Threat Research & Response Blog
Today, Microsoft released volume 15 of the Microsoft Security Intelligence Report (SIRv15). The report analyzes malware, exploits and more based on data from more than a billion systems worldwide and some of the Internet’s busiest online services.
During the past year, as we were planning this volume of the Security Intelligence Report, and as we considered how to improve the breadth and accuracy of guidance given to our customers, we gave a lot of thought to how best to represent malware prevalence beyond the data provided in past reports.
We needed to establish a metric that measured the impact of malware based on our real-time protection products.
We already report on infection rates using a metric called computers cleaned per mille (CCM), which represents the number of computers cleaned for every 1,000 executions of the Malicious Software Removal Tool (MSRT). This helps us describe how widespread an infection is.
To better understand the range of threats that affect computers today, it’s increasingly valuable to consider infection attempts, including attempts that never result in infection. This data, which can only be provided by real-time security products, is measured by our new metric – the encounter rate. The encounter rate is the percentage of computers running Microsoft real-time security products that come across, or encounter, malware. When viewed together, the infection rate and the encounter rate provide different lenses through which to look at the malware landscape, assembling a picture that can contribute to a more informed risk assessment.
For example, one key finding to surface from the analysis of platforms by encounter rate and infection rate during the past year was that computers running Windows XP encountered about as much malware as computers running Windows 7. However, Windows XP computers experienced many more infections than other operating systems. In fact, Windows XP had an infection rate that was six times higher than Windows 8.
Figure 1: Infection and encounter rates for Windows operating systems
Later today we will publish another blog post that dives deeper into the analysis of Windows XP, in light of the upcoming end-of-support date – April 8, 2014. Tim Rains also talks more about this issue in his latest blog.
In our analysis of the landscape we also separate out malware from potentially unwanted software, based on severity. This distinction is important, since high/severe threats are serious enough that our products will remove these threats from computers automatically. Moderate/low threats, which we categorize as potentially unwanted software in this SIR, depend on user action to quarantine or remove.
We also show trends for countries with the highest and lowest encounter rates for malware and potentially unwanted software. Some countries appear on the highest and lowest lists for potentially unwanted software and not for malware. This helps draw conclusions about the effect of potentially unwanted software on certain regions, and helps zero in on the severe threats facing different locations.
As we look at threats regionally, we see one country that rose to significance in many parts of our analysis. Between the second half of 2012 and the first half of 2013, Turkey’s encounter rate increased by more than 13 percent. Exploits, miscellaneous trojans and worms were all encountered at higher levels in Turkey when compared with other regions globally. You can read further on our findings for Turkey and other countries in SIRv15.
Figure 2: Threat category prevalence worldwide and in the 10 locations with the most computers reporting detections in 2Q13. Totals for each location may exceed 100 percent because some computers reported threats from more than one category.
We also took a peek at the growing issue of ransomware - a type of malware designed to render a computer or its files unusable until the computer user pays a certain amount of money to the hacker. Often disguised as an official-looking warning from a well-known law enforcement agency, it accuses the computer user of committing a computer-related crime and demands that the user pay a fine via electronic money transfer to regain control of the computer.
We tracked the top ransomware families and found Win32/Reveton and Win32/Tobfy trending upward globally.
These are just a few of the many key findings contained in the latest report. To download the Microsoft Security Intelligence Report Volume 15, visit www.microsoft.com/sir.
We hope you will read it, pass it on to others to read, and use it as a resource to take action and help protect your computer and your organization’s systems from malicious software.
Vidya Sekhar MMPC
Awesome great teamwork, Thank-You.
Is Malware safe to have on your computer, does it really catch bad stuff and should you delete like it states on the site?
Statistics in SIR helpful for establishing base rate for statistical detection of Windows endpoint device compromises.
"until the computer user pays a certain amount of money to the hacker. "
I take offense to using the term "hacker" in that context. Clearly, the intent is to call them a criminal, or an extortionist.
Hackers are neither.