Meng-Chow Kang, CISSP, CISA (ISC) 2 Asia Advisory Board. Chief Security Advisor Microsoft Greater China Region

Transcription

1 Meng-Chow Kang, CISSP, CISA (ISC) 2 Asia Advisory Board Chief Security Advisor Microsoft Greater China Region

2 Vulnerability Disclosure, Malware, and Potentially Unwanted Software Information challenges in the New Economy Evolving Cybersecurity Strategy and Approach

3 Contains data and trends observed over the past several years, but focuses on the first half of 2007 (1H07) Focuses on Software Vulnerability Disclosures Software Vulnerability Exploits Malicious Software Potentially Unwanted Software Report is successor of 2H06 and 1H06 reports and the MSRT White paper: Progress Made, Trends Observed

4 Data sources Software Vulnerability Disclosures Common Vulnerabilities and Exposures Website National Vulnerability Database (NVD) Web site Security Web sites Vendor Web sites and support sites

5 Data sources Software Exploits Variety of public sources, including exploit archives, antivirus alerts, mailing lists, security related websites Microsoft Security Bulletins SecurityFocus

6 Data sources Malicious Software and Potentially Unwanted Software Data from several hundred million computers MSRT has a user base of 350+ million unique computers During 1H07 executed 1.9 billion times Since January 2005 total executions surpass 7.4 billion Product Name Windows Malicious Software Removal Tool Main Customer Segment Consumers Business Malicious Software Scan and Remove Prevalent Malware Families Real-time Protection Spyware and Potentially Unwanted Software Scan and Remove Real-time Protection Available at No Additional Charge Windows Defender Windows Live OneCare safety scanner Windows Live OneCare Microsoft Exchange Hosted Filtering Main Distribution Methods WU/AU Download Center Download Center Windows Vista Web Web Web/Store Purchase Forefront Client Security Volume Licensing

7

8 More than 3,400 new vulnerabilities disclosed in 1H07 from ALL software vendors (not just Microsoft) A decrease from 2H06 The first period-to-period decrease in total vulnerabilities since Vulnerability Disclosures

9 By severity Growth of Low and Medium severity issues appears to be reversing High severity vulnerabilities continue to grow It appears that Medium severity issues are being identified and disclosed much more aggressively Over half of all vulnerabilities disclosed in 1H07 were rated High severity Vulnerabilities by Severity Percentage Vulnerabilities by Severity Percentage 100% 80% 60% 40% 20% 0% High Medium Low High Medium Low

10 Complexity of exploit The increase in complex vulnerabilities reached a peak in 1H06, and declined in 2H06 and 1H07 to levels similar to 2004 and previous years The large drop in complexity from 2006 may be contributing to higher severity ratings Complexity of Exploit 100% 80% 60% 40% 20% 0% Complex Easy

11 OS versus application vulnerabilities Application vulnerabilities continued to grow relative to operating system vulnerabilities as a percentage of all disclosures during 1H07 Supports the observation that security vulnerability researchers may be focusing more on applications than in the past 100% 80% 60% 40% 20% 0% OS versus Non-OS Vulnerabilities OS Vulns Non-OS Vulns

12

13 Trends Vulnerabilities Vulnerabilities where Exploit Code was available While the number of vulnerability disclosures continues to increase across the software industry, the ratio of exploit code available for these vulnerabilities in Microsoft products remains steady and is even on a slight decline

14 New products Exploit code for newer Microsoft products is harder to find 2006: 29% of Microsoft vulnerabilities had public exploit code 2007: 21% of Microsoft vulnerabilities had public exploit code Newer Microsoft products are less at risk to public exploit code than Microsoft products in the market longer Later versions of Microsoft Windows and Microsoft Office show a distinct decrease in number of exploitable vulnerabilities throughout product lifetime Product Windows Microsoft Office Version Exploits 2006 Exploits ME 0 0 NT XP Vista XP X-Mac Mac

15 Strategies, mitigations, and countermeasures Prioritize which vulnerabilities require faster mitigation by checking for availability of exploit code In a product-by-product comparison, new products are at less risk to publicly available exploit code than products that have a longer time in market Participate in IT security communities Example: Microsoft Security Bulletin Webcasts

16

17 Instant Messaging threats Backdoor Trojans were an increased threat to IM users in 1H07 The large increase from 2H06 to 1H07 was due almost exclusively to a single family Win32/IRCbot 81% of all the backdoor Trojan detections in Windows Live Messenger in 1H07 60% 50% 40% 30% 20% 10% 0% 1H06 2H06 1H07

18 Borne Malware Phishing scams and containing malicious iframe attacks accounted for 37% of malware detections in 1H07 Trojan downloaders carried in dropped from 20% in 2H06 to 7% in 1H07 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 37% 7% 7% 49% worms 1H06 2H06 1H07 Phishing and fraud Downloader Trojans Greeting card scams

19 Borne Malware The Sober worm represented 40% of the top 20 malware in 1H07 (85% in 1H06) Win32/Nuwar worm (a.k.a. Storm worm ) comprised 11% of the top 20 threats detected in during 1H07 with Win32/Bagle and Win32/Netsky closely following 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 1H06 2H06 1H07 Win32/Nuwar Win32/Sober Win32/Stration Win32/Netsky Win32/Bagle

20 Borne Malware The decrease in volume of infected correlates to an equally significant increase in the number of s filtered out prior to their reaching the virus scanners The percentage drop in June corresponds to a 155% increase in the number of s blocked for spam, content, and other policy violations EHS blocked 96 percent of all , and the percentage of scanned for malware dropped to only 4 percent 8.00% 3.00% 6.00% 4.00% 2.00% 0.00% 1H06 2H06 1H % 2.00% 1.50% 1.00% 0.50% 0.00% Jan-07 Feb-07 Mar-07 Apr-07 May-07 Jun-07

21 Borne Malware Seeded Trojan downloaders disguised as greeting cards dropped only slightly, to just over 4.8 million in 1H07 Phishing scams increased from 12.4 million in 2H06 to 31.6 million in 1H07 iframe exploits in HTML-enabled continued to decline From 3.2 million in 2H06 to 1.9 million in 2H07 35,000,000 30,000,000 25,000,000 20,000,000 15,000,000 10,000,000 5,000, H06 2H06 1H07 Downloader/Greeting Card Scams IFrame Exploits Fraud/Phishing

22 Infection and Disinfection Trends Adware and potentially unwanted software detections outpaced detections for viruses, worms, Trojans, and malware threats Password stealing (PWS) and data-theft Trojans increased slightly: 2.6% in 1H07 vs. 1.4% in 2H06 Downloader and dropper Trojan infection rates declined slightly from 12% in 2H06 to 11.5% in 1H07 This slight decrease may be due to a trend in downloaders and droppers to delete themselves after executing initial tasks 25.00% 20.00% 15.00% 10.00% 5.00% 0.00% 1H06 2H06 1H07

23 Advantages of real-time protection Detection rates highlight importance of scanners in mitigating risk of exposure and illustrate the role that real-time scanning plays in protecting users Windows Live OneCare encounters significantly higher detections, likely as a result of real-time protection 25.00% 20.00% 15.00% 10.00% 5.00% 0.00% Safety Scanner OneCare

24 Infection and disinfection trends Windows Live OneCare detections are highest for adware and potentially unwanted software, downloaders/droppers and Trojans 1H07 Windows Live OneCare % Detections Trojans 21% Viruses 1% Worms 5% Adware 24% Spyware 3% Backdoors 4% PWS/Data Theft 4% Pontentially Unwanted Software 20% Downloaders and Droppers 18%

25 Disinfections / Computers Disinfections and cleans Beginning in 2H05, MSRT began measuring number of unique computers cleaned Since then MSRT has removed 50.3 million infections from 20.5 million computers worldwide MSRT removed significantly more malware in 1H07 than in previous periods Removed malware from 1 out of every 217 computers in 1H07 (1:409 in 2006, 1:359 in 2H05) Reasons for sharp increase MSRT detection improvements Addition of highly prevalent families such as Win32/Renos, Win32/Stration, Win32/Alureon 20,000,000 18,000,000 16,000,000 14,000,000 12,000,000 10,000,000 8,000,000 6,000,000 4,000,000 2,000,000 0 Time Period Disinfections Computers Cleaned

26 Prevalence by category Figure below illustrates categories of malicious software removed by MSRT from infected computers Note that these percentages correspond to infected computers, not to all computers scanned In 1H07 the MSRT recorded a tremendous increase in the number of Trojan downloaders and droppers detected, with 5.9 million detections, up from 960,000 in the previous period This increase was almost entirely due to improvements for detection of Win32/Zlob, as well as the addition of Win32/Renos 6,000,000 5,000,000 4,000,000 3,000,000 2,000,000 1,000,000 0 Disinfections (2H05) Disinfections (1H06) Disinfections (2H06) Disinfections (1H07)

27 Prevalence by operating system The MSRT cleaned malware from 60 percent less Windows Vista computers than Windows XP SP2 computers (normalized) The MSRT cleaned malware from 91.5 percent less Windows Vista computers than from computers running Windows XP without any service pack installed H107 H107 (Normalized) Win2k3 SP2 0.1% Win Vista 1.1% Win2k SP3 0.1% Win2k SP4 3.0% Win2k3 SP1 0.4% Win2k3 Gold 0.1% WinXP Gold 3.3% WinXP SP1 4.3% Win2k3 SP1 3.4% Win2k3 Gold 5.8% Win2k3 SP2 7.3% Win Vista 2.8% Win2k SP3 13.2% Win2k SP4 6.6% WinXP SP2 7.0% WinXP SP2 87.7% WinXP SP1 20.9% WinXP Gold 32.9%

28 Top infected: Prevalence by locale The MSRT executes in almost any country/region around the world The table shows the countries/regions with the highest and lowest ratios of executions/infected computers based on MSRT data The world wide average for 1H07 was 1 computer cleaned for every 217 MSRT executions Most Infected Countries Least Infected Countries Country Normalized Disinfections - executions/removal (H107) Country Normalized Disinfections - executions/removal (H107) Mongolia 49 Albania 57 Bahrain 63 Dominican Republic 69 Turkey 70 Egypt 79 Iraq 80 Japan 631 New Zealand 491 Finland 455 Italy 446 Australia 436 Austria 433 Sweden 362

29 Prevalence by locale The figures show the infection rates determined by the MSRT from locales in Asia Pacific and Middle East Africa Malaysia 4.3% Singapore 4.9% Hong Kong SAR 5.9% Australia 2.8% Taiwan 3.5% New Zealand 2.5% 1H07 (Normalized) Asia Pacific Japan 1.9% Mongolia 25.0% Libya 4.6% Tunisia 3.9% Yemen 4.1% Kuwait 3.6% Israel 3.8% South Syria Africa 3.5% 2.0% Bahrain 8.7% 1H07 (Normalized) Middle East - Africa Egypt 7.0% Iraq 6.9% Morocco 6.7% Korea 5.9% China 6.3% India 6.4% Indonesia 6.8% Vietnam 7.5% Thailand 8.2% Macau SAR 8.1% Iran 4.9% Oman 5.0% Qatar 5.2% United Arab Emirates 5.2% Lebanon 5.9% Algeria 6.2% Jordan 6.2% Saudi Arabia 6.7%

30 Most active malware categories Trojans represented the largest number of variants that were collected during 1H07 Trojan downloaders and droppers had the second-highest number of variants for samples collected in 1H07 160, , , ,000 80,000 60,000 40,000 20,000 0

31

32 Windows Defender The standalone version of Windows Defender was released on October 23, 2006 This version of Windows Defender runs on Windows XP SP2 and Microsoft Windows Server 2003 Windows Defender is also a default component of the Windows Vista operating system

33 Windows Defender 1. Windows Defender assigns each potentially unwanted software program an alert rating Low Medium High Severe 2. Each software program has also been assigned a default recommended action from the following list of possible actions: Ignore: Users should ignore the alert for the current session Ignore Always: Users should ignore the alert from now on, even if software seen again Prompt: Users must make a decision about what to do with the software Quarantine: Removes software in such a way that it can be restored at a later point Remove: Removes software from system Software rated with alert level of High or Severe is automatically removed during scheduled scans

34 Windows Defender prevalence by category In 1H million pieces of potentially unwanted software were detected by Windows Defender Rogue security software was the largest factor in a dramatic increase in the Potentially Unwanted Software category Increases in the Trojan, downloader, and exploit categories may be indicative of greater criminal intent and an increasing botnet population Rank Category Total 1H07 Total 2H06 % Change 1 Adware 16,673,939 16,709, % 2 Potentially Unwanted Software 6,877,582 2,561, % 3 Trojan Downloader 6,554,225 2,737, % 4 Remote Control Software 3,160,543 2,755, % 5 Browser Modifier 3,117,687 1,359, % 6 Spyware 3,002,795 3,496, % 7 Trojan 2,946,479 1,352, % 8 Sofware Bundler 2,695,015 3,740, % 9 Exploit 1,072, , % 10 Setting Modifier 930,291 1,130, %

35 Windows Defender prevalence by OS Windows Defender detected 2.8 times less potentially unwanted software on computers running Windows Vista than on computers running Windows XP SP2 (normalized) The number of detections of potentially unwanted software on computers running Windows Vista was half of the number of detections of potentially unwanted software on computers running Windows Server 2003, after normalization Variation By Operating System 48% 34% Windows 2003 Windows Vista Windows XP SP2 18%

36 Geographical Differences Removals in the top 25 removal regions represent 94.9% of all removals worldwide (89% in 1H06) Region 2H06 1H07 % Change United States 21,958,236 28,125,649 28% United Kingdom 3,521,976 4,194,037 19% France 742,464 2,151, % China 527,055 2,134, % Canada 1,424,370 1,649,734 16% Netherlands 1,149,623 1,224,051 6% Australia 860,404 1,049,231 22% Germany 568, ,950 60% Japan 256, , % Italy 422, ,741 97%

37 Geographical differences Unites States United Kingdom France Canada Netherlands Australia TrojanDownloader: Win32/Zlob Program: Win32/Winfixer Adware: Win32/Claria.GAIN Settings Modifier: Win32/PossibleHostsFileHijack Program: Win32/Starware Adware: Win32/NewDotNet RemoteAccess: Win32/Rserver TrojanDownloader: Win32/Renos Adware: Win32/ZangoSearchAssistant Spyware: Win32/CnsMin SofwareBundler: Win32/BearShare Exploit: Win32/Anicmoo.A Adware: Win32/WhenU.SaveNow Trojan: Win32/Anomaly.gen SofwareBundler: Win32/NetPumper Program: Win32/SearchTool RemoteAccess: Win32/RealVNC Adware: Win32/Hotbar Adware: Win32/SurfAccuracy RemoteAccess: Win32/GhostRadmin Program: Win32/Optmedia Dialer: Win32/Riprova BrowserModifier: Win32/Matcash SoftwareBundler: Win32/KaZaA Program: Win32/Tclock All Others

38 Geographical Differences Germany Japan Turkey Italy Belgium TrojanDownloader: Win32/Zlob Program: Win32/Winfixer Adware: Win32/Claria.GAIN Settings Modifier: Win32/PossibleHostsFileHijack Program: Win32/Starware Adware: Win32/NewDotNet RemoteAccess: Win32/Rserver TrojanDownloader: Win32/Renos Adware: Win32/ZangoSearchAssistant Spyware: Win32/CnsMin SofwareBundler: Win32/BearShare Exploit: Win32/Anicmoo.A Adware: Win32/WhenU.SaveNow Trojan: Win32/Anomaly.gen SofwareBundler: Win32/NetPumper Program: Win32/SearchTool RemoteAccess: Win32/RealVNC Adware: Win32/Hotbar Adware: Win32/SurfAccuracy RemoteAccess: Win32/GhostRadmin Program: Win32/Optmedia Dialer: Win32/Riprova BrowserModifier: Win32/Matcash SoftwareBundler: Win32/KaZaA Program: Win32/Tclock All Others

39 Geographical Differences Detections in China rose 305% from 2H06, with 2.1 million in 1H07 BrowserModifier: Win/CNNIC ChineseKeywords BrowserModifier: Win/YokSearch BrowserModifier: Win/Baldu.Sobar BrowserModifier: Win/My123 BrowserModifier: Win/Kugoo Spyware: Win32/CnsMin BrowserModifier: Win/SuperUtilBar Program: Win32/PigSearch program: Win32/Sogou BrowserModifier: Win/BDPlugin

40

41 Home USB Drive Independent Consultant Mobile Devices The flow of information has no boundaries Information is shared, stored and accessed outside the control of its owner Host and network security controls not adequate to solve this problem Partner Organization

42 Regulatory Compliance Strict regulations Implications on availability People Awareness Competency Social/Culture Joint venture IT Outsourcing Branch & distributed network Mobility Information Access & Protection

43 Scenarios Testing/Drills CERTs & Industry Partnership Focus on Responsiveness Be prepared for the next incident Awareness Training Education Focus on the People Building Competency Focus on the Systems Mitigation and enablement Patch & vulnerabilities management Information security management Legal and policy foundations

44 Integrated, coordinated protection technologies across clients, server applications, and the network edge, with dynamic responses to emerging threats, including antimalware, anti-spyware, and network access protection. Comprehensive Protection Unified Management Single management console with unified security policies to protect and manage security across the entire infrastructure. Ease of deployment of configurations and updates, and collection of audit events. Critical Visibility Critical visibility into overall security state, including insights into threats and vulnerabilities. Integrated and summary reporting. What you see is what you act (WYSWYA) 45

45 Integrated security eases defense in depth architecture deployment Adoption of open standards allows cross platform integration Management System Data User Application Device Internal Network Perimeter System Center, Active Directory GPO BitLocker, EFS, RMS, SharePoint, SQL Active Directory and Identity Lifecycle Mgr SDL process, IIS, Visual Studio, and.net Forefront Client Security, Exchange MSFP Network Access Protection, IPSec Forefront Edge and Server Security, NAP

46 Services IPSec VPN Network Access Protection (NAP) Edge Server Content Client Identity Management Systems Management Guidance

47 Previously published Microsoft Security Intelligence Reports Microsoft Malware Protection Center Portal Understanding Anti-Malware Research and Response at Microsoft a fd14ef2/understanding%20malware%20research%20and%20respo nse%20at%20microsoft.pdf Anti-malware product Information for IT Professionals Windows Malicious Software Removal Tool Windows Defender

48 Windows Live OneCare Windows Live OneCare safety scanner Microsoft Exchange Hosted Services Microsoft Forefront Client Security Microsoft Forefront Security for Exchange Server Microsoft Online Safety Technologies (antispam and antiphishing) Sender ID Framework

49 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.