, ebaumsword, failblog and even the netzero webmail page this year, so safe surfing is not going to be much help if all of your web-facing software and/or OS and/or browser are out of date. Even then, an unpatched 0day exploit may get you anyway.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
A few years ago, when I used to follow these things closely, I would ask those who posted for help in other help forums where they thought they got infected. Some didn't know, but many would admit that they installed some freebie or cheap software, or were tricked into "updating" their software (Flash or a codec).

    This was noted back then by Marco of Prevx:

    The goal of anti-malware products
    http://www.prevx.com/blog/109/The-goal-of-antimalware-products.html
    December 16th, 2008
    Posted by: Marco Giuliani
However, it's hard sometimes to categorize. For example, if a user is tricked into opening a booby-trapped attachment, say, a Word or Excel document which then triggers a remote code execution exploit...

    Or, a user who is tricked into connecting an infected USB device which contains a remote code execution exploit...

    In these cases, it takes a social engineering trick to start the process, which ends up being auto-executed. In past discussions, I've noticed that not all agree which of the two categories they fit into. That is, you can make a case for inclusion in either of your two categories.

    Since there is some controversy in categorizing exploits, I'm not sure that everyone would accept any statistics (if there could be a way of compiling them) as valid!


    ----
    rich
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
There is a lot of conflicting research about delivery mechanisms for malware and which are most popular. A lot of this has to do with unclear definitions of what an exploit is, i.e., if I trick you into downloading a file and the file then uses an exploit to run, is it social engineering or an exploit? The reality is it's both.

    Two major papers were by Google and Microsoft and they had completely different conclusions and statistics. Google and Microsoft are very capable of performing research, both would have tons of information due to their positions on the web - Google's got Gmail, Chrome, and Search and MS has Bing, Windows, and IE. But they're completely different.

Personally, most of the computers I've fixed up were infected through exploits (or primarily, i.e., a user ran a .pdf file and that exploited the reader).

    But I've maybe fixed 1 or 2 hundred computers, a tiny sample size.
     
8. Java drive-bys would be #1 at the moment. Exploit kits are all over it. Then would be old Flash/Adobe Reader PDF-style exploits, and 3rd probably phishing URLs.

    That's just guessing really.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Code:
    "wgsdgsdgdsgsd.exe"
    Yes, I found one yesterday:

[image: java_wgsdgsd.jpg]

While it's true, as has been noted already, that unpatched 0-day vulnerabilities are the most dangerous, I noticed this easy mitigation step in an Opera security blog:

    http://my.opera.com/securitygroup/b...an-in-the-middle-attack-on-secure-connections
    In which case, the page loads and does nothing:

[image: java_ff-2.jpg]

    The percentage of drive-by download infections would drop dramatically if more users were educated in a few basic preventative measures!


    ----
    rich
     
    Last edited: Oct 8, 2012
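A worked example added here, not code from the thread or any of its posters: the posts above note that exploit kits drop executables with random-looking names (the thread's own specimen is "wgsdgsdgdsgsd.exe") into user-writable locations, and that the victim often cannot say afterwards where the infection came from. One practical triage step is to scan file listings for executables whose names look machine-generated and that sit in drop directories. The heuristics (vowel ratio, longest consonant run, bare-hex stems), the thresholds, the drop-directory markers and every sample path are assumptions constructed for illustration; real names such as sqlservr.exe and igfxtray.exe are included to show why the thresholds are set where they are.

```python
"""Heuristic triage of dropped-file names (added example, not from the thread).

Flags executables whose base name looks machine-generated, as exploit-kit
droppers of the period produced, and reports whether the file also sits in a
user-writable drop directory. Thresholds and directory markers are assumptions.
"""
import re
from pathlib import PureWindowsPath

VOWELS = set("aeiouy")
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".pif"}
# Assumption: lowercase substrings that mark typical user-writable drop locations.
DROP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\temp\\")


def longest_consonant_run(stem):
    """Length of the longest run of consecutive consonant letters in stem."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(stem):
    """Fraction of alphabetic characters that are vowels (0.0 if no letters)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def looks_random(stem):
    """True if the base name looks machine-generated rather than chosen by a human.

    Short names are never judged (lsass, hkcmd, msvcrt are all legitimate), and
    the vowel rule needs at least 8 letters so hotfix-style names like kb2829361
    do not trip it. Bare hex blobs of 8+ characters are flagged outright.
    """
    stem = stem.lower()
    if re.fullmatch(r"[0-9a-f]{8,}", stem):
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    return vowel_ratio(stem) < 0.10 or longest_consonant_run(stem) >= 6


def triage(path):
    """Return the list of reasons a path is suspicious (empty if none)."""
    p = PureWindowsPath(path)
    reasons = []
    if p.suffix.lower() not in EXEC_SUFFIXES:
        return reasons
    if looks_random(p.stem):
        reasons.append("random-looking name")
    if any(marker in path.lower() for marker in DROP_DIR_MARKERS):
        reasons.append("user-writable drop directory")
    return reasons


def scan(paths):
    """Map each path with a random-looking executable name to its reasons."""
    hits = {}
    for path in paths:
        reasons = triage(path)
        if "random-looking name" in reasons:
            hits[path] = reasons
    return hits


# Constructed sample listing; only the first name comes from the thread.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\wgsdgsdgdsgsd.exe",
    r"C:\Users\alice\AppData\Local\Temp\jar_cache4873.tmp",
    r"C:\Windows\System32\sqlservr.exe",
    r"C:\Windows\System32\igfxtray.exe",
    r"C:\Users\alice\AppData\Local\Temp\7f3a9c2e1b.exe",
    r"C:\Program Files\Foo\setup.exe",
    r"C:\Users\alice\AppData\Local\Temp\qpwxkjzvtrmn.exe",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(reasons))
```

The name check alone will produce false positives on vendor binaries with vowel-poor names, so treat "random-looking name" as a lead to confirm with the drop-directory signal, file creation time and a hash lookup rather than as a verdict on its own.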