
2H07 Microsoft Security Intelligence Report July through December 2007

An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the second half of 2007


Microsoft Security Intelligence Report

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2008 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, ActiveX, BizTalk, Internet Explorer, MSN, Windows Live OneCare, Forefront, Outlook, Hotmail, the Security Shield logo, Visual Studio, Windows, Windows Live, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


Authors

Tim Cranton, Internet Safety Enforcement Team
Vinny Gullotto, Microsoft Malware Protection Center
Jeff Jones, Trustworthy Computing
Ziv Mador, Microsoft Malware Protection Center
Scott Molenkamp, Microsoft Malware Protection Center
Mike Reavey, Microsoft Security Response Center
Adam Shostack, Security Engineering and Community
George Stathakopoulos, Microsoft Security Response Center
Jeff Williams, Microsoft Malware Protection Center
Scott Wu, Microsoft Malware Protection Center

Contributors

Daniel Bohm, Exchange Hosted Services (EHS)
Alexandru Carp, Microsoft Malware Protection Center
Doug Cavit, Trustworthy Computing
Marisela Cerda, Windows Live OneCare
Joe Faulhaber, Microsoft Malware Protection Center
Heather Goudey, Microsoft Malware Protection Center
Michael Grady, Trustworthy Computing
Satomi Hayakawa, Japan Security Response Center
Rob Hensing, Microsoft Security Technology Unit
Yuhui Huang, Microsoft Malware Protection Center
Aaron Hulett, Microsoft Malware Protection Center
Jeannette Jarvis, Customer Support Services
Jimmy Kuo, Microsoft Malware Protection Center
Ken Malcolmson, Trustworthy Computing
Mark Miller, Trustworthy Computing
Gina Narkunas, Microsoft Online Services Group
Aaron Putman, Microsoft Malware Protection Center
Tim Rains, Trustworthy Computing
Marc Seinfeld, Microsoft Malware Protection Center
Austin Wilson, Windows Client
Jaime Wong, Microsoft Malware Protection Center

Japan Security Response Team, Microsoft Japan
Microsoft Legal and Corporate Affairs

Non-Microsoft Contributors

David Kennedy
Paul Henry
John Schramm


Key Findings

This report provides the Microsoft® perspective on the security and privacy threat landscape over the six-month period from July through December 2007. As in previous editions, this report examines software vulnerabilities (both in Microsoft software and third-party software), software exploits (for which there is a related Microsoft Security Bulletin), malicious software, and potentially unwanted software. In addition, the report provides insight into the challenges posed by spam and phishing attacks, a detailed look at the Win32/Nuwar worm, and a focus on the Microsoft commitment to drive Internet safety enforcement. The lists below summarize the key points from each section of the report.

Software Vulnerabilities

• Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.

• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.

• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.

• Vulnerabilities requiring a Low level of complexity in order to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this number is relatively large, the number has declined significantly from earlier periods.

Software Vulnerability Exploits

• During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006, when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.

• Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.



• In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

Security Breach Notifications

• Several jurisdictions around the world now require that companies and other organizations publicly disclose security breaches that put personally identifiable information (PII) at risk. Analyzing these notifications offers insights into how and why such breaches occur.

• Exploits, malware, and hacking account for less than a quarter of security breach notifications. The majority of the breaches analyzed resulted from the absence or failure of proper information handling or physical security procedures.

Malicious and Potentially Unwanted Software

Malware Trends for 2H07

• The trends observed in the second half of 2007 are consistent with the observed shift of malware away from an amateur phenomenon to a tool used by professional criminals and criminal organizations to generate revenue.

• Trojan downloaders and droppers have grown to account for more infections than any other category of malware, due in large part to a small handful of very prevalent trojan downloader/dropper families.

• Many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user’s existing protection.

• Infection rates observed by the Microsoft Windows Malicious Software Removal Tool (MSRT) are significantly lower on Microsoft Windows® XP Service Pack 2 (SP2) and Windows Vista® compared to older operating systems.

• MSRT data shows that the infection rate for Windows Vista–based computers is 60.5 percent less than that of computers running Windows XP SP2, and 91.5 percent less than the infection rate for Windows XP with no service packs installed.

• Backdoor trojans now account for more than half of all instant messaging (IM) disinfections, with both worms and trojans showing significant increases.

Win32/Nuwar

• Win32/Nuwar, called the storm worm in some reports, is a family of trojans and associated components discovered in early 2007. By continually updating and adapting Win32/Nuwar in an effort to thwart detection and removal efforts, its authors have created a botnet that is estimated to have consisted of half a million infected systems worldwide.

• During the second half of 2007, the Win32/Nuwar authors continued to adapt their attacks technically, by updating and developing the binary components that make up the Nuwar family of malware, and socially, by tailoring their e-mailed pitches and finding new and different ways to leverage the botnet’s ability to send spam at their command. The second half of 2007 was a period of consistent permutation and adaptation.

E-Mail Threats

• Over 90 percent of all e-mail messages sent over the Internet today are spam. In addition to annoying the recipients and taxing the resources of e-mail providers, the flood of spam creates a potent vector for malware attacks and phishing attempts.

• As with malware, spam has evolved from a tool used by small operators to one typically used by larger, organized criminal groups to perpetuate scams and to sell fraudulent or dubious goods and services.

• As the senders of spam have changed, spam messages themselves have shifted away from selling legal products and services and toward the underground economy of illegal products and scams.

• Phishing remained a significant threat in 2H07, eroding people’s trust in the Internet and harming the reputations of the institutions victimized by phishing sites.

• The number of live phishing pages tracked by the Microsoft Phishing Filter remained roughly constant in 2H07, with new pages being discovered at approximately the same rate that older pages were going offline.

• Phishing is still predominantly an English-language phenomenon. Typically, 75–80 percent of the active phishing pages tracked by the Microsoft Phishing Filter at a given moment in 2H07 were English-language pages.

• Despite the increasingly sophisticated tricks employed by spammers, some of the simplest spam-fighting techniques, like IP blocking, SMTP connection analysis, and recipient validation, remain very effective.

• Users should be encouraged to use Web browsers with anti-phishing features, which display alerts when users attempt to visit known phishing sites.



Potentially Unwanted Software

• Worldwide disinfections of potentially unwanted software are comparable to those of malware. The top 15 potentially unwanted software families displayed a 114 percent increase over 1H07, owing in part to an increase in the number of users worldwide running one or more of the appropriate detection tools. Nine of the 15 families displayed increases of 100 percent or more, with five families increasing by more than 200 percent.

• When Windows Defender detects a malware or potentially unwanted software infection, it gives the user the choice of removing the software, quarantining it, ignoring the warning once, or ignoring the warning permanently. The range of decisions made indicates that users perceive different potentially unwanted software programs as providing different levels of value.

• Potentially unwanted software continues to target predominantly English-speaking markets, although other countries have also showed strong increases.

• The prevalence of rogue security software continues to increase, with many common families being delivered by trojan downloaders and other malware, as well as by conventional social engineering methods.

• When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with a large portion of the rest choosing to quarantine the software.

Internet Safety Enforcement

• As a component of the company’s security efforts, Microsoft has adopted a comprehensive, global approach to security and Internet safety enforcement. Microsoft believes that five fundamental pillars—technology, legislation, enforcement, education, and partnerships—are critical to promoting a safer online environment.

• Microsoft has filed nearly 250 legal actions worldwide against spammers, often working with law enforcement officials in the United States, Europe, the Asia-Pacific region, and South America.

• Microsoft is a member of the Anti-Spam Technical Alliance (ASTA), dedicated to developing technical standards and promoting collaboration among industry partners to curb the proliferation of spam. ASTA achievements include filing the first major lawsuits under the CAN-SPAM Act against hundreds of individuals connected with some of the world’s largest spamming operations.

• Microsoft was the first private-sector participant in the London Action Plan, a coalition of international agencies that supports global cooperation on network security, law enforcement, and improved consumer awareness to combat spam.


• Microsoft utilizes its technical expertise to combat phishing and online abuse. The development of the Microsoft Phishing Filter, Windows Live OneCare™, and use of e-mail authentication technologies are examples of how Microsoft remains focused on developing additional layers of defense against phishers.

• Microsoft actively addresses the threats posed by phishing through its Global Phishing Enforcement Initiative. This initiative contains three central components: proactive domain defense; worldwide investigations and referrals; and strong international partnerships.

• Microsoft sponsored and is currently an active participant in the International Botnet Task Force, which supplies education and tools to law enforcement efforts to combat botnets. As a direct result of the operation, the FBI has charged numerous individuals with cyber crimes.



About This Report

Scope

The Security Intelligence Report (SIR) is published by Microsoft twice per year. These reports focus on data and trends observed in the first and second halves of each calendar year. Past reports and related resources are available for download at http://www.microsoft.com/sir. We continue to focus on malware data, software vulnerability disclosure data, vulnerability exploit data, and related trends in this fourth installment of the Microsoft Security Intelligence Report. Highlights of this edition include new sections on privacy breaches and cybercrime law enforcement activities. In response to popular demand, we have also included a section addressing Win32/Nuwar (also known as the storm worm), a wide-ranging and sophisticated threat that has occupied the attention of security professionals over the past year. We hope that readers find the data, insights, and guidance provided in this report useful in helping them protect their networks and users.

Reporting Period

This Security Intelligence Report focuses on the second half of 2007 (2H07), though it also contains data and trends observed over the past several years. The nomenclature used throughout the report to refer to different reporting periods is nHYY, where nH refers to either the first (1) or second (2) half of the year, and YY denotes the year. For example, 1H07 represents the period covering the first half of 2007 (January 1 through June 30), while 2H05 represents the period covering the second half of 2005 (July 1 through December 31).

Data Sources

If you are interested in the products, services, tools, and Web sites used to provide the data for this report, please see the full listing in Appendix A of this report.


Table of Contents

Microsoft Security Intelligence Report  2
Authors  3
Non-Microsoft Contributors  3
Contributors  3

Key Findings  4
    Software Vulnerabilities  4
    Software Vulnerability Exploits  4
    Security Breach Notifications  5
    Malicious and Potentially Unwanted Software  5
    Internet Safety Enforcement  7

About This Report  9
    Scope  9
    Reporting Period  9
    Data Sources  9

Microsoft Security Response Center Executive Foreword  12

Software Vulnerabilities  13
    Section Highlights  13
    Strategy, Mitigations, and Countermeasures  13
    Software Vulnerability Trends for 2H07  14
    Vulnerability Disclosures by Year and Half-Year  14
    Vulnerability Disclosure by Month  17
    Severity Analysis  17
    Access Complexity Vulnerability Trends  24
    Summary and Conclusion  26

Software Vulnerability Exploits  27
    Section Highlights  27
    Strategy, Mitigations, and Countermeasures  27
    Survey Details  28
    Findings  29
    Software Vulnerability Exploit Trends; Exploit Details  (pages 29–32)
    Summary and Conclusion  32

Security Breach Notifications As a Lens into Security Failures  33
    Section Highlights  33
    Strategy, Mitigations, and Countermeasures  33
    Analysis  34

Malicious and Potentially Unwanted Software  37
    Section Highlights  37
    Strategy, Mitigations, and Countermeasures  37
    Malware Trends for 2H07  39
    Malware Infections by Category  42
    Malware Infections by Operating System  47
    Malware Families  50
    Malware Activity and Variants  54
    Geographic Distribution  57
    A Focus on Win32/Nuwar (the “storm worm”)  60
    A Focus on E-Mail Threats  66
    Potentially Unwanted Software  71
    Malicious and Potentially Unwanted Software Summary and Conclusion  83

Focus on Internet Safety Enforcement  84
    Stopping Spam; Fighting Phishing; Beating Botnets  (pages 84–88)

Microsoft Malware Protection Center Executive Afterword  90

Glossary  92

Appendix A: Data Sources  95
    Software Vulnerabilities  95
    Malicious Software and Potentially Unwanted Software  96

Appendix B: Exploit Counts by Microsoft Security Bulletin and CVE ID  100
    Exploits by Microsoft Security Bulletin  100
    Exploits by CVE ID  102


Microsoft Security Response Center Executive Foreword

In this latest version of Microsoft’s Security Intelligence Report, we finish the chapter on 2007 by sharing our intelligence and corresponding analysis on data that we have collected in the threat landscape during the last half of calendar year 2007. Our data continues to support the improvements that I believe we are making with the security of our products. Again, Windows Vista has shown significantly lower malware infection rates than previous versions of Microsoft Windows. This is yet one data point that helps to reinforce our belief that Windows Vista is our most secure operating system to date. Nevertheless, we also understand security is more than just Windows Vista and that the security ecosystem is far from complacency. We continue to see social engineering tactics that trick users as well as more targeted exploits. As such, we must continually carry the message that security is a journey and while we continue to make progress we are still very far from our destination.

After our last report, I made a concerted effort to speak with as many customers as possible to gather valuable feedback and from what I’ve heard, the Security Intelligence Report is well received and is seen as a valuable tool. However, I understand that many of you have an insatiable appetite for more data and more transparency from Microsoft. You want more intelligence that can help you better manage your risk for an overall safer computing experience. Accordingly, we try to add new, relevant and fresh content that will hopefully provide you with additional insight into how the threat environment is evolving. To start, this report includes more data on spam and phishing than in previous reports and we’ve added some information surrounding our work with Law Enforcement agencies that help put cyber criminals in jail. There is also a section on security breaches that discusses some research surrounding privacy issues. These topics help us to paint a broader picture that security and privacy are more than simply vulnerabilities, malware and exploits, especially since these account for less than a quarter of security breach notifications.

Naturally, we still look to you to share our journey by continually providing us with valuable feedback. What do you like about this report? What don’t you like? What else would you like to see in this report that can help you better understand the threat landscape and ultimately better defend your network? Your feedback is important and will help us shape this report so that we can deliver what is needed. I strongly encourage you to please email me your thoughts at sirfb@microsoft.com.

Thank you,

George Stathakopoulos
General Manager, Microsoft Product Security Center
Microsoft Security Response Center
Microsoft Corporation



Software Vulnerabilities

Section Highlights

• Vulnerability disclosures across the entire software industry decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.

• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006. The second half of 2007 also experienced a decline in the disclosure of vulnerabilities rated as High-severity; however, for the full year, High-severity disclosures continued to grow relative to previous years.

• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.

• Vulnerabilities requiring a Low level of complexity in order to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this number is relatively large, the number has declined significantly from earlier periods.

Strategy, Mitigations, and Countermeasures

• The Microsoft TechNet Security Center at http://www.microsoft.com/technet/security provides links to the latest security bulletins for Microsoft products, as well as other security resources, including the Microsoft Security Newsletter.

• Both security vendors and IT Professionals should adjust their risk management processes appropriately to ensure that operating systems and applications are protected. See the Security Risk Management Guide at http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx for tips and assistance.

• Organizations should participate in IT security communities to keep abreast of the wide range of potential security issues they may face.


Software Vulnerability Trends for 2H07

Vulnerabilities are weaknesses in software that allow an attacker to compromise the integrity, availability, or confidentiality of that software. Some of the worst vulnerabilities allow attackers to run their code on the compromised system. This section of the Microsoft Security Intelligence Report analyzes new vulnerabilities that were disclosed during the second half of 2007. It compares trending information for vulnerabilities starting in 2003, with particular focus on trends that may be emerging over the past few half-year periods. Note that, in this report, the term disclosure is used to mean broad and public disclosure, and not any sort of private disclosure or disclosure to a limited number of people. This section discusses software vulnerability disclosures for the software industry as a whole, not just for Microsoft products.

Vulnerability Disclosures by Year and Half-Year

In 1H07, reported vulnerabilities were on par with 2H06, departing from a trend of increasing vulnerability disclosures in every six-month period since 2H03. This trend was actually reversed in 2H07, with new vulnerability disclosures in 2H07 declining by more than 15 percent from the first half of the year to a total lower than that observed in any six-month period since 2H05.

Figure 1. Industry-wide vulnerability disclosures by half-year, 2003–2007 [chart: half-year periods 1H03 through 2H07 on the horizontal axis; vertical axis 0–3500]


This decrease represents a change from previous periods in at least three ways:

• It breaks the recent pattern of disclosure totals being higher in the second half of the year than in the first half.

• It breaks the pattern for second-half year-over-year disclosure growth.

• It represents a decrease not just from the previous half-year, but a lower total than any of the three previous half-year periods.

Overall, in calendar year 2007, vulnerability disclosures decreased by about 5 percent from 2006, as illustrated in Figure 2.

Figure 2. Industry-wide vulnerability disclosures by year, 2003–2007 [chart: years 2003 through 2007 on the horizontal axis; vertical axis 0–8000]

This break from the drastic growth of past years can likely be attributed to a number of factors, such as the following:

• The decrease could represent a general flattening of vulnerability discoveries.

• The disclosure increases observed in 2006 could have been an atypical spike, with the 2007 numbers more representative of the overall growth trend.

• As exploitation of vulnerabilities for monetary gain increases, discoverers may have a financial incentive to remain silent on new vulnerabilities.


A deeper analysis of each of these three possibilities suggests that the answer is not likely to be known for several more periods, if at all.

• If the disclosure increases observed in 2006 were anomalously high, future periods should display less-steep increases, returning to the growth rate observed in previous years. However, this would not explain the 2H07 decrease relative to 1H07, which had not happened previously.

• If the observed changes reflect a general flattening of vulnerability discoveries, future totals should remain relatively flat for some time. Even if this occurs, historical trends demonstrate that any flattening would most likely be a temporary reprieve before attackers and security researchers develop new techniques for finding vulnerabilities.

• In the past few years, the economic value of vulnerabilities has grown, providing potential attackers with more incentive to sell them privately rather than disclose them publicly. It is conceivable that a number of vulnerabilities were discovered in 2007 and not publicly disclosed because the finder chose to keep the information private, rather than share it with everyone. However, the magnitude of the decrease observed in 2H07 suggests that this explanation is unlikely to account for the entirety of the decrease. Historically, products contributing the most vulnerabilities each represent less than 1 percent of the total number of disclosed vulnerabilities in a given period. The 2H07 drop is therefore equivalent to a 100 percent drop in disclosures for the 15 most widespread and popular products across the software industry. It is extremely unlikely that all or most of this decrease is due to vulnerability discoverers withholding information, although the increasing financial value of vulnerabilities is probably having a small contributory effect that will delay knowledge of some vulnerabilities until someone attempts to leverage them for gain.

Regardless of these recent decreases and the reasons for them, the annual number of disclosures remains very high, with more than twice as many vulnerabilities disclosed in 2007 as were disclosed in 2004, just three years prior, so security professionals must remain vigilant.



Vulnerability Disclosure by Month

The general downward trend is also reflected in the monthly disclosure totals for 2H07, representing a fairly significant deviation from previous periods, as shown in Figure 3.

Figure 3. Industry-wide vulnerability disclosures by month, July–December 2007 [chart: months July through December on the horizontal axis; vertical axis 0–700; series: 2003-2007 and 2H07]

Vulnerability disclosures generally trended downward from July to December in 2007, in contrast to the generally upward trend observed over the last several years. December, in particular, is usually the top month in the year for new disclosures, for reasons that are not entirely clear. In 2007, however, it stands side by side with November as having the fewest disclosures of the year.

Severity Analysis

In general, large numbers of total disclosed vulnerabilities across the software industry indicate significant challenges for IT administrators who have deployed the affected products. Not all vulnerabilities are equal, however, and an analysis of vulnerability severity can help IT Professionals understand and prioritize the nature and severity of the threats they face from new disclosures.


Database CVSS Severity Rating Changes in 2007

Traditionally, the Microsoft Security Intelligence Report has used the National Institute of Standards and Technology (NIST) National Vulnerability Database [1] (NVD) severity ratings for severity analysis, which are derived from the Common Vulnerability Scoring System (CVSS). The CVSS is a standardized, platform-independent scoring system that assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. The NVD additionally assigns each vulnerability a severity ranking of Low, Medium, or High, according to its numeric CVSS score:

• Vulnerabilities are labeled Low-severity if they have a CVSS base score of 0.0–3.9 (out of 10).

• Vulnerabilities are labeled Medium-severity if they have a base CVSS score of 4.0–6.9.

• Vulnerabilities are labeled High-severity if they have a CVSS base score of 7.0–10.0.

Until June 2007, the underlying CVSS score was calculated using the CVSSv1 (version 1) formula. [2] That month, the NVD released CVSSv2 (version 2), an updated version of the CVSS formula intended to increase the accuracy, consistency, and applicability of the scoring system. The NVD subsequently switched to using the CVSSv2 formula to calculate the underlying CVSS scores for newly discovered vulnerabilities, and calculated CVSSv2 scores for older entries by upgrading and approximating the needed CVSS input values. In some cases, the CVSSv2 severity ratings calculated for existing vulnerabilities differ significantly from the CVSSv1 ratings. [3] Because past volumes of the SIR have used the CVSSv1 formula for assessing vulnerability severity, this volume of the SIR provides severity analysis using both CVSSv1 scores and CVSSv2 scores. The CVSSv1 scores were calculated and derived from the CVSSv2 vectors, as provided in the NVD, and were validated against older instances of NVD entries.

[1] Available at http://nvd.nist.gov/.

[2] You may read about CVSSv1 in detail at http://www.first.org/cvss/v1/guide.html.

[3] You may read a more detailed analysis of the impact of CVSSv2 upon vulnerability severity ratings in: Jones, Jeffrey. “CVSSV1 and CVSSV2 Severity, Exploring Severity Changes in CVSSv2,” April 2008 (http://blogs.technet.com/security/archive/2008/04/01/countdown-to-rsa-conference-2008.aspx).


Comparing CVSSv1 and CVSSv2

Comparing the CVSSv1 and CVSSv2 rankings for half-year periods, as shown in Figure 4, illustrates the considerable difference between the two rating systems. In the CVSSv1 chart, Low-severity vulnerabilities have accounted for about 40 percent of the total over the past several periods. The CVSSv2 formula, by comparison, classifies a much larger number of vulnerabilities as High-severity, with negligible numbers of vulnerabilities classified as Low-severity. Both rating systems reveal a drop in the total number of High-severity vulnerabilities disclosed across the software industry during 2H07, with a small drop in the CVSSv1 chart and a larger drop under CVSSv2.

Figure 4. Industry-wide vulnerability disclosures by CVSSv1 and CVSSv2 severity by half-year, 2003–2007

[Figure 4: two stacked bar charts, CVSSv1 (top) and CVSSv2 (bottom), of industry-wide vulnerability disclosures by severity (Low, Medium, High) for each half-year from 1H03 to 2H07; vertical axis 0 to 4,000 disclosures.]

Figure 5, which compares the CVSSv1 and CVSSv2 severity breakdowns for each full year since 2003, shows that even with the decrease in the second half of the year, the number of High-severity vulnerabilities disclosed across the software industry increased for the full year of 2007.

Figure 5. Industry-wide vulnerability disclosures by CVSSv1 and CVSSv2 severity by year, 2003–2007

[Figure 5: two stacked bar charts, CVSSv1 and CVSSv2, of industry-wide vulnerability disclosures by severity (Low, Medium, High) for each year 2003 through 2007; vertical axis 0 to 8,000 disclosures.]


Figure 6 shows the severity breakdown by percentages. With the CVSSv1 rating system, the percentage of High-severity vulnerabilities disclosed reached an all-time high of 15 percent in 2007, with Low-severity vulnerabilities accounting for roughly 40 percent of vulnerabilities disclosed, and Medium-severity vulnerabilities accounting for the remaining 45 percent. If the CVSSv2 rating system is used, by comparison, High-severity vulnerabilities consistently make up 40–50 percent of annual vulnerabilities disclosed across the software industry, with Low-severity vulnerabilities contributing a much smaller percentage, reaching highs of around 9 percent in 2004 and 2005 and falling to 3.6 percent in 2007.

Figure 6. Industry-wide vulnerability disclosures by CVSSv1 and CVSSv2 severity by percentages, 2003–2007

[Figure 6: two 100-percent stacked bar charts, CVSSv1 and CVSSv2, showing the Low, Medium and High shares of industry-wide vulnerability disclosures for each year 2003 through 2007.]

Figure 7 breaks out the number of vulnerabilities rated as High-severity using the CVSSv1 and CVSSv2 rating systems, respectively, for the half-year periods. Both charts show a rise in High-severity vulnerability disclosures until 2H07, when the number decreases. In the CVSSv1 chart, the decline follows a significant increase in High-severity disclosures in 1H07, compared to a more moderate 1H07 increase in the CVSSv2 chart.

Figure 7. CVSSv1 and CVSSv2 High-severity vulnerabilities disclosed industry-wide by half-year, 1H03–2H07

[Figure 7: two bar charts of High-severity disclosures per half-year from 1H03 to 2H07; the CVSSv1 chart's vertical axis runs 0 to 600, the CVSSv2 chart's 0 to 2,000.]


Despite the decline in High-severity vulnerabilities disclosed across the industry in 2H07 and the decline in overall vulnerabilities for 2007 as a whole, High-severity vulnerability disclosures actually increased for 2007 as a whole, as shown in Figure 8. Here, the two rating systems lead to somewhat different conclusions. The CVSSv1 chart, which shows fluctuating numbers of High-severity vulnerabilities between 2003 and 2006, suggests the possibility that the significant increase seen in 2007 may be anomalously high. By contrast, the CVSSv2 chart illustrates a steady increase in High-severity vulnerabilities up through and including 2007, which shows an increase of roughly 10 percent over 2006. The degree to which CVSSv2 is accepted by the IT security community will ultimately decide which conclusion is generally seen as more accurate.

Figure 8. CVSSv1 and CVSSv2 High-severity vulnerabilities disclosed industry-wide by year, 2003–2007

[Figure 8: two side-by-side bar charts, CVSSv1 and CVSSv2, of High-severity disclosures per year 2003 through 2007; both vertical axes run 0 to 3,500.]

Focusing on mitigating the most severe vulnerabilities first is a security best practice. Using CVSSv1, security administrators have historically been able to focus on the approximately 5 percent of vulnerabilities rated High. Under CVSSv2, roughly 40 percent of all vulnerabilities are now grouped together in the most severe category. This translates to a big increase in prospective workload, although if 40 percent of vulnerabilities are that severe, it is difficult to justify not treating them as such.

As a practical matter, it seems likely that if CVSSv2 becomes the predominant cross-product rating system, security professionals will need to leverage other sources of information for filtering and prioritization. If the product vendor provides its own rating system, that should be the primary source of severity information, as vendors know their products best and can give the most informed guidance. For others, it may be useful to draw on several sources in order to collect a richer set of information.

Access Complexity

Access Complexity is a metric used by the CVSS to measure the complexity of an attack required to exploit a given vulnerability, assuming an attacker has the required access to the system. For example, consider two vulnerabilities, each of which potentially allows an attacker to remotely run code:

• One of the vulnerabilities only works on Tuesdays, when the available free memory is less than 56K, and at least three user accounts are logged in to the system. This is a highly complex set of requirements.
• The other vulnerability is in a default Internet-facing service, and the exploit works reliably regardless of the state of the system. This is a Low-complexity scenario.

In CVSSv1, the metric could take one of two values, High or Low. For CVSSv2, the Access Complexity attribute was expanded to take one of three values, High, Medium, or Low. The expanded values are defined in Figure 9.4

4 Definition from: Mell, Peter, Karen Scarfone, and Sasha Romanosky. “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” (http://www.first.org/cvss/cvss-guide.html) section 2.1.2.


Figure 9. NVD complexity rankings and definitions

High: Specialized access conditions exist. For example:
• In most configurations, the attacking party must already have elevated privileges or spoof additional systems in addition to the attacking system (for example, DNS hijacking).
• The attack depends on social engineering methods that would be easily detected by knowledgeable people. For example, the victim must perform several suspicious or atypical actions.
• The vulnerable configuration is seen very rarely in practice.
• If a race condition exists, the window is very narrow.

Medium: The access conditions are somewhat specialized. The following are examples:
• The attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted.
• Some information must be gathered before a successful attack can be launched.
• The affected configuration is non-default and is not commonly configured (for example, a vulnerability present when a server performs user account authentication via a specific scheme but not present for another authentication scheme).
• The attack requires a small amount of social engineering that might occasionally fool cautious users (for example, phishing attacks that modify a Web browser’s status bar to show a false link, having to be on someone’s “buddy” list before sending an IM exploit).

Low: Specialized access conditions or extenuating circumstances do not exist. The following are examples:
• The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (for example, Internet-facing Web or mail server).
• The affected configuration is default or ubiquitous.
• The attack can be performed manually and requires little skill or additional information gathering.
• The “race condition” is a lazy one (in other words, it is technically a race but easily winnable).

Low-access complexity embodies the characteristics that make exploitation easy, predictable, and repeatable. For Medium-complexity vulnerabilities, broad, automated attacks are less likely, either because the required configuration is much less common or because an attack requires some level of specialization to succeed. A complexity value of High effectively means that a practical exploit is very challenging.
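The following Python is added here as an illustration and is not code from the report. It implements the published CVSSv2 base equation (weights and the round-half-up rule are those of the FIRST CVSSv2 guide cited in footnote 4) together with the NVD Low/Medium/High bands given at the start of this section, and then re-scores a single vulnerability with only the Access Complexity metric changed, which is the effect the definitions in Figure 9 are meant to capture. The vectors it scores are constructed examples, not entries from the NVD.

```python
"""CVSSv2 base score, NVD severity band, and an Access Complexity sweep.

Added example: the weights and equation are the published CVSSv2 base
metrics (FIRST guide, base equation); the bands are NVD's 0.0-3.9 Low,
4.0-6.9 Medium, 7.0-10.0 High. Vectors below are constructed."""
import math

# CVSSv2 base metric weights
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}
BASE_ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (parentheses optional) into a
    metric -> value dict. Temporal/environmental components are ignored."""
    metrics = {}
    for part in vector.strip("()").split("/"):
        name, _, value = part.partition(":")
        if name in WEIGHTS:
            if value not in WEIGHTS[name]:
                raise ValueError(f"bad value {value!r} for metric {name}")
            metrics[name] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return metrics


def round_to_1_decimal(x):
    # CVSSv2 rounds half up to one decimal; Python's round() is banker's rounding.
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """CVSSv2 base equation: weighted Impact and Exploitability sub-scores,
    with the whole score forced to 0.0 when there is no impact at all."""
    m = parse_vector(vector)
    w = lambda k: WEIGHTS[k][m[k]]
    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def nvd_severity(score):
    """NVD's Low/Medium/High banding of a CVSS base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def access_complexity_sweep(vector):
    """Re-score the same vulnerability with AC set to L, M and H, every other
    metric fixed, returning {AC: (score, NVD band)}. Shows how far the one
    metric can move a vulnerability across the High/Medium boundary."""
    m = parse_vector(vector)
    result = {}
    for ac in ("L", "M", "H"):
        m["AC"] = ac
        rebuilt = "/".join(f"{k}:{m[k]}" for k in BASE_ORDER)
        score = cvss2_base_score(rebuilt)
        result[ac] = (score, nvd_severity(score))
    return result


if __name__ == "__main__":
    # Remote, unauthenticated, partial C/I/A: the usual shape of a client-side
    # code-execution bug where the victim must open a file (AC:M).
    for ac, (score, band) in access_complexity_sweep("AV:N/AC:M/Au:N/C:P/I:P/A:P").items():
        print(f"AC:{ac}  base={score:4.1f}  NVD={band}")
```

With the other five metrics fixed, the same bug scores 7.5 (High) at AC:L, 6.8 (Medium) at AC:M and 5.1 (Medium) at AC:H, so the Access Complexity judgement alone decides whether it lands in the NVD High bucket discussed above.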


Given a set number of vulnerabilities, then, the ideal scenario is one with a high percentage of High-complexity vulnerabilities, or, failing that, at least a low percentage of Low-complexity vulnerabilities. Unfortunately, as Figure 10 illustrates, the opposite has historically been true.

Figure 10. Industry-wide vulnerability disclosures by access complexity, 1H05–2H07

[Figure 10: 100-percent stacked bar chart of the Low, Medium and High Complexity shares of industry-wide disclosures for each half-year from 1H05 to 2H07.]

High-complexity vulnerabilities account for a very small portion (3 percent) of all vulnerabilities disclosed in 2007 across the software industry, significantly less than in previous periods. However, the trend for Low-access complexity has improved, accounting for a smaller portion of the total during each successive period. In 2H07, half of all vulnerabilities required some level of specialization for potential exploits, a higher portion than in any other period since 2005.

Vulnerability Trends Summary and Conclusion

The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands, with 2,900 new vulnerabilities disclosed in 2H07, but a 15 percent decline in the number of new disclosures since 1H07 is cause for some optimism. The adoption of CVSSv2 substantially increased the estimated severity of a large number of new and previously disclosed vulnerabilities, which should put security professionals on guard against attack vectors that create significantly more potential risk than had previously been supposed. Both security vendors and IT Professionals should adjust their risk management processes appropriately to ensure that important systems are protected.



Software Vulnerability Exploits

Section Highlights

• During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006, when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.
• Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.
• In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

Strategy, Mitigations, and Countermeasures

• Analyzing the availability or probability of exploit code being developed for specific vulnerabilities can help customers prioritize which vulnerabilities require faster mitigation.
• More recent Microsoft products appear to be at less risk from publicly available exploit code than earlier products.
• Organizations should participate in IT security communities to keep abreast of the wide range of potential security issues they may face and to understand which vulnerabilities are more likely to be exploited. The monthly Microsoft Security Bulletin Webcast is a good place to start because it provides access to various security-related resources, as well as up-to-the-minute updates on each release.

As noted in the previous section, not all vulnerabilities are easily exploited, and a significant majority of known vulnerabilities have no publicly available exploits associated with them. By staying up to date on which products are more or less likely to be exploited, security professionals can more effectively prioritize their mitigation efforts. Microsoft conducted a survey to determine the overall change in reliability of publicly available exploits against Microsoft products between 2006 and 2007. To perform this survey, researchers collected a broad sample of data from a variety of public sources, including exploit archives, antivirus alerts, mailing lists, hacking Web sites, and exploitation frameworks. Each individual data point was classified and matched to a particular vulnerability, and the results were tabulated.


Survey Details

To produce the final counts of exploits for each product, researchers looked for exploit data in a number of locations on the Internet, from publicly available exploit libraries like the Metasploit Project (http://www.metasploit.com) to some of the lesser known mailing lists and Web sites used by the underground hacking community, setting a time limit for discovery. Any reliable exploit discovered in the time allowed was considered public. Any worm that wasn’t targeted at a specific corporation was also considered proof of a public exploit. A list of criteria was used to judge whether an incident would or would not be considered exploitable for the purposes of this study. Discussions within the security community sometimes conflate reliable, code-execution exploits with Denial-of-Service (DoS) attacks. The potential for confusion tends to increase as a search moves away from the major security sites to lesser-known and quasi-underground resources. Figure 11 lists the criteria used for determining whether an exploit was within scope for this research.

Figure 11. Criteria for judging exploits

Criterion: Result
Exploit found with shell code or command line: Exploitable
Exploit available in exploitation framework: Exploitable
Exploit code could be purchased from major vendor: Exploitable
Common virus or trojan uses the technique: Exploitable
Major Web site reports public exploits available: Exploitable
Microsoft reports publicly available exploit: Exploitable
Proof of Concept (POC) with placeholder such as a long string: Exploitable if other evidence exists
Major news site report of exploitation: Exploitable if POC available
POC is labeled as a DoS: Not Exploitable

To normalize the data set, each exploit was matched with its corresponding vulnerability using Common Vulnerabilities and Exposures (CVE) identifiers and Microsoft security bulletins.5

5 See Appendix A for more information about these resources.


Exploit developers don’t necessarily label their exploits with a corresponding identifier, and most exploits found in the wild aren’t matched with any formal numbering system at all. Exploits generated by commercial or open-source projects to specifically exploit a known vulnerability generally contain references to some numbering system, but don’t always contain a Microsoft security bulletin number. If an exploit does reference a numbering system, by far the most common cross-reference is a CVE identifier. Each Microsoft security bulletin may address multiple vulnerabilities, so the Microsoft security bulletin-to-CVE translation isn’t a one-to-one correlation. Researchers used information provided by the Microsoft Security Response Center (MSRC), the CVE, the NVD, and SecurityPatch.org to create a final MSRC-to-CVE mapping.

Exploits targeting a product usually don’t apply to all versions of that product. Each exploit was assigned to a specific product version using a number of factors. If the associated vulnerability was only available for a single product version, the exploit was assigned to that version. If a worm or documented attack used a particular version of the product, the exploit was assigned to the version of the product exploited by the malware or attacker. If known addresses were present in the exploit that could be tied to a particular version, the exploit was assigned to that version.

Findings

The survey found that 32.2 percent of known vulnerabilities announced in 2007 in Microsoft products had publicly available exploit code, on par with the percentage from 2006 (32.7 percent). In 2007, Microsoft released 69 security bulletins covering 100 unique vulnerabilities, whereas in 2006, Microsoft released 78 security bulletins covering 142 unique vulnerabilities. This translates into an 11.5 percent decrease in security bulletins, and a 29.6 percent decrease in the number of unique vulnerabilities covered by those security bulletins in 2007.

Figure 12 and Figure 13 summarize the results of the survey for versions of Microsoft Windows, Microsoft Internet Explorer®, and the Microsoft Office system. (See Appendix B for more comprehensive lists that include other Microsoft products.)
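To make the survey method concrete, here is an added Python sketch, not the report's own tooling, of the steps described in the Survey Details above: the Figure 11 exploitability criteria, normalization of exploit references to CVE identifiers through a bulletin-to-CVE mapping (one bulletin, several CVEs), attribution of each exploit to product versions, and the per-version percentages and year-over-year deltas that Figures 12 and 13 report. Every bulletin number, CVE identifier, product list and exploit record in it is constructed and deliberately outside the real numbering; the rule "credit every affected version when the exploit names none" is an assumption where the text leaves the choice open.

```python
"""Exploit-to-vulnerability matching and per-version exploit percentages.

Added example modelling the survey method in this section; not the report's
code. All identifiers and records are constructed for illustration."""
import re
from collections import defaultdict

# Figure 11: evidence kinds that by themselves make a vulnerability "exploitable"
DIRECT_EVIDENCE = {"shellcode", "framework", "purchasable", "malware",
                   "major_site_report", "vendor_report"}


def is_exploitable(evidence):
    """evidence: set of evidence kinds collected for one CVE (Figure 11 rows).
    A placeholder PoC counts only alongside other evidence, a news report only
    when a PoC exists, and a PoC labelled DoS never counts on its own."""
    if evidence & DIRECT_EVIDENCE:
        return True
    supporting = evidence - {"poc_placeholder", "dos_poc"}
    if "poc_placeholder" in evidence and supporting:
        return True  # also satisfies the "news report + PoC" row
    return False


# Constructed MSRC-to-CVE mapping: a bulletin may cover several CVEs
BULLETIN_TO_CVES = {
    "MS07-901": ["CVE-2007-90001", "CVE-2007-90002"],
    "MS07-902": ["CVE-2007-90003"],
}
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")


def referenced_cves(text):
    """Normalize an exploit's references to CVE identifiers: direct CVE
    mentions plus every CVE behind any bulletin number it names."""
    cves = set(CVE_RE.findall(text))
    for bulletin in BULLETIN_RE.findall(text):
        cves.update(BULLETIN_TO_CVES.get(bulletin, ()))
    return cves


# Constructed vulnerability inventory: CVE -> (disclosure year, affected versions)
VULNS = {
    "CVE-2007-90001": (2007, ["Windows 2000", "Windows XP"]),
    "CVE-2007-90002": (2007, ["Windows XP", "Windows Vista"]),
    "CVE-2007-90003": (2007, ["Office 2003"]),
    "CVE-2006-90001": (2006, ["Windows XP"]),
}
# Constructed exploit artefacts as found: (evidence kind, text)
ARTIFACTS = [
    ("framework", "exploit module for MS07-901, target: Windows XP SP2 English"),
    ("poc_placeholder", "PoC for CVE-2007-90002 (sends 4096 x 'A', no payload)"),
    ("news_report", "news: attacks using CVE-2007-90002 seen in the wild"),
    ("dos_poc", "crash trigger for CVE-2007-90003, DoS only"),
    ("malware", "worm payload exploiting CVE-2006-90001"),
]


def assign_versions(text, affected):
    """An exploit that names a version is credited to that version only.
    Otherwise (assumption) it is credited to every version the vulnerability
    affects, which also covers the single-version case from the text."""
    named = {v for v in affected if v in text}
    return named or set(affected)


def survey(year):
    """Return {version: (vulns, vulns with a public exploit, percentage)}."""
    evidence = defaultdict(set)          # CVE -> evidence kinds seen
    hits = defaultdict(set)              # version -> CVEs credited with an exploit
    for kind, text in ARTIFACTS:
        for cve in referenced_cves(text):
            if cve in VULNS:
                evidence[cve].add(kind)
    for kind, text in ARTIFACTS:
        for cve in referenced_cves(text):
            if cve in VULNS and is_exploitable(evidence[cve]):
                for version in assign_versions(text, VULNS[cve][1]):
                    hits[version].add(cve)
    result = {}
    for version in sorted({v for _, (_, vs) in VULNS.items() for v in vs}):
        total = [c for c, (y, vs) in VULNS.items() if y == year and version in vs]
        if not total:
            continue
        exploited = [c for c in total if c in hits[version]]
        result[version] = (len(total), len(exploited),
                           round(100 * len(exploited) / len(total), 1))
    return result


def pct_change(old, new):
    """Percentage change, as used for the bulletin and CVE counts in the text."""
    return round(100 * (new - old) / old, 1)


if __name__ == "__main__":
    for year in (2006, 2007):
        print(year, survey(year))
    print("bulletins 78 -> 69:", pct_change(78, 69), "%")
    print("unique CVEs 142 -> 100:", pct_change(142, 100), "%")
```

Two details worth noticing when reproducing this kind of survey: a framework module that names only the bulletin still resolves to every CVE the bulletin covers, and a DoS-only trigger leaves its CVE counted as not exploitable even though an artefact exists for it. The two percentage changes come out at -11.5 and -29.6, matching the figures quoted above for 2006 to 2007.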


Figure 12. Exploits in select Microsoft products by Microsoft Security Bulletin, 2006–2007

By Microsoft Security Bulletin. For each product version: the number of security bulletins, the number of those bulletins with a public exploit, and the percentage, for 2006 and for 2007; Delta is the 2007 percentage minus the 2006 percentage. A blank entry means no bulletins applied to that version in that year.

Product / Version | 2006 bulletins | 2006 exploits | 2006 % | 2007 bulletins | 2007 exploits | 2007 % | Delta
Internet Explorer 5 | 8 | 4 | 50.0% | 8 | 3 | 37.5% | -12.5%
Internet Explorer 6 | 7 | 3 | 42.9% | 8 | 3 | 37.5% | -5.4%
Internet Explorer 7 | 0 | 0 | | 8 | 3 | 37.5% |
Microsoft Office 2000 | 13 | 7 | 53.9% | 11 | 6 | 60.0% | 6.2%
Microsoft Office XP | 13 | 5 | 38.5% | 12 | 6 | 54.6% | 16.1%
Microsoft Office 2003 | 12 | 5 | 41.7% | 13 | 6 | 46.2% | 4.5%
Microsoft Office X (Mac) | 7 | 2 | 28.6% | 1 | 1 | 100.0% | 71.4%
Microsoft Office 2004 (Mac) | 7 | 3 | 42.9% | 11 | 5 | 45.5% | 2.6%
Microsoft Office 2007 | 0 | 0 | | 5 | 1 | 20.0% |
Windows 98 | 13 | 5 | 38.5% | 0 | 0 | |
Windows ME | 13 | 4 | 30.8% | 0 | 0 | |
Windows 2000 | 46 | 14 | 30.4% | 36 | 5 | 13.9% | -16.5%
Windows XP | 53 | 27 | 51.9% | 39 | 5 | 12.8% | -39.1%
Windows Server 2003 | 49 | 26 | 53.1% | 39 | 18 | 46.2% | -6.9%
Windows Vista | 0 | 0 | | 22 | 9 | 40.9% |

Three percentages in this table do not reproduce from the counts printed beside them: 6 of 11 bulletins (Office 2000, 2007) is 54.5 percent rather than 60.0; 6 of 12 (Office XP, 2007) is 50.0 percent rather than 54.6; and 27 of 53 (Windows XP, 2006) is 50.9 percent rather than 51.9. The percentages and deltas are reproduced as printed; treat those three rows with caution when reusing the numbers.

As noted above, each Microsoft security bulletin may address multiple vulnerabilities. A Microsoft security bulletin number was included in a product if any of the vulnerabilities it covered related to that product. For example, it is possible that the same Microsoft security bulletin is counted for Internet Explorer as well as Microsoft Office. Also, if two or more vulnerabilities of a particular product had reliable exploits available, the Microsoft security bulletin was only counted once for the total.



Figure 13. Exploits in select Microsoft products by CVE identifier, 2006–2007

By CVE ID. For each product version: the number of CVE identifiers, the number of those CVEs with a public exploit, and the percentage, for 2006 and for 2007; Delta is the 2007 percentage minus the 2006 percentage. A blank entry means no CVEs applied to that version in that year.

Product / Version | 2006 CVEs | 2006 exploits | 2006 % | 2007 CVEs | 2007 exploits | 2007 % | Delta
Internet Explorer 5 | 26 | 7 | 26.9% | 19 | 3 | 15.8% | -11.1%
Internet Explorer 6 | 26 | 5 | 19.2% | 19 | 3 | 15.8% | -3.4%
Internet Explorer 7 | 0 | 0 | | 19 | 3 | 15.8% |
Microsoft Office 2000 | 45 | 8 | 17.8% | 21 | 11 | 52.4% | 34.6%
Microsoft Office XP | 44 | 9 | 20.5% | 24 | 11 | 45.8% | 25.3%
Microsoft Office 2003 | 40 | 9 | 22.5% | 24 | 11 | 45.8% | 23.3%
Microsoft Office X (Mac) | 26 | 3 | 11.5% | 5 | 2 | 40.0% | 28.5%
Microsoft Office 2004 (Mac) | 33 | 5 | 15.2% | 22 | 8 | 36.4% | 21.2%
Microsoft Office 2007 | 0 | 0 | | 9 | 1 | 11.1% |
Windows 98 | 27 | 7 | 25.9% | 0 | 0 | |
Windows ME | 27 | 6 | 22.2% | 0 | 0 | |
Windows 2000 | 73 | 18 | 24.7% | 51 | 6 | 11.8% | -12.9%
Windows XP | 84 | 59 | 70.2% | 55 | 6 | 10.9% | -59.3%
Windows Server 2003 | 78 | 32 | 41.0% | 57 | 21 | 36.8% | -4.2%
Windows Vista | 1 | 0 | 0.0% | 40 | 12 | 30.0% | 30.0%


Software Vulnerability Exploit Trends

Overall, the survey revealed a decrease in exploitability between the years of 2006 and 2007. Specifically, the total, non-weighted decrease in exploitability of vulnerabilities in products is 7.4 percent, based on exploits for all products. (The term non-weighted implies that no exemptions were made in the statistical gathering of these numbers. Products with no vulnerability were included in the overall calculation.) In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

Exploit Details Summary and Conclusion

While the main focus of this research was to measure the data, there could be several reasons for the reduction in available exploits, ranging from technical (for example, changes in the environment, such as the introduction of address space layout randomization in Windows Vista) to social (like legal issues or pressures among the exploit developer community). While interpretation of the data is open to debate, the data itself is compelling as a potential method for helping customers make prioritization assessments based on verifiable risk on a product-by-product basis.


Security Breach Notifications As a Lens into Security Failures

Section Highlights

• Several jurisdictions around the world now require that companies and other organizations publicly disclose security breaches that put personally identifiable information (PII) at risk. Analyzing these notifications offers insights into how and why such breaches occur.
• Exploits, malware, and hacking account for less than a quarter of security breach notifications. The majority of the breaches analyzed resulted from the absence or failure of proper information handling or physical security procedures.

Strategy, Mitigations, and Countermeasures

• Consider a broad set of information security problems when building an information security policy. A security program that focuses entirely on malware, exploits, and hacking will potentially miss up to 80 percent or more of total incidents that put sensitive information in jeopardy. Consider all stages of the data life cycle, including storage, transit, and destruction, when developing policies.
• Encrypt all data on all computers and storage devices, not just on laptops.
• Prepare an incident response plan for personally identifiable data that you collect or store.
• Consider tracking data on security breaches as an input into your security planning.

Over the last few years, laws have been passed in a number of jurisdictions around the world requiring that affected individuals be notified when an organization loses control of personally identifiable information (PII) with which it has been entrusted. These mandatory notifications offer unique insights into what goes wrong with information security. They differ from surveys in that the information offered is not from self-selected respondents, and, for a given set of criteria, participation is mandated by law. The data collection used in this analysis is publicly available. This section of the SIR examines the details of 910 breach incidents from 12 countries, dating back to January 2000, as downloaded from the Data Loss Database—Open Source at http://attrition.org/dataloss.6 The data, despite containing much of value, is not perfect. It is not as detailed as might be hoped for, and laws in different jurisdictions contain different trigger clauses for when notice must be given. Nevertheless, the data is of sufficient quality to lend itself to an effective analysis of security failures.

6 Researchers notified Attrition.org when they detected issues with the database, some of which involved inconsistent or duplicate data. For example, incidents 0697, 0734, and 0759 all concerned a single incident at a now-defunct medical bill claims processor; 0697 was listed as a hack, and the other two were listed as Web issues. As a result, the database may have changed slightly since this analysis was performed. The researchers are confident that any such changes to the database have served to improve its accuracy and quality, but security professionals should recognize that these and other corrections will have a small impact on the ability to perfectly reproduce the results reported here.

Analysis

For the purposes of this analysis, the data has been grouped into 10 categories, which are supersets of the coding used by Attrition.org.7 The groups are shown in Figure 14.

Figure 14. Security breach incident categories used in this section

Our label | Definition | Maps to Attrition.org BreachType
Stolen equipment | Stolen computers, disks, tapes, or documents | Starts with “stolen”
“Hack” | Reported as some type of computer intrusion where the data is not available to the public | Hack
Accidental Web | Accidental exposure on a Web site, available to the public with a Web browser | Web
Lost equipment | Reported as lost computers, disks, tapes, or documents | Starts with “lost”
Fraud | Frauds and scams, perpetrated by insiders or outsiders; this includes disputed cases, on which we take no position | Starts with “fraud”
Disposal | Improper disposal of any sort | Starts with “disposal”
Snail mail | Information exposed by physical mail, either the wrong recipient or the data visible outside the envelope | Snail mail
E-mail | E-mail sent to an unintended/unplanned recipient | E-mail
Virus | A computer virus was blamed | Virus
Missing | A laptop or laptops gone missing without explanation | Starts with “missing”

In the Attrition.org data, there are 15 “unknowns” (that is, the BreachType is listed as “?”). These incidents are not included in the following analysis or totals.

7 See http://attrition.org/dataloss/dldoskey.html for more information about this data.
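As an added example, not part of the report and not Attrition.org's own tooling, the following Python applies the Figure 14 mapping to BreachType codes, drops the “?” unknowns as the text does, and computes the per-category distribution for the whole set or for one period, which is the calculation behind the percentages discussed below. The records are constructed: the BreachType strings follow the prefix and exact-match rules of the table, not actual database rows.

```python
"""Breach-notification categorisation after Figure 14 (added example).

The BreachType -> label rules are those of the table; "?" rows are dropped.
All records are constructed, not rows from the Data Loss Database."""
from collections import Counter

# Figure 14 "starts with" rules, tested on the lower-cased BreachType
PREFIX_RULES = [
    ("Stolen equipment", "stolen"),
    ("Lost equipment", "lost"),
    ("Fraud", "fraud"),
    ("Disposal", "disposal"),
    ("Missing", "missing"),
]
# Figure 14 exact-match rules, keyed on the lower-cased code with spaces/hyphens removed
EXACT_RULES = {
    "hack": "Hack",
    "web": "Accidental Web",
    "snailmail": "Snail mail",
    "email": "E-mail",
    "virus": "Virus",
}


def categorize(breach_type):
    """Map one BreachType code to a Figure 14 label; None for unknown ("?")."""
    key = breach_type.strip().lower()
    if key in ("", "?"):
        return None
    for label, prefix in PREFIX_RULES:
        if key.startswith(prefix):
            return label
    compact = key.replace(" ", "").replace("-", "")  # "Snail Mail", "E-mail" variants
    if compact in EXACT_RULES:
        return EXACT_RULES[compact]
    raise ValueError(f"unmapped BreachType: {breach_type!r}")


# Constructed sample rows: (incident id, half-year period, BreachType)
RECORDS = [
    ("c001", "1H07", "StolenLaptop"), ("c002", "1H07", "Hack"), ("c003", "1H07", "Web"),
    ("c004", "1H07", "LostTape"), ("c005", "1H07", "FraudSe"), ("c006", "1H07", "?"),
    ("c007", "2H07", "StolenComputer"), ("c008", "2H07", "StolenDocument"),
    ("c009", "2H07", "Hack"), ("c010", "2H07", "Disposal"), ("c011", "2H07", "SnailMail"),
    ("c012", "2H07", "MissingLaptop"), ("c013", "2H07", "Email"), ("c014", "2H07", "Virus"),
]


def distribution(records, period=None):
    """Percentage of categorised incidents per label, unknowns excluded from
    the total, over all records or only those in one half-year period."""
    counts = Counter()
    for _, half, breach_type in records:
        if period and half != period:
            continue
        label = categorize(breach_type)
        if label is not None:
            counts[label] += 1
    total = sum(counts.values())
    return {label: round(100 * n / total, 1) for label, n in counts.items()}


def non_hack_share(records, period=None):
    """Share of incidents a programme watching only for intrusions would miss."""
    return round(100 - distribution(records, period).get("Hack", 0.0), 1)


if __name__ == "__main__":
    print("all periods:", distribution(RECORDS))
    print("2H07 only:  ", distribution(RECORDS, "2H07"))
    print("non-hack share, all periods:", non_hack_share(RECORDS), "%")
```

The unmapped-code error is deliberate: when a new BreachType appears in a later download of the database, the analysis should stop and the table should be extended, rather than silently lumping the row into a category.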


Figure 15 illustrates the overall distribution of incidents by type, for both the full 2000–1H07 dataset and for 2H07 alone.

Figure 15. Security breach incidents by type, 2000–1H07, and 2H07 alone, expressed as percentages of the total

[Figure 15: grouped bar chart with two series (2000–1H07 and 2H07) for the categories Stolen equipment, Hack, Accidental Web, Lost equipment, Fraud, Disposal, Snail mail, E-mail, Virus and Missing; vertical axis 0 to 50 percent.]

This data reveals a number of significant facts.

• Although security breaches are often linked in the popular consciousness with hacking incidents involving malicious parties defeating technical security measures to gain unlawful access to sensitive data, more than three-quarters of total breaches result from something that Attrition.org does not classify as a hack. Hacking incidents account for an even smaller portion of 2H07 incidents (12.7 percent, compared to 21.3 percent for the full dataset).

Figure 16. Hacks account for just 21 percent of disclosed security breaches.

[Figure 16: pie chart with two slices, Hack and Other.]

This is important because it helps put the IT security landscape in perspective. This report focuses primarily on malware and technology-based attacks, as does much of the attention of IT security professionals. Yet sensitive information can be exposed through a variety of means, and a security program focused entirely on malware, exploits, and hacking will potentially miss up to 80 percent or more of total incidents that put sensitive information in jeopardy.


• Stolen hardware as a category accounts for significantly more incidents than hacking, possibly because these incidents are more easily detected. A number of the incident reports reviewed for this analysis mentioned that hacks or accidental exposure of information on the Web had been going on for quite a while before they were detected. Stolen hardware accounted for a significantly larger portion of 2H07 incidents than for the dataset as a whole (45.0 percent, compared to 35.9 percent).
• Aside from the differences in the stolen equipment and hacking categories, the distribution of incidents in 2H07 is substantially similar to the distribution in the overall 2000–1H07 dataset, which may be considered a factor supporting the reliability of the data. The reasons behind the shifts in stolen equipment and hacking are not known, and whether they constitute a trend remains to be seen.
• Improper disposal of business records accounts for quite a few incidents, and is relatively easy for organizations to address by effectively developing and enforcing policies regarding the destruction of paper and electronic records containing sensitive information.
• Viruses accounted for only two of the reported incidents. This is probably an artifact of the way the data is collected and analyzed. For example, an incident classified as a hack may involve a trojan infection. In addition, malware often causes small losses that may not meet the reporting threshold required by law.
• Information about the portion of hacking incidents that involved Microsoft products is not easy to obtain from the data provided. The original data is widely variable, and it is difficult to analyze for useful information that could help software developers improve their engineering processes. More complete data could help provide substantial insights into security problems.

Study of breach data provides a unique way to look at issues experienced in the real world, and could be an aid to organizations seeking to develop and improve effective information security policies. Unfortunately, the usefulness of the data is limited by a lack of uniform reporting standards and requirements, which leads to variations and omissions in the details reported. It may be worth investigating why the data is so sparse and looking for ways to improve it.



Malicious and Potentially Unwanted Software

Section Highlights

• The trends observed in the second half of 2007 are consistent with the observed shift of malware away from an amateur phenomenon to a tool used by professional criminals and criminal organizations to generate revenue.
• Trojan downloaders and droppers have grown to account for more infections than any other category of malware, due in large part to a small handful of very prevalent trojan downloader/dropper families.
• Many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user’s existing protection.
• Infection rates observed by the Microsoft Windows Malicious Software Removal Tool (MSRT) are significantly lower on Microsoft Windows XP Service Pack 2 (SP2) and Windows Vista compared to older operating systems.
• MSRT data shows that the infection rate for Windows Vista–based computers is 60.5 percent less than that of computers running Windows XP SP2, and 91.5 percent less than the infection rate for Windows XP with no service packs installed.
• Backdoor trojans now account for more than half of all instant messaging (IM) disinfections, with both worms and trojans showing significant increases.

Strategy, Mitigations, and Countermeasures

The risk of exposure to malware may not necessarily correlate to actual infection rates. Installed antivirus software, firewalls, and various content-filtering technologies help mitigate that risk. However, social engineering attacks are on the rise and can often trick the user into taking action that bypasses or lessens the effectiveness of the user’s existing protection. Countering this increased exposure risk requires educating users to take protective actions, like the following:

• Use an anti-malware product from a known, trusted source, and keep it up to date to guard against new threats as well as new variants of older malware families.


• Avoid opening attachments or clicking on links in e-mail or instant messages that are received unexpectedly or from an unknown source.




• Use a mail client that suppresses active content and that blocks the unintentional opening of executable attachments.

• Use a robust spam filter to guard against fraudulent and dangerous e-mail.

• Install a phishing filter. Web browsers such as Internet Explorer 7 and Mozilla Firefox 2 use phishing filters to protect users from known phishing sites. Some e-mail applications, such as recent versions of Microsoft Outlook®, include phishing detection features in addition to spam filters.

• If you receive an e-mail from a bank or commerce site, visit their site using a pre-bookmarked link or by typing in the link from your monthly statement. Don’t use links provided in the suspect e-mail. If all else fails, contact the bank or business by telephone or through contact information found in a recent statement, again avoiding any numbers provided in the suspect e-mail.

• Deploy inbound and outbound e-mail authentication to protect both your brand and consumers from e-mail spoofing and forgery, and to detect inbound spoofing. The Sender ID Framework (SIDF) is such an authentication solution, currently being used to send more than half of all legitimate e-mail sent daily worldwide.
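The inbound side of the e-mail authentication recommended above can be illustrated with a minimal policy evaluator. This is an added example, not code from Microsoft or from the Sender ID Framework; the domains, records and addresses in it are constructed (documentation address ranges, not real DNS data), and it implements only the ip4 and all mechanisms of a published v=spf1 or spf2.0 record, so include, a, mx, redirect and PRA header selection are left out.

```python
"""Minimal inbound sender-authentication check in the style of SPF / Sender ID.

Added illustration, not Microsoft's or any library's code. It evaluates a
published policy record (constructed here, not fetched from DNS) against the
IP address that delivered a message and the domain the message claims to be
from. Only the ip4 and all mechanisms are implemented; include, a, mx,
redirect and PRA extraction are deliberately left out to keep it offline.
"""
import ipaddress

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "shop.example": "spf2.0/mfrom,pra ip4:203.0.113.0/25 ~all",
    "nopolicy.example": None,
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split a record into its version tag and (qualifier, mechanism, argument) terms."""
    parts = record.split()
    version = parts[0]
    if not (version == "v=spf1" or version.startswith("spf2.0/")):
        raise ValueError("unsupported record version: %s" % version)
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # an unprefixed mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return version, terms


def evaluate(domain, sender_ip, records=SAMPLE_RECORDS):
    """Return pass/fail/softfail/neutral/none for a message from sender_ip claiming domain."""
    record = records.get(domain)
    if record is None:
        return "none"                        # no policy published: nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    _, terms = parse_record(record)
    for qualifier, name, arg in terms:
        if name == "ip4":
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == 4 and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]     # "all" always matches; it ends evaluation
        # Unknown mechanisms are skipped here; a full implementation returns permerror.
    return "neutral"                         # record exhausted without a match


if __name__ == "__main__":
    for domain, ip in [("bank.example", "192.0.2.44"), ("bank.example", "203.0.113.9"),
                       ("shop.example", "203.0.113.200"), ("nopolicy.example", "192.0.2.1")]:
        print(domain, ip, evaluate(domain, ip))
```

A receiving mail server would look up the record for the claimed domain instead of reading SAMPLE_RECORDS, and would decide what to do with a "fail" or "softfail" (reject, quarantine, or score) according to local policy; the evaluator itself only reports the result.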

Malicious software, once largely the province of amateurs, has become a tool used by skilled criminals to target hundreds of millions of computer users worldwide in pursuit of profit. With this shift has come a fundamental change in the nature of malicious software itself. The attention-getting e-mail worms of years past, which hampered computer systems worldwide for days or weeks at a time before fading, have largely given way to threats designed to evade all attempts at detection in order to stay active for much longer periods of time. Some of the most persistent threats are updated dozens of times a day by their creators in a continual effort to stay one step ahead of the security software that attempts to remove them, contributing to an ever-escalating arms race. The data in this section was collected using a number of different Microsoft products, services, and tools. See Appendix A for more information on these tools.



Malware Trends for 2H07

Though direct comparisons between the tools are generally not possible due to the differences in their scope and function, a number of trends manifest with some consistency across the different sets of data. Generally, detections of malware have been increasing in absolute numbers over the past several half-year periods, and the rate at which detections rise has grown over time. Figure 17 shows the total number of disinfections and distinct computers cleaned by the MSRT since 2005, and clearly demonstrates this trend. (Note that Microsoft did not begin to measure unique computers cleaned until 2H05, so this data is unavailable for 1H05.)

Figure 17. Total malware disinfections and distinct computers cleaned by the MSRT since 1H05, in half-year increments (bar chart; series: Disinfections, Computers Cleaned; x-axis: 1H05 through 2H07; y-axis: 0 to 50 million)

In 2H07, the MSRT removed malware from 15.8 million distinct computers worldwide, an 80 percent increase over the first half of 2007. The number of total disinfections performed in 2H07 rose to 42.2 million, an increase of nearly 120 percent over 1H07. A disinfection is defined as the removal of a distinct type of malware, such as a specific file infector variant, present on an infected computer. The number of total disinfections is greater than the number of distinct computers cleaned because the MSRT often detects multiple infections on a single computer and because computers can become reinfected from month to month. Disinfections and cleanings generally rose month to month during 2H07 before leveling off at about 12 million disinfections (8 million distinct computers) in October and November, and declining slightly in December, concomitant with the decrease in total executions that month as seen in Appendix A. The December decrease can also be attributed to the fact that the families added in October and November (Win32/RJump and Win32/ConHook) were significantly more prevalent than the single family added in December (Win32/Fotomoto).




Figure 18. Total malware disinfections and distinct computers cleaned by the MSRT in 2H07, by month (bar chart; series: Disinfections, Computers Cleaned; x-axis: Jul-07 through Dec-07; y-axis: 0 to 10 million)

To produce Figure 19, illustrating how the infection ratio detected by the MSRT has changed over time, the total number of executions was divided by the number of unique computers cleaned for each month, and the results were then averaged for each six-month period. This averaging method compensates for the fact that the group of computers that run the MSRT changes slightly from month to month, with new computers being brought online and older computers being taken out of service. Since 1H06, the infection ratio has trended down, which means that the MSRT has been finding infections on larger and larger percentages of all the computers that run the tool.

Figure 19. Number of computers cleaned by the MSRT for every 1000 executions, averaged for every six-month period (line chart; x-axis: 2H05 through 2H07; y-axis: 0 to 10.0)
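The averaging method just described for Figure 19, as an added example (not Microsoft's code) on constructed monthly counts that are round numbers rather than the report's figures. The functions compute the monthly infection ratio (executions per cleaned computer), the half-year average of those ratios, and the same quantity on Figure 19's scale of computers cleaned per 1,000 executions, so a ratio of about 123 corresponds to about 8 computers cleaned per 1,000 executions.

```python
"""Infection ratio from monthly MSRT-style execution and cleaning counts.

Added illustration (not Microsoft's code). Follows the method described for
Figure 19: for each month, divide executions by distinct computers cleaned,
then average the monthly ratios over the half-year. The counts below are
constructed round numbers, not figures from the report.
"""

# Constructed monthly data: (month, executions, distinct computers cleaned).
SAMPLE_PERIODS = {
    "1H07": [
        ("Jan-07", 300_000_000, 1_500_000),
        ("Feb-07", 310_000_000, 1_700_000),
        ("Mar-07", 320_000_000, 1_900_000),
        ("Apr-07", 330_000_000, 2_000_000),
        ("May-07", 340_000_000, 2_100_000),
        ("Jun-07", 350_000_000, 2_200_000),
    ],
    "2H07": [
        ("Jul-07", 360_000_000, 2_600_000),
        ("Aug-07", 370_000_000, 2_900_000),
        ("Sep-07", 380_000_000, 3_100_000),
        ("Oct-07", 390_000_000, 3_300_000),
        ("Nov-07", 395_000_000, 3_400_000),
        ("Dec-07", 385_000_000, 3_200_000),
    ],
}


def monthly_ratios(months):
    """Executions per cleaned computer for each month (the report's 'infection ratio')."""
    return [(name, executions / cleaned) for name, executions, cleaned in months]


def period_ratio(months):
    """Average of the monthly ratios over a period; a falling value means more infections."""
    ratios = [ratio for _, ratio in monthly_ratios(months)]
    return sum(ratios) / len(ratios)


def cleaned_per_thousand(months):
    """The same quantity on Figure 19's scale: computers cleaned per 1,000 executions."""
    return 1000.0 / period_ratio(months)


def trend(periods):
    """One row per period: (name, average ratio, cleaned per 1,000, change from prior period)."""
    rows = []
    previous = None
    for name, months in periods.items():
        per_thousand = cleaned_per_thousand(months)
        change = None if previous is None else (per_thousand - previous) / previous
        rows.append((name, round(period_ratio(months), 1), round(per_thousand, 2), change))
        previous = per_thousand
    return rows


if __name__ == "__main__":
    for row in trend(SAMPLE_PERIODS):
        print(row)
```

Averaging the monthly ratios, rather than dividing half-year totals, is what keeps a month with unusually many executions (or a change in the population of computers running the tool) from dominating the period figure.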


In 2H07, the MSRT cleaned about 8 computers for every 1,000 executions (1 out of every 123 computers on which it ran each month). The rate of increase is consistent with the rate observed between 2H06 and 1H07, when it rose from about 3 computers per 1,000 executions to just under 6 computers per 1,000 executions. These increases in malware detections can be attributed to a number of factors:

• Over time, the number of computers running the detection and disinfection tools worldwide has risen, and continues to rise.

• The detection and removal capabilities of the tools themselves have improved. Improvements in the scanning technologies used by the tools allow the tools to detect and remove malware that would have successfully eluded earlier versions.[8] The addition of a number of prevalent malware families to the MSRT in 2H07 also had a significant effect on that tool’s detection figures.

• Malware activity around the world continues to increase as the underground criminal economy expands its use of malware as a method of generating income.

There is no clear reason to believe that any of these trends are likely to reverse in the near future. The number of computers running the detection and disinfection tools is expected to continue to rise, as computers running older versions of Windows are phased out and are replaced by computers running newer versions that incorporate or are compatible with the tools. Meanwhile, financially successful malware creators are motivated to increase their output in order to bring their illicit messages to more users.


[8] This includes improved generic/heuristic detection, in addition to new signatures for specific malware families. See: Clementi, Andreas. “Anti-Virus Comparative No. 16.” November 2007. http://www.av-comparatives.org/seiten/ergebnisse/report16.pdf




Malware Infections by Category

Categorizing threats can be tricky. Malware categories often overlap, and many threats exhibit characteristics of multiple categories. To produce the information and figures in this section, each threat has been associated with the single category that Microsoft security analysts judge to be most appropriate for the threat. See the Glossary, beginning on page 92, for definitions of the categories described in this section.

Figure 20. MSRT disinfections by category, 2H05–2H07 (bar chart; series: 2H05, 1H06, 2H06, 1H07, 2H07; categories: Downloaders/Droppers, Backdoors, Worms, Trojans, Viruses, Rootkits, PWS/Keyloggers; y-axis: 0 to 20 million)

As demonstrated in Figure 20, the MSRT showed significantly increased detections in five of seven tracked malware categories in 2H07, due to the factors discussed earlier—more computers running the tool worldwide, improvements in the tool’s detection and removal capabilities, and increases in the prevalence of malware in general. The most significant trend visible in the MSRT data by far is the dramatic increase in the prevalence of downloaders and droppers, a category of threat that has grown to dominate MSRT disinfections over a very short period of time. Over the past year, in fact, the number of downloader and dropper disinfections has grown from just under 1 million in 2H06 to more than 19 million in 2H07. In 2H07, downloaders accounted for almost half of all the MSRT disinfections worldwide.



Figure 21. MSRT disinfections by category, 2H05–2H07, in percentages (bar chart; series: 2H05, 1H06, 2H06, 1H07, 2H07; categories: Downloaders/Droppers, Backdoors, Worms, Trojans, Viruses, Rootkits, PWS/Keyloggers; y-axis: 0% to 60%)

The vast majority of these downloader and dropper disinfections involve Win32/Zlob and Win32/Renos, which were the first and second most prevalent malware families detected by the MSRT in 1H07, as well as a pair of new families, Win32/ConHook and Win32/RJump. See “Malware Families,” beginning on page 50, for more information about these families. Some of the increase in downloader and dropper disinfections over the past year can be attributed to improvements in the tool’s ability to detect Win32/Zlob in the first half of 2007, as well as the addition of several new families that were added to the MSRT in recent months, like Win32/ConHook and Win32/RJump. Nevertheless, the new and growing dominance of downloaders among infected computers is real and is an unsurprising result of a change in the motivation of malware authors. Malware has evolved into a profit-driven criminal enterprise, and attackers infect computers in order to use them later for their purposes—stealing information, sending spam, installing spyware or adware, and so on. After the attackers have gained access to a victim’s computer through social engineering or a vulnerability exploit, they typically expect to run additional programs to serve these purposes. Downloaders allow attackers to update these programs frequently to evade detection. After the initial illicit code execution, the downloader activates and starts downloading additional files from a remote location. As malware authors develop new ways to profit from malware, they can use preexisting downloader installations to download new code to the controlled computers without having to resort to additional social engineering. (This behavior also helps explain the increase in total disinfections seen in Figure 17.) Downloaders are often persistent, which means that they reinstall and run themselves every time the computer is started or the user logs on. Though their growth is masked somewhat by the increase in downloaders, several other categories of malware remain significant threats. Backdoors, worms, viruses, and trojans continue to account for more than half of all disinfections in 2H07. Rootkits and password stealers (PWS)/keyloggers account for a negligible proportion of disinfections as depicted in Figure 21, although it is important to recognize that many malware families exhibit properties of multiple categories. For example, many variants of Win32/Banker, classified as a trojan, also include password-stealing capabilities. (See page 76 for more information about Win32/Banker.) The breakdown of malware detections from Windows Live OneCare is a bit different from that of the MSRT due to the differing functions and goals of the two tools, but the overall patterns and trends are consistent with data from the other security products and tools used to produce this report, as shown in Figure 22.

Figure 22. Windows Live OneCare detections by category, 2H07 (pie chart): Trojans (28.1%), Downloaders and Droppers (18.3%), Potentially Unwanted Software (16.3%), Adware (15.7%), Exploits (9.1%), Worms (5.8%), Backdoors (2.4%), Rootkits (1.6%), Viruses (1.6%), Password Stealers and Monitoring Software (1.2%). (Totals may not equal 100% due to rounding.)


Malicious software accounts for the majority of threats blocked by Windows Live OneCare in 2H07, with the top two categories—trojans and downloaders—being responsible for nearly half of all detections. Windows Live OneCare provides real-time protection against a variety of threats not covered by the MSRT, including adware and potentially unwanted software, so the threats detected by Windows Live OneCare in 2H07 include these categories, in addition to the ones discussed above. Together, the adware and potentially unwanted software categories account for 32 percent of the threats blocked by Windows Live OneCare. Exploits account for 9.1 percent of Windows Live OneCare detections. The most common exploits detected are Web pages that host iFrame exploits (about 3.0 percent of all Windows Live OneCare detections) and exploits of the ANI vulnerability[9] (about 2 percent of all detections). Worms account for about 5.8 percent of all detections, with Win32/Netsky, a mass-mailer that can also copy itself to network-share folders, topping the list of worms. Whereas Windows Live OneCare provides real-time background protection against threats, the Windows Live OneCare safety scanner is an on-demand tool that users explicitly choose to run, especially when they suspect their computers might have become infected. Despite this, the malware category breakdown from Windows Live OneCare safety scanner data is broadly consistent with that of Windows Live OneCare, as shown in Figure 23.

Figure 23. Windows Live OneCare safety scanner disinfections by category, 2H06–2H07, in percentages (bar chart; series: 2H06, 1H07, 2H07; categories: Password Stealers, Exploits, Viruses, Rootkits, Worms, Backdoors, Adware, Trojans, Potentially Unwanted Software, Downloaders and Droppers; y-axis: 0% to 30%)

[9] See CVE-2007-0038 and MS07-017.




Removals of downloaders and trojans have both increased by nearly 22 percent in absolute numbers since 1H07, consistent with trends observed over the past year. Adware and potentially unwanted software detections continue to decline in relative terms, but remain significant threats. Collectively, these four categories account for more than 75 percent of all disinfections performed by the safety scanner in 2H07, with each of the remaining categories—backdoors, worms, rootkits, viruses, exploits, and password stealers—accounting for less than 5 percent each. Windows Live™ Messenger can be configured to use the Windows Live OneCare safety scanner to scan files as they are transferred over instant message (IM) connections. Unlike the online safety scanner, the scanner integrated into Windows Live Messenger detects and removes only malware and does not detect potentially unwanted software. Data from the Windows Live Messenger scanner differs significantly in some respects from that produced by other tools, in large part due to the emergence of malware families that are designed specifically to use instant messaging (IM) clients as an attack vector.

Figure 24. Windows Live Messenger disinfections by category, 2H06–2H07, in percentages (bar chart; series: 2H06, 1H07, 2H07; categories: Exploits, Password Stealers, Worms, Viruses, Downloaders and Droppers, Trojans, Rootkits, Backdoors; y-axis: 0% to 70%)

Detection of backdoors accounted for 64.3 percent of all Windows Live Messenger disinfections in 2H07, due to the prevalence of a number of backdoor families—notably Win32/Sdbot and Win32/IRCbot—that use Windows Live Messenger to propagate. Win32/Sdbot and Win32/IRCbot are similar, apparently related backdoor trojan families that connect to Internet Relay Chat (IRC) servers to receive commands from attackers. Win32/IRCbot also includes dropper capabilities and has been known to drop copies of Win32/Sdbot, among other families, on infected computers. The next most common category of disinfections, trojans, accounts for only 15.8 percent of disinfections, with all other categories accounting for the remaining 19.9 percent.

Malware Infections by Operating System

For 2H07, as for previous periods, Windows XP SP2 accounts for the most executions by an overwhelming margin, due to its continuing dominance on desktops worldwide, though the proportion of executions involving computers running Windows Vista continues to rise. Figure 25 illustrates the number of executions involving Windows XP SP2 (top graph) and other operating systems (bottom graph).

Figure 25. Monthly MSRT executions by Windows XP SP2 and other operating systems, 2H07 (two line charts, x-axis: Jul-07 through Dec-07; top graph: Grand Total and Windows XP SP2, y-axis 0 to 500 million; bottom graph: Windows Vista, Windows 2K SP4, Windows XP SP1, Windows 2K3 SP2, Windows XP no SP, Windows 2K SP3 and Windows 2K3 SP1, y-axis 0 to 60 million)




To compensate for the unequal deployments of the operating systems monitored and to obtain accurate infection rates for each operating system/service pack combination, a set of normalized graphs were created using the following formula:

    Normalized disinfections(OS) = Disinfections(OS) / Execution percentage(OS)

Figure 26 illustrates the percentages of prevalence of malicious software by operating system (OS) for 2H06, 1H07, and 2H07.

Figure 26. Computers cleaned by operating system, 2H06, 1H07, and 2H07 (six pie charts, shown here as a table; "normalized" columns apply the formula above)

OS / service pack    2H06    2H06 (Normalized)    1H07    1H07 (Normalized)    2H07    2H07 (Normalized)
Windows XP SP2       77.7%   4.9%                 87.5%   7.0%                 87.9%   7.2%
Windows XP SP1       8.7%    23.0%                4.3%    20.9%                3.5%    21.5%
Windows XP no SP     6.8%    36.5%                3.3%    32.9%                2.5%    30.6%
Windows Vista                                     1.1%    2.8%                 3.9%    2.8%
Windows 2K SP4       5.8%    8.7%                 3.0%    6.6%                 1.8%    5.0%
Windows 2K SP3       0.3%    18.0%                0.2%    13.3%                0.1%    12.2%
Windows 2K3 SP2                                   0.1%    7.3%                 0.2%    1.5%
Windows 2K3 SP1      0.6%    2.8%                 0.4%    3.4%                 0.1%    19.2%
Windows 2K3 no SP    0.1%    6.1%                 0.1%    5.8%

(Totals may not equal 100% due to rounding.)



The major trends observed include the following:

• The higher the service pack level, the lower the rate of infection. This trend can be observed consistently across all three operating systems shown for which service packs have been issued. There are two reasons for this:

  • Service packs include fixes for all security vulnerabilities fixed in security updates at the time of issue, and also sometimes include additional security features or changes to default settings to protect users.

  • Users who install service packs generally maintain their computers better than users who do not install service packs, and therefore may also be more cautious in the way they browse the Internet, open attachments, and engage in other activities that can open computers to attack.

• The infection rate for Windows Vista is 60.5 percent less than the infection rate for Windows XP SP2. This is approximately the same ratio as observed for the first half of the year. This is a somewhat surprising result, as the installed base of Windows Vista has grown by tens of millions of users worldwide over the past six months, and the average user profile of Windows Vista can be presumed to have moved on from the early-adopter phase to more closely approximate that of a typical business or home computer user.

• The infection rate for Windows Vista is 91.5 percent less than the infection rate for Windows XP with no service packs installed. (Note that each of the operating system/service pack combinations listed may include computers that have had individual security fixes installed, either through Windows Update or some other delivery mechanism.) Again, this is approximately the same ratio observed for the first half of the year.

• Server versions of Windows typically display a lower infection rate on average than client versions, especially when comparing the latest service pack version for each operating system. Windows Server® 2003, which includes only server editions, has a lower rate of infection than Windows XP, which is intended for home and workplace users. The infection rate of Windows 2000 SP4, which includes both server and client editions, falls between the infection rates of the pure server version (Windows Server 2003 SP2) and the client version (Windows XP SP2). Servers are typically accessed directly only by trained system administrators in controlled enterprise environments, so their effective attack surface tends to be much lower than computers running client operating systems. In particular, Windows Server 2003 and its successors are hardened against attack in a number of ways, reflecting this difference in usage (for example, by default, Internet Explorer cannot be used to browse untrusted Web pages).
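The normalization formula used for Figure 26 and the kind of comparison drawn from it in the list above ("N percent less than"), as an added example (not Microsoft's code). The execution and cleaning counts are constructed and chosen only to keep the arithmetic legible; they are not the report's data, and the percentages they produce are not the report's figures.

```python
"""Per-operating-system infection rates normalized by execution share.

Added illustration (not Microsoft's code). Implements the normalization the
report describes for Figure 26:

    Normalized disinfections(OS) = Disinfections(OS) / Execution percentage(OS)

and then compares the normalized values, which is how a statement such as
"OS A's infection rate is N percent less than OS B's" is derived. All counts
below are constructed; they are not the report's figures.
"""

# Constructed sample: executions and computers cleaned per OS/service pack for one period.
SAMPLE_COUNTS = {
    "Windows XP no SP": {"executions": 12_000_000, "cleaned": 300_000},
    "Windows XP SP2": {"executions": 440_000_000, "cleaned": 2_640_000},
    "Windows Vista": {"executions": 40_000_000, "cleaned": 96_000},
    "Windows 2K3 SP2": {"executions": 8_000_000, "cleaned": 12_000},
}


def execution_share(counts):
    """Each OS's share of all executions, as a percentage (the denominator in the formula)."""
    total = sum(c["executions"] for c in counts.values())
    return {os_name: 100.0 * c["executions"] / total for os_name, c in counts.items()}


def normalized(counts):
    """Computers cleaned divided by execution percentage, per OS."""
    shares = execution_share(counts)
    return {os_name: c["cleaned"] / shares[os_name] for os_name, c in counts.items()}


def normalized_share(counts):
    """Normalized values rescaled to sum to 100, matching the 'normalized' pie charts."""
    norm = normalized(counts)
    total = sum(norm.values())
    return {os_name: round(100.0 * value / total, 1) for os_name, value in norm.items()}


def percent_less(counts, os_a, os_b):
    """How much lower OS A's normalized infection rate is than OS B's, in percent."""
    norm = normalized(counts)
    return round(100.0 * (norm[os_b] - norm[os_a]) / norm[os_b], 1)


if __name__ == "__main__":
    for os_name, share in normalized_share(SAMPLE_COUNTS).items():
        print("%-18s %5.1f%%" % (os_name, share))
    print("Vista vs XP SP2: %.1f%% less" % percent_less(SAMPLE_COUNTS, "Windows Vista", "Windows XP SP2"))
```

Because dividing by execution share is the same as scaling each OS's cleaned-per-execution rate by a common constant, the percent-less comparison does not depend on how large the other operating systems are; it only depends on the two rates being compared. The raw (un-normalized) pie, by contrast, mostly reflects how many computers run each OS.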




Malware Families

A small number of active malware families were responsible for the majority of malware activity detected during 2H07. The top 25 malware families detected by the MSRT accounted for 96.9 percent of all disinfections during 2H07, with the remaining 3.1 percent distributed among the other 71 families detected by the tool. The top 10 families alone were responsible for 77.4 percent of all removals, with more than half (51.5 percent) of all disinfections in 2H07 involving only the top three families. The top two families, Win32/Zlob and Win32/Renos, occupy the same positions they held in 1H07, while the third, Win32/ConHook, is a new addition to the list for this period due to its inclusion in the MSRT in November.

Figure 27. Top 25 malware families detected by the MSRT in 2H07

Rank  Malware Family             Added to the MSRT  Disinfections  Computers Cleaned  Computers Cleaned Change from 1H07  Rank from 1H07
1     Win32/Zlob                 March 2006         14,351,774     4,375,794          149.4%                              1
2     Win32/Renos                May 2007           4,263,697      2,374,746          79.0%                               2
3     Win32/ConHook              November 2007      2,419,023      1,152,151
4     Win32/RJump                October 2007       2,268,529      1,228,200
5     Win32/Rbot                 April 2005         2,257,546      1,168,576          54.7%                               5
6     Win32/Brontok              November 2006      1,767,449      781,835            1.6%                                4
7     Win32/Hupigon              July 2006          1,392,050      720,814            -20.5%                              3
8     Win32/Jeefo                August 2006        1,358,413      471,713            3.7%                                8
9     Win32/Parite               January 2006       1,297,617      402,463            11.3%                               10
10    Win32/Nuwar, WinNT/Nuwar   September 2007     1,274,684      526,607
11    Win32/Sdbot                May 2006           970,536        563,963            188.9%                              13
12    Win32/Zonebac              August 2007        906,762        543,882
13    Win32/Banker               August 2006        907,054        538,183            12.9%                               7
14    Win32/Virut                August 2007        848,872        502,936
15    Win32/IRCBot               December 2005      766,828        460,939            60.2%                               12
16    Win32/Alureon              March 2007         803,905        555,785            -18.4%                              6
17    Win32/Alcan                February 2006      584,260        338,103            -20.4%                              9
18    Win32/Wukill               October 2005       495,517        245,303            -15.4%                              11
19    Win32/Busky                July 2007          462,744        197,259            99.4%                               16
20    Win32/Tibs                 October 2006       420,521        235,747
21    Win32/Fotomoto             December 2007      297,233        190,808
22    Win32/Stration             February 2007      264,329        85,527             -50.4%                              14
23    Win32/Bancos               September 2006     201,514        119,647            -13.7%                              15
24    Win32/Chir                 July 2006          153,657        79,489             45.7%                               17
25    Win32/Bagle                March 2005         130,074        69,580             57.3%                               19


The most prevalent malware family detected by the MSRT in 2H07 by a significant margin was Win32/Zlob, which was removed more than three times as often in 2H07 (and from almost twice as many computers) as any other individual family. The number of distinct computers infected by Win32/Zlob in 2H07 was up 149.4 percent from 1H06, following a 387.8 percent rise between 2H06 and 1H07. Win32/Zlob typically poses as a media codec a user must download to watch video content downloaded or streamed from the Internet. Some Zlob variants even include an end-user licensing agreement (EULA) when installing. Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake “spyware warnings” that are actually advertisements for rogue security software. (See page 82 for more information on rogue security software.) Win32/Renos was the second most prevalent family detected and removed by the MSRT in 2H07 for the second half-year period in a row, infecting 79 percent more distinct computers than in 1H07. The Win32/Renos family automatically downloads potentially unwanted software, such as SpySheriff, SpyAxe, SpyFalcon, SpyDawn, SpywareStrike, and other similarly named programs. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability. Symptoms of a Win32/Renos infection may differ according to the particular variant. The trojan may display a red (possibly blinking) icon in the system tray and may also display a deceptive message that says the computer is infected; the warning encourages the user to download certain software that claims to provide malware or spyware protection. Figure 28 shows two variations of a warning message that may appear. Figure 28. Two examples of fake warning messages displayed by different variants of Win32/Renos




Win32/ConHook is a new downloader family that was added to the MSRT in November 2007. In November and December, the MSRT removed Win32/ConHook from infected computers enough times for it to place third on the list of total disinfections by family for all of 2H07. (It is not unusual for the MSRT to remove a family from a large number of computers in the first month that the family is added to the tool, though Win32/ConHook is notable for the large number of disinfections in just two months of a six-month period.) Win32/ConHook variants install themselves as browser helper objects (BHOs) and connect to the Internet without user consent. They also terminate specific security services and download additional malware to the computer. There are six other new families in the MSRT top 25:

• Win32/RJump is a worm that attempts to spread by copying itself to newly attached media (such as USB memory devices or network drives). It also contains backdoor functionality that allows an attacker unauthorized access to an infected machine.

• Win32/Nuwar (including WinNT/Nuwar) is a family of trojan droppers that attempts to connect affected computers to a large botnet. See “A Focus on Win32/Nuwar (The ‘Storm Worm’)” on page 60, for more information about this threat.

• Win32/Zonebac is a family of backdoor trojans that allows a remote attacker to download and run arbitrary programs, and which may upload computer configuration information and other potentially sensitive data to remote Web sites.

• Win32/Virut is a family of file-infecting viruses that target and infect .exe and .scr files accessed on infected systems. Win32/Virut also opens a back door by connecting to an Internet Relay Chat (IRC) server, allowing a remote attacker to download and run files on the infected computer.

• Win32/Busky is a family of trojans that monitor and redirect Internet traffic, gather system information, and download potentially unwanted software, such as Win32/Renos and Win32/SpySheriff. Win32/Busky may be installed by a Web browser exploit or other vulnerability when visiting a malicious Web site.

• Win32/Fotomoto is a trojan that lowers security settings, delivers advertisements, and sends system and network configuration details to a remote Web site.

The rest of the families in the top 25 were added to the MSRT during previous periods. Of the returning families, only Win32/Parite and Win32/Sdbot increased their rank from 1H07, with the other families remaining flat or declining in relative terms (though many families increased in absolute terms, in keeping with the general trend of rising malware prevalence). Win32/Parite is a file infector. Exterminating file infectors is difficult because they often infect a large number of files on the system and on network shares, and because infected files may be Windows system files or other files that the user needs. The increase in the number of removals for Win32/Sdbot is the result of improved detection. (See page 46 for more information about Win32/Sdbot.) The list of the top 10 families detected by Windows Live OneCare and the Windows Live OneCare safety scanner in 2H07 differs in some respect from the MSRT list, notably because the Windows Live OneCare products offer protection against a number of families not covered by the MSRT, including potentially unwanted software. Thousands of different malware and potentially unwanted software families are detected by Windows Live OneCare, with the top 10 accounting for 37 percent of all disinfections.

Figure 29. Top 10 malware families detected by Windows Live OneCare in 2H07 (pie chart): Agent (11.6%), Zlob (4.8%), Vundo (3.9%), Virtumonde (3.8%), IframeRef (2.9%), Renos (2.4%), ConHook (2.3%), Anicmoo (2.0%), Small (1.6%), Psyme (1.5%), Other (63.0%). (Totals may not equal 100% due to rounding.)

Figure 30. Top 10 malware families detected by the Windows Live OneCare safety scanner in 2H07

Family              Disinfections  Computers Cleaned
Win32/Agent         169,168        101,959
Win32/Zlob          268,835        81,738
Win32/Small         118,817        78,561
JS/Agent            69,122         57,304
Win32/Renos         73,253         52,756
Win32/Obfuscator    67,533         44,071
Win32/VB            51,141         36,118
Win32/Delf          46,644         34,074
Java/Classloader    71,158         31,618
Win32/ConHook       38,209         24,624




Win32/Zlob places high on both lists, as with the MSRT. Two entries that appear prominently on both lists, Win32/Agent and Win32/Small, are generic detections used for malware that has not been categorized into particular families. Primarily, this group consists of trojans, droppers, and downloaders, although it can also include worms. JS/Agent, Win32/Delf, and Win32/VB are similar generic detections. Win32/Obfuscator is a generic signature for programs that have had their purpose obfuscated to hinder analysis and detection. Families ranked highly on the Windows Live OneCare and Windows Live OneCare safety scanner lists that were not detected by the MSRT during 2H07 are typically new or newly prevalent families, and provide insight into the kinds of threats that may occupy an increasing share of security professionals’ attention in the future. Two notable families, Win32/Virtumonde and Win32/Vundo, are two closely related families that deliver out-of-context pop-up advertisements. Win32/Virtumonde and Win32/Vundo typically install themselves as BHOs without the user’s consent. Some variants also display characteristics of trojan downloaders or other categories of malware.

Malware Activity and Variants

Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors. Counting variants is one way to determine which families and categories of malware are currently most active (in other words, which families and categories are currently being most actively worked on by their developers), and how effective such activity is in helping malware developers reach their goal of infecting large numbers of users. The Microsoft Malware Protection Center (MMPC) collects and analyzes unique malware samples from many different sources in an effort to accurately understand the state of malware development activity.

Figure 31. Unique samples of new malware collected by the Microsoft Malware Protection Center (MMPC) in 2H07 (bar chart; categories: Trojans, Downloaders/Droppers, Viruses, Exploits, Worms, PWS/Keyloggers, Backdoors, Rootkits; vertical axis: number of samples, 0 to 1.4 million)


A number of factors complicate the counting of variants. A single variant of a file infector may produce large numbers of unique samples when it infects files, which would have the effect of inflating the reported infected-files count for the file infector without necessarily indicating massive activity on the part of its authors. In addition, as malware variants proliferate, many vendors are using generic signatures more frequently. A generic signature looks for commonalities between known variants of a specific malware family and uses those commonalities to detect the different files associated with the malware. Generic signatures can also sometimes catch new variants of a family as soon as they are released, if they are similar enough to past variants. This approach has worked well for a number of widespread families. For families that are successfully detected by a generic signature, it’s not possible to get an accurate count of variants as they are traditionally understood. In this section, therefore, the number of unique samples received that are detected by a generic signature is counted as the number of variants for that family.

Figure 32. Malware categories by number of variants, 2007 (bar chart comparing 1H07 and 2H07; categories: Downloaders/Droppers, Trojans, Viruses, Backdoors, Exploits, PWS/Keyloggers, Worms, Rootkits; vertical axis: number of variants, 0 to 250,000)

Figure 33. Top 25 most-active malware families by number of variants, 2H07

(The category columns Trojans, Downloaders/Droppers, Viruses, Exploits, Worms, PWS/Keyloggers, Rootkits, and Backdoors, which mark the components each family contains, are not reproduced here.)

Malware Family        Variants
Win32/Zlob              84,910
HTML/IframeRef          33,428
Win32/Zonebac           31,685
Win32/Dialsnif          30,260
Win32/Vanti             20,369
Win32/Vxidl             16,607
Win32/SystemHijack      14,893
Win32/Virtumonde        13,872
Win32/Renos             12,951
Win32/Bankrypt          12,934
Win32/Anomaly           12,885
Win32/DelfInject        12,506
Win32/Luder             12,195
Win32/Vundo             12,130
JS/Psyme                10,156
Win32/WinShow            6,869
Win32/SpamThru           6,863
HTML/Expascii            6,741
Win32/Baglezip           6,489
Win32/Scano              5,661
Win32/Diamin             5,455
Win32/Zbot               4,989
Win32/Swizzor            4,672
VBS/Starter              4,576
Win32/MS05002            4,127
HTML/MhtRedir            4,037
Win32/Lowzones           3,696
Win32/Ceekat             3,597


Many of the most active families have multiple components, as indicated in Figure 33. For example, some families contain a downloader component that downloads other components, such as keyloggers, trojans, rootkits, backdoors, or others. Trojans and downloaders continue to be the two most actively developed malware categories, consistent with the meteoric rise of the downloader as the front-line malware delivery mechanism of choice for modern malware developers. The downloader family Win32/Zlob, discussed earlier, is an excellent example, including nearly 85,000 discovered variants, which is quadruple the number known at the end of 1H07. This proliferation of variants— more than twice as many as the second most active family on the list—has helped Win32/Zlob become the most widespread malware family in the world by a huge margin. The second-highest number of variants belongs to HTML/IframeRef, a generic detection for exploits that use malicious iFrame tags to surreptitiously or forcibly redirect the user to other malicious Web pages. The iFrame exploits were found on 33,428 pages in 2H07, down from nearly 86,000 in the first half of the year, a decrease of 61 percent. Patches for the iFrame vulnerability have been available for several years; as more Windows systems get patched over time, the effectiveness of exploiting old vulnerabilities decreases, and such exploits are less commonly used.

Geographic Distribution

The MSRT executes on hundreds of millions of systems worldwide. To compensate for the unequal use of different locales worldwide, the infection rate data in this section has been normalized by the execution percentage of a locale, similar to the normalization of operating system numbers performed earlier. The normalization formula used is as follows:

$$\text{Normalized disinfections}_{\text{Locale}} = \frac{\text{Disinfections}_{\text{Locale}}}{\text{Execution percentage}_{\text{Locale}}}$$

As a general rule, more malware is proportionally found by the MSRT in developing countries/regions than in developed countries/regions. For example, the most infected country/region in Europe is Albania, while the least infected countries/regions in Europe are Austria and Finland. In the Asia-Pacific region, the most infected countries/regions are Mongolia and Vietnam, while the least infected countries/regions are Taiwan and Japan. The United States is proportionally less infected than most of the countries/regions in the Americas. This trend makes sense because the deployment of security products is wider in developed countries/regions, and user education around computer safety is usually better.


Figure 34. Malware detections by country/region

The figure for each locale, as shown in Figure 35, was obtained by determining the infection rate for the locale for each of the six months in the second half of 2007, and then averaging those figures to produce a single figure for the entire six-month period. An asterisk (*) means that the locale had at least one month in which no infections were discovered.
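The normalization formula and the six-month averaging described above, worked in Python as an added example (not the report's own code). The telemetry values and locale names are constructed, and the choice to leave a zero-infection month out of a locale's average (while flagging it with the asterisk) is an assumption, since the report does not say how such months were averaged.

```python
"""Locale infection figures normalized the way the report describes, as an
added example (not the report's own code).  Implements

    normalized disinfections(locale) = disinfections(locale) / execution share(locale)

and the Figure 35 metric: the locale's MSRT executions per computer cleaned,
averaged over the six months of 2H07 (higher = proportionally less infected),
with an asterisk for any locale that had a month with no infections.
All telemetry values and locale names below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class MonthlyTelemetry:
    executions: int         # MSRT executions reported from the locale that month
    computers_cleaned: int  # distinct computers the MSRT cleaned there that month


def execution_share(executions: int, worldwide_executions: int) -> float:
    """Fraction of all MSRT executions that ran in the locale."""
    if worldwide_executions <= 0:
        raise ValueError("worldwide executions must be positive")
    return executions / worldwide_executions


def normalized_disinfections(month: MonthlyTelemetry, worldwide_executions: int) -> float:
    """The report's formula: disinfections divided by the locale's execution share."""
    share = execution_share(month.executions, worldwide_executions)
    if share == 0:
        raise ValueError("locale reported no MSRT executions")
    return month.computers_cleaned / share


def executions_per_computer_cleaned(months: list[MonthlyTelemetry]) -> tuple[float, bool]:
    """Figure 35 metric: mean over the months of executions / computers cleaned.

    A month with zero computers cleaned has no finite ratio.  Assumption made
    here: such a month is left out of the mean and the locale is flagged, which
    is what the asterisk in Figure 35 marks.  Returns (average, flagged).
    """
    ratios: list[float] = []
    flagged = False
    for m in months:
        if m.computers_cleaned == 0:
            flagged = True
            continue
        ratios.append(m.executions / m.computers_cleaned)
    if not ratios:
        raise ValueError("no month with a computable ratio")
    return sum(ratios) / len(ratios), flagged


def cleaned_per_million_executions(computers_cleaned: int, executions: int) -> float:
    """Rate used in Figure 38: computers cleaned per 1,000,000 MSRT executions."""
    if executions <= 0:
        raise ValueError("executions must be positive")
    return computers_cleaned * 1_000_000 / executions


def rank_locales(data: dict[str, list[MonthlyTelemetry]]) -> list[tuple[str, int, bool]]:
    """Rows of a Figure 35 style table: (locale, rounded average, asterisk flag),
    sorted from most infected (lowest executions per cleaned computer) upward."""
    rows = []
    for locale, months in data.items():
        avg, flagged = executions_per_computer_cleaned(months)
        rows.append((locale, round(avg), flagged))
    return sorted(rows, key=lambda r: r[1])


# Constructed sample telemetry for two hypothetical locales over six months.
SAMPLE = {
    "Locale A": [MonthlyTelemetry(1_000_000, c) for c in (5_000, 4_000, 5_000, 4_000, 5_000, 4_000)],
    "Locale B": [MonthlyTelemetry(100_000, c) for c in (2_000, 0, 2_000, 2_000, 0, 2_000)],
}

if __name__ == "__main__":
    for locale, avg, flagged in rank_locales(SAMPLE):
        print(f"{locale:<10} {avg:>5}{'*' if flagged else ''}")
```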

Figure 35. Normalized disinfections by country/region

Values are the 2H07 average (MSRT executions / computers cleaned) for each locale. An asterisk (*) marks a locale with at least one month in which no infections were discovered.

Country/Region           2H07 Avg.   Country/Region           2H07 Avg.   Country/Region           2H07 Avg.
Afghanistan                    17    Oman                           75    South Africa                  131
Morocco                        32    Brazil                         76    Slovakia                      132
Albania                        33    Azerbaijan                     77    Philippines                   137
Mongolia                       33    Spain                          78    Belarus                       140
Bahrain                        35    Bosnia and Herzegovina         78    Estonia                       141
Turkey                         39    Bolivia                        79    United Kingdom                144
Dominican Republic             41    Zimbabwe                       79    Indonesia                     145
Egypt                          41    Ecuador                        81    Belgium                       145
Iraq                           42    El Salvador                    84    Argentina                     152
Algeria                        45    Serbia and Montenegro          85    Brunei Darussalam             156
Saudi Arabia                   45    Russia                         88    Norway                        160
Lebanon                        49    Croatia                        89    Sweden                        164
Jordan                         49    Slovenia                       91    Hong Kong SAR, PRC            165
Romania                        51    Tajikistan                     91    Netherlands                   170
United Arab Emirates           55    Puerto Rico                    92    Canada                        172
Yemen                          57    Kenya                          95    Greenland                     173
Libya                          58    Faroe Islands                  95    Uruguay                       179
Vietnam                        60    Nicaragua                      96    India                         181
Pakistan                       60    Belize                        100    Switzerland                   182
Macedonia                      61    Bulgaria                      102    Ireland                       187
Honduras                       62    Ukraine                       102    Italy                         189
Tunisia                        63    France                        104    Latvia                        194
Iran                           63    Macao SAR                     106    Singapore                     199
Panama                         66    Colombia                      107    Czech Republic                199
Syria                          66    Israel                        109    Denmark                       203
Jamaica                        67    Liechtenstein                 110    Australia                     204
Korea                          67    Costa Rica                    110    Nigeria                       204
Chile                          67    Hungary                       111    China                         214
Qatar                          67    Kazakhstan                    112    Malaysia                      216
Portugal                       67    United States                 112    Germany                       226
Mexico                         68    Greece                        114    Rwanda                        239
Thailand                       68    Trinidad and Tobago           115    Austria                       242
Guatemala                      70    Peru                          116    New Zealand                   264
Uzbekistan                     70    Iceland                       124    Finland                       265
Monaco                         73    Lithuania                     126    Taiwan                        305
Paraguay                       73    Poland                        126    Senegal                       372
Venezuela                      74    Caribbean                     128    Japan                         685
Kuwait                         74    Luxembourg                    130    World Wide Average            123


A Focus on Win32/Nuwar (the “storm worm”)

Win32/Nuwar, called the storm worm in some reports, is a family of trojans and associated components discovered in early 2007. By continually updating and adapting Win32/Nuwar in an effort to thwart detection and removal efforts, its authors have created a botnet that is estimated to have consisted of half a million infected systems worldwide at some points. During the second half of 2007, the Win32/Nuwar authors continued to adapt their attacks technically, by updating and developing the binary components that make up the Nuwar family of malware, and socially, by tailoring their e-mailed pitches and by finding new and different ways to leverage the botnet’s ability to send spam at their command. The second half of 2007 was a period of consistent permutation and adaptation.

Technical Information

The main peer-to-peer (P2P) component is capable of disseminating spam. It can also harvest e-mail addresses from the local machine and participate in distributed denial of service attacks. As with other components, the authors continued to develop and improve the worm in the second half of 2007. In October, variants emerged that had the ability to modify Web pages found on the local machine by inserting an iFrame tag. Modified Web pages observed in the wild pointed to remote sites hosting browser exploits; these pages are then used to disseminate Nuwar to unsuspecting visitors. Win32/Nuwar uses server-side polymorphism to disseminate itself, employing the encryptor commonly referred to as Tibs to create thousands of different binaries for the same piece of malware. These different binaries are not considered variants because the binary obfuscation does not change the underlying function of the malware. By disregarding the outer layer of obfuscation, observers have identified 17 different variants introduced in 2H07, an average of almost three new releases per month.


Many of the changes detected with each Nuwar release relate to how a system is infected. Nuwar always presents a moving target, transforming any telltale sign of infection from one release to the next. For example, a new variant first observed in July infected the system file kbdclass.sys. This infection was moved to tcpip.sys in a later variant, and then removed entirely in October. Process injection was another technique that was introduced, removed, and reintroduced during December.

The Win32/Nuwar authors introduced two additional enhancements at the beginning of October. The first enhancement uses a 40-bit key to encrypt communication between Nuwar peers on the network, making observation of network traffic more difficult. All releases observed during 2H07 made use of the same key. The second enhancement enables the main component to make multiple copies of itself on local, network, and removable drives; however, no method was implemented that would execute this copy, so it would have to be manually executed by a user.


Dissemination

The Nuwar authors harness the power of their botnet with frequent spam campaigns, with the goal of maintaining and expanding the size of the network by persuading new users to run the Nuwar malware. Social engineering is their primary method for luring new targets. The authors appeal to primal emotions and urges like empathy, guilt, desire, sex, and fear. The storm nickname comes from an early subject line, “230 dead as storm batters Europe,” used to propagate the worm in the wake of a severe winter storm that devastated parts of Europe in January 2007. E-mail subject lines have generally used fictitious and incendiary topics, often inspired by contemporary headlines. Other subject lines have included:

• U.S. Southwest braces for another winter blast. More than 1000 people are dead
• [Chinese/Russian] missile shot down [Chinese/Russian/USA] [satellite/aircraft]
• A kiss for you

During 2H07 the authors shifted their malware delivery tactics, sending more spam that contained links to malware hosted on remote sites, instead of binary attachments. By shifting to remotely hosted content, the authors were able to make use of browser exploits to increase the effectiveness of their spam campaigns.


Some spam campaigns have centered around holidays and other festive events, and often use highly appealing visuals. Some of the campaigns from 2H07 were associated with events like Independence Day, Labor Day, Halloween, Christmas, and New Year’s Eve.

Figure 36. Holiday-themed lures used humor and provocative imagery to appeal to potential targets.

In order to achieve maximum effectiveness from social engineering, each spam run tends to include many varied subjects and message bodies. An “Invitation to Beta Test” lured users with a promise of free software:

Subject: Can you help us out?

Body: Please give us a hand with our new software development Home Improvement Planner This will help us get the software ready for consumer release. To say thanks, Beta testers will receive a free copy and 5 years of free updates.
1: Download the software
2: Try it
3: Tell us what you think
If you would like to help us with this no obligation Beta test, follow this link to our secure download server:


A YouTube–themed lure from August used a spoofed URL accompanied by various salacious message bodies to grab attention. Clicking on the purported YouTube link would take the user to a Web site laden with exploits.

Subject: sheesh man, what are you thinkin
Body: OMG, what are you doing man. This video of you is all over the net. take a look, lol...

The second half of 2007 saw many other effective campaigns with well-designed imagery, such as “Arcade World” and “NFL Game Tracker” from September, and “Laughing Psycho Kitty Cat” and “Krackin v1.2” from October.

NFL Tracker Lure
Subject: Get Your Free NFL Game Tracker
Body: Football is back, Life may resume again! Know all the games, what time, what channel and the stats. Get all the info you need from our online game tracker:

Laughing Psycho Kitty Cat Lure
Subject: I’ve never laughed so hard!
Body: Click here to view your laughing kitty card online.

In addition to these social engineering tactics, the Nuwar authors used at least 10 different browser-based exploits in 2H07 to deliver malware to unsuspecting targets. These exploits targeted vulnerabilities in Windows, Internet Explorer, and QuickTime, as well as Microsoft ActiveX® controls from WinZip, Yahoo! Messenger, GOM Player, NCTAudioFile, and SuperBuddy. (Patches are available for each of the vulnerabilities, some of which date back to 2006.)

Botnet Usage

In addition to the self-promoting spam discussed earlier, the Nuwar botnet is also used to send traditional unsolicited e-mails. Nuwar has been used to send stock, commodity, and pharmacy spam messages; work from home scams; and e-mails linking to phishing sites. The botnet has also been used to deliver unsolicited messages in unconventional ways, such as an MP3-encoded audio file of a computer-generated feminine voice promoting a specific stock. Nuwar has also been used to send spam that “promotes” other malware, such as the password stealer PWS:Win32/Zbot.


Disinfections

The Win32/Nuwar malware family was added to the MSRT in September 2007. Four monthly editions of the MSRT (September through December) were therefore released with support for detecting and removing Nuwar during 2H07.

Figure 37. MSRT removals of Win32/Nuwar, September–December 2007 (bar chart of disinfections and computers cleaned per month, Sep-07 through Dec-07; vertical axis 0 to 700,000)

As expected, the first month of release had the largest effect, with 291,227 distinct Nuwar-infected computers cleaned worldwide, or 774 computers disinfected for every 1,000,000 executions of the MSRT, as shown in Figure 38. A total of 626,886 Nuwar-related disinfections were recorded by the MSRT in September, which means that each Nuwar cleaning involved an average of 2.2 separate components. (See the Glossary for more on the difference between cleaning and disinfecting.) Over the following three months, Nuwar was removed from an average of 115,132 computers each month. In total, 526,605 distinct Nuwar-infected computers were cleaned over the last four months of 2007. A minority of the computers from which Nuwar components were removed in 2H07 were later reinfected. Adding together the Nuwar cleanings over the last four months of 2007 yields a total of 636,623 disinfections, which is 110,018 greater than the number of distinct computers cleaned. The 110,018 figure represents the total number of reinfections that occurred during the last four months of 2H07 (though not necessarily the total number of reinfected computers, as some computers may have been reinfected more than once).


Figure 38. Number of computers disinfected of Win32/Nuwar for every 1 million executions of the MSRT, September–December 2007 (bar chart, Sep-07 through Dec-07; vertical axis 0 to 800)

On the individual component level, one of the P2P components was removed from 249,682 distinct computers over the four-month period, with 7,570 reinfections. Variants of the P2P component that exhibited parasitic viral characteristics were released between approximately the end of July and the beginning of October. These Virus:Win32/Nuwar variants were removed from a total of 98,141 distinct computers during 2H07. In late December 2007, the Nuwar authors waged an aggressive spam campaign using a pool of 15 different domain names manipulated with the fast-flux technique, which involves rapidly altering Domain Name Service (DNS) records in an attempt to impede efforts to shut the network down. Extrapolating from the telemetry data provided by the Hotmail Feedback Loop (FBL), a mechanism that allows over 100,000 randomly selected Hotmail users to give feedback about which of their messages are good and which are spam, suggests that about 120,000 botnet IP addresses participated in the attack between December 24 and December 31.[10]

[10] The FBL detected a total of 7,418 distinct IP addresses participating in the attack between December 24 and December 31. During this time period, a total of 12,000,000 e-mails were sent to Hotmail from those distinct IP addresses, yielding an average of 1,600 e-mails per IP address. All Nuwar IP addresses are estimated to have sent at least 191,000,000 e-mails to Hotmail during the last week of 2H07. If each peer sent an average of 1,600 e-mails to Hotmail during the attack, that suggests that the total number of IP addresses that participated in the attack was at least 120,000.


Fighting Win32/Nuwar

The sophisticated methods that the Win32/Nuwar botnet uses to cover its tracks make it very difficult to fight directly. The best way for IT professionals to help neutralize Win32/Nuwar is to educate users to take overall protective actions against malware and other threats, including:

• Use an anti-malware product from a known, trusted source, and keep it updated.
• Enable Automatic Updates in Windows, which ensures that the MSRT is downloaded every month.
• Avoid opening attachments or clicking on links in e-mail or instant messages that are received unexpectedly or from an unknown source. Use a mail client that suppresses active content and that blocks unintentional opening of executable attachments.

Users should be urged to take these preventative actions on any computers they have at home, as well as at work. Monitoring Internet-based IT security communities also helps security personnel stay up to date on the latest social engineering methods used to lure victims into installing the malware and helps them warn their users accordingly.

A Focus on E-Mail Threats

Over 90 percent of all e-mail messages sent over the Internet today are spam. In addition to annoying the recipients and taxing the resources of e-mail providers, the flood of spam creates a potent vector for malware attacks and phishing attempts. Effectively combating spam and phishing is a top priority, not only for e-mail providers, but also for operators of social networks and other online communities—in short, any entity that provides communications services to users.

Spam Trends

Despite advances in filtering technologies that have helped keep spam out of users’ inboxes, spam remains a huge and growing threat that taxes the resources of the worldwide e-mail infrastructure. Microsoft Exchange Hosted Services (EHS),[11] which provides e-mail filtering services to subscribing companies and organizations around the world, blocked the delivery of 94 percent of inbound e-mail messages in the second half of 2007.

[11] For more information, see http://www.microsoft.com/exchange/services.


Figure 39. Percentage of inbound messages blocked by Exchange Hosted Services, July–December 2007 (line chart, Jul-07 through Dec-07; vertical axis 85% to 100%)

As Figure 39 shows, EHS experienced a prolonged increase in the volume of blocked messages that began in August and lasted through December. Spam is seasonal, to an extent; for the last several years, EHS has detected a significant temporary rise in spam volume at the end of the calendar year, typically beginning around October and lasting through December. In 2007, owing primarily to elevated Win32/Nuwar activity, this increase began about three months early and stayed strong through the end of the year. (See page 83 for more information on Win32/Nuwar.) As with malware, spam has evolved from a tool used by small operators to one typically used by larger, organized criminal groups to perpetuate scams and to sell fraudulent or dubious goods and services. An estimated 80 percent of spam received by Windows Live Hotmail in mid-2007 was sent through distributed botnets, like the one created by the Win32/Nuwar worm. Botnets typically consist of hijacked computers in multiple countries, making it difficult or impossible to defend against them using IP blocks. Botnets are frequently used to launch short, extremely intense spam campaigns that can send as many as 5 million messages in less than an hour, leveraging the power of tens of thousands of hijacked computers worldwide. Hijacked computers are also often used to send much lower volumes of spam for longer periods of time in an effort to avoid triggering IP blocks. A botnet sending very low volumes of spam can remain largely intact for several months.


As with the senders behind spam and the mechanisms used to send it, the content of spam messages has changed and evolved over the past several years. Figure 40 illustrates the shift in subject matter of spam messages reported by Windows Live Hotmail users between 2004 and 2007.

Figure 40. Categories of spam reported by Windows Live Hotmail users in 2004 and 2007

Category               2004   2007   Change   Description
OtherSpam               13%    33%      20%   Everything else that appears to be spam
Rx/Herbal               10%    31%      21%   Cheap drugs or herbal supplements
Scams                    6%    14%       8%   Get rich quick, phishing scams, and so on
Dubious Products        10%    11%       1%   Pirated software, diplomas, and so on
Financial               13%     4%      -9%   Refinancing, get out of debt, financial advice
Travel/Casino            3%     4%       1%   Airline tickets, hotel reservations, rental car; Internet casino sites; other gaming sites
Porn/Sex Non-graphic    34%     3%     -31%   Enhancers with sexual connotation, link to porn
Porn/Sex Graphic         7%     0%      -7%   Anything that contains pornographic images
Insurance                4%     0%      -4%   Health, dental, life, home, auto insurance

The largest observed increase has been in spam selling cheap drugs or herbal remedies, which tripled its share of all spam between 2004 and 2007, followed by outright scam messages, including phishing attempts. Pornographic spam, the largest category in 2004, had greatly diminished by 2007, further evidence of a long-term shift in the spam landscape away from reviled but (in many jurisdictions) legal products, and towards the underground economy of illegal products and scams.

Malware and E-Mail

Despite the rise in malware activity documented elsewhere in this report, only 0.07 percent of inbound messages handled by EHS in 2H07 were filtered for containing malware, similar to previous periods. This should not necessarily be taken as an indicator of the prevalence of malware in the e-mail stream as a whole, as the EHS filters only handle mail that makes it past a series of non-content–based edge blocks. (See “Fighting E-Mail Threats” on page 70 for more information about these blocks.) As the 0.07 percent figure is significantly lower than most estimates of the proportion of e-mail that is infected by malware, it may be concluded that much of the infected e-mail exhibits qualities of spam and can be effectively mitigated using typical spam-fighting methods.


Phishing

Phishing remained a significant threat in 2H07, eroding people’s trust in the Internet and harming the reputations of the institutions victimized by phishing sites. The number of live phishing pages tracked by the Microsoft Phishing Filter remained roughly constant in 2H07, with new pages being discovered at approximately the same rate that older pages were going offline. Phishing is still predominantly an English-language phenomenon. Typically, 75–80 percent of the active phishing pages tracked by the Microsoft Phishing Filter at a given moment in 2H07 were English language pages, with European languages, like Italian, Spanish, German, French, and Turkish, accounting for most of the remainder. Asian languages, like Chinese, Japanese, and Korean, currently account for a very small percentage of active pages. Among English-language pages, banks and other financial institutions in the United States are the most frequent targets, though pages targeting institutions in the United Kingdom and India were observed to be on the rise in 2007. Once a largely e-mail–based phenomenon, phishing attempts are increasingly being posted to social networks, exploiting the trust that victims place in these networks and in the friends with whom they have connected through them. One recent attack on a large social networking site involved obtaining login credentials from victims through phishing messages posted to their profiles; the phishers then used an automated program to log into the victims’ accounts and post additional phishing messages to all of the victims’ contacts on the service, repeating and perpetuating the process. The techniques used by phishers to host Web pages and attract victims have evolved over time. Currently, about three-fourths of known active phishing pages are hosted on hijacked servers, often in obscure locations where illicit pages may not be discovered immediately (for example, a directory like /images/temp). The remaining active pages are typically split between botnets and free Web hosts. While some phishing attempts involve simply posting a Web page on a server and collecting as much personal information from visitors as possible in the short time before the page is discovered and shut down, more sophisticated attempts involve using tricks like DNS fast flux to rapidly rotate between pages on large numbers of compromised hosts.


Fighting E-Mail Threats

Effectively fighting spam and phishing requires a multipronged strategy. Despite the increasingly sophisticated tricks employed by spammers, some of the simplest spam-fighting techniques, like blocking the IP addresses of known offenders, remain very effective. Windows Live Hotmail has used IP blocking to cut spam from 90 percent of the e-mail stream down to about 40 percent. Some additional blocking mechanisms that have proven effective include:

• SMTP connection analysis. SMTP clients that use malformed or nonstandard syntax when connecting to a host are more likely to be sources of spam.
• Recipient validation. Spammers often send to random addresses within a domain (for example, john@example.com; jsmith@example.com; jdoe@example.com) hoping that some of them will correspond to valid e-mail accounts. Some providers block the delivery of messages that contain nonexistent domain addresses in the To: line, so that valid addresses will not receive them.

Techniques such as these can help block incoming spam messages at the edge, precluding the need to subject them to more computationally intensive forms of validation, like Bayesian screening and sender authentication. In 2H07, EHS blocked 88.2 percent of incoming messages at the edge using a combination of IP address–based reputation management, SMTP connection analysis, and recipient validation. (Additional filters classified 77.9 percent of the remaining messages as spam.) As spammers and phishers continue to modify and improve their techniques, large e-mail providers are likely to accelerate the development and adoption of anti-spam frameworks that combine authentication and reputation management to more accurately identify bad actors and prevent false positives. Fighting phishing requires different techniques than fighting spam because phishing attempts are designed to resemble legitimate communications in every way. Users should be encouraged to use Web browsers with anti-phishing features, like Internet Explorer 7 and Mozilla Firefox 2, which display alerts when users attempt to visit known phishing sites.

Figure 41. Phishing alerts in Internet Explorer 7, left, and Mozilla Firefox 2, right
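The three edge checks described above (IP reputation, SMTP connection analysis, recipient validation), run in order over constructed SMTP session summaries, as an added example that is not EHS or Windows Live Hotmail code. The reputation list, the local user directory, the protected domain, and the session data are all hypothetical.

```python
"""Edge-blocking checks of the kind the report lists (IP reputation, SMTP
connection analysis, recipient validation), as an added example; this is not
EHS or Windows Live Hotmail code.  The reputation list, local user directory
and SMTP sessions below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# RFC 5321 HELO/EHLO argument: a dotted hostname made of letter/digit/hyphen
# labels, or an address literal such as [192.0.2.1].  A bare word like
# "localhost" or a label starting with "-" is treated as nonstandard syntax.
_HOSTNAME = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)
_ADDRESS_LITERAL = re.compile(r"^\[\d{1,3}(\.\d{1,3}){3}\]$")

LOCAL_DOMAIN = "example.com"                    # the domain this edge protects
KNOWN_USERS = {"alice", "bob"}                  # hypothetical user directory
BLOCKED_IPS = {ip_address("198.51.100.23")}     # hypothetical reputation list


@dataclass(frozen=True)
class SmtpSession:
    client_ip: str
    helo: str              # the HELO/EHLO command line as the client sent it
    recipients: tuple[str, ...]


def helo_is_wellformed(line: str) -> bool:
    """SMTP connection analysis: does the greeting use standard syntax?"""
    parts = line.split()
    if len(parts) != 2 or parts[0].upper() not in ("HELO", "EHLO"):
        return False
    arg = parts[1]
    return bool(_HOSTNAME.match(arg) or _ADDRESS_LITERAL.match(arg))


def recipient_exists(addr: str) -> bool:
    """Recipient validation against the local directory."""
    local, sep, domain = addr.rpartition("@")
    return sep == "@" and domain.lower() == LOCAL_DOMAIN and local.lower() in KNOWN_USERS


def edge_decision(session: SmtpSession) -> tuple[str, str]:
    """Apply the cheap checks in order; return ("block"|"accept", reason).

    As in the report's description, a message naming any nonexistent address
    is blocked outright, so a run of guessed addresses that happens to include
    one valid recipient still never reaches an inbox.
    """
    if ip_address(session.client_ip) in BLOCKED_IPS:
        return "block", "ip-reputation"
    if not helo_is_wellformed(session.helo):
        return "block", "smtp-syntax"
    if not session.recipients or not all(recipient_exists(r) for r in session.recipients):
        return "block", "recipient-validation"
    return "accept", "passed-edge"


def edge_block_rate(sessions: list[SmtpSession]) -> float:
    """Share of sessions stopped at the edge (the report quotes 88.2% for EHS)."""
    blocked = sum(1 for s in sessions if edge_decision(s)[0] == "block")
    return blocked / len(sessions)


# Constructed sessions: a listed sender, a malformed greeting, guessed
# addresses within the domain, and two legitimate deliveries.
SAMPLE_SESSIONS = [
    SmtpSession("198.51.100.23", "EHLO mail.example.net", ("alice@example.com",)),
    SmtpSession("203.0.113.5", "HELO -relay", ("bob@example.com",)),
    SmtpSession("203.0.113.6", "EHLO mx.example.net",
                ("alice@example.com", "jsmith@example.com", "jdoe@example.com")),
    SmtpSession("203.0.113.7", "EHLO mx2.example.org", ("bob@example.com",)),
    SmtpSession("203.0.113.8", "EHLO [203.0.113.8]", ("alice@example.com",)),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.client_ip:<15} {edge_decision(s)}")
    print(f"edge block rate: {edge_block_rate(SAMPLE_SESSIONS):.1%}")
```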


In addition, users should be trained to recognize phishing attempts by taking precautionary measures, like verifying the address in the browser’s address bar when following links from e-mail messages to financial and commercial Web sites, or simply typing the Web site address directly into the address bar.

Potentially Unwanted Software

Whereas the previous section discussed software that is fundamentally malicious in nature, software behaviors cannot always be classified in binary terms. Some software inhabits a gray area wherein the behavior or value proposition presented by the software is neither universally desired nor universally reviled. This gray area includes a number of programs that do things like display advertisements to the user, which are often targeted based on the programs’ observation of the user’s browsing habits. Many users consider these programs objectionable, but some may appreciate the advertisements, or wish to use other applications that come bundled with the advertising programs and that will not function if they are not present. Microsoft refers to software in this gray area as potentially unwanted software, and provides products and technologies to give visibility and control to the individual. While it is certainly possible to use absolute detection figures to examine the prevalence of different potentially unwanted software families, as in the “Malware Trends for 2H07” section, this approach provides an incomplete picture of the potentially unwanted software landscape. The tools Microsoft provides for dealing with potentially unwanted software are designed to allow users to make informed decisions about removing or retaining specific software, rather than to simply remove it outright. Windows Defender and Microsoft Forefront™ Client Security give each of the potentially unwanted software programs they track a severity rating of Low, Medium, High, or Severe, as well as a default recommended action:

• Ignore. Ignores the alert once. Users may choose to ignore an alert multiple times for the same piece of potentially unwanted software.
• Ignore Always. Ignores the alert from that point forward, even if the software is seen again.
• Prompt. Prompts the user to make a decision about what to do with the software.
• Quarantine. Removes the software in such a way that it can be restored at a later point.
• Remove. Removes the software from the system. Software rated with a severity of High or Severe will be removed automatically.


These decisions are influenced by a number of factors, such as users’ level of expertise, how certain they feel about their judgment regarding the software in question, the context in which the software was obtained, societal considerations, and the benefit (if any) being delivered by the software or by other software that is bundled with it. Users make choices about what to do about a piece of potentially unwanted software for different reasons, so it’s important not to draw unwarranted conclusions about their intent. For instance, Remove indicates a clear, active choice. Ignore Always usually suggests that the user wants to keep the software. However, users choose Quarantine or Ignore for a variety of reasons. For example, they might be confused by the choices, they might want to defer the action to a more convenient time, or they might want to spend more time evaluating the software before making a decision.

Potentially Unwanted Software Trends in 2H07

The second half of 2007 has seen a significant increase in the number of detections and the number of removals of potentially unwanted software. This increase should not necessarily be interpreted as an increased prevalence of potentially unwanted software on the Internet. As with malicious software, a number of factors contribute to this increase.

• The number of computers running the tools used to collect the data for this section continues to increase. For example, Windows Defender, which is available as an optional add-on for Windows XP SP2, is included as a component of Windows Vista, so increased adoption of Windows Vista has added a significant number of new computers with Windows Defender installed automatically. In addition, the release of new language versions of many of these tools has enabled their introduction into parts of the world that had previously been unprotected from potentially unwanted software.

• Changes in the distribution practices for different pieces of potentially unwanted software can have an effect on how many people are exposed to it and how often, and how they tend to respond to alerts raised about the software.

Overall, Microsoft tools and products (Windows Defender, the MSRT, Windows Live OneCare, the Windows Live OneCare safety scanner, scanners for Windows Live Hotmail and Windows Live Messenger, and Microsoft Forefront Client Security) detected 129.5 million pieces of potentially unwanted software between July 1 and December 31, 2007, resulting in 71.7 million removals. These figures represent increases of 66.7 percent in total detections and 55.4 percent in removals over 1H07.



Worldwide disinfections of potentially unwanted software are comparable to those of malware. Figure 42 shows the top 25 families detected by all Microsoft products and tools in 2H07, with potentially unwanted software families listed in italics.

Figure 42. Top 25 families detected in 2H07, ordered by total number of detections

| Rank | Family | Category | 2H07 | 1H07 | % Change |
|---|---|---|---|---|---|
| 1 | Win32/Zlob | Trojan Downloader | 17,655,154 | 8,775,412 | 101.2% |
| 2 | *Win32/Hotbar* | Adware | 7,169,122 | 2,035,895 | 252.1% |
| 3 | *Win32/WhenU* | Adware | 6,372,798 | 3,686,805 | 72.9% |
| 4 | Win32/Renos | Trojan Downloader | 5,825,594 | 3,138,297 | 85.6% |
| 5 | *Win32/ZangoSearchAssistant* | Adware | 4,909,890 | 2,308,075 | 112.7% |
| 6 | Win32/Virtumonde | Trojan | 4,531,655 | 637,789 | 610.5% |
| 7 | Win32/ConHook | Trojan | 4,090,363 | 313,362 | 1205.3% |
| 8 | *Win32/Starware* | Potentially Unwanted Software | 4,046,113 | 2,632,554 | 53.7% |
| 9 | Win32/Agent | Trojan | 3,672,984 | 1,018,435 | 260.7% |
| 10 | *Win32/Winfixer* | Potentially Unwanted Software | 3,382,135 | 1,664,164 | 103.2% |
| 11 | *Win32/CnsMin* | Spyware | 2,454,488 | 1,309,615 | 87.4% |
| 12 | *Win32/BaiduSobar* | Browser Modifier | 2,279,149 | 659,509 | 245.6% |
| 13 | *Win32/Sogou* | Potentially Unwanted Software | 2,079,260 | 573,998 | 262.2% |
| 14 | *Win32/CNNIC* | Browser Modifier | 2,072,464 | 756,895 | 173.8% |
| 15 | *Win32/RealVNC* | Remote Control Software | 1,986,692 | 1,818,376 | 9.3% |
| 16 | *Win32/ClickSpring* | Adware | 1,783,502 | 808,475 | 120.6% |
| 17 | *Win32/BearShare* | Software Bundler | 1,498,451 | 910,321 | 64.6% |
| 18 | *Win32/Comscore* | Potentially Unwanted Software | 1,251,109 | 725,904 | 72.4% |
| 19 | *Win32/ZenoSearch* | Adware | 1,243,077 | 365,674 | 239.9% |
| 20 | Win32/C2Lop | Trojan | 1,231,137 | 753,637 | 63.4% |
| 21 | *Win32/AdRotator* | Adware | 992,509 | 80,248 | 1136.8% |
| 22 | Win32/Banker | Trojan | 969,605 | 852,936 | 13.7% |
| 23 | HTML/IframeRef | Exploit | 965,910 | 181,361 | 432.6% |
| 24 | Win32/Fotomoto | Trojan | 954,452 | 511,141 | 86.7% |
| 25 | Win32/Small | Trojan Downloader | 948,652 | 717,123 | 32.3% |


The 15 potentially unwanted software families in Figure 42 displayed a 114 percent increase over 1H07, rising from 20.3 million detections to 43.5 million detections, owing in part to an increase in the number of users worldwide running one or more of the appropriate detection tools, as explained above. Nine of the 15 displayed increases of 100 percent or more, with five families increasing by more than 200 percent, and one family—Win32/AdRotator—increased by more than 1,000 percent. AdRotator is a browser helper object (BHO) that facilitates click fraud.

The top potentially unwanted software family (second overall) detected in 2H07 was Win32/Hotbar, rising from fourth place (sixth overall) in 1H07. Win32/Hotbar installs a dynamic toolbar in Internet Explorer and Windows Explorer, and delivers targeted popup ads based on its monitoring of Web-browsing activity. The significant increases observed for Win32/CnsMin, Win32/Sogou, and Win32/BaiduSobar are due to increased adoption of Chinese-language versions of the detection tools and should not necessarily be taken as indicators of wider distribution for the families themselves.

As explained above, when Windows Defender detects a malware or potentially unwanted software infection, it gives the user a choice of four possible responses: Remove, Quarantine, Ignore Always, and Ignore. Examining the choices users make when confronted with these warnings yields useful insights into the way users react to different families.



Figure 43. Actions taken by users when warned about malware and potentially unwanted software by Windows Defender

| Threat Family | Category | % Remove | % Quarantine | % Ignore Always | % Ignore |
|---|---|---|---|---|---|
| Win32/Banker | Trojan | 98.8% | 0.8% | 0.02% | 0.5% |
| Win32/Zlob | Trojan Downloader | 88.4% | 4.2% | 0.01% | 7.5% |
| Win32/ConHook | Trojan | 86.6% | 3.4% | 0.04% | 10.0% |
| Win32/Renos | Trojan Downloader | 85.7% | 4.8% | 0.01% | 9.5% |
| Win32/Agent | Trojan | 81.4% | 10.6% | 0.08% | 8.0% |
| Win32/Fotomoto | Trojan | 76.8% | 3.6% | 0.04% | 19.6% |
| Win32/C2Lop | Trojan | 75.9% | 5.8% | 0.05% | 18.2% |
| Win32/ZenoSearch | Adware | 73.5% | 1.1% | 0.03% | 25.3% |
| Win32/Sogou | Potentially Unwanted Software | 72.6% | 0.2% | 0.2% | 27.1% |
| Win32/Small | Trojan Downloader | 62.0% | 14.5% | 0.1% | 23.3% |
| Win32/Winfixer | Potentially Unwanted Software | 59.2% | 2.0% | 0.07% | 38.7% |
| Win32/AdRotator | Adware | 55.5% | 0.6% | 0.07% | 43.9% |
| Win32/ClickSpring | Adware | 49.6% | 11.4% | 0.04% | 38.9% |
| Win32/CnsMin | Spyware | 48.1% | 0.6% | 0.07% | 51.3% |
| Win32/BaiduSobar | Browser Modifier | 45.8% | 0.9% | 0.1% | 53.2% |
| Win32/Virtumonde | Trojan | 45.4% | 15.0% | 0.1% | 39.4% |
| Win32/Comscore | Potentially Unwanted Software | 43.4% | 3.0% | 0.2% | 53.3% |
| Win32/WhenU | Adware | 38.9% | 9.0% | 0.5% | 51.6% |
| Win32/CNNIC | Browser Modifier | 38.7% | 0.5% | 0.2% | 60.7% |
| Win32/ZangoSearchAssistant | Adware | 26.3% | 5.8% | 0.2% | 67.8% |
| Win32/Hotbar | Adware | 20.4% | 11.2% | 0.1% | 68.3% |
| Win32/Starware | Potentially Unwanted Software | 17.6% | 7.7% | 0.2% | 74.5% |
| Win32/RealVNC | Remote Control Software | 9.5% | 2.7% | 8.9% | 78.8% |
| Win32/BearShare | Software Bundler | 7.7% | 4.4% | 3.6% | 84.3% |
| HTML/IframeRef | Exploit | 0.8% | 94.4% | 0.05% | 4.8% |

(Totals may not equal 100% due to rounding.)


Users’ reactions to warnings about the top 25 families varied significantly, indicating clearly that users perceive different potentially unwanted software families to have different value propositions.

• Users chose the Remove option most frequently when informed that the software was unambiguously malicious. Win32/Banker, a family of data-stealing trojans that mainly targets customers of Brazilian banks, was the most frequently removed family in the top 25, with 98.8 percent of users choosing to remove it immediately when warned. Other unambiguously malicious programs like Win32/Zlob, Win32/ConHook, and Win32/Renos also had high rates of removal, above 85 percent in all four cases. See “Malware Families” on page 50 for more information on these families.

• The Quarantine option neutralizes the questionable software, but gives the user the ability to restore it in the future. Users did not make heavy use of the Quarantine option, typically choosing to either remove the software permanently or to ignore the warning temporarily. Other than the exploit HTML/IframeRef, for which Quarantine is the default option, no family in the top 25 had a quarantine rate significantly above 15 percent.

• Win32/RealVNC and Win32/BearShare have the highest rate of Ignore Always responses, by a significant margin, among the top 25 families. RealVNC is a program that enables a computer to be controlled remotely, similar to Remote Desktop. It has a number of legitimate uses, but is considered potentially unwanted software because it can be used by an attacker with malicious intent to gain control of a user’s computer under some circumstances. The relatively high Ignore Always rate for this software (8.9 percent) indicates that many users are aware of the nature of the software and wish to retain it for its perceived value. A similar percentage (9.5 percent) chose to remove the software immediately, presumably indicating that they did not intentionally install the software. BearShare is a peer-to-peer file sharing client that uses the decentralized Gnutella network. Free versions of BearShare have come bundled with advertising-supported and other potentially unwanted software. Its relatively high Ignore Always rate (3.6 percent) indicates that many users are loyal to the program and believe its benefits outweigh any specific behaviors that are unwanted by some.

• It is more difficult to discern the motives of users choosing the Ignore option, which allows the software to run for the current session and lets the user delay making a final decision about what to do about the software until later. Users choose Ignore for a variety of reasons—they may want to defer the decision until after they’ve had a chance to consider its implications; they may be focused on a task and don’t want to be distracted by a warning dialog; they may not understand the question being asked; they may want to uninstall the software themselves at a more convenient time; or they may have other reasons.



Some of the software with a higher-than-average Ignore percentage includes a value proposition of some kind in exchange for the potentially unwanted behavior. Win32/Hotbar, for example, offers functionality such as “smileys” in exchange for targeted advertising, and Win32/Comscore offers bundled software and/or giveaways in exchange for behavior monitoring for market research. An Ignore rate below 10 percent tends to indicate software that is unambiguously unwanted. An Ignore response typically indicates that the user does not understand the decision they are being asked to make; they intend to address the matter at a different time (for example, a security researcher analyzing the software); they are involved in a task and do not wish to be distracted, even if the software is not desired in the long term; or some other, similar motivation. A low Ignore rate tends to indicate that the user was not expecting the software to be present and wishes to remove or quarantine the software immediately.

Prevalence of Detection by Category

Potentially unwanted software categories are comparable with malware categories in prevalence. As with Figure 42 earlier, Figure 44 lists potentially unwanted software categories alongside malware categories for comparison purposes.

Figure 44. Detection by category for 2H07

| Category | Total 2H07 | Total 1H07 | % Change |
|---|---|---|---|
| Adware | 34,255,739 | 20,591,216 | 66.4% |
| Trojan Downloader | 27,953,025 | 15,271,645 | 83.0% |
| Trojan | 19,978,826 | 9,072,711 | 120.2% |
| Potentially Unwanted Software | 17,895,191 | 10,694,833 | 67.3% |
| Browser Modifier | 7,215,262 | 4,752,055 | 51.8% |
| Spyware | 5,247,720 | 3,522,106 | 49.0% |
| Remote Control Software | 4,068,633 | 3,444,829 | 18.1% |
| Software Bundler | 3,186,098 | 3,366,788 | -5.4% |
| Exploit | 2,547,119 | 1,560,330 | 63.2% |
| Trojan Dropper | 2,222,371 | 1,325,702 | 67.6% |
| Settings Modifier | 963,248 | 1,123,383 | -14.3% |
| Password Stealer | 798,642 | 424,978 | 87.9% |
| Monitoring Software | 732,618 | 608,538 | 20.4% |
| Malware Creation Tool | 716,300 | 565,984 | 26.6% |
| Dialer | 494,537 | 718,787 | -31.2% |


Adware remained the most prevalent category in 2H07, increasing by more than 66 percent, from 20.6 million detections to 34.3 million detections. The category listed as Potentially Unwanted Software in the table encompasses a variety of software families that do not fall into the other categories listed, notably rogue security software families. (See page 82 for more information about rogue security software.) The Potentially Unwanted Software category increased by more than 67 percent in 2H07, from 10.7 million detections to 17.9 million detections. Figure 45 and Figure 46 show the trends for these categories, in absolute numbers and in percentage terms.

Figure 45. Potentially unwanted software detection trends, 1H06–2H07, in total detections
[Line chart: total detections (0 to 35 million) per half-year period (1H06, 2H06, 1H07, 2H07) for the categories Adware, Trojan Downloader, Trojan, Potentially Unwanted Software, Browser Modifier, Spyware, Remote Control Software, and Monitoring Software.]


The increases shown in Figure 45 are due at least in part to an increase in the number of computers running the detection tools worldwide, as explained earlier in this report. In terms of percentages, as Figure 46 indicates, each of the potentially unwanted software categories has remained remarkably stable relative to each other since 1H07, despite a significant increase in total detections overall. Unlike in previous periods, 2H07 did not feature any new “breakout” families that spread significantly faster than others to a degree that would significantly impact the category distribution.

Figure 46. Potentially unwanted software detection trends, 1H06–2H07, by percentage
[Line chart: share of detections (0% to 50%) per half-year period (1H06, 2H06, 1H07, 2H07) for the categories Adware, Trojan Downloader, Trojan, Potentially Unwanted Software, Browser Modifier, Spyware, Remote Control Software, and Monitoring Software.]


Variation by Operating System

The majority (60.5 percent) of computers from which Windows Defender removed potentially unwanted software in 2H07 were running Windows Vista. This is due to the fact that Windows Defender is included with Windows Vista as a component of the operating system, so Windows Vista users do not have to obtain Windows Defender separately as an add-on. Most of the rest of the computers (39.3 percent) were running Windows XP SP2, with a very small fraction (0.1 percent) running Windows Server 2003, the only other operating system with which Windows Defender is currently compatible. Windows Defender is targeted at the consumer market, so the server platform’s small share of removals is not surprising. When the data is normalized according to each operating system’s percentage of total executions, the results are much closer to being equal, ranging from 27.5 percent for Windows Server 2003 to 44.5 percent for Windows XP SP2.

Figure 47. Computers cleaned by Windows Defender in 2H07, by operating system

| Operating system | Cleaned Computers (Pre-Normalized) | Cleaned Computers (Normalized) |
|---|---|---|
| Windows 2003 | 0.1% | 27.5% |
| Windows XP SP2 | 39.3% | 44.5% |
| Windows Vista | 60.5% | 28.0% |

(Totals may not equal 100% due to rounding.)
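The normalization behind Figure 47, and the same per-computer view applied to the tool-adoption caveat the report attaches to its growth figures (for example, the Chinese-language detection tools noted earlier), as an added example that is not code from the report. All cleaned-computer counts, execution shares and reporting-computer counts are constructed for illustration; the only report values used are China’s 1H07 and 2H07 detection totals from Figure 48.

```python
"""Normalising raw detection counts by install base (added example).

The report's Figure 47 normalises cleaned-computer counts by each operating
system's share of Windows Defender executions, and the text repeatedly warns
that raw period-over-period growth partly reflects more computers running
the detection tools.  This module shows both calculations on constructed
data; it is not code from the report.
"""
from __future__ import annotations


def raw_shares(counts: dict[str, int]) -> dict[str, float]:
    """Pre-normalised view: each group's count as a percentage of the total."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("counts must sum to a positive number")
    return {group: 100.0 * count / total for group, count in counts.items()}


def normalize_by_share(counts: dict[str, int],
                       execution_share: dict[str, float]) -> dict[str, float]:
    """Normalised view: each count divided by the group's share of executions.

    Dividing by the execution share turns a raw count into a rate per unit of
    install base; rescaling the rates to sum to 100 makes them directly
    comparable with the pre-normalised percentages.  A group that looks small
    in raw numbers only because few computers run the tool on it (the server
    platform in Figure 47) rises; one that dominates because the tool ships
    with it (Windows Vista) falls.
    """
    if set(counts) != set(execution_share):
        raise ValueError("counts and execution_share must cover the same groups")
    rates: dict[str, float] = {}
    for group, count in counts.items():
        share = execution_share[group]
        if share <= 0:
            raise ValueError(f"execution share for {group} must be positive")
        rates[group] = count / share
    total_rate = sum(rates.values())
    return {group: 100.0 * rate / total_rate for group, rate in rates.items()}


def growth_per_reporting_computer(detections_prev: int, detections_cur: int,
                                  computers_prev: int, computers_cur: int
                                  ) -> tuple[float, float]:
    """Return (raw growth %, growth % in detections per reporting computer).

    The second figure removes the part of an increase that is explained purely
    by a larger population of computers running the detection tools, which is
    the caveat the report attaches to its country and family growth figures.
    """
    raw_growth = 100.0 * (detections_cur - detections_prev) / detections_prev
    rate_prev = detections_prev / computers_prev
    rate_cur = detections_cur / computers_cur
    per_computer_growth = 100.0 * (rate_cur - rate_prev) / rate_prev
    return raw_growth, per_computer_growth


# Constructed inputs (not the report's underlying data).  The cleaned-computer
# counts are chosen to give roughly the pre-normalised split in Figure 47;
# the execution shares are an assumption, with Windows Vista dominating
# because Windows Defender ships with it.
CLEANED_COMPUTERS = {
    "Windows Server 2003": 1_000,
    "Windows XP SP2": 393_000,
    "Windows Vista": 606_000,
}
EXECUTION_SHARE_PERCENT = {
    "Windows Server 2003": 0.12,
    "Windows XP SP2": 29.0,
    "Windows Vista": 70.88,
}

# China's detection totals are the 1H07 and 2H07 values from Figure 48; the
# reporting-computer counts are constructed to illustrate the adoption effect.
CHINA_DETECTIONS = (4_552_690, 11_082_690)
CHINA_REPORTING_COMPUTERS = (2_000_000, 4_000_000)  # assumption


if __name__ == "__main__":
    pre = raw_shares(CLEANED_COMPUTERS)
    norm = normalize_by_share(CLEANED_COMPUTERS, EXECUTION_SHARE_PERCENT)
    print(f"{'Operating system':<22}{'pre-normalised':>16}{'normalised':>12}")
    for os_name in CLEANED_COMPUTERS:
        print(f"{os_name:<22}{pre[os_name]:>15.1f}%{norm[os_name]:>11.1f}%")
    raw, per_computer = growth_per_reporting_computer(
        *CHINA_DETECTIONS, *CHINA_REPORTING_COMPUTERS)
    print(f"China: raw growth {raw:.1f}%, "
          f"per reporting computer {per_computer:.1f}%")
```

With the constructed inputs the Windows Vista share falls from about 60.6 percent to about 28.1 percent after normalization while Windows XP SP2 rises to about 44.5 percent, and China’s 143.4 percent raw growth shrinks to roughly 21.7 percent per reporting computer.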



Geographical Differences

Potentially unwanted software continues to target predominantly English-speaking markets, although other countries have also showed strong increases. Figure 48 shows the top 25 countries for potentially unwanted software detections by all Microsoft tools in 2H07. This data has not been normalized, so the table reflects absolute numbers of detections.

Figure 48. Potentially unwanted software detections by country/region

| Rank | Country/Region | 2H07 | 1H07 | % Change |
|---|---|---|---|---|
| 1 | United States | 63,916,808 | 41,146,428 | 55.3% |
| 2 | China | 11,082,690 | 4,552,690 | 143.4% |
| 3 | United Kingdom | 7,744,229 | 5,353,635 | 44.7% |
| 4 | France | 5,898,466 | 3,134,730 | 88.2% |
| 5 | Spain | 4,525,899 | 1,865,983 | 142.6% |
| 6 | Germany | 3,353,615 | 1,616,276 | 107.5% |
| 7 | Canada | 3,140,801 | 2,071,002 | 51.7% |
| 8 | Brazil | 2,511,458 | 1,761,412 | 42.6% |
| 9 | Netherlands | 2,474,783 | 1,862,850 | 32.9% |
| 10 | Korea | 2,450,070 | 701,092 | 249.5% |
| 11 | Italy | 2,171,724 | 1,210,313 | 79.4% |
| 12 | Turkey | 1,873,935 | 900,829 | 108.0% |
| 13 | Australia | 1,670,991 | 1,331,438 | 25.5% |
| 14 | Mexico | 1,486,973 | 544,035 | 173.3% |
| 15 | Japan | 1,432,108 | 1,417,566 | 1.0% |
| 16 | Poland | 1,386,996 | 537,222 | 158.2% |
| 17 | Portugal | 950,912 | 594,557 | 59.9% |
| 18 | Belgium | 912,707 | 571,508 | 59.7% |
| 19 | Sweden | 834,991 | 570,097 | 46.5% |
| 20 | Taiwan | 663,334 | 469,470 | 41.3% |
| 21 | Denmark | 643,370 | 450,518 | 42.8% |
| 22 | Norway | 640,208 | 422,815 | 51.4% |
| 23 | Switzerland | 424,270 | 258,058 | 64.4% |
| 24 | Singapore | 374,346 | 227,380 | 64.6% |
| 25 | Ireland | 294,722 | 208,073 | 41.6% |


The United States was firmly in the lead in potentially unwanted software detections in 2H07, with 63.9 million detections, nearly six times as many as any other country. The United Kingdom, Canada, and Australia rank third, seventh, and thirteenth, respectively, reflecting the predominance of English-language potentially unwanted software programs. China had the second highest number of detections with 11.1 million detections, up from 4.6 million detections in 1H07, due in part to increased adoption of Chinese-language versions of the detection tools.

Rogue Security Software

Rogue security software exploits computer users’ anxieties about malicious software with fraudulent offers of “protection” for a price. Rogue security software uses a number of different techniques to attempt to trick users into installing the software and to obtain money from them. The prevalence of rogue security software continues to increase, with many common families being delivered by trojan downloaders and other malware, as well as by conventional social engineering methods.

Figure 49. Top 25 rogue security software families in 2H07, by number of detections

| Rank | Rogue | Volume |
|---|---|---|
| 1 | Win32/Winfixer | 3,382,135 |
| 2 | Win32/SpywareSecure | 610,616 |
| 3 | Win32/SpySheriff | 569,147 |
| 4 | Win32/WinSoftware | 384,630 |
| 5 | Win32/VirusProtectpro | 219,685 |
| 6 | Win32/UltimateDefender | 210,970 |
| 7 | Win32/Contravirus | 157,798 |
| 8 | Win32/DriveCleaner | 153,857 |
| 9 | Win32/AdvancedCleaner | 134,533 |
| 10 | Win32/AntivirusGold | 121,954 |
| 11 | Win32/AntiVirGear | 120,352 |
| 12 | Win32/UltimateCleaner | 118,559 |
| 13 | Win32/VirusRanger | 97,221 |
| 14 | Win32/SpyAxe | 91,864 |
| 15 | Win32/SpyLocked | 80,898 |
| 16 | Win32/SpyHeal | 59,534 |
| 17 | Win32/SystemDoctor | 44,181 |
| 18 | Win32/VirusLocker | 41,081 |
| 19 | Win32/SpyCrush | 35,697 |
| 20 | Win32/AntivirusProtection | 33,156 |
| 21 | Win32/AntispyStorm | 32,513 |
| 22 | Win32/UltimateFixer | 26,408 |
| 23 | Win32/EZCatch | 26,219 |
| 24 | Win32/SpywareStormer | 20,849 |
| 25 | Win32/ErrorGuard | 19,314 |


The most prevalent rogue security software detected in 2H07 was Win32/Winfixer, with more than five times as many detections as any other single family. Win32/Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.

Figure 50. False warning dialogs displayed by Win32/Winfixer variants
[Screenshots not reproduced.]

When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with most of the rest electing to quarantine the software or ignore the warning temporarily. Less than 0.5 percent of users choose the Ignore Always option, indicating that very few users remain deceived about rogue security software when given information about its nature. For additional information about rogue security software, see the July–December 2006 edition of the Security Intelligence Report at http://go.microsoft.com/fwlink/?LinkID=88436&clcid=0x409.

Malicious and Potentially Unwanted Software Summary and Conclusion

The family names that have appeared repeatedly in this section—Win32/Nuwar, Win32/Zlob, Win32/Renos, and others—have different functions and goals, and they use different technical and social mechanisms for infection and distribution. By and large, however, they are all highly characteristic of a fundamental shift in the malware landscape, from flashy amateur pranks to professionally designed, extremely persistent tools for criminal activity. Correspondingly, IT security professionals are increasingly finding their jobs dominated not only by technical challenges and responsibilities, but by social and legal ones, as well.


Focus on Internet Safety Enforcement

Tim Cranton, Associate General Counsel

“What happened in this case is a textbook example of the cooperation necessary in this new era of globalization to be successful in addressing computer intrusions and other computer-supported criminal operations. In Microsoft, we have an excellent partner and today we acknowledge them in this small way.” – FBI Cyber Division Assistant Director James E. Finch, announcing the recognition of nine Microsoft employees for “Exceptional Service in the Public Interest” related to the ZOTOB investigation (September 25, 2006)

Microsoft recognizes that our leadership requires a comprehensive, global approach to Internet safety enforcement. Accordingly, this “Focus on Internet Safety Enforcement” section is designed to provide an overview of our enforcement initiatives, as a complement to the data and analysis provided by our Security Response Center in the remainder of this report.

The Internet Safety Enforcement Team, a division of Microsoft Legal and Corporate Affairs group, develops and implements innovative programs to combat Internet threats, such as malicious code, botnets, phishing, spyware, spam, and online child exploitation. We assist law enforcement by developing effective technology tools and by providing training and technical support for Microsoft products and services, specifically, and, more generally, on how to investigate computer-facilitated crimes. In addition to our collaboration with law enforcement, we also work on our own and through partnerships with governmental and non-governmental agencies, and with other industry leaders, to develop technology tools, implement strong laws, enforce existing laws against bad actors, and raise awareness about cybercrime threats. We believe these five fundamental pillars—technology, legislation, enforcement, education, and partnerships—are critical to promoting a safer online environment. We focus here on a few examples of Microsoft Internet security enforcement efforts in the areas of spam, phishing, and botnets that build on these five fundamental pillars.

Fighting Phishing

According to the Anti-Phishing Working Group—a cross-industry association of which Microsoft is a founding member—between 75 million and 150 million phishing e-mails are sent out every day. A Gartner survey estimates that approximately 109 million people in the United States have received a phishing e-mail, with an estimated 3.6 million adults losing money to phishing attacks in the 12 months ending August 2007. In these same 12 months, financial losses stemming from phishing attacks reached $3.2 billion (U.S.) in the United States alone. These are staggering statistics that demonstrate an escalation in the amount of online fraud. Microsoft believes a holistic and global approach must be used to address the growing problem of phishing. Industry leaders, law enforcement, and governments each can play an important role in creating new technology to prevent phishing attacks, by tracking down and punishing phishers, implementing strong laws, and providing the public with the knowledge and tools to protect themselves.

Global Phishing Enforcement Initiative: Microsoft actively addresses the threats posed by phishing through its Global Phishing Enforcement Initiative. This initiative contains three central components: (1) proactive domain defense; (2) worldwide investigations and referrals; and (3) strong international partnerships.

Domain Defense: Our Domain Defense program is intended to protect the Microsoft customer experience, brand name, and intellectual property online. To those ends, we preemptively register domains that include both the Microsoft name and common phishing terms, such as “account” or “confirm,” we monitor domain registrations for potential phishing sites, we issue “takedown notices” to quickly remove identified phishing sites, and we engage in anti-cybersquatting initiatives. To date, Microsoft has registered over 3,000 domain names and successfully taken down close to 6,200 phishing sites worldwide that targeted Windows Live and Microsoft. As of the end of 2007, we have also pursued 15 enforcement actions worldwide against cybersquatters.

Enforcement: Through December 2007, Microsoft has supported more than 186 enforcement actions against phishers worldwide. These include civil lawsuits filed by Microsoft, as well as civil and criminal actions by international government and law enforcement agencies for which Microsoft made referrals and subsequently provided support. In addition, Microsoft has collaborated with global law enforcement agencies in Europe, the Middle East, and Africa to conduct 263 investigations against phishers, focusing on sites that are most likely to deceive users. These investigations have resulted in 40 phishing enforcement actions in this region alone. In one successful investigation, Microsoft provided investigative and technical support to Bulgarian authorities in January 2006, which led to the arrest of eight members of an international criminal network. Known as the Microsoft Billing Account Management (“MBAM”) Gang by Microsoft investigators, the perpetrators spoofed e-mails to look as though they were from MSN® customer service and created dozens of fake Web pages. Launching a coordinated attack in 11 countries, the phishers invited consumers to reveal their personal information by “updating” their accounts. Using this stolen data, the group made purchases valued at over $50,000 (U.S.). Another investigative success took place in May 2007. Microsoft, in conjunction with the Brazilian federal police, conducted a phishing raid in Brazil against a phisher who had designed a Web site to steal Hotmail passwords. This case was the first success in Brazil with leads generated from the Global Phishing Enforcement Initiative.

Partnerships: Building strong international partnerships is a critical component of Microsoft’s anti-phishing efforts. Microsoft is a key strategic partner to the National Cyber-Forensics and Training Alliance (“NCFTA”) and contributes through both non-monetary and monetary support, including funding a full-time phishing analyst. A joint public-private sector effort, NCFTA was first established by the FBI, the National White Collar Crime Center, Carnegie Mellon University, and West Virginia University to test and investigate cybercrime tactics, help fight online threats, and prepare businesses and organizations to guard against such threats. As part of our NCFTA efforts, Microsoft helped develop Digital PhishNet (“DPN”), a collaborative enforcement operation to combat phishing that unites industry leaders in technology, banking, financial services, and online retail services with law enforcement. The DPN provides a database that allows companies and law enforcement officials to share information about phishing and strengthens international partnerships for identifying and tracking phishers. Microsoft sponsors and facilitates international DPN conferences to develop partnerships, share knowledge, and expand relationships internationally among those on the front lines of the phishing threat. Through these conferences, DPN facilitates cooperation between industry and law enforcement, presents specific case studies of successful phishing enforcement actions, and provides hands-on training about how to conduct phishing investigations. Additionally, when Microsoft issues takedown notices for fraudulent Web sites, the notices request that the Web host or registrar redirect phishing sites to a DPN page for consumer education.
Microsoft’s support of and participation in DPN is having a measurable, positive impact on investigations. For example, DPN members have been working with NCFTA and the FBI to understand the inside workings of the “Rock Phish,” a pervasive global phishing operation. Rock Phish attacks have targeted more than 80 global financial institutions, with a loss impact that is estimated to have exceeded $250 million (U.S.). The DPN Rock Phish Working Group has made significant breakthroughs over the past six months, much of which can be attributed to goals set during the 2007 DPN Conference held in Berlin.



Beating Botnets

The threats to online security have been enhanced by the prevalence of botnets, through which a series of machines under centralized control are used to launch a range of nefarious activities. Through a combination of teamwork, training, and technology, Microsoft works to identify, prosecute, and ultimately stop the developers and distributors of botnets.

Recognizing Trends. As malicious code attacks evolved beyond the Blaster and Sasser worms, Microsoft noted a trend in attacks toward the surreptitious creation of botnets. Additionally, we realized that the propagators of these bots had become increasingly sophisticated in their techniques and organizational structure, inflicting unprecedented personal and commercial harm on their victims. For example, these cybercriminals were no longer working alone, but rather as a loosely affiliated enterprise of criminals with specific roles. Recognizing these developments early, Microsoft mobilized an internal team focused on understanding the botnet threat and developing technical and other solutions to address it.

Enforcement Successes. Our work to combat the botnet threat has included support for a number of successful enforcement actions around the world. The Zotob investigation, which resulted in the arrest of the distributors of the Zotob and Mytob worms in 2005, served as an early example of the type of success that could be achieved through international law enforcement, industry, and the judicial system cooperating to hold cybercriminals responsible for their actions. Subsequently, Microsoft aided the Federal Bureau of Investigation in “Operation Bot Roast,” an ongoing operation announced in June 2007 that is aimed at disrupting and dismantling persons utilizing botnets. In conjunction with this coordinated initiative, approximately 1 million compromised computers throughout the United States have been identified. Additionally, as a direct result of the operation, the FBI has charged numerous individuals with cyber crimes, including a Seattle resident accused of using botnets to send tens of millions of spam messages touting his Web site; a Texas resident accused of infecting tens of thousands of computers worldwide, including some Chicago-area hospitals; and a Kentucky resident charged with using botnets to disable other systems. The Microsoft Internet Crime Investigations Team provided technical information and analytical support for a number of these actions, and led the mitigation, along with several other companies, by taking down the botnets’ command and control servers. The press release announcing Operation Bot Roast stated, “The FBI also wants to thank our industry partners, such as the Microsoft Corporation and the Botnet Task Force, in referring criminal botnet activity to law enforcement.”


Stopping Spam

It is now widely accepted throughout the industry that unwanted commercial solicitations account for upwards of 90 percent of all e-mail sent across cyberspace today. The sheer volume of this unsolicited e-mail can be enough to disrupt communication networks. It is also a costly problem: In 2007, Ferris Research estimated that the global cost of spam is $100 billion (U.S.) worldwide, including $35 billion (U.S.) in the United States. Moreover, spam is frequently the predicate to many other forms of online criminal activity, including phishing and other fraudulent scams, spyware programs, and malicious code. Microsoft has technologies, investigators, technical and forensic experts, and other resources to lend to worldwide efforts to combat spam.

Enforcement: Through the end of 2007, Microsoft has filed nearly 250 legal actions worldwide against spammers, often working with law enforcement officials in North America, Europe, the Asia-Pacific region, Africa, and South America. Recently, Alan Ralsky—one of the world’s most prolific spammers, whose sophisticated scheme brought in millions of dollars by manipulating Chinese stock prices—was indicted along with 10 others. Microsoft contributed to the investigation by generating much of the information leading to the arrests and indictments, and by briefing the FBI, the Postal Inspection Service, the IRS, and the U.S. Attorney’s Office on Ralsky’s operation. Additionally, in November 2007, Microsoft provided live testimony as a government witness during a federal anti-spam sentencing hearing in Denver, CO. This testimony was the primary evidence used by the Court to rule in the United States’ favor on one of the most important unresolved issues related to criminal anti-spam enforcement efforts: the appropriate measure of financial loss. The Court’s conviction and imposition of a 30-month prison sentence was a significant victory and a first-of-its-kind sentencing decision under the CAN-SPAM Act.
London Action Plan: Microsoft was the first private sector participant in the London Action Plan, a coalition of international agencies that supports global cooperation on network security, law enforcement, and improved consumer awareness to combat spam. Microsoft has organized and participated in conferences around the world dedicated to facilitating public-private partnerships to combat spam. For example, Microsoft helped to sponsor the first Spam Enforcement Conference in London in November 2005. The event brought together authorities from Britain’s Office of Fair Trading, its Department of Trade and Industry, and the EU’s Contact Network of Spam Authorities (“CNSA”) in a productive exchange with industry partners to discuss ways to limit spam.



International Efforts: Our initiatives in Nigeria and France demonstrate the versatility of Microsoft’s efforts to combat spam. In October 2005, Microsoft signed a Memorandum of Understanding (“MOU”) with Nigeria’s Economic & Financial Crimes Commission (“EFCC”) to support Nigeria’s efforts to combat cybercrime. In particular, the MOU targets financial scams (known as “419 scams” after the relevant section of the Nigerian criminal code) that are propagated through spam. Under the terms of the MOU, Microsoft provides the EFCC with training, technical assistance, and investigative help to prevent and prosecute such activities. As of May 2006, Microsoft efforts had helped Nigerian officials in a dozen enforcement actions. Similarly, in France, Microsoft was the first private company to support the creation of Signal Spam, an anti-spam platform created in France in association with public and private sector entities. Signal Spam offers Internet users two methods for reporting spam. First, a user can copy and paste the spam into the platform’s online form. Second, a user can install a plug-in that notifies the platform from within the user’s e-mail client when a suspected spam message is received. Signal Spam then analyzes the message and, if it is confirmed as spam, blacklists the sender’s IP address. Data collected through the platform is also shared with French law enforcement authorities, as well as ISPs, to assist in anti-spam investigations and prosecutions. Since it was launched in May 2007, Signal Spam has received tremendous volume: more than 4 million reports of spam from 300,000 users.

Committed to being a good corporate citizen, Microsoft dedicates our technological innovation and experience to these and numerous other initiatives in order to make the online environment safer and more secure for all users.


Microsoft Malware Protection Center Executive Afterword

Thank you for taking the time to read this latest volume of the Microsoft Security Intelligence Report. Over the past two years, the report has evolved into a comprehensive assessment of the worldwide IT threat landscape from the perspective of Microsoft, including, for this volume, new content on privacy and security breaches, and our efforts in supporting law enforcement organizations worldwide. We have also provided more data and insights into spam and phishing than in past reports. Looking at the data contained in this report covering the second half of 2007, we can see that antimalware products and solutions from Microsoft and our partners have successfully detected and removed more malware and potentially unwanted software – and more variants of those threats – than ever before. During the same period we saw a continuation of the shift of malware away from an amateur phenomenon to a professional criminal tool. Taking a closer look at the data contained in this report, we can identify a number of key changes in the threat landscape. We saw a 300% increase in the number of trojan downloaders and droppers that were identified and removed by the MSRT, the vast majority coming from four families: Win32/Zlob and Win32/Renos, which were also prevalent in the first half of 2007, and newer families Win32/ConHook and Win32/RJump. Downloaders have become the delivery mechanism of choice for malware authors who rely on rapidly developing variations of a downloader in attempts to defeat anti-malware software. During the second half of 2007, we detected nearly 85,000 variants of the Win32/Zlob family, making it the most widespread malware family in the world by a large margin. Phishing attacks continue to pose a significant threat to computer users and have evolved from a predominantly e-mail-based phenomenon to one that targets social networks and takes advantage of the user’s place in these networks.

Phishing remains a largely English-language occurrence with other European languages accounting for most of the remainder. The total number of phishing pages detected remained roughly the same during the second half of 2007. In the last Security Intelligence Report, I shared my thoughts on how the threat landscape would evolve during the second half of 2007. Let’s look back at those predictions and see how I did. I outlined some broad thoughts on how the wider threat landscape would change:

• Criminals will continue to focus their efforts on financial gains and will continue to leverage trojan downloaders, bots, spam, phishing, targeted attacks, and social engineering to do this.
  • This is indeed the case, as we see from the dramatic rise in trojan downloaders and the ongoing fight against the Win32/Nuwar (or storm worm) family of malware, which is used to send out huge amounts of spam from compromised machines.
• Criminals will continue to focus on the development of malware and potentially unwanted software that seek to violate the privacy and security of individuals and organizations.
  • Again, this is behavior that we are seeing, with many families of malware and potentially unwanted software being updated or altered by their authors many times per day; in fact, the Win32/Zlob family of downloader/droppers generated almost 85,000 unique variations during the second half of 2007.



I also made some bolder statements about the future:

• Windows Vista will continue to make a difference in the PC ecosystem.
  • I am pleased to report that the focus put on security during the development of Windows Vista continues to show results. In the second half of 2007, our tools proportionally removed malware from 87% fewer Windows Vista-based computers than computers running Windows XP with Service Pack 1 installed. For computers running Windows XP with no Service Pack installed, the difference was 91%.
• Enterprises that use e-mail filtering systems and e-mail authentication systems will reduce the number of e-mail–based attacks that make it through to users’ inboxes.
  • Microsoft Exchange Hosted Services blocked 94% of inbound messages during the second half of 2007.
• Enterprises and consumers that use up-to-date anti-malware solutions will be better protected.
  • As I hope is obvious from the amount of malware and potentially unwanted software detected and removed from computers around the world, customers who used up-to-date anti-malware solutions were indeed better protected. This advice remains just as relevant for 2008.

So, what statements about the future would I make for the first half of 2008?

• Criminals will continue to use malware and potentially unwanted software as tools to attack their targets in the hopes of financial reward. These attacks will focus increasingly on social engineering for their effectiveness and on targeting computer applications rather than operating systems.
• We will see Windows Vista and Windows Server 2008 continue to turn up the dial on security—the release of Service Pack 1 will enhance the security of Windows Vista even further.

As I said in my closing remarks for the last volume of this report, Microsoft and the Microsoft Malware Protection Center will continue to work to help protect customers and the PC ecosystem. We are very proud of the quality of our anti-malware technology, but rest assured we will continue to work to evolve, improve and enhance our technology and response systems to continue protecting our customers. Again, thank you for reading this report. I hope you found it informative and useful. Please help us to improve future volumes of the Microsoft Security Intelligence Report—we are always interested to hear your feedback and thoughts on how we can better address your needs. Please send your feedback to the Microsoft Security Intelligence Report team at sirfb@microsoft.com.

Vinny Gullotto
General Manager
Microsoft Malware Protection Center
Microsoft Corporation

Glossary

Adware

A program that displays advertisements. While some adware can be beneficial by subsidizing a program or service, other adware programs may display advertisements without adequate consent.

Backdoor trojan

A type of trojan that provides attackers with remote access to infected computers. Bots are a subcategory of backdoor trojans (see botnet).

Botnet

A set of computers controlled by a “command and control” (C&C) computer to execute commands as directed. The C&C computer can issue commands directly (often through Internet Relay Chat, or IRC) or by using a decentralized mechanism, like peer-to-peer (P2P) networking.

Browser modifier

A program that changes browser settings, such as the home page, without adequate consent. Also includes browser hijackers.

Clean

To remove malware or potentially unwanted software from an infected computer. A single cleaning can involve multiple disinfections.

Cybersquatting

The act of registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else.

Dialer

A program that generates unauthorized telephone calls that may have an associated cost to the individual.

Disinfect

To remove a malware or potentially unwanted software component from a computer, or to restore functionality to an infected program. Compare to Clean.

Exploit

Malicious code that takes advantage of software vulnerabilities to infect a computer.

IM worm

Malware that spreads through instant messaging (IM) applications, such as Windows Live Messenger and AOL Instant Messenger, typically by sending IM messages that include a link to an infected copy of itself.



Joke program

A program that pretends to do something malicious but actually does nothing harmful (for example, pretending to delete files or format disks).

Malware

Malicious software or potentially unwanted software installed without adequate user consent.

Mass-mailing worm

Malware that spreads by spontaneously sending copies of itself through e-mail.

Microsoft Windows Malicious Software Removal Tool (MSRT)

The MSRT is designed to help identify and remove specifically targeted, prevalent malware from customer computers, and is available at no charge to licensed Windows users. The main release mechanism of the MSRT is through Windows Update (WU), Microsoft Update (MU), or Automatic Updates (AU). A version of the tool is also available for download from the Microsoft Download Center. Additionally, the MSRT is not a replacement for an up-to-date antivirus solution because the MSRT specifically targets only a small subset of malware families that are determined to be particularly prevalent. Further, the MSRT includes no real-time protection and cannot be used for the prevention of malware. More details about the MSRT are available at http://www.microsoft.com/security/malwareremove/default.mspx.

Monitoring software

Commercially available software that monitors activity, usually by capturing keystrokes or screen images. It may also include network sniffing software.

P2P worm

Malware that copies itself to file shares that are associated with peer-to-peer (P2P) applications, such as KaZaA and Winny, to facilitate its spread over those networks.

Password stealer/keylogger

A password stealer (PWS) is malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger, which sends key strokes and/or screenshots to an attacker.

Potentially unwanted software

A program with potentially unwanted behavior that is brought to the user’s attention for review. This behavior may impact the user’s privacy, security, or computing experience.

Reinfection

When a computer becomes infected after having previously been cleaned or disinfected. Reinfection typically occurs when a user repeats usage patterns without completely updating the computer’s anti-malware protection during the disinfection process.


Remote control software

A program that provides access to a computer from a remote location. These programs are often installed by the computer owner or administrator, and are only a risk if unexpected.

Rogue security software

Software that appears to be beneficial from a security perspective but which provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or which may attempt to socially engineer the user into participating in a fraudulent transaction.

Sender ID Framework

An Internet Engineering Task Force (IETF) protocol developed to authenticate e-mail and so detect spoofed and forged messages, a typical tactic used to drive users to phishing Web sites and to download malicious software.

Settings modifier

A program that changes computer settings with or without the user’s knowledge.

Software bundler

A program that installs other potentially unwanted software, such as adware or spyware. The license agreement of the bundling program may require these other components in order to function.

Spyware

A program that collects information, such as the Web sites a user visits, without adequate consent. Installation may be without prominent notice or without the user’s knowledge.

Tool

Software that may have legitimate purposes, but which may also be used by malware authors or attackers.

Trojan

A generally self-contained program that does not self-replicate, but takes malicious action on the computer.

Trojan downloader/dropper

A form of trojan that installs other malicious files to the infected system either by downloading them from a remote computer or by dropping them directly from a copy contained in its own code.

Typosquatting

A form of cybersquatting where someone registers a domain name of a highly visited Web site, except with typographical errors (for example, microsooft.com).

Virus

Malware that replicates, commonly by infecting other files in the system, thus allowing the execution of the malware code and its propagation when those files are activated. Other forms of viruses include boot sector viruses and replicating worms.



Appendix A: Data Sources

Software Vulnerabilities

The efforts to identify and fix vulnerabilities lacked a common naming mechanism until a consortium led by The MITRE Corporation began publishing the Common Vulnerabilities and Exposures (CVE) list, which drives a common naming mechanism that can be leveraged by multiple vulnerability databases and security products. The CVE naming conventions provide the most comprehensive list of vulnerabilities worldwide, across software products of all types. This report uses the CVE naming conventions when identifying individual vulnerabilities. The analysis in this report uses a set of data that has been created by compiling, customizing, and cross-checking several sources of data available on the Internet:

• Common Vulnerabilities and Exposures Web site (http://cve.mitre.org).
  • A large portion of the data analyzed originates from the CVE list maintained at this site, which is currently sponsored by the United States Department of Homeland Security (DHS). The naming mechanisms and external references to sources for additional information were particularly valuable.
• National Vulnerability Database (NVD) Web site (http://nvd.nist.gov).
  • This database, a superset of the CVE list that provides additional objective information concerning vulnerabilities, was the source used to determine severity ratings and exploit complexity assessments. The NVD is also sponsored by the United States DHS, and its data is downloadable in XML format at http://nvd.nist.gov/download.cfm.
• Security Web sites. The following sites, as well as many others, were utilized for detailed verification and validation of vulnerability specifics:
  • http://www.securityfocus.com
  • http://www.secunia.com
  • http://www.securitytracker.com
• Vendor Web sites and support sites. The following sites, as well as others, were utilized for confirmation and validation of vulnerability details:
  • https://rhn.redhat.com/errata
  • http://support.novell.com/linux/psdb
  • http://sunsolve.sun.com
  • http://www.microsoft.com/technet/security/current.aspx
  • http://www.ubuntu.com/usn


By leveraging these sources, as well as many others, Microsoft has compiled a database of disclosure dates for vulnerabilities that can be used to determine the year, month, and day that each vulnerability was disclosed publicly and broadly for the first time. Note that, in this report, disclosure is used to mean broad and public disclosure, and not any sort of private disclosure or disclosure to a limited number of people.

Malicious Software and Potentially Unwanted Software

Telemetry from several customer-focused Microsoft security products and services, including the Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services, representing a total user base of several hundred million computers, was used to compile the trends and information provided in this report. Figure 1 shows the main data sources used in this report to compile data on the prevalence of malicious and potentially unwanted software.

Figure 1. Data sources

Product Name | Main Distribution Methods
Windows Malicious Software Removal Tool | WU / AU, Download Center
Windows Defender | Download Center, Windows Vista
Windows Live OneCare Safety Scanner | Web
Windows Live OneCare | Web / Store Purchase
Microsoft Exchange Hosted Filtering | Web
Forefront Client Security | Volume Licensing

(For each product, the figure also marks its main customer segment (Consumers or Business) and which of the following apply: Malicious Software Scan and Remove, Malicious Software Real-Time Protection, Spyware and Potentially Unwanted Software Scan and Remove, Spyware and Potentially Unwanted Software Real-Time Protection, Prevalent Malware Families, and Available at No Additional Charge. Those per-product marks are not reproduced in this text version.)

The MSRT is a free tool designed to help identify and remove prevalent malware families from customer computers. The MSRT is primarily released as an important update through Windows Update (WU), Microsoft Update (MU), and Automatic Updates (AU). A version of the tool is also available from the Microsoft Download Center. The MSRT helps remove specific, prevalent malware from computers that are running Windows Vista, Windows Server 2003, Windows XP, and Windows 2000. As of December 2007, the tool detects and removes 96 different malware families, each of which is currently prevalent or was prevalent at the time it was added. The MSRT is not a replacement for an up-to-date antivirus solution because of its lack of real-time protection and also because it uses only the portion of the Microsoft antivirus signature database that enables it to target specifically selected, prevalent malicious software. By the end of 2H07, the MSRT was executing on more than 450 million computers worldwide every month. A large majority (87 percent) of these executions involved computers running Windows XP, with all but a tiny fraction of these running Windows XP SP2. This is due to the fact that SP2 encourages users to enable Windows Automatic Updates, which allows the MSRT to download and execute automatically. Among other operating systems, Windows Vista continues to rise sharply, with monthly executions more than doubling between July and December 2007. Executions on Windows 2000 and Windows Server 2003 remained flat throughout the period and together account for less than 4 percent of total executions. A major change to the Microsoft Update reporting system in October boosted reported executions by almost 90 million per month, as reflected in the data. (See Figure 18 on page 40 for a breakdown of operating system executions by month.)

Windows Live OneCare is a real-time protection product that combines an antivirus and antispyware scanner with phishing and firewall protection. Unlike the MSRT, which targets a small number of currently active malware families and is issued monthly, Windows Live OneCare uses the complete Microsoft antivirus signature database, retrieving a signature file update daily from Microsoft servers. Unlike the MSRT, which can be downloaded freely on compatible versions of Windows, Windows Live OneCare is a commercial product, offered for purchase by individuals and enterprise customers on a subscription basis. The Windows Live OneCare product family also includes the Windows Live OneCare safety scanner (http://safety.live.com), which is a free, online tool that detects and removes malware and potentially unwanted software using the same signature database as the Windows Live OneCare client product. Unlike the Windows Live OneCare client product (but like the MSRT), the Windows Live OneCare safety scanner does not offer real-time protection and cannot prevent a user’s computer from becoming infected. The Windows Live OneCare safety scanner is available worldwide in dozens of different languages and was used to scan computers for malware more than 8.3 million times in 2H07. Toward the end of 2H07 it was being used to perform about 1.8 million malware scans per month, as shown in Figure 2.

Figure 2. Malware scans performed by Windows Live OneCare safety scanner per month, January 2006–December 2007 (vertical axis: Safety Scanner Malware Scans, 0 to 2 million; horizontal axis: Jan-06 through Dec-07)

Windows Defender is a free program that provides real-time protection against pop-ups, slow performance, and security threats caused by spyware and other potentially unwanted software. Windows Defender was formally released on October 23, 2006, and by the end of 2007 was installed on more than 42 million computers running Windows XP SP2, Windows Server 2003, and Windows Vista in two dozen different languages. Windows Defender is included with Windows Vista as an integrated component of the operating system rather than as a separate download, which has significantly increased the program’s installed base.



If you would like more information about the products, services, and tools used as data sources for this report, please use the URLs provided below.

• The Microsoft Malware Protection Center Portal: http://www.microsoft.com/av
• Windows Malicious Software Removal Tool: http://www.microsoft.com/malwareremove
• Windows Defender: http://www.microsoft.com/windowsdefender
• Windows Live OneCare: http://onecare.live.com
• Windows Live OneCare safety scanner: http://onecare.live.com/scan
• Microsoft Exchange Hosted Services: http://www.microsoft.com/exchange/services/default.mspx
• Microsoft Forefront Client Security: http://www.microsoft.com/clientsecurity
• Microsoft Forefront Security for Exchange Server: http://www.microsoft.com/forefront/serversecurity/exchange/download.mspx
• Microsoft Online Safety Technologies (anti-spam and anti-phishing): http://www.microsoft.com/safety
• Sender ID Framework: http://www.microsoft.com/senderid


Appendix B: Exploit Counts by Microsoft Security Bulletin and CVE ID

These are comprehensive tallies of publicly available exploits for a range of Microsoft products, cataloged by the Microsoft Security Response Center (MSRC) and by the Common Vulnerabilities and Exposures (CVE) database at http://cve.mitre.org. See Figure 12 on page 30 and Figure 13 on page 31 for exploit tallies for Microsoft Internet Explorer, the Microsoft Office system, and Microsoft Windows. For more information about how this data was collected, see “Software Vulnerability Exploits” beginning on page 27.

Exploits by Microsoft Security Bulletin

Product | Version | 2006 Security Bulletin Count | 2006 Exploits | 2006 Percentage | 2007 Security Bulletin Count | 2007 Exploits | 2007 Percentage | Delta
Windows | Vista | 8 | 4 | 50.0% | 8 | 3 | 37.5% | -12.5%
Windows Mail | Vista | 0 | 0 | | 2 | 1 | 50.0% |
Internet Explorer | 5 | 1 | 0 | 0.0% | 0 | 0 | |
Internet Explorer | 5.5 | 1 | 0 | 0.0% | 0 | 0 | |
Internet Explorer | 6 | 7 | 3 | 42.9% | 8 | 3 | 37.5% | -5.4%
Internet Explorer | 7 | 0 | 0 | | 8 | 3 | 37.5% |
Outlook Express | 5 | 1 | 0 | 0.0% | 1 | 0 | 0.0% | 0.0%
Outlook Express | 6 | 3 | 1 | 33.3% | 2 | 1 | 50.0% | 16.7%
Exchange | 2000 | 3 | 1 | 33.3% | 1 | 1 | 100.0% | 66.7%
Exchange | 2003 | 2 | 1 | 50.0% | 1 | 1 | 100.0% | 50.0%
Exchange | 2007 | 0 | 0 | | 1 | 1 | 100.0% |
Media Player | 6 | 1 | 0 | 0.0% | 0 | 0 | |
Media Player | 7.1 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
Media Player | 9 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
Media Player | 10 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
Media Player | 11 | 0 | 0 | | 1 | 0 | 0.0% |
Works | 2000 | 2 | 1 | 50.0% | 0 | 0 | |
Works | 2001 | 2 | 1 | 50.0% | 0 | 0 | |
Works | 2002 | 2 | 1 | 50.0% | 0 | 0 | |
Works | 2003 | 2 | 1 | 50.0% | 0 | 0 | |
Works | 2004 | 6 | 4 | 66.7% | 3 | 3 | 100.0% | 33.3%
Works | 2005 | 6 | 4 | 66.7% | 3 | 3 | 100.0% | 33.3%
Works | 2006 | 6 | 4 | 66.7% | 2 | 2 | 100.0% | 33.3%
.NET | 2 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
IIS | 5 | 1 | 1 | 100.0% | 1 | 1 | 100.0% | 0.0%
IIS | 6 | 1 | 1 | 100.0% | 0 | 1 | |
Project | 2000 | 4 | 2 | 50.0% | 2 | 2 | 100.0% | 50.0%
Project | 2002 | 4 | 2 | 50.0% | 2 | 2 | 100.0% | 50.0%
Visual Studio® | 2005 | 1 | 1 | 100.0% | 1 | 1 | 100.0% | 0.0%
Visual Studio® | .NET 2002 | 0 | 0 | | 2 | 1 | 50.0% |
Visual Studio® | .NET 2003 | 0 | 0 | | 2 | 1 | 50.0% |
CAPICOM | N/A | 0 | 0 | | 1 | 0 | 0.0% |
Biztalk® | 2004 | 0 | 0 | | 1 | 0 | 0.0% |
MCMS | 2001 | 0 | 0 | | 1 | 1 | 100.0% |
MCMS | 2002 | 0 | 0 | | 1 | 1 | 100.0% |



Exploits by CVE ID

Product | Version | 2006 CVE ID Count | 2006 CVE Exploits | 2006 Percentage | 2007 CVE ID Count | 2007 CVE Exploits | 2007 Percentage | Delta
Windows | Vista | 26 | 7 | 26.9% | 19 | 3 | 15.8% | -11.1%
Windows Mail | Vista | 0 | 0 | | 5 | 3 | 60.0% |
Internet Explorer | 5 | 1 | 0 | 0.0% | 0 | 0 | |
Internet Explorer | 5.5 | 1 | 0 | 0.0% | 0 | 0 | |
Internet Explorer | 6 | 26 | 5 | 19.2% | 19 | 3 | 15.8% | -3.4%
Internet Explorer | 7 | 0 | 0 | | 19 | 3 | 15.8% |
Outlook Express | 5 | 2 | 0 | 0.0% | 1 | 0 | 0.0% | 0.0%
Outlook Express | 6 | 3 | 1 | 33.3% | 5 | 3 | 60.0% | 26.7%
Exchange | 2000 | 3 | 1 | 33.3% | 4 | 1 | 25.0% | -8.3%
Exchange | 2003 | 2 | 1 | 50.0% | 4 | 1 | 25.0% | -25.0%
Exchange | 2007 | 0 | 0 | | 4 | 1 | 25.0% |
Media Player | 6 | 0 | 0 | | 0 | 0 | |
Media Player | 7.1 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
Media Player | 9 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
Media Player | 10 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
Media Player | 11 | 0 | 0 | | 2 | 0 | 0.0% |
Works | 2000 | 7 | 3 | 42.9% | 0 | 0 | |
Works | 2001 | 7 | 3 | 42.9% | 0 | 0 | |
Works | 2002 | 7 | 3 | 42.9% | 0 | 0 | |
Works | 2003 | 7 | 3 | 42.9% | 0 | 0 | |
Works | 2004 | 21 | 8 | 38.1% | 9 | 5 | 55.6% | 17.5%
Works | 2005 | 21 | 8 | 38.1% | 9 | 5 | 55.6% | 17.5%
Works | 2006 | 21 | 8 | 38.1% | 4 | 3 | 75.0% | 36.9%
.NET | 2 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
IIS | 5 | 1 | 1 | 100.0% | 0 | 1 | |
IIS | 6 | 1 | 1 | 100.0% | 0 | 1 | |
Project | 2000 | 11 | 2 | 18.2% | 3 | 2 | 66.7% | 48.5%
Project | 2002 | 11 | 2 | 18.2% | 3 | 2 | 66.7% | 48.5%
Visual Studio® | 2005 | 1 | 1 | 100.0% | 1 | 1 | 100.0% | 0.0%
Visual Studio® | .NET 2002 | 0 | 0 | | 2 | 1 | 50.0% |
Visual Studio® | .NET 2003 | 0 | 0 | | 2 | 1 | 50.0% |
CAPICOM | N/A | 0 | 0 | | 1 | 0 | 0.0% |
Biztalk® | 2004 | 0 | 0 | | 1 | 0 | 0.0% |
MCMS | 2001 | 0 | 0 | | 1 | 1 | 100.0% |
MCMS | 2002 | 0 | 0 | | 1 | 1 | 100.0% |

