Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
In the six or seven years that we have been publishing the Microsoft Security Intelligence Report (SIR) I have seen many trends emerge over time. The threat landscape is constantly changing as attackers try to find methods that will help them compromise the systems they target. For several years viruses (file infectors) seemed to be out of favor with attackers as they used other categories of threats to attack systems.
Viruses simply didn’t support the profit motive many attackers had in the same way that Trojan Downloaders and Droppers, Miscellaneous Trojans, and Password Stealers and Monitoring Tools all did. Viruses are threats designed in an era before ubiquitous Internet connectivity made it easier for Worms to successfully self-propagate. Worms like SQL Slammer and Blaster spread around the world in minutes. This would likely take an old fashioned file-infector much, much longer to accomplish, limiting their ability to infect large numbers of systems quickly. Additionally, Viruses tend to be relatively “noisy” threats as they typically try to infect large numbers of files (.exe, .dll, .scr) on the systems they compromise. This characteristic can make them easier to detect than other more blended threats.
Subsequently, I have rarely seen the Virus threat category found on more than 5 percent of systems with detections globally. There have been regional exceptions like Korea, Russia, and Brazil, where I have seen relative Virus levels reach between 10 and 15 percent. But more recently I have noticed that Viruses seem to be making a comeback. As seen in Figure 1, the relative prevalence of Viruses has been trending up. The prevalence worldwide for the Virus threat category was 7.8 percent in the fourth quarter of 2012 (4Q12). Read more.
This morning at the Security Development Conference in San Francisco, I am joined by hundreds of organizations that have traveled from all over the world to learn more about proven practices in security development that can help reduce an organization’s risk to threats on the Internet. As we anxiously await the two keynotes by Scott Charney and Howard Schmidt to kick off the day, I am reminded of the early days of computing when security development was an afterthought for many organizations.
The threat landscape has evolved quite a bit over the past decade and the importance of software security is more evident than ever. To see so many security professionals in attendance at this year’s conference makes me cautiously optimistic that more and more organizations are starting to take application security seriously.
Despite the growing awareness on the need for application security, adoption numbers remain low. A recent Microsoft survey found that only 37% of IT Professionals worldwide cited their organizations as building their products and services with security in mind. In that same study, 61% of developers were not taking advantage of mitigation technologies that already exist such as ASLR, SEHOP and DEP. The three biggest roadblocks cited by IT professions and developers were management approval, lack of support and training and cost. Read more
I was in Tokyo a couple of weeks back, talking to people about the latest Microsoft Security Intelligence Report. According to the report, Japan continues to have one of the lowest malware infection rates in the world, as seen in Figure 1. The Microsoft Malicious Software Removal Tool (MSRT) found just 0.7 systems infected with malware for every 1,000 systems scanned in the fourth quarter of 2012. The worldwide average was 6.0 during the same period.
Read more.
In less than two weeks, the world’s best and brightest security professionals will converge on the InterContinental Hotel San Francisco, CA for the Security Development Conference! Don’t miss this opportunity to hear from industry experts who will discuss current security topics and issues.
REGISTER NOW using this discount code: IND@SDC#12 and save $300 off current registration prices. For more information, visit the website at www.securitydevelopmentconference.com or contact sdc@eventpoint.com
Yesterday we released the latest volume of the Microsoft Security Intelligence Report. Among the ~800 pages of new threat intelligence is a new study that attempts to quantify the benefit of running up-to-date anti-virus (AV) software. The study leveraged data from over a billion systems worldwide and it turns out that systems that do not have up-to-date AV are 5.5 times more likely to be infected with malware than systems that are protected. It’s also noteworthy that almost 270 million systems worldwide did not have up-to-date AV installed in the second half of 2012; many people that could be benefiting from the protection that AV offers, are not.
Didn’t we already know this?While it might seem like common sense that AV software is a good thing to have, I think much of the evidence I have seen to support this notion has mostly been anecdotal. I have attended and spoken at numerous security industry conferences over the past couple of years where I have heard more and more industry security experts question the efficacy of AV. The typical argument against AV is the erroneous assumption that since it can’t block or detect 100% of threats, including some of the high-profile targeted attacks that have been reported over the last few years, then it’s entirely worthless and not worth running.
To me, this point of view seems less than pragmatic as part of the challenge the industry has is to protect the billions of devices that are now continuously connected to the Internet from the flood of new threats that continually emerge. Since both the number of connected devices and the number of threats will only increase in the future, how to scale protections will always be important. More and more attackers are using automation and sophisticated techniques like server-side polymorphism to generate massive numbers of threats; Figure 1 below illustrates the estimated growth of malware since 1991 and Figure 2 shows 29,451,883 computers had detections/removals of malware in the ten most active countries in the 90 days of the fourth quarter of 2012 alone. In this type of environment AV is becoming more important, not less important. Read more.
We released the latest volume of the Microsoft Security Intelligence Report today that provides a large body of new data and analysis on the threat landscape. Volume 14 focuses on what the threat landscape looked like in the second half of 2012, including trend data from previous periods. This volume of the report contains:
In addition, we have included a section in the report focused on quantifying the value of using up-to-date antimalware software. This is a must read for those Information Technology/security professionals who are grappling with the challenge of articulating why investing in antimalware software is so important to the security of their organization, possibly among those questioning its efficacy.
I encourage you to download the new SIR and take full advantage of the new research it contains as well as the hundreds of pages of new threat intelligence. We also have a shorter Key Findings Summary available, new video content, and past volumes of the report, all at www.microsoft.com/sir.
Tim RainsDirectorTrustworthy Computing
For the past three and a half years, Win32/Conficker has been the top threat found in enterprise environments. We have reported on Conficker in the Microsoft Security Intelligence Report since the second half of 2008. No new variants of Conficker have been released in years and the methods it uses to propagate are well known, but once it finds its way into an environment it can be difficult to eliminate it.
New data just published in volume 14 of the report, focused on the second half of 2012 (2H12), shows that Conficker has competition as the number one threat in enterprise environments. Figure 1 shows that JS/IframeRef was encountered by more computers than Conficker in the second (2Q12) and fourth (4Q12) quarters of 2012. IframeRef was detected almost 3.3 million times in 4Q12. JS/IframeRef is a malicious piece of JavaScript code that is presented on infected or malicious websites. The purpose of the script is to redirect your browser to other sites that attempt to download malware onto your computer, often by exploiting unpatched software vulnerabilities. Read more..
As you might be aware, Microsoft releases its Security Intelligence Report (SIR) twice a year to help inform customers on changes in the threat landscape. The report includes data from over a billion systems worldwide, regional analysis for 105 countries/regions and is designed to help customers manage risk within their environments.
One of the things we thought we would do different for this release is give you a sneak peek look at what’s coming in volume 14 of the Microsoft Security Intelligence Report (SIRv14). Check out my video below for some of the latest threat trends to emerge in the second half of 2012.
Yesterday marked the one year countdown for the end of extended support for Windows XP Service Pack 3 (SP3). I wanted to pause today and lay out some of the important security implications of end of support so that customers are informed about what this change means to them.
It has been twelve years since the release of Windows XP and the world has changed so much since then. Internet usage has grown from ~361 million to more than 2.4 billion users. We have witnessed the rise of the internet citizen with members of society connected through email, instant messaging, video-calling, social networking and a host of web-based and device-centric applications. As the internet becomes more and more woven into the fabric of society, it has also become an increasingly popular destination for malicious activity (as evidenced in the Microsoft Security Intelligence Report.) Given the rapid evolution, software security has had to evolve to stay ahead of cybercrime. To help protect users from rapid changes in the threat landscape, Microsoft typically provides support for business and developer products for 10 years after product release, and most consumer, hardware, and multimedia products for five years after product release.