Stopbadware: State of Badware – June 2011
Last updated on: September 6, 2020
The team at StopBadware has published their "State of Badware" report for 2011 and it is a great read for everybody in our industry. The report has an interesting focus in that it goes into some detail as to the infection vectors of badware/malware, rather than discussing the options on how to deal with already infected machines.
Badware infections go squarely through workstations, desktops and laptops, and use vulnerabilities in the browser and its plug-ins to gain an initial foothold in the network. Most attacks in 2010 were aimed at the Java plug-in, followed by HTML/Script, direct OS attacks and application files (see page 6).
Estimates of how many web pages are carrying links to badware vary widely and are based largely on returned results on popular search engines. Google has published numbers of overall numbers of 0.75% of all search results leading to badware, while Websense reports that over 20% of popular searches lead to badware.
The quote on page 8 sums up the challenge that home users face where infections rates are estimated to be between 25 and 50%:
"The infection surface any given computer presents for badware infection is meaningfully increased by the presence of unpatched, exploited vulnerabilities in the software that computer runs. Patching those vulnerabilities in a timely fashion is a difficult task, especially for large producers of widely installed and used software. Once a user installs a piece of software on a computer, the ability of that software’s author to patch vulnerabilities is contingent upon either an automatic update mechanism or specific action on the user’s part. Older software, in particular, is unlikely to default to the use of automatic updates."
For enterprise users the situation looks somewhat better, with rates between 4% and 8%, but still emphasizes the challenge the IT departments face: how to implement "good software hygiene" to assure that workstations are kept updated to recent patch levels, because the majority of the initial infection points would be neutralized by bringing workstations up to current patch levels.