Malware peddlers prefer deceptive tactics to exploits

Cyber crooks are losing interest in exploits as an attack vector and are concentrating instead on deceptive downloads and ransomware as a means of earning or stealing money.

The trend is very obvious to Microsoft. In its newest Security Intelligence Report (SIRv16), the data gathered via the company’s Malicious Software Removal Tool (MSRT) and real-time protection products reveal that worldwide infection rates and encounter rates rose considerably in the second half of 2013.

“More specifically, the infection rate increased from a CCM rate of 5.6 in the third quarter of 2013 to 17.8 in the fourth—a threefold increase, and the largest infection rate increase ever measured by the MSRT between two consecutive quarters. This rise was predominantly affected by malware using deceptive tactics, influenced by three families not unfamiliar to readers of this blog: Sefnit, and its related families Rotbrow and Brantall,” MS Malware Protection Center researchers have noted.

In fact, the latter two, which among other things have downloading and dropping capabilities, have been actively pushing and installing Sefnit, a bot that is often used for click fraud and Bitcoin mining.

Rotbrow often poses as software protecting users from malicious browser plug-ins (“Browser Protector”), and Brantall usually fronts as an installer for legitimate software programs.

Infection rates on all platforms were many times higher in 4Q13, mainly due to Rotbrow, the researchers pointed out, adding that they are expected to return to more typical levels in 2014.

Another malware family popular with the criminals is Wysotot, a group of trojans that change the start page of the user’s web browser. First detected late last year, Wysotot is usually installed by software bundlers that advertise free software or games.

“Ransomware is another type of deceptive tactic that is less prevalent but can be devastating to owners of infected systems,” they noted. Reveton, Urausy, and Cryptolocker are still wreaking havoc and stealing money. Infections with the first of these increased by 45 percent between the first and second halves of 2013.

The use of exploits, on the other hand, declined. “First, a decline in web-based threats was seen, followed by a drop in Java exploits,” they pointed out. “Some of this decline correlated with the discovery and subsequent arrest of alleged exploit kit author Paunch, and some of it might have been associated with exploit kit writers varying the exploits they use in their popular kits.”
