
1 An accurate understanding of on-going malware prevalence
Jason Garms, Architect & Group PM, Anti-Malware Technology Team, Microsoft Corporation
JasonG@Microsoft.Com
AVAR 2005, Tianjin, China

2 Agenda
- Importance of data analysis and malware
- Data sources and analysis from Microsoft
- Key observations

3 Virus "particles" for people
- One infected person produces millions of infection particles

4 Virus "particles" for computers
- An Rbot-infected computer spreads through several channels: email infection, vulnerability exploit, file sharing

5 Usefulness of Data
- "First Hour": predicting how prevalent a piece of malware will be
- "Second Month": continued prevalence
- "Five Year": historical

6 Windows Malicious Software Removal Tool
- Ability to detect and remove prevalent malicious software
- Updated and released monthly
- Low execution impact
- Localized into 24 languages
- Goal: protect the Internet
- Supports Windows XP, Windows 2000, and Windows Server 2003, 32/64-bit

7 Key Observations
- Botnets are a BIG deal
- Social engineering worms and mass-mailing worms continue to be very effective
- Zotob: how bad was it?
- Rootkit prevalence data is surprising
- Blaster persists
- Antinny: who would have thought?

8 Botnets are a Big Deal
- Gaobot, Rbot, Sdbot
- 58% of malware removed are bots
- Top 3 bot families are 85% of all bots removed
- Order of most prevalent: Rbot, Sdbot, Gaobot
- 10% of Rbot infections are re-infections
- 3% of Gaobot infections are re-infections

9 Social Engineering and Mass-Mailing Worms
- Among families removed by MSRT: Netsky was #4 overall, Bagle is #10 overall
- 2,000 copies of Netsky will be removed during AVAR
- Netsky.P is 1/3 of all Netsky infections
- WUKill is #5 for October

10 Zotob: How bad?
- Zotob is #41 overall
- It was only #35 for October
- Esbot was more prevalent, but received no attention: Esbot was #12 in October

11 Rootkit Prevalence
- Hacker Defender, FURootkit, IsPro
- In order of prevalence:
  - FURootkit: 5th overall, 3rd in October
  - IsPro: 7th overall, 15th in October
  - Hacker Defender: 17th overall, 24th in October

12 Blaster Sure is Persistent!
- Blaster is #6 overall, and #16 in October
- Almost 1,000 infections will be removed during AVAR
- MsBlast.A is the most common variant in the family
- But... Nachi.A is even more common

13 Antinny: Who would have thought?
- Antinny was #2 in October
- So far, it's #4 in November

14 Other Interesting Facts
- Machines running Windows XP SP2 are 13 to 15 times less likely to be infected with malware from the WildList
- Infected machines average 1.3 infections; some have 30 or more active infections
- The bottom 8 families have fewer than 100 disinfections each

15 Top Disinfection Totals by Family

Rank  Since January   October only
 1    Rbot            Rbot (shown as a single entry in the transcript)
 2    Sdbot           Antinny
 3    Gaobot          FURootkit
 4    Netsky          Sdbot
 5    FURootkit       Wukill
 6    Msblast         Gaobot
 7    Ispro           Netsky
 8    Korgo           Bagle
 9    Berbew          Sientok
10    Bagle           Lovegate
11    Antinny         Mytob
12    Mytob           Esbot
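The figures on the botnet, "other facts" and ranking slides (family rank since January versus a single month, the share of removals that are bots, re-infection rates, removals per infected machine) are all aggregations over per-run disinfection reports. The following is an added example, not code from the talk or from Microsoft, showing how those statistics are derived from such records. The record layout (machine id, run date, family) and the sample rows are constructed for illustration; the bot-family grouping mirrors the three families named on the botnet slide.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed MSRT-style disinfection records: (machine_id, run_date, family).
# Invented for this example; these are not Microsoft telemetry figures.
REPORTS = [
    ("m1",  date(2005, 1, 11),  "Rbot"),
    ("m1",  date(2005, 2, 8),   "Rbot"),       # Rbot cleaned again on a later run
    ("m1",  date(2005, 2, 8),   "Netsky"),
    ("m2",  date(2005, 1, 11),  "Sdbot"),
    ("m2",  date(2005, 10, 11), "Antinny"),
    ("m3",  date(2005, 10, 11), "Rbot"),
    ("m3",  date(2005, 10, 11), "Gaobot"),
    ("m3",  date(2005, 10, 11), "FURootkit"),  # three families in one run
    ("m4",  date(2005, 10, 11), "Antinny"),
    ("m5",  date(2005, 9, 13),  "Gaobot"),
    ("m5",  date(2005, 10, 11), "Gaobot"),     # Gaobot re-infection
    ("m6",  date(2005, 3, 8),   "Msblast"),
    ("m7",  date(2005, 10, 11), "Rbot"),
    ("m9",  date(2005, 6, 14),  "Rbot"),
    ("m10", date(2005, 4, 12),  "Gaobot"),
    ("m11", date(2005, 10, 11), "Rbot"),
]

# Grouping used on the "Botnets are a Big Deal" slide.
BOT_FAMILIES = {"Rbot", "Sdbot", "Gaobot"}


def in_window(run_date, start, end):
    """True when run_date falls in the half-open window [start, end); None means unbounded."""
    return (start is None or run_date >= start) and (end is None or run_date < end)


def rank_families(reports, start=None, end=None):
    """Disinfections per family inside the window, most prevalent first.

    Ties are broken by family name so the ranking is deterministic.
    """
    counts = Counter(fam for _, d, fam in reports if in_window(d, start, end))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def reinfection_rate(reports, family):
    """Share of a family's removals that hit a machine the tool had already
    cleaned of that same family on an earlier run (second and later runs count)."""
    runs_per_machine = defaultdict(set)
    for mid, d, fam in reports:
        if fam == family:
            runs_per_machine[mid].add(d)
    total = sum(len(dates) for dates in runs_per_machine.values())
    repeats = sum(len(dates) - 1 for dates in runs_per_machine.values())
    return repeats / total if total else 0.0


def infections_per_infected_machine(reports, start=None, end=None):
    """(average, maximum) removals per run that found at least one infection."""
    per_run = Counter((mid, d) for mid, d, _ in reports if in_window(d, start, end))
    if not per_run:
        return 0.0, 0
    return sum(per_run.values()) / len(per_run), max(per_run.values())


def share(reports, families, start=None, end=None):
    """Fraction of all removals in the window attributed to the given families."""
    in_win = [fam for _, d, fam in reports if in_window(d, start, end)]
    if not in_win:
        return 0.0
    return sum(1 for fam in in_win if fam in families) / len(in_win)


if __name__ == "__main__":
    october = (date(2005, 10, 1), date(2005, 11, 1))
    print("Since January:", rank_families(REPORTS))
    print("October only: ", rank_families(REPORTS, *october))
    print("Bot share:     %.0f%%" % (100 * share(REPORTS, BOT_FAMILIES)))
    for fam in sorted(BOT_FAMILIES):
        print("%-7s re-infection rate: %.0f%%" % (fam, 100 * reinfection_rate(REPORTS, fam)))
    avg, worst = infections_per_infected_machine(REPORTS, *october)
    print("October: %.2f infections per infected machine, worst case %d" % (avg, worst))
```

Two points the slides rely on are visible in the code: a month-only ranking can differ sharply from the cumulative one (a family that surges in one month, like Antinny, climbs the monthly table long before it moves the since-January table), and re-infection is only measurable when the telemetry carries a stable machine identifier across runs, since it is defined as the same family being removed from the same machine on a later run.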

16 Ranking by Family since January

17 Disinfections by Type

18 August Disinfection Breakdown January Families

19 August Disinfection Breakdown February Families

20 Highest Re-infection Since January

21 Links
- Anti-Malware Engineering Team blog: http://blogs.msdn.com/antimalware
- Windows Malicious Software Removal Tool: http://www.microsoft.com/cleaner
- Windows Live Safety Center: http://safety.live.com

22 © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
