The new Security Intelligence Report (SIR) is out from the Microsoft Malware Protection Center (MMPC) – the folks who make Forefront’s anti-malware engine.  Vinnie Gullotto writes on the MMPC blog:

The SIR shares the conclusions drawn by our research team using data gathered from the Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, Windows Live OneCare safety scanner, Exchange Hosted Services, and Forefront Client Security (FCS).  The net of this, is threat related data from several hundred million Windows based systems.

From the data in the SIR we can see that the trends continue in a direction that indicates attackers are financially motivated and are adjusting their tactics along with constantly modifying the threats, both malicious and potentially unwanted (you can read more about what distinguishes each of these in the report)  they use to support this goal.  Some examples of findings in the new SIR:

·         Significant increases in categories, such as Trojan downloaders, potentially unwanted software (which includes rogue security software), and exploits, suggest that distribution of potentially unwanted software is less and less a matter of a normal affiliate model and more often malicious and/or criminal in method and intent.

·         We found 65% less Potentially Unwanted Software and 60% less malware on computers running Windows Vista than on computers running Windows XP SP2.

There’s more on the MMPC blog.
You can read the SIR at  www.microsoft.com/sir

Paul Smith, a designer and retailer of clothing and luxury goods, wanted a client security solution that would be easier to manage. The current solution had to be maintained separately, which conflicted with the company goal of a more streamlined, integrated IT environment. To improve efficiency, Paul Smith chose a solution based on Microsoft Forefront Client Security. Although still in the early stages of implementation, the company reports that integration with familiar tools like Microsoft Systems Management Server and Operations Manager are simplifying management. The IT team has better control over client security through detailed reporting and more effective administration of software and virus definition updates. The company also plans to expand its security solution by deploying Microsoft Forefront Security for Exchange Server and Forefront Security for SharePoint.

 There’s more...

Or, to be more precise, it sure looks like they do.

In my other post on the publicly available spam tool, I mentioned that I came across a page that allowed people to verify whether or not an email address is actually live.  The question naturally arises: do spammers clean up their email contact lists based upon whether or not the address is legitimate?

Spammers would have an incentive to do this - the fewer mails they have to send, the fewer resources they have to consume.  Spam blitzes depend on spammers sending out as much as possible in as small a window as possible.  The fewer the bots sending mail, the smaller the rate of spam detection.

Do we actually observe spammers changing their sending patterns?  I believe that we have evidence that they do.  Our customers have the option of doing Directory Services blocks.  The way that this works is that customers upload a list of legitimate email addresses to us.  When a message hits our network, we look up to see whether or not that email address is available (live).  If no such email address exists on the domain, we send back a 554 - Recipient Address Not Available.  These are called Directory Service Blocks, or DS blocks for short.

Recently, some customers have started using our DS services more actively.  When they do, they have said that the number of total spam blocks in their statistics drop dramatically, sometimes by a factor of 10.  Whereas before they were seeing 10 million spam blocks prior to using DS, now they are seeing only 1 million spam blocks.  That's a huge drop.  What gives?  (It's not a problem with our reporting mechanism, btw).

As it turns out, it looks like spammers are changing their behaviour based upon return codes.  DS blocks are our first level of spam blocks and then IP blocklists (which send 550s) are our second level.  What appears to be happening is the following:

• If a spammer or bot gets 550'ed, they don't give up right away.  They move onto a different bot and continue to try to send the same spam.  The theory is that the bot is rejected but the email address is still good.
  
• If a spammer gets 554'ed, they stop sending mail to that email address.  The theory is that the email address is not legitimate, so why bother sending mail?

If this is indeed what is going on, it shows a clever resilience amongst the spam and bot community that allow them to learn what is going on in response to their tactics, and  then change their tactics appropriately.  This doesn't surprise me, I have stated in the past (somewhere) that spammers are like antibiotic-resistant bacteria, evolving to deal with new threats and figuring out ways to survive.

Of course, if this hypothesis is correct, then it means that spammers are using very polluted lists, that is, emails to no where.  Looks like whoever sold them those lists didn't give them much quality.  That makes me feel a little better, taking the time to engage in a little schadenfreude.

The Forefront server security products provide several key security capabilities to Exchange and SharePoint customers, including an advanced multiple anti-virus engine manager that allows you to concurrently run up to 5 of the included Microsoft and third-party anti-malware engines. Using multiple scan engines delivers several critical advantages:

• It increases the chances that emerging threats will be quickly caught.
• It provides redundancy to help protect against scan failures or defects in individual engines; if an engine fails, other engines continue scanning messages.
• It gives administrators an effective way to choose the most appropriate level of protection for their environment given their security needs and server performance capabilities.
• It allows engines to be taken offline for updates or reconfiguration without forcing messages to be queued.

A recent set of tests performed by the independent AV-Test.org group found some surprising differences in signature update times from various vendors. The tests compared AV lab response times for eighty-two “in the wild” viruses and variants. Twenty-six of the viruses were quickly detected by all the scan engines, but some engines didn’t detect viruses for more than twenty-four hours. In a few cases (notably 0506 Banwarum.C@mm), some vendors didn’t update their signatures to provide a block until nearly five days had elapsed! Because Forefront Security for Exchange Server and Forefront Security for SharePoint combine multiple engines, the odds that a virus will go unblocked or undetected for long periods are greatly reduced. Organizations benefit from all updates for the set of engines you use, not just from updates to a single engine.

For a larger version of this chart go here

There is a new spam outbreak that hit today, spam in mp3's.  The filenames of the spam varies, and includes some of the following:

• Emotional ties, for example: dadsong.mp3, oursong.mp3, weddingsong.mp3
  
• Well-known artists and songs, for example: santana.mp3, sayyousayme.mp3, smashingpumpkins.mp3, bbrown.mp3, bspears.mp3, gloriaestefan.mp3, beatles.mp3
  
• Other "sounds" that people might want to listen to, for example: answeringmachine.mp3, coolringtone.mp3, listentothis.mp3

We've got some spam rules out there to catch these things, we'll know in the next couple of days how effective they are.