Microsoft Security Intelligence Report Special Edition 10 Year Review

Apr 06, 2018
Page 1: Microsoft Security Intelligence Report Special Edition 10 Year Review

8/2/2019 Microsoft Security Intelligence Report Special Edition 10 Year Review

http://slidepdf.com/reader/full/microsoft-security-intelligence-report-special-edition-10-year-review 1/48

 

The evolution of malware and the threat landscape – a 10-year review

Microsoft Security Intelligence Report: Special Edition

February, 2012

 


MICROSOFT SECURITY INTELLIGENCE REPORT: SPECIAL EDITION

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.

Copyright © 2012 Microsoft Corporation. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Authors and contributors

BILL BARLOWE – Microsoft Security Response Center
JOE BLACKBIRD – Microsoft Malware Protection Center
WEIJUAN SHI DAVIS – Windows Product Management Consumer
JOE FAULHABER – Microsoft Malware Protection Center
HEATHER GOUDEY – Microsoft Malware Protection Center
PAUL HENRY – Wadeware LLC
JEFF JONES – Microsoft Trustworthy Computing
JIMMY KUO – Microsoft Malware Protection Center
MARC LAURICELLA – Microsoft Trustworthy Computing
KEN MALCOMSON – Microsoft Trustworthy Computing
NAM NG – Microsoft Trustworthy Computing
HILDA LARINA RAGRAGIO – Microsoft Malware Protection Center
TIM RAINS – Microsoft Trustworthy Computing
ELIZABETH SCOTT – Microsoft Security Response Center
JASMINE SESSO – Microsoft Malware Protection Center
JOANNA SHARPE – Microsoft Trustworthy Computing
FRANK SIMORJAY – Microsoft Trustworthy Computing
HOLLY STEWART – Microsoft Malware Protection Center
STEVE WACKER – Wadeware LLC

In memory of TAREQ SAADE


Contents

Foreword ........ v
Scope ........ v
Reporting period ........ v
Conventions ........ v
Introduction ........ 1
Personal computing in 2002 and today ........ 2
PCs ........ 2
Mobile computing ........ 2
Online services (precursor to the cloud) ........ 3
The origins of malware ........ 4
Microsoft Trustworthy Computing ........ 6
2002-2003 ........ 6
2004 ........ 7
The criminalization of malware ........ 7
2005 ........ 7
Vulnerabilities ........ 10
A decade of maturation ........ 10
Industry-wide vulnerability disclosures ........ 11
Vulnerability severity ........ 12
Hardware and software disclosures ........ 13
Operating system vulnerability disclosures ........ 14
Application vulnerability disclosures ........ 15
Exploit trends and security bulletins ........ 16
The state of malware today ........ 20
Malware and potentially unwanted software trends ........ 22
How threats have evolved over time ........ 22
Different threats at different times ........ 26
Threat categories by location ........ 29


2011 security intelligence ........ 29
Lessons from least infected countries/regions ........ 32
Windows Update and Microsoft Update ........ 34
In conclusion ........ 36
Appendix A: Computer protection technologies and mitigations ........ 37
Appendix B: Threat families referenced in this report ........ 38


Foreword

Scope

The Microsoft Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, and malicious and potentially unwanted software. Past reports and related resources are available for download at www.microsoft.com/sir. We hope that readers find the data, insights, and guidance in this special edition of the SIR useful in helping them protect their organizations, software, and users.

Reporting period

This special edition of the SIR provides summarized information from the last 10 years. Where possible, this report includes trend data for the full 10-year period; when data for the full 10-year period is not available, trend data for shorter periods is provided. Generally, because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis, as in recent volumes of the SIR.

Throughout the report, half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats, respectively, where yy indicates the calendar year and n indicates the half or quarter. For example, 1H11 represents the first half of 2011 (January 1 through June 30), and 2Q11 represents the second quarter of 2011 (April 1 through June 30). To avoid confusion, please note the reporting period or periods being referenced when considering the statistics in this report.
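Half-yearly and quarterly labels are easy to mix up when statistics from different SIR volumes are compared, so here is a small parser for the nHyy/nQyy notation, written as an added example (not code from the report) that maps a label to its inclusive date range and back. It assumes two-digit years refer to 2000–2099, which covers the report's 2002–2012 span.

```python
import re
from datetime import date, timedelta

# Period label grammar from the SIR conventions: n = half (1-2) or quarter (1-4),
# H or Q, then a two-digit calendar year. Assumption: yy denotes 2000-2099.
_PERIOD_RE = re.compile(r"^([1-4])([HQ])(\d{2})$")
_MONTHS_PER_KIND = {"H": 6, "Q": 3}


def parse_period(label):
    """Map '1H11' -> (2011-01-01, 2011-06-30) and '2Q11' -> (2011-04-01, 2011-06-30).

    Returns an inclusive (start, end) pair of datetime.date objects.
    Raises ValueError for a malformed label or an index that does not exist
    for the period kind (e.g. '3H11': there is no third half-year).
    """
    m = _PERIOD_RE.match(label.strip().upper())
    if not m:
        raise ValueError(f"not an nHyy/nQyy label: {label!r}")
    n, kind, yy = int(m.group(1)), m.group(2), int(m.group(3))
    months = _MONTHS_PER_KIND[kind]
    if n > 12 // months:
        raise ValueError(f"{kind} index {n} out of range in {label!r}")
    year = 2000 + yy  # assumption: two-digit year is in the 21st century
    start_month = (n - 1) * months + 1
    end_month = start_month + months - 1
    start = date(year, start_month, 1)
    # Inclusive end: first day of the following month minus one day,
    # with December handled explicitly so the year does not roll over.
    if end_month == 12:
        end = date(year, 12, 31)
    else:
        end = date(year, end_month + 1, 1) - timedelta(days=1)
    return start, end


def label_for_date(d, kind):
    """Inverse mapping: the 'H' or 'Q' label whose period contains date d."""
    months = _MONTHS_PER_KIND[kind]
    n = (d.month - 1) // months + 1
    return f"{n}{kind}{d.year % 100:02d}"


def quarters_in_half(half_label):
    """Expand a half-year label into its two quarter labels, e.g. '2H11' -> ['3Q11', '4Q11']."""
    if half_label.strip().upper()[1:2] != "H":
        raise ValueError(f"expected an nHyy label, got {half_label!r}")
    start, end = parse_period(half_label)
    return [label_for_date(start, "Q"), label_for_date(end, "Q")]


def overlaps(label_a, label_b):
    """True when two periods share at least one day, e.g. when one figure is quoted
    per half-year and another per quarter and the reader needs to know if they coincide."""
    a_start, a_end = parse_period(label_a)
    b_start, b_end = parse_period(label_b)
    return a_start <= b_end and b_start <= a_end
```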

Conventions

This report uses the Microsoft Malware Protection Center (MMPC) naming standard for families and variants of malware and potentially unwanted software. For information about this standard, see the Microsoft Malware Protection Center Naming Standards page on the MMPC website.


Introduction

As the Internet has extended its reach over the last 10 years, malware (malicious software) has evolved and become more complex. Early forms of malware sought to generate high-profile nuisance attacks, but today its aims are increasingly pernicious, focusing on theft and other illicit activities. Malware has become much more of a concern for organizations; Internet connectivity was still the exception to the rule for many organizations before 2002, but it quickly became the norm as the first decade of the 21st century unfolded.

Today, in addition to individual computers and the networks of organizations both large and small, Internet connectivity also extends to devices such as gaming consoles and smartphones. And as computing paradigms shift, protecting organizations, governments, and citizens from malware has become even more of a challenge.

Microsoft Trustworthy Computing, established in 2002, publishes the Microsoft Security Intelligence Report (SIR) to help keep customers and other interested parties informed about the changing threat landscape. The SIR provides comprehensive threat intelligence from around the world.


Personal computing in 2002 and today

Even as malware and other significant challenges emerged, computer users continued to enjoy the benefits of technological innovation over the last 10 years. This section paints a basic “then and now” portrait of the state of computing in 2002 and today in 2012 in three areas: PCs, mobile computing, and online services, the precursor to the cloud.

PCs

By 2002, PC CPUs used a single-core architecture and had just surpassed 2.0 GHz in processing speed. Windows XP, which was released in late 2001, required 64 MB of RAM but 128 MB was recommended; 512 MB was a fairly common configuration. Hard disk drives ranged to 120 GB in size, and LCD monitors were becoming increasingly popular. USB connectivity for peripheral devices was widespread, but the much faster USB 2.0 specification had only recently been ratified and was therefore not yet available.

At the outset of 2012, multi-core CPUs are common and speeds have surpassed the 4.0 GHz mark, several times faster than systems available in 2002. Windows 7, released in 2009, requires 1 GB of RAM but 2 GB is recommended. Typical hard disk drives range from 600 GB, a five-fold increase from 2002, to 1 TB or more in size. It’s possible to obtain a 23-inch monitor for less than $200 USD in the United States, and monitors built with LED technology (an improvement over the older LCD technology) are widely available. USB 3.0 is the emerging connectivity technology, but USB 2.0 is still the most widely used standard.

Mobile computing

In 2002, the fastest laptop CPUs had barely broken the 1.0 GHz mark. 512 MB of RAM was a common configuration, along with a 20 GB to 30 GB hard disk drive. Combination DVD/CD-RW drives were still a rarity and CD-ROM drives were still the norm. Sound quality and high-definition (HD) displays were still on users’ wish lists, and smartphones did not emerge until 2005.

In 2012, laptop PC CPUs are three times as fast as those available in 2002; 3.0+ GHz clock speeds are widely available. Generally, 2 GB to 4 GB of RAM is available—4 to 8 times the amount in 2002—but high-end laptops offer as much as 8 GB. Typical hard disk drives range from 500 GB to 600 GB, some 25 times greater than laptop drives available in 2002, and new solid-state hard disk drives are significantly faster. HD displays with built-in webcams and facial recognition technology (in lieu of passwords) are a reality. DVD/RW drives are standard, and many support the high-resolution Blu-ray Disc technology for video playback. However, such accessories are being sacrificed in some models to create very thin and lightweight laptops. High-quality audio options are also increasingly common.

Ethernet data transmission speed standards have continued to evolve. Gigabit Ethernet—which supports a data transmission rate of 1,000 megabits per second (Mbps)—became widely available during the decade, and 10 Gigabit Ethernet became certified as a standard by the Institute of Electrical and Electronics Engineers (IEEE). However, these standards apply to copper wire, cable (coaxial wire), and fiber optic connections. The widespread proliferation of wireless network connectivity, which accommodates the growing number of mobile devices that are available today, also occurred during the 2002–2012 time period. In 2012, both desktop and laptop computers typically offer wired and wireless connectivity options.

Online services (precursor to the cloud)

From a consumer’s perspective, a number of online payment services were available by 2002. These services facilitated the growth of Internet commerce (e-commerce) sites such as Amazon.com and eBay, both of which had been open for business since 1995. E-commerce exploded in popularity between 2002 and 2012.

A significant phenomenon occurred during the decade that had a considerable effect on popular culture and the entertainment industry. As music and video became available as digitized computer files, they also became shareable over the Internet. Napster, perhaps the most well-known file-sharing service, emerged in 1999 and ceased trading in July 2001. However, other file-sharing models also emerged and became popular.

The growth of the Internet and the emerging availability of broadband connectivity also resulted in online services such as Rhapsody, the first streaming on-demand music subscription service for a monthly fee, which was launched in December 2001.

Although the concept of cloud computing had existed for some time, the first cloud computing services became commercially available in 2002. Since that time, more flexible options have emerged that make cloud computing more attractive and feasible for large and small organizations alike, as well as for individuals. Cloud computing architectures currently include infrastructure as a service (IaaS), which provides components such as networking and storage; platform as a service (PaaS), which provides a platform such as a database or a web server for running applications; and software as a service (SaaS), which provides a software application or solution as a finished or complete service.


In 2012 there is little disagreement about the likelihood of cloud computing as the next significant computing paradigm. The technology is gaining acceptance from many organizations and cloud computing models continue to evolve.

The origins of malware

Malware became known to many computer users through widespread infections caused by Melissa (in 1999) and LoveLetter (in 2000). Both were email-based, and LoveLetter spread via an infected email attachment. When the attachment was opened, the malware overwrote a variety of different types of files on the user’s PC and emailed itself to others in the user’s email address book.

LoveLetter quickly became the most costly incident of its kind to that point in time. Despite the damage that Melissa and LoveLetter caused, it could be argued that they had three positive effects: they caused computer malware to come under increasing scrutiny; they increased social awareness about computer malware (through peer pressure from many upset message recipients); and they underscored the importance of backups (because LoveLetter overwrote files which were lost if backups were not available).

A more devious and direct malware threat emerged into prominence in 2001: malware that could spread without any human interaction. One such form of malware was a worm, known as Code Red, which was released on the Internet in July of 2001 and which targeted servers running Microsoft Internet Information Services (IIS). Although worms had been detected since at least 1988, Code Red was considered by Microsoft Malware Protection Center (MMPC) researchers to be a perfect example of a worm because there was no file component. Code Red needed to be detected in transit or in the memory of an infected computer; at the time, traditional desktop antimalware products that looked for file-based malware could not detect it.

Code Red spread via TCP port 80, the same channel that is commonly used for Internet web queries, so web servers needed to be secured against such attacks. However, other computers require access to port 80 for web browser functionality. Code Red may not have caused as much damage as LoveLetter, although this is difficult to ascertain because some computers infected with Code Red were subsequently infected with Win32/Nimda, which also spread via TCP port 80.

Win32/Nimda was what some call a malware cocktail, or a blended threat—the start of a trend in malware development that continues to this day. It used at least five different attack vectors, including making use of backdoors left by previous malware. Because it followed so closely on the heels of such malware, not much time was available for it to be developed. Therefore, it was widely believed that Win32/Nimda was developed by a team of people, not just a solitary malware coder.

Regardless of who created it, Win32/Nimda demonstrated that if networked computers are left unprotected they can be commandeered and used against their owners in a matter of hours, perhaps even minutes. Hundreds of thousands of computers were overcome by Win32/Nimda, many of which operated well-known websites and mail servers for medium to large companies. In total, more than 50,000 important Internet sites were infected. And more than one person noted that Win32/Nimda was released on Sept. 18, just one week after the terrorist attacks of Sept. 11, 2001, a fact that made many security experts uneasy.

In addition, 2001 saw the emergence of malware from email messages that appeared to be innocuous. Such malware emerged from messages that had no code or files attached—they used URLs instead. These messages would use social engineering tactics to entice users to click the URLs, which would then connect users to websites that were programmed with exploits designed to perform undesirable actions on the users’ PCs.

2001 also saw the emergence of Win32/Sircam, the first widespread malware that exfiltrated information from computers, although it is not known whether this was the intent of the malware. However, the Ukrainian President’s private itinerary was unexpectedly published publicly as a result of a Win32/Sircam infection.

 


Microsoft Trustworthy Computing

On January 15, 2002, the chairman of the board of directors at Microsoft, Bill Gates, sent a memo to all full-time employees of Microsoft and its subsidiaries. This memo proposed a fundamental shift in the company’s approach to a central component of its business, a concept called Trustworthy Computing (TwC).

TwC is Microsoft’s commitment to provide more secure, private, and reliable computing experiences based on sound business practices. Most of the intelligence that TwC publishes in the SIR comes from three security centers—the Microsoft Malware Protection Center (MMPC), the Microsoft Security Response Center (MSRC), and the Microsoft Security Engineering Center (MSEC)—which deliver in-depth threat intelligence, threat response, and security science. Additional information comes from product groups across Microsoft and from Microsoft IT (MSIT), the group that manages global IT services for Microsoft. The SIR is designed to give Microsoft customers, partners, and the software industry a well-rounded understanding of the threat landscape to help them to protect themselves and their assets from criminal activity.

The following figure shows significant actions and milestones during the first five years of TwC’s existence, as well as some significant malware-related events.

Figure 1. Significant events and milestones in the threat landscape from 2002 thru 2006

2002-2003

The era of mass mailing malware that began with Melissa and LoveLetter extended to the 2002-2003 timeframe and caused significant increases in the volume of spam; much of this malware used macros and Microsoft Visual Basic scripting functionality. Most of this malware was defeated by security features in the Microsoft Office XP version of Microsoft Excel and the Office 2003 version of Microsoft Word, when these programs adopted XML formats for their data files.

In 2003 Microsoft started its regular monthly process for issuing security updates, which continues today. Microsoft began this program to provide timely updates to customers on a regularly scheduled basis. Some updates are security related, but not all. Security updates are provided on the second Tuesday of each month, and optional updates as well as non-security updates are provided on the fourth Tuesday of each month.

2004

Microsoft released Windows XP Service Pack 2 (SP2) in 2004, which contained extensive security updates and improvements. SP2 was the result of considerable effort by Microsoft developers and security experts. It was perhaps the clearest indication from Microsoft to that point in time of how seriously the company was concerned about the growing problem of malware through the global connectivity of the Internet. SP2 was a significant accomplishment and a milestone in the journey that Microsoft and the rest of the industry is on to protect technology users from criminals.

2004 was also the year that the first significant for-profit malware emerged. The mass-mailing worm family Win32/Mydoom created one of the earliest examples of a botnet—a set of computers that are secretly and illicitly controlled by an attacker, who orders them to perform activities such as sending spam, hosting pages used in phishing attacks, stealing passwords or sensitive information, and distributing other malware.

The criminalization of malware

Many of the early forms of malware were disruptive and costly in terms of cleanup costs and lost productivity, but most were created as pranks or as a means of raising the creators’ status in the online hacker community. With the emergence of Win32/Mydoom in 2004, it became apparent that malware creators had seized on the opportunities malware provided for theft, blackmail, and other for-profit criminal activities.

2005

In 2005 the Win32/Zotob worm was released. Win32/Zotob was not as widespread as originally anticipated. It sought to reduce the security settings in Windows Internet Explorer and impede its pop-up blocking functionality to display ads for websites that would pay hackers for hits—another example of malware for profit.


Late in 2005 the Win32/Zlob trojan began spreading. It displayed pop-up ads that warned users about spyware and encouraged them to purchase fake antispyware, which actually redirected users to other sites and caused other problems. Win32/Zlob was yet another indicator that the days of malware pranksters were yielding to criminals motivated by potential profits. (For more information about Win32/Zlob, see the “How threats have evolved over time” section later in this paper.)

Prior to 2005, Microsoft released security updates to address specific forms of malware. For example, Microsoft Security Bulletin MS02-039, which addressed the malware known as Slammer, was made available in July of 2002. In January 2005, Microsoft released the first version of the Malicious Software Removal Tool (MSRT), which removes specific prevalent malicious software from computers running recent versions of Windows. Microsoft makes a new version of the MSRT available every month for automatic download to users’ computers via Windows Update/Microsoft Update, after which it runs one time to check for and remove malware infections.

The consistent and automatic availability of the MSRT helps maintain a cleaner computing ecosystem. For example, in the first half of 2011 the MSRT ran on an average of more than 600 million individual computers around the world each month. However, the MSRT does not replace a preventive antimalware product; it is strictly a post-infection removal tool. Microsoft strongly recommends use of an up-to-date preventive antimalware product.

As technically sophisticated and organized criminals started leveraging technology to take advantage of technology users, the MMPC was established in 2005 with a twofold mission: to help protect Microsoft customers from emerging and existing threats, and to provide world-class antimalware research and response capabilities to support Microsoft security products and services.

More recently, Microsoft established the Microsoft Digital Crimes Unit (DCU), a worldwide team of lawyers, investigators, technical analysts, and other specialists. The mission of the DCU is to make the Internet safer and more secure through strong enforcement, global partnerships, policy, and technology solutions that help defend against fraud and other threats to online safety and also to protect children from technology-facilitated crimes.

The following figure shows some significant milestones during the second five years of TwC’s existence, as well as some significant malware-related events.


Figure 2. Significant events and milestones in the threat landscape from 2007 thru 2011

In addition to creating the MMPC and the DCU, Microsoft has worked to foster deeper industry collaboration and share the lessons learned to help others with their security efforts. One such example is the Industry Consortium for Advancement of Security on the Internet (ICASI), which Microsoft cofounded in June of 2008 with Intel Corporation, IBM, Cisco Systems, and Juniper Networks. Since its founding, Amazon.com and Nokia have also become members.

ICASI fosters collaboration among global companies with the goal of addressing complex security threats and better protecting the critical IT infrastructures that support the world’s organizations, governments, and citizens.

 


Vulnerabilities

Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data it processes. Some of the worst vulnerabilities allow attackers to exploit a compromised computer, causing it to run arbitrary code without the user’s knowledge.

The past 10 years represent a very interesting timeframe for reviewing vulnerability disclosures and ensuing changes that continue to affect risk management in IT organizations around the world. Before examining the charts and trends, a brief review of the past decade with regard to industry vulnerabilities is in order.

A decade of maturation

In 2002 MITRE¹ presented A Progress Report on the CVE Initiative (PDF), which provided an update on a multi-year effort to create a consistent and common set of vulnerability information—with a particular focus on unique naming—to enable the industry to more easily assess, manage, and fix vulnerabilities and exposures. The CVE effort and data later formed the core of the National Institute of Standards (NIST) National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data that serves as the primary vulnerability index for industry vulnerabilities referenced in the SIR.

2002 also marked the beginning of a commercial market for vulnerabilities; iDefense started a vulnerability contributor program that paid finders for vulnerability information.

In 2003, the U.S. National Infrastructure Advisory Council (NIAC) commissioned a project “to propose an open and universal vulnerability scoring system to address and solve these shortcomings, with the ultimate goal of promoting a common understanding of vulnerabilities and their impact.” This project resulted in a report recommending the adoption of the Common Vulnerability and Scoring System (PDF) (CVSSv1) in late 2004. Vulnerability severity (or scoring) information was a big step forward, because it provided a standard method for rating vulnerabilities across the industry in a vendor-neutral manner.

2007 brought an update to CVSS, with changes that addressed issues identified by the practical application of CVSS since its inception. SIR volume 4, which provided data and analysis for the second half of 2007, included vulnerability trends using both CVSSv1 and CVSSv2, and since then CVSSv2 ratings have been used. As noted at the time, one practical effect of the new ratings formulas was that a much higher percentage of vulnerabilities were rated High or Medium severity.

¹ MITRE is a not-for-profit company that works in the public interest to provide systems engineering, research and development, and information technology support to the U.S. government.

Industry-wide vulnerability disclosures

A disclosure, as the term is used in the SIR, is the revelation of a software vulnerability to the public at large. It does not refer to any type of private disclosure or disclosure to a limited number of people. Disclosures can come from a variety of sources, including the software vendor, security software vendors, independent security researchers, and even malware creators.

Much of the information in this section is compiled from vulnerability disclosure data that is published in the NVD. It represents all disclosures that have a CVE (Common Vulnerabilities and Exposures) number.

The past decade has seen drastic growth in new vulnerability disclosures, which peaked in 2006 and 2007 and then steadily declined over the next four years to just over 4,000 in 2011, which is still a large number of vulnerabilities.

Figure 3. Industry-wide vulnerability disclosures since 2002


Vulnerability disclosure trends:

• Vulnerability disclosures across the industry in 2011 were down 11.8 percent from 2010.
• This decline continues an overall trend of moderate declines. Vulnerability disclosures have declined a total of 37 percent since their peak in 2006.

Vulnerability severity

The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. (See the Vulnerability Severity page on the SIR website for more information.)

Figure 4. Relative severity of vulnerabilities disclosed since 2002

Vulnerability severity trends:

• The overall vulnerability severity trend has been a positive one. Medium and High severity vulnerabilities have steadily decreased since their high points in 2006 and 2007.
• Even as fewer vulnerabilities are being disclosed overall, the number of Low severity vulnerabilities being disclosed has been relatively flat. Low severity vulnerabilities accounted for approximately 8 percent of all vulnerabilities disclosed in 2011.

Hardware and software disclosures

The NVD tracks both hardware and software vulnerabilities. The number of hardware vulnerabilities disclosed each year remains low, as shown in the following figure. The peak number was 198 (3.4 percent) hardware vulnerabilities disclosed in 2009.

Figure 5. Hardware and software vulnerability disclosures since 2002

Software vulnerabilities consist of vulnerabilities that affect operating systems, applications, or both. As in many other industries, one vendor's product can be another vendor's component. For example, CVE-2011-1089 affects GNU libc 2.3, which is listed as an application product from GNU. However, libc is also an integrated component in several operating systems and is therefore also an operating system vulnerability. For this reason, it is difficult to draw a distinct line between operating system and application vulnerabilities. In the following figure, vulnerabilities that affect both operating systems and applications are shown in red.

Figure 6. Application and operating system vulnerability disclosures since 2002

In 2010 and 2011, approximately 13 percent of software vulnerabilities affected both application and operating system products.

Operating system vulnerability disclosures

To determine the number of vulnerabilities that affect operating systems (shown in the following figure), vulnerabilities were filtered for affected products that were designated as operating systems in the NVD.

Figure 7. Operating system vulnerability disclosures since 2002

Application vulnerability disclosures

To determine the number of vulnerabilities that affect applications (shown in the following figure), vulnerabilities were filtered for affected products that were designated as applications in the NVD.

Figure 8. Application vulnerability disclosures since 2002
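The slicing used throughout the vulnerability sections above (disclosures per year and the year-over-year change, CVSS v2 severity bands, hardware versus software, and operating system versus application versus both, as in the libc case) can be reproduced over NVD-style records. The following Python is an added example written for this page, not code or data from the SIR or from the NVD. The record layout, the placeholder CVE ids and the rule that any affected hardware product makes a vulnerability a hardware vulnerability are assumptions; the severity bands are the NVD's published CVSS v2 ranges (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0).

```python
"""Slice NVD-style disclosure records the way the SIR does: counts per year,
CVSS v2 severity bands, and hardware / OS / application / both classification.
Added example; the records below are constructed, not NVD data."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Vuln:
    cve: str                 # constructed placeholder ids, not real CVE numbers
    year: int                # year of public disclosure
    cvss_v2: float           # CVSS v2 base score, 0.0-10.0
    cpes: List[str] = field(default_factory=list)  # affected products as CPE names


def severity_band(score: float) -> str:
    """NVD's qualitative bands for CVSS v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def cpe_part(cpe: str) -> str:
    """Return the CPE part letter: 'h' hardware, 'o' operating system, 'a' application.
    Handles CPE 2.2 URIs (cpe:/o:vendor:product) and CPE 2.3 strings (cpe:2.3:o:...)."""
    fields = cpe.split(":")
    if len(fields) >= 2 and fields[0] == "cpe" and fields[1].startswith("/"):
        part = fields[1][1:]
    elif len(fields) >= 3 and fields[0] == "cpe" and fields[1] == "2.3":
        part = fields[2]
    else:
        raise ValueError(f"unrecognised CPE name: {cpe}")
    if part not in ("h", "o", "a"):
        raise ValueError(f"unknown CPE part {part!r} in {cpe}")
    return part


def product_class(v: Vuln) -> str:
    """Assumed classification rule: any hardware product makes it a hardware
    vulnerability; otherwise OS-only, application-only, or both (the libc case)."""
    parts = {cpe_part(c) for c in v.cpes}
    if "h" in parts:
        return "hardware"
    if parts == {"o", "a"}:
        return "both"
    if parts == {"o"}:
        return "os"
    if parts == {"a"}:
        return "application"
    raise ValueError(f"{v.cve} lists no affected products")


def summarize(vulns: List[Vuln]) -> Dict[str, dict]:
    """Per-year disclosure count, severity distribution and product-class distribution."""
    disclosures: Counter = Counter()
    severity: Dict[int, Counter] = defaultdict(Counter)
    classes: Dict[int, Counter] = defaultdict(Counter)
    for v in vulns:
        disclosures[v.year] += 1
        severity[v.year][severity_band(v.cvss_v2)] += 1
        classes[v.year][product_class(v)] += 1
    return {
        "disclosures": dict(disclosures),
        "severity": {y: dict(c) for y, c in severity.items()},
        "classes": {y: dict(c) for y, c in classes.items()},
    }


def percent_change(counts: Dict[int, int], from_year: int, to_year: int) -> float:
    """Year-over-year change in percent, rounded to one decimal (negative = decline)."""
    return round((counts[to_year] - counts[from_year]) / counts[from_year] * 100, 1)


# Constructed sample; the ids are placeholders in CVE format, not real CVE numbers.
SAMPLE = [
    Vuln("CVE-2010-EX01", 2010, 9.3, ["cpe:/o:example:os:1.0"]),
    Vuln("CVE-2010-EX02", 2010, 5.0, ["cpe:/a:example:app:2.0"]),
    Vuln("CVE-2010-EX03", 2010, 2.1, ["cpe:/a:example:libc:2.3", "cpe:/o:example:os:1.0"]),
    Vuln("CVE-2010-EX04", 2010, 7.2, ["cpe:/h:example:router:3"]),
    Vuln("CVE-2010-EX05", 2010, 4.3, ["cpe:2.3:a:example:browser:8.0:*:*:*:*:*:*:*"]),
    Vuln("CVE-2011-EX01", 2011, 10.0, ["cpe:/o:example:os:2.0"]),
    Vuln("CVE-2011-EX02", 2011, 6.8, ["cpe:/a:example:app:3.0", "cpe:/o:example:os:2.0"]),
    Vuln("CVE-2011-EX03", 2011, 3.3, ["cpe:/a:example:app:3.1"]),
    Vuln("CVE-2011-EX04", 2011, 7.5, ["cpe:/a:example:server:1.2"]),
]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for year in sorted(stats["disclosures"]):
        print(year, stats["disclosures"][year], stats["severity"][year], stats["classes"][year])
    print("2010 -> 2011 change:", percent_change(stats["disclosures"], 2010, 2011), "%")
```

Real NVD feeds list the affected products as CPE names, so the same `cpe_part` split works on exported data; the only judgement call is the precedence rule in `product_class`, which is why it is isolated in one function.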

Exploit trends and security bulletins

The Microsoft Security Engineering Center (MSEC) is one of three security centers that helps protect customers from malware. The MSEC focuses on foundational ways to develop more secure products and services from the software engineering perspective, through efforts such as the Microsoft Security Development Lifecycle (SDL) and security science.

The Microsoft Security Response Center (MSRC) identifies, monitors, resolves, and responds to Microsoft software security vulnerabilities. The MSRC releases security bulletins each month to address vulnerabilities in Microsoft software. Security bulletins are numbered serially within each calendar year. For example, "MS11-057" refers to the 57th security bulletin released in 2011. Security bulletins are typically released on the second Tuesday of each month, although on rare occasions Microsoft releases an "out-of-band" security update to address an urgent issue. Microsoft released one out-of-band update in 2011.

The following figure shows the number of security bulletins and out-of-band updates issued since 2005, which was when Microsoft released the first version of the Malicious Software Removal Tool (MSRT).

Figure 9. MSRC security bulletins released since 2005

Period   Security bulletins   Out-of-band updates
1H05     33                   0
2H05     22                   0
1H06     32                   1
2H06     46                   1
1H07     35                   1
2H07     34                   0
1H08     36                   0
2H08     42                   2
1H09     27                   0
2H09     47                   1
1H10     41                   2
2H10     65                   1
1H11     52                   0
2H11     48                   1

A single security bulletin often addresses multiple vulnerabilities from the CVE database, each of which is listed in the bulletin, along with any other relevant issues. The following figure shows the number of security bulletins released and the number of individual CVE-identified vulnerabilities that they have addressed in each half-year period since 1H05. (Note that not all vulnerabilities are addressed in the period in which they are initially disclosed.)

Figure 10. Number of MSRC security bulletins and CVE-identified vulnerabilities addressed

In 2011 the MSRC released 100 security bulletins that addressed 236 individual CVE-identified vulnerabilities, decreases of 7% and 6%, respectively, from 2010. As the following figure shows, the average number of CVEs addressed by each security bulletin has increased over time, from 1.5 in 1H05 to 2.4 in 2H11.

Figure 11. Average number of CVEs per MSRC security bulletin

Whenever possible, the MSRC consolidates multiple vulnerabilities that affect a single binary or component to address them in a single security bulletin. This approach maximizes the effectiveness of each update and minimizes the potential disruption that customers face from testing and integrating individual security updates into their computing environments.
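As an added example (not MSRC code or MSRC data), the following Python parses bulletin ids of the MSyy-nnn form described above, labels each release with its SIR half-year period, treats a release that does not fall on the second Tuesday of the month as out-of-band, and computes the distinct CVEs per bulletin average that Figure 11 plots. The bulletin ids follow the page's format, but their release dates and CVE lists here are constructed placeholders.

```python
"""Parse MSRC bulletin ids and aggregate CVEs per bulletin by half-year period.
Added example; the bulletin dates and CVE lists below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

BULLETIN_ID = re.compile(r"^MS(\d{2})-(\d{3})$")


@dataclass
class Bulletin:
    bulletin_id: str                                  # e.g. "MS11-057"
    released: date
    cves: List[str] = field(default_factory=list)     # placeholder ids, not real CVEs


def parse_bulletin_id(bulletin_id: str) -> Tuple[int, int]:
    """'MS11-057' -> (2011, 57): the 57th bulletin of 2011.
    Bulletins began in 1998, so two-digit years 98 and 99 map to the 1990s."""
    m = BULLETIN_ID.match(bulletin_id)
    if not m:
        raise ValueError(f"not a security bulletin id: {bulletin_id}")
    yy, seq = int(m.group(1)), int(m.group(2))
    year = 1900 + yy if yy >= 98 else 2000 + yy
    return year, seq


def half_year(d: date) -> str:
    """SIR period label: 1H11 for January-June 2011, 2H11 for July-December 2011."""
    return f"{1 if d.month <= 6 else 2}H{d.year % 100:02d}"


def is_patch_tuesday(d: date) -> bool:
    """Second Tuesday of the month: a Tuesday falling on the 8th through the 14th."""
    return d.weekday() == 1 and 8 <= d.day <= 14


def summarize(bulletins: List[Bulletin]) -> Dict[str, dict]:
    """Per period: bulletins, distinct CVEs addressed, out-of-band releases, CVEs per bulletin."""
    acc: Dict[str, dict] = defaultdict(lambda: {"bulletins": 0, "cves": set(), "out_of_band": 0})
    for b in bulletins:
        year, _seq = parse_bulletin_id(b.bulletin_id)
        if year != b.released.year:
            raise ValueError(f"{b.bulletin_id} released in {b.released.year}, id says {year}")
        period = acc[half_year(b.released)]
        period["bulletins"] += 1
        period["cves"].update(b.cves)          # a CVE fixed by two bulletins counts once
        if not is_patch_tuesday(b.released):
            period["out_of_band"] += 1
    # Order periods chronologically: by two-digit year, then by half.
    ordered = sorted(acc.items(), key=lambda kv: (kv[0][2:], kv[0][0]))
    return {
        p: {
            "bulletins": c["bulletins"],
            "cves": len(c["cves"]),
            "out_of_band": c["out_of_band"],
            "avg_cves": round(len(c["cves"]) / c["bulletins"], 2),
        }
        for p, c in ordered
    }


# Constructed sample: real-format ids, but the dates and CVE lists are placeholders.
SAMPLE_BULLETINS = [
    Bulletin("MS11-001", date(2011, 1, 11), ["CVE-2011-EX01"]),
    Bulletin("MS11-002", date(2011, 1, 11), ["CVE-2011-EX02", "CVE-2011-EX03"]),
    Bulletin("MS11-050", date(2011, 6, 14), ["CVE-2011-EX04", "CVE-2011-EX05", "CVE-2011-EX06"]),
    Bulletin("MS11-057", date(2011, 8, 9), ["CVE-2011-EX07", "CVE-2011-EX08"]),
    Bulletin("MS11-100", date(2011, 12, 29),
             ["CVE-2011-EX09", "CVE-2011-EX10", "CVE-2011-EX11", "CVE-2011-EX12"]),
]

if __name__ == "__main__":
    for period, stats in summarize(SAMPLE_BULLETINS).items():
        print(period, stats)
```

The year cross-check in `summarize` catches a transcription error that a plain count would silently absorb, and the distinct-CVE set matches the report's "individual CVE-identified vulnerabilities" wording rather than summing per-bulletin lists.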

The state of malware today

At the end of 2001, approximately 60,000 forms of malware or threats were known to exist. This number was a significant increase from 1996 (about 10,000) and 1991 (about 1,000).

Figure 12. Approximate growth of malware since 1991

Over the last decade, the proliferation of malware has become an online crime story. Today, estimates of the number of known computer threats such as viruses, worms, trojans, exploits, backdoors, password stealers, spyware, and other variations of potentially unwanted software range into the millions.

Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question "How many threat variants are there?" Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware's ability to generate new variations of itself.

It has become less meaningful to count the number of threat variants than it is to detect and eliminate their sources. In 2011, more than 49,000 different unique threat families were reported to the MMPC from customers. Many of these reported families were duplicates, polymorphic versions of key threat families; detecting and eliminating key threat families from infected computers is an ongoing activity.

In 2011 Microsoft added more than 22,000 signatures to detect key threat families. As criminal malware developers create more threats, the size of typical antimalware signature files increases; today antimalware signature files range to more than 100 MB in size. In 2002, typical antimalware signature files were less than 1 MB in size.

The number of files submitted to antimalware organizations has also increased. The following figure shows how the number of submitted files suspected of containing malware or potentially unwanted software to the MMPC has increased since 2005, an increase of more than 200 percent. (Suspected malware files can be submitted to the MMPC Submit a sample page.)

Figure 13. Percentage increase in the number of files submitted to the MMPC since 2005

Malware and potentially unwanted software trends

Malware continues to evolve, and the fluctuations in detections of different forms of malware sometimes indicate the successes at given points in time of the software industry's persistent antimalware efforts versus the efforts of malware developers.

How threats have evolved over time

When viewed from a multi-year perspective, some malware and potentially unwanted software families tend to peak, or become quite prevalent, for short periods of time as antimalware vendors focus their efforts on detecting and removing these threats. These peak periods are followed by periods of decline as attackers change their tactics and move on. The following figure illustrates this phenomenon. (For Figures 14 through 18, the vertical axis represents the percentage of all computers that were infected with malware.)

Figure 14. Malware and potentially unwanted software families that have peaked and declined since 2006

Win32/Rbot was an early botnet family that gained notoriety in 2004 and 2005 after a number of high profile outbreak incidents that affected media and government networks, among others. Rbot is a "kit" family: Rbot variants are built from an open source botnet creation kit called RxBot, which is widely available among malware operators, and many different groups have produced their own variants with different functionality. The MSRT was updated to detect Rbot in April 2005, and detections decreased sharply through 2006, falling below 2 percent of computers with detections by 2H08.

The trojan family Win32/Zlob was found on almost one of every four computers that was infected with malware in 1H08, a level of prevalence that no other family has equaled before or since. Zlob was typically distributed on web pages, posing as a media codec that visitors would have to install to watch video content downloaded or streamed from the Internet. After it is installed on a target computer, Zlob displays persistent pop-up advertisements for rogue security software. A Zlob variant detected at the end of 2008 included an encoded message, apparently written by the Zlob author and intended for MMPC researchers, indicating that the author would be ceasing development and distribution of the trojan:

For Windows Defender's Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say 'Hello' from Russia.
You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.
I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
Happy New Year, guys, and good luck!
P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great ;) ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony.

Indeed, detections of Zlob decreased significantly in 2H08, and by 2010 Zlob was no longer among the top 50 most-detected families worldwide.

Win32/Conficker is a worm family discovered in November 2008 that initially spread by exploiting a vulnerability addressed by security update MS08-067, which was released the previous month. Conficker detections peaked in 1H09 and declined to a much lower level thereafter, following coordinated efforts by the Conficker Working Group to contain the spread of the worm and clean infected computers. It has been detected on between 3 percent and 6 percent of infected computers in each 6-month period since then.

JS/Pornpop is adware that consists of specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements. First detected in August 2010, it was the second most commonly detected family in 2H10 and 1H11, and is likely to be the most commonly detected family in 2H11.

Win32/Autorun is a generic detection for worms that attempt to spread between mounted computer volumes by misusing the AutoRun feature in Windows. Detections of Win32/Autorun increased gradually for several periods before peaking in 2H10 as the most commonly detected family during that period.

Microsoft introduced a change to the way that the AutoRun feature works in Windows 7 and Windows Server 2008 R2 in an effort to help protect users from AutoRun threats. In these versions of Windows, the AutoRun task is disabled for all volumes except optical drives such as CD-ROM and DVD-ROM drives, which have historically not been used to transmit AutoRun malware. Subsequently, Microsoft published a set of updates that back-ported this change to Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. These updates have been published as Important updates through the Windows Update and Microsoft Update services since February 2011, which may have helped contribute to the decline in Win32/Autorun detections observed throughout 2011.
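An administrator who wants to confirm that a machine is in the "AutoRun only for optical drives" posture described above can check the NoDriveTypeAutoRun policy value under the Explorer policies key (HKLM or HKCU \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer). It is a bitmask in which each set bit disables AutoRun for one drive type, and it applies regardless of whether the back-ported updates mentioned in the text are installed. The following Python is an added example, not from the report or from Microsoft; the bit layout is Microsoft's documented one, the Windows 7 default of 0x91 is stated from memory and labelled as an assumption in the code, and the registry read only does anything on Windows.

```python
"""Decode and evaluate the Windows NoDriveTypeAutoRun policy bitmask.
Added example. Bit n disables AutoRun for the drive type whose GetDriveType()
value is n; 0xFF disables AutoRun everywhere."""
from typing import Dict, Optional, Set

DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks: the Win32/Autorun spreading vector
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",      # mapped network drives
    0x20: "DRIVE_CDROM",       # optical media, the one type the text leaves enabled
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # reserved "unknown" class
}
DISABLE_ALL = 0xFF                    # every drive type disabled
OPTICAL_ONLY = DISABLE_ALL & ~0x20    # 0xDF: everything but CD/DVD disabled
DEFAULT_WIN7 = 0x91                   # assumed default: unknown + network + reserved


def autorun_allowed(value: int) -> Set[str]:
    """Drive types for which AutoRun is still permitted under this policy value."""
    if not 0 <= value <= 0xFF:
        raise ValueError(f"NoDriveTypeAutoRun must be one byte, got {value:#x}")
    return {name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit}


def meets_optical_only(value: int) -> bool:
    """True when AutoRun is disabled for every non-optical drive type."""
    return value & OPTICAL_ONLY == OPTICAL_ONLY


def describe(value: int) -> str:
    """One-line assessment suitable for a compliance report."""
    allowed = sorted(autorun_allowed(value))
    verdict = "hardened" if meets_optical_only(value) else "NOT hardened"
    return f"NoDriveTypeAutoRun={value:#04x}: {verdict}; AutoRun allowed for {allowed or 'nothing'}"


def read_policy_value() -> Optional[int]:
    """Read the value from the registry on Windows; None elsewhere or when unset.
    Machine policy is checked before user policy (assumed precedence)."""
    try:
        import winreg
    except ImportError:
        return None
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, path) as key:
                value, _kind = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return None


if __name__ == "__main__":
    current = read_policy_value()
    print(describe(current if current is not None else DEFAULT_WIN7))
    print("recommended:", describe(DISABLE_ALL))
```

Running it on a machine whose value is missing reports the assumed default, so treat "hardened" as meaningful only when `read_policy_value()` actually returned a value.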

Other malware and potentially unwanted software families aren't as prevalent as the peak families, but exist for longer periods of time. The following figure illustrates the prevalence of some of these more persistent malware families.

Figure 15. Malware families that have remained active at lower levels since 2007

Win32/Renos, assigned to the Trojan Downloaders & Droppers category in previous volumes of the SIR, was one of the four most commonly detected malware families in each six-month period from 1H07 to 2H10, taking the top slot in 2H08 and 1H10, and only dropped out of the top 25 in 2H11. Renos is a trojan downloader that installs rogue security software on infected computers.

Win32/Taterf, assigned to the Worms category in previous volumes of the SIR, was among the five most commonly detected malware families in each period from 2H08 to 2H10, and was the most commonly detected family in 2H09. Taterf is a worm that spreads via mapped drives to steal logon and account details for popular online games. The increasing popularity of massively multiplayer online role-playing games has created a market (usually discouraged by the makers of the games themselves) in virtual "gold" and in-game equipment, which players trade for real-world cash. This in turn has led to a class of threats like Taterf, which steal players' gaming passwords on behalf of thieves who can then auction the victims' virtual loot themselves. Taterf is a modified version of a similar threat, Win32/Frethog, which itself has been persistently prevalent over the same period of time.

Win32/Alureon, assigned to the Miscellaneous Trojans category in previous volumes of the SIR, is a family of data-stealing trojans with rootkit characteristics. It was first discovered in early 2007 and has been in or near the top 25 families in each half-year period since then. Alureon variants allow an attacker to intercept incoming and outgoing Internet traffic and gather confidential information such as user names, passwords, and credit card data.

Different threats at different times

Another point that becomes apparent when malware and potentially unwanted software is viewed from a multi-year perspective is that different categories of malware—that is, different types of threats—have been prevalent at different times. The following figure illustrates the relative prevalence of three different categories of malware.

Figure 16. Worms, Backdoors, and Miscellaneous Potentially Unwanted Software categories since 2006

In 2006 and 2007, the malware landscape was dominated by the Worms, Miscellaneous Potentially Unwanted Software, and Backdoors categories. (The term "Miscellaneous Potentially Unwanted Software" refers to programs with potentially unwanted behavior that may affect a user's privacy, security, or computing experience.) By this time, large-scale outbreaks of worms such as Win32/Msblast and Win32/Sasser, which spread by exploiting vulnerabilities in network services, were mostly in the past. The most likely reason for their decline was the high-profile nature of these outbreaks, which caused antimalware vendors to increase their detection, cleaning, and blocking efforts and ultimately spurred widespread adoption of the security updates that addressed the affected vulnerabilities. Most of the prevalent worms in 2006 were mass-mailers, such as Win32/Wukill and Win32/Bagle, which spread by emailing copies of themselves to addresses discovered on infected computers.

Prevalent backdoors included a pair of related botnet families, Win32/Rbot and Win32/Sdbot. Variants in these families are built from botnet construction kits that are traded in the underground market for malware, and are used to control infected computers over Internet Relay Chat (IRC). Rbot and Sdbot have largely been supplanted by newer botnet families, but remain in active use nonetheless, probably because of the relative ease with which prospective botnet operators can obtain the construction kits.

Prevalent trojan families in 2006 and 2007 included Win32/WinFixer, an early rogue security software family, and the browser toolbar Win32/Starware. Unlike most modern rogue families, which typically pose as antimalware scanners, WinFixer masquerades as a utility that supposedly identifies "privacy violations" in the computer's registry and file system and offers to "remove" them for a fee. Win32/Starware is a browser toolbar that monitors searches at popular search engines, conducting its own search in tandem and displaying the results in an inline frame within the browser window.

Figure 17. Worms, Trojan Downloaders and Droppers, and Password Stealers and Monitoring Tools categories since 2006

The Trojan Downloaders and Droppers category, which affected less than 9 percent of computers with detections in 1H06, rose rapidly to become one of the most significant threat categories in 2007 and 2008, primarily because of increased detections of Win32/Zlob and Win32/Renos.

After decreasing significantly from its 1H06 peak, the Worms category began to increase again in 2009 after the discovery of Win32/Conficker and reached a second peak in 2Q10 with increased detections of Win32/Taterf and Win32/Rimecud. Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected computer.

Malware families in the Password Stealers and Monitoring Tools category, which were responsible for a negligible percentage of detections in 1H06, increased slowly but steadily through 2008 and 2009 before peaking in 2Q10. Game password stealers such as Win32/Frethog were responsible for much of this increase.

 

Figure 18. Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories since 2006

The Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories were the most commonly detected categories in 2010 and 2011. Adware detections increased significantly in 1H11, including the adware families Win32/OpenCandy and JS/Pornpop. OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of the OpenCandy program send user-specific information without obtaining adequate user consent, and these versions are detected by Microsoft antimalware products. Pornpop is a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users' web browsers. Initially, JS/Pornpop appeared exclusively on websites that contained adult content; however, it has since been observed to appear on websites that may contain no adult content whatsoever.

The Miscellaneous Potentially Unwanted Software category, which was the most commonly detected category in 2006, declined in prevalence in 2007 and 2008, then increased again to become the second most prevalent category in 2Q11. Significant families in this category in 2Q11 were Win32/Keygen, a generic detection for tools that generate product keys for illegally obtained versions of various software products, and Win32/Zwangi, a program that runs as a service in the background and modifies web browser settings to visit a specific website.

The Miscellaneous Trojans category has consistently affected about a third of computers that were infected with malware in each period since 2H08. A number of rogue security software families fall into this category, such as Win32/FakeSpyPro, the most commonly detected rogue security software family in 2010. Other prevalent families in this category include Win32/Alureon, the data-stealing trojan, and Win32/Hiloti, which interferes with an affected user's browsing habits and downloads and executes arbitrary files.

Threat categories by location

The malware ecosystem has moved away from highly visible threats, such as self-replicating worms, toward less visible threats that rely more on social engineering for distribution and installation. This shift means that the spread and effectiveness of malware have become more dependent on language and cultural factors. Some threats are spread using techniques that target people who speak a particular language or who use services that are local to a particular geographic region. Others target vulnerabilities or operating system configurations and applications that are unequally distributed around the globe. Infection data from several Microsoft security products for some of the more populous locations around the world demonstrates the highly localized nature of malware and potentially unwanted software.

Accordingly, the threat landscape is much more complex than a simple examination of the biggest global threats would suggest.

2011 security intelligence

The following figure shows those countries/regions reporting significantly large numbers of computers cleaned by Microsoft desktop antimalware products since 2009.²

² For information about how PC locations are determined, see the blog post Determining the Geolocation of Systems Infected with Malware.

Figure 20. Countries/regions with historically high infection rates as compared to the worldwide average since 2009

The following figure shows countries/regions that have historically reported low infection rates as compared to the average infection rate for all countries/regions.

Figure 21. Countries/regions with historically low infection rates as compared to the worldwide average since 2009

Lessons from least infected countries/regions

Austria, Finland, Germany, and Japan have all enjoyed relatively low malware infection rates over the past several years. However, many of the same global threats that are prevalent in countries/regions with high malware infection rates, such as Brazil, Korea, and Turkey, are also prevalent in countries/regions with low infection rates.

• Adware is among the most prevalent categories of threats found in countries/regions with both high malware infection rates and low malware infection rates; it was observed as the top or second to top category in each. Both JS/Pornpop (detected on more than 6.5 million unique computers globally in the second half of 2010) and Win32/ClickPotato are very prevalent in these countries/regions.

• Win32/Renos was primarily responsible for the levels of trojan downloaders and droppers found in countries/regions with both high malware infection rates and low malware infection rates. Win32/Renos has been a prevalent family of trojan downloaders and droppers for a number of years, and was detected on more than 8 million unique computers around the world in 2010.

• Win32/Autorun, detected on more than 9 million unique computers globally in 2010, and Win32/Conficker, detected on more than 6.5 million unique computers globally in 2010, are in the top ten lists of threats for countries/regions with both high malware infection rates and low malware infection rates, except Finland.

The relatively low malware infection rates in Austria, Finland, Germany, and Japan do not necessarily mean that criminals are not active in these countries/regions. For example:

• More malware hosting sites (per 1,000 hosts) were observed in Germany than in the United States in 2010.

• The percentage of sites hosting drive-by downloads in Finland was almost twice that of the United States in the first half of 2010.

• In Q4 of 2010, the percentage of sites hosting drive-by downloads in Germany was observed to be 3.7 times higher than the number observed in the United States.

• The percentage of sites hosting drive-by downloads in Japan was 12 percent higher than that of the United States during the first half of 2010. Although this percentage went down precipitously in both locations by the fourth quarter of 2010, the percentage of sites hosting drive-by downloads in Japan was 4.7 times higher than that of the United States in Q4.

Security experts in these countries/regions indicate that the following factors contribute to consistently low malware infection rates in their countries/regions:

• Strong public–private partnerships exist that enable proactive and response capabilities.

• Computer emergency response teams (CERTs), Internet service providers (ISPs), and others who actively monitor for threats enable rapid response to emerging threats.

• An IT culture in which system administrators respond rapidly to reports of system infections or abuse is helpful.

• Enforcement policies and active remediation of threats via quarantining infected systems on networks in the country/region is effective.

• Educational campaigns and media attention that help improve the public's awareness of security issues can pay dividends.

• Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low.

This list has striking similarities to the Collective Defense concept outlined in a paper written by Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft, in 2010. "Collective Defense: Applying Public Health Models to the Internet" (PDF) outlines a model to improve the health of devices connected to the Internet. To accomplish this, governments, the IT industry, and ISPs should ensure the health of consumer devices before granting them unfettered access to the Internet. The approach offered in the paper is to look at addressing online security issues using a model similar to the one society uses to address human illness. The public health model encompasses several interesting concepts that can be applied to Internet security.

The consistently least infected countries/regions in the world appear to be already doing many of the things that the Collective Defense health model proposes. A video that examines the model is available on the Trustworthy Computing website here.

Windows Update and Microsoft Update

Microsoft provides several tools and services that enable systems or their users to download and install updates directly from Microsoft or, for business customers, from update servers managed by their system administrators. The update client software (called Automatic Updates in Windows XP and Windows Server 2003, and simply Windows Update in Windows 7, Windows Vista, and Windows Server 2008) connects to an update service for the list of available updates. After the update client determines which updates are applicable to each unique system, it installs the updates or notifies the user that they are available, depending on the way the client is configured and the nature of each update.

For users, Microsoft provides two update services that the update clients can use:

• Windows Update provides updates for Windows components and for device drivers provided by Microsoft and other hardware vendors. Windows Update also distributes signature updates for Microsoft antimalware products and the monthly release of the MSRT. By default, when a user enables automatic updating, the update client connects to the Windows Update service for updates.

• Microsoft Update provides all of the updates offered through Windows Update as well as updates for other Microsoft software, such as the Microsoft Office system, Microsoft SQL Server, and Microsoft Exchange Server. Users can opt in to the service when installing software that is serviced through Microsoft Update or at the Microsoft Update website.

Enterprise customers can also use Windows Server Update Services (WSUS) or the Microsoft System Center 2012 family of management products to provide update services for their managed computers.

Figure 22. Usage of Windows Update and Microsoft Update, 2H06-2H11, indexed to 2H06 total usage

• Since its introduction in 2005, usage of Microsoft Update has increased dramatically.

Page 42: Microsoft Security Intelligence Report Special Edition 10 Year Review

8/2/2019 Microsoft Security Intelligence Report Special Edition 10 Year Review

http://slidepdf.com/reader/full/microsoft-security-intelligence-report-special-edition-10-year-review 42/48

 

36

In conclusion

ThisspecialeditionoftheSIRprovidesinformationabouthowmalwareandotherformsof

potentiallyunwantedsoftwarehaveevolvedoverthelast10years.

Computinghasbecomepartofthefabricofoureverydaylives,andthefoundationsofmodernsocietyarebecomingmoredigitaleveryday.Informationandcommunicationstechnology(ICT)

hastransformedforthebetterhowwelive,butsocietystillconfrontssomelong-standingand

evolvingchallenges.

Asthenumberofpeople,computers,anddevicesthatconnecttotheInternetcontinuesto

increase,cyberthreatsarebecomingmoresophisticatedintheirabilitytogathersensitivedata,

disruptcriticaloperations,andconductfraud.

Cyberthreats today are often characterized as technically advanced, persistent, well-funded, and motivated by profit or strategic advantage. Security intelligence is a valuable asset to all Internet users, organizations, governments, and consumers alike, who face a myriad of threats that are anything but static. Because we live in a world that is so dependent on IT, Microsoft's dedication to security, privacy, and reliability might be more important today than it was when Trustworthy Computing was established in 2002.

Many industries and organizations, including Microsoft, are investing in research intelligence, software development methods, and tools to help governments, industry, and individuals better reduce and manage the risks that result from the uncertainty of the rapidly changing threat landscape. Microsoft Trustworthy Computing continues to contribute to the computing ecosystem as we face a new world of devices, services, and communications technologies that continue to evolve.


Appendix A: Computer protection technologies and mitigations

Addressing threats and risks requires a concerted effort on the part of people, organizations, and governments around the world. The "Managing Risk" section of the Microsoft Security Intelligence Report (SIR) website presents many suggestions for preventing harmful actions from malware, breaches, and other security threats, and for detecting and mitigating problems when they occur. Topics in this section of the website include:

• "Protecting Your Organization," which offers guidance for IT administrators in small, medium-sized, and large organizations seeking to improve their security practices and to stay current on the latest developments.

• "Protecting Your Software," which offers software developers information about developing secure software, including in-house software, and securing Internet-facing systems from attack.

• "Protecting Your People," which offers guidance for promoting awareness of security threats and safe Internet usage habits within an organization.

Additional helpful information about vulnerability and malware protection efforts is available in the following documents:

• Information Sharing and MSRC 2010, a report by the Microsoft Security Response Center

• Mitigating Software Vulnerabilities whitepaper

• Malware research and response at Microsoft. This report focuses on the role and activities of the Microsoft Malware Protection Center and our vision to provide thorough, ongoing malware research and response.

• Introducing Microsoft Antimalware Technologies. This whitepaper helps IT professionals to understand the overall malware landscape and how to take advantage of the features in their antimalware technology.


Appendix B: Threat families referenced in this report

The definitions for the threat families referenced in this report are adapted from the Microsoft Malware Protection Center Malware encyclopedia, which contains detailed information about a large number of malware and potentially unwanted software families. See the encyclopedia for more in-depth information and guidance for the families listed here and throughout the report.

Win32/Alureon. A data-stealing trojan that gathers confidential information such as user names, passwords, and credit card data from incoming and outgoing Internet traffic. It may also download malicious data and modify DNS settings.

Win32/Autorun. A family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.

Win32/Bagle. A worm that spreads by emailing itself to addresses found on an infected computer. Some variants also spread through P2P networks. Bagle acts as a backdoor trojan and can be used to distribute other malicious software.

Win32/ClickPotato. A program that displays pop-up and notification-style advertisements based on the user's browsing habits.

Win32/Conficker. A worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.

Win32/FakeSpyPro. A rogue security software family distributed under the names Antivirus System PRO, Spyware Protect 2009, and others.

Win32/Fixer. Malware that locates various registry entries and other types of data, misidentifies them as privacy violations, and prompts the user to purchase a product to remove the alleged violations.

Win32/Frethog. A large family of password-stealing trojans that target confidential data, such as account information, from massively multiplayer online games.

Win32/Hiloti. A family of trojans that interferes with an affected user's browsing habits and downloads and executes arbitrary files.

Win32/Keygen. A generic detection for tools that generate product keys for illegally obtained versions of various software products.


Win32/Msblast. A family of network worms that exploits a vulnerability in Microsoft Windows 2000 and Windows XP, and may also attempt denial of service (DoS) attacks on some server sites or create backdoor programs that allow attackers to access infected computers.

Win32/Mydoom. A family of mass-mailing worms that act as backdoor trojans and allow attackers to access infected systems. Win32/Mydoom may be used to distribute other malicious software, and some variants launch DoS attacks against specific websites.

Win32/Nimda. A family of worms that targets computers running certain versions of Windows and exploits the vulnerability described in Microsoft Security Bulletin MS01-020 to spread by infecting web-content documents and attaching itself to email messages.

Win32/OpenCandy. An adware program that may be bundled with certain third-party software installation programs. Some versions may send user-specific information, including a unique machine code, operating system information, locale, and certain other information to a remote server without obtaining adequate user consent.

JS/Pornpop. A generic detection for specially-crafted JavaScript-enabled objects that attempt to display pop-under advertisements, usually with adult content.

Win32/Rbot. A family of backdoor trojans that targets certain versions of Windows and allows attackers to control infected computers through an IRC channel.

Win32/Renos. A family of trojan downloaders that install rogue security software.

Win32/Rimecud. A family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.

Win32/Rustock. A multi-component family of rootkit-enabled backdoor trojans that were first developed around 2006 to aid in the distribution of spam email.

Win32/Sasser. A family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011.

Win32/Sdbot. A family of backdoor trojans that allow attackers to control infected computers.

Win32/Sircam. A family of mass-mailing network worms that targets certain versions of Windows and spreads by sending a copy of itself as an email attachment to email addresses found on infected computers.


Win32/Starware. A web browser toolbar that monitors searches at popular search engines, conducts its own search in tandem, and displays the results in an IFrame within the browser window.

Win32/Taterf. A family of worms that spread through mapped drives to steal login and account details for popular online games.

Win32/Wukill. A family of mass-mailing email and network worms that spreads to root directories on certain local and mapped drives. It also spreads by sending a copy of itself as an email attachment to email addresses found on infected computers.

Win32/Zlob. A large multicomponent family of malware that modifies Windows Internet Explorer settings, alters and redirects users' default Internet search and home pages, and attempts to download and execute arbitrary files (including additional malicious software).

Win32/Zotob. A network worm that primarily targets computers running Windows 2000 that do not have Microsoft Security Bulletin MS05-039 installed; it exploits the Windows Plug-and-Play buffer overflow vulnerability.

Win32/Zwangi. A program that runs as a service in the background and modifies web browser settings to visit a particular website.
