Today we released a large body of new data and analysis on the threat landscape in volume 11 of the Microsoft Security Intelligence Report (SIRv11). This volume of the SIR is the largest and most in-depth report on threats that we have ever developed. SIRv11 is ~800 pages of threat intelligence that includes:
One question I frequently get asked when talking to customers about global malware threats is how exactly the top malware families successfully spread. I get asked this question often because if customers understand the techniques that specific successful malware families use to propagate, they can more effectively defend against them. The challenge in answering this question with enough detail to be actionable is that malware families today are highly blended, use numerous techniques to spread, and are constantly being updated by attackers (sometimes hundreds or thousands of times per day).
To help answer this question Microsoft conducted a new research study on the propagation and distribution techniques of the most prevalent and severe malware families in the first half of 2011. The study also examines exploit attempts during the same period in order to estimate the relative proportions of exploitation before and after a security update is released. The results of this study are very interesting and have the potential to help many organizations prioritize how and where they focus their risk management efforts.
I encourage you to read the background and methodology information on this study in SIRv11 so that you fully understand its scope. As seen in the graph below, the study classifies malware propagation methods into nine categories and estimates the number of infections attributed to each category.
Figure: Malware detected by the Microsoft Windows Malicious Software Removal Tool (MSRT) in the first half of 2011, categorized by propagation methods
Infections relying on user interaction to spread account for 45 percent of attacks analyzed.
More than a third of the detections that were analyzed were attributed to misuse of the AutoRun feature in Windows. I have written about this type of attack before: Defending Against Autorun Attacks. Analyzed threats were split between USB AutoRun threats (26 percent of the total) and network volume AutoRun threats (17 percent of the total).
About 6 percent of the infections were likely due to exploits.
File infectors, viruses that spread by infecting other files, accounted for 4 percent of attacks.
The password brute force (2 percent of total) and Office macro (0.3 percent of total) behaviors were each identified in just one of the families examined in the study.
The second part of the study focusing on vulnerability exploit attempts revealed that zero-day exploitation accounted for about 0.12 percent of all exploit activity in the first half of 2011, reaching a peak of 0.37 percent in June.
Figure: Percent of exploits that were 0-Day in the first half of 2011
There are many interesting aspects to this study. But there are two key takeaways that I’d like to highlight.
1. The risk associated with zero-day exploits is real and should be represented in organizations’ risk management plans. That said, the data in this study helps put that risk into perspective relative to the top malware threats and exploit attempts observed in use on the Internet. One factor that is likely helping to keep the risk of zero-day exploits relatively low is the mitigation technologies built into Windows, such as DEP and ASLR. These mitigations make it very difficult and, in some cases, impossible to reliably exploit vulnerabilities that exist in software. The key is that developers need to opt into using these mitigation technologies. Organizations should demand that their software vendors develop software that uses these mitigation technologies. To verify that the software you currently have deployed, or are planning to deploy, in your environment uses these mitigations, you can use one of these free tools: BinScope Binary Analyzer or Attack Surface Analyzer. If you find that some of the software your organization needs does not use these mitigations, another free tool might be able to help - the Enhanced Mitigation Experience Toolkit.
2. It is easy to read headlines about targeted attacks and advanced persistent threats and come to the conclusion that you need to re-evaluate how you are defending your organization’s IT infrastructure. You might very well need to do this. But the data in this study helps draw a slightly different conclusion: focusing on fundamental risk management and security practices will help organizations defend against 99.9% of the attacks observed in use on the Internet.
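As an added illustration of the opt-in check described in point 1 above (example code written for this post, not the report's own or the output of BinScope or Attack Surface Analyzer), the script below reads a PE image's headers and reports whether it declares the DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE) opt-ins, including the case where the relocation table was stripped so the ASLR flag cannot take effect. The build_sample helper constructs minimal header bytes for demonstration only; in practice you would pass the bytes of a real executable or DLL to check_mitigations.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
RELOCS_STRIPPED = 0x0001  # IMAGE_FILE_RELOCS_STRIPPED in the COFF header


def check_mitigations(data: bytes) -> dict:
    """Report which DEP/ASLR opt-ins a PE image declares in its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    # COFF header: Characteristics is the last WORD, at offset 18 of 20
    characteristics = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    aslr_flag = bool(dll_chars & DYNAMIC_BASE)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        # Without relocations the loader cannot rebase, so ASLR is ineffective
        "aslr": aslr_flag and not relocs_stripped,
        "aslr_flag_set_but_relocs_stripped": aslr_flag and relocs_stripped,
    }


def build_sample(dll_chars: int, characteristics: int = 0,
                 pe32plus: bool = False) -> bytes:
    """Constructed minimal PE headers for testing (not a loadable image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("hardened:", check_mitigations(build_sample(DYNAMIC_BASE | NX_COMPAT)))
    print("legacy:  ", check_mitigations(build_sample(0)))
```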
Again, I encourage you to download SIRv11 and read all of the details of this new research study, in addition to the hundreds of pages of threat intelligence. Please feel free to download the report and watch related videos at www.microsoft.com/sir.
Tim Rains, Director, Product Management, Trustworthy Computing Communications