Ken Malcolmson, Senior Product Manager, Microsoft. Vinny Gullotto, General Manager, Microsoft Malware Protection Center. Session Code: ITS206


Security Intelligence Report volume 7 (January - June 2009)
Major sections cover: Malicious software and potentially unwanted software, spam and phishing threats; Focus content on Malware and signed code; Threat combinations; Malicious Web sites; Software vulnerability exploits; Browser-based and Microsoft Office document exploits; Drive-by download exploits; Security and privacy breaches; Software vulnerability disclosures; Industry-wide vulnerability disclosures; Microsoft Security Bulletins and the Exploitability Index; Usage trends for Windows Update and Microsoft Update.

Security Intelligence Report volume 7: Continued Evolution
Best Practices Around the World; Malware and Signed Code; Threat Combinations; Geographic Origins of Spam Messages; Reputation Hijacking; “Malvertising”: An Emerging Industry Threat; Conficker update; Automated SQL Injection Attacks; Categories of payloads delivered by Microsoft Office exploits in 1H09; Top 10 malware families used in Office file exploits in 1H09; 1H09 Bulletin Severity and Exploitability Index Accuracy; Security Bulletin Mitigations, Workarounds, and Attack Surface Reduction analysis; Usage Trends for Windows Update and Microsoft Update; Update service usage and software piracy rates for seven locations worldwide; Myths and Facts About Microsoft Update Services and Software Piracy.

Centers Supporting TwC Security
TwC Security: Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations)
Microsoft Security Engineering Center (MSEC): Security Assurance, Security Science, SDL
Microsoft Malware Protection Center (MMPC)
Microsoft Security Response Center (MSRC): MSRC Engineering, MSRC Ops, EcoStrat
Life cycle: Conception, Release

Security Intelligence Report Volume 7 Data Sources

Miscellaneous trojans remain very prevalent. Worm infections increased significantly. Computers cleaned by threat category, in percentages, 2H06-1H09.

Top malware/potentially unwanted software families detected by Microsoft anti-malware desktop products worldwide in 1H09

Rank | Family | Most Significant Category | 1H09 | 2H08
1 | Win32/Conficker | Worms | 5,217,862 | 3,719
2 | Win32/Taterf | Worms | 4,911,865 | 1,916,446
3 | Win32/Renos | Trojan Downloaders & Droppers | 3,323,198 | 4,371,508
4 | Win32/ZangoSearchAssistant | Adware | 2,933,627 | 3,326,275
5 | Win32/Frethog | Password Stealers & Monitoring Tools | 2,754,226 | 1,037,451
6 | Win32/FakeXPA | Miscellaneous Trojans | 2,384,497 | 1,691,393
7 | Win32/Vundo | Miscellaneous Trojans | 2,119,606 | 3,635,207
8 | Win32/Alureon | Miscellaneous Trojans | 1,976,735 | 510,281
9 | Win32/ZangoShoppingReports | Adware | 1,412,476 | 1,752,252
10 | Win32/Agent | Miscellaneous Trojans | 1,361,667 | 1,289,178

Infection rates of Windows Vista machines. With SP1: 61.9% less than Windows XP SP3. With no service pack: 85.3% less than Windows XP with no service pack. Number of computers cleaned for every 1,000 MSRT executions in 1H09.

Computers cleaned by threat category, in percentages, 2H06-1H09. Relative OS infection rates remain consistent over time.

Enterprise computers were more likely to encounter worms. Home computers were more likely to encounter trojans.

Top 5 families detected by Windows Live OneCare/Forefront Client Security in 1H09

Windows Live OneCare | Most Significant Category | Percent
ASX/Wimad | Trojan Downloaders & Droppers | 10.3%
Win32/Agent | Miscellaneous Trojans | 7.4%
Win32/Renos | Miscellaneous Trojans | 5.0%
Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.4%
Win32/Pdfjsc | Exploits | 3.0%

Forefront Client Security Top Families | Most Significant Category | Percent
Win32/Conficker | Worms | 12.3%
Win32/Autorun | Worms | 6.6%
Win32/Hamweq | Worms | 5.9%
Win32/Agent | Miscellaneous Trojans | 5.1%
Win32/Taterf | Worms | 3.9%

More than 97% of unwanted messages were blocked at the edge. Percentage of incoming messages blocked by FOPE using edge-blocking and content filtering, 1H06-1H09.

Spam was dominated by product advertisements in 1H09. Inbound messages blocked by FOPE content filters, by category, in 1H09.

Most spam is sent through botnets or other automated tools. The geographic origin of spam does not necessarily indicate the physical location of the spammer. Geographic origins of spam, by percentage of total spam sent, in 1H09.

Top Threats in Germany: Disinfected Threats by Category in 1H09

Category | Infected Computers | Trend from 2H08
Miscellaneous Trojans | 504, | %
Trojan Downloaders & Droppers | 239, | %
Adware | 165, | %
Miscellaneous Potentially Unwanted Software | 122, | %
Worms | 86, | %
Backdoors | 57, | %
Password Stealers & Monitoring Tools | 54, | %
Viruses | 26, | %
Spyware | 13, | %
Exploits | 7, | %

Data from All Microsoft Security Products: Top 25 Families in Germany in 1H09

Rank | Family | Category | Infected computers
1 | Win32/Wintrim | Misc. Trojans | 153,518
2 | Win32/Alureon | Misc. Trojans | 124,102
3 | Win32/Renos | Trojan Downloaders & Droppers | 122,589
4 | Win32/ZangoSearchAssistant | Adware | 79,877
5 | Win32/Vundo | Misc. Trojans | 75,485
6 | Win32/Conficker | Worms | 66,659
7 | Win32/Zlob | Trojan Downloaders & Droppers | 58,090
8 | Win32/Agent | Misc. Trojans | 44,346
9 | Win32/Hotbar | Adware | 38,
 | Win32/ZangoShoppingreports | Adware | 34,
 | Win32/SeekmoSearchAssistant | Adware | 33,361
12 | Win32/FakeXPA | Misc. Trojans | 28,683
13 | Win32/Tibs | Misc. Trojans | 18,
 | Win32/FakeRean | Misc. Trojans | 17,
 | Win32/Taterf | Worms | 16,
 | Win32/C2Lop | Misc. Trojans | 16,
 | Win32/Yektel | Trojan Downloaders & Droppers | 16,
 | Win32/Cutwail | Trojan Downloaders & Droppers | 15,
 | Win32/Playmp3z | Adware | 15,
 | Win32/WhenU | Adware | 14,
 | Win32/RealVNC | Adware | 13,
 | Win32/FakeAdpro | Misc. Potentially Unwanted Software | 13,
 | Win32/Rustock | Backdoor | 13,
 | Win32/Rbot | Backdoor | 12,
 | Win32/Frethog | Password Stealers & Monitoring Tools | 11,804

Lots more local data in the report. “Deep dive” information on 14 countries and regions around the world. Heatmaps: malware infection rates, phishing sites, malicious software sites, drive-by download attacks. Download the SIR for the full facts.

Software Vulnerability Exploit Details: Browser-based exploits. Data taken from user-reported incidents, submissions of malicious code, and Windows error reports. Data from multiple operating systems and browsers. Browser-based exploits, by percentage, encountered in 1H09.

Software Vulnerability Exploit Details: Browser-based exploits by system locale. The most common system locale was China (China), at 53.6% of all incidents. The second most common was United States (English), at 27.5%. Browser-based exploits, by system locale, encountered in 1H08.

Software Vulnerability Exploit Details: Browser-based exploits by operating system and software vendor. On Windows XP-based machines, Microsoft vulnerabilities account for 56.4% of the exploits. On Windows Vista-based machines, Microsoft vulnerabilities account for only 15.5% of the exploits. Browser-based exploits targeting Microsoft and third-party software on computers running Windows XP and Windows Vista in 1H09 (Windows XP machines, Windows Vista machines).

Document File Format Exploits: Microsoft Office Format Exploits. Data from submissions of malicious code to Microsoft. One vulnerability was the target of 71.0% of all attacks. Microsoft Office file format exploits, by percentage, encountered in 1H09.

Document File Format Exploits: Malware dropped by Microsoft Office document exploit attacks. Types of malware dropped during Microsoft Office exploit attacks. Nearly 90% of exploits involved a trojan or backdoor. These threats allow access to install more malware.

Hacking and viruses less than 25 percent of all notifications in 1H09. Most breaches resulted from stolen, lost or improperly disposed of equipment. Security breach incidents, by incident type, 2H07 – 1H09.

Security Vulnerability Disclosures: Operating system, Browser and Application Disclosures – Industry Wide. Application vulnerabilities down sharply in 1H09. OS and browser vulnerabilities relatively stable. Operating system, browser & application vulnerabilities as a percentage of all disclosures, 1H04-1H09.

Security Vulnerability Disclosures: Microsoft vulnerability disclosures. Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale. Vulnerability disclosures for Microsoft and non-Microsoft products, 1H04-1H09 (Non-Microsoft, Microsoft).

Responsible disclosure rates rose to a high of 79.5%. Responsible disclosures as a percentage of all disclosures involving Microsoft software, 1H05-1H09.

In 1H09 Microsoft released 27 bulletins addressing 87 individual CVE-identified vulnerabilities. Security bulletins released and CVEs addressed by half-year, 1H05-1H09.

The Exploitability Index has helped IT professionals prioritize deployment of security updates. CVEs with exploits discovered within 30 days, by Exploitability Index rating, in 1H09.

Workaround and mitigation status for 1H09 security bulletins. Microsoft gives workaround, mitigation or attack surface reduction advice where possible.

Adoption of Microsoft Update has risen significantly. Microsoft Update provides a more comprehensive solution than Windows Update alone. Usage of Windows Update & Microsoft Update indexed to 2H05 total usage.

Daily Windows error reports caused by Win32/Renos on Windows Vista computers. A Windows Defender signature issued via Microsoft Update had a significant and dramatic impact on Win32/Renos trojan infections.

Update service usage and software piracy rates for seven locations worldwide, relative to the United States. Usage of Microsoft updates varies worldwide. Variations are due to a variety of factors including broadband Internet connectivity, software piracy and the percentage of computers in enterprise environments.

Myth: Anti-piracy updates are forcibly installed by Microsoft if users install updates through Windows Update and Automatic Updates.
Fact: Users can, through the Windows Update or Automatic Updates control panels, choose how updates are downloaded and installed. Use of the Windows Update and Microsoft Update Web sites (Windows XP and Windows Server 2003) is gated to require Genuine validation, but there is no restriction on the use of Automatic Updates on the local computer.

Myth: Microsoft does not offer security updates to pirated systems.
Fact: Microsoft offers all security updates for Windows and all other Microsoft products. They also allow all computers to install the latest service packs, update rollups, critical reliability updates, compatibility updates, and most software upgrades.

Myth: Microsoft update services scan computers for pirated software and relay personally identifiable information (PII) back to Microsoft for use in criminal prosecutions.
Fact: Microsoft’s update services do not collect and forward personally identifiable information back to Microsoft for use in criminal prosecutions. To help mitigate privacy concerns, Microsoft has obtained and continues to renew third-party privacy certification for each version of the Windows update client. For more information about how privacy is protected through Windows Update, refer to the Windows Update privacy statement. For more information on how privacy is protected through genuine software updates, refer to the Microsoft Genuine Advantage Privacy Statement.

Myth: Microsoft update services will cause non-genuine computers to crash more often or experience performance problems. Functionality of Windows is reduced on non-genuine computers.
Fact: The functionality, reliability, or performance of non-genuine Windows based computers is not degraded. The following things will occur for a non-genuine computer: The desktop background will be changed to the color black. The user will be periodically notified that the computer is non-genuine. The user may not be offered new software or less-critical (value added) updates that are offered to Genuine Windows-based computers.

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Resources: Sessions On-Demand & Community; Resources for IT Professionals; Resources for Developers; Microsoft Certification & Training Resources. TechEd 2009 is not producing a DVD; attendees can access session recordings at TechEd Online.
