Microsoft Security Intelligence Report Special Edition 10 Year Review
8/2/2019 Microsoft Security Intelligence Report Special Edition 10 Year Review
http://slidepdf.com/reader/full/microsoft-security-intelligence-report-special-edition-10-year-review 1/48
The evolution of malware and the threat landscape – a 10-year review
Microsoft Security Intelligence Report: Special Edition
February, 2012
MICROSOFT SECURITY INTELLIGENCE REPORT: SPECIAL EDITION
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it.
Copyright © 2012 Microsoft Corporation. All rights reserved.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Authors and contributors
BILL BARLOWE – Microsoft Security Response Center
JOE BLACKBIRD – Microsoft Malware Protection Center
WEIJUAN SHI DAVIS – Windows Product Management Consumer
JOE FAULHABER – Microsoft Malware Protection Center
HEATHER GOUDEY – Microsoft Malware Protection Center
PAUL HENRY – Wadeware LLC
JEFF JONES – Microsoft Trustworthy Computing
JIMMY KUO – Microsoft Malware Protection Center
MARC LAURICELLA – Microsoft Trustworthy Computing
KEN MALCOMSON – Microsoft Trustworthy Computing
NAM NG – Microsoft Trustworthy Computing
HILDA LARINA RAGRAGIO – Microsoft Malware Protection Center
TIM RAINS – Microsoft Trustworthy Computing
ELIZABETH SCOTT – Microsoft Security Response Center
JASMINE SESSO – Microsoft Malware Protection Center
JOANNA SHARPE – Microsoft Trustworthy Computing
FRANK SIMORJAY – Microsoft Trustworthy Computing
HOLLY STEWART – Microsoft Malware Protection Center
STEVE WACKER – Wadeware LLC
In memory of TAREQ SAADE
Contents
Foreword
  Scope
  Reporting period
  Conventions
Introduction
Personal computing in 2002 and today
  PCs
  Mobile computing
  Online services (precursor to the cloud)
The origins of malware
Microsoft Trustworthy Computing
  2002-2003
  2004
  The criminalization of malware
  2005
Vulnerabilities
  A decade of maturation
  Industry-wide vulnerability disclosures
  Vulnerability severity
  Hardware and software disclosures
  Operating system vulnerability disclosures
  Application vulnerability disclosures
Exploit trends and security bulletins
The state of malware today
Malware and potentially unwanted software trends
  How threats have evolved over time
  Different threats at different times
Threat categories by location
  2011 security intelligence
  Lessons from least infected countries/regions
Windows Update and Microsoft Update
In conclusion
Appendix A: Computer protection technologies and mitigations
Appendix B: Threat families referenced in this report
Foreword
Scope
The Microsoft Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, and malicious and potentially unwanted software. Past reports and related resources are available for download at www.microsoft.com/sir. We hope that readers find the data, insights, and guidance in this special edition of the SIR useful in helping them protect their organizations, software, and users.
Reporting period
This special edition of the SIR provides summarized information from the last 10 years. Where possible, this report includes trend data for the full 10-year period; when data for the full 10-year period is not available, trend data for shorter periods is provided. Generally, because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis, as in recent volumes of the SIR.
Throughout the report, half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats, respectively, where yy indicates the calendar year and n indicates the half or quarter. For example, 1H11 represents the first half of 2011 (January 1 through June 30), and 2Q11 represents the second quarter of 2011 (April 1 through June 30). To avoid confusion, please note the reporting period or periods being referenced when considering the statistics in this report.
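The nHyy/nQyy notation above, as an added example that is not part of the report: a small Python parser that maps a period code to its calendar date range and, in the other direction, buckets dated disclosures into the half-yearly (or quarterly) periods the report uses. It assumes two-digit years mean 20yy, and the disclosure dates it processes are constructed samples.

```python
"""Parser and bucketer for the SIR reporting-period notation (nHyy / nQyy).

Added example, not code from the report. Assumption: two-digit years are 20yy,
which holds for every period the report cites (2002 through 2012).
"""
import calendar
import re
from datetime import date

# n = half (1-2) or quarter (1-4), kind = H or Q, yy = two-digit year
_PERIOD_RE = re.compile(r"^([1-4])([HQ])(\d{2})$")
_MONTHS_PER = {"H": 6, "Q": 3}


def parse_period(code: str) -> tuple[date, date]:
    """Return (first_day, last_day) for a code like '1H11' or '2Q11'.

    Raises ValueError for malformed codes and for impossible halves ('3H11').
    """
    m = _PERIOD_RE.match(code.strip().upper())
    if not m:
        raise ValueError(f"not an nHyy/nQyy period code: {code!r}")
    n, kind, yy = int(m.group(1)), m.group(2), int(m.group(3))
    months = _MONTHS_PER[kind]
    if n > 12 // months:
        raise ValueError(f"period number {n} out of range for {kind}: {code!r}")
    year = 2000 + yy  # assumption: 20yy (the report covers 2002-2012)
    first_month = (n - 1) * months + 1
    last_month = first_month + months - 1
    last_day = calendar.monthrange(year, last_month)[1]
    return date(year, first_month, 1), date(year, last_month, last_day)


def is_valid_period(code: str) -> bool:
    """True if parse_period would accept the code."""
    try:
        parse_period(code)
        return True
    except ValueError:
        return False


def period_of(d: date, half_yearly: bool = True) -> str:
    """Inverse of parse_period: the nHyy (default) or nQyy code containing d."""
    if half_yearly:
        n = 1 if d.month <= 6 else 2
        return f"{n}H{d.year % 100:02d}"
    n = (d.month - 1) // 3 + 1
    return f"{n}Q{d.year % 100:02d}"


def count_by_period(dates, half_yearly: bool = True) -> dict[str, int]:
    """Count disclosures per period, ordered chronologically by period start."""
    counts: dict[str, int] = {}
    for d in dates:
        code = period_of(d, half_yearly)
        counts[code] = counts.get(code, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: parse_period(kv[0])[0]))


# Constructed sample: publication dates of a handful of hypothetical CVE entries.
SAMPLE_DISCLOSURES = [
    date(2010, 11, 30),
    date(2011, 1, 10),
    date(2011, 3, 22),
    date(2011, 8, 1),
]

if __name__ == "__main__":
    for code in ("1H11", "2Q11"):
        start, end = parse_period(code)
        print(f"{code}: {start} through {end}")
    print(count_by_period(SAMPLE_DISCLOSURES))
    print(count_by_period(SAMPLE_DISCLOSURES, half_yearly=False))
```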
Conventions
This report uses the Microsoft Malware Protection Center (MMPC) naming standard for families and variants of malware and potentially unwanted software. For information about this standard, see the Microsoft Malware Protection Center Naming Standards page on the MMPC website.
Introduction
As the Internet has extended its reach over the last 10 years, malware (malicious software) has evolved and become more complex. Early forms of malware sought to generate high-profile nuisance attacks, but today its aims are increasingly pernicious, focusing on theft and other illicit activities. Malware has become much more of a concern for organizations; Internet connectivity was still the exception to the rule for many organizations before 2002, but it quickly became the norm as the first decade of the 21st century unfolded.
Today, in addition to individual computers and the networks of organizations both large and small, Internet connectivity also extends to devices such as gaming consoles and smartphones. And as computing paradigms shift, protecting organizations, governments, and citizens from malware has become even more of a challenge.
Microsoft Trustworthy Computing, established in 2002, publishes the Microsoft Security Intelligence Report (SIR) to help keep customers and other interested parties informed about the changing threat landscape. The SIR provides comprehensive threat intelligence from around the world.
Personal computing in 2002 and today
Even as malware and other significant challenges emerged, computer users continued to enjoy the benefits of technological innovation over the last 10 years. This section paints a basic “then and now” portrait of the state of computing in 2002 and today in 2012 in three areas: PCs, mobile computing, and online services, the precursor to the cloud.
PCs
By 2002, PC CPUs used a single-core architecture and had just surpassed 2.0 GHz in processing speed. Windows XP, which was released in late 2001, required 64 MB of RAM but 128 MB was recommended; 512 MB was a fairly common configuration. Hard disk drives ranged to 120 GB in size, and LCD monitors were becoming increasingly popular. USB connectivity for peripheral devices was widespread, but the much faster USB 2.0 specification had only recently been ratified and was therefore not yet available.
At the outset of 2012, multi-core CPUs are common and speeds have surpassed the 4.0 GHz mark, several times faster than systems available in 2002. Windows 7, released in 2009, requires 1 GB of RAM but 2 GB is recommended. Typical hard disk drives range from 600 GB, a five-fold increase from 2002, to 1 TB or more in size. It’s possible to obtain a 23-inch monitor for less than $200 USD in the United States, and monitors built with LED technology (an improvement over the older LCD technology) are widely available. USB 3.0 is the emerging connectivity technology, but USB 2.0 is still the most widely used standard.
Mobile computing
In 2002, the fastest laptop CPUs had barely broken the 1.0 GHz mark. 512 MB of RAM was a common configuration, along with a 20 GB to 30 GB hard disk drive. Combination DVD/CD-RW drives were still a rarity and CD-ROM drives were still the norm. Sound quality and high-definition (HD) displays were still on users’ wish lists, and smartphones did not emerge until 2005.
In 2012, laptop PC CPUs are three times as fast as those available in 2002; 3.0+ GHz clock speeds are widely available. Generally, 2 GB to 4 GB of RAM is available—4 to 8 times the amount in 2002—but high-end laptops offer as much as 8 GB. Typical hard disk drives range from 500 GB to 600 GB, some 25 times greater than laptop drives available in 2002, and new solid-state hard disk drives are significantly faster. HD displays with built-in webcams and facial recognition technology (in lieu of passwords) are a reality. DVD/RW drives are standard, and many support the high-resolution Blu-ray Disc technology for video playback. However, such accessories are being sacrificed in some models to create very thin and lightweight laptops. High-quality audio options are also increasingly common.
Ethernet data transmission speed standards have continued to evolve. Gigabit Ethernet—which supports a data transmission rate of 1,000 megabits per second (Mbps)—became widely available during the decade, and 10 Gigabit Ethernet became certified as a standard by the Institute of Electrical and Electronics Engineers (IEEE). However, these standards apply to copper wire, cable (coaxial wire), and fiber optic connections. The widespread proliferation of wireless network connectivity, which accommodates the growing number of mobile devices that are available today, also occurred during the 2002–2012 time period. In 2012, both desktop and laptop computers typically offer wired and wireless connectivity options.
Online services (precursor to the cloud)
From a consumer’s perspective, a number of online payment services were available by 2002. These services facilitated the growth of Internet commerce (e-commerce) sites such as Amazon.com and eBay, both of which had been open for business since 1995. E-commerce exploded in popularity between 2002 and 2012.
A significant phenomenon occurred during the decade that had a considerable effect on popular culture and the entertainment industry. As music and video became available as digitized computer files, they also became shareable over the Internet. Napster, perhaps the most well-known file-sharing service, emerged in 1999 and ceased trading in July 2001. However, other file-sharing models also emerged and became popular.
The growth of the Internet and the emerging availability of broadband connectivity also resulted in online services such as Rhapsody, the first streaming on-demand music subscription service for a monthly fee, which was launched in December 2001.
Although the concept of cloud computing had existed for some time, the first cloud computing services became commercially available in 2002. Since that time, more flexible options have emerged that make cloud computing more attractive and feasible for large and small organizations alike, as well as for individuals. Cloud computing architectures currently include infrastructure as a service (IaaS), which provides components such as networking and storage; platform as a service (PaaS), which provides a platform such as a database or a web server for running applications; and software as a service (SaaS), which provides a software application or solution as a finished or complete service.
In 2012 there is little disagreement about the likelihood of cloud computing as the next significant computing paradigm. The technology is gaining acceptance from many organizations and cloud computing models continue to evolve.
The origins of malware
Malware became known to many computer users through widespread infections caused by Melissa (in 1999) and LoveLetter (in 2000). Both were email-based, and LoveLetter spread via an infected email attachment. When the attachment was opened, the malware overwrote a variety of different types of files on the user’s PC and emailed itself to others in the user’s email address book.
LoveLetter quickly became the most costly incident of its kind to that point in time. Despite the damage that Melissa and LoveLetter caused, it could be argued that they had three positive effects: they caused computer malware to come under increasing scrutiny; they increased social awareness about computer malware (through peer pressure from many upset message recipients); and they underscored the importance of backups (because LoveLetter overwrote files, which were lost if backups were not available).
A more devious and direct malware threat emerged into prominence in 2001: malware that could spread without any human interaction. One such form of malware was a worm, known as Code Red, which was released on the Internet in July of 2001 and which targeted servers running Microsoft Internet Information Services (IIS). Although worms had been detected since at least 1988, Code Red was considered by Microsoft Malware Protection Center (MMPC) researchers to be a perfect example of a worm because there was no file component. Code Red needed to be detected in transit or in the memory of an infected computer; at the time, traditional desktop antimalware products that looked for file-based malware could not detect it.
Code Red spread via TCP port 80, the same channel that is commonly used for Internet web queries, so web servers needed to be secured against such attacks. However, other computers require access to port 80 for web browser functionality. Code Red may not have caused as much damage as LoveLetter, although this is difficult to ascertain because some computers infected with Code Red were subsequently infected with Win32/Nimda, which also spread via TCP port 80.
Win32/Nimda was what some call a malware cocktail, or a blended threat—the start of a trend in malware development that continues to this day. It used at least five different attack vectors, including making use of backdoors left by previous malware. Because it followed so closely on the heels of such malware, not much time was available for it to be developed. Therefore, it was widely believed that Win32/Nimda was developed by a team of people, not just a solitary malware coder.
Regardless of who created it, Win32/Nimda demonstrated that if networked computers are left unprotected they can be commandeered and used against their owners in a matter of hours, perhaps even minutes. Hundreds of thousands of computers were overcome by Win32/Nimda, many of which operated well-known websites and mail servers for medium to large companies. In total, more than 50,000 important Internet sites were infected. And more than one person noted that Win32/Nimda was released on Sept. 18, just one week after the terrorist attacks of Sept. 11, 2001, a fact that made many security experts uneasy.
In addition, 2001 saw the emergence of malware from email messages that appeared to be innocuous. Such malware emerged from messages that had no code or files attached—they used URLs instead. These messages would use social engineering tactics to entice users to click the URLs, which would then connect users to websites that were programmed with exploits designed to perform undesirable actions on the users’ PCs.
2001 also saw the emergence of Win32/Sircam, the first widespread malware that exfiltrated information from computers, although it is not known whether this was the intent of the malware. However, the Ukrainian President’s private itinerary was unexpectedly published publicly as a result of a Win32/Sircam infection.
Microsoft Trustworthy Computing
On January 15, 2002, the chairman of the board of directors at Microsoft, Bill Gates, sent a memo to all full-time employees of Microsoft and its subsidiaries. This memo proposed a fundamental shift in the company’s approach to a central component of its business, a concept called Trustworthy Computing (TwC).
TwC is Microsoft’s commitment to provide more secure, private, and reliable computing experiences based on sound business practices. Most of the intelligence that TwC publishes in the SIR comes from three security centers—the Microsoft Malware Protection Center (MMPC), the Microsoft Security Response Center (MSRC), and the Microsoft Security Engineering Center (MSEC)—which deliver in-depth threat intelligence, threat response, and security science. Additional information comes from product groups across Microsoft and from Microsoft IT (MSIT), the group that manages global IT services for Microsoft. The SIR is designed to give Microsoft customers, partners, and the software industry a well-rounded understanding of the threat landscape to help them to protect themselves and their assets from criminal activity.
The following figure shows significant actions and milestones during the first five years of TwC’s existence, as well as some significant malware-related events.
Figure 1. Significant events and milestones in the threat landscape from 2002 thru 2006
2002-2003
The era of mass mailing malware that began with Melissa and LoveLetter extended to the 2002-2003 timeframe and caused significant increases in the volume of spam; much of this malware used macros and Microsoft Visual Basic scripting functionality. Most of this malware was defeated by security features in the Microsoft Office XP version of Microsoft Excel and the Office 2003 version of Microsoft Word, when these programs adopted XML formats for their data files.
In 2003 Microsoft started its regular monthly process for issuing security updates, which continues today. Microsoft began this program to provide timely updates to customers on a regularly scheduled basis. Some updates are security related, but not all. Security updates are provided on the second Tuesday of each month, and optional updates as well as non-security updates are provided on the fourth Tuesday of each month.
2004
Microsoft released Windows XP Service Pack 2 (SP2) in 2004, which contained extensive security updates and improvements. SP2 was the result of considerable effort by Microsoft developers and security experts. It was perhaps the clearest indication from Microsoft to that point in time of how seriously the company was concerned about the growing problem of malware through the global connectivity of the Internet. SP2 was a significant accomplishment and a milestone in the journey that Microsoft and the rest of the industry is on to protect technology users from criminals.
2004 was also the year that the first significant for-profit malware emerged. The mass-mailing worm family Win32/Mydoom created one of the earliest examples of a botnet—a set of computers that are secretly and illicitly controlled by an attacker, who orders them to perform activities such as sending spam, hosting pages used in phishing attacks, stealing passwords or sensitive information, and distributing other malware.
The criminalization of malware
Many of the early forms of malware were disruptive and costly in terms of cleanup costs and lost productivity, but most were created as pranks or as a means of raising the creators’ status in the online hacker community. With the emergence of Win32/Mydoom in 2004, it became apparent that malware creators had seized on the opportunities malware provided for theft, blackmail, and other for-profit criminal activities.
2005
In 2005 the Win32/Zotob worm was released. Win32/Zotob was not as widespread as originally anticipated. It sought to reduce the security settings in Windows Internet Explorer and impede its pop-up blocking functionality to display ads for websites that would pay hackers for hits—another example of malware for profit.
Late in 2005 the Win32/Zlob trojan began spreading. It displayed pop-up ads that warned users about spyware and encouraged them to purchase fake antispyware, which actually redirected users to other sites and caused other problems. Win32/Zlob was yet another indicator that the days of malware pranksters were yielding to criminals motivated by potential profits. (For more information about Win32/Zlob, see the “How threats have evolved over time” section later in this paper.)
Prior to 2005, Microsoft released security updates to address specific forms of malware. For example, Microsoft Security Bulletin MS02-039, which addressed the malware known as Slammer, was made available in July of 2002. In January 2005, Microsoft released the first version of the Malicious Software Removal Tool (MSRT), which removes specific prevalent malicious software from computers running recent versions of Windows. Microsoft makes a new version of the MSRT available every month for automatic download to users’ computers via Windows Update/Microsoft Update, after which it runs one time to check for and remove malware infections.
The consistent and automatic availability of the MSRT helps maintain a cleaner computing ecosystem. For example, in the first half of 2011 the MSRT ran on an average of more than 600 million individual computers around the world each month. However, the MSRT does not replace a preventive antimalware product; it is strictly a post-infection removal tool. Microsoft strongly recommends use of an up-to-date preventive antimalware product.
As technically sophisticated and organized criminals started leveraging technology to take advantage of technology users, the MMPC was established in 2005 with a twofold mission: to help protect Microsoft customers from emerging and existing threats, and to provide world-class antimalware research and response capabilities to support Microsoft security products and services.
More recently, Microsoft established the Microsoft Digital Crimes Unit (DCU), a worldwide team of lawyers, investigators, technical analysts, and other specialists. The mission of the DCU is to make the Internet safer and more secure through strong enforcement, global partnerships, policy, and technology solutions that help defend against fraud and other threats to online safety and also to protect children from technology-facilitated crimes.
The following figure shows some significant milestones during the second five years of TwC’s existence, as well as some significant malware-related events.
Figure 2. Significant events and milestones in the threat landscape from 2007 thru 2011
In addition to creating the MMPC and the DCU, Microsoft has worked to foster deeper industry collaboration and share the lessons learned to help others with their security efforts. One such example is the Industry Consortium for Advancement of Security on the Internet (ICASI), which Microsoft cofounded in June of 2008 with Intel Corporation, IBM, Cisco Systems, and Juniper Networks. Since its founding, Amazon.com and Nokia have also become members.
ICASI fosters collaboration among global companies with the goal of addressing complex security threats and better protecting the critical IT infrastructures that support the world’s organizations, governments, and citizens.
Vulnerabilities
Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data it processes. Some of the worst vulnerabilities allow attackers to exploit a compromised computer, causing it to run arbitrary code without the user’s knowledge.
The past 10 years represent a very interesting timeframe for reviewing vulnerability disclosures and ensuing changes that continue to affect risk management in IT organizations around the world. Before examining the charts and trends, a brief review of the past decade with regard to industry vulnerabilities is in order.
A decade of maturation
In 2002 MITRE[1] presented A Progress Report on the CVE Initiative (PDF), which provided an update on a multi-year effort to create a consistent and common set of vulnerability information—with a particular focus on unique naming—to enable the industry to more easily assess, manage, and fix vulnerabilities and exposures. The CVE effort and data later formed the core of the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data that serves as the primary vulnerability index for industry vulnerabilities referenced in the SIR.
2002 also marked the beginning of a commercial market for vulnerabilities; iDefense started a vulnerability contributor program that paid finders for vulnerability information.
In 2003, the U.S. National Infrastructure Advisory Council (NIAC) commissioned a project “to propose an open and universal vulnerability scoring system to address and solve these shortcomings, with the ultimate goal of promoting a common understanding of vulnerabilities and their impact.” This project resulted in a report recommending the adoption of the Common Vulnerability Scoring System (PDF) (CVSSv1) in late 2004. Vulnerability severity (or scoring) information was a big step forward, because it provided a standard method for rating vulnerabilities across the industry in a vendor-neutral manner.
2007 brought an update to CVSS, with changes that addressed issues identified by the practical application of CVSS since its inception. SIR volume 4, which provided data and analysis for the second half of 2007, included vulnerability trends using both CVSSv1 and CVSSv2, and since then CVSSv2 ratings have been used. As noted at the time, one practical effect of the new ratings formulas was that a much higher percentage of vulnerabilities were rated High or Medium severity.

[1] MITRE is a not-for-profit company that works in the public interest to provide systems engineering, research and development, and information technology support to the U.S. government.
Industry-wide vulnerability disclosures
A disclosure, as the term is used in the SIR, is the revelation of a software vulnerability to the public at large. It does not refer to any type of private disclosure or disclosure to a limited number of people. Disclosures can come from a variety of sources, including the software vendor, security software vendors, independent security researchers, and even malware creators.
Much of the information in this section is compiled from vulnerability disclosure data that is published in the NVD. It represents all disclosures that have a CVE (Common Vulnerabilities and Exposures) number.
The past decade has seen drastic growth in new vulnerability disclosures, which peaked in 2006 and 2007 and then steadily declined over the next four years to just over 4,000 in 2011, which is still a large number of vulnerabilities.
Figure 3. Industry-wide vulnerability disclosures since 2002
Vulnerability disclosure trends:
- Vulnerability disclosures across the industry in 2011 were down 11.8 percent from 2010. This decline continues an overall trend of moderate declines.
- Vulnerability disclosures have declined a total of 37 percent since their peak in 2006.
Vulnerability severity
The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. (See the Vulnerability Severity page on the SIR website for more information.)
Figure 4. Relative severity of vulnerabilities disclosed since 2002
Vulnerability severity trends:
- The overall vulnerability severity trend has been a positive one. Medium and High severity vulnerabilities have steadily decreased since their high points in 2006 and 2007.
- Even as fewer vulnerabilities are being disclosed overall, the number of Low severity vulnerabilities being disclosed has been relatively flat. Low severity vulnerabilities accounted for approximately 8 percent of all vulnerabilities disclosed in 2011.
Hardware and software disclosures
The NVD tracks both hardware and software vulnerabilities. The number of hardware vulnerabilities disclosed each year remains low, as shown in the following figure. The peak number was 198 (3.4 percent) hardware vulnerabilities disclosed in 2009.
Figure 5. Hardware and software vulnerability disclosures since 2002
Software vulnerabilities consist of vulnerabilities that affect operating systems, applications, or both. As in many other industries, one vendor’s product can be another vendor’s component. For example, CVE-2011-1089 affects GNU libc 2.3, which is listed as an application product from GNU. However, libc is also an integrated component in several operating systems and is therefore also an operating system vulnerability. For this reason, it is difficult to draw a distinct line between operating system and application vulnerabilities. In the following figure, vulnerabilities that affect both operating systems and applications are shown in red.
Figure 6. Application and operating system vulnerability disclosures since 2002
In 2010 and 2011, approximately 13 percent of software vulnerabilities affected both application and operating system products.
Operating system vulnerability disclosures
To determine the number of vulnerabilities that affect operating systems (shown in the following figure), vulnerabilities were filtered for affected products that were designated as operating systems in the NVD.
Figure 7. Operating system vulnerability disclosures since 2002
Application vulnerability disclosures
To determine the number of vulnerabilities that affect applications (shown in the following figure), vulnerabilities were filtered for affected products that were designated as applications in the NVD.
Figure 8. Application vulnerability disclosures since 2002
Exploit trends and security bulletins
The Microsoft Security Engineering Center (MSEC) is one of three security centers that help protect customers from malware. The MSEC focuses on foundational ways to develop more secure products and services from the software engineering perspective, through efforts such as the Microsoft Security Development Lifecycle (SDL) and security science.
The Microsoft Security Response Center (MSRC) identifies, monitors, resolves, and responds to Microsoft software security vulnerabilities. The MSRC releases security bulletins each month to address vulnerabilities in Microsoft software. Security bulletins are numbered serially within each calendar year. For example, “MS11-057” refers to the 57th security bulletin released in 2011. Security bulletins are typically released on the second Tuesday of each month, although on rare occasions Microsoft releases an “out-of-band” security update to address an urgent issue. Microsoft released one out-of-band update in 2011.
The following figure shows the number of security bulletins and out-of-band updates issued since 2005, which was when Microsoft released the first version of the Malicious Software Removal Tool (MSRT).
Figure 9. MSRC security bulletins released since 2005
Period   Security bulletins   Out-of-band updates
1H05     33                   0
2H05     22                   0
1H06     32                   1
2H06     46                   1
1H07     35                   1
2H07     34                   0
1H08     36                   0
2H08     42                   2
1H09     27                   0
2H09     47                   1
1H10     41                   2
2H10     65                   1
1H11     52                   0
2H11     48                   1
A single security bulletin often addresses multiple vulnerabilities from the CVE database, each of which is listed in the bulletin, along with any other relevant issues. The following figure shows the number of security bulletins released and the number of individual CVE-identified vulnerabilities that they have addressed in each half-year period since 1H05. (Note that not all vulnerabilities are addressed in the period in which they are initially disclosed.)
Figure 10. Number of MSRC security bulletins and CVE-identified vulnerabilities addressed
In 2011 the MSRC released 100 security bulletins that addressed 236 individual CVE-identified vulnerabilities, decreases of 7% and 6%, respectively, from 2010. As the following figure shows, the average number of CVEs addressed by each security bulletin has increased over time, from 1.5 in 1H05 to 2.4 in 2H11.
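The bulletin numbering, the second-Tuesday release schedule, and the per-period bulletin and CVE counts discussed above can be worked through in code. This is an added Python example, not the report's own tooling: it parses bulletin ids, computes the scheduled Patch Tuesday for a month, flags out-of-band releases, and aggregates bulletins and CVEs per half-year period in the style of Figures 9 through 11. The bulletin list is constructed: MS08-067 and MS11-057 are the ids named in the report and carry their actual release dates (23 October 2008 and 9 August 2011), MS11-056 is assumed to share the August 2011 Patch Tuesday purely for illustration, and the CVE identifiers are placeholders.

```python
import calendar
import re
from collections import defaultdict
from datetime import date

# MSyy-nnn: nnn is the bulletin's serial number within calendar year 20yy.
BULLETIN_RE = re.compile(r"^MS(\d{2})-(\d{3})$")


def parse_bulletin_id(bulletin_id):
    """'MS11-057' -> (2011, 57): the 57th security bulletin released in 2011."""
    m = BULLETIN_RE.match(bulletin_id)
    if not m:
        raise ValueError(f"not a security bulletin id: {bulletin_id!r}")
    yy, serial = m.groups()
    return 2000 + int(yy), int(serial)


def patch_tuesday(year, month):
    """Second Tuesday of the month, the regular bulletin release day."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + days_to_first_tuesday + 7)


def is_out_of_band(release_date):
    """True when a bulletin shipped on a day other than that month's Patch Tuesday."""
    return release_date != patch_tuesday(release_date.year, release_date.month)


def half_year(d):
    """Period label in the report's style: January to June 2005 -> '1H05'."""
    return f"{1 if d.month <= 6 else 2}H{d.year % 100:02d}"


def aggregate(bulletins):
    """Per half-year period: bulletins released, out-of-band releases, CVEs
    addressed, and the average number of CVEs per bulletin."""
    stats = defaultdict(lambda: {"bulletins": 0, "out_of_band": 0, "cves": 0})
    for bulletin_id, release_date, cves in bulletins:
        parse_bulletin_id(bulletin_id)          # reject malformed ids early
        s = stats[half_year(release_date)]
        s["bulletins"] += 1
        s["out_of_band"] += int(is_out_of_band(release_date))
        s["cves"] += len(set(cves))             # each CVE counted once per bulletin
    for s in stats.values():
        s["avg_cves_per_bulletin"] = round(s["cves"] / s["bulletins"], 2)
    return dict(stats)


# Constructed sample: (bulletin id, release date, CVEs addressed).
# MS08-067 (23 Oct 2008) and MS11-057 (9 Aug 2011) carry their actual release
# dates; MS11-056 is assumed to share the August 2011 Patch Tuesday; the
# CVE-PLACEHOLDER-* values stand in for the real CVE lists.
SAMPLE = [
    ("MS08-067", date(2008, 10, 23), ["CVE-PLACEHOLDER-A"]),
    ("MS11-056", date(2011, 8, 9), ["CVE-PLACEHOLDER-B", "CVE-PLACEHOLDER-C"]),
    ("MS11-057", date(2011, 8, 9),
     ["CVE-PLACEHOLDER-D", "CVE-PLACEHOLDER-E", "CVE-PLACEHOLDER-F"]),
]

if __name__ == "__main__":
    for period, s in sorted(aggregate(SAMPLE).items()):
        print(period, s)
```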
Figure 11. Average number of CVEs per MSRC security bulletin
Whenever possible, the MSRC consolidates multiple vulnerabilities that affect a single binary or component to address them in a single security bulletin. This approach maximizes the effectiveness of each update and minimizes the potential disruption that customers face from testing and integrating individual security updates into their computing environments.
The state of malware today
At the end of 2001, approximately 60,000 forms of malware or threats were known to exist. This number was a significant increase from 1996 (about 10,000) and 1991 (about 1,000).
Figure 12. Approximate growth of malware since 1991
Over the last decade, the proliferation of malware has become an online crime story. Today, estimates of the number of known computer threats such as viruses, worms, trojans, exploits, backdoors, password stealers, spyware, and other variations of potentially unwanted software range into the millions.
Ever since criminal malware developers began using client and server polymorphism (the ability for malware to dynamically create different forms of itself to thwart antimalware programs), it has become increasingly difficult to answer the question “How many threat variants are there?” Polymorphism means that there can be as many threat variants as infected computers can produce; that is, the number is only limited by malware’s ability to generate new variations of itself.
It has become less meaningful to count the number of threat variants than it is to detect and eliminate their sources. In 2011, more than 49,000 different unique threat families were reported to the MMPC from customers. Many of these reported families were duplicates, polymorphic versions of key threat families; detecting and eliminating key threat families from infected computers is an ongoing activity.
In 2011 Microsoft added more than 22,000 signatures to detect key threat families. As criminal malware developers create more threats, the size of typical antimalware signature files increases; today antimalware signature files range to more than 100 MB in size. In 2002, typical antimalware signature files were less than 1 MB in size.
The number of files submitted to antimalware organizations has also increased. The following figure shows how the number of files suspected of containing malware or potentially unwanted software that were submitted to the MMPC has grown since 2005, an increase of more than 200 percent. (Suspected malware files can be submitted through the MMPC Submit a sample page.)
Figure 13. Percentage increase in the number of files submitted to the MMPC since 2005
Malware and potentially unwanted software trends
Malware continues to evolve, and the fluctuations in detections of different forms of malware sometimes indicate the successes at given points in time of the software industry’s persistent antimalware efforts versus the efforts of malware developers.
How threats have evolved over time
When viewed from a multi-year perspective, some malware and potentially unwanted software families tend to peak, or become quite prevalent, for short periods of time as antimalware vendors focus their efforts on detecting and removing these threats. These peak periods are followed by periods of decline as attackers change their tactics and move on. The following figure illustrates this phenomenon. (For Figures 14 through 18, the vertical axis represents the percentage of all computers that were infected with malware.)
Figure 14. Malware and potentially unwanted software families that have peaked and declined since 2006
Win32/Rbot was an early botnet family that gained notoriety in 2004 and 2005 after a number of high profile outbreak incidents that affected media and government networks, among others. Rbot is a “kit” family: Rbot variants are built from an open source botnet creation kit called RxBot, which is widely available among malware operators, and many different groups have produced their own variants with different functionality. The MSRT was updated to detect Rbot in April 2005, and detections decreased sharply through 2006, falling below 2 percent of computers with detections by 2H08.
The trojan family Win32/Zlob was found on almost one of every four computers that was infected with malware in 1H08, a level of prevalence that no other family has equaled before or since. Zlob was typically distributed on web pages, posing as a media codec that visitors would have to install to watch video content downloaded or streamed from the Internet. After it is installed on a target computer, Zlob displays persistent pop-up advertisements for rogue security software. A Zlob variant detected at the end of 2008 included an encoded message, apparently written by the Zlob author and intended for MMPC researchers, indicating that the author would be ceasing development and distribution of the trojan:
    For Windows Defender's Team:
    I saw your post in the blog (10-Oct-2008) about my previous message.
    Just want to say 'Hello' from Russia.
    You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.
    I can't sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
    Happy New Year, guys, and good luck!
    P.S. BTW, we are closing soon. Not because of your work. :-))
    So, you will not see some of my great ;) ideas in that family of software.
    Try to search in exploits/shellcodes and rootkits.
    Also, it is funny (probably for you), but Microsoft offered me a job to help improve some of Vista's protection. It's not interesting for me, just a life's irony.
Indeed, detections of Zlob decreased significantly in 2H08, and by 2010 Zlob was no longer among the top 50 most-detected families worldwide.
Win32/Conficker is a worm family discovered in November 2008 that initially spread by exploiting a vulnerability addressed by security update MS08-067, which was released the previous month. Conficker detections peaked in 1H09 and declined to a much lower level thereafter, following coordinated efforts by the Conficker Working Group to contain the spread of the worm and clean infected computers. It has been detected on between 3 percent and 6 percent of infected computers in each 6-month period since then.
JS/Pornpop is adware that consists of specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements. First detected in August 2010, it was the second most commonly detected family in 2H10 and 1H11, and is likely to be the most commonly detected family in 2H11.
Win32/Autorun is a generic detection for worms that attempt to spread between mounted computer volumes by misusing the AutoRun feature in Windows. Detections of Win32/Autorun increased gradually for several periods before peaking in 2H10 as the most commonly detected family during that period.
Microsoft introduced a change to the way that the AutoRun feature works in Windows 7 and Windows Server 2008 R2 in an effort to help protect users from AutoRun threats. In these versions of Windows, the AutoRun task is disabled for all volumes except optical drives such as CD-ROM and DVD-ROM drives, which have historically not been used to transmit AutoRun malware. Subsequently, Microsoft published a set of updates that back-ported this change to Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. These updates have been published as Important updates through the Windows Update and Microsoft Update services since February 2011, which may have helped contribute to the decline in Win32/Autorun detections observed throughout 2011.
Other malware and potentially unwanted software families aren’t as prevalent as the peak families, but exist for longer periods of time. The following figure illustrates the prevalence of some of these more persistent malware families.
Figure 15. Malware families that have remained active at lower levels since 2007
Win32/Renos, assigned to the Trojan Downloaders & Droppers category in previous volumes of the SIR, was one of the four most commonly detected malware families in each six-month period from 1H07 to 2H10, taking the top slot in 2H08 and 1H10, and only dropped out of the top 25 in 2H11. Renos is a trojan downloader that installs rogue security software on infected computers.
Win32/Taterf, assigned to the Worms category in previous volumes of the SIR, was among the five most commonly detected malware families in each period from 2H08 to 2H10, and was the most commonly detected family in 2H09. Taterf is a worm that spreads via mapped drives to steal logon and account details for popular online games. The increasing popularity of massively multiplayer online role-playing games has created a market (usually discouraged by the makers of the games themselves) in virtual “gold” and in-game equipment, which players trade for real-world cash. This in turn has led to a class of threats like Taterf, which steal players’ gaming passwords on behalf of thieves who can then auction the victims’ virtual loot themselves. Taterf is a modified version of a similar threat, Win32/Frethog, which itself has been persistently prevalent over the same period of time.
Win32/Alureon, assigned to the Miscellaneous Trojans category in previous volumes of the SIR, is a family of data-stealing trojans with rootkit characteristics. It was first discovered in early 2007 and has been in or near the top 25 families in each half-year period since then. Alureon variants allow an attacker to intercept incoming and outgoing Internet traffic and gather confidential information such as user names, passwords, and credit card data.
Different threats at different times
Another point that becomes apparent when malware and potentially unwanted software is viewed from a multi-year perspective is that different categories of malware—that is, different types of threats—have been prevalent at different times. The following figure illustrates the relative prevalence of three different categories of malware.
Figure 16. Worms, Backdoors, and Miscellaneous Potentially Unwanted Software categories since 2006
In 2006 and 2007, the malware landscape was dominated by the Worms, Miscellaneous Potentially Unwanted Software, and Backdoors categories. (The term “Miscellaneous Potentially Unwanted Software” refers to programs with potentially unwanted behavior that may affect a user’s privacy, security, or computing experience.) By this time, large-scale outbreaks of worms such as Win32/Msblast and Win32/Sasser, which spread by exploiting vulnerabilities in network services, were mostly in the past. The most likely reason for their decline was the high-profile nature of these outbreaks, which caused antimalware vendors to increase their detection, cleaning, and blocking efforts and ultimately spurred widespread adoption of the security updates that addressed the affected vulnerabilities. Most of the prevalent worms in 2006 were mass-mailers, such as Win32/Wukill and Win32/Bagle, which spread by emailing copies of themselves to addresses discovered on infected computers.
Prevalent backdoors included a pair of related botnet families, Win32/Rbot and Win32/Sdbot. Variants in these families are built from botnet construction kits that are traded in the underground market for malware, and are used to control infected computers over Internet Relay Chat (IRC). Rbot and Sdbot have largely been supplanted by newer botnet families, but remain in active use nonetheless, probably because of the relative ease with which prospective botnet operators can obtain the construction kits.
Prevalent trojan families in 2006 and 2007 included Win32/WinFixer, an early rogue security software family, and the browser toolbar Win32/Starware. Unlike most modern rogue families, which typically pose as antimalware scanners, WinFixer masquerades as a utility that supposedly identifies “privacy violations” in the computer’s registry and file system and offers to “remove” them for a fee. Win32/Starware is a browser toolbar that monitors searches at popular search engines, conducting its own search in tandem and displaying the results in an inline frame within the browser window.
Figure 17. Worms, Trojan Downloaders and Droppers, and Password Stealers and Monitoring Tools categories since 2006
The Trojan Downloaders and Droppers category, which affected less than 9 percent of computers with detections in 1H06, rose rapidly to become one of the most significant threat categories in 2007 and 2008, primarily because of increased detections of Win32/Zlob and Win32/Renos.
After decreasing significantly from its 1H06 peak, the Worms category began to increase again in 2009 after the discovery of Win32/Conficker and reached a second peak in 2Q10 with increased detections of Win32/Taterf and Win32/Rimecud. Rimecud is a family of worms with multiple components that spreads via removable drives and instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected computer.
Malware families in the Password Stealers and Monitoring Tools category, which were responsible for a negligible percentage of detections in 1H06, increased slowly but steadily through 2008 and 2009 before peaking in 2Q10. Game password stealers such as Win32/Frethog were responsible for much of this increase.
Figure 18. Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories since 2006
The Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories were the most commonly detected categories in 2010 and 2011. Adware detections increased significantly in 1H11, including the adware families Win32/OpenCandy and JS/Pornpop. OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of the OpenCandy program send user-specific information without obtaining adequate user consent, and these versions are detected by Microsoft antimalware products. Pornpop is a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users’ web browsers. Initially, JS/Pornpop appeared exclusively on websites that contained adult content; however, it has since been observed to appear on websites that may contain no adult content whatsoever.
The Miscellaneous Potentially Unwanted Software category, which was the most commonly detected category in 2006, declined in prevalence in 2007 and 2008, then increased again to become the second most prevalent category in 2Q11. Significant families in this category in 2Q11 were Win32/Keygen, a generic detection for tools that generate product keys for illegally obtained versions of various software products, and Win32/Zwangi, a program that runs as a service in the background and modifies web browser settings to visit a specific website.
The Miscellaneous Trojans category has consistently affected about a third of computers that were infected with malware in each period since 2H08. A number of rogue security software families fall into this category, such as Win32/FakeSpyPro, the most commonly detected rogue security software family in 2010. Other prevalent families in this category include Win32/Alureon, the data-stealing trojan, and Win32/Hiloti, which interferes with an affected user's browsing habits and downloads and executes arbitrary files.
Threat categories by location
The malware ecosystem has moved away from highly visible threats, such as self-replicating worms, toward less visible threats that rely more on social engineering for distribution and installation. This shift means that the spread and effectiveness of malware have become more dependent on language and cultural factors. Some threats are spread using techniques that target people who speak a particular language or who use services that are local to a particular geographic region. Others target vulnerabilities or operating system configurations and applications that are unequally distributed around the globe. Infection data from several Microsoft security products for some of the more populous locations around the world demonstrates the highly localized nature of malware and potentially unwanted software.
Accordingly, the threat landscape is much more complex than a simple examination of the biggest global threats would suggest.
2011 security intelligence
The following figure shows those countries/regions reporting significantly large numbers of computers cleaned by Microsoft desktop antimalware products since 2009.[2]
[2] For information about how PC locations are determined, see the blog post Determining the Geolocation of Systems Infected with Malware.
Figure 19. Countries/regions with significantly large numbers of computers cleaned since 2009
The following figure shows countries/regions that have historically reported high infection rates as compared to the average infection rate for all countries/regions.
Figure 20. Countries/regions with historically high infection rates as compared to the worldwide average since 2009
The following figure shows countries/regions that have historically reported low infection rates as compared to the average infection rate for all countries/regions.
Figure 21. Countries/regions with historically low infection rates as compared to the worldwide average since 2009
Lessons from least infected countries/regions
Austria, Finland, Germany, and Japan have all enjoyed relatively low malware infection rates over the past several years. However, many of the same global threats that are prevalent in countries/regions with high malware infection rates, such as Brazil, Korea, and Turkey, are also prevalent in countries/regions with low infection rates.
- Adware is among the most prevalent categories of threats found in countries/regions with both high malware infection rates and low malware infection rates; it was observed as the top or second to top category in each. Both JS/Pornpop (detected on more than 6.5 million unique computers globally in the second half of 2010) and Win32/ClickPotato are very prevalent in these countries/regions.
- Win32/Renos was primarily responsible for the levels of trojan downloaders and droppers found in countries/regions with both high malware infection rates and low malware infection rates. Win32/Renos has been a prevalent family of trojan downloaders and droppers for a number of years, and was detected on more than 8 million unique computers around the world in 2010.
- Win32/Autorun, detected on more than 9 million unique computers globally in 2010, and Win32/Conficker, detected on more than 6.5 million unique computers globally in 2010, are in the top ten lists of threats for countries/regions with both high malware infection rates and low malware infection rates, except Finland.
The relatively low malware infection rates in Austria, Finland, Germany, and Japan do not necessarily mean that criminals are not active in these countries/regions. For example:
- More malware hosting sites (per 1,000 hosts) were observed in Germany than in the United States in 2010.
- The percentage of sites hosting drive-by downloads in Finland was almost twice that of the United States in the first half of 2010.
- In Q4 of 2010, the percentage of sites hosting drive-by downloads in Germany was observed to be 3.7 times higher than the number observed in the United States.
- The percentage of sites hosting drive-by downloads in Japan was 12 percent higher than that of the United States during the first half of 2010. Although this percentage went down precipitously in both locations by the fourth quarter of 2010, the percentage of sites hosting drive-by downloads in Japan was 4.7 times higher than that of the United States in Q4.
Security experts in these countries/regions indicate that the following factors contribute to consistently low malware infection rates in their countries/regions:
- Strong public–private partnerships exist that enable proactive and response capabilities.
- Computer emergency response teams (CERTs), Internet service providers (ISPs), and others who actively monitor for threats enable rapid response to emerging threats.
- An IT culture in which system administrators respond rapidly to reports of system infections or abuse is helpful.
- Enforcement policies and active remediation of threats via quarantining infected systems on networks in the country/region are effective.
- Educational campaigns and media attention that help improve the public’s awareness of security issues can pay dividends.
- Low software piracy rates and widespread usage of Windows Update/Microsoft Update have helped keep infection rates relatively low.
This list has striking similarities to the Collective Defense concept outlined in a paper written by Scott Charney, Corporate Vice President of Trustworthy Computing at Microsoft, in 2010. “Collective Defense: Applying Public Health Models to the Internet” (PDF) outlines a model to improve the health of devices connected to the Internet. To accomplish this, governments, the IT industry, and ISPs should ensure the health of consumer devices before granting them unfettered access to the Internet. The approach offered in the paper is to look at addressing online security issues using a model similar to the one society uses to address human illness. The public health model encompasses several interesting concepts that can be applied to Internet security.
The consistently least infected countries/regions in the world appear to be already doing many of the things that the Collective Defense health model proposes. A video that examines the model is available on the Trustworthy Computing website.
Windows Update and Microsoft Update
Microsoft provides several tools and services that enable systems or their users to download and install updates directly from Microsoft or, for business customers, from update servers managed by their system administrators. The update client software (called Automatic Updates in Windows XP and Windows Server 2003, and simply Windows Update in Windows 7, Windows Vista, and Windows Server 2008) connects to an update service for the list of available updates. After the update client determines which updates are applicable to each unique system, it installs the updates or notifies the user that they are available, depending on the way the client is configured and the nature of each update.
For users, Microsoft provides two update services that the update clients can use:
- Windows Update provides updates for Windows components and for device drivers provided by Microsoft and other hardware vendors. Windows Update also distributes signature updates for Microsoft antimalware products and the monthly release of the MSRT. By default, when a user enables automatic updating, the update client connects to the Windows Update service for updates.
- Microsoft Update provides all of the updates offered through Windows Update as well as updates for other Microsoft software, such as the Microsoft Office system, Microsoft SQL Server, and Microsoft Exchange Server. Users can opt in to the service when installing software that is serviced through Microsoft Update or at the Microsoft Update website.
Enterprise customers can also use Windows Server Update Services (WSUS) or the Microsoft System Center 2012 family of management products to provide update services for their managed computers.
Figure 22. Usage of Windows Update and Microsoft Update, 2H06-2H11, indexed to 2H06 total usage
Since its introduction in 2005, usage of Microsoft Update has increased dramatically.
In conclusion
This special edition of the SIR provides information about how malware and other forms of potentially unwanted software have evolved over the last 10 years.
Computing has become part of the fabric of our everyday lives, and the foundations of modern society are becoming more digital every day. Information and communications technology (ICT) has transformed for the better how we live, but society still confronts some long-standing and evolving challenges.
As the number of people, computers, and devices that connect to the Internet continues to increase, cyber threats are becoming more sophisticated in their ability to gather sensitive data, disrupt critical operations, and conduct fraud.
Cyber threats today are often characterized as technically advanced, persistent, well-funded, and motivated by profit or strategic advantage. Security intelligence is a valuable asset to all Internet users, organizations, governments, and consumers alike, who face a myriad of threats that are anything but static. Because we live in a world that is so dependent on IT, Microsoft’s dedication to security, privacy, and reliability might be more important today than it was when Trustworthy Computing was established in 2002.
Many industries and organizations, including Microsoft, are investing in research intelligence, software development methods, and tools to help governments, industry, and individuals better reduce and manage the risks that result from the uncertainty of the rapidly changing threat landscape. Microsoft Trustworthy Computing continues to contribute to the computing ecosystem as we face a new world of devices, services, and communications technologies that continue to evolve.
Appendix A: Computer protection technologies and mitigations
Addressing threats and risks requires a concerted effort on the part of people, organizations, and governments around the world. The “Managing Risk” section of the Microsoft Security Intelligence Report (SIR) website presents many suggestions for preventing harmful actions from malware, breaches, and other security threats, and for detecting and mitigating problems when they occur. Topics in this section of the website include:
- “Protecting Your Organization,” which offers guidance for IT administrators in small, medium-sized, and large organizations seeking to improve their security practices and to stay current on the latest developments.
- “Protecting Your Software,” which offers software developers information about developing secure software, including in-house software, and securing Internet-facing systems from attack.
- “Protecting Your People,” which offers guidance for promoting awareness of security threats and safe Internet usage habits within an organization.
Additional helpful information about vulnerability and malware protection efforts is available in the following documents:
- Information Sharing and MSRC 2010, a report by the Microsoft Security Response Center
- Mitigating Software Vulnerabilities white paper
- Malware research and response at Microsoft. This report focuses on the role and activities of the Microsoft Malware Protection Center and our vision to provide thorough, ongoing malware research and response.
- Introducing Microsoft Antimalware Technologies. This white paper helps IT professionals to understand the overall malware landscape and how to take advantage of the features in their antimalware technology.
Appendix B: Threat families referenced in this report
The definitions for the threat families referenced in this report are adapted from the Microsoft Malware Protection Center Malware encyclopedia, which contains detailed information about a large number of malware and potentially unwanted software families. See the encyclopedia for more in-depth information and guidance for the families listed here and throughout the report.
Win32/Alureon. A data-stealing trojan that gathers confidential information such as user names, passwords, and credit card data from incoming and outgoing Internet traffic. It may also download malicious data and modify DNS settings.
Win32/Autorun. A family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives.
Win32/Bagle. A worm that spreads by emailing itself to addresses found on an infected computer. Some variants also spread through P2P networks. Bagle acts as a backdoor trojan and can be used to distribute other malicious software.
Win32/ClickPotato. A program that displays pop-up and notification-style advertisements based on the user’s browsing habits.
Win32/Conficker. A worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files.
Win32/FakeSpyPro. A rogue security software family distributed under the names Antivirus System PRO, Spyware Protect 2009, and others.
Win32/Fixer. Malware that locates various registry entries and other types of data, misidentifies them as privacy violations, and prompts the user to purchase a product to remove the alleged violations.
Win32/Frethog. A large family of password-stealing trojans that target confidential data, such as account information, from massively multiplayer online games.
Win32/Hiloti. A family of trojans that interferes with an affected user's browsing habits and downloads and executes arbitrary files.
Win32/Keygen. A generic detection for tools that generate product keys for illegally obtained versions of various software products.
Win32/Msblast. A family of network worms that exploits a vulnerability in Microsoft Windows 2000 and Windows XP, and may also attempt denial of service (DoS) attacks on some server sites or create backdoor programs that allow attackers to access infected computers.

Win32/Mydoom. A family of mass-mailing worms that act as backdoor trojans and allow attackers to access infected systems. Win32/Mydoom may be used to distribute other malicious software, and some variants launch DoS attacks against specific websites.

Win32/Nimda. A family of worms that targets computers running certain versions of Windows and exploits the vulnerability described in Microsoft Security Bulletin MS01-020 to spread by infecting web-content documents and attaching itself to email messages.

Win32/OpenCandy. An adware program that may be bundled with certain third-party software installation programs. Some versions may send user-specific information, including a unique machine code, operating system information, locale, and certain other information to a remote server without obtaining adequate user consent.

JS/Pornpop. A generic detection for specially-crafted JavaScript-enabled objects that attempt to display pop-under advertisements, usually with adult content.

Win32/Rbot. A family of backdoor trojans that targets certain versions of Windows and allows attackers to control infected computers through an IRC channel.

Win32/Renos. A family of trojan downloaders that install rogue security software.

Win32/Rimecud. A family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.

Win32/Rustock. A multi-component family of rootkit-enabled backdoor trojans that were first developed around 2006 to aid in the distribution of spam email.

Win32/Sasser. A family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011.

Win32/Sdbot. A family of backdoor trojans that allow attackers to control infected computers.

Win32/Sircam. A family of mass-mailing network worms that targets certain versions of Windows and spreads by sending a copy of itself as an email attachment to email addresses found on infected computers.
Win32/Starware. A web browser toolbar that monitors searches at popular search engines, conducts its own search in tandem, and displays the results in an IFrame within the browser window.

Win32/Taterf. A family of worms that spread through mapped drives to steal login and account details for popular online games.

Win32/Wukill. A family of mass-mailing email and network worms that spreads to root directories on certain local and mapped drives. It also spreads by sending a copy of itself as an email attachment to email addresses found on infected computers.

Win32/Zlob. A large multicomponent family of malware that modifies Windows Internet Explorer settings, alters and redirects users’ default Internet search and home pages, and attempts to download and execute arbitrary files (including additional malicious software).

Win32/Zotob. A network worm that primarily targets computers running Windows 2000 that do not have Microsoft Security Bulletin MS05-039 installed; it exploits the Windows Plug-and-Play buffer overflow vulnerability.

Win32/Zwangi. A program that runs as a service in the background and modifies web browser settings to visit a particular website.