Microsoft Security Intelligence Report Briefing Presentation

Transcription

Microsoft Security Intelligence Report Briefing Presentation
Meng-Chow Kang, CISSP, CISA
(ISC)2 Asia Advisory Board
Chief Security Advisor
Microsoft Greater China Region
Vulnerability Disclosure, Malware, and Potentially Unwanted Software
Information challenges in the New Economy
Evolving Cybersecurity Strategy and Approach
Contains data and trends observed over the past several years, but focuses on the first half of 2007 (1H07)
Focuses on
Software Vulnerability Disclosures
Software Vulnerability Exploits
Malicious Software
Potentially Unwanted Software
Report is the successor of the 2H06 and 1H06 reports and the MSRT white paper: Progress Made, Trends Observed
Data sources
Software Vulnerability Disclosures
Common Vulnerabilities and Exposures Website
http://cve.mitre.org
National Vulnerability Database (NVD) Web site
http://nvd.nist.gov/
Security Web sites
Vendor Web sites and support sites
Data sources
Software Exploits
Variety of public sources, including exploit archives, antivirus alerts, mailing lists, and security related websites
Microsoft Security Bulletins
http://www.microsoft.com/technet/security
SecurityFocus
www.securityfocus.com
Data sources
Malicious Software and Potentially Unwanted Software
Data from several hundred million computers
MSRT has a user base of 350+ million unique computers
During 1H07 MSRT executed 1.9 billion times
Since January 2005 total executions surpass 7.4 billion
[Table: Microsoft antimalware products covered by the report. Columns in the original: Product Name; Main Customer Segment (Consumers, Business); Malicious Software (Scan and Remove, Real-time Protection); Spyware and Potentially Unwanted Software (Scan and Remove, Real-time Protection); Prevalent Malware Families; Available at No Additional Charge; Main Distribution Methods. The per-product check marks did not survive extraction; the distribution column did.]
Product                                   Main Distribution Methods
Windows Malicious Software Removal Tool   WU/AU, Download Center
Windows Defender                          Download Center, Windows Vista
Windows Live OneCare safety scanner       Web
Windows Live OneCare                      Web/Store Purchase
Microsoft Exchange Hosted Filtering       Web
Forefront Client Security                 Volume Licensing
More than 3,400 new vulnerabilities were disclosed in 1H07 from ALL software vendors (not just Microsoft)
A decrease from 2H06, the first period-to-period decrease in total vulnerabilities since 2003
[Chart: Vulnerability Disclosures per half-year period, 0 to 3,500]
By severity
Growth of Low and Medium severity issues appears to be reversing
High severity vulnerabilities continue to grow
It appears that Medium severity issues are being identified and disclosed much more aggressively
Over half of all vulnerabilities disclosed in 1H07 were rated High severity
[Charts: Vulnerabilities by Severity (counts, 0 to 3,500) and Vulnerabilities by Severity Percentage (0 to 100%), series High, Medium, Low, per half-year period]
Complexity of exploit
The increase in complex vulnerabilities reached a peak in 1H06, and declined in 2H06 and 1H07 to levels similar to 2004 and previous years
The large drop in complexity from 2006 may be contributing to higher severity ratings
[Chart: Complexity of Exploit, percentage Complex vs Easy per period, 0 to 100%]
OS versus application vulnerabilities
Application vulnerabilities continued to grow relative to operating system vulnerabilities as a percentage of all disclosures during 1H07
Supports the observation that security vulnerability researchers may be focusing more on applications than in the past
[Chart: OS versus Non-OS Vulnerabilities, percentage OS Vulns vs Non-OS Vulns per period, 0 to 100%]
Trends
[Chart: Vulnerabilities vs Vulnerabilities where Exploit Code was available, per period]
While the number of vulnerability disclosures continues to increase across the software industry, the ratio of exploit code available for these vulnerabilities in Microsoft products remains steady and is even on a slight decline
New products
Exploit code for newer Microsoft products is harder to find
2006: 29% of Microsoft vulnerabilities had public exploit code
2007: 21% of Microsoft vulnerabilities had public exploit code
Newer Microsoft products are less at risk from public exploit code than Microsoft products that have been in the market longer
Later versions of Microsoft Windows and Microsoft Office show a distinct decrease in the number of exploitable vulnerabilities throughout the product lifetime
Product            Version    Exploits 2006   Exploits 2007
Windows            98         0               0
Windows            ME         0               0
Windows            NT         1               0
Windows            2000       9               2
Windows            XP         8               4
Windows            2003       7               2
Windows            Vista      1               2
Microsoft Office   2000       9               3
Microsoft Office   XP         9               3
Microsoft Office   2003       9               3
Microsoft Office   X-Mac      0               0
Microsoft Office   2004-Mac   0               0
Microsoft Office   2007       0               0
Strategies, mitigations, and countermeasures
Prioritize which vulnerabilities require faster mitigation by checking for the availability of exploit code
In a product-by-product comparison, new products are at less risk from publicly available exploit code than products that have a longer time in market
Participate in IT security communities
Example: Microsoft Security Bulletin Webcasts
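As a worked illustration of the prioritization advice above (added by the editor; this is not code from the report or from Microsoft), the following Python script ranks a constructed batch of disclosures by public-exploit availability first, then NVD severity band, exploit complexity and product age, and computes the two statistics the report tracks per period: the severity split and the share of disclosures with public exploit code. The record layout, the V-00x identifiers, the release years and the exploit flags are assumptions made up for the example; only the CVSS v2 severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0) are NVD's.

```python
"""Exploit-aware vulnerability triage over a constructed CVE-style feed.

Added example by the editor, not code from the Microsoft SIR or any
Microsoft tool. The record layout, the product release years and the
"V-00x" identifiers are constructed for illustration. The only external
convention used is NVD's CVSS v2 severity banding, which the report's
Low/Medium/High ratings follow: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Vuln:
    vid: str              # constructed identifier, stands in for a CVE ID
    cvss: float           # CVSS v2 base score, 0.0 to 10.0
    product: str
    release_year: int     # year the affected product version shipped (assumed)
    public_exploit: bool  # exploit code seen in a public archive, list or advisory
    complex: bool         # True when exploitation needs a non-default setup


def nvd_severity(cvss: float) -> str:
    """Map a CVSS v2 base score to NVD's Low/Medium/High bands."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


SEVERITY_RANK = {"High": 2, "Medium": 1, "Low": 0}


def triage_key(v: Vuln):
    """Sort key implementing the briefing's advice: vulnerabilities with
    public exploit code first, then by severity, easy-before-complex, then
    older product versions first (longer in market, more exploit code found
    for them). The id breaks ties so the order is deterministic."""
    return (
        not v.public_exploit,                    # False (has exploit) sorts first
        -SEVERITY_RANK[nvd_severity(v.cvss)],    # High before Medium before Low
        v.complex,                               # easy exploits before complex ones
        v.release_year,                          # oldest product version first
        v.vid,
    )


def prioritize(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Return the patch order for a batch of disclosures."""
    return sorted(vulns, key=triage_key)


def severity_breakdown(vulns: Iterable[Vuln]) -> Dict[str, int]:
    """Counts per severity band, the split the report charts per period."""
    return dict(Counter(nvd_severity(v.cvss) for v in vulns))


def public_exploit_ratio(vulns: Iterable[Vuln], product_prefix: str = "") -> float:
    """Share of disclosures (optionally restricted to one product family)
    that have public exploit code; the report tracks this per vendor/period."""
    selected = [v for v in vulns if v.product.startswith(product_prefix)]
    if not selected:
        return 0.0
    return sum(v.public_exploit for v in selected) / len(selected)


# Constructed sample batch; none of these is a real advisory.
SAMPLE: List[Vuln] = [
    Vuln("V-001", 9.3, "Windows 2000", 2000, public_exploit=True, complex=False),
    Vuln("V-002", 9.3, "Windows Vista", 2007, public_exploit=False, complex=False),
    Vuln("V-003", 6.8, "Office 2003", 2003, public_exploit=True, complex=True),
    Vuln("V-004", 4.3, "Windows XP", 2001, public_exploit=False, complex=False),
    Vuln("V-005", 7.2, "Windows XP", 2001, public_exploit=True, complex=False),
    Vuln("V-006", 2.1, "Office 2007", 2007, public_exploit=False, complex=True),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vid}  {nvd_severity(v.cvss):6}  exploit={v.public_exploit!s:5}  {v.product}")
    print("severity split:", severity_breakdown(SAMPLE))
    print("public-exploit ratio, all:", public_exploit_ratio(SAMPLE))
    print("public-exploit ratio, Windows:", public_exploit_ratio(SAMPLE, "Windows"))
```

On the constructed batch the order comes out V-001, V-005, V-003, V-002, V-004, V-006: the Medium-severity V-003 with a public exploit is scheduled ahead of the High-severity V-002 that has none, which is the point of the advice. Feed it real disclosures by populating `public_exploit` from the exploit archives and mailing lists listed under data sources.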
Instant Messaging threats
Backdoor Trojans were an increased threat to IM users in 1H07
The large increase from 2H06 to 1H07 was due almost exclusively to a single family, Win32/IRCbot, which accounted for 81% of all the backdoor Trojan detections in Windows Live Messenger in 1H07
[Chart: share of backdoor Trojan detections among IM threats, 1H06, 2H06, 1H07, 0 to 60%]
E-mail Borne Malware
Phishing scams and e-mail containing malicious iFrame attacks accounted for 37% of e-mail malware detections in 1H07
Trojan downloaders carried in e-mail dropped from 20% in 2H06 to 7% in 1H07
[Chart: share of e-mail malware detections by category (E-mail worms, Phishing and fraud, Downloader Trojans, Greeting card scams) for 1H06, 2H06, 1H07, 0 to 100%; 1H07 data labels: 7%, 37%, 7%, 49%]
E-mail Borne Malware
The Sober worm represented 40% of the top 20 malware in 1H07 (85% in 1H06)
Win32/Nuwar worm (a.k.a. "Storm worm") comprised 11% of the top 20 e-mail threats detected in 1H07, with Win32/Bagle and Win32/Netsky closely following
[Chart: share of the top 20 e-mail threats, 1H06, 2H06, 1H07, 0 to 90%; series Win32/Nuwar, Win32/Sober, Win32/Stration, Win32/Netsky, Win32/Bagle]
E-mail Borne Malware
The decrease in the volume of infected e-mail correlates with an equally significant increase in the number of e-mails filtered out before they reach the virus scanners
The percentage drop in June corresponds to a 155% increase in the number of e-mails blocked for spam, content, and other policy violations
EHS blocked 96 percent of all e-mail, and the percentage of e-mail scanned for malware dropped to only 4 percent
[Charts: percentage of e-mail found infected, by half-year 1H06 to 1H07 (0 to 3%) and by month Jan-07 to Jun-07 (0 to 8%)]
E-mail Borne Malware
Seeded Trojan downloaders disguised as greeting cards dropped only slightly, to just over 4.8 million in 1H07
Phishing scams increased from 12.4 million in 2H06 to 31.6 million in 1H07
iFrame exploits in HTML-enabled e-mail continued to decline, from 3.2 million in 2H06 to 1.9 million in 1H07
[Chart: detections per period 1H06, 2H06, 1H07, 0 to 35,000,000; series Downloader/Greeting Card Scams, IFrame Exploits, Fraud/Phishing]
Infection and Disinfection Trends
Adware and potentially unwanted software detections outpaced detections for viruses, worms, Trojans, and malware threats
Password stealing (PWS) and data-theft Trojans increased slightly: 2.6% in 1H07 vs. 1.4% in 2H06
Downloader and dropper Trojan infection rates declined slightly, from 12% in 2H06 to 11.5% in 1H07
This slight decrease may be due to a trend in downloaders and droppers to delete themselves after executing initial tasks
[Chart: detection share by category, 1H06, 2H06, 1H07, 0 to 25%]
Advantages of real-time protection
Detection rates highlight the importance of scanners in mitigating the risk of exposure and illustrate the role that real-time scanning plays in protecting users
Windows Live OneCare encounters significantly higher detections, likely as a result of real-time protection
[Chart: detection rate, Safety Scanner vs OneCare, 0 to 25%]
Infection and disinfection trends
Windows Live OneCare detections are highest for adware and potentially unwanted software, downloaders/droppers, and Trojans
1H07 Windows Live OneCare % Detections
Adware 24%
Trojans 21%
Potentially Unwanted Software 20%
Downloaders and Droppers 18%
Worms 5%
PWS/Data Theft 4%
Backdoors 4%
Spyware 3%
Viruses 1%
Disinfections and cleans
Removed malware from 1 out of every 217 computers in 1H07 (1:409 in 2006, 1:359 in 2H05)
Beginning in 2H05, MSRT began measuring the number of unique computers cleaned
Since then MSRT has removed 50.3 million infections from 20.5 million computers worldwide
MSRT removed significantly more malware in 1H07 than in previous periods
Reasons for the sharp increase:
MSRT detection improvements
Addition of highly prevalent families such as Win32/Renos, Win32/Stration, Win32/Alureon
[Chart: Disinfections and Computers Cleaned per time period, 0 to 20,000,000]
Prevalence by category
The figure below illustrates the categories of malicious software removed by MSRT from infected computers
Note that these percentages correspond to infected computers, not to all computers scanned
In 1H07 the MSRT recorded a tremendous increase in the number of Trojan downloaders and droppers detected, with 5.9 million detections, up from 960,000 in the previous period
This increase was almost entirely due to improvements in detection of Win32/Zlob, as well as the addition of Win32/Renos
[Chart: Disinfections by category for 2H05, 1H06, 2H06, 1H07, 0 to 6,000,000]
Prevalence by operating system
The MSRT cleaned malware from 60 percent fewer Windows Vista computers than Windows XP SP2 computers (normalized)
The MSRT cleaned malware from 91.5 percent fewer Windows Vista computers than from computers running Windows XP without any service pack installed
[Pie chart: share of computers cleaned, 1H07, raw]
WinXP SP2 87.7%, WinXP SP1 4.3%, WinXP Gold 3.3%, Win2k SP4 3.0%, Win Vista 1.1%, Win2k3 SP1 0.4%, Win2k3 SP2 0.1%, Win2k3 Gold 0.1%, Win2k SP3 0.1%
[Pie chart: share of computers cleaned, 1H07, normalized]
WinXP Gold 32.9%, WinXP SP1 20.9%, Win2k SP3 13.2%, Win2k3 SP1 7.3%, WinXP SP2 7.0%, Win2k SP4 6.6%, Win2k3 Gold 5.8%, Win Vista 3.4%, Win2k3 SP2 2.8%
Prevalence by locale
The MSRT executes in almost any country/region around the world
The table shows the countries/regions with the highest and lowest ratios of executions per infected computer, based on MSRT data
The worldwide average for 1H07 was 1 computer cleaned for every 217 MSRT executions
Normalized disinfections: MSRT executions per removal (1H07)
Most Infected Countries            Least Infected Countries
Mongolia               49          Japan           631
Albania                57          New Zealand     491
Bahrain                63          Finland         455
Dominican Republic     69          Italy           446
Turkey                 70          Australia       436
Egypt                  79          Austria         433
Iraq                   80          Sweden          362
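The "normalized" comparisons in the prevalence-by-operating-system slide and the executions-per-removal ratios in the locale table above both rest on relating removals to how often MSRT ran in each group, so that an operating system with a huge install base (Windows XP SP2 dominates the raw pie at 87.7%) is not mistaken for the most infected one. The Python below, added by the editor (not Microsoft's code, and not the report's published method, whose exact arithmetic this page does not state), works that through on constructed counts: raw share, computers cleaned per execution, executions per removal, a normalized share, and the "X percent fewer" figure. The OS names reuse the slide's labels; every number is made up.

```python
"""Normalizing MSRT removal counts by install base (constructed example).

Added by the editor; not Microsoft's own method. The briefing reports MSRT
results both raw and "normalized", plus "executions per removal" for each
country, but does not spell out the arithmetic. The normalization below
(divide each group's cleaned computers by that group's MSRT executions, then
compare the resulting per-execution rates) is the editor's assumption, and
every execution and cleaning count here is made up.
"""
from typing import Dict, List, Tuple

Counts = Dict[str, Tuple[int, int]]   # group -> (MSRT executions, computers cleaned)

# Constructed numbers; the labels are the slide's, the values are not.
SAMPLE_BY_OS: Counts = {
    "WinXP SP2": (1_000_000, 5_000),
    "Win Vista": (100_000, 200),
    "WinXP Gold": (50_000, 1_000),
}


def raw_share(data: Counts) -> Dict[str, float]:
    """Each group's slice of all cleanings, i.e. the unnormalized pie.
    Dominated by whichever OS runs MSRT most often."""
    total = sum(cleaned for _, cleaned in data.values())
    if total == 0:
        raise ValueError("no cleanings at all")
    return {g: cleaned / total for g, (_, cleaned) in data.items()}


def infection_rate(data: Counts) -> Dict[str, float]:
    """Computers cleaned per MSRT execution, per group."""
    rates = {}
    for g, (execs, cleaned) in data.items():
        if execs <= 0:
            raise ValueError(f"{g}: no executions recorded, rate undefined")
        rates[g] = cleaned / execs
    return rates


def executions_per_removal(data: Counts) -> Dict[str, float]:
    """The country metric in the briefing: MSRT executions between two
    cleanings. Higher means less infected (Japan 631 vs Mongolia 49)."""
    return {g: execs / cleaned if cleaned else float("inf")
            for g, (execs, cleaned) in data.items()}


def normalized_share(data: Counts) -> Dict[str, float]:
    """Share each group would have if every group ran MSRT equally often:
    its infection rate as a fraction of the sum of all rates."""
    rates = infection_rate(data)
    total = sum(rates.values())
    if total == 0:
        raise ValueError("no cleanings at all")
    return {g: r / total for g, r in rates.items()}


def relative_reduction(data: Counts, group: str, baseline: str) -> float:
    """Fraction by which `group`'s per-execution rate is below `baseline`'s
    (0.6 reads as '60 percent fewer computers cleaned')."""
    rates = infection_rate(data)
    return 1.0 - rates[group] / rates[baseline]


def rank_most_infected(data: Counts, n: int = 3) -> List[str]:
    """Groups ordered from most to least infected, as in the locale table."""
    epr = executions_per_removal(data)
    return sorted(epr, key=epr.get)[:n]


if __name__ == "__main__":
    for name, fn in (("raw share", raw_share),
                     ("normalized share", normalized_share),
                     ("executions per removal", executions_per_removal)):
        print(name, {g: round(v, 4) for g, v in fn(SAMPLE_BY_OS).items()})
    print("Vista vs XP SP2, fewer by:", relative_reduction(SAMPLE_BY_OS, "Win Vista", "WinXP SP2"))
    print("most infected first:", rank_most_infected(SAMPLE_BY_OS))
```

On these made-up counts XP SP2 owns about 81% of the raw pie but only about 19% of the normalized one, while XP Gold moves from 16% to 74%; the same counts give Vista a 60 percent lower per-execution rate than XP SP2. Expressing the normalized share as rate over sum of rates is one convention; what matters for the comparison is that each group is divided by its own execution count before any two are compared.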
Prevalence by locale
The figures show the infection rates determined by the MSRT for locales in Asia Pacific and Middle East - Africa
[Map: 1H07 (Normalized), Asia Pacific]
Mongolia 25.0%, Thailand 8.2%, Macau SAR 8.1%, Vietnam 7.5%, Indonesia 6.8%, India 6.4%, China 6.3%, Hong Kong SAR 5.9%, Korea 5.9%, Singapore 4.9%, Malaysia 4.3%, Taiwan 3.5%, Australia 2.8%, Japan 2.5%, New Zealand 1.9%
[Map: 1H07 (Normalized), Middle East - Africa]
Bahrain 8.7%, Egypt 7.0%, Iraq 6.9%, Morocco 6.7%, Saudi Arabia 6.7%, Jordan 6.2%, Qatar 5.2%, Oman 5.0%, Iran 4.9%, Libya 4.6%, Yemen 4.1%, Tunisia 3.9%, Israel 3.8%, Kuwait 3.6%, Syria 3.5%, South Africa 2.0%; United Arab Emirates, Lebanon and Algeria carried the values 6.2%, 5.9% and 5.2% (the label-to-value mapping for these three was lost in extraction)
Most active malware categories
Trojans represented the largest number of variants collected during 1H07
Trojan downloaders and droppers had the second-highest number of variants for samples collected in 1H07
[Chart: number of variants collected by category, 0 to 160,000]
Windows Defender
The standalone version of Windows Defender
was released on October 23, 2006
This version of Windows Defender
runs on Windows XP SP2 and
Microsoft Windows Server 2003
Windows Defender is also a default component
of the Windows Vista operating system
Windows Defender
1. Windows Defender assigns each potentially unwanted software program an alert rating: Low, Medium, High, Severe
2. Each software program has also been assigned a default recommended action from the following list of possible actions:
Ignore: Users should ignore the alert for the current session
Ignore Always: Users should ignore the alert from now on, even if the software is seen again
Prompt: Users must make a decision about what to do with the software
Quarantine: Removes software in such a way that it can be restored at a later point
Remove: Removes software from the system
Software rated with an alert level of High or Severe is automatically removed during scheduled scans
Windows Defender – prevalence by category
In 1H07, 50+ million pieces of potentially unwanted software were detected by Windows Defender
Rogue security software was the largest factor in a dramatic increase in the Potentially Unwanted Software category
Increases in the Trojan, downloader, and exploit categories may be indicative of greater criminal intent and an increasing botnet population
Rank   Category                        Total 1H07    Total 2H06    % Change
1      Adware                          16,673,939    16,709,368    -0.2%
2      Potentially Unwanted Software    6,877,582     2,561,809    168.4%
3      Trojan Downloader                6,554,225     2,737,200    139.4%
4      Remote Control Software          3,160,543     2,755,996    13.8%
5      Browser Modifier                 3,117,687     1,359,098    129.3%
6      Spyware                          3,002,795     3,496,078    -14.1%
7      Trojan                           2,946,479     1,352,291    117.8%
8      Software Bundler                 2,695,015     3,740,722    -27.9%
9      Exploit                          1,072,930       481,487    122.8%
10     Setting Modifier                   930,291     1,130,677    -17.7%
Windows Defender – prevalence by OS
Windows Defender detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2 (normalized)
The number of detections of potentially unwanted software on computers running Windows Vista was half the number on computers running Windows Server 2003, after normalization
[Pie chart: Variation By Operating System, normalized: Windows XP SP2 48%, Windows 2003 34%, Windows Vista 18%]
Geographical Differences
Removals in the top 25 removal regions represent 94.9% of all removals worldwide (89% in 1H06)
Region            2H06          1H07          % Change
United States     21,958,236    28,125,649    28%
United Kingdom     3,521,976     4,194,037    19%
France               742,464     2,151,045    190%
China                527,055     2,134,286    305%
Canada             1,424,370     1,649,734    16%
Netherlands        1,149,623     1,224,051    6%
Australia            860,404     1,049,231    22%
Germany              568,083       910,950    60%
Japan                256,760       867,183    238%
Italy                422,369       831,741    97%
Geographical differences
[Chart: top detected families by region for the United States, Canada, United Kingdom, Netherlands, France, and Australia; per-region breakdown not recoverable from extraction; legend:]
TrojanDownloader: Win32/Zlob
Program: Win32/Winfixer
Adware: Win32/Claria.GAIN
Settings Modifier: Win32/PossibleHostsFileHijack
Program: Win32/Starware
Adware: Win32/NewDotNet
RemoteAccess: Win32/Rserver
TrojanDownloader: Win32/Renos
Adware: Win32/ZangoSearchAssistant
Spyware: Win32/CnsMin
SoftwareBundler: Win32/BearShare
Exploit: Win32/Anicmoo.A
Adware: Win32/WhenU.SaveNow
Trojan: Win32/Anomaly.gen
SoftwareBundler: Win32/NetPumper
Program: Win32/SearchTool
RemoteAccess: Win32/RealVNC
Adware: Win32/Hotbar
Adware: Win32/SurfAccuracy
RemoteAccess: Win32/GhostRadmin
Program: Win32/Optmedia
Dialer: Win32/Riprova
BrowserModifier: Win32/Matcash
SoftwareBundler: Win32/KaZaA
Program: Win32/Tclock
All Others
Geographical Differences
[Chart: top detected families by region for Germany, Italy, Japan, Belgium, and Turkey; same legend as the chart above]
Geographical Differences
Detections in China rose 305% from 2H06, with 2.1 million in 1H07
[Chart: top detected families in China; legend:]
BrowserModifier: Win/CNNIC ChineseKeywords
BrowserModifier: Win/YokSearch
BrowserModifier: Win/Baidu.Sobar
BrowserModifier: Win/My123
BrowserModifier: Win/Kugoo
Spyware: Win32/CnsMin
BrowserModifier: Win/SuperUtilBar
Program: Win32/PigSearch
Program: Win32/Sogou
BrowserModifier: Win/BDPlugin
[Diagram: information flowing between Home, USB Drive, Independent Consultant, Mobile Devices, and Partner Organization]
The flow of information has no boundaries
Information is shared, stored and accessed outside the control of its owner
Host and network security controls are not adequate to solve this problem
Regulatory Compliance
• Strict regulations
• Implications on availability
People
• Awareness
• Competency
• Social/Culture
Information Access & Protection
• Joint venture
• IT Outsourcing
• Branch & distributed network
• Mobility
Focus on the People: Building Competency (Awareness, Training, Education)
Focus on Responsiveness: Be prepared for the next incident (Scenarios, Testing/Drills, CERTs & Industry Partnership)
Focus on the Systems: Mitigation and enablement (Patch & vulnerabilities management, Information security management)
Legal and policy foundations
Comprehensive Protection
Integrated, coordinated protection technologies across clients, server applications, and the network edge, with dynamic responses to emerging threats, including antimalware, anti-spyware, and network access protection.
Unified Management
Single management console with unified security policies to protect and manage security across the entire infrastructure. Ease of deployment of configurations and updates, and collection of audit events.
Critical Visibility
Critical visibility into overall security state, including insights into threats and vulnerabilities. Integrated and summary reporting. "What you see is what you act" (WYSWYA)
Integrated security eases defense in depth architecture deployment
Adoption of open standards allows cross platform integration
Layer               Microsoft technologies
Management System   System Center, Active Directory GPO
Data                BitLocker, EFS, RMS, SharePoint, SQL
User                Active Directory and Identity Lifecycle Mgr
Application         SDL process, IIS, Visual Studio, and .NET
Device              Forefront Client Security, Exchange MSFP
Internal Network    Network Access Protection, IPSec
Perimeter           Forefront Edge and Server Security, NAP
Services            IPSec VPN, Network Access Protection (NAP)
[Diagram: Forefront product family spanning Edge, Server, Content, and Client, alongside Identity Management, Systems Management, and Guidance]
Previously published Microsoft Security Intelligence Reports
http://microsoft.com/sir
Microsoft Malware Protection Center Portal
http://www.microsoft.com/security/portal/
Understanding Anti-Malware Research and Response at Microsoft
http://download.microsoft.com/download/0/c/0/0c040c8f-2109-4760a75096443fd14ef2/Understanding%20Malware%20Research%20and%20Response%20at%20Microsoft.pdf
Anti-malware product Information for IT Professionals
http://www.microsoft.com/forefront/default.mspx
Windows Malicious Software Removal Tool
http://www.microsoft.com/malwareremove
Windows Defender
http://www.microsoft.com/windowsdefender
Windows Live OneCare
http://onecare.live.com
Windows Live OneCare safety scanner
http://onecare.live.com/scan
Microsoft Exchange Hosted Services
http://www.microsoft.com/exchange/services/default.mspx
Microsoft Forefront Client Security
http://www.microsoft.com/clientsecurity
Microsoft Forefront Security for Exchange Server
http://www.microsoft.com/forefront/serversecurity/exchange/download.mspx
Microsoft Online Safety Technologies (antispam and antiphishing)
http://www.microsoft.com/safety
Sender ID Framework
http://www.microsoft.com/senderid
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.