Microsoft Security Intelligence Report Special Edition 10 Year Review

8/2/2019 Microsoft Security Intelligence Report Special Edition 10 Year Review

http://slidepdf.com/reader/full/microsoft-security-intelligence-report-special-edition-10-year-review 1/48

Theevolutionofmalware

andthethreatlandscape

–a10-yearreview

MicrosoftSecurityIntelligenceReport:SpecialEdition

February,2012



ii

MICROSOFT SECURITY INTELLIGENCE REPORT: SPECIAL EDITION

Thisdocumentisforinformationalpurposesonly.MICROSOFTMAKESNOWARRANTIES,EXPRESS,

IMPLIED,ORSTATUTORY,ASTOTHEINFORMATIONINTHISDOCUMENT.

Thisdocumentisprovided“as-is.”Informationandviewsexpressedinthisdocument,including

URLandotherInternetwebsitereferences,maychangewithoutnotice.Youbeartheriskofusing

it.

Copyright©2012MicrosoftCorporation.Allrightsreserved.

Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheir

respectiveowners.

Authors and contributors

BILLBARLOWE–MicrosoftSecurityResponseCenter

JOEBLACKBIRD–MicrosoftMalwareProtectionCenter

WEIJUANSHIDAVIS–WindowsProductManagementConsumer

JOEFAULHABER–MicrosoftMalwareProtectionCenter

HEATHERGOUDEY–MicrosoftMalwareProtectionCenter

PAULHENRY–WadewareLLC

JEFFJONES–MicrosoftTrustworthyComputing

JIMMYKUO–MicrosoftMalwareProtectionCenter

MARCLAURICELLA–MicrosoftTrustworthyComputing

KENMALCOMSON–MicrosoftTrustworthyComputingNAMNG–MicrosoftTrustworthyComputing

HILDALARINARAGRAGIO–MicrosoftMalwareProtectionCenter

TIMRAINS–MicrosoftTrustworthyComputing

ELIZABETHSCOTT–MicrosoftSecurityResponseCenter

JASMINESESSO–MicrosoftMalwareProtectionCenter

JOANNASHARPE–MicrosoftTrustworthyComputing

FRANKSIMORJAY–MicrosoftTrustworthyComputing

HOLLYSTEWART–MicrosoftMalwareProtectionCenter

STEVEWACKER–WadewareLLC

InmemoryofTAREQSAADE



iii

iii

ContentsForeword .............................................................................................................................. v

Scope ................................................................................................................................ v

Reporting period .............................................................................................................. v

Conventions ..................................................................................................................... v

Introduction ........................................................................................................................ 1

Personal computing in 2002 and today .............................................................................. 2

PCs ................................................................................................................................... 2

Mobile computing ........................................................................................................... 2

Online services (precursor to the cloud) ........................................................................ 3

The origins of malware ....................................................................................................... 4

Microsoft Trustworthy Computing ..................................................................................... 6

2002-2003 ....................................................................................................................... 6

2004 ................................................................................................................................ 7

The criminalization of malware ...................................................................................... 7

2005 ................................................................................................................................ 7

Vulnerabilities ................................................................................................................... 10

A decade of maturation ................................................................................................ 10

Industry-wide vulnerability disclosures ........................................................................ 11

Vulnerability severity .................................................................................................... 12

Hardware and software disclosures ............................................................................. 13

Operating system vulnerability disclosures .................................................................. 14

Application vulnerability disclosures ............................................................................ 15

Exploit trends and security bulletins ................................................................................ 16

The state of malware today .............................................................................................. 20

Malware and potentially unwanted software trends ....................................................... 22

How threats have evolved over time ............................................................................ 22

Different threats at different times .............................................................................. 26Threat categories by location ........................................................................................... 29



iv

2011 security intelligence ............................................................................................. 29

Lessons from least infected countries/regions ............................................................. 32

Windows Update and Microsoft Update .......................................................................... 34

In conclusion ..................................................................................................................... 36

Appendix A: Computer protection technologies and mitigations .................................... 37

Appendix B: Threat families referenced in this report ..................................................... 38



v

v

Foreword

Scope

TheMicrosoftSecurityIntelligenceReport(SIR)focusesonsoftwarevulnerabilities,software

vulnerabilityexploits,malicious,andpotentiallyunwantedsoftware.Pastreportsandrelated

resourcesareavailablefordownloadatwww.microsoft.com/sir.Wehopethatreadersfindthe

data,insights,andguidanceinthisspecialeditionoftheSIRusefulinhelpingthemprotecttheir

organizations,software,andusers.

Reporting period

ThisspecialeditionoftheSIRprovidessummarizedinformationfromthelast10years.Where

possible,thisreportincludestrenddataforthefull10-yearperiod;whendataforthefull10-year

periodisnotavailable,trenddataforshorterperiodsisprovided.Generally,becausevulnerability

disclosurescanbehighlyinconsistentfromquartertoquarterandoftenoccurdisproportionately

atcertaintimesoftheyear,statisticsaboutvulnerabilitydisclosuresarepresentedonahalf-yearly

basis,asinrecentvolumesoftheSIR.

Throughoutthereport,half-yearlyandquarterlytimeperiodsarereferencedusingthenHyyor

nQyyformats,respectively,whereyyindicatesthecalendaryearandnindicatesthehalfor

quarter.Forexample,1H11representsthefirsthalfof2011(January1throughJune30),and2Q11

representsthesecondquarterof2011(April1throughJune30).Toavoidconfusion,pleasenote

thereportingperiodorperiodsbeingreferencedwhenconsideringthestatisticsinthisreport.

Conventions

ThisreportusestheMicrosoftMalwareProtectionCenter(MMPC)namingstandardforfamilies

andvariantsofmalwareandpotentiallyunwantedsoftware.Forinformationaboutthisstandard,

seetheMicrosoftMalwareProtectionCenterNamingStandardspageontheMMPCwebsite.

http://www.microsoft.com/sir



http://www.microsoft.com/security/portal/Shared/MalwareNaming.aspx









Introduction

AstheInternethasextendeditsreachoverthelast10years,malware(malicioussoftware)has

evolvedandbecomemorecomplex.Earlyformsofmalwaresoughttogeneratehigh-profile

nuisanceattacks,buttodayitsaimsareincreasinglypernicious,focusingontheftandotherillicit

activities.Malwarehasbecomemuchmoreofaconcernfororganizations;Internetconnectivity

wasstilltheexceptiontotheruleformanyorganizationsbefore2002,butitquicklybecamethe

normasthefirstdecadeofthe21stcenturyunfolded.

Today,inadditiontoindividualcomputersandthenetworksoforganizationsbothlargeandsmall,

Internetconnectivityalsoextendstodevicessuchasgamingconsolesandsmartphones.Andas

computingparadigmsshift,protectingorganizations,governments,andcitizensfrommalwarehas

becomeevenmoreofachallenge.

MicrosoftTrustworthyComputing,establishedin2002,publishestheMicrosoftSecurityIntelligence

Report(SIR)tohelpkeepcustomersandotherinterestedpartiesinformedaboutthechanging

threatlandscape.TheSIRprovidescomprehensivethreatintelligencefromaroundtheworld.



2

Personal computing in 2002 and today

Evenasmalwareandothersignificantchallengesemerged,computeruserscontinuedtoenjoythe

benefitsoftechnologicalinnovationoverthelast10years.Thissectionpaintsabasic“thenand

now”portraitofthestateofcomputingin2002andtodayin2012inthreeareas:PCs,mobile

computing,andonlineservices,theprecursortothecloud.

PCs

By2002,PCCPUsusedasingle-corearchitectureandhadjustsurpassed2.0GHzinprocessing

speed.WindowsXP,whichwasreleasedinlate2001,required64MBofRAMbut128MBwas

recommended;512MBwasafairlycommonconfiguration.Harddiskdrivesrangedto120GBin

size,andLCDmonitorswerebecomingincreasinglypopular.USBconnectivityforperipheral

deviceswaswidespread,butthemuchfasterUSB2.0specificationhadonlyrecentlybeenratified

andwasthereforenotyetavailable.

Attheoutsetof2012,multi-coreCPUsarecommonandspeedshavesurpassedthe4.0GHzmark,

severaltimesfasterthansystemsavailablein2002.Windows7,releasedin2009,requires1GBof

RAMbut2GBisrecommended.Typicalharddiskdrivesrangefrom600GB,afive-foldincrease

from2002,to1TBormoreinsize.It’spossibletoobtaina23-inchmonitorforlessthan$200USD

intheUnitedStates,andmonitorsbuiltwithLEDtechnology(animprovementovertheolderLCD

technology)arewidelyavailable.USB3.0istheemergingconnectivitytechnology,butUSB2.0is

stillthemostwidelyusedstandard.

Mobile computing

In2002,thefastestlaptopCPUshadbarelybrokenthe1.0GHzmark.512MBofRAMwasa

commonconfiguration,alongwitha20GBto30GBharddiskdrive.CombinationDVD/CD-RW

driveswerestillararityandCD-ROMdriveswerestillthenorm.Soundqualityandhigh-definition

(HD)displayswerestillonusers’wishlists,andsmartphonesdidnotemergeuntil2005.

In2012,laptopPCCPUsarethreetimesasfastasthoseavailablein2002;3.0+GHzclockspeeds

arewidelyavailable.Generally,2GBto4GBofRAMisavailable—4to8timestheamountin

2002—buthigh-endlaptopsofferasmuchas8GB.Typicalharddiskdrivesrangefrom500GBto

600GB,some25timesgreaterthanlaptopdrivesavailablein2002,andnewsolid-stateharddisk

drivesaresignificantlyfaster.HDdisplayswithbuilt-inwebcamsandfacialrecognitiontechnology

(inlieuofpasswords)areareality.DVD/RWdrivesarestandard,andmanysupportthehigh-

resolutionBlu-rayDisctechnologyforvideoplayback.However,suchaccessoriesarebeing



3

3

sacrificedinsomemodelstocreateverythinandlightweightlaptops.High-qualityaudiooptions

arealsoincreasinglycommon.

Ethernetdatatransmissionspeedstandardshavecontinuedtoevolve.GigabitEthernet—which

supportsadatatransmissionrateof1,000megabitspersecond(Mbps)—becamewidelyavailable

duringthedecade,and10GigabitEthernetbecamecertifiedasastandardbytheInstituteofElectricalandElectronicsEngineers(IEEE).However,thesestandardsapplytocopperwire,cable

(coaxialwire),andfiberopticconnections.Thewidespreadproliferationofwirelessnetwork

connectivity,whichaccommodatesthegrowingnumberofmobiledevicesthatareavailabletoday,

alsooccurredduringthe2002–2012timeperiod.In2012,bothdesktopandlaptopcomputers

typicallyofferwiredandwirelessconnectivityoptions.

Online services (precursor to the cloud)

Fromaconsumer’sperspective,anumberofonlinepaymentserviceswereavailableby2002.

TheseservicesfacilitatedthegrowthofInternetcommerce(e-commerce)sitessuchasAmazon.comandeBay,bothofwhichhadbeenopenforbusinesssince1995.E-commerce

explodedinpopularitybetween2002and2012.

Asignificantphenomenonoccurredduringthedecadethathadaconsiderableeffectonpopular

cultureandtheentertainmentindustry.Asmusicandvideobecameavailableasdigitized

computerfiles,theyalsobecameshareableovertheInternet.Napster,perhapsthemostwell-

knownfile-sharingservice,emergedin1999andceasedtradinginJuly2001.However,otherfile-

sharingmodelsalsoemergedandbecamepopular.

ThegrowthoftheInternetandtheemergingavailabilityofbroadbandconnectivityalsoresulted

inonlineservicessuchasRhapsody,thefirststreamingon-demandmusicsubscriptionservicefora

monthlyfee,whichwaslaunchedinDecember2001.

Althoughtheconceptofcloudcomputinghadexistedforsometime,thefirstcloudcomputing

servicesbecamecommerciallyavailablein2002.Sincethattime,moreflexibleoptionshave

emergedthatmakecloudcomputingmoreattractiveandfeasibleforlargeandsmall

organizationsalike,aswellasforindividuals.Cloudcomputingarchitecturescurrentlyinclude

infrastructureasaservice(IaaS),whichprovidescomponentssuchasnetworkingandstorage;

platformasaservice(PaaS),whichprovidesaplatformsuchasadatabaseorawebserverfor

runningapplications;andsoftwareasaservice(SaaS),whichprovidesasoftwareapplicationor

solutionasafinishedorcompleteservice.



4

In2012thereislittledisagreementaboutthelikelihoodofcloudcomputingasthenextsignificant

computingparadigm.Thetechnologyisgainingacceptancefrommanyorganizationsandcloud

computingmodelscontinuetoevolve.

The origins of malware

Malwarebecameknowntomanycomputerusersthroughwidespreadinfectionscausedby

Melissa(in1999)andLoveLetter(in2000).Bothwereemail-based,andLoveLetterspreadviaan

infectedemailattachment.Whentheattachmentwasopened,themalwareoverwroteavarietyof

differenttypesoffilesontheuser’sPCandemaileditselftoothersintheuser’semailaddress

book.

LoveLetterquicklybecamethemostcostlyincidentofitskindtothatpointintime.Despitethe

damagethatMelissaandLoveLettercaused,itcouldbearguedthattheyhadthreepositive

effects:theycausedcomputermalwaretocomeunderincreasingscrutiny;theyincreasedsocialawarenessaboutcomputermalware(throughpeerpressurefrommanyupsetmessagerecipients);

andtheyunderscoredtheimportanceofbackups(becauseLoveLetteroverwrotefileswhichwere

lostifbackupswerenotavailable).

Amoredeviousanddirectmalwarethreatemergedintoprominencein2001:malwarethatcould

spreadwithoutanyhumaninteraction.Onesuchformofmalwarewasaworm,knownasCode

Red,whichwasreleasedontheInternetinJulyof2001andwhichtargetedserversrunning

MicrosoftInternetInformationServices(IIS).Althoughwormshadbeendetectedsinceatleast

1988,CodeRedwasconsideredbyMicrosoftMalwareProtectionCenter(MMPC)researcherstobe

aperfectexampleofawormbecausetherewasnofilecomponent.CodeRedneededtobedetectedintransitorinthememoryofaninfectedcomputer;atthetime,traditionaldesktop

antimalwareproductsthatlookedforfile-basedmalwarecouldnotdetectit.

CodeRedspreadviaTCPport80,thesamechannelthatiscommonlyusedforInternetweb

queries,sowebserversneededtobesecuredagainstsuchattacks.However,othercomputers

requireaccesstoport80forwebbrowserfunctionality.CodeRedmaynothavecausedasmuch

damageasLoveLetter,althoughthisisdifficulttoascertainbecausesomecomputersinfectedwith

CodeRedweresubsequentlyinfectedwithWin32/Nimda,whichalsospreadviaTCPport80.

Win32/Nimdawaswhatsomecallamalwarecocktail,orablendedthreat—thestartofatrendin

malwaredevelopmentthatcontinuestothisday.Itusedatleastfivedifferentattackvectors,

includingmakinguseofbackdoorsleftbypreviousmalware.Becauseitfollowedsocloselyonthe

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Melissa


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=loveletter



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=CodeRed




http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=nimda










5

5

heelsofsuchmalware,notmuchtimewasavailableforittobedeveloped.Therefore,itwaswidely

believedthatWin32/Nimdawasdevelopedbyateamofpeople,notjustasolitarymalwarecoder.

Regardlessofwhocreatedit,Win32/Nimdademonstratedthatifnetworkedcomputersareleft

unprotectedtheycanbecommandeeredandusedagainsttheirownersinamatterofhours,

perhapsevenminutes.HundredsofthousandsofcomputerswereovercomebyWin32/Nimda,manyofwhichoperatedwell-knownwebsitesandmailserversformediumtolargecompanies.In

total,morethan50,000importantInternetsiteswereinfected.Andmorethanonepersonnoted

thatWin32/NimdawasreleasedonSept.18,justoneweekaftertheterroristattacksofSept.11,

2001,afactthatmademanysecurityexpertsuneasy.

Inaddition,2001sawtheemergenceofmalwarefromemailmessagesthatappearedtobe

innocuous.Suchmalwareemergedfrommessagesthathadnocodeorfilesattached—theyused

URLsinstead.ThesemessageswouldusesocialengineeringtacticstoenticeuserstoclicktheURLs,

whichwouldthenconnectuserstowebsitesthatwereprogrammedwithexploitsdesignedto

performundesirableactionsontheusers’PCs.

2001alsosawtheemergenceof Win32/Sircam,thefirstwidespreadmalwarethatexfiltrated

informationfromcomputers,althoughitisnotknownwhetherthiswastheintentofthemalware.

However,theUkrainianPresident’sprivateitinerarywasunexpectedlypublishedpubliclyasaresult

ofaWin32/Sircaminfection.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=sircam






6

Microsoft Trustworthy Computing

OnJanuary15,2002,thechairmanoftheboardofdirectorsatMicrosoft,BillGates,sentamemo

toallfull-timeemployeesofMicrosoftanditssubsidiaries.Thismemoproposedafundamental

shiftinthecompany’sapproachtoacentralcomponentofitsbusiness,aconceptcalled

TrustworthyComputing(TwC).

TwCisMicrosoft’scommitmenttoprovidemoresecure,private,andreliablecomputing

experiencesbasedonsoundbusinesspractices.MostoftheintelligencethatTwCpublishesinthe

SIRcomesfromthreesecuritycenters—theMicrosoftMalwareProtectionCenter(MMPC),the

MicrosoftSecurityResponseCenter(MSRC),andtheMicrosoftSecurityEngineeringCenter

(MSEC)—whichdeliverin-depththreatintelligence,threatresponse,andsecurityscience.

AdditionalinformationcomesfromproductgroupsacrossMicrosoftandfromMicrosoftIT(MSIT),

thegroupthatmanagesglobalITservicesforMicrosoft.TheSIRisdesignedtogiveMicrosoft

customers,partners,andthesoftwareindustryawell-roundedunderstandingofthethreat

landscapetohelpthemtoprotectthemselvesandtheirassetsfromcriminalactivity.

ThefollowingfigureshowssignificantactionsandmilestonesduringthefirstfiveyearsofTwC’s

existence,aswellassomesignificantmalware-relatedevents.

Figure 1. Significant events and milestones in the threat landscape from 2002 thru 2006

2002-2003

TheeraofmassmailingmalwarethatbeganwithMelissaandLoveLetterextendedtothe2002-

2003timeframeandcausedsignificantincreasesinthevolumeofspam;muchofthismalware



7

7

usedmacrosandMicrosoftVisualBasicscriptingfunctionality.Mostofthismalwarewasdefeated

bysecurityfeaturesintheMicrosoftOfficeXPversionofMicrosoftExcelandtheOffice2003

versionofMicrosoftWord,whentheseprogramsadoptedXMLformatsfortheirdatafiles.

In2003Microsoftstarteditsregularmonthlyprocessforissuingsecurityupdates,whichcontinues

today.Microsoftbeganthisprogramtoprovidetimelyupdatestocustomersonaregularlyscheduledbasis.Someupdatesaresecurityrelated,butnotall.Securityupdatesareprovidedon

thesecondTuesdayofeachmonth,andoptionalupdatesaswellasnon-securityupdatesare

providedonthefourthTuesdayofeachmonth.

2004

MicrosoftreleasedWindowsXPServicePack2(SP2)in2004,whichcontainedextensivesecurity

updatesandimprovements.SP2wastheresultofconsiderableeffortbyMicrosoftdevelopersand

securityexperts.ItwasperhapstheclearestindicationfromMicrosofttothatpointintimeofhow

seriouslythecompanywasconcernedaboutthegrowingproblemofmalwarethroughtheglobalconnectivityoftheInternet.SP2wasasignificantaccomplishmentandamilestoneinthejourney

thatMicrosoftandtherestoftheindustryisontoprotecttechnologyusersfromcriminals.

2004wasalsotheyearthatthefirstsignificantfor-profitmalwareemerged.Themass-mailing

wormfamilyWin32/Mydoomcreatedoneoftheearliestexamplesofabotnet —asetofcomputers

thataresecretlyandillicitlycontrolledbyanattacker,whoordersthemtoperformactivitiessuch

assendingspam,hostingpagesusedinphishingattacks,stealingpasswordsorsensitive

information,anddistributingothermalware.

The criminalization of malware

Manyoftheearlyformsofmalwareweredisruptiveandcostlyintermsofcleanupcostsandlost

productivity,butmostwerecreatedaspranksorasameansofraisingthecreators’statusinthe

onlinehackercommunity.WiththeemergenceofWin32/Mydoomin2004,itbecameapparent

thatmalwarecreatorshadseizedontheopportunitiesmalwareprovidedfortheft,blackmail,and

otherfor-profitcriminalactivities.

2005

In2005theWin32/Zotobwormwasreleased.Win32/Zotobwasnotaswidespreadasoriginally

anticipated.ItsoughttoreducethesecuritysettingsinWindowsInternetExplorerandimpedeitspop-upblockingfunctionalitytodisplayadsforwebsitesthatwouldpayhackersforhits—another

exampleofmalwareforprofit.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=mydoom



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Zotob







8

Latein2005theWin32/Zlobtrojanbeganspreading.Itdisplayedpop-upadsthatwarnedusers

aboutspywareandencouragedthemtopurchasefakeantispyware,whichactuallyredirected

userstoothersitesandcausedotherproblems.Win32/Zlobwasyetanotherindicatorthatthe

daysofmalwarepranksterswereyieldingtocriminalsmotivatedbypotentialprofits.(Formore

informationaboutWin32/Zlob,seethe“Howthreatshaveevolvedovertime”sectionlaterinthis

paper.)

Priorto2005,Microsoftreleasedsecurityupdatestoaddressspecificformsofmalware.For

example,MicrosoftSecurityBulletinMS02-039,whichaddressedthemalwareknownasSlammer,

wasmadeavailableinJulyof2002.InJanuary2005,Microsoftreleasedthefirstversionofthe

MaliciousSoftwareRemovalTool(MSRT),whichremovesspecificprevalentmalicioussoftware

fromcomputersrunningrecentversionsofWindows.MicrosoftmakesanewversionoftheMSRT

availableeverymonthforautomaticdownloadtousers’computersviaWindowsUpdate/Microsoft

Update,afterwhichitrunsonetimetocheckforandremovemalwareinfections.

TheconsistentandautomaticavailabilityoftheMSRThelpsmaintainacleanercomputing

ecosystem.Forexample,inthefirsthalfof2011theMSRTranonanaverageofmorethan600

millionindividualcomputersaroundtheworldeachmonth.However,theMSRTdoesnotreplacea

preventiveantimalwareproduct;itisstrictlyapost-infectionremovaltool.Microsoftstrongly

recommendsuseofanup-to-datepreventiveantimalwareproduct.

Astechnicallysophisticatedandorganizedcriminalsstartedleveragingtechnologytotake

advantageoftechnologyusers,theMMPCwasestablishedin2005withatwofoldmission:tohelp

protectMicrosoftcustomersfromemergingandexistingthreats,andtoprovideworld-class

antimalwareresearchandresponsecapabilitiestosupportMicrosoftsecurityproductsand

services.

Morerecently,MicrosoftestablishedtheMicrosoftDigitalCrimesUnit(DCU),aworldwideteamof

lawyers,investigators,technicalanalysts,andotherspecialists.ThemissionoftheDCUistomake

theInternetsaferandmoresecurethroughstrongenforcement,globalpartnerships,policy,and

technologysolutionsthathelpdefendagainstfraudandotherthreatstoonlinesafetyandalsoto

protectchildrenfromtechnology-facilitatedcrimes.

ThefollowingfigureshowssomesignificantmilestonesduringthesecondfiveyearsofTwC’s

existence,aswellassomesignificantmalware-relatedevents.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Zlob






9

9

Figure 2. Significant events and milestones in the threat landscape from 2007 thru 2011

InadditiontocreatingtheMMPCandtheDCU,Microsofthasworkedtofosterdeeperindustry

collaborationandsharethelessonslearnedtohelpotherswiththeirsecurityefforts.Onesuch

exampleistheIndustryConsortiumforAdvancementofSecurityontheInternet(ICASI),which

MicrosoftcofoundedinJuneof2008withIntelCorporation,IBM,CiscoSystems,andJuniper

Networks.Sinceitsfounding,Amazon.comandNokiahavealsobecomemembers.

ICASIfosterscollaborationamongglobalcompanieswiththegoalofaddressingcomplexsecurity

threatsandbetterprotectingthecriticalITinfrastructuresthatsupporttheworld’sorganizations,

governments,andcitizens.



10

Vulnerabilities

Vulnerabilitiesareweaknessesinsoftwarethatenableanattackertocompromisetheintegrity,

availability,orconfidentialityofthatsoftwareorthedataitprocesses.Someoftheworst

vulnerabilitiesallowattackerstoexploitacompromisedcomputer,causingittorunarbitrarycode

withouttheuser’sknowledge.

Thepast10yearsrepresentaveryinterestingtimeframeforreviewingvulnerabilitydisclosuresand

ensuingchangesthatcontinuetoaffectriskmanagementinITorganizationsaroundtheworld.

Beforeexaminingthechartsandtrends,abriefreviewofthepastdecadewithregardtoindustry

vulnerabilitiesisinorder.

A decade of maturation

In2002MITRE1presentedAProgressReportontheCVEInitiative(PDF),whichprovidedanupdate

onamulti-yearefforttocreateaconsistentandcommonsetofvulnerabilityinformation—witha

particularfocusonuniquenaming—toenabletheindustrytoeasierassess,manage,andfix

vulnerabilitiesandexposures.TheCVEeffortanddatalaterformedthecoreoftheNational

InstituteofStandards(NIST)NationalVulnerabilityDatabase(NVD),theU.S.government

repositoryofstandards-basedvulnerabilitymanagementdatathatservesastheprimary

vulnerabilityindexforindustryvulnerabilitiesreferencedintheSIR.

2002alsomarkedthebeginningofacommercialmarketforvulnerabilities;iDefensestarteda

vulnerabilitycontributorprogramthatpaidfindersforvulnerabilityinformation.

In2003,theU.S.NationalInfrastructureAdvisoryCouncil(NIAC)commissionedaproject“to

proposeanopenanduniversalvulnerabilityscoringsystemtoaddressandsolvethese

shortcomings,withtheultimategoalofpromotingacommonunderstandingofvulnerabilitiesand

theirimpact.”ThisprojectresultedinareportrecommendingtheadoptionoftheCommon

VulnerabilityandScoringSystem(PDF)(CVSSv1)inlate2004.Vulnerabilityseverity(orscoring)

informationwasabigstepforward,becauseitprovidedastandardmethodforrating

vulnerabilitiesacrosstheindustryinavendor-neutralmanner.

2007broughtanupdatetoCVSS,withchangesthataddressedissuesidentifiedbythepractical

applicationofCVSSsinceitsinception.SIRvolume4,whichprovideddataandanalysisforthe

secondhalfof2007,includedvulnerabilitytrendsusingbothCVSSv1andCVSSv2,andsincethen

1 MITRE is a not-for-profit company that works in the public interest to provide systems engineering, research and

development, and information technology support to the U. S. government.

https://cve.mitre.org/docs/docs-2002/prog-rpt_06-02/CVE_FIRST_paper.pdf



http://nvd.nist.gov/



http://www.first.org/cvss/cvss-dhs-12-02-04.pdf










11

11

CVSSv2ratingshavebeenused.Asnotedatthetime,onepracticaleffectofthenewratings

formulaswasthatamuchhigherpercentageofvulnerabilitieswereratedHighorMedium

severity.

Industry-wide vulnerability disclosures

Adisclosure,asthetermisusedintheSIR,istherevelationofasoftwarevulnerabilitytothepublic

atlarge.Itdoesnotrefertoanytypeofprivatedisclosureordisclosuretoalimitednumberof

people.Disclosurescancomefromavarietyofsources,includingthesoftwarevendor,security

softwarevendors,independentsecurityresearchers,andevenmalwarecreators.

Muchoftheinformationinthissectioniscompiledfromvulnerabilitydisclosuredatathatis

publishedintheNVD.ItrepresentsalldisclosuresthathaveaCVE(CommonVulnerabilitiesand

Exposures)number.

Thepastdecadehasseendrasticgrowthinnewvulnerabilitydisclosures,whichpeakedin2006

and2007andthensteadilydeclinedoverthenextfouryearstojustover4,000in2011,whichis

stillalargenumberofvulnerabilities.

Figure 3. Industry-wide vulnerability disclosures since 2002



12

Vulnerabilitydisclosuretrends:

Vulnerabilitydisclosuresacrosstheindustryin2011weredown11.8percentfrom2010.

Thisdeclinecontinuesanoveralltrendofmoderatedeclines.Vulnerabilitydisclosureshave

declinedatotalof37percentsincetheirpeakin2006.

Vulnerability severity

TheCommonVulnerabilityScoringSystem(CVSS)isastandardized,platform-independentscoring

systemforratingITvulnerabilities.TheCVSSassignsanumericvaluebetween0and10to

vulnerabilitiesaccordingtoseverity,withhigherscoresrepresentinggreaterseverity.(Seethe

VulnerabilitySeveritypageontheSIRwebsiteformoreinformation.)

Figure 4. Relative severity of vulnerabilities disclosed since 2002

Vulnerabilityseveritytrends:

Theoverallvulnerabilityseveritytrendhasbeenapositiveone.MediumandHighseverity

vulnerabilitieshavesteadilydecreasedsincetheirhighpointsin2006and2007.

Evenasfewervulnerabilitiesarebeingdisclosedoverall,thenumberofLowseverityvulnerabilitiesbeingdisclosedhasbeenrelativelyflat.Lowseverityvulnerabilitiesaccounted

forapproximately8percentofallvulnerabilitiesdisclosedin2011.

http://microsoft.com/security/sir/keyfindings/default.aspx#!section_2_1_def





13

13

Hardware and software disclosures

TheNVDtracksbothhardwareandsoftwarevulnerabilities.Thenumberofhardware

vulnerabilitiesdisclosedeachyearremainslow,asshowninthefollowingfigure.Thepeaknumber

was198(3.4percent)hardwarevulnerabilitiesdisclosedin2009.

Figure 5. Hardware and software vulnerability disclosures since 2002

Softwarevulnerabilitiesconsistofvulnerabilitiesthataffectoperatingsystems,applications,or

both.Asinmanyotherindustries,onevendor’sproductcanbeanothervendor’scomponent.For

example,CVE-2011-1089affectsGNUlibc2.3,whichislistedasanapplicationproductfromGNU.

However,libcisalsoanintegratedcomponentinseveraloperatingsystemsandisthereforealso

anoperatingsystemvulnerability.Forthisreason,itisdifficulttodrawadistinctlinebetween

operatingsystemandapplicationvulnerabilities.Inthefollowingfigure,vulnerabilitiesthataffect

bothoperatingsystemsandapplicationsareshowninred.



14

Figure 6. Application and operating system vulnerability disclosures since 2002

In2010and2011,approximately13percentofsoftwarevulnerabilitiesaffectedbothapplication

andoperatingsystemproducts.

Operating system vulnerability disclosures

Todeterminethenumberofvulnerabilitiesthataffectoperatingsystems(showninthefollowing

figure),vulnerabilitieswerefilteredforaffectedproductsthatweredesignatedasoperating

systemsintheNVD.



15

15

Figure 7. Operating system vulnerability disclosures since 2002

Application vulnerability disclosures

Todeterminethenumberofvulnerabilitiesthataffectapplications(showninthefollowingfigure),

vulnerabilitieswerefilteredforaffectedproductsthatweredesignatedasapplicationsintheNVD.



16

Figure 8. Application vulnerability disclosures since 2002

Exploit trends and security bulletins

TheMicrosoftSecurityEngineeringCenter(MSEC)isoneofthreesecuritycentersthathelps

protectcustomersfrommalware.TheMSECfocusesonfoundationalwaystodevelopmoresecure

productsandservicesfromthesoftwareengineeringperspective,througheffortssuchasthe

MicrosoftSecurityDevelopmentLifecycle(SDL)andsecurityscience.

TheMicrosoftSecurityResponseCenter(MSRC)identifies,monitors,resolves,andrespondsto

Microsoftsoftwaresecurityvulnerabilities.TheMSRCreleasessecuritybulletinseachmonthto

addressvulnerabilitiesinMicrosoftsoftware.Securitybulletinsarenumberedseriallywithineach

calendaryear.Forexample,“MS11-057”referstothe57thsecuritybulletinreleasedin2011.

SecuritybulletinsaretypicallyreleasedonthesecondTuesdayofeachmonth,althoughonrare

occasionsMicrosoftreleasesan“out-of-band”securityupdatetoaddressanurgentissue.

Microsoftreleasedoneout-of-bandupdatein2011.



17

17

Thefollowingfigureshowsthenumberofsecuritybulletinsandout-of-bandupdatesissuedsince

2005,whichwaswhenMicrosoftreleasedthefirstversionoftheMaliciousSoftwareRemovalTool

(MSRT).

Figure 9. MSRC security bulletins released since 2005

Period Security bulletins Out-of-band updates

1H05 33 0

2H05 22 0

1H06 32 1

2H06 46 1

1H07 35 1

2H07 34 0

1H08 36 02H08 42 2

1H09 27 0

2H09 47 1

1H10 41 2

2H10 65 1

1H11 52 0

2H11 48 1

AsinglesecuritybulletinoftenaddressesmultiplevulnerabilitiesfromtheCVEdatabase,eachof

whichislistedinthebulletin,alongwithanyotherrelevantissues.Thefollowingfigureshowsthe

numberofsecuritybulletinsreleasedandthenumberofindividualCVE-identifiedvulnerabilities

thattheyhaveaddressedineachhalf-yearperiodsince1H05.(Notethatnotallvulnerabilitiesare

addressedintheperiodinwhichtheyareinitiallydisclosed.)



18

Figure 10. Number of MSRC security bulletins and CVE-identified vulnerabilities addressed

In2011theMSRCreleased100securitybulletinsthataddressed236individualCVE–identified

vulnerabilities,decreasesof7%and6%,respectively,from2010.Asthefollowingfigureshows,the

averagenumberofCVEsaddressedbyeachsecuritybulletinhasincreasedovertime,from1.5in

1H05to2.4in2H11.



19

19

Figure 11. Average number of CVEs per MSRC security bulletin

Wheneverpossible,theMSRCconsolidatesmultiplevulnerabilitiesthataffectasinglebinaryor

componenttoaddresstheminasinglesecuritybulletin.Thisapproachmaximizestheeffectiveness

ofeachupdateandminimizesthepotentialdisruptionthatcustomersfacefromtestingand

integratingindividualsecurityupdatesintotheircomputingenvironments.



20

The state of malware today

Attheendof2001,approximately60,000formsofmalwareorthreatswereknowntoexist.This

numberwasasignificantincreasefrom1996(about10,000)and1991(about1,000).

Figure 12. Approximate growth of malware since 1991

Overthelastdecade,theproliferationofmalwarehasbecomeanonlinecrimestory.Today,

estimatesofthenumberofknowncomputerthreatssuchasviruses,worms,trojans,exploits,

backdoors,passwordstealers,spyware,andothervariationsofpotentiallyunwantedsoftware

rangeintothemillions.

Eversincecriminalmalwaredevelopersbeganusingclientandserverpolymorphism(theabilityfor

malwaretodynamicallycreatedifferentformsofitselftothwartantimalwareprograms),ithas

becomeincreasinglydifficulttoanswerthequestion“Howmanythreatvariantsarethere?”

Polymorphismmeansthattherecanbeasmanythreatvariantsasinfectedcomputerscan

produce;thatis,thenumberisonlylimitedbymalware’sabilitytogeneratenewvariationsofitself.

Ithasbecomelessmeaningfultocountthenumberofthreatvariantsthanitistodetectand

eliminatetheirsources.In2011,morethan49,000differentuniquethreatfamilieswerereported

totheMMPCfromcustomers.Manyofthesereportedfamilieswereduplicates,polymorphic

versionsofkeythreatfamilies;detectingandeliminatingkeythreatfamiliesfrominfected

computersisanongoingactivity.



21

21

In2011Microsoftaddedmorethan22,000signaturestodetectkeythreatfamilies.Ascriminal

malwaredeveloperscreatemorethreats,thesizeoftypicalantimalwaresignaturefilesincreases;

todayantimalwaresignaturefilesrangetomorethan100MBinsize.In2002,typicalantimalware

signaturefileswerelessthan1MBinsize.

Thenumberoffilessubmittedtoantimalwareorganizationshasalsoincreased.Thefollowingfigureshowshowthenumberofsubmittedfilessuspectedofcontainingmalwareorpotentially

unwantedsoftwaretotheMMPChasincreasedsince2005,anincreaseofmorethan200percent.

(SuspectedmalwarefilescanbesubmittedtotheMMPCSubmitasamplepage.)

Figure 13. Percentage increase in the number of files submitted to the MMPC since 2005

https://www.microsoft.com/security/portal/Submission/Submit.aspx






22

Malware and potentially unwanted software trends

Malwarecontinuestoevolve,andthefluctuationsindetectionsofdifferentformsofmalware

sometimesindicatethesuccessesatgivenpointsintimeofthesoftwareindustry’spersistent

antimalwareeffortsversustheeffortsofmalwaredevelopers.

How threats have evolved over time

Whenviewedfromamulti-yearperspective,somemalwareandpotentiallyunwantedsoftware

familiestendtopeak,orbecomequiteprevalent,forshortperiodsoftimeasantimalwarevendors

focustheireffortsondetectingandremovingthesethreats.Thesepeakperiodsarefollowedby

periodsofdeclineasattackerschangetheirtacticsandmoveon.Thefollowingfigureillustrates

thisphenomenon.(ForFigures14through18,theverticalaxisrepresentsthepercentageofall

computersthatwereinfectedwithmalware.)

Figure 14. Malware and potentially unwanted software families that have peaked and declined since 2006

Win32/Rbotwasanearlybotnetfamilythatgainednotorietyin2004and2005afteranumberof

highprofileoutbreakincidentsthataffectedmediaandgovernmentnetworks,amongothers.

Rbotisa“kit”family:RbotvariantsarebuiltfromanopensourcebotnetcreationkitcalledRxBot,whichiswidelyavailableamongmalwareoperators,andmanydifferentgroupshaveproduced

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Rbot





23

23

theirownvariantswithdifferentfunctionality.TheMSRTwasupdatedtodetectRbotinApril2005,

anddetectionsdecreasedsharplythrough2006,fallingbelow2percentofcomputerswith

detectionsby2H08.

ThetrojanfamilyWin32/Zlobwasfoundonalmostoneofeveryfourcomputersthatwasinfected

withmalwarein1H08,alevelofprevalencethatnootherfamilyhasequaledbeforeorsince.Zlobwastypicallydistributedonwebpages,posingasamediacodecthatvisitorswouldhavetoinstall

towatchvideocontentdownloadedorstreamedfromtheInternet.Afteritisinstalledonatarget

computer,Zlobdisplayspersistentpop-upadvertisementsforroguesecuritysoftware.AZlob

variantdetectedattheendof2008includedanencodedmessage,apparentlywrittenbytheZlob

authorandintendedforMMPCresearchers,indicatingthattheauthorwouldbeceasing

developmentanddistributionofthetrojan:

ForWindowsDefender'sTeam:

Isawyourpostintheblog(10-Oct-2008)aboutmypreviousmessage.

Justwanttosay'Hello'fromRussia.

Youarereallygoodguys.ItwasasurpriseformethatMicrosoftcanrespondonthreatsso

fast.

Ican'tsignherenow(he-he,sorry),howitwassomeyearsagoformoreseriously

vulnerabilityforallWindows;)

HappyNewYear,guys,andgoodluck!

P.S.BTW,weareclosingsoon.Notbecauseofyourwork.:-))

So,youwillnotseesomeofmygreat;)ideasinthatfamilyofsoftware.

Trytosearchinexploits/shellcodesandrootkits.

Also,itisfunny(probablyforyou),butMicrosoftofferedmeajobtohelpimprovesomeofVista'sprotection.It'snotinterestingforme,justalife'sirony.

Indeed,detectionsofZlobdecreasedsignificantlyin2H08,andby2010Zlobwasnolonger

amongthetop50most-detectedfamiliesworldwide.

Win32/ConfickerisawormfamilydiscoveredinNovember2008thatinitiallyspreadbyexploiting

avulnerabilityaddressedbysecurityupdateMS08-067,whichwasreleasedthepreviousmonth.

Confickerdetectionspeakedin1H09anddeclinedtoamuchlowerlevelthereafter,following

coordinatedeffortsbytheConfickerWorkingGrouptocontainthespreadofthewormandclean

infectedcomputers.Ithasbeendetectedonbetween3percentand6percentofinfected

computersineach6-monthperiodsincethen.




http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Conficker


http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx



http://www.confickerworkinggroup.org/









24

JS/PornpopisadwarethatconsistsofspeciallycraftedJavaScript-enabledobjectsthatattemptto

displaypop-underadvertisements.FirstdetectedinAugust2010,itwasthesecondmost

commonlydetectedfamilyin2H10and1H11,andislikelytobethemostcommonlydetected

familyin2H11.

Win32/AutorunisagenericdetectionforwormsthatattempttospreadbetweenmountedcomputervolumesbymisusingtheAutoRunfeatureinWindows.DetectionsofWin32/Autorun

increasedgraduallyforseveralperiodsbeforepeakingin2H10asthemostcommonlydetected

familyduringthatperiod.

MicrosoftintroducedachangetothewaythattheAutoRunfeatureworksinWindows7and

WindowsServer2008R2inanefforttohelpprotectusersfromAutoRunthreats.Intheseversions

ofWindows,theAutoRuntaskisdisabledforallvolumesexceptopticaldrivessuchasCD-ROM

andDVD-ROMdrives,whichhavehistoricallynotbeenusedtotransmitAutoRunmalware.

Subsequently,Microsoftpublishedasetofupdatesthatback-portedthischangetoWindowsXP,

WindowsServer2003,WindowsVista,andWindowsServer2008.Theseupdateshavebeen

publishedasImportantupdatesthroughtheWindowsUpdateandMicrosoftUpdateservicessince

February2011,whichmayhavehelpedcontributetothedeclineinWin32/Autorundetections

observedthroughout2011.

Othermalwareandpotentiallyunwantedsoftwarefamiliesaren’tasprevalentasthepeakfamilies,

butexistforlongerperiodsoftime.Thefollowingfigureillustratestheprevalenceofsomeofthese

morepersistentmalwarefamilies.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=JS/Pornpop


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Autorun






25

25

Figure 15. Malware families that have remained active at lower levels since 2007

Win32/Renos,assignedtotheTrojanDownloaders&Dropperscategoryinpreviousvolumesof

theSIR,wasoneofthefourmostcommonlydetectedmalwarefamiliesineachsix-monthperiod

from1H07to2H10,takingthetopslotin2H08and1H10,andonlydroppedoutofthetop25in

2H11.Renosisatrojandownloaderthatinstallsroguesecuritysoftwareoninfectedcomputers.

Win32/Taterf ,assignedtotheWormscategoryinpreviousvolumesoftheSIR,wasamongthefive

mostcommonlydetectedmalwarefamiliesineachperiodfrom2H08to2H10,andwasthemostcommonlydetectedfamilyin2H09.Taterfisawormthatspreadsviamappeddrivestosteallogon

andaccountdetailsforpopularonlinegames.Theincreasingpopularityofmassivelymultiplayer

onlinerole-playinggameshascreatedamarket(usuallydiscouragedbythemakersofthegames

themselves)invirtual“gold”andin-gameequipment,whichplayerstradeforreal-worldcash.This

inturnhasledtoaclassofthreatslikeTaterf,whichstealplayers’gamingpasswordsonbehalfof

thieveswhocanthenauctionthevictims’virtuallootthemselves.Taterfisamodifiedversionofa

similarthreat,Win32/Frethog,whichitselfhasbeenpersistentlyprevalentoverthesameperiodof

time.

Win32/Alureon,assignedtotheMiscellaneousTrojanscategoryinpreviousvolumesoftheSIR,isafamilyofdata-stealingtrojanswithrootkitcharacteristics.Itwasfirstdiscoveredinearly2007and

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Renos


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Taterf


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Frethog



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Alureon








26

hasbeeninornearthetop25familiesineachhalf-yearperiodsincethen.Alureonvariantsallow

anattackertointerceptincomingandoutgoingInternettrafficandgatherconfidential

informationsuchasusernames,passwords,andcreditcarddata.

Different threats at different times

Anotherpointthatbecomesapparentwhenmalwareandpotentiallyunwantedsoftwareisviewed

fromamulti-yearperspectiveisthatdifferentcategoriesofmalware—thatis,differenttypesof

threats—havebeenprevalentatdifferenttimes.Thefollowingfigureillustratestherelative

prevalenceofthreedifferentcategoriesofmalware.

Figure 16. Worms, Backdoors, and Miscellaneous Potentially Unwanted Software categories since 2006

In2006and2007,themalwarelandscapewasdominatedbytheWorms,MiscellaneousPotentially

UnwantedSoftware,andBackdoorscategories.(Theterm“MiscellaneousPotentiallyUnwanted

Software”referstoprogramswithpotentiallyunwantedbehaviorthatmayaffectauser’sprivacy,

security,orcomputingexperience.)Bythistime,large-scaleoutbreaksofwormssuchas

Win32/MsblastandWin32/Sasser,whichspreadbyexploitingvulnerabilitiesinnetworkservices,

weremostlyinthepast.Themostlikelyreasonfortheirdeclinewasthehigh-profilenatureof

theseoutbreaks,whichcausedantimalwarevendorstoincreasetheirdetection,cleaning,and

blockingeffortsandultimatelyspurredwidespreadadoptionofthesecurityupdatesthat

addressedtheaffectedvulnerabilities.Mostoftheprevalentwormsin2006weremass-mailers,

suchasWin32/WukillandWin32/Bagle,whichspreadbyemailingcopiesofthemselvestoaddressesdiscoveredoninfectedcomputers.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Msblast


http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Sasser



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Wukill



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Bagle









27

27

Prevalentbackdoorsincludedapairofrelatedbotnetfamilies,Win32/RbotandWin32/Sdbot.

Variantsinthesefamiliesarebuiltfrombotnetconstructionkitsthataretradedinthe

undergroundmarketformalware,andareusedtocontrolinfectedcomputersoverInternetRelay

Chat(IRC).RbotandSdbothavelargelybeensupplantedbynewerbotnetfamilies,butremainin

activeusenonetheless,probablybecauseoftherelativeeasewithwhichprospectivebotnet

operatorscanobtaintheconstructionkits.

Prevalenttrojanfamiliesin2006and2007includedWin32/WinFixer,anearlyroguesecurity

softwarefamily,andthebrowsertoolbarWin32/Starware.Unlikemostmodernroguefamilies,

whichtypicallyposeasantimalwarescanners,WinFixermasqueradesasautilitythatsupposedly

identifies“privacyviolations”inthecomputer’sregistryandfilesystemandoffersto“remove”

themforafee.Win32/Starwareisabrowsertoolbarthatmonitorssearchesatpopularsearch

engines,conductingitsownsearchintandemanddisplayingtheresultsinaninlineframewithin

thebrowserwindow.

Figure 17. Worms, Trojan Downloaders and Droppers, and Password Stealers and Monitoring Tools categories since 2006

TheTrojanDownloadersandDropperscategory,whichaffectedlessthan9percentofcomputers

withdetectionsin1H06,roserapidlytobecomeoneofthemostsignificantthreatcategoriesin

2007and2008,primarilybecauseofincreaseddetectionsof Win32/ZlobandWin32/Renos.

Afterdecreasingsignificantlyfromits1H06peak,theWormscategorybegantoincreaseagainin2009afterthediscoveryof Win32/Confickerandreachedasecondpeakin2Q10withincreased

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Rbot



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Sdbot



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/WinFixer



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Starware





















28

detectionsof Win32/Taterf andWin32/Rimecud.Rimecudisafamilyofwormswithmultiple

componentsthatspreadsviaremovabledrivesandinstantmessaging.Italsocontainsbackdoor

functionalitythatallowsunauthorizedaccesstoanaffectedcomputer.

MalwarefamiliesinthePasswordStealersandMonitoringToolscategory,whichwereresponsible

foranegligiblepercentageofdetectionsin1H06,increasedslowlybutsteadilythrough2008and2009beforepeakingin2Q10.GamepasswordstealerssuchasWin32/Frethogwereresponsiblefor

muchofthisincrease.

Figure 18. Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories since 2006

TheAdware,MiscellaneousPotentiallyUnwantedSoftware,andMiscellaneousTrojanscategories

werethemostcommonlydetectedcategoriesin2010and2011.Adwaredetectionsincreased

significantlyin1H11,includingtheadwarefamiliesWin32/OpenCandyandJS/Pornpop.

OpenCandyisanadwareprogramthatmaybebundledwithcertainthird-partysoftware

installationprograms.SomeversionsoftheOpenCandyprogramsenduser-specificinformation

withoutobtainingadequateuserconsent,andtheseversionsaredetectedbyMicrosoft

antimalwareproducts.PornpopisadetectionforspeciallycraftedJavaScript-enabledobjectsthat

attempttodisplaypop-underadvertisementsinusers’webbrowsers.Initially,JS/Pornpop

appearedexclusivelyonwebsitesthatcontainedadultcontent;however,ithassincebeen

observedtoappearonwebsitesthatmaycontainnoadultcontentwhatsoever.

TheMiscellaneousPotentiallyUnwantedSoftwarecategory,whichwasthemostcommonly




http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Rimecud






http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/OpenCandy













29

29

detectedcategoryin2006,declinedinprevalencein2007and2008,thenincreasedagainto

becomethesecondmostprevalentcategoryin2Q11.Significantfamiliesinthiscategoryin2Q11

wereWin32/Keygen,agenericdetectionfortoolsthatgenerateproductkeysforillegallyobtained

versionsofvarioussoftwareproducts,andWin32/Zwangi,aprogramthatrunsasaserviceinthe

backgroundandmodifieswebbrowsersettingstovisitaspecificwebsite.

TheMiscellaneousTrojanscategoryhasconsistentlyaffectedaboutathirdofcomputersthatwere

infectedwithmalwareineachperiodsince2H08.Anumberofroguesecuritysoftwarefamiliesfall

intothiscategory,suchasWin32/FakeSpyPro,themostcommonlydetectedroguesecurity

softwarefamilyin2010.OtherprevalentfamiliesinthiscategoryincludeWin32/Alureon,thedata-

stealingtrojan,andWin32/Hiloti,whichinterfereswithanaffecteduser'sbrowsinghabitsand

downloadsandexecutesarbitraryfiles.

Threat categories by location

Themalwareecosystemhasmovedawayfromhighlyvisiblethreats,suchasself-replicating

worms,towardlessvisiblethreatsthatrelymoreonsocialengineeringfordistributionand

installation.Thisshiftmeansthatthespreadandeffectivenessofmalwarehavebecomemore

dependentonlanguageandculturalfactors.Somethreatsarespreadusingtechniquesthattarget

peoplewhospeakaparticularlanguageorwhouseservicesthatarelocaltoaparticular

geographicregion.Otherstargetvulnerabilitiesoroperatingsystemconfigurationsand

applicationsthatareunequallydistributedaroundtheglobe.InfectiondatafromseveralMicrosoft

securityproductsforsomeofthemorepopulouslocationsaroundtheworlddemonstratesthe

highlylocalizednatureofmalwareandpotentiallyunwantedsoftware.

Accordingly,thethreatlandscapeismuchmorecomplexthanasimpleexaminationofthebiggest

globalthreatswouldsuggest.

2011 security intelligence

Thefollowingfigureshowsthosecountries/regionsreportingsignificantlylargenumbersof

computerscleanedbyMicrosoftdesktopantimalwareproductssince2009.2

2 For information about how PC locations are determined, see the blog post Determining the Geolocation of Systems Infected

with Malware.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Keygen



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Zwangi



http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/FakeSpyPro






http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/Hiloti



http://blogs.technet.com/b/security/archive/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware.aspx














30

Figure 19. Countries/regions with significantly large numbers of computers cleaned since 2009

Thefollowingfigureshowscountries/regionsthathavehistoricallyreportedhighinfectionratesas

comparedtotheaverageinfectionrateforallcountries/regions.











31

31

Figure 20. Countries/regions with historically high infection rates as compared to the worldwide average since 2009

Thefollowingfigureshowscountries/regionsthathavehistoricallyreportedlowinfectionratesas

comparedtotheaverageinfectionrateforallcountries/regions.

Figure 21. Countries/regions with historically low infection rates as compared to the worldwide average since 2009













32

Lessons from least infected countries/regions

Austria,Finland,Germany,andJapanhaveallenjoyedrelativelylowmalwareinfectionratesover

thepastseveralyears.However,manyofthesameglobalthreatsthatareprevalentin

countries/regionswithhighmalwareinfectionrates,suchasBrazil,Korea,andTurkey,arealso

prevalentincountries/regionswithlowinfectionrates.

Adwareisamongthemostprevalentcategoriesofthreatsfoundincountries/regionswith

bothhighmalwareinfectionratesandlowmalwareinfectionrates;itwasobservedasthetop

orsecondtotopcategoryineach.BothJS/Pornpop(detectedonmorethan6.5million

uniquecomputersgloballyinthesecondhalfof2010)andWin32/ClickPotatoarevery

prevalentinthesecountries/regions.

Win32/Renoswasprimarilyresponsibleforthelevelsoftrojandownloadersanddroppers

foundincountries/regionswithbothhighmalwareinfectionratesandlowmalwareinfection

rates.Win32/Renoshasbeenaprevalentfamilyoftrojandownloadersanddroppersforanumberofyears,andwasdetectedonmorethan8millionuniquecomputersaroundthe

worldin2010.

Win32/Autorun,detectedonmorethan9millionuniquecomputersgloballyin2010,and

Win32/Conficker,detectedonmorethan6.5millionuniquecomputersgloballyin2010,arein

thetoptenlistsofthreatsforcountries/regionswithbothhighmalwareinfectionratesand

lowmalwareinfectionrates,exceptFinland.

TherelativelylowmalwareinfectionratesinAustria,Finland,Germany,andJapandoesnot

necessarilymeanthatcriminalsarenotactiveinthesecountries/regions.Forexample:

Moremalwarehostingsites(per1,000hosts)wereobservedinGermanythanintheUnited

Statesin2010.

Thepercentageofsiteshostingdrive-bydownloadsinFinlandwasalmosttwicethatofthe

UnitedStatesinthefirsthalfof2010.

InQ4of2010,thepercentageofsiteshostingdrive-bydownloadsinGermanywasobserved

tobe3.7timeshigherthanthenumberobservedintheUnitedStates.

Thepercentageofsiteshostingdrive-bydownloadsinJapanwas12percenthigherthanthat

oftheUnitedStatesduringthefirsthalfof2010.Althoughthispercentagewentdown

precipitouslyinbothlocationsbythefourthquarterof2010,thepercentageofsiteshosting
















http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Win32/ClickPotato
















33

33

drive-bydownloadsinJapanwas4.7timeshigherthanthatoftheUnitedStatesinQ4.

Securityexpertsinthesecountries/regionsindicatethatthefollowingfactorscontributeto

consistentlylowmalwareinfectionratesintheircountries/regions:

Strongpublic–privatepartnershipsexistthatenableproactiveandresponsecapabilities.

Computeremergencyresponseteams(CERTs),Internetserviceproviders(ISPs),andothers

whoactivelymonitorforthreatsenablerapidresponsetoemergingthreats.

AnITcultureinwhichsystemadministratorsrespondrapidlytoreportsofsysteminfectionsor

abuseishelpful.

Enforcementpoliciesandactiveremediationofthreatsviaquarantininginfectedsystemson

networksinthecountry/regioniseffective.

Educationalcampaignsandmediaattentionthathelpimprovethepublic’sawarenessof

securityissuescanpaydividends.

LowsoftwarepiracyratesandwidespreadusageofWindowsUpdate/MicrosoftUpdatehas

helpedkeepinfectionratesrelativelylow.

ThislisthasstrikingsimilaritiestotheCollectiveDefenseconceptoutlinedinapaperwrittenby

ScottCharney,CorporateVicePresidentofTrustworthyComputingatMicrosoft,in2010.

“CollectiveDefense:ApplyingPublicHealthModelstotheInternet”(PDF)outlinesamodelto

improvethehealthofdevicesconnectedtotheInternet.Toaccomplishthis,governments,theIT

industry,andISPsshouldensurethehealthofconsumerdevicesbeforegrantingthemunfettered

accesstotheInternet.Theapproachofferedinthepaperistolookataddressingonlinesecurityissuesusingamodelsimilartotheonesocietyusestoaddresshumanillness.Thepublichealth

modelencompassesseveralinterestingconceptsthatcanbeappliedtoInternetsecurity.

Theconsistentlyleastinfectedcountries/regionsintheworldappeartobealreadydoingmanyof

thethingsthattheCollectiveDefensehealthmodelproposes.Avideothatexaminesthemodelis

availableontheTrustworthyComputingwebsitehere.

http://download.microsoft.com/download/7/F/B/7FB2F266-7914-4174-BBEF-2F5687882A93/Collective%20Defense%20-%20Applying%20Global%20Health%20Models%20to%20the%20Internet.pdf



http://www.microsoft.com/mscorp/twc/endtoendtrust/framework/controls/video/ModalVideoPlayer.aspx?t=Collective+Defense%3A+Applying+Public+Health+Models+to+the+Internet







34

Windows Update and Microsoft Update

Microsoftprovidesseveraltoolsandservicesthatenablesystemsortheiruserstodownloadand

installupdatesdirectlyfromMicrosoftor,forbusinesscustomers,fromupdateserversmanagedby

theirsystemadministrators.Theupdateclientsoftware(calledAutomaticUpdatesinWindowsXP

andWindowsServer2003,andsimplyWindowsUpdateinWindows7,WindowsVista,and

WindowsServer2008)connectstoanupdateserviceforthelistofavailableupdates.Afterthe

updateclientdetermineswhichupdatesareapplicabletoeachuniquesystem,itinstallsthe

updatesornotifiestheuserthattheyareavailable,dependingonthewaytheclientisconfigured

andthenatureofeachupdate.

Forusers,Microsoftprovidestwoupdateservicesthattheupdateclientscanuse:

WindowsUpdateprovidesupdatesforWindowscomponentsandfordevicedriversprovided

byMicrosoftandotherhardwarevendors.WindowsUpdatealsodistributessignatureupdates

forMicrosoftantimalwareproductsandthemonthlyreleaseoftheMSRT.Bydefault,whenauserenablesautomaticupdating,theupdateclientconnectstotheWindowsUpdateservice

forupdates.

MicrosoftUpdateprovidesalloftheupdatesofferedthroughWindowsUpdateaswellas

updatesforotherMicrosoftsoftware,suchastheMicrosoftOfficesystem,MicrosoftSQL

Server,andMicrosoftExchangeServer.Userscanoptintotheservicewheninstallingsoftware

thatisservicedthroughMicrosoftUpdateorattheMicrosoftUpdatewebsite.

EnterprisecustomerscanalsouseWindowsServerUpdateServices(WSUS)ortheMicrosoft

SystemCenter2012familyofmanagementproductstoprovideupdateservicesfortheirmanaged

computers.

http://update.microsoft.com/microsoftupdate



http://technet.microsoft.com/en-us/windowsserver/bb332157







35

35

Figure 22. Usage of Windows Update and Microsoft Update, 2H06-2H11, indexed to 2H06 total usage

Sinceitsintroductionin2005,usageofMicrosoftUpdatehasincreaseddramatically.



36

In conclusion

ThisspecialeditionoftheSIRprovidesinformationabouthowmalwareandotherformsof

potentiallyunwantedsoftwarehaveevolvedoverthelast10years.

Computinghasbecomepartofthefabricofoureverydaylives,andthefoundationsofmodernsocietyarebecomingmoredigitaleveryday.Informationandcommunicationstechnology(ICT)

hastransformedforthebetterhowwelive,butsocietystillconfrontssomelong-standingand

evolvingchallenges.

Asthenumberofpeople,computers,anddevicesthatconnecttotheInternetcontinuesto

increase,cyberthreatsarebecomingmoresophisticatedintheirabilitytogathersensitivedata,

disruptcriticaloperations,andconductfraud.

Cyberthreatstodayareoftencharacterizedastechnicallyadvanced,persistent,well-funded,and

motivatedbyprofitorstrategicadvantage.SecurityintelligenceisavaluableassettoallInternet

users,organizations,governments,andconsumersalike,whofaceamyriadofthreatsthatare

anythingbutstatic.BecauseweliveinaworldthatissodependentonIT,Microsoft’sdedicationto

security,privacy,andreliabilitymightbemoreimportanttodaythanitwasthanwhenTrustworthy

Computingwasestablishedin2002.

Manyindustriesandorganizations,includingMicrosoft,areinvestinginresearchintelligence,

softwaredevelopmentmethods,andtoolstohelpgovernments,industry,andindividualsbetter

reduceandmanagetherisksthatresultfromtheuncertaintyoftherapidlychangingthreat

landscape.MicrosoftTrustworthyComputingcontinuestocontributetothecomputingecosystem

aswefaceanewworldofdevices,services,andcommunicationstechnologiesthatcontinueto

evolve.



37

37

Appendix A: Computer protection technologies and mitigations

Addressingthreatsandrisksrequiresaconcertedeffortonthepartofpeople,organizations,and

governmentsaroundtheworld.The“ManagingRisk”sectionoftheMicrosoftSecurityIntelligence

Report(SIR)websitepresentsmanysuggestionsforpreventingharmfulactionsfrommalware,

breaches,andothersecuritythreats,andfordetectingandmitigatingproblemswhentheyoccur.

Topicsinthissectionofthewebsiteinclude:

“ProtectingYourOrganization,”whichoffersguidanceforITadministratorsinsmall,medium-

sized,andlargeorganizationsseekingtoimprovetheirsecuritypracticesandtostaycurrent

onthelatestdevelopments.

“ProtectingYourSoftware,”whichofferssoftwaredevelopersinformationaboutdeveloping

securesoftware,includingin-housesoftware,andsecuringInternet-facingsystemsfrom

attack.

“ProtectingYourPeople,”whichoffersguidanceforpromotingawarenessofsecuritythreats

andsafeInternetusagehabitswithinanorganization.

Additionalhelpfulinformationaboutvulnerabilityandmalwareprotectioneffortsisavailablein

thefollowingdocuments:

InformationSharingandMSRC2010,areportbytheMicrosoftSecurityResponseCenter

MitigatingSoftwareVulnerabilitieswhitepaper

MalwareresearchandresponseatMicrosoft.Thisreportfocusesontheroleandactivitiesof

theMicrosoftMalwareProtectionCenterandourvisiontoprovidethorough,ongoing

malwareresearchandresponse.

IntroducingMicrosoftAntimalwareTechnologies.ThiswhitepaperhelpsITprofessionalsto

understandtheoverallmalwarelandscapeandhowtotakeadvantageofthefeaturesintheir

antimalwaretechnology.

http://www.microsoft.com/security/sir/strategy/default.aspx#!section_1












http://go.microsoft.com/?linkid=9738546


















38

Appendix B: Threat families referenced in this report

ThedefinitionsforthethreatfamiliesreferencedinthisreportareadaptedfromtheMicrosoft

MalwareProtectionCenterMalwareencyclopedia,whichcontainsdetailedinformationabouta

largenumberofmalwareandpotentiallyunwantedsoftwarefamilies.Seetheencyclopediafor

morein-depthinformationandguidanceforthefamilieslistedhereandthroughoutthereport.

Win32/Alureon.Adata-stealingtrojanthatgathersconfidentialinformationsuchasusernames,

passwords,andcreditcarddatafromincomingandoutgoingInternettraffic.Itmayalsodownload

maliciousdataandmodifyDNSsettings.

Win32/Autorun.Afamilyofwormsthatspreadsbycopyingitselftothemappeddrivesofan

infectedcomputer.Themappeddrivesmayincludenetworkorremovabledrives.

Win32/Bagle.Awormthatspreadsbyemailingitselftoaddressesfoundonaninfected

computer.SomevariantsalsospreadthroughP2Pnetworks.Bagleactsasabackdoortrojanand

canbeusedtodistributeothermalicioussoftware.

Win32/ClickPotato.Aprogramthatdisplayspop-upandnotification-styleadvertisementsbased

ontheuser’sbrowsinghabits.

Win32/Conficker.AwormthatspreadsbyexploitingavulnerabilityaddressedbySecurityBulletin

MS08-067.Somevariantsalsospreadviaremovabledrivesandbyexploitingweakpasswords.It

disablesseveralimportantsystemservicesandsecurityproducts,anddownloadsarbitraryfiles.

Win32/FakeSpyPro.AroguesecuritysoftwarefamilydistributedunderthenamesAntivirus

SystemPRO,SpywareProtect2009,andothers.

Win32/Fixer.Malwarethatlocatesvariousregistryentriesandothertypesofdata,misidentifies

themasprivacyviolations,andpromptstheusertopurchaseaproducttoremovethealleged

violations.

Win32/Frethog.Alargefamilyofpassword-stealingtrojansthattargetconfidentialdata,suchas

accountinformation,frommassivelymultiplayeronlinegames.

Win32/Hiloti.Afamilyoftrojansthatinterfereswithanaffecteduser'sbrowsinghabitsand

downloadsandexecutesarbitraryfiles.

Win32/Keygen.Agenericdetectionfortoolsthatgenerateproductkeysforillegallyobtained

versionsofvarioussoftwareproducts.

http://www.microsoft.com/security/portal/Threat/Threats.aspx?id=1








39

39

Win32/Msblast.AfamilyofnetworkwormsthatexploitsavulnerabilityinMicrosoftWindows

2000andWindowsXP,andmayalsoattemptdenialofservice(DoS)attacksonsomeserversites

orcreatebackdoorprogramsthatallowattackerstoaccessinfectedcomputers.

Win32/Mydoom.Afamilyofmass-mailingwormsthatactasbackdoortrojansandallow

attackerstoaccessinfectedsystems.Win32/Mydoommaybeusedtodistributeothermalicioussoftware,andsomevariantslaunchDoSattacksagainstspecificwebsites.

Win32/Nimda.AfamilyofwormsthattargetscomputersrunningcertainversionsofWindows

andexploitsthevulnerabilitydescribedinMicrosoftSecurityBulletinMS01-020tospreadby

infectingweb-contentdocumentsandattachingitselftoemailmessages.

Win32/OpenCandy.Anadwareprogramthatmaybebundledwithcertainthird-partysoftware

installationprograms.Someversionsmaysenduser-specificinformation,includingaunique

machinecode,operatingsysteminformation,locale,andcertainotherinformationtoaremote

serverwithoutobtainingadequateuserconsent.

JS/Pornpop.Agenericdetectionforspecially-craftedJavaScript-enabledobjectsthatattemptto

displaypop-underadvertisements,usuallywithadultcontent.

Win32/Rbot.AfamilyofbackdoortrojansthattargetscertainversionsofWindowsandallows

attackerstocontrolinfectedcomputersthroughanIRCchannel.

Win32/Renos.Afamilyoftrojandownloadersthatinstallroguesecuritysoftware.

Win32/Rimecud.Afamilyofwormswithmultiplecomponentsthatspreadviafixedand

removabledrivesandviainstantmessaging.Italsocontainsbackdoorfunctionalitythatallows

unauthorizedaccesstoanaffectedsystem.

Win32/Rustock .Amulti-componentfamilyofrootkit-enabledbackdoortrojansthatwerefirst

developedaround2006toaidinthedistributionofspamemail.

Win32/Sasser.AfamilyofnetworkwormsthatexploittheLocalSecurityAuthoritySubsystem

Service(LSASS)vulnerabilityfixedinMicrosoftSecurityUpdateMS04-011.

Win32/Sdbot.Afamilyofbackdoortrojansthatallowattackerstocontrolinfectedcomputers.

Win32/Sircam.Afamilyofmass-mailingnetworkwormsthattargetscertainversionsofWindows

andspreadsbysendingacopyofitselfasanemailattachmenttoemailaddressesfoundon

infectedcomputers.



40

Win32/Starware.Awebbrowsertoolbarthatmonitorssearchesatpopularsearchengines,

conductsitsownsearchintandem,anddisplaystheresultsinanIFramewithinthebrowser

window.

Win32/Taterf .Afamilyofwormsthatspreadthroughmappeddrivestostealloginandaccount

detailsforpopularonlinegames.

Win32/Wukill.Afamilyofmass-mailingemailandnetworkwormsthatspreadstorootdirectories

oncertainlocalandmappeddrives.Italsospreadsbysendingacopyofitselfasanemail

attachmenttoemailaddressesfoundoninfectedcomputers.

Win32/Zlob.AlargemulticomponentfamilyofmalwarethatmodifiesWindowsInternetExplorer

settings,altersandredirectsusers’defaultInternetsearchandhomepages,andattemptsto

downloadandexecutearbitraryfiles(includingadditionalmalicioussoftware).

Win32/Zotob.AnetworkwormthatprimarilytargetscomputersrunningWindows2000thatdo

nothaveMicrosoftSecurityBulletinMS05-039installed;itexploitstheWindowsPlug-and-Play

bufferoverflowvulnerability.

Win32/Zwangi.Aprogramthatrunsasaserviceinthebackgroundandmodifieswebbrowser

settingstovisitaparticularwebsite.



41

41



Microsoft Security Intelligence Report Special Edition 10 Year Review

Documents