Slide 2
Tim Rains, Group Product Manager, Microsoft
Session Code: SIA206
Slide 3
Security Intelligence Report volume 6 (July–December 2008)
- The report addresses data and trends observed over the past several years, but focuses on the second half of 2008 (2H08).
- Major sections cover: The Threat Ecosystem; Software Vulnerability Disclosures; Software Vulnerability Exploits; Browser-Based and Document Format Exploits; Security and Privacy Breaches; Malicious Software and Potentially Unwanted Software; Email, Spam, Phishing and Drive-By Download Threats; Special Focus on Rogue Security Software; Country/Region Specific Data for 12 Locations Worldwide.
- The report builds on five previous editions of the SIR.
Slide 4
Security Intelligence Report volume 6 (July–December 2008): Data Sources for Software Vulnerability Disclosures
- Common Vulnerabilities and Exposures (CVE) website: http://cve.mitre.org
- Common Vulnerability Scoring System (CVSS): http://www.first.org/cvss
- National Vulnerability Database (NVD) website: http://nvd.nist.gov/
- Security websites
- Vendor websites and support sites
- Security breach notifications: http://datalossdb.org
Slide 5
Security Intelligence Report volume 6 (July–December 2008): Data Sources for Software Exploits
- A variety of public sources, including exploit archives, antivirus alerts, mailing lists and security-related websites
- Customer support incidents and reports submitted to Microsoft
- Customer submissions of malicious software to the Microsoft Malware Protection Center
- Microsoft Security Bulletins: http://www.microsoft.com/technet/security
Slide 6
Security Intelligence Report volume 6 (July–December 2008): Data Sources for Malicious Software and Potentially Unwanted Software
- Data from several hundred million computers worldwide
- Some of the busiest services on the Internet (e.g. Hotmail)
- During 2H08 the Malicious Software Removal Tool (MSRT) executed 2.2 billion times
- Since January 2005, total MSRT executions surpass 15 billion
- Also data from Windows Live Search and the Microsoft Windows Safety Platform
Slide 8
Security Vulnerability Disclosures: Industry-Wide Totals
- Disclosures in 2H08 were down 3% from 1H08.
- Disclosures for all of 2008 were down 12% from 2007.
[Chart: Industry-wide vulnerability disclosures by half-year, 2H03–2H08]
Slide 9
Security Vulnerability Disclosures: Severity
- Disclosures of high-severity vulnerabilities were 3.8% higher than in 1H08.
- The highest severity rating accounts for 7.8% of all disclosures.
[Chart: Industry-wide vulnerability disclosures by severity, 2H08]
[Chart: Industry-wide vulnerability disclosures by severity by half-year, 2H03–2H08; legend: Low, Medium, High]
Slide 10
Security Vulnerability Disclosures: Access Complexity
- The majority of disclosures are Low complexity.
[Chart: Industry-wide vulnerability disclosures by access complexity, 2H03–2H08]
Slide 11
Security Vulnerability Disclosures: Operating System, Browser and Application Disclosures, Industry-Wide
- Operating system vulnerabilities: 8.8% of the total
- Browser vulnerabilities: 4.5% of the total
- Other vulnerabilities: 86.7% of the total
[Chart: Industry-wide operating system, browser, and other vulnerabilities, 2H03–2H08]
Slide 12
Security Vulnerability Disclosures: Microsoft Vulnerability Disclosures
- Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Chart: Vulnerability disclosures for Microsoft products, 2H03–2H08]
[Chart: Vulnerability disclosures for Microsoft products, by year, 2004–2008]
Slide 13
Security Vulnerability Disclosures: Microsoft Vulnerability Disclosures
- Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Chart: Vulnerability disclosures for Microsoft and non-Microsoft products, 2H03–2H08; legend: Non-Microsoft, Microsoft]
Slide 14
Security Vulnerability Disclosures: Microsoft Vulnerability Disclosures
- Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Chart: Microsoft vulnerability disclosures as a percentage of all industry disclosures, 2H03–2H08]
Slide 16
Microsoft consolidates multiple vulnerabilities into individual security bulletins to minimize update events.
Slide 18
Microsoft Vulnerability Exploit Details: Browser-Based Exploits
- Data taken from user-reported incidents, submissions of malicious code, and Windows error reports
- Data from multiple operating systems and browsers
[Chart: Browser-based exploits, by percentage, encountered in 2H08]
Slide 19
Microsoft Vulnerability Exploit Details: Browser-Based Exploits by System Locale
- The most common system locale was U.S. English, at 32.4% of all incidents.
- The second most common was Chinese, at 25.6%.
[Chart: Browser-based exploits, by system locale of victim, encountered in 2H08]
Slide 20
Microsoft Vulnerability Exploit Details: Browser-Based Exploits by Operating System and Software Vendor
- On Windows XP-based machines, Microsoft vulnerabilities accounted for 40.9% of the exploits.
- On Windows Vista-based machines, Microsoft vulnerabilities accounted for only 5.5% of the exploits.
[Chart: Browser-based exploits targeting Microsoft and third-party software on computers running Windows XP, 2H08]
[Chart: Browser-based exploits targeting Microsoft and third-party software on computers running Windows Vista, 2H08]
Slide 21
Microsoft Vulnerability Exploit Details: Top 10 Browser-Based Exploits on Windows XP-Based Machines
[Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows XP, 2H08; legend: Microsoft Vulnerabilities, Third-Party Vulnerabilities]
Slide 22
Microsoft Vulnerability Exploit Details: Top 10 Browser-Based Exploits on Windows Vista-Based Machines
- On Windows Vista-based machines, Microsoft software accounted for none of the top 10 vulnerabilities.
[Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, 2H08; legend: Third-Party Vulnerabilities]
Slide 24
Security and Privacy Breaches: Study of Publicly Reported Security Breaches Worldwide
- Hacking and viruses accounted for less than 20% of all notifications in 2H08.
- 50% of breaches in 2H08 resulted from stolen equipment.
[Chart: Security breach incidents by type, expressed as percentages of the total, 2H07–2H08]
Slide 26
Malicious and Potentially Unwanted Software: Infection Rates by Operating System
- The infection rate of Windows Vista SP1 was 60.6% less than that of Windows XP SP3.
- The infection rate of Windows Vista with no service pack was 89.1% less than that of Windows XP with no service pack installed.
Slide 27
[Chart: Family categories detected by Windows Live OneCare and Forefront Client Security, by percentage of the total number of infected computers cleaned by each program, in 2H08]
- Infection patterns mirror usage patterns.
- Worms are more prevalent in enterprise environments.
- Trojans are more prevalent in home environments.
Slide 28
[Chart: Computers cleaned by threat category, in percentages, 2H06–2H08; circular markers denote malicious software, square markers denote potentially unwanted software]
Slide 29
Malicious and Potentially Unwanted Software: Family Trends in 2H08, All Microsoft Anti-Malware Desktop Products Worldwide

Rank | Family | Most Significant Category | Infected Computers
1 | Win32/Renos | Trojan Downloaders & Droppers | 4,371,508
2 | Win32/Zlob | Trojan Downloaders & Droppers | 3,772,217
3 | Win32/Vundo | Miscellaneous Trojans | 3,635,207
4 | Win32/ZangoSearchAssistant | Adware | 3,326,275
5 | Win32/Taterf | Worms | 1,916,446
6 | Win32/ZangoShoppingreports | Adware | 1,752,252
7 | Win32/FakeXPA | Miscellaneous Trojans | 1,691,393
8 | Win32/FakeSecSen | Miscellaneous Trojans | 1,575,648
9 | Win32/Hotbar | Adware | 1,477,886
10 | Win32/Agent | Miscellaneous Trojans | 1,289,178
11 | ASX/Wimad | Trojan Downloaders & Droppers | 1,168,724
12 | Win32/BaiduSobar | Misc. Potentially Unwanted Software | 1,131,180
13 | Win32/Frethog | Password Stealers & Monitoring Tools | 1,037,451
14 | Win32/Antivirus2008 | Misc. Potentially Unwanted Software | 1,034,897
15 | Win32/Playmp3z | Adware | 996,272

On the original slide, italics indicate families related to rogue security software.
Slide 30
Malicious and Potentially Unwanted Software: Global Infection Counts
The 25 locations with the most computers cleaned by Microsoft anti-malware desktop products in 2H08

Country/Region | Computers Cleaned in 2H08
United States | 13,245,712
China | 3,558,033
United Kingdom | 2,225,016
France | 1,815,639
Brazil | 1,654,298
Spain | 1,544,623
Korea | 1,368,857
Germany | 1,209,461
Italy | 978,870
Canada | 916,263
Mexico | 915,605
Turkey | 768,939
Netherlands | 641,053
Russia | 604,598
Taiwan | 466,929
Australia | 464,707
Japan | 417,269
Poland | 409,532
Portugal | 337,313
Sweden | 287,528
Belgium | 267,401
Denmark | 224,021
Norway | 203,952
Colombia | 164,986
Switzerland | 163,156
Slide 32
Malicious and Potentially Unwanted Software: Infection Rates by CCM
CCM is the number of computers cleaned per 1,000 executions of MSRT.

Locations with the highest infection rates by CCM, 2H08
Country/Region | 2H08 average CCM
Serbia, Montenegro | 77.0
Russia | 21.1
Brazil | 20.9
Turkey | 20.5
Spain | 19.2
Saudi Arabia | 18.5
Korea | 18.3
Egypt | 16.5
Mexico | 15.9
Guatemala | 13.9

Locations with the lowest infection rates by CCM, 2H08
Country/Region | 2H08 average CCM
Vietnam | 1.3
Philippines | 1.4
Macao S.A.R. | 1.5
Japan | 1.7
Morocco | 2.1
Pakistan | 2.2
Austria | 2.3
Luxembourg | 2.5
Algeria | 2.6
Finland | 2.6

[Heat map: infection rates by CCM, 2H08]
- South Africa's infection rate (CCM) was 6.6 in 2H08, i.e. 6.6 systems infected for every 1,000 systems MSRT executed on.
- This is noticeably lower than the worldwide average of 8.6.
Slide 33
Significant differences in threat patterns worldwide
[Chart: Threat categories worldwide and in the eight locations with the most infected computers, by incidence, among all computers cleaned by Microsoft desktop anti-malware products, 2H08]
Slide 34
Top Threats in South Africa: Disinfected Threats by Category in 2H08

Category | Infected Computers | Trend from 1H08
Worms | 24,318 | +317.8%
Miscellaneous Trojans | 17,773 | +130.4%
Trojan Downloaders and Droppers | 15,103 | +39.8%
Miscellaneous Potentially Unwanted Software | 14,727 | -13.4%
Adware | 9,715 | -18.3%
Backdoors | 5,815 | +122.7%
Password Stealers and Monitoring Tools | 5,674 | +356.5%
Viruses | 3,069 | +228.6%
Spyware | 608 | -29.3%
Exploits | 534 | +111.1%
TOTAL | | +64.6%
Slide 35
Top 10 Families in South Africa, 2H08 (data from all Microsoft security products)

Rank | Family | Category | Infected Computers | Trend
1 | Win32/Taterf | Worm | 11,940 | +579.2%
2 | Win32/Zlob | Trojan Downloaders & Droppers | 9,037 | -5.9%
3 | Win32/Renos | Trojan Downloaders & Droppers | 6,753 | +262.3%
4 | Win32/Rjump | Worm | 5,404 | +228.1%
5 | Win32/Vundo | Miscellaneous Trojans | 4,517 | +80.0%
6 | Win32/ZangoSearchAssistant | Adware | 3,663 | +20.4%
7 | Win32/Frethog | Password Stealers & Monitoring Tools | 2,722 | NEW
8 | Win32/FakeSecSen | Miscellaneous Trojans | 2,692 | NEW
9 | Win32/Hamweq | Worm | 2,425 | NEW
10 | Win32/SeekmoSearchAssistant | Adware | 2,409 | -8.4%
Slide 36
Top Threats in South Africa: Prevalent Families
- Win32/Taterf is significantly more prevalent in South Africa: it is #1 in South Africa and #5 worldwide. It is a family of worms that spreads via mapped drives to steal login and account details for popular online games.
- Win32/Rjump and Win32/Frethog are also significantly more prevalent in South Africa.
- Win32/Rjump is #4 in South Africa and #22 worldwide. It is a worm that spreads via newly attached media.
- Win32/Frethog is #7 in South Africa and #13 worldwide. It is a password stealer targeting login and account details for popular online games.
Slide 37
Top Threats in South Africa: Prevalent Families, Summary
- 8 of the top 10 families are malware.
- 20 of the top 25 families are malware.
- Only 2 of the top 10 are potentially unwanted software, such as adware.
- The top 25 families accounted for 91.0% of the total infected machines in South Africa.
Slide 39
[Chart: Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, during the last six weeks of 2H08]
Slide 40
[Chart: Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, 1H08–2H08]
- Product advertising dominated spam volumes.
- Spam promoting stocks declined sharply.
Slide 45
Analysis of Drive-By Download Pages
[Figure: Example of a Drive-By Download Attack]
Slide 46
Analysis of Drive-By Download Pages
[Figure: Geographic Distribution of Drive-By Download Pages]
Slide 47
Resources
- Sessions On-Demand & Community: www.microsoft.com/teched
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
- Microsoft Certification & Training Resources: www.microsoft.com/learning
Slide 48
Related Content
- End to End Trust (SIA101)
- Security Management and Protection: What's in Microsoft Forefront Client Security Version 2 (SIA203)
- Targeting SPAM with Forefront (SIA204)
- Deploying Windows 7 BitLocker in the Enterprise (WCL308)
- Next Generation Messaging and Collaboration Protection Drilldown (SIA301)
- Windows Internet Explorer 8 Security, Inside and Out (WCL305)
- 12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008, and Windows 7 Change the Game (WSV301)
- Overview of Microsoft Forefront Unified Access Gateway (SIA305)
- Access and Protection: A Technical Preview and Deep Dive of the Next Generation of Microsoft ISA Server (SIA303)
- Developing a Security Awareness Strategy (SIA202)
- Cybercrime: A Journey to the Dark Side (SIA310)
Slide 49
Track Resources
- www.microsoft.com/sir
- www.microsoft.com/msrc
- www.microsoft.com/mmpc
- www.microsoft.com/msec
Slide 51
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.