2H07 Microsoft Security Intelligence Report July through December 2007
An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the second half of 2007
Microsoft Security Intelligence Report

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2008 Microsoft Corporation. All rights reserved. Microsoft, the Microsoft logo, ActiveX, BizTalk, Internet Explorer, MSN, Windows Live OneCare, Forefront, Outlook, Hotmail, the Security Shield logo, Visual Studio, Windows, Windows Live, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Authors
Tim Cranton, Internet Safety Enforcement Team
Vinny Gullotto, Microsoft Malware Protection Center
Jeff Jones, Trustworthy Computing
Ziv Mador, Microsoft Malware Protection Center
Scott Molenkamp, Microsoft Malware Protection Center
Mike Reavey, Microsoft Security Response Center
Adam Shostack, Security Engineering and Community
George Stathakopoulos, Microsoft Security Response Center
Jeff Williams, Microsoft Malware Protection Center
Scott Wu, Microsoft Malware Protection Center

Contributors
Daniel Bohm, Exchange Hosted Services (EHS)
Alexandru Carp, Microsoft Malware Protection Center
Doug Cavit, Trustworthy Computing
Marisela Cerda, Windows Live OneCare
Joe Faulhaber, Microsoft Malware Protection Center
Heather Goudey, Microsoft Malware Protection Center
Michael Grady, Trustworthy Computing
Satomi Hayakawa, Japan Security Response Center
Rob Hensing, Microsoft Security Technology Unit
Yuhui Huang, Microsoft Malware Protection Center
Aaron Hulett, Microsoft Malware Protection Center
Jeannette Jarvis, Customer Support Services
Jimmy Kuo, Microsoft Malware Protection Center
Ken Malcolmson, Trustworthy Computing
Mark Miller, Trustworthy Computing
Gina Narkunas, Microsoft Online Services Group
Aaron Putman, Microsoft Malware Protection Center
Tim Rains, Trustworthy Computing
Marc Seinfeld, Microsoft Malware Protection Center
Austin Wilson, Windows Client
Jaime Wong, Microsoft Malware Protection Center
Japan Security Response Team, Microsoft Japan
Microsoft Legal and Corporate Affairs

Non-Microsoft Contributors
David Kennedy
Paul Henry
John Schramm
Key Findings

This report provides the Microsoft® perspective on the security and privacy threat landscape over the six-month period from July through December 2007. As in previous editions, this report examines software vulnerabilities (both in Microsoft software and third-party software), software exploits (for which there is a related Microsoft Security Bulletin), malicious software, and potentially unwanted software. In addition, the report provides insight into the challenges posed by spam and phishing attacks, a detailed look at the Win32/Nuwar worm, and a focus on the Microsoft commitment to drive Internet safety enforcement. The lists below summarize the key points from each section of the report.

Software Vulnerabilities
• Vulnerability disclosures decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.
• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006.
• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High-severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.
• Vulnerabilities requiring a Low level of complexity in order to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this number is relatively large, the number has declined significantly from earlier periods.

Software Vulnerability Exploits
• During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006, when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.
• Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.
• In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

Security Breach Notifications
• Several jurisdictions around the world now require that companies and other organizations publicly disclose security breaches that put personally identifiable information (PII) at risk. Analyzing these notifications offers insights into how and why such breaches occur.
• Exploits, malware, and hacking account for less than a quarter of security breach notifications. The majority of the breaches analyzed resulted from the absence or failure of proper information handling or physical security procedures.

Malicious and Potentially Unwanted Software

Malware Trends for 2H07
• The trends observed in the second half of 2007 are consistent with the observed shift of malware away from an amateur phenomenon to a tool used by professional criminals and criminal organizations to generate revenue.
• Trojan downloaders and droppers have grown to account for more infections than any other category of malware, due in large part to a small handful of very prevalent trojan downloader/dropper families.
• Many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user’s existing protection.
• Infection rates observed by the Microsoft Windows Malicious Software Removal Tool (MSRT) are significantly lower on Microsoft Windows® XP Service Pack 2 (SP2) and Windows Vista® compared to older operating systems.
• MSRT data shows that the infection rate for Windows Vista–based computers is 60.5 percent less than that of computers running Windows XP SP2, and 91.5 percent less than the infection rate for Windows XP with no service packs installed.
• Backdoor trojans now account for more than half of all instant messaging (IM) disinfections, with both worms and trojans showing significant increases.

Win32/Nuwar
• Win32/Nuwar, called the storm worm in some reports, is a family of trojans and associated components discovered in early 2007. By continually updating and adapting Win32/Nuwar in an effort to thwart detection and removal efforts, its authors have created a botnet that is estimated to have consisted of half a million infected systems worldwide.
• During the second half of 2007, the Win32/Nuwar authors continued to adapt their attacks technically, by updating and developing the binary components that make up the Nuwar family of malware, and socially, by tailoring their e-mailed pitches and finding new and different ways to leverage the botnet’s ability to send spam at their command. The second half of 2007 was a period of consistent permutation and adaptation.

E-Mail Threats
• Over 90 percent of all e-mail messages sent over the Internet today are spam. In addition to annoying the recipients and taxing the resources of e-mail providers, the flood of spam creates a potent vector for malware attacks and phishing attempts.
• As with malware, spam has evolved from a tool used by small operators to one typically used by larger, organized criminal groups to perpetuate scams and to sell fraudulent or dubious goods and services.
• As the senders of spam have changed, spam messages themselves have shifted away from selling legal products and services and toward the underground economy of illegal products and scams.
• Phishing remained a significant threat in 2H07, eroding people’s trust in the Internet and harming the reputations of the institutions victimized by phishing sites.
• The number of live phishing pages tracked by the Microsoft Phishing Filter remained roughly constant in 2H07, with new pages being discovered at approximately the same rate that older pages were going offline.
• Phishing is still predominantly an English-language phenomenon. Typically, 75–80 percent of the active phishing pages tracked by the Microsoft Phishing Filter at a given moment in 2H07 were English-language pages.
• Despite the increasingly sophisticated tricks employed by spammers, some of the simplest spam-fighting techniques, like IP blocking, SMTP connection analysis, and recipient validation, remain very effective.
• Users should be encouraged to use Web browsers with anti-phishing features, which display alerts when users attempt to visit known phishing sites.

Potentially Unwanted Software
• Worldwide disinfections of potentially unwanted software are comparable to those of malware. The top 15 potentially unwanted software families displayed a 114 percent increase over 1H07, owing in part to an increase in the number of users worldwide running one or more of the appropriate detection tools. Nine of the 15 families displayed increases of 100 percent or more, with five families increasing by more than 200 percent.
• When Windows Defender detects a malware or potentially unwanted software infection, it gives the user the choice of removing the software, quarantining it, ignoring the warning once, or ignoring the warning permanently. The range of decisions made indicates that users perceive different potentially unwanted software programs as providing different levels of value.
• Potentially unwanted software continues to target predominantly English-speaking markets, although other countries have also showed strong increases.
• The prevalence of rogue security software continues to increase, with many common families being delivered by trojan downloaders and other malware, as well as by conventional social engineering methods.
• When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with a large portion of the rest choosing to quarantine the software.

Internet Safety Enforcement
• As a component of the company’s security efforts, Microsoft has adopted a comprehensive, global approach to security and Internet safety enforcement. Microsoft believes that five fundamental pillars—technology, legislation, enforcement, education, and partnerships—are critical to promoting a safer online environment.
• Microsoft has filed nearly 250 legal actions worldwide against spammers, often working with law enforcement officials in the United States, Europe, the Asia-Pacific region, and South America.
• Microsoft is a member of the Anti-Spam Technical Alliance (ASTA), dedicated to developing technical standards and promoting collaboration among industry partners to curb the proliferation of spam. ASTA achievements include filing the first major lawsuits under the CAN-SPAM Act against hundreds of individuals connected with some of the world’s largest spamming operations.
• Microsoft was the first private-sector participant in the London Action Plan, a coalition of international agencies that supports global cooperation on network security, law enforcement, and improved consumer awareness to combat spam.
• Microsoft utilizes its technical expertise to combat phishing and online abuse. The development of the Microsoft Phishing Filter, Windows Live OneCare™, and use of e-mail authentication technologies are examples of how Microsoft remains focused on developing additional layers of defense against phishers.
• Microsoft actively addresses the threats posed by phishing through its Global Phishing Enforcement Initiative. This initiative contains three central components: proactive domain defense; worldwide investigations and referrals; and strong international partnerships.
• Microsoft sponsored and is currently an active participant in the International Botnet Task Force, which supplies education and tools to law enforcement efforts to combat botnets. As a direct result of the operation, the FBI has charged numerous individuals with cyber crimes.
About This Report

Scope
The Security Intelligence Report (SIR) is published by Microsoft twice per year. These reports focus on data and trends observed in the first and second halves of each calendar year. Past reports and related resources are available for download at http://www.microsoft.com/sir. We continue to focus on malware data, software vulnerability disclosure data, vulnerability exploit data, and related trends in this fourth installment of the Microsoft Security Intelligence Report. Highlights of this edition include new sections on privacy breaches and cybercrime law enforcement activities. In response to popular demand, we have also included a section addressing Win32/Nuwar (also known as the storm worm), a wide-ranging and sophisticated threat that has occupied the attention of security professionals over the past year. We hope that readers find the data, insights, and guidance provided in this report useful in helping them protect their networks and users.

Reporting Period
This Security Intelligence Report focuses on the second half of 2007 (2H07), though it also contains data and trends observed over the past several years. The nomenclature used throughout the report to refer to different reporting periods is nHYY, where nH refers to either the first (1) or second (2) half of the year, and YY denotes the year. For example, 1H07 represents the period covering the first half of 2007 (January 1 through June 30), while 2H05 represents the period covering the second half of 2005 (July 1 through December 31).

Data Sources
If you are interested in the products, services, tools, and Web sites used to provide the data for this report, please see the full listing in Appendix A of this report.
Table of Contents

Microsoft Security Intelligence Report .... 2
Authors .... 3
Contributors .... 3
Non-Microsoft Contributors .... 3
Key Findings .... 4
    Software Vulnerabilities .... 4
    Software Vulnerability Exploits .... 4
    Security Breach Notifications .... 5
    Malicious and Potentially Unwanted Software .... 5
    Internet Safety Enforcement .... 7
About This Report .... 9
    Scope .... 9
    Reporting Period .... 9
    Data Sources .... 9
Microsoft Security Response Center Executive Foreword .... 12
Software Vulnerabilities .... 13
    Section Highlights .... 13
    Strategy, Mitigations, and Countermeasures .... 13
    Software Vulnerability Trends for 2H07 .... 14
    Vulnerability Disclosures by Year and Half-Year .... 14
    Vulnerability Disclosure by Month .... 17
    Severity Analysis .... 17
    Access Complexity Vulnerability Trends .... 24
    Summary and Conclusion .... 26
Software Vulnerability Exploits .... 27
    Section Highlights .... 27
    Strategy, Mitigations, and Countermeasures .... 27
    Survey Details .... 28
    Findings
        Software Vulnerability Exploit Trends .... 29
        Exploit Details .... 32
        Summary and Conclusion .... 32
Security Breach Notifications As a Lens into Security Failures .... 33
    Section Highlights .... 33
    Strategy, Mitigations, and Countermeasures .... 33
    Analysis .... 34
Malicious and Potentially Unwanted Software .... 37
    Section Highlights .... 37
    Strategy, Mitigations, and Countermeasures .... 37
    Malware Trends for 2H07
        Malware Infections by Category .... 39
        Malware Infections by Operating System .... 42
        Malware Families .... 47
        Malware Activity and Variants .... 50
        Geographic Distribution .... 54
    A Focus on Win32/Nuwar (the “storm worm”) .... 57
    A Focus on E-Mail Threats .... 60
    Potentially Unwanted Software .... 66
    Malicious and Potentially Unwanted Software Summary and Conclusion .... 71
Focus on Internet Safety Enforcement .... 83
    Stopping Spam .... 84
    Fighting Phishing .... 84
    Beating Botnets .... 87
    [entry title missing in extraction] .... 88
Microsoft Malware Protection Center Executive Afterword .... 90
Glossary .... 92
Appendix A: Data Sources .... 95
    Software Vulnerabilities .... 95
    Malicious Software and Potentially Unwanted Software .... 96
Appendix B: Exploit Counts by Microsoft Security Bulletin and CVE ID .... 100
    Exploits by Microsoft Security Bulletin .... 100
    Exploits by CVE ID .... 102
Microsoft Security Response Center Executive Foreword

In this latest version of Microsoft’s Security Intelligence Report, we finish the chapter on 2007 by sharing our intelligence and corresponding analysis on data that we have collected in the threat landscape during the last half of calendar year 2007. Our data continues to support the improvements that I believe we are making with the security of our products. Again, Windows Vista has shown significantly lower malware infection rates than previous versions of Microsoft Windows. This is yet one data point that helps to reinforce our belief that Windows Vista is our most secure operating system to date. Nevertheless, we also understand security is more than just Windows Vista and that the security ecosystem is far from complacency. We continue to see social engineering tactics that trick users as well as more targeted exploits. As such, we must continually carry the message that security is a journey and while we continue to make progress we are still very far from our destination. After our last report, I made a concerted effort to speak with as many customers to gather valuable feedback and from what I’ve heard, the Security Intelligence Report is well received and is seen as a valuable tool. However, I understand that many of you have an insatiable appetite for more data and more transparency from Microsoft. You want more intelligence that can help you better manage your risk for an overall safer computing experience. Accordingly, we try to add new, relevant and fresh content that will hopefully provide you with additional insight into how the threat environment is evolving. To start, this report includes more data on spam and phishing than in previous reports and we’ve added some information surrounding our work with Law Enforcement agencies that help put cyber criminals in jail. There is also a section on security breaches that discusses some research surrounding privacy issues.

These topics help us to paint a broader picture that security and privacy are more than simply vulnerabilities, malware and exploits, especially since these account for less than a quarter of security breach notifications. Naturally, we still look to you to share our journey by continually providing us with valuable feedback. What do you like about this report? What don’t you like? What else would you like to see in this report that can help you better understand the threat landscape and ultimately better defend your network? Your feedback is important and will help us shape this report so that we can deliver what is needed. I strongly encourage you to please email me your thoughts at sirfb@microsoft.com.

Thank you,

George Stathakopoulos
General Manager
Microsoft Product Security Center
Microsoft Security Response Center
Microsoft Corporation
Software Vulnerabilities

Section Highlights
• Vulnerability disclosures across the entire software industry decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.
• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006. The second half of 2007 also experienced a decline in the disclosure of vulnerabilities rated as High-severity; however, for the full year, High-severity disclosures continued to grow relative to previous years.
• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.
• Vulnerabilities requiring a Low level of complexity in order to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this number is relatively large, the number has declined significantly from earlier periods.

Strategy, Mitigations, and Countermeasures
• The Microsoft TechNet Security Center at http://www.microsoft.com/technet/security provides links to the latest security bulletins for Microsoft products, as well as other security resources, including the Microsoft Security Newsletter.
• Both security vendors and IT Professionals should adjust their risk management processes appropriately to ensure that operating systems and applications are protected. See the Security Risk Management Guide at http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx for tips and assistance.
• Organizations should participate in IT security communities to keep abreast of the wide range of potential security issues they may face.
Software Vulnerability Trends for 2H07
Vulnerabilities are weaknesses in software that allow an attacker to compromise the integrity, availability, or confidentiality of that software. Some of the worst vulnerabilities allow attackers to run their code on the compromised system. This section of the Microsoft Security Intelligence Report analyzes new vulnerabilities that were disclosed during the second half of 2007. It compares trending information for vulnerabilities starting in 2003, with particular focus on trends that may be emerging over the past few half-year periods. Note that, in this report, the term disclosure is used to mean broad and public disclosure, and not any sort of private disclosure or disclosure to a limited number of people. This section discusses software vulnerability disclosures for the software industry as a whole, not just for Microsoft products.

Vulnerability Disclosures by Year and Half-Year
In 1H07, reported vulnerabilities were on par with 2H06, departing from a trend of increasing vulnerability disclosures in every six-month period since 2H03. This trend was actually reversed in 2H07, with new vulnerability disclosures in 2H07 declining by more than 15 percent from the first half of the year to a total lower than that observed in any six-month period since 2H05.

Figure 1. Industry-wide vulnerability disclosures by half-year, 2003–2007 (chart: half-year periods 1H03 through 2H07 on the horizontal axis; disclosure counts from 0 to 3,500 on the vertical axis)
This decrease represents a change from previous periods in at least three ways:
• It breaks the recent pattern of disclosure totals being higher in the second half of the year than in the first half.
• It breaks the pattern for second-half year-over-year disclosure growth.
• It represents a decrease not just from the previous half-year, but a lower total than any of the three previous half-year periods.

Overall, in calendar year 2007, vulnerability disclosures decreased by about 5 percent since 2006, as illustrated in Figure 2.

Figure 2. Industry-wide vulnerability disclosures by year, 2003–2007 (chart: years 2003 through 2007 on the horizontal axis; disclosure counts from 0 to 8,000 on the vertical axis)

This break from the drastic growth from past years can likely be attributed to a number of factors, such as the following:
• The decrease could represent a general flattening of vulnerability discoveries.
• The disclosure increases observed in 2006 could have been an atypical spike, with the 2007 numbers more representative of the overall growth trend.
• As exploitation of vulnerabilities for monetary gain increases, discoverers may have a financial incentive to remain silent on new vulnerabilities.
A deeper analysis of each of these three possibilities suggests that the answer is not likely to be known for several more periods, if at all.
• If the disclosure increases observed in 2006 were anomalously high, future periods should display less-steep increases, returning to the growth rate observed in previous years. However, this would not explain the 2H07 decrease relative to 1H07, which had not happened previously.
• If the observed changes reflect a general flattening of vulnerability discoveries, future totals should remain relatively flat for some time. Even if this occurs, historical trends demonstrate that any flattening would most likely be a temporary reprieve before attackers and security researchers develop new techniques for finding vulnerabilities.
• In the past few years, the economic value of vulnerabilities has grown, providing potential attackers with more incentive to sell them privately rather than disclose them publicly. It is conceivable that a number of vulnerabilities were discovered in 2007 and not publicly disclosed because the finder chose to keep the information private, rather than share it with everyone. However, the magnitude of the decrease observed in 2H07 suggests that this explanation is unlikely to account for the entirety of the decrease.

Historically, products contributing the most vulnerabilities each represent less than 1 percent of the total number of disclosed vulnerabilities in a given period. The 2H07 drop is therefore equivalent to a 100 percent drop in disclosures for the 15 most widespread and popular products across the software industry. It is extremely unlikely that all or most of this decrease is due to vulnerability discoverers withholding information, although the increasing financial value of vulnerabilities is probably having a small contributory effect that will delay knowledge of some vulnerabilities until someone attempts to leverage them for gain. Regardless of these recent decreases and the reasons for them, the annual number of disclosures remains very high, with more than twice as many vulnerabilities disclosed in 2007 than were disclosed in 2004, just three years prior, so security professionals must remain vigilant.
Vulnerability Disclosure by Month
The general downward trend is also reflected in the monthly disclosure totals for 2H07, representing a fairly significant deviation from previous periods, as shown in Figure 3.

Figure 3. Industry-wide vulnerability disclosures by month, July–December 2007 (chart: months July through December on the horizontal axis; disclosure counts from 0 to 700 on the vertical axis; series labeled 2003-2007 and 2H07)

Vulnerability disclosures generally trended downward from July to December in 2007, in contrast to the generally upward trend observed over the last several years. December, in particular, is usually the top month in the year for new disclosures, for reasons that are not entirely clear. In 2007, however, it stands side by side with November as having the fewest disclosures of the year.

Severity Analysis
In general, large numbers of total disclosed vulnerabilities across the software industry indicate significant challenges for IT administrators who have deployed the affected products. Not all vulnerabilities are equal, however, and an analysis of vulnerability severity can help IT Professionals understand and prioritize the nature and severity of the threats they face from new disclosures.
Database CVSS Severity Rating Changes in 2007
Traditionally, the Microsoft Security Intelligence Report has used the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) [1] severity ratings for severity analysis, which are derived from the Common Vulnerability Scoring System (CVSS). The CVSS is a standardized, platform-independent scoring system that assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. The NVD additionally assigns each vulnerability a severity ranking of Low, Medium, or High, according to its numeric CVSS score:
• Vulnerabilities are labeled Low-severity if they have a CVSS base score of 0.0–3.9 (out of 10).
• Vulnerabilities are labeled Medium-severity if they have a CVSS base score of 4.0–6.9.
• Vulnerabilities are labeled High-severity if they have a CVSS base score of 7.0–10.0.

Until June 2007, the underlying CVSS score was calculated using the CVSSv1 (version 1) formula. [2] That month, the NVD released CVSSv2 (version 2), an updated version of the CVSS formula intended to increase the accuracy, consistency, and applicability of the scoring system. The NVD subsequently switched to using the CVSSv2 formula to calculate the underlying CVSS scores for newly discovered vulnerabilities, and calculated CVSSv2 scores for older entries by upgrading and approximating the needed CVSS input values. In some cases, the CVSSv2 severity ratings calculated for existing vulnerabilities differ significantly from the CVSSv1 ratings. [3] Because past volumes of the SIR have used the CVSSv1 formula for assessing vulnerability severity, this volume of the SIR provides severity analysis using both CVSSv1 scores and CVSSv2 scores. The CVSSv1 scores were calculated and derived from the CVSSv2 vectors, as provided in the NVD, and were validated against older instances of NVD entries.
[1] Available at http://nvd.nist.gov/.
[2] You may read about CVSSv1 in detail at http://www.first.org/cvss/v1/guide.html.
[3] You may read a more detailed analysis of the impact of CVSSv2 upon vulnerability severity ratings in: Jones, Jeffrey. “CVSSV1 and CVSSV2 Severity, Exploring Severity Changes in CVSSv2,” April 2008 (http://blogs.technet.com/security/archive/2008/04/01/countdown-to-rsa-conference-2008.aspx).
Comparing CVSSv1 and CVSSv2
Comparing the CVSSv1 and CVSSv2 rankings for half-year periods, as shown in Figure 4, illustrates the considerable difference between the two rating systems. In the CVSSv1 chart, Low-severity vulnerabilities have accounted for about 40 percent of the total over the past several periods. The CVSSv2 formula, by comparison, classifies a much larger number of vulnerabilities as High-severity, with negligible numbers of vulnerabilities classified as Low-severity. Both rating systems reveal a drop in the total number of High-severity vulnerabilities disclosed across the software industry during 2H07, with a small drop in the CVSSv1 chart and a larger drop under CVSSv2.

Figure 4. Industry-wide vulnerability disclosures by CVSSv1 and CVSSv2 severity by half-year, 2003–2007 (two charts, CVSSv1 and CVSSv2: half-year periods 1H03 through 2H07 on the horizontal axis; disclosure counts from 0 to 4,000 on the vertical axis; series for Low, Medium, and High severity)
Figure 5, which compares the CVSSv1 and CVSSv2 severity breakdowns for each full year since 2003, shows that even with the decrease in the second half of the year, the number of High-severity vulnerabilities disclosed across the software industry increased for the full year of 2007.

[Figure 5. Industry-wide vulnerability disclosures by CVSSv1 and CVSSv2 severity by year, 2003–2007. Two stacked bar charts (CVSSv1 and CVSSv2) of Low, Medium, and High counts for 2003 through 2007, y-axis 0–8000; chart data not reproduced here.]
Figure 6 shows the severity breakdown by percentages. With the CVSSv1 rating system, the percentage of High-severity vulnerabilities disclosed reached an all-time high of 15 percent in 2007, with Low-severity vulnerabilities accounting for roughly 40 percent of vulnerabilities disclosed, and Medium-severity vulnerabilities accounting for the remaining 45 percent. If the CVSSv2 rating system is used, by comparison, High-severity vulnerabilities consistently make up 40–50 percent of annual vulnerabilities disclosed across the software industry, with Low-severity vulnerabilities contributing a much smaller percentage, reaching highs of around 9 percent in 2004 and 2005 and falling to 3.6 percent in 2007.

[Figure 6. Industry-wide vulnerability disclosures by CVSSv1 and CVSSv2 severity by percentages, 2003–2007. Two 100-percent stacked bar charts (CVSSv1 and CVSSv2) of Low, Medium, and High shares for 2003 through 2007; chart data not reproduced here.]
Figure 7 breaks out the number of vulnerabilities rated as High-severity using the CVSSv1 and CVSSv2 rating systems, respectively, for the half-year periods. Both charts show a rise in High-severity vulnerability disclosures until 2H07, when the number decreases. In the CVSSv1 chart, the decline follows a significant increase in High-severity disclosures in 1H07, compared to a more moderate 1H07 increase in the CVSSv2 chart.

[Figure 7. CVSSv1 and CVSSv2 High-severity vulnerabilities disclosed industry-wide by half-year, 1H03–2H07. Two bar charts: CVSSv1 High counts (y-axis 0–600) and CVSSv2 High counts (y-axis 0–2000) for 1H03 through 2H07; chart data not reproduced here.]
Despite the decline in High-severity vulnerabilities disclosed across the industry in 2H07 and the decline in overall vulnerabilities for 2007 as a whole, High-severity vulnerability disclosures actually increased for 2007 as a whole, as shown in Figure 8. Here, the two rating systems lead to somewhat different conclusions. The CVSSv1 chart, which shows fluctuating numbers of High-severity vulnerabilities between 2003 and 2006, suggests the possibility that the significant increase seen in 2007 may be anomalously high. By contrast, the CVSSv2 chart illustrates a steady increase in High-severity vulnerabilities up through and including 2007, which shows an increase of roughly 10 percent over 2006. The degree to which CVSSv2 is accepted by the IT security community will ultimately decide which conclusion is generally seen as more accurate.

[Figure 8. CVSSv1 and CVSSv2 High-severity vulnerabilities disclosed industry-wide by year, 2003–2007. Two bar charts (CVSSv1 and CVSSv2) of High counts for 2003 through 2007, y-axis 0–3500; chart data not reproduced here.]
The shift to CVSSv2 and the corresponding reclassification of a large number of vulnerabilities as High-severity have important implications for security professionals.
Focusing on mitigating the most severe vulnerabilities first is a security best practice. Using CVSSv1, security administrators have historically been able to focus on the approximately 5 percent of vulnerabilities rated High (a share that, as Figure 6 shows, rose to 15 percent in 2007). Under CVSSv2, roughly 40 percent of all vulnerabilities are now grouped together in the most severe category. This translates to a big increase in prospective workload, although if 40 percent of vulnerabilities are that severe, it is difficult to justify not treating them as such.

As a practical matter, it seems likely that if CVSSv2 becomes the predominant cross-product rating system, security professionals will need to leverage other sources of information for filtering and prioritization. If the product vendor provides its own rating system, that should be the primary source of severity information, as vendors know their products best and can give the most informed guidance. For others, it may be useful to draw on several sources in order to collect a richer set of information.

Access Complexity
Access Complexity is a metric used by the CVSS to measure the complexity of an attack required to exploit a given vulnerability, assuming an attacker has the required access to the system. For example, consider two vulnerabilities, each of which potentially allows an attacker to remotely run code:

• One of the vulnerabilities only works on Tuesdays, when the available free memory is less than 56K, and at least three user accounts are logged in to the system. This is a highly complex set of requirements.
• The other vulnerability is in a default Internet-facing service, and the exploit works reliably regardless of the state of the system. This is a Low-complexity scenario.
In CVSSv1, the metric could take one of two values, High or Low. For CVSSv2, the Access Complexity attribute was expanded to take one of three values, High, Medium, or Low. The expanded values are defined in Figure 9.4
4 Definition from: Mell, Peter, Karen Scarfone, and Sasha Romanosky. “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” (http://www.first.org/cvss/cvss-guide.html) section 2.1.2.
Figure 9. NVD complexity rankings and definitions

High: Specialized access conditions exist. For example:
• In most configurations, the attacking party must already have elevated privileges or spoof additional systems in addition to the attacking system (for example, DNS hijacking).
• The attack depends on social engineering methods that would be easily detected by knowledgeable people. For example, the victim must perform several suspicious or atypical actions.
• The vulnerable configuration is seen very rarely in practice.
• If a race condition exists, the window is very narrow.

Medium: The access conditions are somewhat specialized. The following are examples:
• The attacking party is limited to a group of systems or users at some level of authorization, possibly untrusted.
• Some information must be gathered before a successful attack can be launched.
• The affected configuration is non-default and is not commonly configured (for example, a vulnerability present when a server performs user account authentication via a specific scheme but not present for another authentication scheme).
• The attack requires a small amount of social engineering that might occasionally fool cautious users (for example, phishing attacks that modify a Web browser’s status bar to show a false link, or having to be on someone’s “buddy” list before sending an IM exploit).

Low: Specialized access conditions or extenuating circumstances do not exist. The following are examples:
• The affected product typically requires access to a wide range of systems and users, possibly anonymous and untrusted (for example, an Internet-facing Web or mail server).
• The affected configuration is default or ubiquitous.
• The attack can be performed manually and requires little skill or additional information gathering.
• The “race condition” is a lazy one (in other words, it is technically a race but easily winnable).
Low-access complexity embodies the characteristics that make exploitation easy, predictable, and repeatable. For Medium-complexity vulnerabilities, broad, automated attacks are less likely, either because the required configuration is much less common or because an attack requires some level of specialization to succeed. A complexity value of High effectively means that a practical exploit is very challenging.
Given a set number of vulnerabilities, then, the ideal scenario is one with a high percentage of High-complexity vulnerabilities, or, failing that, at least a low percentage of Low-complexity vulnerabilities. Unfortunately, as Figure 10 illustrates, the opposite has historically been true.

[Figure 10. Industry-wide vulnerability disclosures by access complexity, 1H05–2H07. A 100-percent stacked bar chart of Low, Medium, and High complexity shares for 1H05 through 2H07; chart data not reproduced here.]
High-complexity vulnerabilities account for a very small portion (3 percent) of all vulnerabilities disclosed in 2007 across the software industry, significantly less than in previous periods. However, the trend for Low-access complexity has improved, accounting for a smaller portion of the total during each successive period. In 2H07, half of all vulnerabilities required some level of specialization for potential exploits, a higher portion than in any other period since 2005.

Vulnerability Trends Summary and Conclusion
The number of disclosures of new software vulnerabilities across the industry continues to be in the thousands, with 2,900 new vulnerabilities disclosed in 2H07, but a 15 percent decline in the number of new disclosures since 1H07 is cause for some optimism. The adoption of CVSSv2 substantially increased the estimated severity of a large number of new and previously disclosed vulnerabilities, which should put security professionals on guard against attack vectors that create significantly more potential risk than had previously been supposed. Both security vendors and IT Professionals should adjust their risk management processes appropriately to ensure that important systems are protected.
Software Vulnerability Exploits

Section Highlights
• During 2007, 32.2 percent of known security vulnerabilities (CVE IDs) in the Microsoft products analyzed for this report had publicly available exploit code. This is nearly identical to the totals from 2006, when 32.7 percent of known security vulnerabilities for the same products had publicly available exploit code.
• Microsoft matched each public exploit with its corresponding vulnerability using CVE identifiers and Microsoft security bulletins. The number of Microsoft security bulletins released in 2007 was 11.5 percent lower than in 2006, and the number of vulnerabilities covered by those bulletins was 29.6 percent lower than the number covered by the 2006 bulletins.
• In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

Strategy, Mitigations, and Countermeasures
• Analyzing the availability or probability of exploit code being developed for specific vulnerabilities can help customers prioritize which vulnerabilities require faster mitigation.
• More recent Microsoft products appear to be at less risk from publicly available exploit code than earlier products.
• Organizations should participate in IT security communities to keep abreast of the wide range of potential security issues they may face and to understand which vulnerabilities are more likely to be exploited. The monthly Microsoft Security Bulletin Webcast is a good place to start because it provides access to various security-related resources, as well as up-to-the-minute updates on each release.
As noted in the previous section, not all vulnerabilities are easily exploited, and a significant majority of known vulnerabilities have no publicly available exploits associated with them. By staying up to date on which products are more or less likely to be exploited, security professionals can more effectively prioritize their mitigation efforts. Microsoft conducted a survey to determine the overall change in reliability of publicly available exploits against Microsoft products between 2006 and 2007. To perform this survey, researchers collected a broad sample of data from a variety of public sources, including exploit archives, antivirus alerts, mailing lists, hacking Web sites, and exploitation frameworks. Each individual data point was classified and matched to a particular vulnerability, and the results were tabulated.
Survey Details

To produce the final counts of exploits for each product, researchers looked for exploit data in a number of locations on the Internet, from publicly available exploit libraries like the Metasploit Project (http://www.metasploit.com) to some of the lesser known mailing lists and Web sites used by the underground hacking community, setting a time limit for discovery. Any reliable exploit discovered in the time allowed was considered public. Any worm that wasn’t targeted at a specific corporation was also considered proof of a public exploit. A list of criteria was used to judge whether an incident would or would not be considered exploitable for the purposes of this study. Discussions within the security community sometimes conflate reliable, code-execution exploits with Denial-of-Service (DoS) attacks. The potential for confusion tends to increase as a search moves away from the major security sites to lesser-known and quasi-underground resources. Figure 11 lists the criteria used for determining whether an exploit was within scope for this research.

Figure 11. Criteria for judging exploits

Criteria                                                        Result
Exploit found with shell code or command line                   Exploitable
Exploit available in exploitation framework                     Exploitable
Exploit code could be purchased from major vendor               Exploitable
Common virus or trojan uses the technique                       Exploitable
Major Web site reports public exploits available                Exploitable
Microsoft reports publicly available exploit                    Exploitable
Proof of Concept (POC) with placeholder such as a long string   Exploitable if other evidence exists
Major news site report of exploitation                          Exploitable if POC available
POC is labeled as a DoS                                         Not Exploitable
To normalize the data set, each exploit was matched with its corresponding vulnerability using Common Vulnerabilities and Exposures (CVE) identifiers and Microsoft security bulletins.5

5 See Appendix A for more information about these resources.
Exploit developers don’t necessarily label their exploits with a corresponding identifier, and most exploits found in the wild aren’t matched with any formal numbering system at all. Exploits generated by commercial or open-source projects to specifically exploit a known vulnerability generally contain references to some numbering system, but don’t always contain a Microsoft security bulletin number. If an exploit does reference a numbering system, by far the most common cross-reference is a CVE identifier. Each Microsoft security bulletin may address multiple vulnerabilities, so the Microsoft security bulletin-to-CVE translation isn’t a one-to-one correlation. Researchers used information provided by the Microsoft Security Response Center (MSRC), CVE, the NVD, and SecurityPatch.org to create a final MSRC-to-CVE mapping.

Exploits targeting a product usually don’t apply to all versions of that product. Each exploit was assigned to a specific product version using a number of factors. If the associated vulnerability was only present in a single product version, the exploit was assigned to that version. If a worm or documented attack used a particular version of the product, the exploit was assigned to the version of the product exploited by the malware or attacker. If known addresses were present in the exploit that could be tied to a particular version, the exploit was assigned to that version.

Findings
The survey found that 32.2 percent of known vulnerabilities announced in 2007 in Microsoft products had publicly available exploit code, on par with the percentage from 2006 (32.7 percent). In 2007, Microsoft released 69 security bulletins covering 100 unique vulnerabilities, whereas in 2006, Microsoft released 78 security bulletins covering 142 unique vulnerabilities. This translates into an 11.5 percent decrease in security bulletins, and a 29.6 percent decrease in the number of unique vulnerabilities covered by those security bulletins in 2007.

Figure 12 and Figure 13 summarize the results of the survey for versions of Microsoft Windows, Microsoft Internet Explorer®, and the Microsoft Office system. (See Appendix B for more comprehensive lists that include other Microsoft products.)
Figure 12. Exploits in select Microsoft products by Microsoft Security Bulletin, 2006–2007

By Microsoft Security Bulletin (for each year: bulletin count, bulletins with exploits, percentage; Delta is the change in percentage from 2006 to 2007)

Product            Version    2006 Bulletins  2006 Exploits  2006 %    2007 Bulletins  2007 Exploits  2007 %    Delta
Internet Explorer  5          8               4              50.0%     8               3              37.5%     -12.5%
Internet Explorer  6          7               3              42.9%     8               3              37.5%     -5.4%
Internet Explorer  7          0               0              —         8               3              37.5%     —
Microsoft Office   2000       13              7              53.9%     11              6              60.0%     6.2%
Microsoft Office   XP         13              5              38.5%     12              6              54.6%     16.1%
Microsoft Office   2003       12              5              41.7%     13              6              46.2%     4.5%
Microsoft Office   X-Mac      7               2              28.6%     1               1              100.0%    71.4%
Microsoft Office   2004-Mac   7               3              42.9%     11              5              45.5%     2.6%
Microsoft Office   2007       0               0              —         5               1              20.0%     —
Windows            98         13              5              38.5%     0               0              —         —
Windows            ME         13              4              30.8%     0               0              —         —
Windows            2000       46              14             30.4%     36              5              13.9%     -16.5%
Windows            XP         53              27             51.9%     39              5              12.8%     -39.1%
Windows            2003       49              26             53.1%     39              18             46.2%     -6.9%
Windows            Vista      0               0              —         22              9              40.9%     —

Percentages are reproduced as published. In three rows (Office 2000 and Office XP for 2007, Windows XP for 2006) the published percentage does not equal the exploit count divided by the bulletin count shown, so the underlying bulletin counts for those rows should be treated with caution.
As noted above, each Microsoft security bulletin may address multiple vulnerabilities. A Microsoft security bulletin number was included in a product if any of the vulnerabilities it covered related to that product. For example, it is possible that the same Microsoft security bulletin is counted for Internet Explorer as well as Microsoft Office. Also, if two or more vulnerabilities of a particular product had reliable exploits available, the Microsoft security bulletin was only counted once for the total.
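The criteria in Figure 11 and the counting rules just described, encoded as an added example (not code from the report's survey, whose classification was done by hand from collected evidence): each record carries the kinds of public evidence found for one CVE, the criteria decide whether the CVE counts as exploitable, and the tabulation produces per-product counts by CVE and by bulletin in the shape of Figures 12 and 13, counting a bulletin once per product no matter how many of its CVEs have exploits. The bulletin and CVE identifiers, product names, and evidence labels are placeholders constructed for the example; the reading that a DoS-only proof of concept does not count as "other evidence" for a placeholder proof of concept is an assumption.

```python
from collections import defaultdict

# Figure 11 criteria. Any one of these kinds of evidence is conclusive on its own.
CONCLUSIVE = {
    "exploit_with_shellcode",      # exploit found with shell code or command line
    "exploitation_framework",      # exploit available in an exploitation framework
    "purchasable_exploit",         # exploit code could be purchased from a major vendor
    "malware_uses_technique",      # common virus or trojan uses the technique
    "major_site_reports_exploit",  # major Web site reports public exploits available
    "vendor_reports_exploit",      # Microsoft reports publicly available exploit
}
# Conditional kinds: a placeholder PoC needs other evidence; a news report needs a PoC.
PLACEHOLDER_POC = "poc_placeholder"
NEWS_REPORT = "news_report"
# A PoC labelled as DoS is not exploitable and (this example's assumption) does not
# count as "other evidence" for a placeholder PoC either.
POC_DOS = "poc_labeled_dos"

def is_exploitable(evidence):
    """Apply the Figure 11 criteria to the set of evidence kinds found for one CVE."""
    kinds = set(evidence)
    if kinds & CONCLUSIVE:
        return True
    has_poc = PLACEHOLDER_POC in kinds
    if NEWS_REPORT in kinds and has_poc:
        return True
    other = kinds - {PLACEHOLDER_POC, POC_DOS}
    return has_poc and bool(other)

def pct(n, d):
    return None if d == 0 else round(100.0 * n / d, 1)

def tabulate(records):
    """Per product version: CVE and bulletin counts. A bulletin is counted for a
    product if any CVE it covers affects that product, and counted once as
    'exploited' no matter how many of its CVEs have exploits."""
    cves, cve_ex = defaultdict(set), defaultdict(set)
    bulls, bull_ex = defaultdict(set), defaultdict(set)
    for r in records:
        hit = is_exploitable(r["evidence"])
        for product in r["products"]:
            cves[product].add(r["cve"])
            bulls[product].add(r["bulletin"])
            if hit:
                cve_ex[product].add(r["cve"])
                bull_ex[product].add(r["bulletin"])
    table = {}
    for p in sorted(cves):
        table[p] = {
            "cve_count": len(cves[p]), "cve_exploits": len(cve_ex[p]),
            "cve_pct": pct(len(cve_ex[p]), len(cves[p])),
            "bulletin_count": len(bulls[p]), "bulletin_exploits": len(bull_ex[p]),
            "bulletin_pct": pct(len(bull_ex[p]), len(bulls[p])),
        }
    return table

# Constructed records with placeholder identifiers; none refers to a real CVE or bulletin.
SAMPLE_RECORDS = [
    {"cve": "CVE-SAMPLE-1", "bulletin": "BULLETIN-A", "products": ["Product 1.0", "Product 2.0"],
     "evidence": ["exploitation_framework"]},             # framework module: exploitable
    {"cve": "CVE-SAMPLE-2", "bulletin": "BULLETIN-A", "products": ["Product 2.0"],
     "evidence": ["poc_placeholder"]},                    # PoC alone: not exploitable
    {"cve": "CVE-SAMPLE-3", "bulletin": "BULLETIN-B", "products": ["Product 1.0", "Product 2.0"],
     "evidence": ["poc_labeled_dos"]},                    # DoS-only PoC: not exploitable
    {"cve": "CVE-SAMPLE-4", "bulletin": "BULLETIN-C", "products": ["Product 1.0"],
     "evidence": ["news_report", "poc_placeholder"]},     # news report backed by a PoC
    {"cve": "CVE-SAMPLE-5", "bulletin": "BULLETIN-C", "products": ["Product 1.0"],
     "evidence": ["news_report"]},                        # news report alone: not exploitable
]

if __name__ == "__main__":
    for product, row in tabulate(SAMPLE_RECORDS).items():
        print(product, row)
```

On the constructed records, Product 1.0 comes out at 4 CVEs with 2 exploited (50.0 percent) but 3 bulletins with 2 exploited (66.7 percent): BULLETIN-C covers two of its CVEs, only one of which is exploitable, and is counted once. That gap between the by-bulletin and by-CVE percentages is the reason the report presents both Figure 12 and Figure 13.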
Figure 13. Exploits in select Microsoft products by CVE identifier, 2006–2007

By CVE ID (for each year: CVE ID count, CVE IDs with exploits, percentage; Delta is the change in percentage from 2006 to 2007)

Product            Version    2006 CVEs  2006 Exploits  2006 %    2007 CVEs  2007 Exploits  2007 %    Delta
Internet Explorer  5          26         7              26.9%     19         3              15.8%     -11.1%
Internet Explorer  6          26         5              19.2%     19         3              15.8%     -3.4%
Internet Explorer  7          0          0              —         19         3              15.8%     —
Microsoft Office   2000       45         8              17.8%     21         11             52.4%     34.6%
Microsoft Office   XP         44         9              20.5%     24         11             45.8%     25.3%
Microsoft Office   2003       40         9              22.5%     24         11             45.8%     23.3%
Microsoft Office   X-Mac      26         3              11.5%     5          2              40.0%     28.5%
Microsoft Office   2004-Mac   33         5              15.2%     22         8              36.4%     21.2%
Microsoft Office   2007       0          0              —         9          1              11.1%     —
Windows            98         27         7              25.9%     0          0              —         —
Windows            ME         27         6              22.2%     0          0              —         —
Windows            2000       73         18             24.7%     51         6              11.8%     -12.9%
Windows            XP         84         59             70.2%     55         6              10.9%     -59.3%
Windows            2003       78         32             41.0%     57         21             36.8%     -4.2%
Windows            Vista      1          0              0.0%      40         12             30.0%     30.0%
Software Vulnerability Exploit Trends

Overall, the survey revealed a decrease in exploitability between the years of 2006 and 2007. Specifically, the total, non-weighted decrease in exploitability of vulnerabilities in products is 7.4 percent, based on exploits for all products. (The term non-weighted means that no exemptions were made in the statistical gathering of these numbers; products with no vulnerabilities were included in the overall calculation.) In a product-by-product comparison, more recent versions of Microsoft products were proportionally less affected by publicly available exploit code than earlier versions. This trend is especially visible with Microsoft Office. Only 11.1 percent of known vulnerabilities in the 2007 Microsoft Office system had exploit code publicly available, compared with 45.8 percent for Office 2003 and Office XP, and 52.4 percent for Office 2000.

Exploit Details Summary and Conclusion

While the main focus of this research was to measure the data, there could be several reasons for the reduction in available exploits, ranging from technical (for example, changes in the environment, such as the introduction of address space layout randomization in Windows Vista) to social (like legal issues or pressures among the exploit developer community). While interpretation of the data is open to debate, the data itself is compelling as a potential method for helping customers make prioritization assessments based on verifiable risk on a product-by-product basis.
Security Breach Notifications As a Lens into Security Failures

Section Highlights
• Several jurisdictions around the world now require that companies and other organizations publicly disclose security breaches that put personally identifiable information (PII) at risk. Analyzing these notifications offers insights into how and why such breaches occur.
• Exploits, malware, and hacking account for less than a quarter of security breach notifications. The majority of the breaches analyzed resulted from the absence or failure of proper information handling or physical security procedures.

Strategy, Mitigations, and Countermeasures
• Consider a broad set of information security problems when building an information security policy. A security program that focuses entirely on malware, exploits, and hacking will potentially miss up to 80 percent or more of total incidents that put sensitive information in jeopardy. Consider all stages of the data life cycle, including storage, transit, and destruction, when developing policies.
• Encrypt all data on all computers and storage devices, not just on laptops.
• Prepare an incident response plan for personally identifiable data that you collect or store.
• Consider tracking data on security breaches as an input into your security planning.
Over the last few years, laws have been passed in a number of jurisdictions around the world requiring that affected individuals be notified when an organization loses control of personally identifiable information (PII) with which it has been entrusted. These mandatory notifications offer unique insights into what goes wrong with information security. They differ from surveys in that the information offered is not from self-selected respondents, and, for a given set of criteria, participation is mandated by law. The data collection used in this analysis is publicly available. This section of the SIR examines the details of 910 breach incidents from 12 countries, dating back to January 2000, as downloaded from the Data Loss Database—Open Source at http://attrition.org/dataloss.6 The data, despite containing much of value, is not perfect. It is not as detailed as might be hoped for, and laws in different jurisdictions contain different trigger clauses for when notice must be given. Nevertheless, the data is of sufficient quality to lend itself to an effective analysis of security failures.
6 Researchers notified Attrition.org when they detected issues with the database, some of which involved inconsistent or duplicate data. For example, incidents 0697, 0734, and 0759 all concerned a single incident at a now-defunct medical bill claims processor; 0697 was listed as a hack, and the other two were listed as Web issues. As a result, the database may have changed slightly since this analysis was performed. The researchers are confident that any such changes to the database have served to improve its accuracy and quality, but security professionals should recognize that these and other corrections will have a small impact on the ability to perfectly reproduce the results reported here.
Analysis
For the purposes of this analysis, the data has been grouped into 10 categories, which are supersets of the coding used by Attrition.org.7 The groups are shown in Figure 14.

Figure 14. Security breach incident categories used in this section (label: definition [Attrition.org BreachType it maps to])

Stolen equipment: Stolen computers, disks, tapes, or documents [BreachType starts with “stolen”]
“Hack”: Reported as some type of computer intrusion where the data is not available to the public [Hack]
Accidental Web: Accidental exposure on a Web site, available to the public with a Web browser [Web]
Lost equipment: Reported as lost computers, disks, tapes, or documents [BreachType starts with “lost”]
Fraud: Frauds and scams, perpetrated by insiders or outsiders; this includes disputed cases, on which we take no position [BreachType starts with “fraud”]
Disposal: Improper disposal of any sort [BreachType starts with “disposal”]
Snail mail: Information exposed by physical mail, either to the wrong recipient or with the data visible outside the envelope [Snail mail]
E-mail: E-mail sent to an unintended/unplanned recipient [mapping not given in the source]
Virus: A computer virus was blamed [Virus]
Missing: A laptop or laptops gone missing without explanation [BreachType starts with “missing”]
In the Attrition.org data, there are 15 “unknowns” (that is, the BreachType is listed as “?”). These incidents are not included in the following analysis or totals.

7 See http://attrition.org/dataloss/dldoskey.html for more information about this data.
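The grouping in Figure 14, implemented as an added example that is not part of the report's own analysis: a classifier that applies the "starts with" and exact-match rules to an Attrition.org BreachType code, drops the "?" unknowns, and computes per-category shares for the full dataset and for 2H07 alone, which is the comparison Figure 15 draws. The incident list is constructed for the example (dates and codes are not taken from the Attrition.org database; the codes merely follow the prefix convention Figure 14 describes), and the code "email" for the E-mail category is an assumption, since Figure 14 does not give that mapping.

```python
from collections import Counter

# Figure 14 rules: Attrition.org BreachType -> this section's category.
PREFIX_RULES = [
    ("stolen", "Stolen equipment"),
    ("lost", "Lost equipment"),
    ("fraud", "Fraud"),
    ("disposal", "Disposal"),
    ("missing", "Missing"),
]
EXACT_RULES = {
    "hack": "Hack",
    "web": "Accidental Web",
    "snailmail": "Snail mail",
    "email": "E-mail",        # assumed code; Figure 14 does not give the E-mail mapping
    "virus": "Virus",
}

def categorize(breach_type):
    """Return the category, or None for '?' (unknown) and unmatched codes,
    both of which are excluded from the totals."""
    code = breach_type.strip().lower()
    if code == "?":
        return None
    for prefix, label in PREFIX_RULES:
        if code.startswith(prefix):
            return label
    return EXACT_RULES.get(code.replace(" ", "").replace("-", ""))

def in_2h07(date):
    """ISO-8601 dates, so plain string comparison orders them correctly."""
    return "2007-07-01" <= date <= "2007-12-31"

def distribution(records, period=None):
    """Share of incidents per category (percent, one decimal) and the number
    of records excluded as unknown or unmatched. `period` optionally filters
    by date, e.g. in_2h07."""
    counts, excluded = Counter(), 0
    for date, breach_type in records:
        if period is not None and not period(date):
            continue
        category = categorize(breach_type)
        if category is None:
            excluded += 1
            continue
        counts[category] += 1
    total = sum(counts.values())
    shares = {c: round(100.0 * n / total, 1) for c, n in counts.items()} if total else {}
    return shares, excluded

def non_hack_share(shares):
    """The part of the distribution a malware/exploit-only program would miss."""
    return round(100.0 - shares.get("Hack", 0.0), 1)

# Constructed incident list (date, BreachType); not copied from Attrition.org.
SAMPLE = [
    ("2006-03-01", "StolenLaptop"), ("2006-05-10", "Hack"), ("2007-02-14", "Web"),
    ("2007-08-02", "StolenComputer"), ("2007-09-30", "?"), ("2007-10-12", "Hack"),
    ("2007-11-05", "LostTape"), ("2007-12-20", "StolenLaptop"),
]

if __name__ == "__main__":
    full, dropped = distribution(SAMPLE)
    half, dropped_half = distribution(SAMPLE, in_2h07)
    print("all periods:", full, "(excluded %d)" % dropped)
    print("2H07 only:  ", half, "(excluded %d)" % dropped_half)
    print("non-hack share, all periods: %.1f%%" % non_hack_share(full))
```

The excluded count is reported alongside the shares so that the denominator is visible; the report's own footnote that 15 unknowns were dropped is exactly this kind of accounting, and omitting it would silently change every percentage.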
Figure 15 illustrates the overall distribution of incidents by type, for both the full 2000–1H07 dataset and for 2H07 alone.

[Figure 15. Security breach incidents by type, 2000–1H07, and 2H07 alone, expressed as percentages of the total. Grouped bar chart (2000–1H07 versus 2H07) over the categories Stolen equipment, Hack, Accidental Web, Lost equipment, Fraud, Disposal, Snail mail, E-mail, Virus, and Missing; y-axis 0–50 percent; chart data not reproduced here.]
This data reveals a number of significant facts.

• Although security breaches are often linked in the popular consciousness with hacking incidents involving malicious parties defeating technical security measures to gain unlawful access to sensitive data, more than three-quarters of total breaches result from something that Attrition.org does not classify as a hack. Hacking incidents account for an even smaller portion of 2H07 incidents (12.7 percent, compared to 21.3 percent for the full dataset).

[Figure 16. Hacks account for just 21 percent of disclosed security breaches. Pie chart: Hack versus Other; chart data not reproduced here.]

This is important because it helps put the IT security landscape in perspective. This report focuses primarily on malware and technology-based attacks, as does much of the attention of IT security professionals. Yet sensitive information can be exposed through a variety of means, and a security program focused entirely on malware, exploits, and hacking will potentially miss up to 80 percent or more of total incidents that put sensitive information in jeopardy.
• Stolen hardware as a category accounts for significantly more incidents than hacking, possibly because these incidents are more easily detected. A number of the incident reports reviewed for this analysis mentioned that hacks or accidental exposure of information on the Web had been going on for quite a while before they were detected. Stolen hardware accounted for a significantly larger portion of 2H07 incidents than for the dataset as a whole (45.0 percent, compared to 35.9 percent).
• Aside from the differences in the stolen equipment and hacking categories, the distribution of incidents in 2H07 is substantially similar to the distribution in the overall 2000–1H07 dataset, which may be considered a factor supporting the reliability of the data. The reasons behind the shifts in stolen equipment and hacking are not known, and whether they constitute a trend remains to be seen.
• Improper disposal of business records accounts for quite a few incidents, and is relatively easy for organizations to address by effectively developing and enforcing policies regarding the destruction of paper and electronic records containing sensitive information.
• Viruses accounted for only two of the reported incidents. This is probably an artifact of the way the data is collected and analyzed. For example, an incident classified as a hack may involve a trojan infection. In addition, malware often causes small losses that may not meet the reporting threshold required by law.
• Information about the portion of hacking incidents that involved Microsoft products is not easy to obtain from the data provided. The original data is widely variable, and it is difficult to analyze for useful information that could help software developers improve their engineering processes. More complete data could help provide substantial insights into security problems.
Study of breach data provides a unique way to look at issues experienced in the real world, and could be an aid to organizations seeking to develop and improve effective information security policies. Unfortunately, the usefulness of the data is limited by a lack of uniform reporting standards and requirements, which leads to variations and omissions in the details reported. It may be worth investigating why the data is so sparse and looking for ways to improve it.
Malicious and Potentially Unwanted Software

Section Highlights
• The trends observed in the second half of 2007 are consistent with the observed shift of malware away from an amateur phenomenon to a tool used by professional criminals and criminal organizations to generate revenue.
• Trojan downloaders and droppers have grown to account for more infections than any other category of malware, due in large part to a small handful of very prevalent trojan downloader/dropper families.
• Many of the more prevalent malware families rely on social engineering tactics that trick the user into taking action that bypasses or lessens the effectiveness of the user’s existing protection.
• Infection rates observed by the Microsoft Windows Malicious Software Removal Tool (MSRT) are significantly lower on Microsoft Windows XP Service Pack 2 (SP2) and Windows Vista compared to older operating systems.
• MSRT data shows that the infection rate for Windows Vista–based computers is 60.5 percent less than that of computers running Windows XP SP2, and 91.5 percent less than the infection rate for Windows XP with no service packs installed.
• Backdoor trojans now account for more than half of all instant messaging (IM) disinfections, with both worms and trojans showing significant increases.
Strategy, Mitigations, and Countermeasures
The risk of exposure to malware may not necessarily correlate to actual infection rates. Installed antivirus software, firewalls, and various content-filtering technologies help mitigate that risk. However, social engineering attacks are on the rise and can often trick the user into taking action that bypasses or lessens the effectiveness of the user’s existing protection. Countering this increased exposure risk requires educating users to take protective actions, like the following:
• Use an anti-malware product from a known, trusted source, and keep it up to date to guard against new threats as well as new variants of older malware families.
• Avoid opening attachments or clicking on links in e-mail or instant messages that are received unexpectedly or from an unknown source.
• Use a mail client that suppresses active content and that blocks the unintentional opening of executable attachments.
• Use a robust spam filter to guard against fraudulent and dangerous e-mail.
• Install a phishing filter. Web browsers such as Internet Explorer 7 and Mozilla Firefox 2 use phishing filters to protect users from known phishing sites. Some e-mail applications, such as recent versions of Microsoft Outlook®, include phishing detection features in addition to spam filters.
• If you receive an e-mail from a bank or commerce site, visit their site using a pre-bookmarked link or by typing in the link from your monthly statement. Don’t use links provided in the suspect e-mail. If all else fails, contact the bank or business by telephone or through contact information found in a recent statement, again avoiding any numbers provided in the suspect e-mail.
• Deploy inbound and outbound e-mail authentication to protect both your brand and consumers from e-mail spoofing and forgery, and to detect inbound spoofing. The Sender ID Framework (SIDF) is such an authentication solution, currently being used to send more than half of all legitimate e-mail sent daily worldwide.
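As an added illustration of the inbound side of the e-mail authentication recommended in the last item (example code written for this page, not part of the report and not Microsoft's Sender ID implementation): Sender ID builds on SPF-style DNS records, and the evaluator below checks a connecting mail server's IP address against a simplified SPF record. The domains, records and addresses are constructed; only the ip4, ip6, include and all mechanisms are handled, records come from an in-memory table rather than live DNS, and Sender ID's PRA scope is not modelled.

```python
"""
Added example, not from the Microsoft report: a minimal evaluator for
SPF-style sender-authentication records, illustrating the inbound check
that frameworks such as Sender ID perform on a connecting mail server.
Only the ip4, ip6, include and all mechanisms are handled, records are
looked up in a constructed in-memory table rather than in DNS, and the
domains and addresses are invented for illustration.
"""
import ipaddress

# Constructed sample TXT records (assumed domains; documentation address ranges).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # self-referencing policy
}

MAX_INCLUDE_DEPTH = 10   # cap on nested include: lookups (guards against loops)
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender(ip: str, domain: str, _depth: int = 0) -> str:
    """Evaluate the policy published by `domain` for the connecting address `ip`.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' (no policy) or
    'permerror' (unsupported mechanism or include loop)."""
    if _depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # mechanisms default to '+' (pass)
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = addr.version == net.version and addr in net
        elif term.startswith("include:"):
            nested = check_sender(ip, term[len("include:"):], _depth + 1)
            if nested == "permerror":
                return "permerror"
            matched = nested == "pass"        # include: matches only on 'pass'
        else:
            return "permerror"                # mechanism this demo does not support
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                          # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"), ("203.0.113.5", "example.com"),
                    ("2001:db8::1", "mail.example.net"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} via {dom}: {check_sender(ip, dom)}")
```

A receiving filter should treat "none" and "neutral" as unauthenticated rather than as a pass; only "pass" says the sending server was authorised by the domain owner, and "fail" is the result that lets a forged message from an unlisted server be rejected or flagged.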
Malware Trends for 2H07

Malicious software, once largely the province of amateurs, has become a tool used by skilled criminals to target hundreds of millions of computer users worldwide in pursuit of profit. With this shift has come a fundamental change in the nature of malicious software itself. The attention-getting e-mail worms of years past, which hampered computer systems worldwide for days or weeks at a time before fading, have largely given way to threats designed to evade all attempts at detection in order to stay active for much longer periods of time. Some of the most persistent threats are updated dozens of times a day by their creators in a continual effort to stay one step ahead of the security software that attempts to remove them, contributing to an ever-escalating arms race. The data in this section was collected using a number of different Microsoft products, services, and tools. See Appendix A for more information on these tools.
Though direct comparisons between the tools are generally not possible due to the differences in their scope and function, a number of trends manifest with some consistency across the different sets of data. Generally, detections of malware have been increasing in absolute numbers over the past several half-year periods, and the rate at which detections rise has grown over time. Figure 17 shows the total number of disinfections and distinct computers cleaned by the MSRT since 2005, and clearly demonstrates this trend. (Note that Microsoft did not begin to measure unique computers cleaned until 2H05, so this data is unavailable for 1H05.)

Figure 17. Total malware disinfections and distinct computers cleaned by the MSRT since 1H05, in half-year increments (chart not reproduced; series: Disinfections, Computers Cleaned; periods 1H05 through 2H07; scale 0 to 50 million)
In 2H07, the MSRT removed malware from 15.8 million distinct computers worldwide, an 80 percent increase over the first half of 2007. The number of total disinfections performed in 2H07 rose to 42.2 million, an increase of nearly 120 percent over 1H07. A disinfection is defined as the removal of a distinct type of malware, such as a specific file infector variant, present on an infected computer. The number of total disinfections is greater than the number of distinct computers cleaned because the MSRT often detects multiple infections on a single computer and because computers can become reinfected from month to month. Disinfections and cleanings generally rose month to month during 2H07 before leveling off at about 12 million disinfections (8 million distinct computers) in October and November, and declining slightly in December, concomitant with the decrease in total executions that month as seen in Appendix A. The December decrease can also be attributed to the fact that the families added in October and November (Win32/RJump and Win32/ConHook) were significantly more prevalent than the single family added in December (Win32/Fotomoto).
Figure 18. Total malware disinfections and distinct computers cleaned by the MSRT in 2H07, by month (chart not reproduced; series: Disinfections, Computers Cleaned; months Jul-07 through Dec-07; scale 0 to 10 million)
To produce Figure 19, illustrating how the infection ratio detected by the MSRT has changed over time, the total number of executions was divided by the number of unique computers cleaned for each month, and the results were then averaged for each six-month period. This averaging method compensates for the fact that the group of computers that run the MSRT changes slightly from month to month, with new computers being brought online and older computers being taken out of service. Since 1H06, the number of executions per computer cleaned has trended down, which means that the MSRT has been finding infections on a growing percentage of the computers that run the tool.

Figure 19. Number of computers cleaned by the MSRT for every 1000 executions, averaged for every six-month period (chart not reproduced; periods 2H05 through 2H07; scale 0 to 10)
In 2H07, the MSRT cleaned about 8 computers for every 1,000 executions (1 out of every 123 computers on which it ran each month). The rate of increase is consistent with the rate observed between 2H06 and 1H07, when it rose from about 3 computers per 1,000 executions to just under 6 computers per 1,000 executions. These increases in malware detections can be attributed to a number of factors:
• Over time, the number of computers running the detection and disinfection tools worldwide has risen, and continues to rise.
• The detection and removal capabilities of the tools themselves have improved. Improvements in the scanning technologies used by the tools allow the tools to detect and remove malware that would have successfully eluded earlier versions.⁸ The addition of a number of prevalent malware families to the MSRT in 2H07 also had a significant effect on that tool’s detection figures.
• Malware activity around the world continues to increase as the underground criminal economy expands its use of malware as a method of generating income.
There is no clear reason to believe that any of these trends are likely to reverse in the near future. The number of computers running the detection and disinfection tools is expected to continue to rise, as computers running older versions of Windows are phased out and are replaced by computers running newer versions that incorporate or are compatible with the tools. Meanwhile, financially successful malware creators are motivated to increase their output in order to bring their illicit messages to more users.

⁸ This includes improved generic/heuristic detection, in addition to new signatures for specific malware families. See: Clementi, Andreas. “Anti-Virus Comparative No. 16.” November 2007. http://www.av-comparatives.org/seiten/ergebnisse/report16.pdf
Malware Infections by Category
Categorizing threats can be tricky. Malware categories often overlap, and many threats exhibit characteristics of multiple categories. To produce the information and figures in this section, each threat has been associated with the single category that Microsoft security analysts judge to be most appropriate for the threat. See the Glossary, beginning on page 92, for definitions of the categories described in this section.

Figure 20. MSRT disinfections by category, 2H05–2H07 (chart not reproduced; categories: Downloaders/Droppers, Backdoors, Worms, Trojans, Viruses, Rootkits, PWS/Keyloggers; periods 2H05 through 2H07; scale 0 to 20 million)
As demonstrated in Figure 20, the MSRT showed significantly increased detections in five of seven tracked malware categories in 2H07, due to the factors discussed earlier—more computers running the tool worldwide, improvements in the tool’s detection and removal capabilities, and increases in the prevalence of malware in general. The most significant trend visible in the MSRT data by far is the dramatic increase in the prevalence of downloaders and droppers, a category of threat that has grown to dominate MSRT disinfections over a very short period of time. Over the past year, in fact, the number of downloader and dropper disinfections has grown from just under 1 million in 2H06 to more than 19 million in 2H07. In 2H07, downloaders accounted for almost half of all the MSRT disinfections worldwide.
Figure 21. MSRT disinfections by category, 2H05–2H07, in percentages (chart not reproduced; categories: Downloaders/Droppers, Backdoors, Worms, Trojans, Viruses, Rootkits, PWS/Keyloggers; periods 2H05 through 2H07; scale 0% to 60%)
The vast majority of these downloader and dropper disinfections involve Win32/Zlob and Win32/Renos, which were the first and second most prevalent malware families detected by the MSRT in 1H07, as well as a pair of new families, Win32/ConHook and Win32/RJump. See “Malware Families,” beginning on page 50, for more information about these families. Some of the increase in downloader and dropper disinfections over the past year can be attributed to improvements in the tool’s ability to detect Win32/Zlob in the first half of 2007, as well as the addition of several new families that were added to the MSRT in recent months, like Win32/ConHook and Win32/RJump. Nevertheless, the new and growing dominance of downloaders among infected computers is real and is an unsurprising result of a change in the motivation of malware authors.

Malware has evolved into a profit-driven criminal enterprise, and attackers infect computers in order to use them later for their purposes—stealing information, sending spam, installing spyware or adware, and so on. After the attackers have gained access to a victim’s computer through social engineering or a vulnerability exploit, they typically expect to run additional programs to serve these purposes. Downloaders allow attackers to update these programs frequently to evade detection. After the initial illicit code execution, the downloader activates and starts downloading additional files from a remote location. As malware authors develop new ways to profit from malware, they can use preexisting downloader installations to download new code to the controlled computers without having to resort to additional social engineering. (This behavior also helps explain the increase in total disinfections seen in Figure 17.) Downloaders are often persistent, which means that they reinstall and run themselves every time the computer is started or the user logs on.

Though their growth is masked somewhat by the increase in downloaders, several other categories of malware remain significant threats. Backdoors, worms, viruses, and trojans continue to account for more than half of all disinfections in 2H07. Rootkits and password stealers (PWS)/keyloggers account for a negligible proportion of disinfections as depicted in Figure 21, although it is important to recognize that many malware families exhibit properties of multiple categories. For example, many variants of Win32/Banker, classified as a trojan, also include password-stealing capabilities. (See page 76 for more information about Win32/Banker.)

The breakdown of malware detections from Windows Live OneCare is a bit different from that of the MSRT due to the differing functions and goals of the two tools, but the overall patterns and trends are consistent with data from the other security products and tools used to produce this report, as shown in Figure 22.

Figure 22. Windows Live OneCare detections by category, 2H07
Trojans (28.1%)
Downloaders and Droppers (18.3%)
Potentially Unwanted Software (16.3%)
Adware (15.7%)
Exploits (9.1%)
Worms (5.8%)
Backdoors (2.4%)
Rootkits (1.6%)
Viruses (1.6%)
Password Stealers and Monitoring Software (1.2%)
(Totals may not equal 100% due to rounding.)
Malicious software accounts for the majority of threats blocked by Windows Live OneCare in 2H07, with the top two categories—trojans and downloaders—being responsible for nearly half of all detections. Windows Live OneCare provides real-time protection against a variety of threats not covered by the MSRT, including adware and potentially unwanted software, so the threats detected by Windows Live OneCare in 2H07 include these categories, in addition to the ones discussed above. Together, the adware and potentially unwanted software categories account for 32 percent of the threats blocked by Windows Live OneCare. Exploits account for 9.1 percent of Windows Live OneCare detections. The most common exploits detected are Web pages that host iFrame exploits (about 3.0 percent of all Windows Live OneCare detections) and exploits of the ANI vulnerability⁹ (about 2 percent of all detections). Worms account for about 5.8 percent of all detections, with Win32/Netsky, a mass-mailer that can also copy itself to network-share folders, topping the list of worms.

Whereas Windows Live OneCare provides real-time background protection against threats, the Windows Live OneCare safety scanner is an on-demand tool that users explicitly choose to run, especially when they suspect their computers might have become infected. Despite this, the malware category breakdown from Windows Live OneCare safety scanner data is broadly consistent with that of Windows Live OneCare, as shown in Figure 23.

Figure 23. Windows Live OneCare safety scanner disinfections by category, 2H06–2H07, in percentages (chart not reproduced; categories: Exploits, Password Stealers, Viruses, Rootkits, Worms, Backdoors, Adware, Trojans, Potentially Unwanted Software, Downloaders and Droppers; periods 2H06, 1H07, 2H07; scale 0% to 30%)

⁹ See CVE-2007-0038 and MS07-017.
Removals of downloaders and trojans have both increased by nearly 22 percent in absolute numbers since 1H07, consistent with trends observed over the past year. Adware and potentially unwanted software detections continue to decline in relative terms, but remain significant threats. Collectively, these four categories account for more than 75 percent of all disinfections performed by the safety scanner in 2H07, with each of the remaining categories—backdoors, worms, rootkits, viruses, exploits, and password stealers—accounting for less than 5 percent each.

Windows Live™ Messenger can be configured to use the Windows Live OneCare safety scanner to scan files as they are transferred over instant message (IM) connections. Unlike the online safety scanner, the scanner integrated into Windows Live Messenger detects and removes only malware and does not detect potentially unwanted software. Data from the Windows Live Messenger scanner differs significantly in some respects from that produced by other tools, in large part due to the emergence of malware families that are designed specifically to use instant messaging (IM) clients as an attack vector.

Figure 24. Windows Live Messenger disinfections by category, 2H06–2H07, in percentages (chart not reproduced; categories: Exploits, Password Stealers, Worms, Viruses, Downloaders and Droppers, Trojans, Rootkits, Backdoors; periods 2H06, 1H07, 2H07; scale 0% to 70%)
Detection of backdoors accounted for 64.3 percent of all Windows Live Messenger disinfections in 2H07, due to the prevalence of a number of backdoor families—notably Win32/Sdbot and Win32/IRCbot—that use Windows Live Messenger to propagate. Win32/Sdbot and Win32/IRCbot are similar, apparently related backdoor trojan families that connect to Internet Relay Chat (IRC) servers to receive commands from attackers. Win32/IRCbot also includes dropper capabilities and has been known to drop copies of Win32/Sdbot, among other families, on infected computers. The next most common category of disinfections, trojans, accounts for only 15.8 percent of disinfections, with all other categories accounting for the remaining 19.9 percent.

Malware Infections by Operating System
For 2H07, as for previous periods, Windows XP SP2 accounts for the most executions by an overwhelming margin, due to its continuing dominance on desktops worldwide, though the proportion of executions involving computers running Windows Vista continues to rise. Figure 25 illustrates the number of executions involving Windows XP SP2 (top graph) and other operating systems (bottom graph).

Figure 25. Monthly MSRT executions by Windows XP SP2 and other operating systems, 2H07 (charts not reproduced; top graph: Grand Total and Windows XP SP2, scale 0 to 500 million; bottom graph: Windows Vista, Windows 2K SP4, Windows XP SP1, Windows 2K3 SP2, Windows XP no SP, Windows 2K SP3 and Windows 2K3 SP1, scale 0 to 60 million; months Jul-07 through Dec-07)
To compensate for the unequal deployments of the operating systems monitored and to obtain accurate infection rates for each operating system/service pack combination, a set of normalized graphs was created using the following formula:

Normalized disinfections(OS) = Disinfections(OS) / Execution percentage(OS)

Figure 26 illustrates the percentages of prevalence of malicious software by operating system (OS) for 2H06, 1H07, and 2H07.

Figure 26. Computers cleaned by operating system, 2H06, 1H07, and 2H07

Operating system   | 2H06  | 2H06 (Normalized) | 1H07  | 1H07 (Normalized) | 2H07  | 2H07 (Normalized)
Windows XP SP2     | 77.7% | 4.9%              | 87.5% | 7.0%              | 87.9% | 7.2%
Windows XP SP1     | 8.7%  | 23.0%             | 4.3%  | 20.9%             | 3.5%  | 21.5%
Windows XP no SP   | 6.8%  | 36.5%             | 3.3%  | 32.9%             | 2.5%  | 30.6%
Windows Vista      |       |                   | 1.1%  | 2.8%              | 3.9%  | 2.8%
Windows 2K SP4     | 5.8%  | 8.7%              | 3.0%  | 6.6%              | 1.8%  | 5.0%
Windows 2K SP3     | 0.3%  | 18.0%             | 0.2%  | 13.3%             | 0.1%  | 12.2%
Windows 2K3 SP2    |       |                   | 0.1%  | 7.3%              | 0.2%  | 1.5%
Windows 2K3 SP1    | 0.6%  | 2.8%              | 0.4%  | 3.4%              | 0.1%  | 19.2%
Windows 2K3 no SP  | 0.1%  | 6.1%              | 0.1%  | 5.8%              |       |
(Totals may not equal 100% due to rounding.)
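As an added worked example (written for this page, not code from the report), the two MSRT rate calculations described above, applied to constructed numbers: the Figure 19 ratio of computers cleaned per 1,000 executions, computed month by month and then averaged over a period, and the Figure 26 normalization, which divides each operating system's cleaned-computer count by its share of executions and rescales the results to percentages. The monthly counts and the per-OS totals are invented for illustration and are not the report's data.

```python
"""
Added example (not part of the Microsoft report): the two MSRT rate
calculations described in the text, applied to constructed sample numbers.
1. Infection ratio per Figure 19: computers cleaned per 1,000 executions,
   computed month by month and averaged over a six-month period.
2. Per-OS normalization per Figure 26:
   normalized(OS) = disinfections(OS) / execution_share(OS),
   rescaled so the normalized shares sum to 100 percent.
All figures below are invented for illustration; they are not the report's data.
"""
from __future__ import annotations


def cleaned_per_thousand(monthly: list[tuple[int, int]]) -> float:
    """monthly: (executions, computers_cleaned) per month.
    Returns the period average of computers cleaned per 1,000 executions,
    averaging the monthly ratios rather than the raw totals so that a month
    with an unusually large or small population does not dominate."""
    if not monthly:
        raise ValueError("need at least one month of data")
    ratios = [1000.0 * cleaned / execs for execs, cleaned in monthly]
    return sum(ratios) / len(ratios)


def normalize_by_os(cleaned: dict[str, int], executions: dict[str, int]) -> dict[str, float]:
    """cleaned: computers cleaned per OS; executions: MSRT executions per OS.
    Divides each OS's cleaned count by its execution share (the formula in the
    text) and returns the normalized shares as percentages summing to 100."""
    total_exec = sum(executions.values())
    raw = {}
    for os_name, n_cleaned in cleaned.items():
        share = executions[os_name] / total_exec   # Execution percentage(OS)
        raw[os_name] = n_cleaned / share            # Normalized disinfections(OS)
    total = sum(raw.values())
    return {k: round(100.0 * v / total, 1) for k, v in raw.items()}


# Constructed sample: six months of (executions, computers cleaned).
SAMPLE_MONTHS = [
    (400_000_000, 2_800_000), (410_000_000, 3_000_000), (420_000_000, 3_200_000),
    (430_000_000, 3_600_000), (430_000_000, 3_700_000), (415_000_000, 3_400_000),
]

# Constructed sample: a heavily deployed OS beside a lightly deployed older one.
SAMPLE_CLEANED = {"Windows XP SP2": 8_000_000, "Windows XP no SP": 250_000}
SAMPLE_EXECUTIONS = {"Windows XP SP2": 380_000_000, "Windows XP no SP": 4_000_000}

if __name__ == "__main__":
    print(f"{cleaned_per_thousand(SAMPLE_MONTHS):.1f} computers cleaned per 1,000 executions")
    print(normalize_by_os(SAMPLE_CLEANED, SAMPLE_EXECUTIONS))
```

The sample shows why the raw and normalized pies in Figure 26 look so different: the OS that produces the overwhelming majority of cleaned computers in absolute terms can still have the lower infection rate once its far larger share of executions is taken into account.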
The major trends observed include the following:
• The higher the service pack level, the lower the rate of infection. This trend can be observed consistently across all three operating systems shown for which service packs have been issued. There are two reasons for this:
  • Service packs include fixes for all security vulnerabilities fixed in security updates at the time of issue, and also sometimes include additional security features or changes to default settings to protect users.
  • Users who install service packs generally maintain their computers better than users who do not install service packs, and therefore may also be more cautious in the way they browse the Internet, open attachments, and engage in other activities that can open computers to attack.
• The infection rate for Windows Vista is 60.5 percent less than the infection rate for Windows XP SP2. This is approximately the same ratio as observed for the first half of the year. This is a somewhat surprising result, as the installed base of Windows Vista has grown by tens of millions of users worldwide over the past six months, and the average user profile of Windows Vista can be presumed to have moved on from the early-adopter phase to more closely approximate that of a typical business or home computer user.
• The infection rate for Windows Vista is 91.5 percent less than the infection rate for Windows XP with no service packs installed. (Note that each of the operating system/service pack combinations listed may include computers that have had individual security fixes installed, either through Windows Update or some other delivery mechanism.) Again, this is approximately the same ratio observed for the first half of the year.
• Server versions of Windows typically display a lower infection rate on average than client versions, especially when comparing the latest service pack version for each operating system. Windows Server® 2003, which includes only server editions, has a lower rate of infection than Windows XP, which is intended for home and workplace users. The infection rate of Windows 2000 SP4, which includes both server and client editions, falls between the infection rates of the pure server version (Windows Server 2003 SP2) and the client version (Windows XP SP2). Servers are typically accessed directly only by trained system administrators in controlled enterprise environments, so their effective attack surface tends to be much lower than computers running client operating systems. In particular, Windows Server 2003 and its successors are hardened against attack in a number of ways, reflecting this difference in usage (for example, by default, Internet Explorer cannot be used to browse untrusted Web pages).
Malware Families
A small number of active malware families were responsible for the majority of malware activity detected during 2H07. The top 25 malware families detected by the MSRT accounted for 96.9 percent of all disinfections during 2H07, with the remaining 3.1 percent distributed among the other 71 families detected by the tool. The top 10 families alone were responsible for 77.4 percent of all removals, with more than half (51.5 percent) of all disinfections in 2H07 involving only the top three families. The top two families, Win32/Zlob and Win32/Renos, occupy the same positions they held in 1H07, while the third, Win32/ConHook, is a new addition to the list for this period due to its inclusion in the MSRT in November.

Figure 27. Top 25 malware families detected by the MSRT in 2H07

Rank | Malware Family | Added to the MSRT | Disinfections | Computers Cleaned | Computers Cleaned Change from 1H07 | Rank from 1H07 | Rank Change
1 | Win32/Zlob | March 2006 | 14,351,774 | 4,375,794 | 149.4% | 1 | ↔
2 | Win32/Renos | May 2007 | 4,263,697 | 2,374,746 | 79.0% | 2 | ↔
3 | Win32/ConHook | November 2007 | 2,419,023 | 1,152,151 | | |
4 | Win32/RJump | October 2007 | 2,268,529 | 1,228,200 | | |
5 | Win32/Rbot | April 2005 | 2,257,546 | 1,168,576 | 54.7% | 5 | ↔
6 | Win32/Brontok | November 2006 | 1,767,449 | 781,835 | 1.6% | 4 | ↓
7 | Win32/Hupigon | July 2006 | 1,392,050 | 720,814 | -20.5% | 3 | ↓
8 | Win32/Jeefo | August 2006 | 1,358,413 | 471,713 | 3.7% | 8 | ↔
9 | Win32/Parite | January 2006 | 1,297,617 | 402,463 | 11.3% | 10 | ↑
10 | Win32/Nuwar, WinNT/Nuwar | September 2007 | 1,274,684 | 526,607 | | |
11 | Win32/Sdbot | May 2006 | 970,536 | 563,963 | 188.9% | 13 | ↑
12 | Win32/Zonebac | August 2007 | 906,762 | 543,882 | | |
13 | Win32/Banker | August 2006 | 907,054 | 538,183 | 12.9% | 7 | ↓
14 | Win32/Virut | August 2007 | 848,872 | 502,936 | | |
15 | Win32/IRCBot | December 2005 | 766,828 | 460,939 | 60.2% | 12 | ↓
16 | Win32/Alureon | March 2007 | 803,905 | 555,785 | -18.4% | 6 | ↓
17 | Win32/Alcan | February 2006 | 584,260 | 338,103 | -20.4% | 9 | ↓
18 | Win32/Wukill | October 2005 | 495,517 | 245,303 | -15.4% | 11 | ↓
19 | Win32/Busky | July 2007 | 462,744 | 197,259 | 99.4% | 16 | ↓
20 | Win32/Tibs | October 2006 | 420,521 | 235,747 | | |
21 | Win32/Fotomoto | December 2007 | 297,233 | 190,808 | | |
22 | Win32/Stration | February 2007 | 264,329 | 85,527 | -50.4% | 14 | ↓
23 | Win32/Bancos | September 2006 | 201,514 | 119,647 | -13.7% | 15 | ↓
24 | Win32/Chir | July 2006 | 153,657 | 79,489 | 45.7% | 17 | ↓
25 | Win32/Bagle | March 2005 | 130,074 | 69,580 | 57.3% | 19 | ↓
The most prevalent malware family detected by the MSRT in 2H07 by a significant margin was Win32/Zlob, which was removed more than three times as often in 2H07 (and from almost twice as many computers) as any other individual family. The number of distinct computers infected by Win32/Zlob in 2H07 was up 149.4 percent from 1H06, following a 387.8 percent rise between 2H06 and 1H07. Win32/Zlob typically poses as a media codec a user must download to watch video content downloaded or streamed from the Internet. Some Zlob variants even include an end-user licensing agreement (EULA) when installing. Once installed on the target computer, Zlob bombards the user with pop-up advertisements and fake “spyware warnings” that are actually advertisements for rogue security software. (See page 82 for more information on rogue security software.)

Win32/Renos was the second most prevalent family detected and removed by the MSRT in 2H07 for the second half-year period in a row, infecting 79 percent more distinct computers than in 1H07. The Win32/Renos family automatically downloads potentially unwanted software, such as SpySheriff, SpyAxe, SpyFalcon, SpyDawn, SpywareStrike, and other similarly named programs. These programs typically present erroneous warnings claiming the system is infected with spyware and offer to remove the alleged spyware for a fee. In some cases, the programs may also cause system instability. Symptoms of a Win32/Renos infection may differ according to the particular variant. The trojan may display a red (possibly blinking) icon in the system tray and may also display a deceptive message that says the computer is infected; the warning encourages the user to download certain software that claims to provide malware or spyware protection. Figure 28 shows two variations of a warning message that may appear.

Figure 28. Two examples of fake warning messages displayed by different variants of Win32/Renos (screenshots not reproduced)
Win32/ConHook is a new downloader family that was added to the MSRT in November 2007. In November and December, the MSRT removed Win32/ConHook from infected computers enough times for it to place third on the list of total disinfections by family for all of 2H07. (It is not unusual for the MSRT to remove a family from a large number of computers in the first month that the family is added to the tool, though Win32/ConHook is notable for the large number of disinfections in just two months of a six-month period.) Win32/ConHook variants install themselves as browser helper objects (BHOs) and connect to the Internet without user consent. They also terminate specific security services and download additional malware to the computer. There are six other new families in the MSRT top 25:
• Win32/RJump is a worm that attempts to spread by copying itself to newly attached media (such as USB memory devices or network drives). It also contains backdoor functionality that allows an attacker unauthorized access to an infected machine.
• Win32/Nuwar (including WinNT/Nuwar) is a family of trojan droppers that attempts to connect affected computers to a large botnet. See “A Focus on Win32/Nuwar (The ‘Storm Worm’)” on page 60, for more information about this threat.
• Win32/Zonebac is a family of backdoor trojans that allows a remote attacker to download and run arbitrary programs, and which may upload computer configuration information and other potentially sensitive data to remote Web sites.
• Win32/Virut is a family of file-infecting viruses that target and infect .exe and .scr files accessed on infected systems. Win32/Virut also opens a back door by connecting to an Internet Relay Chat (IRC) server, allowing a remote attacker to download and run files on the infected computer.
• Win32/Busky is a family of trojans that monitor and redirect Internet traffic, gather system information, and download potentially unwanted software, such as Win32/Renos and Win32/SpySheriff. Win32/Busky may be installed by a Web browser exploit or other vulnerability when visiting a malicious Web site.
• Win32/Fotomoto is a trojan that lowers security settings, delivers advertisements, and sends system and network configuration details to a remote Web site.
The rest of the families in the top 25 were added to the MSRT during previous periods. Of the returning families, only Win32/Parite and Win32/Sdbot increased their rank from 1H07, with the other families remaining flat or declining in relative terms (though many families increased in absolute terms, in keeping with the general trend of rising malware prevalence). Win32/Parite is a file infector. Exterminating file infectors is difficult because they often infect a large number of files on the system and on network shares, and because infected files may be Windows system files or other files that the user needs. The increase in the number of removals for Win32/Sdbot is the result of improved detection. (See page 46 for more information about Win32/Sdbot.)

The list of the top 10 families detected by Windows Live OneCare and the Windows Live OneCare safety scanner in 2H07 differs in some respect from the MSRT list, notably because the Windows Live OneCare products offer protection against a number of families not covered by the MSRT, including potentially unwanted software. Thousands of different malware and potentially unwanted software families are detected by Windows Live OneCare, with the top 10 accounting for 37 percent of all disinfections.

Figure 29. Top 10 malware families detected by Windows Live OneCare in 2H07
Agent (11.6%)
Zlob (4.8%)
Vundo (3.9%)
Virtumonde (3.8%)
IframeRef (2.9%)
Renos (2.4%)
ConHook (2.3%)
Anicmoo (2.0%)
Small (1.6%)
Psyme (1.5%)
Other (63.0%)
(Totals may not equal 100% due to rounding.)
Figure 30. Top 10 malware families detected by the Windows Live OneCare safety scanner in 2H07

Family | Disinfections | Computers Cleaned
Win32/Agent | 169,168 | 101,959
Win32/Zlob | 268,835 | 81,738
Win32/Small | 118,817 | 78,561
JS/Agent | 69,122 | 57,304
Win32/Renos | 73,253 | 52,756
Win32/Obfuscator | 67,533 | 44,071
Win32/VB | 51,141 | 36,118
Win32/Delf | 46,644 | 34,074
Java/Classloader | 71,158 | 31,618
Win32/ConHook | 38,209 | 24,624
Win32/Zlob places high on both lists, as with the MSRT. Two entries that appear prominently on both lists, Win32/Agent and Win32/Small, are generic detections used for malware that has not been categorized into particular families. Primarily, this group consists of trojans, droppers, and downloaders, although it can also include worms. JS/Agent, Win32/Delf, and Win32/VB are similar generic detections. Win32/Obfuscator is a generic signature for programs that have had their purpose obfuscated to hinder analysis and detection. Families ranked highly on the Windows Live OneCare and Windows Live OneCare safety scanner lists that were not detected by the MSRT during 2H07 are typically new or newly prevalent families, and provide insight into the kinds of threats that may occupy an increasing share of security professionals’ attention in the future. Two notable families, Win32/Virtumonde and Win32/Vundo, are closely related and deliver out-of-context pop-up advertisements. Win32/Virtumonde and Win32/Vundo typically install themselves as BHOs without the user’s consent. Some variants also display characteristics of trojan downloaders or other categories of malware.

Malware Activity and Variants
Malware authors attempt to evade detection by continually releasing new variants in an effort to outpace the release of new signatures by antivirus vendors. Counting variants is one way to determine which families and categories of malware are currently most active (in other words, which families and categories are currently being most actively worked on by their developers), and how effective such activity is in helping malware developers reach their goal of infecting large numbers of users. The Microsoft Malware Protection Center (MMPC) collects and analyzes unique malware samples from many different sources in an effort to accurately understand the state of malware development activity.

Figure 31. Unique samples of new malware collected by the Microsoft Malware Protection Center (MMPC) in 2H07 (chart not reproduced; categories: Rootkits, Backdoors, PWS/Keyloggers, Worms, Exploits, Viruses, Downloaders/Droppers, Trojans; scale 0 to 1.4 million)
A number of factors complicate the counting of variants. A single variant of a file infector may produce large numbers of unique samples when it infects files, which would have the effect of inflating the reported infected files count for the file infector without necessarily indicating massive activity on the part of its authors. In addition, as malware variants proliferate, many vendors are using generic signatures more frequently. A generic signature looks for commonalities between known variants of a specific malware family and uses these commonalities to detect the different files associated with the malware. Generic signatures can also sometimes catch new variants of a family as soon as they are released, if they are similar enough to past variants. This approach has worked well for a number of widespread families. For families that are successfully detected by a generic signature, it’s not possible to get an accurate count of variants as they are traditionally understood. In this section, therefore, the number of unique samples received that are detected by a generic signature is counted as the number of variants for that family.

Figure 32. Malware categories by number of variants, 2007
[Bar chart comparing 1H07 and 2H07; categories: Downloaders/Droppers, Trojans, Viruses, Backdoors, Exploits, PWS/Keyloggers, Worms, Rootkits; vertical axis 0 to 250,000]
Figure 33. Top 25 most-active malware families by number of variants, 2H07
[Category columns of the original figure: Trojans, Downloaders/Droppers, Viruses, Exploits, Worms, PWS/Keyloggers, Rootkits, Backdoors; the per-family category marks are not reproduced here]
Malware Family | Variants
Win32/Zlob | 84,910
HTML/IframeRef | 33,428
Win32/Zonebac | 31,685
Win32/Dialsnif | 30,260
Win32/Vanti | 20,369
Win32/Vxidl | 16,607
Win32/SystemHijack | 14,893
Win32/Virtumonde | 13,872
Win32/Renos | 12,951
Win32/Bankrypt | 12,934
Win32/Anomaly | 12,885
Win32/DelfInject | 12,506
Win32/Luder | 12,195
Win32/Vundo | 12,130
JS/Psyme | 10,156
Win32/WinShow | 6,869
Win32/SpamThru | 6,863
HTML/Expascii | 6,741
Win32/Baglezip | 6,489
Win32/Scano | 5,661
Win32/Diamin | 5,455
Win32/Zbot | 4,989
Win32/Swizzor | 4,672
VBS/Starter | 4,576
Win32/MS05002 | 4,127
HTML/MhtRedir | 4,037
Win32/Lowzones | 3,696
Win32/Ceekat | 3,597
Many of the most active families have multiple components, as indicated in Figure 33. For example, some families contain a downloader component that downloads other components, such as keyloggers, trojans, rootkits, backdoors, or others. Trojans and downloaders continue to be the two most actively developed malware categories, consistent with the meteoric rise of the downloader as the front-line malware delivery mechanism of choice for modern malware developers. The downloader family Win32/Zlob, discussed earlier, is an excellent example, with nearly 85,000 discovered variants, quadruple the number known at the end of 1H07. This proliferation of variants—more than twice as many as the second most active family on the list—has helped Win32/Zlob become the most widespread malware family in the world by a huge margin. The second-highest number of variants belongs to HTML/IframeRef, a generic detection for exploits that use malicious iFrame tags to surreptitiously or forcibly redirect the user to other malicious Web pages. The iFrame exploits were found on 33,428 pages in 2H07, down from nearly 86,000 in the first half of the year, a decrease of 61 percent. Patches for the iFrame vulnerability have been available for several years; as more Windows systems get patched over time, the effectiveness of exploiting old vulnerabilities decreases, and such exploits are less commonly used.

Geographic Distribution
The MSRT executes on hundreds of millions of systems worldwide. To compensate for the unequal use of different locales worldwide, the infection rate data in this section has been normalized by the execution percentage of a locale, similar to the normalization of operating system numbers performed earlier. The normalization formula used is as follows:

$$\text{Normalized disinfections}_{\text{Locale}} = \frac{\text{Disinfections}_{\text{Locale}}}{\text{Execution percentage}_{\text{Locale}}}$$

As a general rule, more malware is proportionally found by the MSRT in developing countries/regions than in developed countries/regions. For example, the most infected country/region in Europe is Albania, while the least infected countries/regions in Europe are Austria and Finland. In the Asia-Pacific region, the most infected countries/regions are Mongolia and Vietnam, while the least infected countries/regions are Taiwan and Japan. The United States is proportionally less infected than most of the countries/regions in the Americas. This trend makes sense because the deployment of security products is wider in developed countries/regions, and user education around computer safety is usually better.
Figure 34. Malware detections by country/region
The figure for each locale, as shown in Figure 35, was obtained by determining the infection rate for the locale for each of the six months in the second half of 2007, and then averaging those figures to produce a single figure for the entire six-month period. An asterisk (*) means that the locale had at least one month in which no infections were discovered.
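The normalization formula and the six-month averaging described above, worked through in Python as an added example (this is not code from the report). Locale names and monthly counts are constructed sample data; treating a month with zero infections as excluded from the locale's average, while still flagging the locale with the asterisk, is an assumption about how the report handles such months.

```python
"""Normalized MSRT disinfection figures per locale (added example, not from the report).

Implements the report's formula
    Normalized disinfections(Locale) = Disinfections(Locale) / Execution percentage(Locale)
and the Figure 35 procedure: the ratio of MSRT executions to computers cleaned is
computed for each of the six months and averaged, and a locale with at least one
month of zero infections is flagged with an asterisk. Assumption: such months are
left out of the average (the report does not say how it treats them).
All locale names and counts below are constructed sample data.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MonthlyTelemetry:
    executions: int         # MSRT executions recorded in the locale that month
    computers_cleaned: int  # distinct computers cleaned in the locale that month


Telemetry = Dict[str, List[MonthlyTelemetry]]

# Constructed sample: locale -> telemetry for Jul..Dec 2007 (six months).
SAMPLE: Telemetry = {
    "Locale-A": [MonthlyTelemetry(1_000_000, 30_000)] * 6,
    "Locale-B": [MonthlyTelemetry(250_000, 2_000)] * 6,
    "Locale-C": [  # small locale with two months in which nothing was found
        MonthlyTelemetry(5_000, 0), MonthlyTelemetry(5_000, 10),
        MonthlyTelemetry(5_000, 20), MonthlyTelemetry(5_000, 0),
        MonthlyTelemetry(5_000, 25), MonthlyTelemetry(5_000, 15),
    ],
}


def execution_percentage(data: Telemetry, locale: str, month: int) -> float:
    """Share (0..1) of that month's worldwide MSRT executions that came from the locale."""
    worldwide = sum(series[month].executions for series in data.values())
    return data[locale][month].executions / worldwide


def normalized_disinfections(data: Telemetry, locale: str, month: int) -> float:
    """Disinfections(Locale) / Execution percentage(Locale): the report's formula."""
    return data[locale][month].computers_cleaned / execution_percentage(data, locale, month)


def executions_per_computer_cleaned(data: Telemetry, locale: str, month: int) -> Optional[float]:
    """The Figure 35 ratio for one month; None when no infections were found (no ratio exists)."""
    t = data[locale][month]
    return None if t.computers_cleaned == 0 else t.executions / t.computers_cleaned


def six_month_average(data: Telemetry, locale: str) -> Tuple[int, bool]:
    """Average of the monthly ratios, and True when the asterisk applies."""
    monthly = [executions_per_computer_cleaned(data, locale, m) for m in range(6)]
    valid = [r for r in monthly if r is not None]
    if not valid:
        raise ValueError(f"{locale}: no month with any infections, nothing to average")
    return round(mean(valid)), len(valid) < len(monthly)


def figure_35_rows(data: Telemetry) -> List[Tuple[str, int, bool]]:
    """Rows as in Figure 35: most infected (fewest executions per cleaned computer) first."""
    rows = [(locale, *six_month_average(data, locale)) for locale in data]
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    for locale, ratio, flagged in figure_35_rows(SAMPLE):
        print(f"{locale:<10} {ratio}{'*' if flagged else ''}")
```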
Figure 35. Normalized disinfections by country/region
Country/Region | 2H07 Average (MSRT Executions / Computers Cleaned)
Afghanistan | 17
Morocco | 32
Albania | 33
Mongolia | 33
Bahrain | 35
Turkey | 39
Dominican Republic | 41
Egypt | 41
Iraq | 42
Algeria | 45
Saudi Arabia | 45
Lebanon | 49
Jordan | 49
Romania | 51
United Arab Emirates | 55
Yemen | 57
Libya | 58
Vietnam | 60
Pakistan | 60
Macedonia | 61
Honduras | 62
Tunisia | 63
Iran | 63
Panama | 66
Syria | 66
Jamaica | 67
Korea | 67
Chile | 67
Qatar | 67
Portugal | 67
Mexico | 68
Thailand | 68
Guatemala | 70
Uzbekistan | 70
Monaco | 73
Paraguay | 73
Venezuela | 74
Kuwait | 74
Oman | 75
Brazil | 76
Azerbaijan | 77
Spain | 78
Bosnia and Herzegovina | 78
Bolivia | 79
Zimbabwe | 79
Ecuador | 81
El Salvador | 84
Serbia and Montenegro | 85
Russia | 88
Croatia | 89
Slovenia | 91
Tajikistan | 91
Puerto Rico | 92
Kenya | 95
Faroe Islands | 95
Nicaragua | 96
Belize | 100
Bulgaria | 102
Ukraine | 102
France | 104
Macao SAR | 106
Colombia | 107
Israel | 109
Liechtenstein | 110
Costa Rica | 110
Hungary | 111
Kazakhstan | 112
United States | 112
Greece | 114
Trinidad and Tobago | 115
Peru | 116
Iceland | 124
Lithuania | 126
Poland | 126
Caribbean | 128
Luxembourg | 130
South Africa | 131
Slovakia | 132
Philippines | 137
Belarus | 140
Estonia | 141
United Kingdom | 144
Indonesia | 145
Belgium | 145
Argentina | 152
Brunei Darussalam | 156
Norway | 160
Sweden | 164
Hong Kong SAR, PRC | 165
Netherlands | 170
Canada | 172
Greenland | 173
Uruguay | 179
India | 181
Switzerland | 182
Ireland | 187
Italy | 189
Latvia | 194
Singapore | 199
Czech Republic | 199
Denmark | 203
Australia | 204
Nigeria | 204
China | 214
Malaysia | 216
Germany | 226
Rwanda | 239
Austria | 242
New Zealand | 264
Finland | 265
Taiwan | 305
Senegal | 372
Japan | 685
World Wide Average | 123
A Focus on Win32/Nuwar (the “storm worm”)
Win32/Nuwar, called the storm worm in some reports, is a family of trojans and associated components discovered in early 2007. By continually updating and adapting Win32/Nuwar in an effort to thwart detection and removal efforts, its authors have created a botnet that is estimated to have consisted of half a million infected systems worldwide at some points. During the second half of 2007, the Win32/Nuwar authors continued to adapt their attacks technically, by updating and developing the binary components that make up the Nuwar family of malware, and socially, by tailoring their e-mailed pitches and by finding new and different ways to leverage the botnet’s ability to send spam at their command. The second half of 2007 was a period of consistent permutation and adaptation.

Technical Information
The main peer-to-peer (P2P) component is capable of disseminating spam. It can also harvest e-mail addresses from the local machine and participate in distributed denial of service attacks. As with other components, the authors continued to develop and improve the worm in the second half of 2007. In October, variants emerged that had the ability to modify Web pages found on the local machine by inserting an iFrame tag. Web page modifications observed in the wild have been altered to point to remote sites hosting browser exploits. These modified pages are then used to disseminate Nuwar to unsuspecting visitors. Win32/Nuwar uses server-side polymorphism to disseminate itself, employing the encryptor commonly referred to as Tibs to create thousands of different binaries for the same piece of malware. These different binaries are not considered variants because the binary obfuscation does not change the underlying function of the malware. By disregarding the outer layer of obfuscation, observers have identified 17 different variants introduced in 2H07, an average of almost three new releases per month.
Many of the changes detected with each Nuwar release relate to how a system is infected. Nuwar always presents a moving target, transforming any telltale sign of infection from one release to the next. For example, a new variant first observed in July infected the system file kbdclass.sys. This infection was moved to tcpip.sys in a later variant, and then removed entirely in October. Process injection was another technique that was introduced, removed, and reintroduced during December.
The Win32/Nuwar authors introduced two additional enhancements at the beginning of October. The first enhancement uses a 40-bit key to encrypt communication between Nuwar peers on the network, making observation of network traffic more difficult. All releases observed during 2H07 made use of the same key. The second enhancement enables the main component to make multiple copies of itself on local, network, and removable drives; however, no method was implemented that would execute this copy, so it would have to be manually executed by a user.
Dissemination
The Nuwar authors harness the power of their botnet with frequent spam campaigns, with the goal of maintaining and expanding the size of the network by persuading new users to run the Nuwar malware. Social engineering is their primary method for luring new targets. The authors appeal to primal emotions and urges like empathy, guilt, desire, sex, and fear. The storm nickname comes from an early subject line, “230 dead as storm batters Europe,” used to propagate the worm in the wake of a severe winter storm that devastated parts of Europe in January 2007. E-mail subject lines have generally used fictitious and incendiary topics, often inspired by contemporary headlines. Other subject lines have included:
• U.S. Southwest braces for another winter blast. More than 1000 people are dead
• [Chinese/Russian] missile shot down [Chinese/Russian/USA] [satellite/aircraft]
• A kiss for you
During 2H07 the authors shifted their malware delivery tactics, sending more spam that contained links to malware hosted on remote sites, instead of binary attachments. By shifting to remotely hosted content, the authors were able to make use of browser exploits to increase the effectiveness of their spam campaigns.
Some spam campaigns have centered around holidays and other festive events, and often use highly appealing visuals. Some of the campaigns from 2H07 were associated with events like Independence Day, Labor Day, Halloween, Christmas, and New Year’s Eve.

Figure 36. Holiday-themed lures used humor and provocative imagery to appeal to potential targets.
In order to achieve maximum effectiveness from social engineering, each spam run tends to include many varied subjects and message bodies. An “Invitation to Beta Test” lured users with a promise of free software:

Subject: Can you help us out?
Body: Please give us a hand with our new software development Home Improvement Planner This will help us get the software ready for consumer release. To say thanks, Beta testers will receive a free copy and 5 years of free updates.
1: Download the software
2: Try it
3: Tell us what you think
If you would like to help us with this no obligation Beta test, follow this link to our secure download server:
A YouTube–themed lure from August used a spoofed URL accompanied by various salacious message bodies to grab attention. Clicking on the purported YouTube link would take the user to a Web site laden with exploits.

Subject: sheesh man, what are you thinkin
Body: OMG, what are you doing man. This video of you is all over the net. take a look, lol...

The second half of 2007 saw many other effective campaigns with well-designed imagery, such as “Arcade World” and “NFL Game Tracker” from September, and “Laughing Psycho Kitty Cat” and “Krackin v1.2” from October.

NFL Tracker Lure
Subject: Get Your Free NFL Game Tracker
Body: Football is back, Life may resume again! Know all the games, what time, what channel and the stats. Get all the info you need from our online game tracker:

Laughing Psycho Kitty Cat Lure
Subject: I’ve never laughed so hard!
Body: Click here to view your laughing kitty card online.
In addition to these social engineering tactics, the Nuwar authors used at least 10 different browser-based exploits in 2H07 to deliver malware to unsuspecting targets. These exploits targeted vulnerabilities in Windows, Internet Explorer, and QuickTime, as well as Microsoft ActiveX® controls from WinZip, Yahoo! Messenger, GOM Player, NCTAudioFile, and SuperBuddy. (Patches are available for each of the vulnerabilities, some of which date back to 2006.)

Botnet Usage
In addition to the self-promoting spam discussed earlier, the Nuwar botnet is also used to send traditional unsolicited e-mails. Nuwar has been used to send stock, commodity, and pharmacy spam messages; work from home scams; and e-mails linking to phishing sites. The botnet has also been used to deliver unsolicited messages in unconventional ways, such as an MP3-encoded audio file of a computer-generated feminine voice promoting a specific stock. Nuwar has also been used to send spam that “promotes” other malware, such as the password stealer PWS:Win32/Zbot.
Disinfections
The Win32/Nuwar malware family was added to the MSRT in September 2007. Four monthly editions of the MSRT (September through December) were therefore released with support for detecting and removing Nuwar during 2H07.

Figure 37. MSRT removals of Win32/Nuwar, September–December 2007
[Bar chart with two series, Disinfections and Computers Cleaned, for Sep-07 through Dec-07; vertical axis 0 to 700,000]
As expected, the first month of release had the largest effect, with 291,227 distinct Nuwar-infected computers cleaned worldwide, or 774 computers disinfected for every 1,000,000 executions of the MSRT, as shown in Figure 38. The MSRT recorded 626,886 Nuwar-related disinfections in September, which means that each Nuwar cleaning involved an average of 2.2 separate components. (See the Glossary for more on the difference between cleaning and disinfecting.) Over the following three months, Nuwar was removed from an average of 115,132 computers each month. A total of 526,605 distinct Nuwar-infected computers were cleaned over the last four months of 2007. A minority of the computers from which Nuwar components were removed in 2H07 were later reinfected. Adding together the Nuwar cleanings over the last four months of 2007 yields 636,623 total disinfections, which is 110,018 more than the number of distinct computers cleaned. The 110,018 figure represents the total number of reinfections that occurred during the last four months of 2H07 (though not necessarily the number of reinfected computers, as some computers may have been reinfected more than once).
Figure 38. Number of computers disinfected of Win32/Nuwar for every 1 million executions of the MSRT, September–December 2007
[Chart for Sep-07 through Dec-07; vertical axis 0 to 800]
On the individual component level, one of the P2P components was removed from 249,682 distinct computers over the four-month period, with 7,570 reinfections. Variants of the P2P component that exhibited parasitic viral characteristics were released between approximately the end of July and the beginning of October. These Virus:Win32/Nuwar variants were removed from a total of 98,141 distinct computers during 2H07. In late December 2007, the Nuwar authors waged an aggressive spam campaign using a pool of 15 different domain names manipulated with the fast-flux technique, which involves rapidly altering Domain Name Service (DNS) records in an attempt to impede efforts to shut the network down. Extrapolating from the telemetry data provided by the Hotmail Feedback Loop (FBL), a mechanism that allows over 100,000 randomly selected Hotmail users to give feedback about which of their messages are good and which are spam, suggests that about 120,000 botnet IP addresses participated in the attack between December 24 and December 31.[10]

[10] The FBL detected a total of 7,418 distinct IP addresses participating in the attack between December 24 and December 31. During this time period, a total of 12,000,000 e-mails were sent to Hotmail from those distinct IP addresses, yielding an average of 1,600 e-mails per IP address. All Nuwar IP addresses are estimated to have sent at least 191,000,000 e-mails to Hotmail during the last week of 2H07. If each peer sent an average of 1,600 e-mails to Hotmail during the attack, that suggests that the total number of IP addresses that participated in the attack was at least 120,000.
Fighting Win32/Nuwar
The sophisticated methods that the Win32/Nuwar botnet uses to cover its tracks make it very difficult to fight directly. The best way for IT Professionals to help neutralize Win32/Nuwar is to educate users to take overall protective actions against malware and other threats, including:
• Use an anti-malware product from a known, trusted source, and keep it updated.
• Enable Automatic Updates in Windows, which ensures that the MSRT is downloaded every month.
• Avoid opening attachments or clicking on links in e-mail or instant messages that are received unexpectedly or from an unknown source. Use a mail client that suppresses active content and that blocks unintentional opening of executable attachments.
Users should be urged to take these preventative actions on any computers they have at home, as well as at work. Monitoring Internet-based IT security communities also helps security personnel stay up to date on the latest social engineering methods used to lure victims into installing the malware and helps them warn their users accordingly.

A Focus on E-Mail Threats
Over 90 percent of all e-mail messages sent over the Internet today are spam. In addition to annoying the recipients and taxing the resources of e-mail providers, the flood of spam creates a potent vector for malware attacks and phishing attempts. Effectively combating spam and phishing is a top priority, not only for e-mail providers, but also for operators of social networks and other online communities—in short, any entity that provides communications services to users.

Spam Trends
Despite advances in filtering technologies that have helped keep spam out of users’ inboxes, spam remains a huge and growing threat that taxes the resources of the worldwide e-mail infrastructure. Microsoft Exchange Hosted Services (EHS)[11], which provides e-mail filtering services to subscribing companies and organizations around the world, blocked the delivery of 94 percent of inbound e-mail messages in the second half of 2007.

[11] For more information, see http://www.microsoft.com/exchange/services.
Figure 39. Percentage of inbound messages blocked by Exchange Hosted Services, July–December 2007
[Chart for Jul-07 through Dec-07; vertical axis 85% to 100%]
As Figure 39 shows, EHS experienced a prolonged increase in the volume of blocked messages that began in August and lasted through December. Spam is seasonal, to an extent; for the last several years, EHS has detected a significant temporary rise in spam volume at the end of the calendar year, typically beginning around October and lasting through December. In 2007, owing primarily to elevated Win32/Nuwar activity, this increase began about three months early and stayed strong through the end of the year. (See page 83 for more information on Win32/Nuwar.) As with malware, spam has evolved from a tool used by small operators to one typically used by larger, organized criminal groups to perpetuate scams and to sell fraudulent or dubious goods and services. An estimated 80 percent of spam received by Windows Live Hotmail in mid-2007 was sent through distributed botnets, like the one created by the Win32/Nuwar worm. Botnets typically consist of hijacked computers in multiple countries, making it difficult or impossible to defend against them using IP blocks. Botnets are frequently used to launch short, extremely intense spam campaigns that can send as many as 5 million messages in less than an hour, leveraging the power of tens of thousands of hijacked computers worldwide. Hijacked computers are also often used to send much lower volumes of spam for longer periods of time in an effort to avoid triggering IP blocks. A botnet sending very low volumes of spam can remain largely intact for several months.
As with the senders behind spam and the mechanisms used to send it, the content of spam messages has changed and evolved over the past several years. Figure 40 illustrates the shift in subject matter of spam messages reported by Windows Live Hotmail users between 2004 and 2007.

Figure 40. Categories of spam reported by Windows Live Hotmail users in 2004 and 2007
Category | 2004 | 2007 | ∆ | Description
OtherSpam | 13% | 33% | 20% ↑ | Everything else that appears to be spam
Rx/Herbal | 10% | 31% | 21% ↑ | Cheap drugs or herbal supplements
Scams | 6% | 14% | 8% ↑ | Get rich quick, phishing scams, and so on
Dubious Products | 10% | 11% | 1% | Pirated software, diplomas, and so on
Financial | 13% | 4% | -9% ↓ | Refinancing, get out of debt, financial advice
Travel/Casino | 3% | 4% | 1% | Airline tickets, hotel reservations, rental car; Internet casino sites; Other gaming sites
Porn/Sex Non-graphic | 34% | 3% | -31% ↓ | Enhancers with sexual connotation, link to porn
Porn/Sex Graphic | 7% | 0% | -7% ↓ | Anything that contains pornographic images
Insurance | 4% | 0% | -4% ↓ | Health, dental, life, home, auto insurance
The largest observed increase has been in spam selling cheap drugs or herbal remedies, which tripled its share of all spam between 2004 and 2007, followed by outright scam messages, including phishing attempts. Pornographic spam, the largest category in 2004, had greatly diminished by 2007, further evidence of a long-term shift in the spam landscape away from reviled but (in many jurisdictions) legal products, and towards the underground economy of illegal products and scams.

Malware and E-Mail
Despite the rise in malware activity documented elsewhere in this report, only 0.07 percent of inbound messages handled by EHS in 2H07 were filtered for containing malware, similar to previous periods. This should not necessarily be taken as an indicator of the prevalence of malware in the e-mail stream as a whole, as the EHS filters only handle mail that makes it past a series of non-content–based edge blocks. (See “Fighting E-Mail Threats” on page 70 for more information about these blocks.) As the 0.07 percent figure is significantly lower than most estimates of the proportion of e-mail that is infected by malware, it may be concluded that much of the infected e-mail exhibits qualities of spam and can be effectively mitigated using typical spam-fighting methods.
Phishing
Phishing remained a significant threat in 2H07, eroding people’s trust in the Internet and harming the reputations of the institutions victimized by phishing sites. The number of live phishing pages tracked by the Microsoft Phishing Filter remained roughly constant in 2H07, with new pages being discovered at approximately the same rate that older pages were going offline. Phishing is still predominantly an English-language phenomenon. Typically, 75–80 percent of the active phishing pages tracked by the Microsoft Phishing Filter at a given moment in 2H07 were English language pages, with European languages, like Italian, Spanish, German, French, and Turkish, accounting for most of the remainder. Asian languages, like Chinese, Japanese, and Korean, currently account for a very small percentage of active pages. Among English-language pages, banks and other financial institutions in the United States are the most frequent targets, though pages targeting institutions in the United Kingdom and India were observed to be on the rise in 2007. Once a largely e-mail–based phenomenon, phishing attempts are increasingly being posted to social networks, exploiting the trust that victims place in these networks and in the friends with whom they have connected through them. One recent attack on a large social networking site involved obtaining login credentials from victims through phishing messages posted to their profiles; the phishers then used an automated program to log into the victims’ accounts and post additional phishing messages to all of the victims’ contacts on the service, repeating and perpetuating the process. The techniques used by phishers to host Web pages and attract victims have evolved over time. Currently, about three-fourths of known active phishing pages are hosted on hijacked servers, often in obscure locations where illicit pages may not be discovered immediately (for example, a directory like /images/temp).
The remaining active pages are typically split between botnets and free Web hosts. While some phishing attempts involve simply posting a Web page on a server and collecting as much personal information from visitors as possible in the short time before the page is discovered and shut down, more sophisticated attempts involve using tricks like DNS fast flux to rapidly rotate between pages on large numbers of compromised hosts.
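The fast-flux rotation described above, seen from the defender's side as a resolver-log heuristic, as an added example (not Microsoft's method or code from the report). The indicator thresholds are illustrative assumptions, the /16 prefix count stands in for network diversity, and the resolver snapshots are constructed sample data; the second host shows why a short TTL alone does not indicate flux.

```python
"""Heuristic scoring of fast-flux DNS behaviour (added example, not Microsoft's method).

The report describes fast flux as rapidly altering DNS records so that a phishing
or malware hostname points at a large, constantly changing pool of compromised
hosts. From a resolver's viewpoint that appears as short TTLs, many distinct A
records within a short window, answers spread across unrelated networks, and
consecutive answers that share no addresses. A short TTL alone is not enough:
content delivery networks use short TTLs too, but rotate within a small, stable
pool. Thresholds below are illustrative assumptions; the resolver snapshots are
constructed sample data (private and documentation addresses).
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Answer:
    observed_at: int            # seconds since the first lookup of the name
    ttl: int                    # TTL carried by the A records
    addresses: Tuple[str, ...]  # A records returned in this answer


def distinct_slash16(addresses: Sequence[str]) -> int:
    """Number of distinct /16 prefixes, a crude stand-in for network/ASN diversity."""
    return len({".".join(a.split(".")[:2]) for a in addresses})


def flux_features(answers: Sequence[Answer], window: int = 3600) -> Dict[str, float]:
    """Features computed from the answers observed within `window` seconds of the first."""
    start = answers[0].observed_at
    seen = [a for a in answers if a.observed_at - start <= window]
    all_addrs = [ip for a in seen for ip in a.addresses]
    pairs = list(zip(seen, seen[1:]))
    # A "churn" is a consecutive pair of answers with no address in common.
    churned = sum(1 for a, b in pairs if not set(a.addresses) & set(b.addresses))
    return {
        "min_ttl": min(a.ttl for a in seen),
        "distinct_ips": len(set(all_addrs)),
        "distinct_slash16": distinct_slash16(all_addrs),
        "churn": churned / len(pairs) if pairs else 0.0,
    }


def flux_score(answers: Sequence[Answer]) -> int:
    """One point per indicator; three or more is treated as fast flux (assumed thresholds)."""
    f = flux_features(answers)
    return sum([
        f["min_ttl"] <= 300,
        f["distinct_ips"] >= 10,
        f["distinct_slash16"] >= 5,
        f["churn"] >= 0.5,
    ])


def is_fast_flux(answers: Sequence[Answer]) -> bool:
    return flux_score(answers) >= 3


# Constructed resolver snapshots, one lookup every ten minutes.
FLUX_HOST = [
    Answer(0, 120, ("10.1.5.20", "10.2.7.31", "10.3.9.42")),
    Answer(600, 120, ("10.4.1.2", "10.5.6.7", "10.6.8.9")),
    Answer(1200, 120, ("10.7.1.1", "10.8.2.2")),
    Answer(1800, 120, ("10.9.3.3", "10.10.4.4", "10.11.5.5")),
    Answer(2400, 120, ("10.12.6.6", "10.13.7.7")),
    Answer(3000, 120, ("10.14.8.8", "10.15.9.9", "10.1.5.20")),  # one address reused
]
CDN_HOST = [  # short TTL, but a small and stable pool inside one network
    Answer(0, 60, ("192.0.2.10", "192.0.2.11")),
    Answer(600, 60, ("192.0.2.11", "192.0.2.12")),
    Answer(1200, 60, ("192.0.2.11", "192.0.2.13")),
    Answer(1800, 60, ("192.0.2.13", "192.0.2.10")),
]

if __name__ == "__main__":
    for name, answers in (("flux host", FLUX_HOST), ("cdn host", CDN_HOST)):
        print(name, flux_features(answers), "fast flux" if is_fast_flux(answers) else "not flux")
```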
Fighting E-Mail Threats
Effectively fighting spam and phishing requires a multipronged strategy. Despite the increasingly sophisticated tricks employed by spammers, some of the simplest spam-fighting techniques, like blocking the IP addresses of known offenders, remain very effective. Windows Live Hotmail has used IP blocking to cut spam from 90 percent of the e-mail stream down to about 40 percent. Some additional blocking mechanisms that have proven effective include:
• SMTP connection analysis. SMTP clients that use malformed or nonstandard syntax when connecting to a host are more likely to be sources of spam.
• Recipient validation. Spammers often send to random addresses within a domain (for example, john@example.com; jsmith@example.com; jdoe@example.com) hoping that some of them will correspond to valid e-mail accounts. Some providers block the delivery of messages that contain nonexistent domain addresses in the To: line, so that valid addresses will not receive them.
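The edge checks just listed (IP blocking, SMTP connection analysis, recipient validation), applied to inbound SMTP sessions as an added example; this is not EHS or Hotmail code. A malformed HELO/EHLO argument is taken as the one instance of "connection analysis" shown here, which is an assumption, and the blocklist, mailbox list and sessions are constructed sample data.

```python
"""Edge-blocking checks for inbound SMTP sessions (added example, not EHS or Hotmail code).

Models the three non-content checks the report lists, which run before any
costly content filtering:
  1. IP reputation: the connecting address falls in a known-offender range.
  2. SMTP connection analysis (one instance of it, assumed here): the HELO/EHLO
     argument is malformed. RFC 5321 requires a fully qualified domain name or
     a bracketed address literal such as [192.0.2.1].
  3. Recipient validation: the envelope recipients include addresses that do
     not exist in the receiving domain, typical of dictionary spam runs.
The blocklist, mailbox list and sessions below are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# Hostname: dotted labels of [A-Za-z0-9-], 1-63 chars each, alphabetic top-level label.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

LOCAL_DOMAIN = "example.com"
LOCAL_MAILBOXES: FrozenSet[str] = frozenset(
    {"alice@example.com", "bob@example.com", "john@example.com"}
)
# Constructed "known offender" range (documentation space, not a real blocklist).
BLOCKLIST = frozenset({ipaddress.ip_network("198.51.100.0/24")})


@dataclass(frozen=True)
class Session:
    client_ip: str               # connecting address
    helo: str                    # argument of the HELO/EHLO command
    recipients: Tuple[str, ...]  # envelope RCPT TO addresses


def ip_on_blocklist(ip: str, blocklist=BLOCKLIST) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def helo_is_malformed(helo: str) -> bool:
    """True unless the HELO argument is an FQDN or a bracketed address literal."""
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.startswith("IPv6:"):
            literal = literal[5:]
        try:
            ipaddress.ip_address(literal)
            return False
        except ValueError:
            return True
    return HOSTNAME_RE.match(helo) is None


def unknown_recipients(recipients: Sequence[str], mailboxes=LOCAL_MAILBOXES,
                       domain=LOCAL_DOMAIN) -> List[str]:
    """Local-domain recipients that do not correspond to an existing mailbox."""
    return [r for r in recipients
            if r.lower().endswith("@" + domain) and r.lower() not in mailboxes]


def edge_verdict(session: Session) -> Optional[str]:
    """Name of the first edge check that rejects the session, or None to pass it on
    to content filtering. As the report notes, one nonexistent recipient blocks the
    whole message, so valid recipients in the same envelope do not receive it."""
    if ip_on_blocklist(session.client_ip):
        return "ip-reputation"
    if helo_is_malformed(session.helo):
        return "smtp-syntax"
    if unknown_recipients(session.recipients):
        return "recipient-validation"
    return None


# Constructed sample sessions (documentation address ranges, not real senders).
SAMPLE_SESSIONS = [
    Session("192.0.2.10", "mail.partner.example", ("alice@example.com",)),
    Session("198.51.100.7", "mail.partner.example", ("alice@example.com",)),  # blocklisted range
    Session("203.0.113.5", "192.0.2.99", ("bob@example.com",)),              # bare IP, no brackets
    Session("203.0.113.9", "[203.0.113.9]",
            ("john@example.com", "jsmith@example.com", "jdoe@example.com")),  # dictionary run
    Session("203.0.113.20", "[IPv6:2001:db8::1]", ("bob@example.com",)),
]


def edge_block_rate(sessions: Sequence[Session]) -> float:
    """Fraction of sessions stopped at the edge (the report's EHS figure was 88.2 percent)."""
    blocked = sum(1 for s in sessions if edge_verdict(s) is not None)
    return blocked / len(sessions)


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(f"{s.client_ip:<14} {s.helo:<22} -> {edge_verdict(s) or 'pass to content filters'}")
    print(f"edge block rate: {edge_block_rate(SAMPLE_SESSIONS):.0%}")
```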
Techniques such as these can help block incoming spam messages at the edge, precluding the need to subject them to more computationally intensive forms of validation, like Bayesian screening and sender authentication. In 2H07, EHS blocked 88.2 percent of incoming messages at the edge using a combination of IP address–based reputation management, SMTP connection analysis, and recipient validation. (Additional filters classified 77.9 percent of the remaining messages as spam.) As spammers and phishers continue to modify and improve their techniques, large e-mail providers are likely to accelerate the development and adoption of anti-spam frameworks that combine authentication and reputation management to more accurately identify bad actors and prevent false positives. Fighting phishing requires different techniques than fighting spam because phishing attempts are designed to resemble legitimate communications in every way. Users should be encouraged to use Web browsers with anti-phishing features, like Internet Explorer 7 and Mozilla Firefox 2, which display alerts when users attempt to visit known phishing sites.

Figure 41. Phishing alerts in Internet Explorer 7, left, and Mozilla Firefox 2, right
In addition, users should be trained to recognize phishing attempts by taking precautionary measures, like verifying the address in the browser’s address bar when following links from e-mail messages to financial and commercial Web sites, or simply typing the Web site address directly into the address bar.

Potentially Unwanted Software
Whereas the previous section discussed software that is fundamentally malicious in nature, software behaviors cannot always be classified in binary terms. Some software inhabits a gray area wherein the behavior or value proposition presented by the software is neither universally desired nor universally reviled. This gray area includes a number of programs that do things like display advertisements to the user, which are often targeted based on the programs’ observation of the user’s browsing habits. Many users consider these programs objectionable, but some may appreciate the advertisements, or wish to use other applications that come bundled with the advertising programs and that will not function if they are not present. Microsoft refers to software in this gray area as potentially unwanted software, and provides products and technologies to give visibility and control to the individual. While it is certainly possible to use absolute detection figures to examine the prevalence of different potentially unwanted software families, as in the “Malware Trends for 2H07” section, this approach provides an incomplete picture of the potentially unwanted software landscape. The tools Microsoft provides for dealing with potentially unwanted software are designed to allow users to make informed decisions about removing or retaining specific software, rather than to simply remove it outright. Windows Defender and Microsoft Forefront™ Client Security give each of the potentially unwanted software programs they track a severity rating of Low, Medium, High, or Severe, as well as a default recommended action:
• Ignore. Ignores the alert once. Users may choose to ignore an alert multiple times for the same piece of potentially unwanted software.
• Ignore Always. Ignores the alert from that point forward, even if the software is seen again.
• Prompt. Prompts the user to make a decision about what to do with the software.
• Quarantine. Removes the software in such a way that it can be restored at a later point.
• Remove. Removes the software from the system. Software rated with a severity of High or Severe will be removed automatically.
These decisions are influenced by a number of factors, such as users’ level of expertise, how certain they feel about their judgment regarding the software in question, the context in which the software was obtained, societal considerations, and the benefit (if any) being delivered by the software or by other software that is bundled with it. Users make choices about what to do about a piece of potentially unwanted software for different reasons, so it’s important not to draw unwarranted conclusions about their intent. For instance, Remove indicates a clear, active choice. Ignore Always usually suggests that the user wants to keep the software. However, users choose Quarantine or Ignore for a variety of reasons. For example, they might be confused by the choices, they might want to defer the action to a more convenient time, or they might want to spend more time evaluating the software before making a decision.

Potentially Unwanted Software Trends in 2H07
The second half of 2007 has seen a significant increase in the number of detections and the number of removals of potentially unwanted software. This increase should not necessarily be interpreted as an increased prevalence of potentially unwanted software on the Internet. As with malicious software, a number of factors contribute to this increase.

• The number of computers running the tools used to collect the data for this section continues to increase. For example, Windows Defender, which is available as an optional add-on for Windows XP SP2, is included as a component of Windows Vista, so increased adoption of Windows Vista has added a significant number of new computers with Windows Defender installed automatically. In addition, the release of new language versions of many of these tools has enabled their introduction into parts of the world that had previously been unprotected from potentially unwanted software.
• Changes in the distribution practices for different pieces of potentially unwanted software can have an effect on how many people are exposed to it and how often, and how they tend to respond to alerts raised about the software.
Overall, Microsoft tools and products (Windows Defender, the MSRT, Windows Live OneCare, the Windows Live OneCare safety scanner, scanners for Windows Live Hotmail and Windows Live Messenger, and Microsoft Forefront Client Security) detected 129.5 million pieces of potentially unwanted software between July 1 and December 31, 2007, resulting in 71.7 million removals. These figures represent increases of 66.7 percent in total detections and 55.4 percent in removals over 1H07.
Worldwide disinfections of potentially unwanted software are comparable to those of malware. Figure 42 shows the top 25 families detected by all Microsoft products and tools in 2H07 (in the printed figure, potentially unwanted software families are listed in italics).

Figure 42. Top 25 families detected in 2H07, ordered by total number of detections

Rank  Family                      Category                        2H07        1H07        % Change
1     Win32/Zlob                  Trojan Downloader               17,655,154  8,775,412   101.2%
2     Win32/Hotbar                Adware                          7,169,122   2,035,895   252.1%
3     Win32/WhenU                 Adware                          6,372,798   3,686,805   72.9%
4     Win32/Renos                 Trojan Downloader               5,825,594   3,138,297   85.6%
5     Win32/ZangoSearchAssistant  Adware                          4,909,890   2,308,075   112.7%
6     Win32/Virtumonde            Trojan                          4,531,655   637,789     610.5%
7     Win32/ConHook               Trojan                          4,090,363   313,362     1205.3%
8     Win32/Starware              Potentially Unwanted Software   4,046,113   2,632,554   53.7%
9     Win32/Agent                 Trojan                          3,672,984   1,018,435   260.7%
10    Win32/Winfixer              Potentially Unwanted Software   3,382,135   1,664,164   103.2%
11    Win32/CnsMin                Spyware                         2,454,488   1,309,615   87.4%
12    Win32/BaiduSobar            Browser Modifier                2,279,149   659,509     245.6%
13    Win32/Sogou                 Potentially Unwanted Software   2,079,260   573,998     262.2%
14    Win32/CNNIC                 Browser Modifier                2,072,464   756,895     173.8%
15    Win32/RealVNC               Remote Control Software         1,986,692   1,818,376   9.3%
16    Win32/ClickSpring           Adware                          1,783,502   808,475     120.6%
17    Win32/BearShare             Software Bundler                1,498,451   910,321     64.6%
18    Win32/Comscore              Potentially Unwanted Software   1,251,109   725,904     72.4%
19    Win32/ZenoSearch            Adware                          1,243,077   365,674     239.9%
20    Win32/C2Lop                 Trojan                          1,231,137   753,637     63.4%
21    Win32/AdRotator             Adware                          992,509     80,248      1136.8%
22    Win32/Banker                Trojan                          969,605     852,936     13.7%
23    HTML/IframeRef              Exploit                         965,910     181,361     432.6%
24    Win32/Fotomoto              Trojan                          954,452     511,141     86.7%
25    Win32/Small                 Trojan Downloader               948,652     717,123     32.3%
The 15 potentially unwanted software families in Figure 42 displayed a 114 percent increase over 1H07, rising from 20.3 million detections to 43.5 million detections, owing in part to an increase in the number of users worldwide running one or more of the appropriate detection tools, as explained above. Nine of the 15 displayed increases of 100 percent or more, with five families increasing by more than 200 percent, and one family—Win32/AdRotator—increased by more than 1,000 percent. AdRotator is a browser helper object (BHO) that facilitates click fraud.

The top potentially unwanted software family (second overall) detected in 2H07 was Win32/Hotbar, rising from fourth place (sixth overall) in 1H07. Win32/Hotbar installs a dynamic toolbar in Internet Explorer and Windows Explorer, and delivers targeted popup ads based on its monitoring of Web-browsing activity.

The significant increases observed for Win32/CnsMin, Win32/Sogou, and Win32/BaiduSobar are due to increased adoption of Chinese-language versions of the detection tools and should not necessarily be taken as indicators of wider distribution for the families themselves.

As explained above, when Windows Defender detects a malware or potentially unwanted software infection, it gives the user a choice of four possible responses: Remove, Quarantine, Ignore Always, and Ignore. Examining the choices users make when confronted with these warnings yields useful insights into the way users react to different families.
Figure 43. Actions taken by users when warned about malware and potentially unwanted software by Windows Defender

Threat Family               Category                        % Remove  % Quarantine  % Ignore Always  % Ignore
Win32/Banker                Trojan                          98.8%     0.8%          0.02%            0.5%
Win32/Zlob                  Trojan Downloader               88.4%     4.2%          0.01%            7.5%
Win32/ConHook               Trojan                          86.6%     3.4%          0.04%            10.0%
Win32/Renos                 Trojan Downloader               85.7%     4.8%          0.01%            9.5%
Win32/Agent                 Trojan                          81.4%     10.6%         0.08%            8.0%
Win32/Fotomoto              Trojan                          76.8%     3.6%          0.04%            19.6%
Win32/C2Lop                 Trojan                          75.9%     5.8%          0.05%            18.2%
Win32/ZenoSearch            Adware                          73.5%     1.1%          0.03%            25.3%
Win32/Sogou                 Potentially Unwanted Software   72.6%     0.2%          0.2%             27.1%
Win32/Small                 Trojan Downloader               62.0%     14.5%         0.1%             23.3%
Win32/Winfixer              Potentially Unwanted Software   59.2%     2.0%          0.07%            38.7%
Win32/AdRotator             Adware                          55.5%     0.6%          0.07%            43.9%
Win32/ClickSpring           Adware                          49.6%     11.4%         0.04%            38.9%
Win32/CnsMin                Spyware                         48.1%     0.6%          0.07%            51.3%
Win32/BaiduSobar            Browser Modifier                45.8%     0.9%          0.1%             53.2%
Win32/Virtumonde            Trojan                          45.4%     15.0%         0.1%             39.4%
Win32/Comscore              Potentially Unwanted Software   43.4%     3.0%          0.2%             53.3%
Win32/WhenU                 Adware                          38.9%     9.0%          0.5%             51.6%
Win32/CNNIC                 Browser Modifier                38.7%     0.5%          0.2%             60.7%
Win32/ZangoSearchAssistant  Adware                          26.3%     5.8%          0.2%             67.8%
Win32/Hotbar                Adware                          20.4%     11.2%         0.1%             68.3%
Win32/Starware              Potentially Unwanted Software   17.6%     7.7%          0.2%             74.5%
Win32/RealVNC               Remote Control Software         9.5%      2.7%          8.9%             78.8%
Win32/BearShare             Software Bundler                7.7%      4.4%          3.6%             84.3%
HTML/IframeRef              Exploit                         0.8%      94.4%         0.05%            4.8%
(Totals may not equal 100% due to rounding.)
Users’ reactions to warnings about the top 25 families varied significantly, indicating clearly that users perceive different potentially unwanted software families to have different value propositions.

• Users chose the Remove option most frequently when informed that the software was unambiguously malicious. Win32/Banker, a family of data-stealing trojans that mainly targets customers of Brazilian banks, was the most frequently removed family in the top 25, with 98.8 percent of users choosing to remove it immediately when warned. Other unambiguously malicious programs like Win32/Zlob, Win32/ConHook, and Win32/Renos also had high rates of removal, above 85 percent in all four cases. See “Malware Families” on page 50 for more information on these families.
• The Quarantine option neutralizes the questionable software, but gives the user the ability to restore it in the future. Users did not make heavy use of the Quarantine option, typically choosing to either remove the software permanently or to ignore the warning temporarily. Other than the exploit HTML/IframeRef, for which Quarantine is the default option, no family in the top 25 had a quarantine rate significantly above 15 percent.
• Win32/RealVNC and Win32/BearShare have the highest rate of Ignore Always responses, by a significant margin, among the top 25 families. RealVNC is a program that enables a computer to be controlled remotely, similar to Remote Desktop. It has a number of legitimate uses, but is considered potentially unwanted software because it can be used by an attacker with malicious intent to gain control of a user’s computer under some circumstances. The relatively high Ignore Always rate for this software (8.9 percent) indicates that many users are aware of the nature of the software and wish to retain it for its perceived value. A similar percentage (9.5 percent) chose to remove the software immediately, presumably indicating that they did not intentionally install the software. BearShare is a peer-to-peer file sharing client that uses the decentralized Gnutella network. Free versions of BearShare have come bundled with advertising-supported and other potentially unwanted software. Its relatively high Ignore Always rate (3.6 percent) indicates that many users are loyal to the program and believe its benefits outweigh any specific behaviors that are unwanted by some.
• It is more difficult to discern the motives of users choosing the Ignore option, which allows the software to run for the current session and lets the user delay making a final decision about what to do about the software until later. Users choose Ignore for a variety of reasons—they may want to defer the decision until after they’ve had a chance to consider its implications; they may be focused on a task and don’t want to be distracted by a warning dialog; they may not understand the question being asked; they may want to uninstall the software themselves at a more convenient time; or they may have other reasons.
Some of the software with a higher-than-average Ignore percentage includes a value proposition of some kind in exchange for the potentially unwanted behavior. Win32/Hotbar, for example, offers functionality such as “smileys” in exchange for targeted advertising, and Win32/ComScore offers bundled software and/or giveaways in exchange for behavior monitoring for market research. An Ignore rate below 10 percent tends to indicate software that is unambiguously unwanted. An Ignore response typically indicates that the user does not understand the decision they are being asked to make; they intend to address the matter at a different time (for example, a security researcher analyzing the software); they are involved in a task and do not wish to be distracted, even if the software is not desired in the long term; or some other, similar motivation. A low Ignore rate tends to indicate that the user was not expecting the software to be present and wishes to remove or quarantine the software immediately.

Prevalence of Detection by Category
Potentially unwanted software categories are comparable with malware categories in prevalence. As with Figure 42 earlier, Figure 44 lists potentially unwanted software categories alongside malware categories for comparison purposes.

Figure 44. Detection by category for 2H07

Category                       Total 2H07   Total 1H07   % Change
Adware                         34,255,739   20,591,216   66.4%
Trojan Downloader              27,953,025   15,271,645   83.0%
Trojan                         19,978,826   9,072,711    120.2%
Potentially Unwanted Software  17,895,191   10,694,833   67.3%
Browser Modifier               7,215,262    4,752,055    51.8%
Spyware                        5,247,720    3,522,106    49.0%
Remote Control Software        4,068,633    3,444,829    18.1%
Software Bundler               3,186,098    3,366,788    -5.4%
Exploit                        2,547,119    1,560,330    63.2%
Trojan Dropper                 2,222,371    1,325,702    67.6%
Settings Modifier              963,248      1,123,383    -14.3%
Password Stealer               798,642      424,978      87.9%
Monitoring Software            732,618      608,538      20.4%
Malware Creation Tool          716,300      565,984      26.6%
Dialer                         494,537      718,787      -31.2%
Adware remained the most prevalent category in 2H07, increasing by more than 66 percent, from 20.6 million detections to 34.3 million detections. The category listed as Potentially Unwanted Software in the table encompasses a variety of software families that do not fall into the other categories listed, notably rogue security software families. (See page 82 for more information about rogue security software.) The Potentially Unwanted Software category increased by more than 67 percent in 2H07, from 10.7 million detections to 17.9 million detections. Figure 45 and Figure 46 show the trends for these categories, in absolute numbers and in percentage terms.

Figure 45. Potentially unwanted software detection trends, 1H06–2H07, in total detections (chart; series: Adware, Trojan Downloader, Trojan, Potentially Unwanted Software, Browser Modifier, Spyware, Remote Control Software, Monitoring Software; x-axis 1H06 to 2H07; y-axis 0 to 35 million)
The increases shown in Figure 45 are due at least in part to an increase in the number of computers running the detection tools worldwide, as explained earlier in this report. In terms of percentages, as Figure 46 indicates, each of the potentially unwanted software categories has remained remarkably stable relative to each other since 1H07, despite a significant increase in total detections overall. Unlike in previous periods, 2H07 did not feature any new “breakout” families that spread significantly faster than others to a degree that would significantly impact the category distribution.

Figure 46. Potentially unwanted software detection trends, 1H06–2H07, by percentage (chart; series: Adware, Trojan Downloader, Trojan, Potentially Unwanted Software, Browser Modifier, Spyware, Remote Control Software, Monitoring Software; x-axis 1H06 to 2H07; y-axis 0% to 50%)
Variation by Operating System
The majority (60.5 percent) of computers from which Windows Defender removed potentially unwanted software in 2H07 were running Windows Vista. This is due to the fact that Windows Defender is included with Windows Vista as a component of the operating system, so Windows Vista users do not have to obtain Windows Defender separately as an add-on. Most of the rest of the computers (39.3 percent) were running Windows XP SP2, with a very small fraction (0.1 percent) running Windows Server 2003, the only other operating system with which Windows Defender is currently compatible. Windows Defender is targeted at the consumer market, so the server platform’s small share of removals is not surprising. When the data is normalized according to each operating system’s percentage of total executions, the results are much closer to being equal, ranging from 27.5 percent for Windows Server 2003 to 44.5 percent for Windows XP SP2.

Figure 47. Computers cleaned by Windows Defender in 2H07, by operating system

Operating System   Cleaned Computers (Pre-Normalized)   Cleaned Computers (Normalized)
Windows 2003       0.1%                                 27.5%
Windows XP SP2     39.3%                                44.5%
Windows Vista      60.5%                                28.0%
(Totals may not equal 100% due to rounding.)
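To make the normalization in Figure 47 concrete, here is an added Python example (not from the report and not Microsoft’s code). It assumes that normalizing means dividing each operating system’s share of cleaned computers by its share of Windows Defender executions and rescaling the resulting rates so they sum to 100 percent; that reading of the figure is an assumption. The cleaned-computer counts are constructed to reproduce the pre-normalized percentages in Figure 47; the execution counts are also constructed, since the report does not publish them, so the normalized output is only close to the figure, not identical with it.

```python
from typing import Dict


def share_percent(counts: Dict[str, int], digits: int = 1) -> Dict[str, float]:
    """Each key's share of the total, in percent, rounded to `digits` places."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("counts must sum to a positive total")
    return {k: round(100.0 * v / total, digits) for k, v in counts.items()}


def normalize_by_executions(cleaned: Dict[str, int], executions: Dict[str, int],
                            digits: int = 1) -> Dict[str, float]:
    """Rescale cleaned-computer counts by how often each OS actually ran the tool.

    rate_os  = cleaned_os / executions_os        (cleaned computers per execution)
    share_os = rate_os / sum(rate)               (rescaled so the shares add to 100%)

    An OS that is rare among executions (Windows Server 2003 here) gets a share
    much closer to the others once its rate is used instead of its raw count,
    which is the effect the report describes for Figure 47.
    """
    missing = set(cleaned) - set(executions)
    if missing:
        raise ValueError(f"no execution counts for: {sorted(missing)}")
    zero = [os_name for os_name in cleaned if executions[os_name] <= 0]
    if zero:
        raise ValueError(f"execution count must be positive for: {zero}")
    rates = {os_name: cleaned[os_name] / executions[os_name] for os_name in cleaned}
    total_rate = sum(rates.values())
    return {os_name: round(100.0 * r / total_rate, digits) for os_name, r in rates.items()}


# Constructed sample data (not the report's raw numbers). CLEANED reproduces the
# 0.1% / 39.3% / 60.5% pre-normalized split; EXECUTIONS is an assumed tool-usage mix.
CLEANED = {"Windows Server 2003": 120, "Windows XP SP2": 39_340, "Windows Vista": 60_540}
EXECUTIONS = {"Windows Server 2003": 1_450, "Windows XP SP2": 290_000, "Windows Vista": 710_000}


if __name__ == "__main__":
    print("pre-normalized:", share_percent(CLEANED))
    print("normalized:    ", normalize_by_executions(CLEANED, EXECUTIONS))
```

The rounded normalized shares do not necessarily sum to exactly 100, which is the reason for the rounding note under the figure; any per-OS comparison should be made on the rates, not on the rounded percentages.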
Geographical Differences
Potentially unwanted software continues to target predominantly English-speaking markets, although other countries have also showed strong increases. Figure 48 shows the top 25 countries for potentially unwanted software detections by all Microsoft tools in 2H07. This data has not been normalized, so the table reflects absolute numbers of detections.

Figure 48. Potentially unwanted software detections by country/region

Rank  Country/Region   2H07        1H07        % Change
1     United States    63,916,808  41,146,428  55.3%
2     China            11,082,690  4,552,690   143.4%
3     United Kingdom   7,744,229   5,353,635   44.7%
4     France           5,898,466   3,134,730   88.2%
5     Spain            4,525,899   1,865,983   142.6%
6     Germany          3,353,615   1,616,276   107.5%
7     Canada           3,140,801   2,071,002   51.7%
8     Brazil           2,511,458   1,761,412   42.6%
9     Netherlands      2,474,783   1,862,850   32.9%
10    Korea            2,450,070   701,092     249.5%
11    Italy            2,171,724   1,210,313   79.4%
12    Turkey           1,873,935   900,829     108.0%
13    Australia        1,670,991   1,331,438   25.5%
14    Mexico           1,486,973   544,035     173.3%
15    Japan            1,432,108   1,417,566   1.0%
16    Poland           1,386,996   537,222     158.2%
17    Portugal         950,912     594,557     59.9%
18    Belgium          912,707     571,508     59.7%
19    Sweden           834,991     570,097     46.5%
20    Taiwan           663,334     469,470     41.3%
21    Denmark          643,370     450,518     42.8%
22    Norway           640,208     422,815     51.4%
23    Switzerland      424,270     258,058     64.4%
24    Singapore        374,346     227,380     64.6%
25    Ireland          294,722     208,073     41.6%
The United States was firmly in the lead in potentially unwanted software detections in 2H07 with 63.9 million detections, nearly six times as many as any other country. The United Kingdom, Canada, and Australia rank third, seventh, and thirteenth, respectively, reflecting the predominance of English-language potentially unwanted software programs. China had the second highest number of detections with 11.1 million detections, up from 4.6 million detections in 1H07, due in part to increased adoption of Chinese-language versions of the detection tools.

Rogue Security Software
Rogue security software exploits computer users’ anxieties about malicious software with fraudulent offers of “protection” for a price. Rogue security software uses a number of different techniques to attempt to trick users into installing the software and to obtain money from them. The prevalence of rogue security software continues to increase, with many common families being delivered by trojan downloaders and other malware, as well as by conventional social engineering methods.

Figure 49. Top 25 rogue security software families in 2H07, by number of detections

Rank  Rogue                        Volume
1     Win32/Winfixer               3,382,135
2     Win32/SpywareSecure          610,616
3     Win32/SpySheriff             569,147
4     Win32/WinSoftware            384,630
5     Win32/VirusProtectpro        219,685
6     Win32/UltimateDefender       210,970
7     Win32/Contravirus            157,798
8     Win32/DriveCleaner           153,857
9     Win32/AdvancedCleaner        134,533
10    Win32/AntivirusGold          121,954
11    Win32/AntiVirGear            120,352
12    Win32/UltimateCleaner        118,559
13    Win32/VirusRanger            97,221
14    Win32/SpyAxe                 91,864
15    Win32/SpyLocked              80,898
16    Win32/SpyHeal                59,534
17    Win32/SystemDoctor           44,181
18    Win32/VirusLocker            41,081
19    Win32/SpyCrush               35,697
20    Win32/AntivirusProtection    33,156
21    Win32/AntispyStorm           32,513
22    Win32/UltimateFixer          26,408
23    Win32/EZCatch                26,219
24    Win32/SpywareStormer         20,849
25    Win32/ErrorGuard             19,314
The most prevalent rogue security software detected in 2H07 was Win32/Winfixer, with more than five times as many detections as any other single family. Win32/Winfixer displays erroneous alerts warning of severe system threats. The program then offers to remove the erroneous detections for a fee. These warnings appear under multiple false product names in several different language versions.

Figure 50. False warning dialogs displayed by Win32/Winfixer variants
When prompted about rogue security software, nearly 60 percent of users choose to remove it immediately, with most of the rest electing to quarantine the software or ignore the warning temporarily. Less than 0.5 percent of users choose the Ignore Always option, indicating that very few users remain deceived about rogue security software when given information about its nature. For additional information about rogue security software, see the July–December 2006 edition of the Security Intelligence Report at http://go.microsoft.com/fwlink/?LinkID=88436&clcid=0x409.

Malicious and Potentially Unwanted Software Summary and Conclusion
The family names that have appeared repeatedly in this section—Win32/Nuwar, Win32/Zlob, Win32/Renos, and others—have different functions and goals, and they use different technical and social mechanisms for infection and distribution. By and large, however, they are all highly characteristic of a fundamental shift in the malware landscape, from flashy amateur pranks to professionally designed, extremely persistent tools for criminal activity. Correspondingly, IT security professionals are increasingly finding their jobs dominated not only by technical challenges and responsibilities, but by social and legal ones, as well.
Focus on Internet Safety Enforcement
Tim Cranton, Associate General Counsel
“What happened in this case is a textbook example of the cooperation necessary in this new era of globalization to be successful in addressing computer intrusions and other computer-supported criminal operations. In Microsoft, we have an excellent partner and today we acknowledge them in this small way.” – FBI Cyber Division Assistant Director James E. Finch, announcing the recognition of nine Microsoft employees for “Exceptional Service in the Public Interest” related to the ZOTOB investigation (September 25, 2006)
Microsoft recognizes that our leadership requires a comprehensive, global approach to Internet safety enforcement. Accordingly, this “Focus on Internet Safety Enforcement” section is designed to provide an overview of our enforcement initiatives, as a complement to the data and analysis provided by our Security Response Center in the remainder of this report. The Internet Safety Enforcement Team, a division of the Microsoft Legal and Corporate Affairs group, develops and implements innovative programs to combat Internet threats, such as malicious code, botnets, phishing, spyware, spam, and online child exploitation. We assist law enforcement by developing effective technology tools and by providing training and technical support for Microsoft products and services, specifically, and, more generally, on how to investigate computer-facilitated crimes. In addition to our collaboration with law enforcement, we also work on our own and through partnerships with governmental and non-governmental agencies, and with other industry leaders, to develop technology tools, implement strong laws, enforce existing laws against bad actors, and raise awareness about cybercrime threats. We believe these five fundamental pillars—technology, legislation, enforcement, education, and partnerships—are critical to promoting a safer online environment. We focus here on a few examples of Microsoft Internet security enforcement efforts in the areas of spam, phishing, and botnets that build on these five fundamental pillars.

Fighting Phishing
According to the Anti-Phishing Working Group—a cross-industry association of which Microsoft is a founding member—between 75 million and 150 million phishing e-mails are sent out every day. A Gartner survey estimates that approximately 109 million people in the United States have received a phishing e-mail, with an estimated 3.6 million adults losing money to phishing attacks in the 12 months ending August 2007. In these same 12 months, financial losses stemming from phishing attacks reached $3.2 billion (U.S.) in the United States alone. These are staggering statistics that demonstrate an escalation in the amount of online fraud. Microsoft believes a holistic and global approach must be used to address the growing problem of phishing. Industry leaders, law enforcement, and governments each can play an important role in creating new technology to prevent phishing attacks, by tracking down and punishing phishers, implementing strong laws, and providing the public with the knowledge and tools to protect themselves.

Global Phishing Enforcement Initiative: Microsoft actively addresses the threats posed by phishing through its Global Phishing Enforcement Initiative. This initiative contains three central components: (1) proactive domain defense; (2) worldwide investigations and referrals; and (3) strong international partnerships.

Domain Defense: Our Domain Defense program is intended to protect the Microsoft customer experience, brand name, and intellectual property online. To those ends, we preemptively register domains that include both the Microsoft name and common phishing terms, such as “account” or “confirm,” we monitor domain registrations for potential phishing sites, we issue “takedown notices” to quickly remove identified phishing sites, and we engage in anti-cybersquatting initiatives. To date, Microsoft has registered over 3,000 domain names and successfully taken down close to 6,200 phishing sites worldwide that targeted Windows Live and Microsoft. As of the end of 2007, we have also pursued 15 enforcement actions worldwide against cybersquatters.

Enforcement: Through December 2007, Microsoft has supported more than 186 enforcement actions against phishers worldwide.
These include civil lawsuits filed by Microsoft, as well as civil and criminal actions by international government and law enforcement agencies for which Microsoft made referrals and subsequently provided support. In addition, Microsoft has collaborated with global law enforcement agencies in Europe, the Middle East, and Africa to conduct 263 investigations against phishers, focusing on sites that are most likely to deceive users. These investigations have resulted in 40 phishing enforcement actions in this region alone. In one successful investigation, Microsoft provided investigative and technical support to Bulgarian authorities in January 2006, which led to the arrest of eight members of an international criminal network. Known as the Microsoft Billing Account Management (“MBAM”) Gang by Microsoft investigators, the perpetrators spoofed e-mails to look as though they were from MSN® customer service and created dozens of fake Web pages. Launching a coordinated attack in 11 countries, the phishers invited consumers to reveal their personal information by “updating” their accounts. Using this stolen data, the group made purchases valued at over $50,000 (U.S.). Another investigative success took place in May 2007. Microsoft, in conjunction with the Brazilian federal police, conducted a phishing raid in Brazil against a phisher who had designed a Web site to steal Hotmail passwords. This case was the first success in Brazil with leads generated from the Global Phishing Enforcement Initiative.

Partnerships: Building strong international partnerships is a critical component of Microsoft’s anti-phishing efforts. Microsoft is a key strategic partner to the National Cyber-Forensics and Training Alliance (“NCFTA”) and contributes through both non-monetary and monetary support, including funding a full-time phishing analyst. A joint public-private sector effort, NCFTA was first established by the FBI, the National White Collar Crime Center, Carnegie Mellon University, and West Virginia University to test and investigate cybercrime tactics, help fight online threats, and prepare businesses and organizations to guard against such threats. As part of our NCFTA efforts, Microsoft helped develop Digital PhishNet (“DPN”), a collaborative enforcement operation to combat phishing that unites industry leaders in technology, banking, financial services, and online retail services with law enforcement. The DPN provides a database that allows companies and law enforcement officials to share information about phishing and strengthens international partnerships for identifying and tracking phishers. Microsoft sponsors and facilitates international DPN conferences to develop partnerships, share knowledge, and expand relationships internationally among those on the front lines of the phishing threat. Through these conferences, DPN facilitates cooperation between industry and law enforcement, presents specific case studies of successful phishing enforcement actions, and provides hands-on training about how to conduct phishing investigations. Additionally, when Microsoft issues takedown notices for fraudulent Web sites, the notices request that the Web host or registrar redirect phishing sites to a DPN page for consumer education.
Microsoft’s support of and participation in DPN is having a measurable, positive impact on investigations. For example, DPN members have been working with NCFTA and the FBI to understand the inside workings of the “Rock Phish,” a pervasive global phishing operation. Rock Phish attacks have targeted more than 80 global financial institutions, with a loss impact that is estimated to have exceeded $250 million (U.S.). The DPN Rock Phish Working Group has made significant breakthroughs over the past six months, much of which can be attributed to goals set during the 2007 DPN Conference held in Berlin.
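The Domain Defense program described above monitors new domain registrations for names that combine the Microsoft brand with common phishing terms. As an added illustration of that kind of watchlist match (example code written for this text, not Microsoft’s tooling), the Python below scans a constructed feed of newly registered names and flags the ones that pair a brand token with a phishing term, after normalizing separators and digit-for-letter substitutions. The brand tokens other than “microsoft”, the phishing terms other than “account” and “confirm”, the short two-label suffix list, the leet map, and the feed contents are all assumptions.

```python
import re
from typing import List, Optional, Tuple

# Brand tokens to watch for. "microsoft" is the name the report says is used;
# the other tokens are assumed product names a defender would add.
BRAND_TOKENS = ("microsoft", "windowslive", "hotmail", "msn")

# "account" and "confirm" are the terms the report names; the rest are assumed.
PHISHING_TERMS = ("account", "confirm", "verify", "update", "login", "secure", "billing")

# Without a public-suffix list, treat these two-label suffixes specially
# (assumed short list; a real deployment would load the full list).
TWO_LABEL_SUFFIXES = {"co.uk", "com.br", "com.au", "co.jp"}

# Digit-for-letter substitutions often seen in look-alike names (heuristic).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_name(domain: str) -> str:
    """Return the label the registrant chose: 'microsoft-account' for
    'www.microsoft-account.co.uk'. Lowercases and strips a trailing dot."""
    labels = domain.strip().lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return labels[0]
    return labels[-suffix_len - 1]


def normalize(label: str) -> str:
    """Drop separators and undo digit substitutions so variants compare alike."""
    return re.sub(r"[-_]", "", label).translate(LEET)


def matches(domain: str) -> Optional[Tuple[str, str]]:
    """(brand, term) if the name pairs a brand token with a phishing term, else None."""
    name = normalize(registrable_name(domain))
    brand = next((b for b in BRAND_TOKENS if b in name), None)
    if brand is None:
        return None
    term = next((t for t in PHISHING_TERMS if t in name), None)
    return (brand, term) if term else None


def scan_feed(feed: List[str]) -> List[Tuple[str, str, str]]:
    """Flag registrations for analyst review; blank and comment lines are skipped.
    A hit is a lead, not a verdict: the site content is still checked before a
    takedown notice goes out."""
    flagged = []
    for line in feed:
        domain = line.strip()
        if not domain or domain.startswith("#"):
            continue
        hit = matches(domain)
        if hit:
            flagged.append((domain, hit[0], hit[1]))
    return flagged


# Constructed sample feed of newly registered names (not real registrations).
SAMPLE_FEED = """
# constructed feed
microsoft.com
microsoft-account-confirm.example
www.hotmail-verify.co.uk
micr0soft-billing.net
confirm-accounts.example
windows-live-update.org
""".splitlines()


if __name__ == "__main__":
    for domain, brand, term in scan_feed(SAMPLE_FEED):
        print(f"{domain}: brand={brand} term={term}")
```

The match is deliberately recall-oriented: a name containing a brand token alone (microsoft.com) or a phishing term alone (confirm-accounts.example) is not flagged, while separator and digit tricks are folded away before comparison, so the analyst queue stays focused on names that combine both signals.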
Beating Botnets
The threats to online security have been enhanced by the prevalence of botnets, through which a series of machines under centralized control are used to launch a range of nefarious activities. Through a combination of teamwork, training, and technology, Microsoft works to identify, prosecute, and ultimately stop the developers and distributors of botnets.

Recognizing Trends. As malicious code attacks evolved beyond the Blaster and Sasser worms, Microsoft noted a trend in attacks toward the surreptitious creation of botnets. Additionally, we realized that the propagators of these bots had become increasingly sophisticated in their techniques and organizational structure, inflicting unprecedented personal and commercial harm on their victims. For example, these cybercriminals were no longer working alone, but rather as a loosely affiliated enterprise of criminals with specific roles. Recognizing these developments early, Microsoft mobilized an internal team focused on understanding the botnet threat and developing technical and other solutions to address it.

Enforcement Successes. Our work to combat the botnet threat has included support for a number of successful enforcement actions around the world. The Zotob investigation, which resulted in the arrest of the distributors of the Zotob and Mytob worms in 2005, served as an early example of the type of success that could be achieved through international law enforcement, industry, and the judicial system cooperating to hold cybercriminals responsible for their actions. Subsequently, Microsoft aided the Federal Bureau of Investigation in “Operation Bot Roast,” an ongoing operation announced in June 2007 that is aimed at disrupting and dismantling persons utilizing botnets. In conjunction with this coordinated initiative, approximately 1 million compromised computers throughout the United States have been identified.
Additionally, as a direct result of the operation, the FBI has charged numerous individuals with cyber crimes, including a Seattle resident accused of using botnets to send tens of millions of spam messages touting his Web site; a Texas resident accused of infecting tens of thousands of computers worldwide, including some Chicago-area hospitals; and a Kentucky resident charged with using botnets to disable other systems. The Microsoft Internet Crime Investigations Team provided technical information and analytical support for a number of these actions, and led the mitigation, along with several other companies, by taking down the botnets’ command and control servers. The press release announcing Operation Bot Roast stated, “The FBI also wants to thank our industry partners, such as the Microsoft Corporation and the Botnet Task Force, in referring criminal botnet activity to law enforcement.”
Stopping Spam
It is now widely accepted throughout the industry that unwanted commercial solicitations account for upwards of 90 percent of all e-mail sent across cyberspace today. The sheer volume of this unsolicited e-mail can be enough to disrupt communication networks. It is also a costly problem: In 2007, Ferris Research estimated that the global cost of spam is $100 billion (U.S.) worldwide, including $35 billion (U.S.) in the United States. Moreover, spam is frequently the predicate to many other forms of online criminal activity, including phishing and other fraudulent scams, spyware programs, and malicious code. Microsoft has technologies, investigators, technical and forensic experts, and other resources to lend to worldwide efforts to combat spam.

Enforcement: Through the end of 2007, Microsoft has filed nearly 250 legal actions worldwide against spammers, often working with law enforcement officials in North America, Europe, the Asia-Pacific region, Africa, and South America. Recently, Alan Ralsky—one of the world’s most prolific spammers, whose sophisticated scheme brought in millions of dollars by manipulating Chinese stock prices—was indicted along with 10 others. Microsoft contributed to the investigation by generating much of the information leading to the arrests and indictments, and by briefing the FBI, the Postal Inspection Service, the IRS, and the U.S. Attorney’s Office on Ralsky’s operation. Additionally, in November 2007, Microsoft provided live testimony as a government witness during a federal anti-spam sentencing hearing in Denver, CO. This testimony was the primary evidence used by the Court to rule in the United States’ favor on one of the most important unresolved issues related to criminal anti-spam enforcement efforts: the appropriate measure of financial loss. The Court’s conviction and imposition of a 30-month prison sentence was a significant victory and a first-of-its-kind sentencing decision under the CAN-SPAM Act.
London Action Plan: Microsoft was the first private sector participant in the London Action Plan, a coalition of international agencies that supports global cooperation on network security, law enforcement, and improved consumer awareness to combat spam. Microsoft has organized and participated in conferences around the world dedicated to facilitating public-private partnerships to combat spam. For example, Microsoft helped to sponsor the first Spam Enforcement Conference in London in November 2005. The event brought together authorities from Britain’s Office of Fair Trading, its Department of Trade and Industry, and the EU’s Contact Network of Spam Authorities (“CNSA”) in a productive exchange with industry partners to discuss ways to limit spam.
88
International Efforts: Our initiatives in Nigeria and France demonstrate the versatility of Microsoft efforts to combat spam. In October 2005, Microsoft signed a Memorandum of Understanding (“MOU”) with Nigeria’s Economic & Financial Crimes Commission (“EFCC”) to support Nigeria’s efforts to combat cybercrime. In particular, the MOU targets financial scams (known as “419 scams” after the relevant section of the Nigerian criminal code) that are propagated through spam. Under the terms of the MOU, Microsoft provides the EFCC with training, technical assistance, and investigative help to prevent and prosecute such activities. As of May 2006, Microsoft efforts had helped Nigerian officials in a dozen enforcement actions. Similarly, in France, Microsoft was the first private company to support the creation of Signal Spam, an anti-spam platform created in France in association with public and private sector entities. Signal Spam offers Internet users two methods for reporting spam. First, a user can copy and paste the spam into the platform’s online form. Second, a user can install a plug-in that lets the user’s e-mail client notify the platform when it receives suspected spam. Signal Spam then analyzes the message and, if it is confirmed as spam, blacklists the sender’s IP address. Data collected through the platform is also shared with French law enforcement authorities, as well as ISPs, to assist in anti-spam investigations and prosecutions. Since it was launched in May 2007, Signal Spam has received a tremendous volume of reports—more than 4 million reports of spam from 300,000 users.
Committed to being a good corporate citizen, Microsoft dedicates our technological innovation and experience to these and numerous other initiatives in order to make the online environment safer and more secure for all users.
89
Microsoft Malware Protection Center Executive Afterword
Thank you for taking the time to read this latest volume of the Microsoft Security Intelligence Report. Over the past two years, the report has evolved into a comprehensive assessment of the worldwide IT threat landscape from the perspective of Microsoft, including, for this volume, new content on privacy and security breaches, and our efforts in supporting law enforcement organizations worldwide. We have also provided more data and insights into spam and phishing than in past reports. Looking at the data contained in this report covering the second half of 2007, we can see that antimalware products and solutions from Microsoft and our partners have successfully detected and removed more malware and potentially unwanted software – and more variants of those threats – than ever before. During the same period we saw a continuation of the shift of malware away from an amateur phenomenon to a professional criminal tool. Taking a closer look at the data contained in this report, we can identify a number of key changes in the threat landscape. We saw a 300% increase in the number of trojan downloaders and droppers that were identified and removed by the MSRT, the vast majority coming from four families: Win32/Zlob and Win32/Renos, which were also prevalent in the first half of 2007, and the newer families Win32/ConHook and Win32/RJump. Downloaders have become the delivery mechanism of choice for malware authors, who rely on rapidly developing variations of a downloader in attempts to defeat anti-malware software. During the second half of 2007, we detected nearly 85,000 variants of the Win32/Zlob family, making it the most widespread malware family in the world by a large margin. Phishing attacks continue to pose a significant threat to computer users and have evolved from a predominantly e-mail-based phenomenon to target social networks and take advantage of the user’s place in these networks.
Phishing remains a largely English-language occurrence, with other European languages accounting for most of the remainder. The total number of phishing pages detected remained roughly the same during the second half of 2007. In the last Security Intelligence Report, I shared my thoughts on how the threat landscape would evolve during the second half of 2007. Let’s look back at those predictions and see how I did. I outlined some broad thoughts on how the wider threat landscape would change:
• Criminals will continue to focus their efforts on financial gains and will continue to leverage trojan downloaders, bots, spam, phishing, targeted attacks, and social engineering to do this.
  • This is indeed the case, as we see from the dramatic rise in trojan downloaders and the ongoing fight against the Win32/Nuwar (or storm worm) family of malware, which is used to send out huge amounts of spam from compromised machines.
• Criminals will continue to focus on the development of malware and potentially unwanted software that seek to violate the privacy and security of individuals and organizations.
  • Again, this is behavior that we are seeing, with many families of malware and potentially unwanted software being updated or altered by their authors many times per day; in fact, the Win32/Zlob family of downloader/droppers generated almost 85,000 unique variations during the second half of 2007.
90
I also made some bolder statements about the future:
• Windows Vista will continue to make a difference in the PC ecosystem.
  • I am pleased to report that the focus put on security during the development of Windows Vista continues to show results. In the second half of 2007, our tools proportionally removed malware from 87% fewer Windows Vista-based computers than computers running Windows XP with Service Pack 1 installed. For computers running Windows XP with no Service Pack installed, the difference was 91%.
• Enterprises that use e-mail filtering systems and e-mail authentication systems will reduce the number of e-mail–based attacks that make it through to users’ inboxes.
  • Microsoft Exchange Hosted Services blocked 94% of inbound messages during the second half of 2007.
• Enterprises and consumers that use up-to-date anti-malware solutions will be better protected.
  • As I hope is obvious from the amount of malware and potentially unwanted software detected and removed from computers around the world, customers who used up-to-date anti-malware solutions were indeed better protected. This advice remains just as relevant for 2008.
So, what statements about the future would I make for the first half of 2008?
• Criminals will continue to use malware and potentially unwanted software as tools to attack their targets in the hopes of financial reward. These attacks will focus increasingly on social engineering for their effectiveness and on targeting computer applications rather than operating systems.
• We will see Windows Vista and Windows Server 2008 continue to turn up the dial on security—the release of Service Pack 1 will enhance the security of Windows Vista even further.
As I said in my closing remarks for the last volume of this report, Microsoft and the Microsoft Malware Protection Center will continue to work to help protect customers and the PC ecosystem. We are very proud of the quality of our anti-malware technology, but rest assured we will continue to work to evolve, improve and enhance our technology and response systems to continue protecting our customers. Again, thank you for reading this report. I hope you found it informative and useful. Please help us to improve future volumes of the Microsoft Security Intelligence Report—we are always interested to hear your feedback and thoughts on how we can better address your needs. Please send your feedback to the Microsoft Security Intelligence Report team at sirfb@microsoft.com.
Vinny Gullotto
General Manager
Microsoft Malware Protection Center
Microsoft Corporation
91
Glossary

Adware
A program that displays advertisements. While some adware can be beneficial by subsidizing a program or service, other adware programs may display advertisements without adequate consent.

Backdoor trojan
A type of trojan that provides attackers with remote access to infected computers. Bots are a subcategory of backdoor trojans (see botnet).

Botnet
A set of computers controlled by a “command and control” (C&C) computer to execute commands as directed. The C&C computer can issue commands directly (often through Internet Relay Chat, or IRC) or by using a decentralized mechanism, like peer-to-peer (P2P) networking.

Browser modifier
A program that changes browser settings, such as the home page, without adequate consent. Also includes browser hijackers.

Clean
To remove malware or potentially unwanted software from an infected computer. A single cleaning can involve multiple disinfections.

Cybersquatting
The act of registering, trafficking in, or using a domain name with bad-faith intent to profit from the goodwill of a trademark belonging to someone else.

Dialer
A program that generates unauthorized telephone calls that may have an associated cost to the individual.

Disinfect
To remove a malware or potentially unwanted software component from a computer, or to restore functionality to an infected program. Compare to Clean.

Exploit
Malicious code that takes advantage of software vulnerabilities to infect a computer.

IM worm
Malware that spreads through instant messaging (IM) applications, such as Windows Live Messenger and AOL Instant Messenger, typically by sending IM messages that include a link to an infected copy of itself.
92
Joke program
A program that pretends to do something malicious but actually does nothing harmful (for example, pretending to delete files or format disks).

Malware
Malicious software or potentially unwanted software installed without adequate user consent.

Mass-mailing worm
Malware that spreads by spontaneously sending copies of itself through e-mail.

Microsoft Windows Malicious Software Removal Tool (MSRT)
The MSRT is designed to help identify and remove specifically targeted, prevalent malware from customer computers, and is available at no charge to licensed Windows users. The main release mechanism of the MSRT is through Windows Update (WU), Microsoft Update (MU), or Automatic Updates (AU). A version of the tool is also available for download from the Microsoft Download Center. The MSRT is not a replacement for an up-to-date antivirus solution because it specifically targets only a small subset of malware families that are determined to be particularly prevalent. Further, the MSRT includes no real-time protection and cannot be used for the prevention of malware. More details about the MSRT are available at http://www.microsoft.com/security/malwareremove/default.mspx.

Monitoring software
Commercially available software that monitors activity, usually by capturing keystrokes or screen images. It may also include network sniffing software.

P2P worm
Malware that copies itself to file shares that are associated with peer-to-peer (P2P) applications, such as KaZaA and Winny, to facilitate its spread over those networks.

Password stealer/keylogger
A password stealer (PWS) is malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger, which sends keystrokes and/or screenshots to an attacker.

Potentially unwanted software
A program with potentially unwanted behavior that is brought to the user’s attention for review. This behavior may impact the user’s privacy, security, or computing experience.

Reinfection
When a computer becomes infected after having previously been cleaned or disinfected. Reinfection typically occurs when a user repeats usage patterns without completely updating the computer’s anti-malware protection during the disinfection process.
93
Remote control software
A program that provides access to a computer from a remote location. These programs are often installed by the computer owner or administrator, and are only a risk if unexpected.

Rogue security software
Software that appears to be beneficial from a security perspective but which provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or which may attempt to socially engineer the user into participating in a fraudulent transaction.

Sender ID Framework
An Internet Engineering Task Force (IETF) protocol developed to authenticate e-mail in order to detect spoofed and forged e-mail, a typical tactic used to drive users to phishing Web sites and to download malicious software.

Settings modifier
A program that changes computer settings with or without the user’s knowledge.

Software bundler
A program that installs other potentially unwanted software, such as adware or spyware. The license agreement of the bundling program may require these other components in order to function.

Spyware
A program that collects information, such as the Web sites a user visits, without adequate consent. Installation may be without prominent notice or without the user’s knowledge.

Tool
Software that may have legitimate purposes, but which may also be used by malware authors or attackers.

Trojan
A generally self-contained program that does not self-replicate, but takes malicious action on the computer.

Trojan downloader/dropper
A form of trojan that installs other malicious files on the infected system, either by downloading them from a remote computer or by dropping them directly from a copy contained in its own code.

Typosquatting
A form of cybersquatting where someone registers a domain name of a highly visited Web site, except with typographical errors (for example, microsooft.com).

Virus
Malware that replicates, commonly by infecting other files in the system, thus allowing the execution of the malware code and its propagation when those files are activated. Other forms of viruses include boot sector viruses and replicating worms.
94
Appendix A: Data Sources
Software Vulnerabilities
The efforts to identify and fix vulnerabilities lacked a common naming mechanism until a consortium led by The MITRE Corporation began publishing the Common Vulnerabilities and Exposures (CVE) list, which provides a common naming mechanism that can be leveraged by multiple vulnerability databases and security products. The CVE naming conventions provide the most comprehensive list of vulnerabilities worldwide, across software products of all types. This report uses the CVE naming conventions when identifying individual vulnerabilities. The analysis in this report uses a set of data that has been created by compiling, customizing, and cross-checking several sources of data available on the Internet:
• Common Vulnerabilities and Exposures Web site (http://cve.mitre.org).
  • A large portion of the data analyzed originates from the CVE list maintained at this site, which is currently sponsored by the United States Department of Homeland Security (DHS). The naming mechanisms and external references to sources for additional information were particularly valuable.
• National Vulnerability Database (NVD) Web site (http://nvd.nist.gov).
  • This database, a superset of the CVE list that provides additional objective information concerning vulnerabilities, was the source used to determine severity ratings and exploit complexity assessments. The NVD is also sponsored by the United States DHS, and its data is downloadable in XML format at http://nvd.nist.gov/download.cfm.
• Security Web sites. The following sites, as well as many others, were utilized for detailed verification and validation of vulnerability specifics:
  • http://www.securityfocus.com
  • http://www.secunia.com
  • http://www.securitytracker.com
• Vendor Web sites and support sites. The following sites, as well as others, were utilized for confirmation and validation of vulnerability details:
  • https://rhn.redhat.com/errata
  • http://support.novell.com/linux/psdb
  • http://sunsolve.sun.com
  • http://www.microsoft.com/technet/security/current.aspx
  • http://www.ubuntu.com/usn
95
By leveraging these sources, as well as many others, Microsoft has compiled a database of disclosure dates for vulnerabilities that can be used to determine the year, month, and day that each vulnerability was disclosed publicly and broadly for the first time. Note that, in this report, disclosure is used to mean broad and public disclosure, and not any sort of private disclosure or disclosure to a limited number of people.
Malicious Software and Potentially Unwanted Software
Telemetry from several customer-focused Microsoft security products and services, including the Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services, representing a total user base of several hundred million computers, was used to compile the trends and information provided in this report. Figure 1 shows the main data sources used in this report to compile data on the prevalence of malicious and potentially unwanted software.
Figure 1. Data sources
Columns: Product Name; Main Customer Segment (Consumers, Business); Malicious Software Scan and Remove; Malicious Software Real-Time Protection; Spyware and Potentially Unwanted Software Scan and Remove; Spyware and Potentially Unwanted Software Real-Time Protection; Prevalent Malware Families; Available at No Additional Charge; Main Distribution Methods.
Products and their Main Distribution Methods:
• Windows Malicious Software Removal Tool: WU / AU, Download Center
• Windows Defender: Download Center, Windows Vista
• Windows Live OneCare Safety Scanner: Web
• Windows Live OneCare: Web / Store Purchase
• Microsoft Exchange Hosted Filtering: Web
• Forefront Client Security: Volume Licensing
(The per-product check marks in the remaining columns did not survive extraction of the figure.)
96
The MSRT is a free tool designed to help identify and remove prevalent malware families from customer computers. The MSRT is primarily released as an important update through Windows Update (WU), Microsoft Update (MU), and Automatic Updates (AU). A version of the tool is also available from the Microsoft Download Center. The MSRT helps remove specific, prevalent malware from computers that are running Windows Vista, Windows Server 2003, Windows XP, and Windows 2000. As of December 2007, the tool detects and removes 96 different malware families, each of which is currently prevalent or was prevalent at the time it was added. The MSRT is not a replacement for an up-to-date antivirus solution because of its lack of real-time protection and also because it uses only the portion of the Microsoft antivirus signature database that enables it to target specifically selected, prevalent malicious software. By the end of 2H07, the MSRT was executing on more than 450 million computers worldwide every month. A large majority (87 percent) of these executions involved computers running Windows XP, with all but a tiny fraction of these running Windows XP SP2. This is due to the fact that SP2 encourages users to enable Windows Automatic Updates, which allows the MSRT to download and execute automatically. Among other operating systems, Windows Vista continues to rise sharply, with monthly executions more than doubling between July and December 2007. Executions on Windows 2000 and Windows Server 2003 remained flat throughout the period and together account for less than 4 percent of total executions. A major change to the Microsoft Update reporting system in October boosted reported executions by almost 90 million per month, as reflected in the data. (See Figure 18 on page 40 for a breakdown of operating system executions by month.)
Windows Live OneCare is a real-time protection product that combines an antivirus and antispyware scanner with phishing and firewall protection. Unlike the MSRT, which targets a small number of currently active malware families and is issued monthly, Windows Live OneCare uses the complete Microsoft antivirus signature database, retrieving a signature file update daily from Microsoft servers. Unlike the MSRT, which can be downloaded free of charge for compatible versions of Windows, Windows Live OneCare is a commercial product, offered for purchase by individuals and enterprise customers on a subscription basis. The Windows Live OneCare product family also includes the Windows Live OneCare safety scanner (http://safety.live.com), which is a free, online tool that detects and removes malware and potentially unwanted software using the same signature database as the Windows Live OneCare client product. Unlike the Windows Live OneCare client product (but like the MSRT), the Windows Live OneCare safety scanner does not offer real-time protection and cannot prevent a user’s computer from becoming infected. The
97
Windows Live OneCare safety scanner is available worldwide in dozens of different languages and was used to scan computers for malware more than 8.3 million times in 2H07. Toward the end of 2H07 it was being used to perform about 1.8 million malware scans per month, as shown in Figure 2.
Figure 2. Malware scans performed by Windows Live OneCare safety scanner per month, January 2006–December 2007 (chart: Safety Scanner Malware Scans per month, Jan-06 through Dec-07, vertical axis 0 to 2 million)
Windows Defender is a free program that provides real-time protection against pop-ups, slow performance, and security threats caused by spyware and other potentially unwanted software. Windows Defender was formally released on October 23, 2006, and by the end of 2007 was installed on more than 42 million computers running Windows XP SP2, Windows Server 2003, and Windows Vista in two dozen different languages. Windows Defender is included with Windows Vista as an integrated component of the operating system rather than as a separate download, which has significantly increased the program’s installed base.
98
If you would like more information about the products, services, and tools used as data sources for this report, please use the URLs provided below.
• The Microsoft Malware Protection Center Portal: http://www.microsoft.com/av
• Windows Malicious Software Removal Tool: http://www.microsoft.com/malwareremove
• Windows Defender: http://www.microsoft.com/windowsdefender
• Windows Live OneCare: http://onecare.live.com
• Windows Live OneCare safety scanner: http://onecare.live.com/scan
• Microsoft Exchange Hosted Services: http://www.microsoft.com/exchange/services/default.mspx
• Microsoft Forefront Client Security: http://www.microsoft.com/clientsecurity
• Microsoft Forefront Security for Exchange Server: http://www.microsoft.com/forefront/serversecurity/exchange/download.mspx
• Microsoft Online Safety Technologies (anti-spam and anti-phishing): http://www.microsoft.com/safety
• Sender ID Framework: http://www.microsoft.com/senderid
99
Appendix B: Exploit Counts by Microsoft Security Bulletin and CVE ID
These are comprehensive tallies of publicly available exploits for a range of Microsoft products, cataloged by the Microsoft Security Response Center (MSRC) and by the Common Vulnerabilities and Exposures (CVE) database at http://cve.mitre.org. See Figure 12 on page 30 and Figure 13 on page 31 for exploit tallies for Microsoft Internet Explorer, the Microsoft Office system, and Microsoft Windows. For more information about how this data was collected, see “Software Vulnerability Exploits” beginning on page 27.
Exploits by Microsoft Security Bulletin
(Two rows under Internet Explorer carry the version label 5 in the source text.)

Product | Version | 2006 Microsoft Security Bulletin Count | 2006 Exploits | 2006 Percentage | 2007 Microsoft Security Bulletin Count | 2007 Exploits | 2007 Percentage | Delta
--- | --- | --- | --- | --- | --- | --- | --- | ---
Outlook Express | 5 | 1 | 0 | 0.0% | 1 | 0 | 0.0% | 0.0%
Outlook Express | 6 | 3 | 1 | 33.3% | 2 | 1 | 50.0% | 16.7%
Outlook Express | Windows Vista Mail | 0 | 0 | — | 2 | 1 | 50.0% | —
Internet Explorer | 5 | 8 | 4 | 50.0% | 8 | 3 | 37.5% | -12.5%
Internet Explorer | 6 | 7 | 3 | 42.9% | 8 | 3 | 37.5% | -5.4%
Internet Explorer | 7 | 0 | 0 | — | 8 | 3 | 37.5% | —
Internet Explorer | 5 | 1 | 0 | 0.0% | 0 | 0 | — | —
Internet Explorer | 5.5 | 1 | 0 | 0.0% | 0 | 0 | — | —
Exchange | 2000 | 3 | 1 | 33.3% | 1 | 1 | 100.0% | 66.7%
Exchange | 2003 | 2 | 1 | 50.0% | 1 | 1 | 100.0% | 50.0%
Exchange | 2007 | 0 | 0 | — | 1 | 1 | 100.0% | —
Media Player | 6 | 1 | 0 | 0.0% | 0 | 0 | — | —
Media Player | 7.1 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
Media Player | 9 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
Media Player | 10 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
Media Player | 11 | 0 | 0 | — | 1 | 0 | 0.0% | —
100
Exploits by Microsoft Security Bulletin (continued)

Product | Version | 2006 Microsoft Security Bulletin Count | 2006 Exploits | 2006 Percentage | 2007 Microsoft Security Bulletin Count | 2007 Exploits | 2007 Percentage | Delta
--- | --- | --- | --- | --- | --- | --- | --- | ---
Works | 2000 | 2 | 1 | 50.0% | 0 | 0 | — | —
Works | 2001 | 2 | 1 | 50.0% | 0 | 0 | — | —
Works | 2002 | 2 | 1 | 50.0% | 0 | 0 | — | —
Works | 2003 | 2 | 1 | 50.0% | 0 | 0 | — | —
Works | 2004 | 6 | 4 | 66.7% | 3 | 3 | 100.0% | 33.3%
Works | 2005 | 6 | 4 | 66.7% | 3 | 3 | 100.0% | 33.3%
Works | 2006 | 6 | 4 | 66.7% | 2 | 2 | 100.0% | 33.3%
.NET | 2 | 2 | 2 | 100.0% | 1 | 0 | 0.0% | -100.0%
IIS | 5 | 1 | 1 | 100.0% | 1 | 1 | 100.0% | 0.0%
IIS | 6 | 1 | 1 | 100.0% | 0 | 1 | — | —
Project | 2000 | 4 | 2 | 50.0% | 2 | 2 | 100.0% | 50.0%
Project | 2002 | 4 | 2 | 50.0% | 2 | 2 | 100.0% | 50.0%
Visual Studio® | 2005 | 1 | 1 | 100.0% | 1 | 1 | 100.0% | 0.0%
Visual Studio® | .NET 2002 | 0 | 0 | — | 2 | 1 | 50.0% | —
Visual Studio® | .NET 2003 | 0 | 0 | — | 2 | 1 | 50.0% | —
CAPICOM | N/A | 0 | 0 | — | 1 | 0 | 0.0% | —
Biztalk® | 2004 | 0 | 0 | — | 1 | 0 | 0.0% | —
MCMS | 2001 | 0 | 0 | — | 1 | 1 | 100.0% | —
MCMS | 2002 | 0 | 0 | — | 1 | 1 | 100.0% | —
101
Exploits by CVE ID
(Two rows under Internet Explorer carry the version label 5 in the source text.)

Product | Version | 2006 CVE ID Count | 2006 CVE Exploits | 2006 Percentage | 2007 CVE ID Count | 2007 CVE Exploits | 2007 Percentage | Delta
--- | --- | --- | --- | --- | --- | --- | --- | ---
Outlook Express | 5 | 2 | 0 | 0.0% | 1 | 0 | 0.0% | 0.0%
Outlook Express | 6 | 3 | 1 | 33.3% | 5 | 3 | 60.0% | 26.7%
Outlook Express | Windows Vista Mail | 0 | 0 | — | 5 | 3 | 60.0% | —
Internet Explorer | 5 | 26 | 7 | 26.9% | 19 | 3 | 15.8% | -11.1%
Internet Explorer | 6 | 26 | 5 | 19.2% | 19 | 3 | 15.8% | -3.4%
Internet Explorer | 7 | 0 | 0 | — | 19 | 3 | 15.8% | —
Internet Explorer | 5 | 1 | 0 | 0.0% | 0 | 0 | — | —
Internet Explorer | 5.5 | 1 | 0 | 0.0% | 0 | 0 | — | —
Exchange | 2000 | 3 | 1 | 33.3% | 4 | 1 | 25.0% | -8.3%
Exchange | 2003 | 2 | 1 | 50.0% | 4 | 1 | 25.0% | -25.0%
Exchange | 2007 | 0 | 0 | — | 4 | 1 | 25.0% | —
Media Player | 6 | 0 | 0 | — | 0 | 0 | — | —
Media Player | 7.1 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
Media Player | 9 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
Media Player | 10 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
Media Player | 11 | 0 | 0 | — | 2 | 0 | 0.0% | —
Works | 2000 | 7 | 3 | 42.9% | 0 | 0 | — | —
Works | 2001 | 7 | 3 | 42.9% | 0 | 0 | — | —
Works | 2002 | 7 | 3 | 42.9% | 0 | 0 | — | —
Works | 2003 | 7 | 3 | 42.9% | 0 | 0 | — | —
Works | 2004 | 21 | 8 | 38.1% | 9 | 5 | 55.6% | 17.5%
Works | 2005 | 21 | 8 | 38.1% | 9 | 5 | 55.6% | 17.5%
Works | 2006 | 21 | 8 | 38.1% | 4 | 3 | 75.0% | 36.9%
.NET | 2 | 2 | 2 | 100.0% | 2 | 0 | 0.0% | -100.0%
102
Exploits by CVE ID (continued)

Product | Version | 2006 CVE ID Count | 2006 CVE Exploits | 2006 Percentage | 2007 CVE ID Count | 2007 CVE Exploits | 2007 Percentage | Delta
--- | --- | --- | --- | --- | --- | --- | --- | ---
IIS | 5 | 1 | 1 | 100.0% | 0 | 1 | — | —
IIS | 6 | 1 | 1 | 100.0% | 0 | 1 | — | —
Project | 2000 | 11 | 2 | 18.2% | 3 | 2 | 66.7% | 48.5%
Project | 2002 | 11 | 2 | 18.2% | 3 | 2 | 66.7% | 48.5%
Visual Studio® | 2005 | 1 | 1 | 100.0% | 1 | 1 | 100.0% | 0.0%
Visual Studio® | .NET 2002 | 0 | 0 | — | 2 | 1 | 50.0% | —
Visual Studio® | .NET 2003 | 0 | 0 | — | 2 | 1 | 50.0% | —
CAPICOM | N/A | 0 | 0 | — | 1 | 0 | 0.0% | —
Biztalk® | 2004 | 0 | 0 | — | 1 | 0 | 0.0% | —
MCMS | 2001 | 0 | 0 | — | 1 | 1 | 100.0% | —
MCMS | 2002 | 0 | 0 | — | 1 | 1 | 100.0% | —
103