TRANSCRIPT
Microsoft Security Intelligence Report v7
Ken Malcolmson, Senior Product Manager, Microsoft. Session Code: ITS206
Vinny Gullotto, General Manager, Microsoft Malware Protection Center
Security Intelligence Report volume 7 (January - June 2009)
Major sections cover:
- Malicious software and potentially unwanted software
- Email, spam and phishing threats
- Software vulnerability exploits
- Security and privacy breaches
- Software vulnerability disclosures
Focus content on:
- Malware and signed code
- Threat combinations
- Malicious Web sites
- Browser-based and Microsoft Office document exploits
- Drive-by download exploits
- Industry-wide vulnerability disclosures
- Microsoft Security Bulletins and the Exploitability Index
- Usage trends for Windows Update and Microsoft Update
Security Intelligence Report volume 7 - Continued Evolution
- Best Practices Around the World
- Malware and Signed Code
- Threat Combinations
- Geographic Origins of Spam Messages
- Reputation Hijacking
- "Malvertising": An Emerging Industry Threat
- Conficker update
- Automated SQL Injection Attacks
- Categories of payloads delivered by Microsoft Office exploits in 1H09
- Top 10 malware families used in Office file exploits in 1H09
- 1H09 Bulletin Severity and Exploitability Index Accuracy
- Security Bulletin Mitigations, Workarounds, and Attack Surface Reduction analysis
- Usage Trends for Windows Update and Microsoft Update
- Update service usage and software piracy rates for seven locations worldwide
- Myths and Facts About Microsoft Update Services and Software Piracy
Centers Supporting TwC Security
Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations)
- Microsoft Security Engineering Center (MSEC): Security Assurance, Security Science, SDL
- Microsoft Malware Protection Center (MMPC)
- Microsoft Security Response Center (MSRC): MSRC Engineering, MSRC Ops, EcoStrat
[Diagram: product life cycle from conception to release; customers submit data directly]
Security Intelligence Report Volume 7 - Data Sources
- Microsoft Malware Protection Center: labs located globally; protection for customers in more than 12 countries around the world
- Safety scanner: available in dozens of languages and performs millions of malware removals per year worldwide
- World's most popular browser: SmartScreen Filter and Microsoft Phishing Filter
- Millions of users worldwide using Forefront solutions
- Protecting thousands of enterprise customers and scanning billions of e-mail messages per year
- More than 100 million users worldwide
- More than 280 million active users worldwide
- 450 million computers worldwide reporting monthly
- Malicious Software Removal Tool: 2.7 billion executions in 1H09; more than 16.5 billion executions since 2005
- Billions of web-page scans per month
These data sources enable Microsoft to get data from all the relevant points of view: client, server, mail, Internet threats, globally.
Software Vulnerability Disclosures: Common Vulnerabilities and Exposures Web site (http://www.first.org/cvss), National Vulnerability Database (NVD) Web site (http://nvd.nist.gov/), security Web sites, vendor Web sites and support sites
Security Breach Notifications: http://datalossdb.org
Software Exploits: variety of public sources, including exploit archives, antivirus alerts, mailing lists, security related websites; Microsoft Security Bulletins (http://www.microsoft.com/technet/security); SecurityFocus (www.securityfocus.com)
Malicious and Potentially Unwanted Software
www.microsoft.com/sir
Malicious And Potentially Unwanted Software - Geographic distribution of malware (MSRT, 1H09)
[Map figure: geographic distribution of malware, MSRT, 1H09]
Malicious And Potentially Unwanted Software - Category trends
[Figure: Computers cleaned by threat category, in percentages, 2H06-1H09. Categories: Misc. Trojans, Worms, Trojan Downloaders & Droppers, Adware, Misc. Potentially Unwanted Software, Password Stealers & Monitoring Tools, Backdoors, Viruses, Spyware, Exploits]
Miscellaneous trojans remain very prevalent. Worm infections increased significantly.
Malicious And Potentially Unwanted Software - Top malware and potentially unwanted families
Rank  Family                       Most Significant Category               1H09        2H08
1     Win32/Conficker              Worms                                   5,217,862   3,719
2     Win32/Taterf                 Worms                                   4,911,865   1,916,446
3     Win32/Renos                  Trojan Downloaders & Droppers           3,323,198   4,371,508
4     Win32/ZangoSearchAssistant   Adware                                  2,933,627   3,326,275
5     Win32/Frethog                Password Stealers & Monitoring Tools    2,754,226   1,037,451
6     Win32/FakeXPA                Miscellaneous Trojans                   2,384,497   1,691,393
7     Win32/Vundo                  Miscellaneous Trojans                   2,119,606   3,635,207
8     Win32/Alureon                Miscellaneous Trojans                   1,976,735   510,281
9     Win32/ZangoShoppingReports   Adware                                  1,412,476   1,752,252
10    Win32/Agent                  Miscellaneous Trojans                   1,361,667   1,289,178
Top malware/potentially unwanted software families detected by Microsoft anti-malware desktop products worldwide in 1H09
Malicious And Potentially Unwanted Software - Operating system trends
Infection rates of Windows Vista machines:
- With SP1: 61.9% less than Windows XP SP3
- With no service pack: 85.3% less than Windows XP with no service pack
[Figure: Number of computers cleaned for every 1,000 MSRT executions in 1H09, by operating system (Windows XP RTM, SP1, SP2, SP3; Windows Vista RTM, SP1; Windows 2000 SP4; Windows Server 2003 SP1, SP2; Windows Server 2008 RTM) and architecture (x86, x64)]
Malicious And Potentially Unwanted Software - Operating system trends over time
[Figure: infection rates by half-year, 1H07-1H09, for Windows XP RTM, Windows XP SP1, Windows XP SP2, Windows XP SP3, Windows Vista RTM and Windows Vista SP1]
Computers cleaned by threat category, in percentages, 2H06-1H09
Relative OS infection rates remain consistent over time
Malicious And Potentially Unwanted Software - Threats at home and in the enterprise
Enterprise computers were more likely to encounter worms. Home computers were more likely to encounter trojans.
[Figure: threat categories encountered, in percentages, Forefront Client Security versus Windows Live OneCare]
Malicious And Potentially Unwanted Software - Threats at home and in the enterprise
Windows Live OneCare top families:
Family             Most Significant Category               Percent
ASX/Wimad          Trojan Downloaders & Droppers           10.3%
Win32/Agent        Miscellaneous Trojans                   7.4%
Win32/Renos        Miscellaneous Trojans                   5.0%
Win32/Obfuscator   Misc. Potentially Unwanted Software     3.4%
Win32/Pdfjsc       Exploits                                3.0%
Forefront Client Security top families:
Family             Most Significant Category               Percent
Win32/Conficker    Worms                                   12.3%
Win32/Autorun      Worms                                   6.6%
Win32/Hamweq       Worms                                   5.9%
Win32/Agent        Miscellaneous Trojans                   5.1%
Win32/Taterf       Worms                                   3.9%
Top 5 families detected by Windows Live OneCare/Forefront Client Security in 1H09
E-Mail Threats - Spam trends and statistics
More than 97% of unwanted e-mail messages were blocked at the edge
[Figure: Percentage of incoming messages blocked by FOPE using edge-blocking and content filtering, 1H06-1H09; series: Delivered, Content Filtered, Edge Filtered]
E-Mail Threats - Spam trends and statistics
Spam was dominated by product advertisements in 1H09. Inbound messages blocked by FOPE content filters, by category, in 1H09:
- Pharmacy - Non-Sexual: 40.5%
- Non-Pharmacy Product Ads: 20.9%
- Pharmacy - Sexual: 7.8%
- Dating/Sexually Explicit Material: 5.7%
- Image Only: 5.4%
- 419 Scams: 4.1%
- Fraudulent Diplomas: 3.2%
- Financial: 3.0%
- Gambling: 2.2%
- Malware: 2.1%
- Get Rich Quick: 1.8%
- Phishing: 1.8%
- Stock: 0.9%
- Software: 0.6%
E-Mail Threats - Geographic origins of spam messages
Geographic origins of spam, by percentage of total spam sent, in 1H09:
- North America: 33.4%
- Asia: 30.2%
- Europe: 23.8%
- South America: 9.8%
- Central America: 1.5%
- Oceania: 1.2%
- Africa: 0.0%
Most spam is sent through botnets or other automated tools. The geographic origin of spam does not necessarily indicate the physical location of the spammer.
Top Threats in Germany - Disinfected Threats by Category in 1H09
Category                               Infected Computers   Trend from 2H08   Share
Miscellaneous Trojans                  504,922              +11.5%            39.5%
Trojan Downloaders & Droppers          239,478              -38.2%            18.7%
Adware                                 165,543              -50.1%            13.0%
Misc. Potentially Unwanted Software    122,731              -51.8%            9.6%
Worms                                  86,148               +132.4%           6.7%
Backdoors                              57,462               +5.8%             4.5%
Password Stealers & Monitoring Tools   54,120               +104.2%           4.2%
Viruses                                26,549               -25.5%            2.1%
Spyware                                13,669               +45.7%            1.1%
Exploits                               7,582                +32.9%            0.6%
Data from All Microsoft Security Products - Top 25 Families in Germany in 1H09
Rank  Family                        Category                               Infected computers
1     Win32/Wintrim                 Misc. Trojans                          153,518
2     Win32/Alureon                 Misc. Trojans                          124,102
3     Win32/Renos                   Trojan Downloaders & Droppers          122,589
4     Win32/ZangoSearchAssistant    Adware                                 79,877
5     Win32/Vundo                   Misc. Trojans                          75,485
6     Win32/Conficker               Worms                                  66,659
7     Win32/Zlob                    Trojan Downloaders & Droppers          58,090
8     Win32/Agent                   Misc. Trojans                          44,346
9     Win32/Hotbar                  Adware                                 38,105
10    Win32/ZangoShoppingreports    Adware                                 34,800
11    Win32/SeekmoSearchAssistant   Adware                                 33,361
12    Win32/FakeXPA                 Misc. Trojans                          28,683
13    Win32/Tibs                    Misc. Trojans                          18,184
14    Win32/FakeRean                Misc. Trojans                          17,658
15    Win32/Taterf                  Worms                                  16,506
16    Win32/C2Lop                   Misc. Trojans                          16,333
17    Win32/Yektel                  Trojan Downloaders & Droppers          16,218
18    Win32/Cutwail                 Trojan Downloaders & Droppers          15,758
19    Win32/Playmp3z                Adware                                 15,512
20    Win32/WhenU                   Adware                                 14,174
21    Win32/RealVNC                 Adware                                 13,557
22    Win32/FakeAdpro               Misc. Potentially Unwanted Software    13,481
23    Win32/Rustock                 Backdoor                               13,059
24    Win32/Rbot                    Backdoor                               12,807
25    Win32/Frethog                 Password Stealers & Monitoring Tools   11,804
Lots more local data in the report
- "Deep dive" information on 14 countries and regions around the world
- Heatmaps: malware infection rates, phishing sites, malicious software sites, drive-by download attacks
- Download the SIR for the full facts
Software Vulnerability Exploit Details
www.microsoft.com/sir
Software Vulnerability Exploit Details - Browser-based exploits
Data taken from user-reported incidents, submissions of malicious code, and Windows error reports. Data from multiple operating systems and browsers.
Browser-based exploits, by percentage, encountered in 1H09:
- CVE-2007-0071 (Adobe Flash Player): 17.5%
- Ourgame_GLIEDown2: 10.0%
- CVE-2009-0075/MS09-002 (Microsoft Internet Explorer): 7.9%
- CVE-2007-4816: BaoFeng_Storm2: 6.5%
- CVE-2007-5601 (RealNetworks RealPlayer): 4.9%
- GLChat_startNotify: 4.8%
- CVE-2006-0003/MS06-014 (Microsoft Data Access Components): 4.5%
- CVE-2007-5892: SSReader_pdg2: 4.3%
- CVE-2008-6442: Sina_Dloader: 3.9%
- CVE-2009-0927 (Adobe Reader): 3.2%
- CVE-2007-4105: Baidu_SobaSearchBar: 3.0%
- Other: 29.5%
Software Vulnerability Exploit Details - Browser-based exploits by system locale
The most common system locale was China (China), at 53.6% of all incidents. The second most common was United States (English), at 27.5%.
Browser-based exploits, by system locale, encountered in 1H08:
- China (zh-CN): 53.6%
- United States (en-US): 27.5%
- Japan (ja-JP): 2.6%
- Russia (ru-RU): 1.9%
- Korea (ko-KR): 1.3%
- Other: 13.2%
Software Vulnerability Exploit Details - Browser-based exploits by operating system and software vendor
On Windows XP-based machines, Microsoft vulnerabilities account for 56.4% of the exploits. On Windows Vista-based machines, Microsoft vulnerabilities account for only 15.5% of the exploits.
Browser-based exploits targeting Microsoft and third-party software on computers running Windows XP and Windows Vista in 1H09:
- Windows XP machines: Microsoft 56.4%, 3rd party 43.6%
- Windows Vista machines: Microsoft 15.5%, 3rd party 84.5%
Document File Format Exploits - Microsoft Office Format Exploits
Data from submissions of malicious code to Microsoft. One vulnerability was the target of 71.0% of all attacks.
Microsoft Office file format exploits, by percentage, encountered in 1H09:
- CVE-2006-2492: MS06-027: 71.0%
- CVE-2008-0081: MS08-014: 13.0%
- CVE-2009-0238: MS09-009: 7.5%
- CVE-2006-0022: MS06-028: 3.4%
- CVE-2009-0556: MS09-017: 2.0%
- CVE-2007-0671: MS07-015: 1.5%
- Others: 1.5%
Document File Format Exploits - Malware dropped by Microsoft Office document exploit attacks
Types of malware dropped during Microsoft Office exploit attacks:
- Trojan Downloaders & Droppers: 55.0%
- Backdoors: 34.2%
- Worms: 6.3%
- Misc. Potentially Unwanted Software: 2.8%
- Password Stealers & Monitoring Tools: 1.2%
- Exploits: 0.5%
- Viruses: 0.1%
Nearly 90% of exploits involved a trojan or backdoor. These threats allow access to install more malware.
Security Breach Trends
www.microsoft.com/sir
Security Breach Trends - Study details
Hacking and viruses were less than 25 percent of all notifications in 1H09. Most breaches resulted from stolen, lost or improperly disposed of equipment.
[Figure: Security breach incidents, by incident type, 2H07-1H09; incident types: Missing, Virus, E-mail, Postal Mail, Lost, Accidental Web, Fraud, Hack, Disposal, Stolen; y-axis: incidents, 0-350]
Software Vulnerability Disclosure Trends
www.microsoft.com/sir
Security Vulnerability Disclosures - Operating system, Browser and Application Disclosures, Industry Wide
Application vulnerabilities down sharply in 1H09. OS and browser vulnerabilities relatively stable.
[Figure: Operating system, browser & application vulnerabilities as a percentage of all disclosures, 1H04-1H09; series: Operating System Vulnerabilities, Browser Vulnerabilities, Application Vulnerabilities; y-axis 0-3,500]
Security Vulnerability Disclosures - Microsoft vulnerability disclosures
Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Figure: Vulnerability disclosures for Microsoft and non-Microsoft products, 1H04-1H09; series: Non-Microsoft, Microsoft]
Microsoft Vulnerability Exploit Details - Responsible Disclosure Rates
Responsible disclosure rates rose to a high of 79.5%.
[Figure: Responsible disclosures as a percentage of all disclosures involving Microsoft software, 1H05-1H09; series: Other, Responsible Disclosure, Vulnerability Broker Cases, Full Disclosure]
Microsoft Vulnerability Exploit Details - Security Bulletins
In 1H09 Microsoft released 27 bulletins addressing 87 individual CVE-identified vulnerabilities.
[Figure: Security bulletins released and CVEs addressed by half-year, 1H05-1H09; series: Unique CVEs, Security Bulletins; y-axis 0-100]
Microsoft Vulnerability Exploit Details - Exploitability Index
The Exploitability Index has helped IT professionals prioritize deployment of security updates.
[Figure: CVEs with exploits discovered within 30 days, by Exploitability Index rating (Rating 1, Rating 2, Rating 3), in 1H09; series: Exploited, Not Exploited; y-axis 0-45]
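The two uses of the index that this slide describes, ranking bulletins for deployment and checking the rating against what was actually exploited within 30 days, can be scripted over a bulletin list. The following is an added example, not code from the SIR or from Microsoft; the CVE ids, bulletin ids, severities and outcomes are constructed sample data, and the rating meanings in the comments follow the index as Microsoft published it (1 = consistent exploit code likely, 2 = inconsistent exploit code likely, 3 = functioning exploit code unlikely).

```python
"""Prioritize security updates by Exploitability Index rating and tally
how often each rating was followed by an exploit within 30 days.

Added example, not from the SIR deck. All CVE/bulletin ids, severities and
outcomes below are constructed sample data (hypothetical MSxx-nnn ids).
"""
from dataclasses import dataclass

# Severity order used for tie-breaking inside an exploitability rating.
SEVERITY_ORDER = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}


@dataclass(frozen=True)
class Vuln:
    cve: str
    bulletin: str
    severity: str
    exploitability: int            # 1 = consistent exploit code likely,
                                   # 2 = inconsistent exploit code likely,
                                   # 3 = functioning exploit code unlikely
    exploited_within_30_days: bool # what was observed after release


# Constructed sample data (not real 1H09 bulletins).
SAMPLE = [
    Vuln("CVE-0000-0001", "MSxx-001", "Critical", 1, True),
    Vuln("CVE-0000-0002", "MSxx-001", "Important", 2, False),
    Vuln("CVE-0000-0003", "MSxx-002", "Critical", 3, False),
    Vuln("CVE-0000-0004", "MSxx-003", "Important", 1, False),
    Vuln("CVE-0000-0005", "MSxx-004", "Moderate", 2, True),
    Vuln("CVE-0000-0006", "MSxx-005", "Critical", 1, True),
    Vuln("CVE-0000-0007", "MSxx-006", "Low", 3, False),
    Vuln("CVE-0000-0008", "MSxx-007", "Important", 3, True),
]


def deployment_order(vulns):
    """Order bulletins for deployment: lowest exploitability rating first,
    then highest severity, then bulletin id for a stable result.
    A bulletin inherits the worst rating and severity among its CVEs."""
    per_bulletin = {}
    for v in vulns:
        key = (v.exploitability, SEVERITY_ORDER[v.severity])
        current = per_bulletin.get(v.bulletin)
        if current is None or key < current:
            per_bulletin[v.bulletin] = key
    return sorted(per_bulletin, key=lambda b: (per_bulletin[b], b))


def exploited_by_rating(vulns):
    """Tally {rating: (exploited, not_exploited)}, the shape of the chart
    on this slide."""
    tally = {1: [0, 0], 2: [0, 0], 3: [0, 0]}
    for v in vulns:
        tally[v.exploitability][0 if v.exploited_within_30_days else 1] += 1
    return {r: tuple(c) for r, c in tally.items()}


def rating_misses(vulns):
    """CVEs where the rating pointed the wrong way: rated 3 ('unlikely')
    but exploited within 30 days. These are the ones that would have been
    deployed late by a rating-driven schedule, so they deserve review."""
    return [v.cve for v in vulns
            if v.exploitability == 3 and v.exploited_within_30_days]


if __name__ == "__main__":
    print("Deployment order:", deployment_order(SAMPLE))
    print("Exploited / not exploited per rating:", exploited_by_rating(SAMPLE))
    print("Rated 3 but exploited:", rating_misses(SAMPLE))
```

The ordering puts every rating-1 bulletin ahead of every rating-2 bulletin regardless of severity, which matches how the slide describes the index being used; an organisation that prefers severity first would simply swap the two elements of the sort key.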
Microsoft Vulnerability Exploit Details - Mitigations and workarounds in security bulletins
Workaround and mitigation status for 1H09 security bulletins:
- Workarounds available for all vulnerabilities: 48.1%
- Workarounds available for some vulnerabilities: 22.2%
- No workarounds, some mitigations: 25.9%
- No workarounds or mitigations: 3.7%
Microsoft gives workaround, mitigation or attack surface reduction advice where possible.
Update Service Usage Over Time - Microsoft Update and Windows Update
[Figure: Usage of Windows Update & Microsoft Update indexed to 2H05 total usage, 2H05-1H09; series: Microsoft Update, Windows Update only; y-axis 0%-250%]
Adoption of Microsoft Update has risen significantly. Microsoft Update provides a more comprehensive solution than Windows Update alone.
Update Service Usage Impact - The role of automatic updating
[Figure: Daily Windows error reports caused by Win32/Renos on Windows Vista computers; y-axis 0-1,400,000]
A Windows Defender signature issued via Microsoft Update had a significant and dramatic impact on Win32/Renos trojan infections.
Update Service Usage - Regional variations in update service usage
[Figure: Update service usage and software piracy rates for seven locations worldwide (United States, Japan, United Kingdom, Germany, France, Brazil, China), relative to the United States; series: Update Service Usage, Software Piracy Rate; y-axis 0%-400%]
Usage of Microsoft updates varies worldwide. Variations are due to a variety of factors including broadband Internet connectivity, software piracy and the percentage of computers in enterprise environments.
Microsoft Update Services - Myths and facts (read this when you download the SIR!)
Myth: Anti-piracy updates are forcibly installed by Microsoft if users install updates through Windows Update and Automatic Updates.
Fact: Users can, through the Windows Update or Automatic Updates control panels, choose how updates are downloaded and installed. Use of the Windows Update and Microsoft Update Web sites (Windows XP and Windows Server 2003) is gated to require Genuine validation, but there is no restriction on the use of Automatic Updates on the local computer.
Myth: Microsoft does not offer security updates to pirated systems.
Fact: Microsoft offers all security updates for Windows and all other Microsoft products. They also allow all computers to install the latest service packs, update rollups, critical reliability updates, compatibility updates, and most software upgrades.
Myth: Microsoft update services scan computers for pirated software and relay personally identifiable information (PII) back to Microsoft for use in criminal prosecutions.
Fact: Microsoft's update services do not collect and forward personally identifiable information back to Microsoft for use in criminal prosecutions. To help mitigate privacy concerns, Microsoft has obtained and continues to renew third-party privacy certification for each version of the Windows update client. For more information about how privacy is protected through Windows Update, refer to the Windows Update privacy statement. For more information on how privacy is protected through genuine software updates, refer to the Microsoft Genuine Advantage Privacy Statement.
Myth: Microsoft update services will cause non-genuine computers to crash more often or experience performance problems. Functionality of Windows is reduced on non-genuine computers.
Fact: The functionality, reliability, or performance of non-genuine Windows-based computers is not degraded. The following things will occur for a non-genuine computer:
- The desktop background will be changed to the color black.
- The user will be periodically notified that the computer is non-genuine.
- The user may not be offered new software or less-critical (value added) updates that are offered to Genuine Windows-based computers.
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after
the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Question & answer: www.microsoft.com/sir
Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: Resources for IT Professionals
- http://microsoft.com/msdn: Resources for Developers
- www.microsoft.com/learning: Microsoft Certification & Training Resources
Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!