Microsoft Security Intelligence Report
Tim Rains
Group Product Manager
Microsoft
Session Code: SIA206
Security Intelligence Report volume 6 (July-December 2008)
The report addresses data and trends observed over the past several years, but focuses on the second half of 2008 (2H08). Major sections cover:
The Threat Ecosystem
Software Vulnerability Disclosures
Software Vulnerability Exploits
Browser-Based and Document Format Exploits
Security and Privacy Breaches
Malicious Software and Potentially Unwanted Software
Email, Spam, Phishing and Drive-By Download Threats
Special Focus on Rogue Security Software
Country/region Specific Data for 12 Locations Worldwide
The report builds on five previous editions of the SIR.
Security Intelligence Report volume 6 (July-December 2008): Data Sources
Software Vulnerability Disclosures
Common Vulnerabilities and Exposures Web site: http://cve.mitre.org and http://www.first.org/cvss
National Vulnerability Database (NVD) Web site: http://nvd.nist.gov/
Security Web sites
Vendor Web sites and support sites
Security Breach Notifications: http://datalossdb.org
Software Exploits
Variety of public sources, including exploit archives, antivirus alerts, mailing lists and security-related Web sites
Customer support incidents and reports submitted to Microsoft
Customer submissions of malicious software to the Microsoft Malware Protection Center
Microsoft Security Bulletins: http://www.microsoft.com/technet/security
Malicious Software and Potentially Unwanted Software
Data from several hundred million computers worldwide
Some of the busiest services on the Internet (e.g. Hotmail)
During 2H08 MSRT executed 2.2 billion times
Since January 2005 total MSRT executions surpass 15 billion
Microsoft anti-malware products contributing data. Columns of the original table: Product Name; Main Customer Segment (Consumers, Business); Malicious Software (Scan and Remove, Real-time Protection); Spyware and Potentially Unwanted Software (Scan and Remove, Real-time Protection); Available at No Additional Charge; Main Distribution Methods. The ● marks are given as extracted.
Windows Malicious Software Removal Tool | ● | Prevalent Malware Families | ● | WU/AU, Download Center
Windows Defender | ● ● ● ● | Download Center, Windows Vista
Windows Live OneCare safety scanner | ● ● ● ● | Web
Windows Live OneCare | ● ● ● ● ● | Web/Store Purchase
Microsoft Forefront Online Security for Exchange | ● ● ● | Web
Forefront Client Security | ● ● ● ● ● | Volume Licensing
Also data from Windows Live Search and the Microsoft Windows Safety Platform
Software Vulnerability Disclosure Trends
Industry-Wide Software Vulnerability Disclosures, by half-year
Disclosures in 2H08 were down 3% from 1H08.
Disclosures for all of 2008 were down 12% from 2007.
[Chart: Industry-wide vulnerability disclosures by half-year, 2H03-2H08]
Software Vulnerability Disclosures: Severity of vulnerabilities (CVSS v2)
Disclosure of high-severity vulnerabilities was 3.8% higher than in 1H08.
The highest severity rating accounts for 7.8% of all disclosures.
Industry-wide vulnerability disclosures by severity, 2H08:
Low (0-3.9) | 3.6%
Medium (4-6.9) | 43.8%
High (7-9.8) | 44.8%
High (9.9+) | 7.8%
[Chart: Industry-wide vulnerability disclosures by severity by half-year, 2H03-2H08; series: Low, Medium, High]
Software Vulnerability Disclosures: Access complexity, industry-wide
The majority of disclosures are Low Complexity.
[Chart: Industry-wide vulnerability disclosures by access complexity, 2H03-2H08; series: High Complexity, Medium Complexity, Low Complexity]
Security Vulnerability Disclosures: Operating system, browser and application disclosures, industry-wide
Operating system vulnerabilities: 8.8% of the total
Browser vulnerabilities: 4.5% of the total
Other vulnerabilities: 86.7% of the total
[Chart: Industry-wide operating system, browser, and other vulnerabilities, 2H03-2H08; series: Operating System Vulnerabilities, Browser Vulnerabilities, Other]
Security Vulnerability Disclosures: Microsoft vulnerability disclosures
Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Chart: Vulnerability disclosures for Microsoft products, 2H03-2H08]
[Chart: Vulnerability disclosures for Microsoft products, by year, 2004-2008]
[Chart: Vulnerability disclosures for Microsoft and non-Microsoft products, 2H03-2H08; series: Microsoft, Non-Microsoft]
[Chart: Microsoft vulnerability disclosures as a percentage of all industry disclosures, by half-year 2H03-2H08 and by year 2004-2008]
Security Vulnerability Disclosures: Responsible disclosure rates
[Chart: Responsible vulnerability disclosures as a percentage of all disclosures involving Microsoft software, 1H05-2H08]
Security Vulnerability Disclosures: Security bulletins
[Chart: Security bulletins released and CVEs addressed by half-year, 1H05-2H08; series: Unique CVEs, Bulletins]
Microsoft consolidates multiple vulnerabilities into individual security bulletins to minimize update events.
Software Vulnerability Exploit Trends
Microsoft Vulnerability Exploit Details: Browser-based exploits
Data taken from user-reported incidents, submissions of malicious code, and Windows error reports.
Data from multiple operating systems and browsers.
Browser-based exploits, by percentage, encountered in 2H08:
CVE_2007_0071_Adobe_Flash_Dowd | 10.3%
CVE_2008_1309_RealPlayer_rmoc3260_Console | 8.0%
ourgame_GLIEDown2_IEStartNative | 7.8%
MSRC_6206_MS06_014_MDAC_RDS | 7.5%
CVE_2007_5601_RealPlayer_IERPCtl | 6.0%
Sina_Downloader_DLoader_DownloadAndInstall | 4.9%
CVE_2007_5892_SSReader_pdg2_Register | 4.7%
CVE_2007_4816_BaoFengStorm_rawParse | 4.6%
CVE_2007_5064_Xunlei_Webthunder_DownURL2 | 3.9%
SSReader_pdg2_LoadPage | 3.0%
CVE_2007_0015_Apple_Quicktime_RTSP | 2.9%
Other | 36.4%
Microsoft Vulnerability Exploit Details: Browser-based exploits by system locale
The most common system locale was U.S. English at 32.4% of all incidents.
The second most common was Chinese at 25.6%.
Browser-based exploits, by system locale of victim, encountered in 2H08:
English (US) | 32.4%
Chinese (China) | 25.6%
Russian (Russia) | 7.9%
French (France) | 2.0%
Italian (Italy) | 1.9%
German (Germany) | 1.9%
Korean (Korea) | 1.8%
English (UK) | 1.6%
Spanish (Spain) | 1.5%
Other | 23.4%
Microsoft Vulnerability Exploit Details: Browser-based exploits by operating system and software vendor
On Windows XP-based machines, Microsoft vulnerabilities accounted for 40.9% of the exploits.
On Windows Vista-based machines, Microsoft vulnerabilities accounted for only 5.5% of the exploits.
Browser-based exploits targeting Microsoft and third-party software on computers running Windows XP, 2H08:
Microsoft | 40.9%
3rd Party | 59.1%
Browser-based exploits targeting Microsoft and third-party software on computers running Windows Vista, 2H08:
Microsoft | 5.5%
3rd Party | 94.5%
Microsoft Vulnerability Exploit Details: Top 10 browser-based exploits on Windows XP-based machines
The 10 browser-based vulnerabilities exploited most often on computers running Windows XP, 2H08 (chart series: Microsoft Vulnerabilities, Third-Party Vulnerabilities; per-item percentages not recoverable from the chart, axis 0%-10%):
MSRC_6206_MS06_014_MDAC_RDS
CVE_2008_1309_RealPlayer_rmoc3260_Console
CVE_2007_5892_SSReader_pdg2_Register
MSRC_6726_MS06_057_WebViewFolderIcon
MSRC_5651_MS05_014_createControlRange
MSRC_6999_MS06_071_MSXML_setRequestHeader
ourgame_GLIEDown2_IEStartNative
CANDIDATE_MSRC_8759_MSHTML_CXfer_TransferFromSrc
CVE_2007_0015_Apple_Quicktime_RTSP
MSRC_6779_MS06_055_VML
Microsoft Vulnerability Exploit Details: Top 10 browser-based exploits on Windows Vista-based machines
On Windows Vista-based machines, Microsoft software accounted for none of the top 10 vulnerabilities.
The 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, 2H08 (chart series: Third-Party Vulnerabilities; per-item percentages not recoverable from the chart, axis 0%-20%):
CVE_2007_0071_Adobe_Flash_Dowd
ourgame_GLIEDown2_IEStartNative
CVE_2008_1309_RealPlayer_rmoc3260_Console
CVE_2007_5601_RealPlayer_IERPCtl
CVE_2007_4816_BaoFengStorm_rawParse
CVE_2007_5892_SSReader_pdg2_Register
CVE_2007_5064_Xunlei_Webthunder_DownURL2
SSReader_pdg2_LoadPage
CVE_2007_0015_Apple_Quicktime_RTSP
CVE_2007_5659_AdobeAcrobat_collectEmailInfo
Security Breach Trends
Security Breach Trends: Study details
Study of publicly reported security breaches worldwide.
Hacking and viruses accounted for less than 20% of all notifications in 2H08.
50% of breaches in 2H08 resulted from stolen equipment.
[Chart: Security breach incidents by type, expressed as percentages of the total, 2H07-2H08; categories: Stolen equipment, "Hack", Lost equipment, Accidental web, Fraud, Snail mail, Disposal, Malware, Missing; series: 2H07, 1H08, 2H08]
Malicious and Potentially Unwanted Software
Malicious and Potentially Unwanted Software: Operating system trends
The infection rate of Windows Vista SP1 was 60.6% less than that of Windows XP SP3.
Windows Vista with no service pack was 89.1% less than Windows XP with no service pack installed.
Number of computers cleaned per 1,000 MSRT executions, by operating system, 2H08:
Windows XP RTM | 33.6
Windows XP SP1 | 25.2
Windows XP SP2 | 12.9
Windows XP SP3 | 6.5
Windows Vista RTM | 3.7
Windows Vista SP1 | 2.6
Windows Vista RTM (64-bit) | 3.0
Windows Vista SP1 (64-bit) | 2.5
Windows 2000 SP4 | 3.8
Windows Server 2003 SP2 | 2.7
Windows Server 2008 RTM | 1.3
Windows Server 2008 RTM (64-bit) | 0.6
Malicious and Potentially Unwanted Software: The Threat Landscape at Home and in the Enterprise
[Chart: Family categories detected by Windows Live OneCare and Forefront Client Security, by percentage of the total number of infected computers cleaned by each program, in 2H08; categories: Misc. Trojans, Trojan Downloaders & Droppers, Misc. Potentially Unwanted Software, Adware, Worms, Password Stealers & Monitoring Tools, Backdoors, Malware, Exploits, Spyware; series: Windows Live OneCare, Forefront Client Security]
Infection patterns mirror usage patterns.
Worms are more prevalent in enterprise environments.
Trojans are more prevalent in home environments.
Malicious and Potentially Unwanted Software: Category trends
[Chart: Computers cleaned by threat category, in percentages, 2H06-2H08; categories: Misc. Trojans, Trojan Downloaders & Droppers, Misc. Potentially Unwanted Software, Adware, Worms, Password Stealers & Monitoring Tools, Backdoors, Malware, Exploits, Spyware]
Circular markers denote malicious software, square markers denote potentially unwanted software.
Malicious and Potentially Unwanted Software: Family trends in 2H08, all Microsoft anti-malware desktop products worldwide
Rank | Family | Most Significant Category | Infected Computers
1 | Win32/Renos | Trojan Downloaders & Droppers | 4,371,508
2 | Win32/Zlob | Trojan Downloaders & Droppers | 3,772,217
3 | Win32/Vundo | Miscellaneous Trojans | 3,635,207
4 | Win32/ZangoSearchAssistant | Adware | 3,326,275
5 | Win32/Taterf | Worms | 1,916,446
6 | Win32/ZangoShoppingreports | Adware | 1,752,252
7 | Win32/FakeXPA | Miscellaneous Trojans | 1,691,393
8 | Win32/FakeSecSen | Miscellaneous Trojans | 1,575,648
9 | Win32/Hotbar | Adware | 1,477,886
10 | Win32/Agent | Miscellaneous Trojans | 1,289,178
11 | ASX/Wimad | Trojan Downloaders & Droppers | 1,168,724
12 | Win32/BaiduSobar | Misc. Potentially Unwanted Software | 1,131,180
13 | Win32/Frethog | Password Stealers & Monitoring Tools | 1,037,451
14 | Win32/Antivirus2008 | Misc. Potentially Unwanted Software | 1,034,897
15 | Win32/Playmp3z | Adware | 996,272
Italics in the original table indicate rogue security software-related families.
Malicious and Potentially Unwanted Software: Global infection counts
The 25 locations with the most computers cleaned by Microsoft anti-malware desktop products in 2H08:
Country/Region | Computers Cleaned in 2H08
United States | 13,245,712
China | 3,558,033
United Kingdom | 2,225,016
France | 1,815,639
Brazil | 1,654,298
Spain | 1,544,623
Korea | 1,368,857
Germany | 1,209,461
Italy | 978,870
Canada | 916,263
Mexico | 915,605
Turkey | 768,939
Netherlands | 641,053
Russia | 604,598
Taiwan | 466,929
Australia | 464,707
Japan | 417,269
Poland | 409,532
Portugal | 337,313
Sweden | 287,528
Belgium | 267,401
Denmark | 224,021
Norway | 203,952
Colombia | 164,986
Switzerland | 163,156
Malicious and Potentially Unwanted Software: Infection rates by country/region in 2H08
[Map: infection rates by country/region, 2H08]
Malicious and Potentially Unwanted Software: Normalized infection rates by country/region (MSRT)
Locations with the highest infection rates by CCM, 2H08:
Country/Region | 2H08 average CCM (computers cleaned per 1,000 executions of MSRT)
Serbia, Montenegro | 77.0
Russia | 21.1
Brazil | 20.9
Turkey | 20.5
Spain | 19.2
Saudi Arabia | 18.5
Korea | 18.3
Egypt | 16.5
Mexico | 15.9
Guatemala | 13.9
Locations with the lowest infection rates by CCM, 2H08:
Country/Region | 2H08 average CCM (computers cleaned per 1,000 executions of MSRT)
Vietnam | 1.3
Philippines | 1.4
Macao S.A.R. | 1.5
Japan | 1.7
Morocco | 2.1
Pakistan | 2.2
Austria | 2.3
Luxembourg | 2.5
Algeria | 2.6
Finland | 2.6
South Africa's infection rate (CCM) on the heat map was 6.6 in 2H08, i.e. 6.6 systems infected for every 1,000 systems MSRT executed on.
This is noticeably lower than the worldwide average of 8.6.
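The CCM normalization behind the two tables above and the South Africa figure, as an added Python example (not code from the report; the per-location execution and cleaning counts are constructed and are not the report's data). It shows why a location can lead the raw cleaned-computer counts yet sit well below the worldwide CCM, and why the worldwide figure is a pooled rate rather than a mean of per-location CCMs.

```python
"""CCM: computers cleaned per 1,000 MSRT executions (added example, not report code)."""
from dataclasses import dataclass

CCM_PER = 1000  # CCM is expressed per 1,000 MSRT executions


@dataclass(frozen=True)
class LocationStats:
    location: str
    msrt_executions: int    # times MSRT ran in the location during the period
    computers_cleaned: int  # distinct computers MSRT cleaned there


def ccm(stats: LocationStats) -> float:
    """Infection rate normalized by how often MSRT actually ran in the location."""
    if stats.msrt_executions <= 0:
        raise ValueError(f"{stats.location}: no MSRT executions recorded")
    return round(stats.computers_cleaned / stats.msrt_executions * CCM_PER, 1)


def worldwide_ccm(rows):
    """Pooled rate: total cleaned over total executions.
    A plain mean of per-location CCM values would weight a small location
    the same as a large one and overstate the worldwide rate."""
    total_exec = sum(r.msrt_executions for r in rows)
    total_clean = sum(r.computers_cleaned for r in rows)
    return round(total_clean / total_exec * CCM_PER, 1)


def rank_by_raw_count(rows):
    """Ordering the 'computers cleaned' table uses: dominated by install base."""
    return [r.location for r in sorted(rows, key=lambda r: r.computers_cleaned, reverse=True)]


def rank_by_ccm(rows):
    """Ordering the normalized CCM tables use."""
    return [r.location for r in sorted(rows, key=ccm, reverse=True)]


def above_average(rows):
    """Locations whose CCM exceeds the pooled worldwide CCM (heat-map style comparison)."""
    avg = worldwide_ccm(rows)
    return [r.location for r in rows if ccm(r) > avg]


# Constructed sample: "Large" has the most cleaned machines only because MSRT ran
# there far more often; "Small" cleans few machines but at a high rate.
SAMPLE = [
    LocationStats("Large", 200_000_000, 1_300_000),
    LocationStats("Medium", 40_000_000, 800_000),
    LocationStats("Small", 2_000_000, 150_000),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.location:7} cleaned={r.computers_cleaned:>9,}  CCM={ccm(r):5.1f}")
    print("worldwide CCM:", worldwide_ccm(SAMPLE))
    print("by raw count :", rank_by_raw_count(SAMPLE))
    print("by CCM       :", rank_by_ccm(SAMPLE))
```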
Malicious and Potentially Unwanted Software: Geographic trends by location
There are significant differences in threat patterns worldwide.
[Chart: Threat categories worldwide and in the eight locations with the most infected computers, by incidence among all computers cleaned by Microsoft desktop anti-malware products, 2H08; locations: WW, United States, China, United Kingdom, France, Brazil, Spain, Korea, Germany; categories: Misc. Trojans, Trojan Downloaders & Droppers, Misc. Potentially Unwanted Software, Adware, Worms, Password Stealers & Monitoring Tools, Backdoors, Malware, Exploits, Spyware]
Top Threats in South Africa: Disinfected threats by category in 2H08
Category | Infected Computers | Trend from 1H08 | Share of total
Worms | 24,318 | +317.8% | 25.0%
Miscellaneous Trojans | 17,773 | +130.4% | 18.3%
Trojan Downloaders and Droppers | 15,103 | +39.8% | 15.5%
Miscellaneous Potentially Unwanted Software | 14,727 | -13.4% | 15.1%
Adware | 9,715 | -18.3% | 10.0%
Backdoors | 5,815 | +122.7% | 6.0%
Password Stealers and Monitoring Tools | 5,674 | +356.5% | 5.8%
Viruses | 3,069 | +228.6% | 3.2%
Spyware | 608 | -29.3% | 0.6%
Exploits | 534 | +111.1% | 0.5%
TOTAL | | +64.6% |
Top 10 Families in South Africa, 2H08 (data from all Microsoft security products)
Rank | Family | Category | Infected Computers | Trend
1 | Win32/Taterf | Worm | 11,940 | +579.2%
2 | Win32/Zlob | Trojan Downloaders & Droppers | 9,037 | -5.9%
3 | Win32/Renos | Trojan Downloaders & Droppers | 6,753 | +262.3%
4 | Win32/Rjump | Worm | 5,404 | +228.1%
5 | Win32/Vundo | Miscellaneous Trojans | 4,517 | +80.0%
6 | Win32/ZangoSearchAssistant | Adware | 3,663 | +20.4%
7 | Win32/Frethog | Password Stealers & Monitoring Tools | 2,722 | NEW
8 | Win32/FakeSecSen | Miscellaneous Trojans | 2,692 | NEW
9 | Win32/Hamweq | Worm | 2,425 | NEW
10 | Win32/SeekmoSearchAssistant | Adware | 2,409 | -8.4%
Top Threats in South Africa: Prevalent families
Win32/Taterf is significantly more prevalent in South Africa.
Win32/Taterf is #1 in South Africa and #5 worldwide: a family of worms that spread via mapped drives to steal login and account details for popular online games.
Win32/Rjump and Win32/Frethog are significantly more prevalent in South Africa.
Win32/Rjump is #4 in South Africa and #22 worldwide: a worm that spreads via newly attached media.
Win32/Frethog is #7 in South Africa and #13 worldwide: a password stealer targeting login and account details for popular online games.
Top Threats in South Africa: Prevalent families, summary
Of the top families:
8 of the top 10 are malware.
20 of the top 25 families are malware.
Only 2 of the top 10 are potentially unwanted software, such as adware.
The top 25 families accounted for 91.0% of the total infected machines in South Africa.
Spam, Phishing, Drive-bys
E-Mail Threats: Spam trends and statistics
Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, during the last six weeks of 2H08:
Pharmacy - non sexual | 38.6%
Non-pharmacy product ads | 23.6%
Pharmacy - sexual | 10.0%
Image only | 7.3%
Dating/Sexually Explicit Material | 5.2%
Financial | 3.1%
Fraudulent Diplomas | 2.8%
419 Scam | 1.9%
Malware | 1.8%
Get Rich Quick | 1.7%
Phishing | 1.6%
Gambling | 1.1%
Stock | 0.6%
Software | 0.5%
[Chart: Inbound messages blocked by Forefront Online Security for Exchange content filters, by category, 1H08-2H08; series: 1H08, 2H08]
Product advertising dominated spam volumes.
Spam promoting stocks declined sharply.
Malicious Site Analysis: Phishing sites by country/region, by percentage of all phishing sites worldwide in 2H08
[Map]
Malicious Site Analysis: Phishing sites in the United States, by percentage of all phishing sites nationwide in 2H08
[Map]
Malicious Site Analysis: Malware hosting sites by country/region, by percentage of all malware hosting sites worldwide in 2H08
[Map]
Analysis of Drive-By Download Pages: Example of a drive-by download attack
Analysis of Drive-By Download Pages: Geographic distribution of drive-by download pages
[Map]
www.microsoft.com/teched
Sessions On-Demand & Community
http://microsoft.com/technet
Resources for IT Professionals
http://microsoft.com/msdn
Resources for Developers
www.microsoft.com/learning
Microsoft Certification & Training Resources
Resources
Related Content
End to End Trust (SIA101)
Security Management and Protection: What's in Microsoft Forefront Client Security Version 2 (SIA203)
Targeting SPAM with Forefront (SIA204)
Deploying Windows 7 BitLocker in the Enterprise (WCL308)
Next Generation Messaging and Collaboration Protection Drilldown (SIA301)
Windows Internet Explorer 8 Security, Inside and Out (WCL305)
12 Tips to Secure Your Windows Systems, Revisited: How Windows Vista, Windows Server 2008, and Windows 7 Change the Game (WSV301)
Overview of Microsoft Forefront Unified Access Gateway (SIA305)
Access and Protection: A Technical Preview and Deep Dive of the Next Generation of Microsoft ISA Server (SIA303)
Developing a Security Awareness Strategy (SIA202)
Cybercrime: A Journey to the Dark Side (SIA310)
Track Resources
www.microsoft.com/sir
www.microsoft.com/msrc
www.microsoft.com/mmpc
www.microsoft.com/msec
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.