Archive for the ‘SIR v11’ Category

Update on the Zbot spot!

October 31st, 2011 No comments

Hello Internet!

I’m back to update you on our changes to Zbot in the Malicious Software Removal Tool (MSRT). We reviewed the data coming back from MSRT in September and incorporated the findings into October’s MSRT (and beyond), which means we are now in a position to provide additional information.

As I mentioned in the previous blog post, the purpose of our special Zbot September update was to glean an insight into the effectiveness of MSRT against this prolific threat. Couple that with a focus on the Zbot family and, suffice it to say, we’re pretty happy with our findings and results!

And now, onto the numbers!

Historically, and prior to the September 2011 release, MSRT consistently detected about 90% of PWS:Win32/Zbot variants in the wild. For the month of September 2011, we detected and removed PWS:Win32/Zbot from around 185,000 distinct Windows computers, a stark increase to the months beforehand, which we can attribute the increase to additional technology added to MSRT for just such an occasion.

For October so far, we’ve removed Zbot from over 88,000 computers and we expect that number to grow to around 100,000 – again, a very good result from MSRT, illustrated in the chart below that lists October 2011 MSRT data:


MSRT Family
Threat Reports
Machines Detected


These increased numbers are also likely a result of new functionality we’ve seen in Zbot recently. It seems that some variants now automatically spread via the Windows autorun functionality; something that is very common with other prolific malware families, so it’s not very surprising we’re seeing it now – but is surprising we hadn’t seen it before now. Regarding autorun, Microsoft released a security update in February of 2011 that changed its default behavior – the result was an overall decline in threats utilizing autorun as a spreading mechanism. There is a Microsoft Knowledge Base article that discusses how to disable autorun in Windows, here.

October 25th marked the tenth anniversary of the release of Windows XP.  And what a difference a decade makes! Consumers should upgrade to the newest operating system version in order to take advantage of enhanced security features of Windows 7 including AppLocker, User Account Control (UAC), Data Execution Prevention (DEP) and Structured Exception Handling Overwrite Protection (SEHOP). The recently released Microsoft Security Intelligence Report volume 11 shows that the latest Windows 7, 32-bit OS is six times less likely to become infected than the comparable Windows XP SP3.

And finally a reminder, MSRT isn’t a replacement for a full antivirus solution. You’re already infected when MSRT detects malware – using a security application with real-time protection can help prevent you from becoming infected in the first place.


Matt McCormack
MMPC Melbourne

There’s more than one way to skin an orange…

October 21st, 2011 No comments

​When it comes to attacking a system, and compromising its data and/or resources, there are several different methods that an attacker can choose. One of the more effective ways to make a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability refers to a characteristic of a system that renders it susceptible to some form of attack. Kind of like a weakness, but a weakness that does not necessarily indicate a problem with the system’s design.

Vulnerabilities may be present in any component of the targeted system. You can have vulnerabilities in the hardware that supports the system, or vulnerabilities in the software that runs on the system, but you can also have vulnerabilities that occur as people use the system, or in the people themselves.  People, both literally and figuratively, can be soft targets and attackers often try to compromise systems by attempting to exploit how people behave.

This type of attack is known as social engineering. Essentially, in social engineering, attackers attempt to exploit vulnerabilities in human behavior in order to make the victim being targeted act in a manner of the attacker’s choosing, even though that is unlikely to be in the victim’s best interest. So rather than exploiting vulnerabilities in hardware or software, social engineering attempts to exploit vulnerabilities in the ‘wetware’ (i.e. the people).

Examples of social engineering techniques used by malware for distribution or other purposes can range from the simple yet effective ("Install this codec in order to watch this amusing video"), to the elaborate and complex (most Rogue security software), to the targeted (by taking advantage of existing trust relationships using specially compromised accounts or services).

So, you can upgrade your hardware and update your software (and we absolutely recommend that you do), but how do you upgrade/update people to make them less vulnerable to attack? It’s a classic question in computer security but there are measures you can take that will make the people in your organization less likely to be compromised in this manner.

The latest issue of the Microsoft Security Intelligence Report (SIRv11) contains detailed advice for IT professionals and organizations on how to limit exposure to social engineering attacks. The section Advice to IT Professionals on Social Engineering‘ (p42) provides a number of tangible steps that can be taken to protect an organization from this most nefarious of attacks.

Highly recommended reading for any organizations that contain people…

Heather Goudey
MMPC Melbourne

SIRv11: Putting Vulnerability Exploitation into Context

October 14th, 2011 No comments

As Vinny Gullotto, our GM blogged earlier in the week, the 11th edition of the Security Intelligence Report (SIRv11) has been released. One of the new areas of research in this release is a study of the most prevalent kinds of vulnerability exploitation and how much of that exploitation is 0-day (short for zero-day, an attack or exploitation of a vulnerability without an available update). We took two paths to find this answer. The first was an analysis of how the top families found by the Microsoft Malicious Software Removal Tool (MSRT) were known to infect systems. We found that none of the top 27 families were known to use 0-day vulnerabilities in 1H11.

The second way we approached this answer was to measure all of the exploit activity tracked by the MMPC through our real-time protection products (such as Microsoft Security Essentials and Forefront Endpoint Protection) and compare the number of attacks that were 0-day at the time (no update available) versus attacks that occurred after the update was made available. We actually gave a month buffer zone (so any exploits that happened during the month in which the update was made available was still counted as 0-day). We expected the percentage to be low, and it was– 0.12 percent to be exact for 1H11. Here’s what it looks like in chart form:

Chart illustrating percentage of exploits that were 0-day in 1H11
Chart 1 – Chart illustrating percentage of exploits that were 0-day in 1H11

One question that we discussed a lot while working on this report was: How do we measure what we don’t know and therefore can’t see? (In other words, 0-day by definition means you may not know about it.) Great question! Answer: We can’t measure what we can’t see. However, what we have seen tells us that “secret 0-days” don’t stay a secret for very long. Take, for example, a few we tracked in 2010. These attacks nearly always started out as targeted – sometimes reported as affecting only one entity when they were discovered. The trend they have in common is that they broaden to more generalized use (eventually) and we find out about them sooner or later.

  • CVE-2010-0806 was a 0-day affecting Internet Explorer 6 and 7 on older operating systems (like Vista and XP) that was reported as being used in targeted attacks. A few days later, after the release of public exploit code, we saw those attacks escalate and they have remained a sizable part of exploit activity throughout 2011.
  • CVE-2010-3962, which we dubbed the Weekend Warrior for its peaks of activity in Korea on the weekends, was discovered in Nov. 2010 when it was used in targeted attacks. Attackers broadened the targets of their attacks near the end of the month.
  • Another example is CVE-2010-3962, the vulnerability that used malicious .lnk files that was found with Stuxnet. It took a matter of weeks before this one technique used in this very targeted, singular attack got picked up by many other families of malware like Sality, broadening the impact considerably.

The point here is that although it’s true that “you don’t know what you don’t know,” our experience tells us that when it comes to 0-day activity, we find out, and often, we find out quite quickly. Things start to unravel rapidly the moment the 0-day affects either a target that’s really paying attention or when the attacks start to affect a broader, less targeted audience.

So, even if our estimates for 0-day activity were off by 5 fold, the estimated activity for 1H11 would remain under 1 percent. That’s still pretty small.

Most Frequent Exploits

So, now that the question of 0-day is out of the way, let’s talk about the broader volumes of exploit activity that were revealed in SIRv11. Although there are many interesting trends in the chart below, I want to focus on a few of them in this blog: Java (and the age of vulnerabilities in general) and Operating System vulnerabilities. If you want details about the other categories in this chart, see the full Security Intelligence Report.


Exploit activity over a one year period

Chart 2 – Exploit activity over a one year period

Java Exploits

As we blogged a year ago, in 3Q10, the exploitation of Java vulnerabilities skyrocketed to new levels that we had never seen before. The analysis in SIRv11 shows that Java exploitation remains high and that the targeted vulnerabilities are quite old. The top four Java exploits are CVE-2010-0840, CVE-2008-5353, CVE-2010-0094, and CVE-2009-3867. These CVEs affect the Oracle Sun Java JRE or JDK, and all of them have updates available to fix them now. The most recent, CVE-2010-0094 and CVE-2010-0840, received updates in April 2010 after following a coordinated disclosure process with an external vendor.

Operating System Exploits

The jump in operating system exploits is primarily due to one technique: CVE-2010-2568 (the vulnerability mentioned earlier that was found with Stuxnet). This exploit was picked up by a number of families that were known to abuse Autorun. And, although CVE-2010-2568 has nothing to do with Autorun itself, the behavior is quite similar: the user connects to a USB device and browses the drive, the malware automatically executes (if the user hasn’t applied the update to fix the issue, that is). Malware authors must have found this exploit technique alluring. At least, the data certainly seems to indicate that they did. It’s also possible that attackers, after Microsoft released updates to harden the Autorun feature on older systems (which did appear to put a dent in their ability to infect users), were searching for ways to broaden their infection rate.

Another interesting aspect in our exploit data on CVE-2010-2568 is the location of the targets. I recently did a talk at Virus Bulletin on the top exploits of 2011, and in that talk, I looked at geographical differences for regions that face the most exposure to exploitation attempts. Several regions that were at the top, Indonesia, Pakistan, and Vietnam, were there because of exploitation attempts for CVE-2010-2568. If you combine those three locations with two more, India and Mexico, those five together represent 52% of all the computers that have reported CVE-2010-2568 attack attempts in the first three quarters of this year. Although I don’t have update statistics for these regions, this data might indicate that there are large numbers of systems there that have not yet applied this very important update (MS10-046).

Net Net

I’ve talked about a lot of data in this post, and sometimes it’s hard to synthesize it. The key point of the exploit analysis in SIRv11 is that older vulnerabilities are what the vast majority of exploitation attempts target (90 percent are more than a year old). The special 0-day section of the report takes this concept even further – we look at how much of the malware infections are actually attributed to the exploit of vulnerabilities in general. (The answer: Less than 6 percent in 1H11.) To find out what the other 94 percent of infections are attributed to, download the report and keep your eye on this blog for more analysis to come.

– Holly Stewart, MMPC

New: Microsoft Security Intelligence Report Volume 11- Now Available

October 11th, 2011 No comments

Hi, again everyone!

Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11.   I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world.  The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially unwanted software.  We also cover third party products in the report.

As part of SIRv11, we’ve included an in-depth analysis titled “Zeroing in on malware propagation.”

The purpose of this study is to help customers better understand where malware was propagating and encourage the use of this information to prioritize where and how to focus risk management efforts.  In contrast to popular belief, this study found that zero-day vulnerabilities accounted for a very small percentage of actual infections.  In fact, none of the top malware families detected through our tools like the Malicious Software Removal Tool and Microsoft Security Essentials, and others propagated through the use of a zero-day.  And while some smaller families did take advantage of these types of vulnerabilities, less than 1 percent of all vulnerability attacks were against zero-day vulnerabilities – in other words, approximately 99% of attempted attacks impacted vulnerabilities for which an update was available.

While these statistics may come as a surprise to some, the key takeaway is how malware was actually propagating and we found that to be through  user interaction-typically employing social engineering techniques, Autorun feature abuse, file-infection, various exploits (with updates available) and brute force password attacks. This study provides insight into the frequency in which these methods were being used to spread malware, and puts zero-day vulnerabilities into context against other propagation methods.

The graph below outlines the areas I’ve mentioned and gives you a good idea of where we’re seeing malware propagate from – essentially the methods.

Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

We’ve always known the bad guys use multiple methods of malware distribution to compromise users, and they often build this functionality into the malware itself.  As an example, Conficker exploits vulnerabilities, abuses Autorun, and guesses passwords to infect users.  Other families, like Taterf, Vobfus, Ramnit, and Renocide focus on Autorun abuse and incorporate social engineering tricks that require user interaction.  However the report provides insight into the frequency in which these methods were being used to spread.  It also puts zero-day into context against the other propagation methods.

Zero-day vulnerabilities tend to strike fear in the hearts of consumers and IT professionals, and for good reason. They combine fear of the unknown and an inability to fix the vulnerability, which leaves customers feeling defenseless. It’s no surprise that zero-day vulnerabilities receive enormous coverage in the press when they happen, and should be treated with the utmost level of urgency by the affected vendor and the vendors’ customers. Despite the level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape.

The purpose of our featured story in SIRv11 was to put zero-day threats into context against the other malware propagation vectors and encourage IT Professionals to consider this information when prioritizing their security practices.  Zero-day threats are real and I don’t want to diminish the risk they represent.  However we hope that users will take this information into consideration when prioritizing their security efforts.  

The study just scratches the surface on the intelligence contained in the SIRv11.  For more information on global or regional threat trends, check out the website.  As I said the report is huge and  contains data from over 600 million systems worldwide, over 280 million Hotmail accounts, billions of pages scanned by Bing each day and more importantly the report provides prescriptive guidance to help protect against the bad guys.

I hope you enjoy this report.  If you would like to provide input on ideas for future reports, join the SIR Community where you can gain early access to upcoming announcements and SIR events, learn about early concept ideas and extended content as well as participate in feedback surveys that help to drive the direction of data analyzed.

Thanks again and stay safe!!

Vinny Gullotto 
General Manager
Microsoft Malware Protection Center