Top Microsoft Security Architect: Windows 7 Will Slash Malware

Microsoft caused the IT security community more than a little heartburn when it included fixes for the barely-out-of-the-box Windows 7 in its October 2009 Patch Tuesday security update.

See also: In Defense of Microsoft and Windows 7 and The Patch Tuesday Survival Guide

Nevertheless, Jimmy Kuo — principal architect for Microsoft’s Malware Protection Center — has high hopes that Windows 7 will ultimately be seen as the major turning point where malware writers finally met their match. In the following Q&A, Kuo talks about the top takeaways from the latest Microsoft security intelligence report and why he believes Windows 7 will ultimately shut the door on a lot of the malware activity outlined this year.

First, a note on the report: Microsoft’s conclusions are based on data being reported back from its Malicious Software Removal Tool (MSRT), which is on 450 million computers; Bing, which performed billions of Web page scans during the past six months; Windows Live OneCare and Windows Defender, which runs on more than 100 million computers; and Forefront Online Protection for Exchange and Forefront Client Security, which scans billions of e-mail messages a year.

The report says rogue security software was the single-largest threat category for the first half of 2009. Talk about the data that lead Microsoft to that conclusion.

Kuo: We detected and cleaned rogue security software off of 13.4 million computers. That’s down from 16.8 million last year, but it’s still a significant threat. Also known as scareware, this stuff takes advantage of customers’ desire to keep their computers protected. A box will appear warning the user that their computer has been infected and they must download the given program to clean it up. The user OK’s the download, and that’s when they become a victim.

One of the takeaways from the report is that old-style worms are making a comeback. Why?

Kuo: In the first half of 2009, worms rose from fifth place in to become the second-most prevalent threat category in the latest report — a 98.4 percent increase. Worms rely heavily on access to unsecured file shares and removable storage volumes, both of which are plentiful in enterprise environments.

What were some of the more pervasive malware threats?

Kuo: Conficker was the top worm threat detected for the enterprise, because its method of propagation works more effectively within a firewalled network environment. Taterf targets massively multiplayer online role-playing games and has increased 156 percent from 2 million last year to 4.9 million in this year. Win32/Taterf steals your online game login details. It spreads by copying itself to the root of all fixed and removable drives on the infected system, ensuring it gets executed by creating an ‘autorun.inf’ file. After its first day in MSRT, Taterf components had been removed from over 700,000 machines. It illustrates the need for organizations to have guidelines for removable drives (such as thumb drives) and evaluate how connections are made to outside machines.

The report did indicate some victories in dealing with Win32/Zlob, a family of Trojans that often pose as downloadable media codecs. What happened?

Kuo: This was a top threat for the past two years. At its peak, we had to remove it from more than 21.1 million systems. That has decreased nearly 10-fold to 2.3 million disinfections in the first half of 2009.

All this activity is based on what the world looked like before the official release of Windows 7. Will we continue to see similar data in future reports or will security features built into the new operating system dramatically turn the tide?

Kuo: A lot of the security enhancements worked into the development of Windows 7 were based on the threats these reports have outlined in recent years. DirectAccess, for example, offers remote workers the same level of seamless and secure connectivity that they have in the office. The system automatically creates a secure tunnel to the corporate network and workers don’t have to manually substantiate a connection. DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network. We’re pretty hopeful that this will lead to a reduction in the malware we’ve been seeing.

It should also be noted that the newer the OS, the less malware we tend to find because of the higher patch rate. All previous patches have been worked into Windows 7. That will have a positive impact.