Report addresses data and trends observed over the past several years, but focuses on the first half of 2009 (1H09).

Major sections include:
- Malicious software and potentially unwanted software
- Spam and phishing threats

Focus content on:
- Malware and signed code
- Threat combinations
- Malicious Web sites
- Software vulnerability exploits
- Browser-based exploits
- Microsoft Office document exploits
- Drive-by download exploits
- Security and privacy breaches
- Software vulnerability disclosures
- Industry-wide vulnerability disclosures
- Microsoft Security Bulletins and the Exploitability Index
- Usage trends for Windows Update and Microsoft Update
The 15 locations with the most computers cleaned by Microsoft desktop anti-malware products in 1H09

Country/Region | Computers Cleaned (1H09) | Computers Cleaned (2H08) | Change
United States | 13,971,056 | 13,245,712 | 5.5%
China | 2,799,456 | 3,558,… | …%
Brazil | 2,156,259 | 1,654,… | …%
United Kingdom | 2,043,431 | 2,225,… | …%
Spain | 1,853,234 | 1,544,… | …%
France | 1,703,225 | 1,815,… | …%
Korea | 1,619,135 | 1,368,… | …%
Italy | 1,192,867 | 978,… | …%
Turkey | 1,161,133 | 768,… | …%
Germany | 1,086,473 | 1,209,… | …%
Mexico | 957,697 | 915,605 | 4.6%
Canada | 942,826 | 916,263 | 2.9%
Taiwan | 781,214 | 466,… | …%
Russia | 581,601 | 604,… | …%
Japan | 553,417 | 417,… | …%
Significant differences in threat patterns worldwide.
Chart: Threat categories worldwide and in eight locations around the world, by incidence among all computers cleaned, 1H09
Locations with the lowest infection rates, by CCM, in 1H09 (100,000 monthly MSRT executions or more)

Location | 1H09
Finland | 1.9
Austria | 2.1
Puerto Rico | 2.1
Philippines | 2.3
Vietnam | 2.4
Macao S.A.R. | 2.2
Tunisia | 2.5
Morocco | 2.6
Algeria | 2.8
Kenya | 2.9
Kazakhstan | 2.9
Germany | 3.0

Locations with the highest infection rates, by CCM, in 1H09 (100,000 monthly MSRT executions or more)

Location | 1H09
Serbia and Montenegro | 97.2
Turkey | 32.2
Brazil | 25.4
Spain | 21.6
Korea | 21.3
Saudi Arabia | 20.8
Taiwan | 20.4
Guatemala | 17.0
Russia | 15.0
Mexico | 14.5
Thailand | 14.0
Egypt | 13.7
Miscellaneous trojans remain very prevalent. Worm infections increased significantly.
Chart: Computers cleaned by threat category, in percentages, 2H06-1H09 (circular markers represent malware; square markers represent potentially unwanted software)

Infection rates of Windows Vista SP1 were 61.9% less than Windows XP SP3. Windows Vista with no service pack were 85.3% less than Windows XP with no service pack installed.
Chart: Number of computers cleaned for every 1,000 MSRT executions, by operating system, 1H09

Relative OS infection rates remain consistent over time.
Chart: Computers cleaned by threat category, in percentages, 2H06-1H09
Top 15 malware and potentially unwanted software families detected by Microsoft anti-malware desktop products worldwide, by number of unique infected computers, in 1H09

Rank | Family | Most Significant Category | 1H09 | 2H08
1 | Win32/Conficker | Worms | 5,217,862 | 3,719
2 | Win32/Taterf | Worms | 4,911,865 | 1,916,446
3 | Win32/Renos | Trojan Downloaders & Droppers | 3,323,198 | 4,371,508
4 | Win32/ZangoSearchAssistant | Adware | 2,933,627 | 3,326,275
5 | Win32/Frethog | Password Stealers & Monitoring Tools | 2,754,226 | 1,037,451
6 | Win32/FakeXPA | Miscellaneous Trojans | 2,384,497 | 1,691,393
7 | Win32/Vundo | Miscellaneous Trojans | 2,119,606 | 3,635,207
8 | Win32/Alureon | Miscellaneous Trojans | 1,976,735 | 510,281
9 | Win32/ZangoShoppingReports | Adware | 1,412,476 | 1,752,252
10 | Win32/Agent | Miscellaneous Trojans | 1,361,667 | 1,289,178
User reaction to threat alerts varies widely by severity.
Chart: User reaction to alerts, by severity, 1H09

User action is more consistent for malware categories.
Chart: User action by threat category, 1H09
Unique samples by category, 1H09 and 2H08

Category | 1H09 | 2H08 | Difference
Viruses | 68,008,496 | 62,785,358 | 8.3%
Miscellaneous Trojans | 23,474,539 | 16,638,… | …%
Password Stealers & Monitoring Tools | 7,087,141 | 1,287,… | …%
Trojan Downloaders & Droppers | 6,251,286 | 5,511,… | …%
Adware | 3,402,224 | 1,422,… | …%
Misc. Potentially Unwanted Software | 2,753,008 | 3,332,… | …%
Worms | 2,707,560 | 2,391,… | …%
Exploits | 1,311,250 | 869,… | …%
Backdoors | 589,747 | 631,… | …%
Spyware | 269,556 | 116,… | …%
Total | 115,854,807 | 94,985,… | …%
Graph excludes virus samples: viruses can infect many different files, each of which is considered a unique sample.
Top 10 families with more than 1 million unique samples detected in 1H09

Family | Most Significant Category | Total Samples | Total Reports | Reports/Sample
Win32/Parite | Viruses | 40,932,141 | 66,786,… | …
Win32/Virut | Viruses | 15,217,839 | 31,000,… | …
Win32/Agent | Miscellaneous Trojans | 6,720,422 | 10,236,… | …
Win32/Lolyda | Password Stealers & Monitoring Tools | 5,671,251 | 8,293,… | …
Win32/Vundo | Miscellaneous Trojans | 5,130,143 | 27,959,… | …
ASX/Wimad | Trojan Downloaders & Droppers | 3,339,296 | 12,835,… | …
Win32/Sality | Viruses | 3,154,368 | 6,495,… | …
Win32/Chir | Viruses | 3,100,250 | 6,355,… | …
Win32/GameVance | Adware | 2,785,395 | 10,263,… | …
Win32/Jeefo | Viruses | 2,589,942 | 31,122,… | …
Enterprise computers were more likely to encounter worms. Home computers were more likely to encounter trojans.
Chart: Threat categories detected by Windows Live OneCare and Forefront Client Security, by percentage of all infected computers cleaned by each program, 1H09
Top 10 families detected on infected computers by Windows Live OneCare, by percentage of computers cleaned, in 1H09

Windows Live OneCare Top Families | Most Significant Category | Percent
ASX/Wimad | Trojan Downloaders & Droppers | 10.3%
Win32/Agent | Miscellaneous Trojans | 7.4%
Win32/Renos | Miscellaneous Trojans | 5.0%
Win32/Obfuscator | Misc. Potentially Unwanted Software | 3.4%
Win32/Pdfjsc | Exploits | 3.0%
Win32/Xilos | Viruses | 2.9%
Win32/Swif | Trojan Downloaders & Droppers | 2.3%
Win32/Alureon | Miscellaneous Trojans | 2.3%
Win32/FakeXPA | Miscellaneous Trojans | 2.2%
Win32/Autorun | Worms | 1.9%
Top 10 families detected on infected computers by Forefront Client Security, by percentage of computers cleaned, in 1H09

Forefront Client Security Top Families | Most Significant Category | Percent
Win32/Conficker | Worms | 12.3%
Win32/Autorun | Worms | 6.6%
Win32/Hamweq | Worms | 5.9%
Win32/Agent | Miscellaneous Trojans | 5.1%
Win32/Taterf | Worms | 3.9%
Win32/Obfuscator | Misc. Potentially Unwanted Software | 1.9%
Win32/Renos | Miscellaneous Trojans | 1.7%
Win32/RealVNC | Password Stealers & Monitoring Tools | 1.6%
Win32/Sality | Viruses | 1.6%
AutoIt/Renocide | Worms | 1.4%
The 10 families responsible for the most signed-code threat reports in 1H09

Family | Most Significant Category | % of Signed Threat Files | % of Signed Threat Reports
Win32/Hotbar | Adware | 0.0% | 31.3%
Win32/ZangoSearchAssistant | Adware | 0.0% | 23.4%
Win32/ZangoShoppingReports | Adware | 0.0% | 17.1%
Win32/Pointfree | Misc. Potentially Unwanted Software | 0.3% | 4.7%
Win32/BaiduSobar | Misc. Potentially Unwanted Software | 0.0% | 3.7%
Win32/Wintrim | Miscellaneous Trojans | 52.8% | 3.3%
Win32/SeekmoSearchAssistant | Adware | 0.0% | 2.5%
Win32/RealVNC | Misc. Potentially Unwanted Software | 0.0% | 1.9%
Win32/GameVance | Adware | 29.7% | 1.9%
Win32/WinFixer | Misc. Potentially Unwanted Software | 0.1% | 0.7%

Criminals sign malware code in efforts to evade detection. Certificates may be issued to malware authors by CAs.
Infected computers frequently have multiple infections. Trojan threats were most likely to download other threats.
Chart: Threats that downloaded other threats, 1H09

Trojans also comprise a significant proportion of threats downloaded by other threats.
Chart: Threats that were downloaded by other threats, 1H09

Adware is a much larger proportion of single-country families.
Chart: Breakdown of threats hosted in one country and in multiple countries, by category, in 1H09

More than 97% of unwanted messages were blocked at the edge.
Chart: Percentage of incoming messages blocked by FOPE using edge-blocking and content filtering, 1H06-1H09

Spam was dominated by product advertisements in 1H09.
Chart: Inbound messages blocked by FOPE content filters, by category, in 1H09

Most spam is sent through botnets or other automated tools. The geographic origin of spam does not necessarily indicate the physical location of the spammer.
Chart: Geographic origins of spam, by percentage of total spam sent, in 1H09

Educational institutions are the source of most spam sent, despite accounting for a low portion of the FOPE customer base. Computer management strategies may be less strict.
Chart: Outbound spam sent through FOPE, by type of organization, in 1H09
Top 10 families detected by Forefront Online Protection for Exchange, by percentage of all infected messages, in 1H09

FOPE Families | Most Significant Category | Percent
Win32/Small | Trojan Downloaders & Droppers | 39.1%
Win32/Virut | Viruses | 10.3%
Win32/Zbot | Password Stealers & Monitoring Tools | 8.5%
Win32/Delfinject | Miscellaneous Potentially Unwanted Software | 4.3%
Win32/Provis | Miscellaneous Trojans | 3.4%
Win32/VB | Miscellaneous Trojans | 3.1%
Win32/Prolaco | Worms | 2.9%
Win32/Netsky | Worms | 2.6%
Win32/Mydoom | Worms | 2.3%
Win32/Autorun | Worms | 2.1%
Top 10 families detected by Windows Live Hotmail, by percentage of all infected messages, in 1H09

Windows Live Hotmail Families | Most Significant Category | Percent
JS/Redirector | Miscellaneous Trojans | 10.4%
Win32/Netsky | Worms | 8.1%
Win32/Mabezat | Virus | 4.7%
Win32/Helpud | Miscellaneous Trojans | 3.9%
Win32/Rochap | Trojan Downloaders & Droppers | 3.5%
Win32/Agent | Miscellaneous Trojans | 2.6%
Win32/Gamania | Password Stealers & Monitoring Tools | 2.3%
ASX/Wimad | Trojan Downloaders & Droppers | 2.2%
Win32/Mydoom | Worms | 2.2%
Win32/Mywife | Worms | 2.1%
Top 10 malware families detected by Windows Live Hotmail, by method of access, in 1H09

Family | Most Significant Category | Desktop & Mobile Client Percent | Web Client Percent | Total Percent
JS/Redirector | Miscellaneous Trojans | 15.3% | 1.1% | 10.4%
Win32/Netsky | Worms | 10.8% | 3.0% | 8.1%
Win32/Mabezat | Virus | 6.7% | 0.9% | 4.7%
Win32/Helpud | Miscellaneous Trojans | 3.2% | 5.3% | 3.9%
Win32/Rochap | Trojan Downloaders & Droppers | 1.3% | 7.7% | 3.5%
Win32/Agent | Miscellaneous Trojans | 1.6% | 4.6% | 2.6%
Win32/Gamania | Password Stealers & Monitoring Tools | 3.5% | 0.1% | 2.3%
ASX/Wimad | Trojan Downloaders & Droppers | 1.7% | 3.2% | 2.2%
Win32/Mydoom | Worms | 1.9% | 2.9% | 2.2%
Win32/Mywife | Worms | 1.9% | 2.5% | 2.1%
Phishing impressions suddenly increased in May and June 2009.
Chart: Phishing impressions tracked each month in 2H08 and 1H09, indexed to January 2009

The number of phishing sites did not increase to the same extent.
Chart: Active phishing sites tracked each month in 2H08 and 1H09, indexed to January 2009

The significant increase in phishing impressions seems to have been driven by one or more campaigns targeting social networks.
Chart: Impressions for each type of phishing site each month in 1H09

A small number of sites account for the bulk of social network phishes.
Chart: Active phishing sites tracked each month in 2H08 and 1H09, indexed to January 2009
Top 10 malware families hosted on sites blocked by the SmartScreen filter in Internet Explorer in 1H09

Rank | Family | Most Significant Category | Percent of Malware Impressions
1 | Win32/Moneytree | Misc. Potentially Unwanted Software | 32.8%
2 | Win32/Pdfjsc | Exploits | 5.2%
3 | Win32/Renos | Trojan Downloaders & Droppers | 4.6%
4 | Win32/FakeXPA | Miscellaneous Trojans | 4.6%
5 | Win32/Winwebsec | Miscellaneous Trojans | 4.5%
6 | Win32/PrivacyCenter | Miscellaneous Trojans | 4.2%
7 | Win32/Obfuscator | Miscellaneous Trojans | 4.0%
8 | Win32/InternetAntivirus | Miscellaneous Trojans | 4.0%
9 | Win32/Small | Trojan Downloaders & Droppers | 3.7%
10 | Win32/Fakerean | Miscellaneous Trojans | 3.3%
Potentially unwanted software phishing impressions increased while detections diminished on the desktop. SmartScreen may be having a measurable amount of success in preventing these threats from reaching the desktop.
Chart: Threats hosted at URLs blocked by the SmartScreen filter, by category, in 2H08 and 1H09

Data taken from user-reported incidents, submissions of malicious code, and Windows error reports; data from multiple operating systems and browsers.
Chart: Browser-based exploits, by percentage, encountered in 1H09

Chart: The 10 browser-based vulnerabilities exploited most often, by month, January-June 2009

The most common system locale was China (China), at 53.6% of all incidents. The second most common was United States (English), at 27.5%.
Chart: Browser-based exploits, by system locale, encountered in 1H08

On Windows XP-based machines, Microsoft vulnerabilities account for 56.4% of the exploits. On Windows Vista-based machines, Microsoft vulnerabilities account for only 15.5% of the exploits.
Chart: Browser-based exploits targeting Microsoft and third-party software on computers running Windows XP in 1H09
Chart: Browser-based exploits targeting Microsoft and third-party software on computers running Windows Vista in 1H09

On Windows XP-based machines, Microsoft software accounted for 6 of the top 10 vulnerabilities. The most commonly exploited vulnerability was disclosed and patched by Microsoft in 2006.
Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows XP, by percentage of all exploits in 1H09

On Windows Vista-based machines, Microsoft software accounted for only one of the top 10 vulnerabilities.
Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, by percentage of all exploits in 1H09

Trojan downloaders & droppers are well suited to drive-by download attacks, as they can then download additional threats.
Chart: Types of threat payloads delivered through drive-by downloads in 1H09

Chart: Percentile distribution of exploit servers by the number of drive-by pages pointing to each one, 1H09

Chart: Drive-by download pages pointing to exploit servers marutz.cn and 3b3.org during May 2009

Drive-by download exploit servers are concentrated in a small number of Top Level Domains. These Top Level Domains are prevalent in heavily-populated countries.
Chart: Types of malware dropped during Microsoft Office exploit attacks
Vulnerabilities exploited in Microsoft Office file formats

Bulletin | Date | Vulnerability | CVE
MS06-027 | June 2006 | Word Malformed Pointer Object Vulnerability | …
MS06-028 | June 2006 | PowerPoint Remote Code Execution using a Malformed Record Vulnerability | …
MS06-037 | July 2006 | Excel File Rebuilding Overflow | …
MS06-048 | August 2006 | PowerPoint mso.dll Vulnerability | …
MS06-060 | October 2006 | Word Mail Merge Vulnerability | …
MS07-014 | February 2007 | Word Malformed Data Structures Vulnerability | …
MS07-015 | February 2007 | Excel Malformed Record Vulnerability | …
MS07-025 | May 2007 | Drawing Object Vulnerability | …
MS08-014 | March 2008 | Macro Validation Vulnerability | …
MS09-009 | April 2009 | Excel Memory Corruption Vulnerability | …
MS09-017 | May 2009 | PowerPoint Memory Corruption Vulnerability | …
Data from submissions of malicious code to Microsoft. One vulnerability was the target of 71.0% of all attacks.
Chart: Microsoft Office file format exploits, by percentage, encountered in 1H09

The most common locales correspond to countries and regions with large populations.
Chart: Microsoft Office file format exploits, by percentage, encountered in 1H09

Chart: Microsoft Office file format exploits encountered, by date of last Windows or Office security update, in 1H09
Vulnerabilities affecting RTM versions of Office

Vulnerability | Bulletin | Office 2000 RTM | Office XP RTM | Office 2003 RTM | Office 2007 RTM
CVE MS06-028 Yes No
CVE MS06-037 Yes No
CVE MS06-027 Yes No
CVE MS06-048 Yes No
CVE MS06-060 Yes No
CVE MS Yes No
CVE MS07-015 Yes No
CVE MS07-025 Yes
CVE MS08-014 Yes
CVE MS09-009 Yes
CVE MS09-017 Yes
Vulnerabilities affecting Office with latest service packs installed

Vulnerability | Bulletin | Office 2000 RTM | Office XP RTM | Office 2003 RTM | Office 2007 RTM
CVE MS06-028 Yes No
CVE MS06-037 Yes No
CVE MS06-027 Yes No
CVE MS06-048 Yes No
CVE MS06-060 Yes No
CVE MS Yes No
CVE MS07-015 Yes No
CVE MS07-025 Yes No
CVE MS08-014 Yes No
CVE MS09-009 Yes No
CVE MS09-017 Yes
Nearly 90% of exploits involved a trojan or backdoor. These threats allow access to install more malware.
Chart: Types of malware dropped during Microsoft Office exploit attacks
Top 10 trojan families used in Office exploits in 1H09

Family | Most Significant Category | Percent of trojans
Win32/Buzus | Trojan Downloaders & Droppers | 29.5%
Win32/AgentBypass | Miscellaneous Trojans | 11.7%
Win32/Enfal | Miscellaneous Trojans | 11.3%
Win32/Small | Miscellaneous Trojans | 6.4%
Win32/SystemHijack | Miscellaneous Trojans | 3.0%
Win32/ProcInject | Miscellaneous Trojans | 3.0%
Win32/Malres | Trojan Downloaders & Droppers | 2.6%
Win32/Kirpich | Trojan Downloaders & Droppers | 2.3%
Win32/Malagent | Miscellaneous Trojans | 2.3%
Win32/Bumat | Miscellaneous Trojans | 2.3%
Top 10 backdoor families used in Office exploits in 1H09

Family | Most Significant Category | Percent of trojans
Win32/PoisonIvy | Backdoors | 61.4%
Win32/Bifrose | Backdoors | 7.4%
Win32/Ripnip | Backdoors | 5.5%
Win32/Difeqs | Backdoors | 4.1%
Win32/Riler | Backdoors | 3.9%
Win32/Farfil | Backdoors | 2.8%
Win32/Delf | Backdoors | 2.5%
Win32/PcClient | Backdoors | 2.3%
Win32/Veden | Backdoors | 2.3%
Win32/Agent | Backdoors | 1.8%
Hacking and viruses accounted for less than 25 percent of all notifications in 1H09. Most breaches resulted from stolen, lost or improperly disposed of equipment.
Chart: Security breach incidents, by incident type, 2H07-1H09

Disclosures in 1H09 were down 28.4% from 2H08. 1H09 had the lowest number of disclosures since 2H05.
Chart: Industry-wide vulnerability disclosures by half-year, 1H04-1H09

Disclosure of high severity vulnerabilities was down 12.9%. The highest severity rating accounts for 6.7% of all disclosures.
Chart: Industry-wide vulnerability disclosures by severity, 1H09
Chart: Industry-wide vulnerability disclosures by severity by half-year, 2004-2009 (Low, Medium, High)

The proportion of Low complexity disclosures declined, but the majority of disclosures still remain Low complexity.
Chart: Industry-wide vulnerability disclosures by access complexity, 1H04-1H09

Chart: High severity vulnerabilities, by access complexity, in 1H09. … percent of High severity vulnerabilities were also classified as Low complexity.

Application vulnerabilities were down sharply in 1H09. OS and browser vulnerabilities were relatively stable.
Chart: Operating system, browser & application vulnerabilities as a percentage of all disclosures, 1H04-1H09

Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
Chart: Vulnerability disclosures for Microsoft and non-Microsoft products, 1H04-1H09 (Non-Microsoft, Microsoft)

Responsible disclosure rates rose to a high of 79.5%.
Chart: Responsible disclosures as a percentage of all disclosures involving Microsoft software, 1H05-1H09

In 1H09 Microsoft released 27 bulletins addressing 87 individual CVE-identified vulnerabilities.
Chart: Security bulletins released and CVEs addressed by half-year, 1H05-1H09

Microsoft continues to combine vulnerabilities into single updates, thus reducing the number of patching events.
Chart: Average number of CVEs addressed per security bulletin, 1H05-1H09

The Exploitability Index has helped IT professionals prioritize deployment of security updates.
Chart: CVEs with exploits discovered within 30 days, by Exploitability Index rating, in 1H09

Microsoft gives workaround, mitigation or attack surface reduction advice where possible.
Chart: Workaround and mitigation status for 1H09 security bulletins

Adoption of Microsoft Update has risen significantly. Microsoft Update provides a more comprehensive solution than Windows Update alone.
Chart: Usage of Windows Update and Microsoft Update, 2H06-1H09, indexed to 2H06 total usage

Both WSUS and end-user update services are growing faster than the Windows installed base. Users are choosing to enable updating on new and existing Windows installations.
Chart: Relative growth in Microsoft WSUS and end-user update services, 2H06-1H09, indexed to 2H06

A Windows Defender signature issued via Microsoft Update had a significant and dramatic impact on Win32/Renos trojan infections.
Chart: Daily Windows error reports caused by Win32/Renos on Windows Vista computers in February and March 2007

Usage of Microsoft updates varies worldwide. Variations are due to a variety of factors, including broadband Internet connectivity, software piracy and the percentage of computers in enterprise environments.
Chart: Update service usage and software piracy rates for seven locations worldwide, relative to the United States
Myth: Anti-piracy updates are forcibly installed by Microsoft if users install updates through Windows Update and Automatic Updates.
Fact: Users can, through the Windows Update or Automatic Updates control panels, choose how updates are downloaded and installed. Use of the Windows Update and Microsoft Update Web sites (Windows XP and Windows Server 2003) is gated to require Genuine validation, but there is no restriction on the use of Automatic Updates on the local computer.

Myth: Microsoft does not offer security updates to pirated systems.
Fact: Microsoft offers all security updates for Windows and all other Microsoft products. They also allow all computers to install the latest service packs, update rollups, critical reliability updates, compatibility updates, and most software upgrades.

Myth: Microsoft update services scan computers for pirated software and relay personally identifiable information (PII) back to Microsoft for use in criminal prosecutions.
Fact: Microsoft’s update services do not collect and forward personally identifiable information back to Microsoft for use in criminal prosecutions. To help mitigate privacy concerns, Microsoft has obtained and continues to renew third-party privacy certification for each version of the Windows update client. For more information about how privacy is protected through Windows Update, refer to the Windows Update privacy statement. For more information on how privacy is protected through genuine software updates, refer to the Microsoft Genuine Advantage Privacy Statement.

Myth: Microsoft update services will cause non-genuine computers to crash more often or experience performance problems. Functionality of Windows is reduced on non-genuine computers.
Fact: The functionality, reliability, or performance of non-genuine Windows based computers is not degraded. The following things will occur for a non-genuine computer:
- The desktop background will be changed to the color black.
- The user will be periodically notified that the computer is non-genuine.
- The user may not be offered new software or less-critical (value added) updates that are offered to Genuine Windows-based computers.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.