In a post to Microsoft’s Threat Research & Response Blog, the software giant is claiming success against Autorun-based malware. Here’s the breakdown:
On Feb. 8, Microsoft started releasing updates for the Windows XP and Vista platforms to make the Autorun feature more locked-down on those older platforms by preventing AutoPlay from being enabled automatically (except when it comes to "shiny media" such as CDs and DVDs).
Malware using a technique to abuse a feature of Windows called Autorun grew in prevalence in 2010.
Then something expected happened. The infection rates for Windows XP and Vista went down -- pretty significantly, in fact. By May of 2011, the number of infections found by the MSRT per scanned computer was reduced by 59% on XP and by 74% on Vista in comparison to the 2010 infection rates. Specific service packs show even greater declines between the month prior to the update (Jan. 2011) and last month (May 2011).
A decrease in infections ... was expected – or at least, we had hoped that would happen (that was the whole point after all). What was unexpected, is that there appears to have been a residual effect -- a "secondhand smoke" kind of effect on adjacent systems that were already protected with proactive defenses (in our case, Forefront Client Security, Forefront Endpoint Security, and Microsoft Security Essentials).
By May of 2011, the number of infections found by the Microsoft Malicious Software Removal Tool (MSRT) per scanned computer was reduced by 68% (all operating systems, all service packs) in comparison to the 2010 infection rates.Some people have wondered why the change to Autorun hasn't reduced infections and infection attempts to zero. The answer to that question is that these families use multiple infection vectors to arrive at a computer. In addition to Autorun, they replicate on network shares, they guess passwords, they exploit old vulnerabilities in hopes they'll find one or more systems without an update, they even get placed there by other malware families (downloaders and droppers) -- and let's not forget about good old social engineering trickery. They use that, too.
Abusing Autorun was only one trick up their collective sleeve. However, judging by the numbers in our data, it was a lucrative one. It's not every day that you have such strong confirmation that something you were a part of made a difference in the world, but I have to say that seeing 1.3 million fewer infections over the past few months and all of these trend lines going down – that just feels good. I can't wait to look at the numbers in June and July. Much gratitude goes to Adam Shostack and the whole teams of people in MSRC and Windows that helped make this happen. This experience has brought together creativity, research, data, and process -- we are all better together. Thanks to you all.
Check out the blog post for the full story and for some illustrative graphs.