Today we released a large body of new data and analysis on the threat landscape in volume 11 of the Microsoft Security Intelligence Report (SIRv11). This volume of the SIR is the largest and most in-depth report on threats that we have ever developed. SIRv11 is ~800 pages of threat intelligence that includes:

• New industry vulnerability disclosure trends and analysis
• New data and analysis of global vulnerability exploit activity
• Latest trends and analysis on global malware and potentially unwanted software
• New deep dive analysis of threat trends in more than 100 locations around the world
• New data and insights on how attackers are using spam and other email threats
• Latest global and regional data on malicious websites including phishing sites, malware hosting sites and drive-by download sites

One question I frequently get asked when talking to customers about global malware threats is how exactly do the top malware families successfully spread? The reason I get asked this question often is that if customers can understand the techniques that specific successful malware families use to propagate, then they can more effectively defend against them. The challenge answering this question with enough detail to be actionable is that malware families today are highly blended, using numerous techniques to spread, and are constantly being updated by attackers (sometimes hundreds or thousands of times per day).

To help answer this question Microsoft conducted a new research study on the propagation and distribution techniques of the most prevalent and severe malware families in the first half of 2011. The study also examines exploit attempts during the same period in order to estimate the relative proportions of exploitation before and after a security update is released. The results of this study are very interesting and have the potential to help many organizations prioritize how and where they focus their risk management efforts.

I encourage you to read the background and methodology information on this study in SIRv11 so that you fully understand its scope. As seen in the graph below, the study classifies malware propagation methods into nine categories and estimates the number of infections attributed to each category.

Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods

Infections relying on user interaction to spread account for 45 percent of attacks analyzed.

More than a third of the detections that were analyzed were attributed to misuse of the AutoRun feature in Windows. I have written about this type of attack before: Defending Against Autorun Attacks. Analyzed threats were split between USB AutoRun threats (26 percent of the total) and network volume AutoRun threats (17 percent of the total).

About 6 percent of the infections were likely due to exploits.

• Of this 6 percent, the majority had had security updates available for more than a year at the time of detection (classified as “Exploit Update Long Available” in the graph above)
• The remainder involved exploits for vulnerabilities for which security updates had been released less than a year before detection (classified as “Exploit Update Available” in the graph above).
• None of these major malware families were documented as using zero-day exploits (attacks on vulnerabilities with no security update available) in the first half of 2011.

File infectors, viruses that spread by infecting other files, accounted for 4 percent of attacks.

The password brute force (2 percent of total) and Office macro (0.3 percent of total) behaviors were each identified in just one of the families examined in the study.

The second part of the study focusing on vulnerability exploit attempts revealed that zero-day exploitation accounted for about 0.12 percent of all exploit activity in the first half of 2011, reaching a peak of 0.37 percent in June.

Figure: Percent of exploits that were 0-Day in the first half of 2011

There are many interesting aspects to this study. But there are two key takeaways that I’d like to highlight.

1. The risk associated with zero-day exploits is real and should be represented in organizations’ risk management plans. That said, the data in this study helps put that risk into perspective relative to the top malware threats and exploit attempts observed in use on the Internet. One factor that is likely helping to keep the risk of zero-day exploits relatively low is mitigation technologies built into Windows, such as DEP and ASLR. These mitigations make it very difficult and, in some cases, impossible to reliably exploit vulnerabilities that exist in software. The key is that developers need to opt into using these mitigation technologies. Organizations should demand that their software vendors develop software that uses these mitigation technologies. To verify that the software you currently have deployed or are planning to deploy in your environment, use these mitigations, you can use one of these free tools: BinScope Binary Analyzer or Attack Surface Analyzer. If you find that some of the software your organization needs does not use these mitigations, another free tool might be able to help - the Enhanced Mitigation Experience Toolkit.

2. It is easy to read headlines about targeted attacks and advanced persistent threat, and come to the conclusion that you need to re-evaluate how you are defending your organization’s IT infrastructure. You might very well need to do this. But, the data in this study helps draw a slightly different conclusion. Focusing on fundamental risk management and security practices will help organizations defend against 99.9% of the attacks observed in use on the Internet.

Again, I encourage you to download SIRv11 and read all of the details of this new research study, in addition to the hundreds of pages of threat intelligence. Please feel free to download the report and watch related videos at www.microsoft.com/sir.

Tim Rains
Director, Product Management
Trustworthy Computing Communications