Microsoft Security Intelligence Report Volume 4: July through December 2007
Key Findings for Australia
Developed by Tim Rains, Ziv Mador, Scott Wu, Jeff Williams and Jakub Kaminski

This is a snapshot of malware and potentially unwanted software trends observed by Microsoft in 2007, focusing on the second half of the year. Most of the figures in this document were calculated using the top five or six categories of malware and potentially unwanted software, as opposed to the more comprehensive list used in the Microsoft Security Intelligence Report (www.microsoft.com/sir). In terms of the top five categories of malware threats in Australia, Microsoft products and tools performed more than 830,000 malware disinfections in Australia in 2007: 266,803 in the first half of the year and 568,125 in the second half. Additionally, in terms of the top five categories of potentially unwanted software, more than 1 million potentially unwanted software disinfections were performed in Australia in 2007: 415,727 in the first half of the year and 662,208 in the second half.
During each month in the second half of 2007 the Microsoft Malicious Software Removal Tool (MSRT), on average, removed malware from 1 out of every 204 Windows-based computers it was executed on in Australia. The malware infection rate in Australia was much lower than the worldwide average, where malware was removed from 1 out of every 123 computers in the second half of 2007. The malware infection rate in Australia is comparable to those observed in Denmark and Nigeria, and slightly higher than those in Malaysia (1:216) or New Zealand (1:264). The MSRT was executed in Australia approximately 2.4 million times per month during the second half of 2007, including about 700,000 executions per month on Windows Vista-based systems, 1.6 million executions per month on Windows XP-based systems, 37,000 executions per month on Windows Server 2003-based systems, and 22,000 executions per month on Windows 2000-based systems.
[Figure: Malware detections by country/region (see footnote 1)]

Consistent with the global trend observed in 2007, there was a large increase in the detection of trojan downloaders and trojans in Australia. Criminals use trojan downloaders to install other malicious files on the infected system, either by downloading them from a remote computer or by dropping them directly from a copy contained in their own code. Clearly these threats have become the tool of choice among criminals in targeting victims around the world and in Australia.

1 The nomenclature used throughout the report to refer to different reporting periods is nHYY, where nH refers to either the first (1) or second (2) half of the year, and YY denotes the year. For example, 1H07 represents the period covering the first half of 2007 (January 1 through June 30), while 2H05 represents the period covering the second half of 2005 (July 1 through December 31).
[Figure: Top 5 Categories of Malware Found in Australia in 2007 (see footnote 2). Share of top-five detections: Trojan Downloader 41.62%, Trojan 34.89%, Worm 10.66%, Exploit 6.59%, Backdoor 6.24%]

The large increase in trojan downloaders in 2007 was accompanied by a large increase in trojans throughout the year in Australia. Although these increases are partly due to adding prevalent trojan downloader families and trojan families to the MSRT, criminals are using these two types of malware in Australia more than any other type of malware.

[Figure: Top 5 Categories of Malware Found in Australia in 2007 by Month. Monthly detections (axis 0 to 50,000) for Trojan Downloader, Trojan, Worm, Exploit and Backdoor]

2 Other less prevalent threats were not included in this analysis. These include rootkits, viruses, password stealers and keyloggers.
The chart below illustrates how the mix or percentage of the top five categories of malware changed during 2007 in Australia. Trojan downloaders constituted 44.67% of the top five in the first half of 2007. Then trojan downloaders decreased to 40.19% of the top five in the second half of the year as the percentage of trojans increased from 30.66% to 36.87% of the top five malware threats. Note that although trojan downloaders dropped slightly as a percentage of the top five threats, the volume of detections and disinfections increased over the same period (as seen in the previous section).

[Figure: First Half vs. Second Half of 2007 Detections: Top 5 Categories of Malware Found in Australia in 2007 (period labels as defined in footnote 1). Percentage of top five (axis 0.00% to 50.00%) for Trojan Downloader, Trojan, Worm, Exploit and Backdoor, 1H07 vs. 2H07]
Potentially Unwanted Software Trends in Australia
Consistent with the worldwide trend, adware was the most prevalent category of potentially unwanted software detected in Australia throughout 2007. As a percentage of the top five categories of potentially unwanted software, adware constituted almost half of the detections. The potentially unwanted software category also constituted a significant percentage of the top five. This category encompasses a variety of software families that do not fall into the other categories listed, notably rogue security software families.

[Figure: Top 5 Categories of Potentially Unwanted Software Found in Australia in 2007. Share of top-five detections: Adware 45.95%, Potentially Unwanted Software 30.98%, Remote Control Software 10.20%, Software Bundler 6.76%, Spyware 6.12%]

Adware detections in Australia increased from 174,546 total detections in the first half of 2007 to 320,761 detections in the second half of 2007; the difference between the two halves is an 83.77% increase. Potentially unwanted software detections increased from 128,156 detections in the first half of 2007 to 205,805 in the second half, a 60.59% increase. Although remote control software constituted only 10.2% of the top five, detections increased from 45,204 in the first half of 2007 to 64,726 in the second half of 2007; the difference between the two halves is a 43.19% increase.
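The nHYY period labels defined in footnote 1 and the half-over-half percentage increases quoted above can be checked mechanically, which is useful when comparing figures across several report volumes. The following Python is an added example, not code from the report or from Microsoft: the label parser, the `pct_change` helper and the `DETECTIONS` table (constructed from the Australian figures quoted in the text) are this example's own, and it assumes two-digit years denote 20YY.

```python
import re
from datetime import date

# Period label format from the report's footnote: nHYY, where n is 1 or 2
# (first or second half of the year) and YY is a two-digit year.
PERIOD_RE = re.compile(r"^([12])H(\d{2})$")


def is_period_label(label):
    """True if `label` is a well-formed nHYY period label (case-insensitive)."""
    return PERIOD_RE.match(label.strip().upper()) is not None


def parse_period(label):
    """Map a period label such as '1H07' to its (start, end) dates.

    Assumption (this example's, not the report's): two-digit years mean 20YY,
    which holds for every period the report refers to (2005 through 2007).
    """
    m = PERIOD_RE.match(label.strip().upper())
    if m is None:
        raise ValueError(f"not an nHYY period label: {label!r}")
    half, yy = int(m.group(1)), int(m.group(2))
    year = 2000 + yy
    if half == 1:
        return date(year, 1, 1), date(year, 6, 30)
    return date(year, 7, 1), date(year, 12, 31)


def pct_change(before, after):
    """Percentage change from `before` to `after`, rounded to two decimals
    as the report presents it. Rejects a zero or negative baseline, which
    would make the ratio meaningless."""
    if before <= 0:
        raise ValueError("baseline count must be positive")
    return round((after - before) / before * 100, 2)


# Constructed table of detection counts taken from the text above
# (Australia, top five potentially unwanted software categories).
DETECTIONS = {
    "Adware": {"1H07": 174546, "2H07": 320761},
    "Potentially Unwanted Software": {"1H07": 128156, "2H07": 205805},
    "Remote Control Software": {"1H07": 45204, "2H07": 64726},
}


def half_over_half(table, earlier="1H07", later="2H07"):
    """Return {category: percentage change} between two period labels.

    Both labels are validated and the later period must start after the
    earlier one ends, so a transposed pair is caught instead of silently
    producing a negative 'increase'.
    """
    _, earlier_end = parse_period(earlier)
    later_start, _ = parse_period(later)
    if later_start <= earlier_end:
        raise ValueError(f"{later} does not follow {earlier}")
    return {cat: pct_change(v[earlier], v[later]) for cat, v in table.items()}


if __name__ == "__main__":
    for cat, change in half_over_half(DETECTIONS).items():
        print(f"{cat}: {change:+.2f}% from 1H07 to 2H07")
```

Running the script reproduces the three increases stated in the text (83.77%, 60.59% and 43.19%), so a figure that disagrees with its own source counts would show up immediately.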
[Figure: Top 5 Categories of Potentially Unwanted Software Found in Australia in 2007 by Month. Monthly detections (axis 0 to 80,000) for Adware, Potentially Unwanted Software, Remote Control Software, Software Bundler and Spyware]

The chart below illustrates how the mix or percentage of the top five categories of potentially unwanted software changed during 2007 in Australia. Adware made up an increasing percentage of the top five as the year progressed, while the other categories stayed relatively flat or decreased.

[Figure: First Half vs. Second Half of 2007 Detections: Top 5 Categories of Potentially Unwanted Software Found in Australia. Percentage of top five (axis 0.00% to 60.00%) for Adware, Potentially Unwanted Software, Remote Control Software, Software Bundler and Spyware, 1H07 vs. 2H07]
Looking at all categories of potentially unwanted software, as opposed to just the top five categories, Australia had over 1.6 million potentially unwanted software detections in the second half of 2007; this was an increase in detections of 25.5% between the first and second halves of 2007.

[Figure: Top 25 Potentially unwanted software detections by country/region]

Top Malware and Potentially Unwanted Software Families in Australia
Consistent with the global trend, of the malware and potentially unwanted software families detected in Australia in 2007, the "Zlob" family was the most prevalent family for most of the year. Win32/Zlob refers to a large multi-component family of malware that modifies Internet Explorer's settings, alters and redirects the user's default Internet search page and home page, and attempts to download and execute arbitrary files (including additional malicious software). The Win32/Zlob family has also been used as the delivery vehicle for rogue security programs that display misleading warnings regarding bogus malware infections.4

Win32/Starware is a Web browser toolbar. Starware monitors searches at popular search engines, conducting its own search in tandem and displaying the results in an IFrame within the browser window.5

Hotbar displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer. The toolbar contains buttons that can change depending on the current Web page and keywords on the page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.6

More details on all of these threats can be found on the Microsoft Malware Protection Center portal at www.microsoft.com/security/portal

[Figure: Top 6 Malware and Potentially Unwanted Software Families Detected in Australia in 2007]

For most of 2007, Zlob remained the most prevalent malware family detected in Australia with a peak in detections in October and November.

[Figure: Top 6 Malware and Potentially Unwanted Software Families Detected in Australia in 2007 by Month]

Although Zlob, a trojan downloader, was the most prevalent malware found in Australia, adware represents a large and growing category of potentially unwanted software in Australia and in the rest of the world.

[Figure: Change in Top 6 Malware and Potentially Unwanted Software Families Detected in Australia in 2007 by Half Year]
The following chart illustrates how the mix or percentage of the top five families of malware and potentially unwanted software changed during 2007 in Australia. Zlob remained the most prevalent threat detected in Australia as a percentage of the top five in both halves of the year. Hotbar grew as a percentage of the top five in the second half of the year, as did Agent.

[Figure: First Half vs. Second Half of 2007 Detections: Top 6 Categories of Malware and Potentially Unwanted Software Found in Australia. Percentage of top families (axis 0.00% to 35.00%), 1H07 vs. 2H07, for Zlob (Trojan Downloader), Starware (Potentially Unwanted Software), Hotbar (Adware), WhenU (Adware), Winfixer (Potentially Unwanted Software) and Agent (Trojan and Trojan Downloader)]
Resources

Previously published Microsoft Security Intelligence Reports
http://microsoft.com/sir

Microsoft Malware Protection Center Portal
http://www.microsoft.com/security/portal/

Understanding Anti-Malware Research and Response at Microsoft
http://download.microsoft.com/download/0/c/0/0c040c8f-2109-4760-a75096443fd14ef2/Understanding%20Malware%20Research%20and%20Response%20at%20Microsoft.pdf

Anti-malware product information for IT Professionals
http://www.microsoft.com/forefront/default.mspx

Windows Malicious Software Removal Tool
http://www.microsoft.com/malwareremove

Windows Defender
http://www.microsoft.com/windowsdefender

Windows Live OneCare
http://onecare.live.com

Windows Live OneCare safety scanner
http://onecare.live.com/scan

Microsoft Exchange Hosted Services
http://www.microsoft.com/exchange/services/default.mspx

Microsoft Forefront Client Security
http://www.microsoft.com/clientsecurity

Microsoft Forefront Security for Exchange Server
http://www.microsoft.com/forefront/serversecurity/exchange/download.mspx

Microsoft Online Safety Technologies (anti-spam and anti-phishing)
http://www.microsoft.com/safety

Sender ID Framework
http://www.microsoft.com/senderid