Hi, again everyone!

Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11.   I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world.  The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially unwanted software.  We also cover third party products in the report.

As part of SIRv11, we’ve included an in-depth analysis titled “Zeroing in on malware propagation.”

The purpose of this study is to help customers better understand where malware was propagating and encourage the use of this information to prioritize where and how to focus risk management efforts.  In contrast to popular belief, this study found that zero-day vulnerabilities accounted for a very small percentage of actual infections.  In fact, none of the top malware families detected through our tools like the Malicious Software Removal Tool and Microsoft Security Essentials, and others propagated through the use of a zero-day.  And while some smaller families did take advantage of these types of vulnerabilities, less than 1 percent of all vulnerability attacks were against zero-day vulnerabilities – in other words, approximately 99% of attempted attacks impacted vulnerabilities for which an update was available.

While these statistics may come as a surprise to some, the key takeaway is how malware was actually propagating and we found that to be through  user interaction-typically employing social engineering techniques, Autorun feature abuse, file-infection, various exploits (with updates available) and brute force password attacks. This study provides insight into the frequency in which these methods were being used to spread malware, and puts zero-day vulnerabilities into context against other propagation methods.

The graph below outlines the areas I’ve mentioned and gives you a good idea of where we’re seeing malware propagate from – essentially the methods.

Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

We’ve always known the bad guys use multiple methods of malware distribution to compromise users, and they often build this functionality into the malware itself.  As an example, Conficker exploits vulnerabilities, abuses Autorun, and guesses passwords to infect users.  Other families, like Taterf, Vobfus, Ramnit, and Renocide focus on Autorun abuse and incorporate social engineering tricks that require user interaction.  However the report provides insight into the frequency in which these methods were being used to spread.  It also puts zero-day into context against the other propagation methods.

Zero-day vulnerabilities tend to strike fear in the hearts of consumers and IT professionals, and for good reason. They combine fear of the unknown and an inability to fix the vulnerability, which leaves customers feeling defenseless. It’s no surprise that zero-day vulnerabilities receive enormous coverage in the press when they happen, and should be treated with the utmost level of urgency by the affected vendor and the vendors’ customers. Despite the level of concern, there has been little measurement of the zero-day threat in the context of the broader threat landscape.

The purpose of our featured story in SIRv11 was to put zero-day threats into context against the other malware propagation vectors and encourage IT Professionals to consider this information when prioritizing their security practices.  Zero-day threats are real and I don’t want to diminish the risk they represent.  However we hope that users will take this information into consideration when prioritizing their security efforts.  

The study just scratches the surface on the intelligence contained in the SIRv11.  For more information on global or regional threat trends, check out the website.  As I said the report is huge and  contains data from over 600 million systems worldwide, over 280 million Hotmail accounts, billions of pages scanned by Bing each day and more importantly the report provides prescriptive guidance to help protect against the bad guys.

I hope you enjoy this report.  If you would like to provide input on ideas for future reports, join the SIR Community where you can gain early access to upcoming announcements and SIR events, learn about early concept ideas and extended content as well as participate in feedback surveys that help to drive the direction of data analyzed.

Thanks again and stay safe!!

Vinny Gullotto 
General Manager
Microsoft Malware Protection Center