Tuesday, November 11, 2008

Microsoft Reveals Malware and Spam Trends

This week Microsoft released "Microsoft Security Intelligence Report 5". Like the previous volumes, this report compiles spam and malware information gathered by Microsoft's security-related teams over one half year, in this case January through June 2008. The 150-page report is described as "An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software, focusing on the first half of 2008".

The report shows that vulnerability disclosures by software vendors were down in 1H08: 4% fewer than in 2H07 and 19% fewer than in 1H07. However, the percentage of vulnerabilities rated "High" increased by 13%, so that 48% of all new vulnerabilities received a "High" severity rating under the Common Vulnerability Scoring System.

While we worry about hacking, one troubling trend is that more "data breaches" were caused by stolen equipment (37.2%) than by hack attacks (23%). We need to continue to stress proper data classification in all organizations, and then proper data handling based on that classification.

Browser Vulnerabilities

Vista came out with high marks compared to its predecessor, Windows XP. Microsoft vulnerabilities accounted for 42% of browser exploits on XP computers, including 5 of the top 10 browser exploits, but only 6% of the browser exploits on Vista involved Microsoft products, and 0 of the top 10.

One very interesting trend revealed by the report is that hackers continue to target particular geographies. Chinese computers were twice as likely as American computers to be victims of a browser-based exploit -- in part because of Chinese-market toolbars which contained vulnerabilities, such as the BaoFengStorm vulnerability and the BaiduToolbar vulnerability. Chinese computers accounted for 48% of the browser-based exploits, followed by 23% for American computers. Russian, Italian, British, Spanish, French, Turkish, German, and Korean computers trailed.

This is a good opportunity to stress the importance of timely installation of browser patches. Even though the report covers the first half of 2008, the top exploited browser vulnerabilities from the Microsoft family were all 2006 bulletins:

MS06-014 (MDAC_RDS)
MS06-071 (MSXML_setRequestHeader)
MS06-057 (WebViewFolderIcon)
MS06-067 (DirectAnimation_KeyFrame)
MS06-055 (VML)

The top exploited non-Microsoft vulnerabilities for 1H08 were:

CVE-2007-0015 (Apple_Quicktime_RTSP)
CVE-2008-1309 (RealPlayer_rmoc3260_Console)
CVE-2007-3148 (Yahoo_WebcamViewer_ActiveX)
CVE-2006-5198 (WinZip_CreateNewFolderFromName)
CVE-2007-5601 (RealPlayer_IERPCtl)

Spam, Spam, Spam, and Spam

One great graphic in the report, on page 67, shows the percentage of blocked spam by category.

Spam categories (the 1H08 Microsoft percentage is given first, followed by how we see the trend now at the UAB Spam Data Mine):
(30.6%) Pharmacy-Sexual -- UP!
(20.9%) Other Pharmacy -- Slightly Down
(19.9%) Non-Pharmacy Product Ads -- DOWN
(9.6%) Stock -- DOWN - almost non-existent
(8.6%) Dating/Sexually Explicit Material -- SIGNIFICANTLY UP
(3.8%) Gambling -- UP!
(2.5%) Phishing -- Constant
(1.9%) Fraudulent Diplomas -- Down
(1.1%) 419 Scams -- Constant

To me this graphic could be labeled "How Law Enforcement Should Spend Its Spam Fighting Resources". 51.5% of the spam Microsoft blocked during 1H08 was advertising pills! Whoever wants to take that on, please shoot me an email. We want to help. gar@cis.uab.edu


The most prevalent malware family, Win32/Zlob, is described in the report this way: "not especially notable from either a technical or a social-engineering perspective, Win32/Zlob deserves attention due to the sheer magnitude and persistence of the threat". The family has led the pack in number of infections since 1H07, and it continues to be removed by Microsoft security products more than twice as often as any other threat - around 9 million times in the first half of 2008.

Rather than recreate the entire geographic report, I thought it would be interesting to show the great difference between the Cyber Threat Experience in different geographies according to the Microsoft data.

In the United States, the top threat category was "Trojan Downloaders and Droppers" - those tiny files often encountered as "drive-by infectors" on webpages, whose only purpose is to download and execute additional code. In the US this accounted for 45.7% of the threat landscape, but in Brazil and China it was only 6.5%, while in Germany it was 39.5%. (NOTE: This is not saying 45.7% of US machines had a Trojan dropper -- it is saying that 45.7% of the machines which came to Microsoft's attention as having been infected had a Trojan dropper on them.)

In the United States, only 8.4% of the threat landscape in 1H08 was made up of machines that had a Backdoor installed on them. But in Korea 14.9% of compromised machines had a Backdoor, and in Italy the number was 16.8%!

We'll run through the other categories, comparing the United States to China, Brazil, Germany, and "The World":

Trojan Downloaders and Droppers:
US (45.7%) China (6.5%) Brazil (6.5%) Germany (39.5%) World (31.7%)

Other Trojans:
US (30.7%) China (22.2%) Brazil (8.2%) Germany (23.2%) World (23.9%)

US (21.1%) China (8.3%) Brazil (9.7%) Germany (25.7%) World (20%)

Other Potentially Unwanted Software:
US (23.6%) China (43.8%) Brazil (11.6%) Germany (24%) World (25%)

US (5.5%) China (10%) Brazil (11.6%) Germany (3.7%) World (11.3%)

Backdoors:
US (8.4%) China (9.9%) Brazil (3.7%) Germany (8.8%) World (9.2%)

Password and Monitoring Tools
US (2.5%) China (23.4%) Brazil (62.1%) Germany (1.7%) World (8.5%)

US (1.7%) China (3.1%) Brazil (2.3%) Germany (2%) World (3.3%)

US (1.5%) China (3.8%) Brazil (.5%) Germany (.7%) World (1.8%)

US (1.6%) China (.3%) Brazil (.1%) Germany (.8%) World (1%)

Another key question -- how many machines were found to be infected in the US vs. other parts of the world? That is, how many computers had SOMETHING removed by the Malicious Software Removal Tool?

United States 2H07 (8.9%) 1H08 (11.2%) +25.5%
Brazil 2H07 (13.2%) 1H08 (23.9%) +81.8%
China 2H07 (4.7%) 1H08 (6.6%) +41.1%
Germany 2H07 (4.4%) 1H08 (5.3%) +19.7%

One question about what those numbers mean, though -- is this an indication that computers in the US are twice as likely to be infected as computers in Germany? Or is it an indication that computers in the US are twice as likely to be running the Malicious Software Removal Tool as computers in Germany?

Specific Geographies

The second half of the report is dedicated to giving the specific numbers of computers on which Microsoft tools detected and cleaned the various categories, which helps answer the question raised above.

Some key findings in our chosen "comparison countries":

Brazil

"The threat landscape in Brazil is clearly dominated by malware. The top four families in Brazil are all malware families." In Brazil, 1,294,084 machines had "Other Trojans" removed from them, while 246,470 machines were infected by "Worms".

The Top Families in Brazil were:
Win32/Bancos - 894,666 infections (a "banking Trojan" that captures banking credentials, specifically targets Brazilian banks, and in some cases is able to alter transactions)
Win32/Banker - 359,933 infections (a "banking Trojan")
Win32/Rjump - 130,488 infections (a "USB-jumper" Worm)

China

32.5% of the computers in China are infected with "Other Potentially Unwanted Software", which can't be categorized as adware, spyware, or malware, but is still probably criminal - such as rogue security software, which is purchased from criminals and does nothing for the computer it is installed on. Almost 700,000 computers in China had Password Stealers installed on them, with Win32/Frethog and Win32/Ceekat being the biggest installations.

Only 1 of the worldwide Top 10 malware families appears in China's list (Win32/Rjump, the USB jumper that was so prevalent in Brazil, ranked #7 in China).

Germany

More than 500,000 computers in Germany had a Trojan/Dropper installed. The malware rate has increased 19.7% in Germany since 2H07. Adware was Germany's #2 threat, with 327,000 computers having Adware installed, a 79.6% increase over 2H07. Zlob was the top "Dropper" with 427,563 installs cleaned, while ZangoSearchAssistant was the top Spyware, with 130,770 installs removed.

United States

11.2% of US computers had software cleaned by the Malicious Software Removal Tool, a 38% increase over 2H07. 7,044,340 computers had a Trojan/Dropper, while 5,014,874 computers had an "Other Trojan". 3.5 million had "Other Potentially Unwanted Software", 3.3 million had "Adware", and 1.3 million computers had a backdoor. 847,972 were infected with a Worm, and 265,038 had Password Stealers active.

The "Other Trojan" numbers account for a 52.6% increase from 2H07.