Microsoft Security Intelligence Report
Presentation given at the Microsoft UK Architect Council Meeting at Bletchley Park. Presented by Cliff Evans.

Microsoft Security Intelligence Report Briefing Presentation
Volume 6 (July through December 2008)
Security Intelligence Report volume 6 (July-December 2008)
The report addresses data and trends observed over the past several years, but focuses on the second half of 2008 (2H08). Major sections cover:
- The Threat Ecosystem
- Software Vulnerability Disclosures
- Software Vulnerability Exploits
- Browser-Based and Document Format Exploits
- Security and Privacy Breaches
- Malicious Software and Potentially Unwanted Software
- Email, Spam, Phishing and Drive-By Download Threats
- Special Focus on Rogue Security Software
The report builds on five previous editions of the SIR.
Security Intelligence Report volume 6 (July-December 2008): Data Sources
Software Vulnerability Disclosures:
- Common Vulnerabilities and Exposures Web site: http://cve.mitre.org, http://www.first.org/cvss
- National Vulnerability Database (NVD) Web site: http://nvd.nist.gov/
- Security Web sites
- Vendor Web sites and support sites
Security Breach Notifications: http://datalossdb.org
Security Intelligence Report volume 6 (July-December 2008): Data Sources
Malicious Software and Potentially Unwanted Software:
- Data from several hundred million computers worldwide
- Some of the busiest services on the Internet (e.g. Hotmail)
- During 2H08 the MSRT executed 2.2 billion times
- Since January 2005 total MSRT executions surpass 15 billion
Microsoft security products contributing data. Columns on the original slide: Product Name; Main Customer Segment (Consumers, Business); Malicious Software (Scan and Remove, Real-time Protection); Spyware and Potentially Unwanted Software (Scan and Remove, Real-time Protection); Available at No Additional Charge; Main Distribution Methods. A ● marks each capability that applies; the marks below are kept as they appear on the slide.

Product Name                                      Marks (as on slide)                      Main Distribution Methods
Windows Malicious Software Removal Tool           ● Prevalent Malware Families ●           WU/AU, Download Center
Windows Defender                                  ● ● ● ●                                  Download Center, Windows Vista
Windows Live OneCare safety scanner               ● ● ● ●                                  Web
Windows Live OneCare                              ● ● ● ● ●                                Web/Store Purchase
Microsoft Forefront Online Security for Exchange  ● ● ●                                    Web
Forefront Client Security                         ● ● ● ● ●                                Volume Licensing

Also data from Windows Live Search and the Microsoft Windows Safety Platform.
Software Vulnerability Disclosure Trends

Industry Wide Software Vulnerability Disclosures: by half year, industry wide
- Disclosures in 2H08 down 3% from 1H08
- Disclosures for all of 2008 down 12% from 2007
Chart: Industry-wide vulnerability disclosures by half-year, 2H03-2H08 (x-axis: 2H03 through 2H08; y-axis: 0 to 3,500 disclosures)
Security Vulnerability Disclosures: Operating system, Browser and Application Disclosures – Industry Wide
- Operating system vulnerabilities – 8.8% of the total
- Browser vulnerabilities – 4.5% of the total
- Other vulnerabilities – 86.7% of the total
Chart: Industry-wide operating system, browser, and other vulnerabilities, 2H03-2H08 (x-axis: 2H03 through 2H08; y-axis: 0 to 3,500; series: Operating System Vulnerabilities, Browser Vulnerabilities, All Other)
Security Vulnerability Disclosures: Microsoft vulnerability disclosures
Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
Chart: Vulnerability disclosures for Microsoft and non-Microsoft products, 2H03-2H08 (series: Non-Microsoft, Microsoft)
Software Vulnerability Exploit Trends

Microsoft Vulnerability Exploit Details: Top 10 browser-based exploits on Windows XP-based machines
- On Windows XP-based machines Microsoft software accounted for 6 of the top 10 vulnerabilities
- The most commonly exploited vulnerability was disclosed and patched by Microsoft in 2006
Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows XP, 2H08 (y-axis in percent of exploits; series: Microsoft Vulnerabilities, Third-Party Vulnerabilities)

Microsoft Vulnerability Exploit Details: Top 10 browser-based exploits on Windows Vista-based machines
- On Windows Vista-based machines Microsoft software accounted for none of the top 10 vulnerabilities
Chart: The 10 browser-based vulnerabilities exploited most often on computers running Windows Vista, 2H08 (y-axis in percent of exploits; series: Third-Party Vulnerabilities)
Microsoft Office File Format Exploits: Infection Patterns by Office Update Level
- RTM versions of Office suites targeted most often
- For Office 2000, all attacks observed were against the RTM version
Chart: Breakdown of the sample set of targeted computers by Office update level for Office 2003, Office XP, and Office 2000
- Office 2003: RTM 80.1%; SP1 8.3%; SP2 10.4%
- Office XP: RTM 60.9%; SP2 12.2%; SP3 18.3%; XP + MS08-026 8.7%
- Office 2000: RTM 100%
Adobe PDF Document Exploits: Exploits against common document formats
- Attacks spiked significantly in 2H08
- Both vulnerabilities exploited had updates available from Adobe and did not exist in the most recent version of Adobe products
Chart: Adobe Reader exploits by month in 2008, indexed to the monthly average for 2H08 (x-axis: January through December; y-axis: 0% to 250%; series: CVE-2007-5659, CVE-2008-2992)
PDF File Format Exploits: Vulnerability of recent Adobe Reader releases

Adobe Reader Version   Vulnerable to CVE-2007-5659?   Vulnerable to CVE-2008-2992?
7.0.0.0                Yes                            No
7.0.8.218              Yes                            No
8.0.0.456              Yes                            Yes
8.1.0.137              Yes                            Yes
8.1.3                  No                             No
9.0.0                  No                             No

Table: Vulnerability of recent Adobe Reader releases to CVE-2007-5659 and CVE-2008-2992
Newer versions of Adobe products are not vulnerable to these attacks.
Security Breach Trends

Security Breach Trends: Study details
- Study of publicly reported security breaches worldwide
- Hacking and viruses: less than 20% of all notifications in 2H08
- 50% of breaches in 2H08 resulted from stolen equipment
Chart: Security breach incidents by type, expressed as percentages of the total, 2H07-2H08 (categories: Stolen equipment, "Hack", Lost equipment, Accidental web, Fraud, Snail mail, Disposal, Malware, Missing; y-axis: 0% to 50%; series: 2H07, 1H08, 2H08)
Malicious and Potentially Unwanted Software

Malicious And Potentially Unwanted Software: Infection rates by country/region in 2H08
Worldwide malware infection rates

Lowest Infection Rates            Highest Infection Rates
Location               1H08       Location                  1H08
Vietnam                1.3        Serbia and Montenegro     77.0
Philippines            1.4        Russia                    21.1
Macao S.A.R.           1.5        Brazil                    20.9
Japan                  1.7        Turkey                    20.5
Morocco                2.1        Spain                     19.2
Pakistan               2.2        Saudi Arabia              18.5
Austria                2.3        Korea                     18.3
Luxembourg             2.5        Egypt                     16.5
Algeria                2.6        Mexico                    15.9
Finland                2.6        Guatemala                 13.9
Puerto Rico            2.7        Portugal                  13.4

The UK heat map infection rate (CCM) was 5.7 in 2H08, i.e. 5.7 systems infected for every 1,000 systems the MSRT executed on.
The worldwide average was 8.6 in 2H08.
Top Threats in United Kingdom: Disinfected Threats by Category in 2H08 (share of total taken from the pie chart on the same slide)

Category                               Infected Computers   Trend from 1H08   Share of total
Miscellaneous Trojans                  831,506              + 75.7%           28.5%
Trojan Downloaders & Droppers          689,709              + 7.4%            23.6%
Adware                                 650,310              - 5.2%            22.3%
Misc. Potentially Unwanted Software    458,168              - 26.6%           15.7%
Backdoors                              93,481               - 18.0%           3.2%
Worms                                  66,956               + 10.0%           2.3%
Password Stealers & Monitoring Tools   45,954               + 73.6%           1.6%
Exploits                               33,471               + 45.5%           1.1%
Viruses                                27,352               + 67.2%           0.9%
Spyware                                20,105               + 29.1%           0.7%
TOTAL                                                       + 8.3%
Data from All Microsoft Security Products: Top 25 Families in United Kingdom

Rank  Family                        Category                              Infected computers   Trend
1     Win32/ZangoSearchAssistant    Adware                                400,596              + 13.3%
2     Win32/Renos                   Trojan Downloaders & Droppers         329,368              + 213.3%
3     Win32/Zlob                    Trojan Downloaders & Droppers         325,628              - 21.9%
4     Win32/Vundo                   Misc. Trojans                         270,021              + 27.8%
5     Win32/ZangoShoppingreports    Adware                                205,727              + 20.0%
6     Win32/Hotbar                  Adware                                179,861              + 2.4%
7     Win32/FakeSecSen              Misc. Trojans                         125,321              New
8     Win32/FakeXPA                 Misc. Trojans                         112,358              New
9     Win32/Antivirus2008           Misc. Potentially Unwanted Software   86,509               New
10    ASX/Wimad                     Trojan Downloaders & Droppers         84,944
11    Win32/Playmp3z                Misc. Potentially Unwanted Software   83,190
12    Win32/Agent                   Misc. Trojans                         74,978
13    Win32/SeekmoSearchAssistant   Adware                                67,773
14    Win32/C2Lop                   Miscellaneous Trojans                 60,333
15    Win32/Meredrop                Miscellaneous Trojans                 50,837
16    Win32/Winfixer                Misc. Potentially Unwanted Software   50,750
17    Win32/Tibs                    Miscellaneous Trojans                 48,411
18    Win32/Starware                Misc. Potentially Unwanted Software   42,831
19    Win32/WinSpywareProtect       Trojan Downloader                     39,107
20    Win32/ConHook                 Miscellaneous Trojans                 36,127
21    Win32/Vapsup                  Misc. Potentially Unwanted Software   33,488
22    Win32/OneStepSearch           Misc. Potentially Unwanted Software   33,409
23    Win32/Alureon                 Miscellaneous Trojans                 33,397
24    Win32/Oderoor                 Backdoors                             32,556
25    Win32/AdRotator               Adware                                30,723
Malicious And Potentially Unwanted Software: Operating system trends
- The infection rate of Windows Vista SP1 was 60.6% less than Windows XP SP3
- Windows Vista with no service pack was 89.1% less than Windows XP with no service pack installed
Chart: number of computers cleaned per 1,000 executions, by operating system (values as labelled on the chart)

Operating System                    Computers cleaned per 1,000 executions
Windows XP RTM                      33.6
Windows XP SP1                      25.2
Windows XP SP2                      12.9
Windows XP SP3                      6.5
Windows Vista RTM                   3.7
Windows Vista SP1                   2.6
Windows Vista RTM (64-bit)          3.0
Windows Vista SP1 (64-bit)          2.5
Windows 2000 SP4                    3.8
Windows Server 2003 SP2             2.7
Windows Server 2008 RTM             1.3
Windows Server 2008 RTM (64-bit)    0.6
Rogue Security Software

Rogue Security Software: Profiting from Fear and Trust
- Some rogue security software families mimic genuine Windows security warnings
- Clicking “Recommendations” initiates a registration and purchase process

Rogue Security Software: Profiting from Fear and Trust
- Some variants of Win32/FakeXPA display fake “blue screen” error messages

Rogue Security Software: Profiting from Annoyance
- Some rogue security software families employ intrusive pop-up messages to persuade the user to purchase

Social Engineering as a Weapon: Legal Action Against Rogues
- The Microsoft Internet Safety Enforcement Team (ISET) partners with governments, law enforcement, and industry partners worldwide
- Several legal cases have been initiated against the creators and distributors of rogue security software
- For full details of these legal actions please refer to the full Security Intelligence Report volume 6 document
E-Mail Threats

E-Mail Threats: Spam Trends and Statistics
Chart: Percentage of incoming messages filtered by Forefront Online Security for Exchange, 1H06-2H08 (x-axis: 1H06 through 2H08; y-axis: 0% to 100%)
Microsoft Forefront Online Security for Exchange filtered 97.3 percent of all e-mail messages received in 2H08.

E-Mail Threats: Spam Trends and Statistics
Chart: Percentage of incoming messages blocked by Forefront Online Security for Exchange using edge-blocking and content filtering, 1H06-2H08 (x-axis: 1H06 through 2H08; y-axis: 0% to 100%; series: Edge Filtered, Content Filtered, Unfiltered)
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.