Archive for the ‘security intelligence report’ Category

How cyber threats affect enterprise and consumer devices

Over the past decade, Microsoft has methodically studied the evolving cyber threat landscape. We share what we learn twice a year in our Security Intelligence Report, and the most recent issue reveals some important differences between the threats that consumer devices and enterprise devices encounter.

Attackers don’t view all attack vectors equally – home computer users and enterprise users tend to be exposed to a different mix of threats due to different usage patterns. These usage patterns can influence the type of cyber-attack attempted. Typically, users in work settings perform business activities while connected to a company network. Users in these situations may also have limitations regarding use of the Internet and email for personal use.

On the other hand, consumers generally connect to the Internet directly or use a home router (a personal network). Here, consumers more often use computers for activities like social media, personal email, playing games, watching videos, consuming content, and shopping.

Active Directory Domains vs. Non-Domains

Microsoft antimalware products and tools produce telemetry data that reveal whether infected computers belong to an Active Directory Domain Services (ADDS) domain. (Computers that do not belong to an ADDS domain are more likely to be for personal or other non-enterprise use.)

By comparing the threats ADDS computers encounter with those of non-ADDS computers, we can gain compelling insights into the stark differences between personal and enterprise security attacks and can begin to understand which threats are most likely to succeed in each environment.

As the following table shows, enterprise computers encounter less malware and encounter different kinds of threats than consumer computers do.

Malware and unwanted software encounter rates by category for domain-based and non-domain computers during the second half of 2015.

Our analysis of related data collected over the course of 2015 reveals the following:

  • Non-domain computers encountered disproportionate amounts of unwanted software compared to domain-based computers, with Adware, Browser Modifiers, and Software Bundlers each appearing between three and six times as often on non-domain computers
  • Domain-based computers encountered exploits nearly as often as their non-domain counterparts, despite encountering less than half as much malware as non-domain computers overall
  • Six families—Win32/SupTab, Win32/Diplugem, Win32/Gamarue, Win32/Skeeyah, Win32/Peals, and Win32/OutBrowse—were common to both lists; all were more frequently encountered on non-domain computers than on domain-joined computers
  • The four families in the top ten list for domain-joined computers that did not appear in the non-domain top ten are the exploit kit JS/Axpergle, the Trojan family Win32/Dorv, the worm family Win32/Conficker, and the generic detection INF/Autorun

In addition, the encounter rate for consumer computers was about 2.2 times as high as the rate for enterprise computers during the second half of 2015.

How to stay updated on emerging threats

The threat landscape has changed dramatically in recent years. Constant vigilance is needed to maintain visibility into emerging vulnerabilities so you can make the adjustments necessary to help protect your organization and customers. From big data analysis to continuous machine learning and human intelligence, security demands a holistic approach to ensure your organization is prepared to handle new attacks.

Visit www.microsoft.com/security/sir to gain a deeper understanding about the security threats that affect your environment. Learn more about Security at Microsoft Secure.

Security Intelligence Report: Discover the top cybersecurity threats by country

Security professionals know there’s no silver bullet to achieve perfect security—the volume and magnitude of cyber threats vary considerably depending on country and threat type. For example, during the second half of 2015 (2H15), encounter rates for some types of threats in Russia and Brazil were nearly three times the worldwide average. Of the ten most commonly encountered threat families in Russia in 2H15, five were trojans, including Win32/Peals, Win32/Skeeyah, Win32/Dynamer, and Win32/Spursint. And in Brazil, Win32/SupTab and the downloader/dropper families Win32/Sventore and Win32/Banload topped the threat list.

To help track the constantly shifting security terrain and meet demand for insights, twice each year Microsoft publishes the Security Intelligence Report (SIR), a comprehensive security analysis based on data we collect from around the world. The latest findings were published in May.

A relative look at the worldwide prevalence of malware

The current SIR gives an overarching view of the security situation around the world during the second half of 2015. It also provides more granular details to help you understand specific threats facing the areas you are concerned about right now.

Here are some of the country-specific malware patterns described in the SIR:

  • France and Italy both had high encounter rates for Browser Modifiers, led by Win32/SupTab and Win32/Diplugem.
  • Russia had a significantly higher encounter rate for Trojans than the other locations listed, led by Win32/Peals, Win32/Skeeyah, Win32/Dynamer, and Win32/Spursint; all four Trojans disproportionately affected computers in Russia and eastern Europe in the fourth quarter of 2015.
  • Worms were particularly prevalent in Brazil, led by VBS/Jenxcus, Win32/Gamarue, and JS/Bondat.
  • The highest encounter rates for adware were in Brazil, France, and Italy; Win32/EoRezo was the most commonly encountered adware family in all three locations.
  • Viruses were particularly prevalent in China, led by DOS/JackTheRipper and Win32/Ramnit.

The following table shows the relative prevalence of various categories of malware in several locations around the world in the fourth quarter of 2015. Here are some tips for interpreting the findings:

  • Within each row, darker colors indicate more prevalent categories in each location.
  • Lighter colors signify that the threat category is less common.
  • The locations are arranged by the number of computers that reported threat detections during the second half of 2015.

The relative prevalence of different categories of malware in the fourth quarter of 2015 in several countries around the world.

Read the full report to learn more about security threats in your region and better understand what location-specific factors may affect your ability to create a secure environment for your organization.

Factors that cause high cybersecurity infection rates

Threat dissemination can be highly dependent on language and socioeconomic factors. In addition, distribution methods can play a considerable role. For instance:

  • Attackers frequently use techniques that target people based on their native language.
  • For threat vectors, attackers employ online services that are local to a specific geographic region.
  • In some situations, attackers target vulnerabilities or operating system configurations and applications that show up disproportionately in a given location.

Microsoft’s commitment to ongoing cybersecurity analysis

We are committed to helping reduce cyber threat infection rates on a regional and global scale. The SIR is just one aspect of this work. Through the regularly updated insights it provides, we aim to inform policymakers and IT professionals about malware trends and arm them to act accordingly.

We encourage you to evaluate your security stance in the light of our latest SIR report, so you can help defend your organization against the most significant risks it faces.

Visit www.microsoft.com/security/sir today to discover the security risks that threaten your organization. To learn more about Microsoft’s Security products visit us at Microsoft Secure.

Attackers using Trojans more than other malware categories

Global cyber threat patterns are a constantly moving target. But there are ways organizations can stay ahead of threats. Beginning in 2006, Microsoft took on systematic study of the ever-shifting security landscape, and we share our latest findings twice each year in our Security Intelligence Report (SIR).

While cyber threats grow more sophisticated, our goal is simple: to help customers understand the many factors that can influence malware infection rates in different parts of the world. We do this because knowledge is power: by partnering with policymakers and IT professionals to keep them apprised of malware trends, we can help make specific regions, and the world, safer for people, businesses, and governments.

To help you prioritize mitigations, including training people to identify cyber threats, we believe the place to start is to understand the current threats your organization is most likely to experience. Currently, that means understanding the growing risk presented by a malware category known as Trojans.

Trojan encounters rose sharply in 2015

Trojans, like worms and viruses, are among the most widespread categories of threats Microsoft detects. Between the second and third quarters of 2015, our research and analysis showed that encounters involving Trojans increased by fifty-seven percent and stayed elevated through the end of the year.

Trojans increased more rapidly than other significant malware categories in 2015.

In the second half of 2015, Trojans accounted for five of the top ten malware families encountered by Microsoft real-time antimalware products. The increase was due in large part to Trojans known as Win32/Peals, Win32/Skeeyah, Win32/Colisi, and Win32/Dynamer. In addition, a pair of newly detected Trojans, Win32/Dorv and Win32/Spursint, helped account for the elevated threat level.

Server platforms at greater risk from Trojans

Overall, unwanted software was encountered significantly more often on client platforms than on server platforms. Trojans, however, were encountered slightly more often on server platforms than on client platforms.

During the course of 2015, our data analysis uncovered the following:

  • During the fourth quarter of 2015, Trojans accounted for three of the top ten malware and unwanted software families most commonly encountered on supported Windows client platforms
  • Also during the fourth quarter of 2015, four of the top ten malware and unwanted software families most commonly encountered on supported Windows server platforms were categorized as Trojans

As these examples suggest, malware doesn’t affect all platforms equally. The reasons for this vary. For instance, some exploits may have no effect on some operating system versions. In addition, in areas where specific platforms are more or less popular than elsewhere, some types of threats are just more common. In some cases, simple random variation may cause differences between platforms.

How Trojans work

Like the wooden horse of the Trojan War legend, software Trojans hide inside something end users want, such as a work file or social media video. Through this type of social engineering, attackers get people to install malware on their systems or to lower their security settings.

Two common Trojans work as follows:

  • Backdoor Trojans provide attackers with remote unauthorized access to and control of infected computers
  • Downloaders/droppers are Trojans that install other malicious files to a computer they have infected, either by downloading them from a remote computer or by obtaining them directly from copies contained in their own code
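A dropper that carries its payload "in its own code" usually embeds a complete second Windows executable inside the file it ships in. The following Python script is an added illustration of the triage check a responder runs on such a sample; it is not code from the post or from Microsoft. It scans a file for DOS headers whose e_lfanew field points at a valid PE signature and reports where each embedded image starts. The host file and the minimal PE header inside it are constructed for the example and are not real malware.

```python
import struct

# Constructed host file prefix; it deliberately contains a stray "MZ" that
# is NOT a header, to show the false positive being filtered out.
SAMPLE_PREFIX = b"setup-notes: this legit MZ string is not a header\n" + b"\x00" * 32

MACHINES = {0x14C: "x86", 0x8664: "x64"}


def make_fake_pe(machine: int = 0x14C) -> bytes:
    """Build a minimal, non-executable PE header (constructed test data only)."""
    dos = bytearray(0x80)                      # DOS header + stub area
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)    # e_lfanew -> offset of "PE\0\0"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x102)
    return bytes(dos) + coff + b"\x00" * 64


def find_embedded_pe(data: bytes, skip_offset_zero: bool = True):
    """Return [(offset, machine)] for every plausible PE image inside `data`.

    A hit requires an "MZ" at `offset`, an e_lfanew at offset+0x3C that is
    within a sane range, and the "PE\\0\\0" signature at offset+e_lfanew.
    With skip_offset_zero the container's own header (if it is a PE) is ignored.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if not (skip_offset_zero and pos == 0) and pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew <= 0x1000 and pe + 6 <= len(data)
                    and data[pe:pe + 4] == b"PE\x00\x00"):
                (machine,) = struct.unpack_from("<H", data, pe + 4)
                hits.append((pos, MACHINES.get(machine, hex(machine))))
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_sample_host() -> bytes:
    """Constructed 'dropper': text, an embedded PE image, then trailing data."""
    return SAMPLE_PREFIX + make_fake_pe() + b"trailing installer data"


if __name__ == "__main__":
    for offset, machine in find_embedded_pe(build_sample_host()):
        print(f"embedded PE ({machine}) at offset {offset}")
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `find_embedded_pe`; the offsets can then be carved out with a hex editor or `dd` for separate analysis. The e_lfanew range check is what keeps random "MZ" byte pairs in text or compressed data from being reported.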

Mitigating the Trojan threat

Knowing how the top Trojans in your part of the world operate gives you the upper hand in protecting your organization. For example, educate your workforce about common Trojan tricks, such as “clickbait” (fake web headlines with provocative titles) and spoofed emails. In addition, encourage the people in your organization to use personal devices for social media and web surfing rather than devices connected to your corporate network.

To understand security threats in your region or view the current or previous editions of the SIR, visit www.microsoft.com/security/sir.  To learn more about Security at Microsoft, visit us at Microsoft Secure.

Modern browsers are closing the door on Java exploits, but some threats remain

September 26th, 2016

Was 2015 the year the industry finally eradicated Java exploitation? Well, not quite, but the good news is we’re getting there.

It should be no surprise that encounters with Java exploits continued to decrease significantly in the second half of 2015: all of the most commonly encountered exploits target vulnerabilities that were addressed with security updates years ago. While Java was once the vehicle of choice for attackers, modern browser technologies have rendered such exploits largely ineffective.

The good news for IT security teams is that they can now concentrate more resources on emerging threats, such as those targeting Adobe Flash. The positive trend does not mean organizations can ignore Java exploits entirely, though. As the graph below shows, some of the more common Java-based threats are still out there; they occur much less frequently than they did years ago, but organizations still need to ensure they are protected.

The continuing decline is likely due to several important changes in the way web browsers handle Java applets. The default web browser in Windows 10 is Microsoft Edge, which does not support ActiveX controls or NPAPI plug-ins such as Java at all. This effectively eliminates the possibility of Java exploits being delivered through the browser (an installed Java runtime can still run .jar files opened outside the browser, so it should be kept updated or removed regardless).

Other browsers are also built to eliminate or mitigate exploits:

  • As of September 1, 2015, Google Chrome stopped supporting the NPAPI plug-in architecture that the Java plug-in relies on, citing security concerns. Like Edge, Chrome no longer runs Java applets.
  • Mozilla Firefox currently lets users disable the Java plug-in from its Add-ons Manager (the “Enable JavaScript” setting under the Content tab controls JavaScript, which is unrelated to Java applets), and Mozilla has announced that it will also discontinue NPAPI support by the end of 2016.
  • Internet Explorer 11 validates a webpage before allowing embedded Java applets to run. Further updates to Internet Explorer released in 2014 hardened the browser with heap mitigations that make use-after-free bugs harder to exploit, and began blocking out-of-date ActiveX controls, which includes outdated Java runtimes.

Persistent threats

That new browsers are flexing their muscles in the security space is good news, but some threats still persist. Each of the exploits below is in decline, yet all remain risks that security teams should be aware of, especially where out-of-date Java installations remain:

  • CVE-2012-1723. This is the most common individual Java exploit we encountered in late 2015, and one we discussed back in 2012. It is a type-confusion vulnerability: it tricks the Java Runtime Environment (JRE) into treating a variable of one type as though it were another type. Oracle confirmed the vulnerability in June 2012 and addressed it the same month in its June 2012 Critical Patch Update. It was observed being exploited in the wild beginning in early July 2012 and has been used in a number of exploit kits.
  • CVE-2010-0840 is a JRE vulnerability that was first disclosed in March 2010 and addressed by Oracle with a security update the same month. The vulnerability was previously exploited by some versions of the Blackhole exploit kit (detected as JS/Blacole), which has been inactive in recent years.
  • CVE-2012-0507 allows an unsigned Java applet to gain elevated permissions and potentially unrestricted access to the host system outside its sandbox. The vulnerability is a type-safety flaw in the JRE’s AtomicReferenceArray class that lets attackers run code with the privileges of the current user; because it is a logic error rather than a memory-corruption bug, it can be exploited reliably on any platform that supports the JRE, including Apple Mac OS X, Linux, VMware, and others. Oracle released a security update in February 2012 to address the issue.
  • CVE-2013-0422 first appeared in January 2013 as a zero-day vulnerability. It is a package access check vulnerability that allows an untrusted Java applet to access code in a trusted class, which then loads the attacker’s own class with elevated privileges. Oracle published a security update to address the vulnerability on January 13, 2013; more information is available in Oracle’s security alert for CVE-2013-0422.
  • In addition, Java/Obfuscator is a generic detection for programs that have been modified by malware obfuscation tools, often in an attempt to avoid detection by security software. Files identified as Java/Obfuscator can represent exploits that target many different Java vulnerabilities.
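Since every exploit in this list, and every drive-by exploit kit discussed elsewhere on this page, targets a vulnerability that Oracle fixed in a specific update, the check a practitioner wants is whether an installed runtime predates those fixes. The following Python example is added here and is not code from the post, the SIR, or Oracle. The fixed-in update numbers are taken from Oracle’s Critical Patch Update advisories for the four CVEs above and are limited to Java SE 5 through 7, an assumption to confirm against the advisories before relying on the table. Version strings are parsed from the legacy `java -version` format (1.7.0_04), the shorthand form (7u4), and the dotted format used since Java 9.

```python
import re

# First fixed update level per Java major version, per Oracle's advisories
# for the CVEs named in the post (assumption: table limited to Java SE 5-7;
# a major version absent from a CVE's entry is treated as unaffected).
FIXED_IN = {
    "CVE-2010-0840": {5: 24, 6: 19},        # March 2010 CPU
    "CVE-2012-0507": {5: 34, 6: 31, 7: 3},  # February 2012 CPU
    "CVE-2012-1723": {5: 36, 6: 33, 7: 5},  # June 2012 CPU
    "CVE-2013-0422": {7: 11},               # Security Alert, 13 January 2013
}

_LEGACY = re.compile(r"^1\.(\d+)(?:\.\d+)?(?:_(\d+))?")   # 1.7.0_04, 1.6.0_33-b01, 1.7.0
_SHORT = re.compile(r"^(\d+)u(\d+)$")                     # 7u4, 8u66
_MODERN = re.compile(r"^(\d+)(?:\.\d+)?(?:\.(\d+))?")    # 9.0.4 -> (9, 4)


def parse_java_version(text: str):
    """Return (major, update) for the common Java version string formats."""
    s = text.strip()
    for rx in (_LEGACY, _SHORT, _MODERN):
        m = rx.match(s)
        if m:
            return int(m.group(1)), int(m.group(2) or 0)
    raise ValueError(f"unrecognised Java version string: {text!r}")


def unpatched_cves(version: str):
    """CVEs from FIXED_IN whose fix postdates this runtime's update level."""
    major, update = parse_java_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if major in fixed and update < fixed[major])


def audit(versions):
    """Map each installed version string to the CVEs it is still exposed to."""
    return {v: unpatched_cves(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory, as collected from an endpoint software list.
    inventory = ["1.6.0_18", "1.7.0_04", "1.6.0_33-b01", "7u11", "1.8.0_66"]
    for version, cves in audit(inventory).items():
        print(f"{version:14} {'patched for listed CVEs' if not cves else ', '.join(cves)}")
```

Feed `audit` the version strings from your software inventory (the `java -version` output, or the display version from the installed-programs list) and any runtime that returns a non-empty list is exploitable by kits that still carry these exploits. Extending `FIXED_IN` with newer CVEs is a one-line change per advisory.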

For a thorough analysis on the state of malware in the latter half of 2015, take a look at our latest Security Intelligence Report. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Hacks for sale: Exploit kits provide easy avenue for unskilled attackers

September 19th, 2016

One of the most common cyber-attack vehicles we’ve seen over the years involves so-called “exploit kits.” These are collections of exploits bundled together and sold as commercial software or as a service.

A typical kit includes a collection of web pages with exploits for several vulnerabilities in popular web browsers, browser add-ons, or other types of software. When an attacker installs the kit on a web server, visitors to the attacker’s malicious webpage who don’t have appropriate security updates installed are at risk of their computers being compromised through drive-by download attacks.

One reason exploit kits are so dangerous to both consumers and businesses is that an attacker needn’t be a skilled hacker to use one. Prospective attackers can buy or rent exploit kits on malicious hacker forums and other outlets. Lower skilled attackers can use the kits to perform sophisticated attacks, which contributes to the fact that they have become so widespread over time. In fact, exploit kits accounted for four of the ten most commonly encountered threats during the second half of 2015 according to our 2016 Trends in Cybersecurity e-book.
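The drive-by sequence described above (a visit to a compromised or malvertising page, a redirect to the kit’s landing page, a plug-in exploit payload from that page, then the executable it downloads) leaves a recognisable trace in a web proxy log. The following Python example, added here and not part of the post or the SIR, flags that sequence in constructed proxy log lines. The log format, the hostnames, and the 60-second window are assumptions made for the example; a real deployment would map the fields to the proxy in use and tune the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log (not real traffic). Fields: timestamp, client IP,
# method, URL, referer ("-" if none), HTTP status, response content type.
SAMPLE_LOG = """
2015-11-03T10:15:01Z 10.0.0.5 GET http://news.example.com/article.html - 200 text/html
2015-11-03T10:15:02Z 10.0.0.5 GET http://ads.example.net/banner.js http://news.example.com/article.html 200 application/javascript
2015-11-03T10:15:03Z 10.0.0.5 GET http://q7.landing-zz.example/index.php?id=a1 http://ads.example.net/banner.js 200 text/html
2015-11-03T10:15:04Z 10.0.0.5 GET http://q7.landing-zz.example/x.jar http://q7.landing-zz.example/index.php?id=a1 200 application/java-archive
2015-11-03T10:15:06Z 10.0.0.5 GET http://q7.landing-zz.example/load.php?k=3 - 200 application/octet-stream
2015-11-03T10:20:00Z 10.0.0.9 GET http://www.vendor.example/java/ - 200 text/html
2015-11-03T10:20:05Z 10.0.0.9 GET http://downloads.vendor.example/jre-update.exe http://www.vendor.example/java/ 200 application/octet-stream
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Content types / extensions served to browser plug-ins (Java, Flash, Silverlight).
PLUGIN_TYPES = {"application/java-archive", "application/x-java-applet",
                "application/x-shockwave-flash", "application/x-silverlight-app"}
PLUGIN_EXT = (".jar", ".class", ".swf", ".xap")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec"}


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, referer, status, ctype = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "url": url, "host": urlparse(url).hostname,
            "referer": None if referer == "-" else referer,
            "status": int(status), "ctype": ctype.lower()}


def is_plugin_payload(r):
    return r["ctype"] in PLUGIN_TYPES or urlparse(r["url"]).path.lower().endswith(PLUGIN_EXT)


def is_binary(r):
    return r["ctype"] in BINARY_TYPES or urlparse(r["url"]).path.lower().endswith(".exe")


def find_driveby_chains(lines, window=timedelta(seconds=60)):
    """Flag landing page -> plug-in payload -> executable, all from one host,
    fetched by one client within `window`. Returns a list of alert dicts."""
    by_client = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r and r["status"] == 200:
            by_client[r["client"]].append(r)
    alerts = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, plug in enumerate(reqs):
            if not is_plugin_payload(plug):
                continue
            # Landing page: an HTML response from the payload's host shortly before it.
            landing = next((p for p in reqs[:i] if p["host"] == plug["host"]
                            and p["ctype"].startswith("text/html")
                            and plug["ts"] - p["ts"] <= window), None)
            if landing is None:
                continue
            # Second stage: an executable from the same host shortly after the payload.
            for nxt in reqs[i + 1:]:
                if nxt["ts"] - plug["ts"] > window:
                    break
                if nxt["host"] == plug["host"] and is_binary(nxt):
                    alerts.append({"client": client, "landing": landing["url"],
                                   "landing_referer": landing["referer"],
                                   "payload": plug["url"], "stage2": nxt["url"]})
                    break
    return alerts


if __name__ == "__main__":
    for a in find_driveby_chains(SAMPLE_LOG.splitlines()):
        print(f"{a['client']}: {a['landing_referer']} -> {a['landing']} -> "
              f"{a['payload']} -> {a['stage2']}")
```

The second client in the sample downloads an installer straight from a vendor page and is not flagged, because no plug-in payload preceded the executable. The `landing_referer` field is what points an analyst back to the compromised site or ad network that started the chain, which is the one piece of the kill chain the organization can actually get blocked.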

What can you do to protect your organization?

To protect your organization, it’s important that your security teams understand which exploits and exploit kits are being used most often by attackers. The graphic below shows the most frequently encountered exploits noted in our latest Security Intelligence Report, and we detail three of the more common exploits, and the kits they are a part of, below.

Most frequently encountered exploits noted in our latest Security Intelligence Report

Exploit Kit: JS/Axpergle
A.K.A.: Angler

JS/Axpergle is Microsoft’s detection name for the Angler exploit kit, and it was the most commonly encountered exploit in the report. Angler targets Internet Explorer, Adobe Flash Player and Java. Exploit kit authors frequently change the exploits included in their kits in an effort to stay ahead of software publishers and security software vendors. Exploits targeting zero-day vulnerabilities — those for which no security update has yet been made available by the vendor — are highly sought after by attackers, and the Angler authors added several zero-day Flash Player exploits to the kit in 2015.

Exploit Kit: HTML/Meadgive
A.K.A.: RIG

Other exploit kits were encountered at much lower levels. Encounters involving the RIG exploit kit (also known as Redkit, Infinity, and Goon, and detected as HTML/Meadgive) more than doubled from summer to fall of 2015, but remained far below those involving Angler.

Exploit Kit: Win32/Anogre
A.K.A.: Sweet Orange

Encounters involving the Sweet Orange kit (detected as Win32/Anogre), the second most commonly encountered exploit kit in the first quarter of 2015, decreased to negligible levels by the end of the year.

Take the first step — Keep software up to date

Keeping your software up to date is one of the most effective defenses against exploit kits and their ever-evolving attacks.

To keep up with all the latest news about exploit kits, as well as viruses, malware and other known threats, make sure to bookmark the Microsoft Malware Protection Center blog for frequent updates. And for a high-level look at the top 10 trends and stats that matter most to security professionals right now, be sure and download the 2016 Trends in Cybersecurity e-book.

Keep Microsoft software up to date — and everything else too

September 14th, 2016

Many of the CIOs and CISOs that I talk to have, over time, developed mature vulnerability assessment methodologies and security updating processes. But frequently, I find that the focus of these processes is squarely on keeping Microsoft operating systems and browsers up to date. Of course, vulnerabilities in popular operating systems or browsers have the potential to affect a broad audience. Another reason for this focus is that Microsoft has made updating relatively easy by offering updates via Windows Update, Microsoft Update, and various tools like Windows Server Update Services and others.

But data from our latest Security Intelligence Report suggests that customers need to keep all of their software up-to-date, not just Microsoft software.

In the last half of 2015 there were nearly 3,300 vulnerability disclosures across the industry, of which 305 were in Microsoft products. With more than 90 percent of reported vulnerabilities occurring outside the Microsoft portfolio, organizations need to monitor their entire technology stack to minimize their risk.

Microsoft products accounted for less than 10 percent of industrywide vulnerabilities in the second half of 2015.

This is consistent with previous years as well. The software industry worldwide includes thousands of vendors, and historically, vulnerabilities for Microsoft software have accounted for between three and ten percent of disclosures in any six-month period.

To find out what’s happening in the world of software vulnerabilities across your IT environment, take some time to review our latest Security Intelligence Report and the information available through the National Vulnerability Database (NVD), the U.S. government’s repository of standards-based vulnerability management data. And for a high-level look at the top ten trends and stats that matter most to security professionals right now, be sure and download our 2016 Trends in Cybersecurity e-book.

Latest Microsoft Security Intelligence Report Now Available

May 14th, 2015

Volume 18 of the Microsoft Security Intelligence Report (SIR) is now available at http://microsoft.com/sir.

SIRv18 Cover

This volume of the SIR focuses on the second half of 2014 and contains longer term trend data as well. SIR volume 18 contains data, insights and practical guidance on a range of global and regional cybersecurity threats including vulnerability disclosures, malware and unwanted software including the latest on Ransomware, malicious websites such as drive-by download sites, and exploit activity including exploits used in targeted attacks. Deep dives into the threat landscape in over 100 countries/regions are also available.

The “Featured Intelligence” section of the report is on “The life and times of an exploit.” This section explores the increased speed at which some attackers are able to reverse engineer security updates, illustrating the critical need to update systems as quickly as possible once security updates have been published by vendors.

The SIR also contains actionable guidance to help mitigate the threats reported to us from hundreds of millions of systems worldwide. This also includes guidance based on the threats that Microsoft’s IT department, MSIT, detect and mitigate in the course of protecting Microsoft’s corporate network which spans every region of the world.

Susan Hauser, Corporate Vice President, Worldwide Enterprise Partner Group highlights some of the key findings in the new SIR and guidance for enterprise customers on her blog.

Tim Rains
Chief Security Advisor
Worldwide Cybersecurity & Data Protection

New research shows rise in “deceptive downloads”

May 7th, 2014

According to the latest cybersecurity report from Microsoft, “deceptive downloads” were the top threat for 95 percent of the 110 countries surveyed.

What are deceptive downloads?

Deceptive downloads are legitimate downloadable programs (usually free) such as software, games, or music that cybercriminals bundle with malicious items.

For example, you might receive a file in email or through social networking, but when you try to open it you see a message that says you don’t have the right software to open it. You do a search online and come across a free software download that claims it can help you open the file. You download that software, but you unknowingly might also be downloading malicious software (also known as “malware”) with it. This malware might have the ability to access personal information on your computer or use your computer for cybercrime.

It could be months or even years before you notice your system has malware.

How can I avoid deceptive downloads?

What should I do if I think I’ve been a victim of a deceptive download?

Do a scan with your antivirus software. If your computer is running Windows 8 or Windows 8.1, you can use the built-in Windows Defender to check for and to help you get rid of a virus or other malware.

If your computer is running Windows 7 or Windows Vista, do the following:

What is the Security Intelligence Report?

The Microsoft Security Intelligence Report (SIR) covers research on computer security, including software vulnerabilities, exploits, and malicious and potentially unwanted software. Volume 16 of the report was released today. If you want to learn more about deceptive downloads and other key findings, please visit Microsoft.com/SIR.

Newer software can increase your computer security

October 31st, 2013

This week we released volume 15 of the Security Intelligence Report (SIR), which covers our research on computer security, including software vulnerabilities, exploits, and malicious and potentially unwanted software.

One of the key findings to surface from the latest report is the increased risk of using old, unsupported software; the report also emphasizes the positive impact of security innovations and technologies in newer software. Advanced security technologies in modern operating systems are specifically designed to make exploiting vulnerabilities more difficult, more complex, more expensive, and therefore less appealing to cybercriminals.

For more information, see our Microsoft on the Issues blog post titled “New cybersecurity report details risk of running unsupported software.”

Support for Windows XP ends in April 2014

Windows XP was released almost 12 years ago, which is an eternity in technology terms. While we are proud of the success of Windows XP in serving the needs of so many people for more than a decade, inevitably there is a tipping point where dated software and hardware can no longer defend against modern-day threats and increasingly sophisticated cybercriminals. 

If you’re still using Windows XP, you’re missing out on all kinds of enhancements to computer security, productivity, and performance that are available in Windows 7 and Windows 8.

Find out what end of support for Windows XP means to you.

Microsoft Security Intelligence Report v14: Why antivirus software matters

April 17th, 2013

The latest volume of the Security Intelligence Report (SIR) highlights the importance of using antivirus software.

Antivirus software helps protect your computer from malicious software (malware) and can be downloaded or installed inexpensively or at no charge. Still, according to the SIR v14 findings, 24 percent of computers worldwide were not running up-to-date antivirus software, leaving them 5.5 times more likely to be infected with viruses.

Possible reasons why your computer may not be protected:

This new edition of the SIR compares infections on protected and unprotected computers, offering evidence as to how many people are not using up-to-date antivirus software and are thus facing increased risk.

If you don’t have antivirus software, Microsoft recommends that you download it now from Microsoft or from another trusted vendor. If you already have Windows 8, antivirus software is included with the operating system. You are not required to do anything to set it up. If you are using older versions of Windows, Microsoft provides a free antivirus software called Microsoft Security Essentials, which can be downloaded from our website. Many of our partners also offer antivirus software.

Data used in the SIR analysis includes (but is not limited to):

  • Threat intelligence from more than 1 billion systems in more than 100 countries and regions.
  • Microsoft Security Essentials—operating globally in more than 30 languages.
  • Malicious Software Removal Tool—downloaded and executed more than 1 billion times in the second half of 2012.
  • Billions of pages scanned by Bing each day.

Learn more about the SIR findings related to antivirus protection.

Take action to help protect your computer and reduce the risk of becoming a victim to cybercrime:

Beware of deceptive downloads

October 18th, 2012

The Microsoft Security Intelligence Report (SIR) analyzes online threats using data from Internet services and over 600 million computers worldwide. Volume 13 of the SIR is now available and focuses on vulnerability disclosures from the first and second quarters of 2012.

A featured article, Deceptive Downloads: Software, Music, and Movies, highlights a growing trend of malware infection associated with insecure supply chains, including legitimate sites that make shareware and music available for public download.

Download the latest report

4 signs of scareware

May 17th, 2012

“Scareware” is fake anti-virus software (also called “rogue security software”) that cybercriminals trick you into paying for or trick you into downloading along with malicious software. According to the latest Security Intelligence Report from Microsoft, one of the most prevalent forms of scareware is called Win32/FakePAV. Learn how to help prevent Win32/FakePAV from stealing your credit card information.

Here are some tell-tale signs that could indicate a scareware infection:

  • Your computer runs much slower than usual
  • When you try to surf the internet to legitimate anti-virus websites, you can’t get to them
  • You see a lot of pop-up windows with false or misleading alerts
  • The anti-virus software you recently downloaded is trying to lure you into upgrading to a paid version of the program

Get more information on how to spot fake virus alerts.

If you think you might have already downloaded scareware, you can run the Microsoft Safety Scanner for free. Also, make sure you use legitimate anti-virus software, such as Microsoft Security Essentials, which is also free.

Microsoft was recently interviewed for a local Seattle news story about scareware. Watch the video


Protect your PC from the Conficker worm

May 10th, 2012

The most recent Microsoft Security Intelligence Report (SIR) describes the ongoing threat of the Conficker worm and urges businesses and individuals to apply security updates.

Microsoft first recognized the Conficker threat in November 2008, and since then the Microsoft Malware Protection Center has been regularly releasing security updates to help protect against Conficker. The worm continues to spread when businesses and individuals don’t install these patches and update their systems, and when weak passwords are used in business environments. The worm was also able to infect large numbers of computers when system administrators used the Autorun feature in Windows XP and Windows Vista.

Think your computer or network is infected with Conficker? Get clean-up tips.

Read the latest Security Intelligence Report

May 1st, 2012

Last week Microsoft released Volume 12 of the Security Intelligence Report (SIR) which covers our research of software vulnerabilities, exploits, and malicious and potentially unwanted software from July – December 2011.

One of the main focuses of this version of the report is the ongoing threat of the Conficker worm, which threatens businesses and large organizations that use weak passwords or do not install updates to their systems.

Over the next month we’ll explore the Conficker threat and other highlights from the SIR, including how to avoid scareware and how you can prevent unwanted software with free tools from Microsoft.

Download SIR Volume 12.

Download the key findings from SIR Volume 12.

There’s more than one way to skin an orange…

October 21st, 2011

When it comes to attacking a system, and compromising its data and/or resources, there are several different methods that an attacker can choose. One of the more effective ways to make a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability refers to a characteristic of a system that renders it susceptible to some form of attack. Kind of like a weakness, but a weakness that does not necessarily indicate a problem with the system’s design.

Vulnerabilities may be present in any component of the targeted system. You can have vulnerabilities in the hardware that supports the system, or vulnerabilities in the software that runs on the system, but you can also have vulnerabilities that occur as people use the system, or in the people themselves. People, both literally and figuratively, can be soft targets and attackers often try to compromise systems by attempting to exploit how people behave.

This type of attack is known as social engineering. Essentially, in social engineering, attackers attempt to exploit vulnerabilities in human behavior in order to make the victim being targeted act in a manner of the attacker’s choosing, even though that is unlikely to be in the victim’s best interest. So rather than exploiting vulnerabilities in hardware or software, social engineering attempts to exploit vulnerabilities in the ‘wetware’ (i.e. the people).

Examples of social engineering techniques used by malware for distribution or other purposes can range from the simple yet effective ("Install this codec in order to watch this amusing video"), to the elaborate and complex (most Rogue security software), to the targeted (by taking advantage of existing trust relationships using specially compromised accounts or services).

So, you can upgrade your hardware and update your software (and we absolutely recommend that you do), but how do you upgrade/update people to make them less vulnerable to attack? It’s a classic question in computer security but there are measures you can take that will make the people in your organization less likely to be compromised in this manner.

The latest issue of the Microsoft Security Intelligence Report (SIRv11) contains detailed advice for IT professionals and organizations on how to limit exposure to social engineering attacks. The section ‘Advice to IT Professionals on Social Engineering’ (p42) provides a number of tangible steps that can be taken to protect an organization from this most nefarious of attacks.

Highly recommended reading for any organizations that contain people…

Heather Goudey
MMPC Melbourne

SIRv11: Putting Vulnerability Exploitation into Context

October 14th, 2011

As Vinny Gullotto, our GM, blogged earlier in the week, the 11th edition of the Security Intelligence Report (SIRv11) has been released. One of the new areas of research in this release is a study of the most prevalent kinds of vulnerability exploitation and how much of that exploitation is 0-day (short for zero-day: an attack on, or exploitation of, a vulnerability for which no update is available). We took two paths to find this answer. The first was an analysis of how the top families found by the Microsoft Malicious Software Removal Tool (MSRT) were known to infect systems. We found that none of the top 27 families were known to use 0-day vulnerabilities in 1H11.

The second way we approached this answer was to measure all of the exploit activity tracked by the MMPC through our real-time protection products (such as Microsoft Security Essentials and Forefront Endpoint Protection) and compare the number of attacks that were 0-day at the time (no update available) versus attacks that occurred after the update was made available. We actually gave a month of buffer (so any exploits that happened during the month in which the update was made available were still counted as 0-day). We expected the percentage to be low, and it was: 0.12 percent, to be exact, for 1H11. Here’s what it looks like in chart form:

Chart 1 – Chart illustrating percentage of exploits that were 0-day in 1H11

One question that we discussed a lot while working on this report was: How do we measure what we don’t know and therefore can’t see? (In other words, 0-day by definition means you may not know about it.) Great question! Answer: We can’t measure what we can’t see. However, what we have seen tells us that “secret 0-days” don’t stay a secret for very long. Take, for example, a few we tracked in 2010. These attacks nearly always started out as targeted – sometimes reported as affecting only one entity when they were discovered. The trend they have in common is that they broaden to more generalized use (eventually) and we find out about them sooner or later.

  • CVE-2010-0806 was a 0-day affecting Internet Explorer 6 and 7 on older operating systems (like Vista and XP) that was reported as being used in targeted attacks. A few days later, after the release of public exploit code, we saw those attacks escalate and they have remained a sizable part of exploit activity throughout 2011.
  • CVE-2010-3962, which we dubbed the Weekend Warrior for its peaks of activity in Korea on the weekends, was discovered in Nov. 2010 when it was used in targeted attacks. Attackers broadened the targets of their attacks near the end of the month.
  • Another example is CVE-2010-2568, the vulnerability that used malicious .lnk files and that was found with Stuxnet. It took a matter of weeks before this one technique, used in this very targeted, singular attack, got picked up by many other families of malware like Sality, broadening the impact considerably.

The point here is that although it’s true that “you don’t know what you don’t know,” our experience tells us that when it comes to 0-day activity, we find out, and often, we find out quite quickly. Things start to unravel rapidly the moment the 0-day affects either a target that’s really paying attention or when the attacks start to affect a broader, less targeted audience.

So, even if our estimates for 0-day activity were off by fivefold, the estimated activity for 1H11 would remain under 1 percent. That’s still pretty small.
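The classification rule described above (an attack counts as 0-day if no update existed when it was seen, with the whole month in which the update shipped still counted as 0-day) and the fivefold sensitivity check, worked through as an added example. This is illustrative code, not the MMPC’s tooling, and every CVE identifier, update date and detection below is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the report): CVE -> date its update shipped.
# None means no update existed during the measurement window.
UPDATE_DATES = {
    "CVE-EXAMPLE-0001": date(2011, 2, 8),
    "CVE-EXAMPLE-0002": date(2011, 4, 12),
    "CVE-EXAMPLE-0003": None,
}

@dataclass(frozen=True)
class Detection:
    cve: str    # vulnerability the blocked exploit targeted
    seen: date  # day the real-time protection product reported it

# Constructed detections standing in for the telemetry the post describes.
SAMPLE_DETECTIONS = [
    Detection("CVE-EXAMPLE-0001", date(2011, 1, 15)),  # before the update
    Detection("CVE-EXAMPLE-0001", date(2011, 2, 20)),  # month of release: buffer
    Detection("CVE-EXAMPLE-0001", date(2011, 3, 1)),
    Detection("CVE-EXAMPLE-0001", date(2011, 6, 30)),
    Detection("CVE-EXAMPLE-0002", date(2011, 4, 30)),  # month of release: buffer
    Detection("CVE-EXAMPLE-0002", date(2011, 5, 2)),
    Detection("CVE-EXAMPLE-0002", date(2011, 5, 3)),
    Detection("CVE-EXAMPLE-0002", date(2011, 6, 1)),
    Detection("CVE-EXAMPLE-0003", date(2011, 3, 3)),   # no update at all
]

def is_zero_day(det, update_dates=UPDATE_DATES):
    """Apply the post's rule: 0-day if no update was available when the attack
    was seen; the whole month in which the update shipped still counts as 0-day."""
    fix = update_dates.get(det.cve)
    if fix is None:
        return True
    return (det.seen.year, det.seen.month) <= (fix.year, fix.month)

def zero_day_share(detections, update_dates=UPDATE_DATES):
    """Return (zero_day_count, total, percent_zero_day)."""
    total = len(detections)
    zd = sum(1 for d in detections if is_zero_day(d, update_dates))
    return zd, total, (100.0 * zd / total) if total else 0.0

def per_cve_breakdown(detections, update_dates=UPDATE_DATES):
    """Count 0-day versus post-update detections per CVE (the split Chart 1 shows)."""
    out = {}
    for d in detections:
        zd, post = out.get(d.cve, (0, 0))
        if is_zero_day(d, update_dates):
            zd += 1
        else:
            post += 1
        out[d.cve] = (zd, post)
    return out

def worst_case_share(percent, undercount_factor=5):
    """Sensitivity check from the post: if the measured share undercounts unseen
    0-days by undercount_factor, what share would that imply?"""
    return min(100.0, percent * undercount_factor)

if __name__ == "__main__":
    zd, total, pct = zero_day_share(SAMPLE_DETECTIONS)
    print(f"{zd}/{total} detections were 0-day ({pct:.2f}%)")
    for cve, (z, p) in per_cve_breakdown(SAMPLE_DETECTIONS).items():
        print(f"  {cve}: {z} zero-day, {p} after update")
    print(f"Report figure 0.12% with a 5x undercount -> {worst_case_share(0.12):.2f}%")
```

The constructed sample is deliberately tiny, so its 0-day share is far higher than the report's 0.12 percent; the point is the month-granularity rule and the breakdown, not the number.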

Most Frequent Exploits

So, now that the question of 0-day is out of the way, let’s talk about the broader volumes of exploit activity that were revealed in SIRv11. Although there are many interesting trends in the chart below, I want to focus on a few of them in this blog: Java (and the age of vulnerabilities in general) and Operating System vulnerabilities. If you want details about the other categories in this chart, see the full Security Intelligence Report.

Chart 2 – Exploit activity over a one year period

Java Exploits

As we blogged a year ago, in 3Q10, the exploitation of Java vulnerabilities skyrocketed to new levels that we had never seen before. The analysis in SIRv11 shows that Java exploitation remains high and that the targeted vulnerabilities are quite old. The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867. These CVEs affect the Oracle Sun Java JRE or JDK, and all of them have updates available to fix them now. The most recent, CVE-2010-0094 and CVE-2010-0840, received updates in April 2010 after following a coordinated disclosure process with an external vendor.

Operating System Exploits

The jump in operating system exploits is primarily due to one technique: CVE-2010-2568 (the vulnerability mentioned earlier that was found with Stuxnet). This exploit was picked up by a number of families that were known to abuse Autorun. And, although CVE-2010-2568 has nothing to do with Autorun itself, the behavior is quite similar: the user connects a USB device and browses the drive, and the malware automatically executes (if the user hasn’t applied the update to fix the issue, that is). Malware authors must have found this exploit technique alluring. At least, the data certainly seems to indicate that they did. It’s also possible that attackers, after Microsoft released updates to harden the Autorun feature on older systems (which did appear to put a dent in their ability to infect users), were searching for ways to broaden their infection rate.

Another interesting aspect in our exploit data on CVE-2010-2568 is the location of the targets. I recently did a talk at Virus Bulletin on the top exploits of 2011, and in that talk, I looked at geographical differences for regions that face the most exposure to exploitation attempts. Several regions that were at the top, Indonesia, Pakistan, and Vietnam, were there because of exploitation attempts for CVE-2010-2568. If you combine those three locations with two more, India and Mexico, those five together represent 52% of all the computers that have reported CVE-2010-2568 attack attempts in the first three quarters of this year. Although I don’t have update statistics for these regions, this data might indicate that there are large numbers of systems there that have not yet applied this very important update (MS10-046).

Net Net

I’ve talked about a lot of data in this post, and sometimes it’s hard to synthesize it. The key point of the exploit analysis in SIRv11 is that older vulnerabilities are what the vast majority of exploitation attempts target (90 percent are more than a year old). The special 0-day section of the report takes this concept even further – we look at how much of the malware infections are actually attributed to the exploit of vulnerabilities in general. (The answer: Less than 6 percent in 1H11.) To find out what the other 94 percent of infections are attributed to, download the report and keep your eye on this blog for more analysis to come.

– Holly Stewart, MMPC

Is your browser keeping you safer online?

October 11th, 2011

Research in the newly released Microsoft Security Intelligence Report Volume 11 reveals how social engineering techniques contribute to the spread of computer infections. Attacks that require user interaction (social engineering) to spread accounted for 45% of the attacks analyzed in the report. In addition, old or out-of-date browsers are easier targets for attacks than browsers that are current.

According to data from Net Applications, 25% of all browsers are not up to date. This means approximately 340 million computers worldwide might be at increased risk of infection as a result of malware spread via social engineering techniques.

Today Microsoft launched the website, YourBrowserMatters.org, to show how updated browsers can help to keep you safer online and why a browser is the first line of defense against infection.

New: Microsoft Security Intelligence Report Volume 11- Now Available

October 11th, 2011

Hi again, everyone!

Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11. I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world. The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially unwanted software. We also cover third party products in the report.

As part of SIRv11, we’ve included an in-depth analysis titled “Zeroing in on malware propagation.”

The purpose of this study is to help customers better understand where malware was propagating and encourage the use of this information to prioritize where and how to focus risk management efforts. In contrast to popular belief, this study found that zero-day vulnerabilities accounted for a very small percentage of actual infections. In fact, none of the top malware families detected through our tools (like the Malicious Software Removal Tool, Microsoft Security Essentials, and others) propagated through the use of a zero-day. And while some smaller families did take advantage of these types of vulnerabilities, less than 1 percent of all vulnerability attacks were against zero-day vulnerabilities – in other words, approximately 99% of attempted attacks targeted vulnerabilities for which an update was available.

While these statistics may come as a surprise to some, the key takeaway is how malware was actually propagating, and we found that to be through user interaction (typically employing social engineering techniques), Autorun feature abuse, file infection, various exploits (with updates available) and brute force password attacks. This study provides insight into the frequency with which these methods were being used to spread malware, and puts zero-day vulnerabilities into context against other propagation methods.

The graph below outlines the areas I’ve mentioned and gives you a good idea of where we’re seeing malware propagate from – essentially the methods.

Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

We’ve always known the bad guys use multiple methods of malware distribution to compromise users, and they often build this functionality into the malware itself. As an example, Conficker exploits vulnerabilities, abuses Autorun, and guesses passwords to infect users. Other families, like Taterf, Vobfus, Ramnit, and Renocide, focus on Autorun abuse and incorporate social engineering tricks that require user interaction. However, the report provides insight into the frequency with which these methods were being used to spread. It also puts zero-day into context against the other propagation methods.

Zero-day vulnerabilities tend to strike fear in the hearts of consumers and IT professionals, and for good reason. They combine fear of the unknown and an inability to fix the vulnerability, which leaves customers feeling defenseless. It’s no surprise that zero-day vulnerabilities receive enormous coverage in the press when they happen, and should be treated with the utmost level of urgency by the affected vendor and the vendors’ customers. Despite the level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape.

The purpose of our featured story in SIRv11 was to put zero-day threats into context against the other malware propagation vectors and encourage IT Professionals to consider this information when prioritizing their security practices. Zero-day threats are real and I don’t want to diminish the risk they represent. However, we hope that users will take this information into consideration when prioritizing their security efforts.

The study just scratches the surface on the intelligence contained in the SIRv11. For more information on global or regional threat trends, check out the website. As I said, the report is huge and contains data from over 600 million systems worldwide, over 280 million Hotmail accounts, billions of pages scanned by Bing each day, and, more importantly, the report provides prescriptive guidance to help protect against the bad guys.

I hope you enjoy this report. If you would like to provide input on ideas for future reports, join the SIR Community where you can gain early access to upcoming announcements and SIR events, learn about early concept ideas and extended content, and participate in feedback surveys that help to drive the direction of data analyzed.

Thanks again and stay safe!!

Vinny Gullotto
General Manager
Microsoft Malware Protection Center

Rustock report: Stopping a major source of spam

In March we reported that Microsoft, in cooperation with industry and academic partners, had taken down the Rustock botnet, a notorious source of spam, fraud, and cybercrime.

Hard disks confiscated from Rustock command and control servers

This week Microsoft released new information that explores how Rustock works and how Microsoft defeated the botnet.