An accurate understanding of on-going malware prevalence

Jason Garms
Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation
JasonG@Microsoft.Com

AVAR 2005, Tianjin, China

Agenda

- Importance of data analysis and malware
- Data sources and analysis from Microsoft
- Key observations

Virus “particles” for people

(Figure: one infected person produces millions of infection particles)

Virus “particles” for computers

(Figure: an Rbot-infected computer spreading by email infection, vulnerability exploit and file sharing)

Usefulness of Data

- “First Hour”: predicting how prevalent a piece of malware will be
- “Second Month”: continued prevalence
- “Five Year”: historical

Windows Malicious Software Removal Tool

- Ability to detect and remove prevalent malicious software
- Updated and released monthly
- Low execution impact
- Localized into 24 languages
- Protect the Internet
- Supports Windows XP, Windows 2000, and Windows Server 2003, 32/64 bit

Key Observations

- Botnets are a BIG deal
- Social engineering worms and mass mailing worms continue to be very effective
- Zotob: how bad was it?
- Rootkit data prevalence is surprising
- Blaster persists
- Antinny: who would have thought?

Botnets are a Big Deal

- Gaobot, Rbot, Sdbot
- 58% of malware removed are bots
- Top 3 bot families are 85% of all bots removed
- Order of most prevalent: Rbot, Sdbot, Gaobot
- 10% of Rbot infections are re-infections
- 3% of Gaobot infections are re-infections

Social Engineering and Mass Mailing Worms

- Among families removed by MSRT: Netsky was #4 overall
- Bagle is #10 overall
- 2,000 copies of Netsky will be removed during AVAR
- Netsky.P is 1/3 of all Netsky infections
- WUKill is #5 for October

Zotob: How bad?

- Zotob is #41 overall
- It was only #35 for October
- Esbot was more prevalent, but received no attention
- Esbot was #12 in October

Rootkit Prevalence

- Hacker Defender, FURootkit, IsPro
- In order of prevalence:
  - FURootkit: 5th overall, 3rd in October
  - IsPro: 7th overall, 15th in October
  - Hacker Defender: 17th overall, 24th in October

Blaster Sure is Persistent!

- Blaster is #6 overall, and #16 in October
- Almost 1,000 infections will be removed during AVAR
- MsBlast.A is the most common variant in the family
- But… Nachi.A is even more common

Antinny: Who would have thought?

- Antinny was #2 in October
- So far, it’s #4 in November

Other Interesting Facts

- Machines running Windows XP SP2 are 13-15 times less likely to be infected with malware from the Wild List
- Infected machines average 1.3 infections
- Some have 30 or more active infections
- Bottom 8 families have less than 100 disinfections each

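The figures on the botnet slide (share of removals that are bots, top-3 share, re-infection rates) and on this slide (average and maximum removals per infected machine) are all derived from per-run disinfection reports. The following is an added example, not code or data from the presentation or from Microsoft: it assumes a hypothetical report format of (run month, machine ID, family removed) and uses a small constructed sample to show how each of those statistics is computed. Re-infection is defined here as a removal of a family from a machine that already had the same family removed in an earlier monthly run.

```python
from collections import Counter
from statistics import mean

# Constructed sample of MSRT-style disinfection reports (not real telemetry).
# One row per family removed on one machine in one monthly run; machine IDs
# and the record format itself are assumptions for this example.
REPORTS = [
    ("2005-09", "m1", "Rbot"), ("2005-09", "m2", "Rbot"), ("2005-09", "m3", "Sdbot"),
    ("2005-09", "m4", "Netsky"), ("2005-09", "m4", "Rbot"), ("2005-09", "m5", "Gaobot"),
    ("2005-09", "m6", "FURootkit"), ("2005-09", "m7", "Msblast"), ("2005-09", "m7", "Nachi"),
    ("2005-10", "m1", "Rbot"),      # m1 was cleaned in September; Rbot is back: re-infection
    ("2005-10", "m2", "Antinny"), ("2005-10", "m8", "Antinny"), ("2005-10", "m9", "Antinny"),
    ("2005-10", "m3", "Sdbot"),     # Sdbot re-infection of m3
    ("2005-10", "m10", "Rbot"), ("2005-10", "m11", "FURootkit"),
    ("2005-10", "m5", "Gaobot"),    # Gaobot re-infection of m5
    ("2005-10", "m12", "Esbot"), ("2005-10", "m13", "Zotob"),
]

# Families treated as bots for the share calculations (assumed grouping).
BOT_FAMILIES = {"Rbot", "Sdbot", "Gaobot", "Esbot", "Zotob", "Mytob"}


def rank_families(reports, months=None):
    """Disinfection totals by family, most prevalent first.
    `months` restricts the ranking to a set of run months (e.g. {"2005-10"})."""
    counts = Counter(fam for month, _, fam in reports
                     if months is None or month in months)
    return counts.most_common()


def share(reports, families):
    """Fraction of all disinfections that belong to `families`."""
    hits = sum(1 for _, _, fam in reports if fam in families)
    return hits / len(reports) if reports else 0.0


def top_n_share(reports, families, n=3):
    """Within `families`, the fraction of disinfections made up by the n largest ones."""
    subset = [r for r in reports if r[2] in families]
    ranked = rank_families(subset)
    return sum(c for _, c in ranked[:n]) / len(subset) if subset else 0.0


def reinfection_rate(reports, family):
    """Share of `family` removals on machines that already had it removed in an earlier run."""
    seen = set()            # machines that have already had `family` removed
    total = reinfected = 0
    for month, machine, fam in sorted(reports):   # ISO months sort chronologically
        if fam != family:
            continue
        total += 1
        if machine in seen:
            reinfected += 1
        seen.add(machine)
    return reinfected / total if total else 0.0


def infections_per_machine(reports):
    """(average, maximum) number of families removed per (machine, run) with >= 1 removal."""
    per_run = Counter((month, machine) for month, machine, _ in reports)
    return mean(per_run.values()), max(per_run.values())


if __name__ == "__main__":
    print("overall:", rank_families(REPORTS)[:3])
    print("october:", rank_families(REPORTS, {"2005-10"})[:3])
    print("bot share: %.2f, top-3 bot share: %.2f"
          % (share(REPORTS, BOT_FAMILIES), top_n_share(REPORTS, BOT_FAMILIES)))
    for fam in ("Rbot", "Gaobot", "Antinny"):
        print(fam, "re-infection rate: %.2f" % reinfection_rate(REPORTS, fam))
    print("per-machine avg/max:", infections_per_machine(REPORTS))
```

The monthly ranking and the cumulative ranking differ for the same reason they do on the deck's table: a family that spikes in one month (Antinny in the sample) can lead that month while still sitting lower since January. Note that the re-infection measure depends on being able to recognize the same machine across runs; without a stable machine identifier the rate collapses to zero.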
Top Disinfection Totals by Family

Rank  Since January   October only
 1    Rbot            Rbot
 2    Sdbot           Antinny
 3    Gaobot          FURootkit
 4    Netsky          Sdbot
 5    FURootkit       Wukill
 6    Msblast         Gaobot
 7    Ispro           Netsky
 8    Korgo           Bagle
 9    Berbew          Sientok
10    Bagle           Lovegate
11    Antinny         Mytob
12    Mytob           Esbot

Ranking by Family since January

(Chart)

Disinfections by Type

(Chart)

August Disinfection Breakdown: January Families

(Chart)

August Disinfection Breakdown: February Families

(Chart)

Highest Re-infection

(Chart: since January)

Links

- Anti-Malware Engineering Team blog: http://blogs.msdn.com/antimalware
- Windows Malicious Software Removal Tool: http://www.microsoft.com/cleaner
- Windows Live Safety Center: http://safety.live.com

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.