Archive for the ‘Vinny Gullotto’ Category

SIRv11: Putting Vulnerability Exploitation into Context

October 14th, 2011 No comments

As Vinny Gullotto, our GM blogged earlier in the week, the 11th edition of the Security Intelligence Report (SIRv11) has been released. One of the new areas of research in this release is a study of the most prevalent kinds of vulnerability exploitation and how much of that exploitation is 0-day (short for zero-day, an attack or exploitation of a vulnerability without an available update). We took two paths to find this answer. The first was an analysis of how the top families found by the Microsoft Malicious Software Removal Tool (MSRT) were known to infect systems. We found that none of the top 27 families were known to use 0-day vulnerabilities in 1H11.

The second way we approached this answer was to measure all of the exploit activity tracked by the MMPC through our real-time protection products (such as Microsoft Security Essentials and Forefront Endpoint Protection) and compare the number of attacks that were 0-day at the time (no update available) versus attacks that occurred after the update was made available. We actually gave a month buffer zone (so any exploits that happened during the month in which the update was made available was still counted as 0-day). We expected the percentage to be low, and it was– 0.12 percent to be exact for 1H11. Here’s what it looks like in chart form:

Chart illustrating percentage of exploits that were 0-day in 1H11
Chart 1 – Chart illustrating percentage of exploits that were 0-day in 1H11

One question that we discussed a lot while working on this report was: How do we measure what we don’t know and therefore can’t see? (In other words, 0-day by definition means you may not know about it.) Great question! Answer: We can’t measure what we can’t see. However, what we have seen tells us that “secret 0-days” don’t stay a secret for very long. Take, for example, a few we tracked in 2010. These attacks nearly always started out as targeted – sometimes reported as affecting only one entity when they were discovered. The trend they have in common is that they broaden to more generalized use (eventually) and we find out about them sooner or later.

  • CVE-2010-0806 was a 0-day affecting Internet Explorer 6 and 7 on older operating systems (like Vista and XP) that was reported as being used in targeted attacks. A few days later, after the release of public exploit code, we saw those attacks escalate and they have remained a sizable part of exploit activity throughout 2011.
  • CVE-2010-3962, which we dubbed the Weekend Warrior for its peaks of activity in Korea on the weekends, was discovered in Nov. 2010 when it was used in targeted attacks. Attackers broadened the targets of their attacks near the end of the month.
  • Another example is CVE-2010-3962, the vulnerability that used malicious .lnk files that was found with Stuxnet. It took a matter of weeks before this one technique used in this very targeted, singular attack got picked up by many other families of malware like Sality, broadening the impact considerably.

The point here is that although it’s true that “you don’t know what you don’t know,” our experience tells us that when it comes to 0-day activity, we find out, and often, we find out quite quickly. Things start to unravel rapidly the moment the 0-day affects either a target that’s really paying attention or when the attacks start to affect a broader, less targeted audience.

So, even if our estimates for 0-day activity were off by 5 fold, the estimated activity for 1H11 would remain under 1 percent. That’s still pretty small.

Most Frequent Exploits

So, now that the question of 0-day is out of the way, let’s talk about the broader volumes of exploit activity that were revealed in SIRv11. Although there are many interesting trends in the chart below, I want to focus on a few of them in this blog: Java (and the age of vulnerabilities in general) and Operating System vulnerabilities. If you want details about the other categories in this chart, see the full Security Intelligence Report.


Exploit activity over a one year period

Chart 2 – Exploit activity over a one year period

Java Exploits

As we blogged a year ago, in 3Q10, the exploitation of Java vulnerabilities skyrocketed to new levels that we had never seen before. The analysis in SIRv11 shows that Java exploitation remains high and that the targeted vulnerabilities are quite old. The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867. These CVEs affect the Oracle Sun Java JRE or JDK, and all of them have updates available to fix them now. The most recent, CVE-2010-0094 and CVE-2010-0840, received updates in April 2010 after following a coordinated disclosure process with an external vendor.

Operating System Exploits

The jump in operating system exploits is primarily due to one technique: CVE-2010-2568 (the vulnerability mentioned earlier that was found with Stuxnet). This exploit was picked up by a number of families that were known to abuse Autorun. And, although CVE-2010-2568 has nothing to do with Autorun itself, the behavior is quite similar: the user connects to a USB device and browses the drive, the malware automatically executes (if the user hasn’t applied the update to fix the issue, that is). Malware authors must have found this exploit technique alluring. At least, the data certainly seems to indicate that they did. It’s also possible that attackers, after Microsoft released updates to harden the Autorun feature on older systems (which did appear to put a dent in their ability to infect users), were searching for ways to broaden their infection rate.

Another interesting aspect in our exploit data on CVE-2010-2568 is the location of the targets. I recently did a talk at Virus Bulletin on the top exploits of 2011, and in that talk, I looked at geographical differences for regions that face the most exposure to exploitation attempts. Several regions that were at the top, Indonesia, Pakistan, and Vietnam, were there because of exploitation attempts for CVE-2010-2568. If you combine those three locations with two more, India and Mexico, those five together represent 52% of all the computers that have reported CVE-2010-2568 attack attempts in the first three quarters of this year. Although I don’t have update statistics for these regions, this data might indicate that there are large numbers of systems there that have not yet applied this very important update (MS10-046).

Net Net

I’ve talked about a lot of data in this post, and sometimes it’s hard to synthesize it. The key point of the exploit analysis in SIRv11 is that older vulnerabilities are what the vast majority of exploitation attempts target (90 percent are more than a year old). The special 0-day section of the report takes this concept even further – we look at how much of the malware infections are actually attributed to the exploit of vulnerabilities in general. (The answer: Less than 6 percent in 1H11.) To find out what the other 94 percent of infections are attributed to, download the report and keep your eye on this blog for more analysis to come.

– Holly Stewart, MMPC

New: Microsoft Security Intelligence Report Volume 11- Now Available

October 11th, 2011 No comments

Hi, again everyone!

Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11.   I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world.  The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially unwanted software.  We also cover third party products in the report.

As part of SIRv11, we’ve included an in-depth analysis titled “Zeroing in on malware propagation.”

The purpose of this study is to help customers better understand where malware was propagating and encourage the use of this information to prioritize where and how to focus risk management efforts.  In contrast to popular belief, this study found that zero-day vulnerabilities accounted for a very small percentage of actual infections.  In fact, none of the top malware families detected through our tools like the Malicious Software Removal Tool and Microsoft Security Essentials, and others propagated through the use of a zero-day.  And while some smaller families did take advantage of these types of vulnerabilities, less than 1 percent of all vulnerability attacks were against zero-day vulnerabilities – in other words, approximately 99% of attempted attacks impacted vulnerabilities for which an update was available.

While these statistics may come as a surprise to some, the key takeaway is how malware was actually propagating and we found that to be through  user interaction-typically employing social engineering techniques, Autorun feature abuse, file-infection, various exploits (with updates available) and brute force password attacks. This study provides insight into the frequency in which these methods were being used to spread malware, and puts zero-day vulnerabilities into context against other propagation methods.

The graph below outlines the areas I’ve mentioned and gives you a good idea of where we’re seeing malware propagate from – essentially the methods.

Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

We’ve always known the bad guys use multiple methods of malware distribution to compromise users, and they often build this functionality into the malware itself.  As an example, Conficker exploits vulnerabilities, abuses Autorun, and guesses passwords to infect users.  Other families, like Taterf, Vobfus, Ramnit, and Renocide focus on Autorun abuse and incorporate social engineering tricks that require user interaction.  However the report provides insight into the frequency in which these methods were being used to spread.  It also puts zero-day into context against the other propagation methods.

Zero-day vulnerabilities tend to strike fear in the hearts of consumers and IT professionals, and for good reason. They combine fear of the unknown and an inability to fix the vulnerability, which leaves customers feeling defenseless. It’s no surprise that zero-day vulnerabilities receive enormous coverage in the press when they happen, and should be treated with the utmost level of urgency by the affected vendor and the vendors’ customers. Despite the level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape.

The purpose of our featured story in SIRv11 was to put zero-day threats into context against the other malware propagation vectors and encourage IT Professionals to consider this information when prioritizing their security practices.  Zero-day threats are real and I don’t want to diminish the risk they represent.  However we hope that users will take this information into consideration when prioritizing their security efforts.  

The study just scratches the surface on the intelligence contained in the SIRv11.  For more information on global or regional threat trends, check out the website.  As I said the report is huge and  contains data from over 600 million systems worldwide, over 280 million Hotmail accounts, billions of pages scanned by Bing each day and more importantly the report provides prescriptive guidance to help protect against the bad guys.

I hope you enjoy this report.  If you would like to provide input on ideas for future reports, join the SIR Community where you can gain early access to upcoming announcements and SIR events, learn about early concept ideas and extended content as well as participate in feedback surveys that help to drive the direction of data analyzed.

Thanks again and stay safe!!

Vinny Gullotto 
General Manager
Microsoft Malware Protection Center