Microsoft Security Intelligence Report

Volume 10 An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software in 2010. With new data covering July through December

Microsoft Security Intelligence Report
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Copyright © 2011 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

1

Authors
Doug Cavit Microsoft Trustworthy Computing Joe Faulhaber Microsoft Malware Protection Center Vinny Gullotto Microsoft Malware Protection Center Jeff Jones Microsoft Trustworthy Computing Jimmy Kuo Microsoft Malware Protection Center Michelle Meyer Microsoft Trustworthy Computing Daryl Pecelj Microsoft IT Information Security and Risk Management Anthony Penta Microsoft Windows Safety Platform Tim Rains Microsoft Trustworthy Computing Javier Salido Microsoft Trustworthy Computing Christian Seifert Bing Frank Simorjay Microsoft Trustworthy Computing Holly Stewart Microsoft Malware Protection Center Matt Thomlinson Microsoft Security Response Center Jossie Tirado Arroyo Microsoft IT Information Security and Risk Management Scott Wu Microsoft Malware Protection Center Jeff Williams Microsoft Malware Protection Center Terry Zink Microsoft Forefront Online Protection for Exchange

Contributors
Lawren Ahuna Microsoft IT Information Security and Risk Management Eva Chow Microsoft IT Information Security and Risk Management Enrique Gonzalez Microsoft Malware Protection Center Cristin Goodwin Microsoft Legal and Corporate Affairs Satomi Hayakawa CSS Japan Security Response Team Yuhui Huang Microsoft Malware Protection Center CSS Japan Security Response Team Microsoft Japan John Lambert Microsoft Security Engineering Center Eric Leonard Microsoft IT Information Security and Risk Management Laura Lemire Microsoft Legal and Corporate Affairs Ken Malcolmson Microsoft Trustworthy Computing Charles McColgan Microsoft ISD Don Nguyen Microsoft IT Information Security and Risk Management Price Oden Microsoft IT Information Security and Risk Management Kathy Phillips Microsoft Legal and Corporate Affairs Hilda Larina Ragragio Microsoft Malware Protection Center Tareq Saade Microsoft Malware Protection Center Richard Saunders Microsoft Trustworthy Computing Marc Seinfeld Microsoft Malware Protection Center Jasmine Sesso Microsoft Malware Protection Center Norie Tamura (GOMI) CSS Japan Security Response Team Gilou Tenebro Microsoft Malware Protection Center

2

Table of Contents

About This Report ..............................................................................................5 Scope .............................................................................................................5 Reporting Period ............................................................................................5 Conventions ...................................................................................................5 Key Findings Summary ......................................................................................6 Vulnerability Disclosures ................................................................................6 Exploits ..........................................................................................................6 Malware and Potentially Unwanted Software ..................................................7 Operating System Infection Rates....................................................................7 Threat Families ...............................................................................................7 Home and Enterprise Threats .........................................................................8 Email Threats .................................................................................................8 Spam Types ....................................................................................................9 Malicious Websites .........................................................................................9 Trustworthy Computing: Security Engineering at Microsoft .............................. 11 Vulnerabilities .................................................................................................. 12 Vulnerability Severity ................................................................................... 12 Vulnerability Complexity .............................................................................. 14 Operating System, Browser, and Application Vulnerabilities ......................... 15 Vulnerability Disclosures .............................................................................. 16 Exploits ............................................................................................................ 18 HTML and JScript/JavaScript Exploits ........................................................... 20 Document Exploits ....................................................................................... 21 Operating System Exploits ............................................................................ 22

3

.............................................................................................. 59 Malware Hosting Sites ...................................................................................................................................................................................... 73 Glossary ............................................................................................................................................................................................. 49 Spam Messages Blocked .... 33 Threat Categories........... 27 Global Infection Rates ................. 56 Target Institutions............................................................................. 71 Microsoft Products and Services ...... 71 Appendix C: Worldwide Infection Rates ... 57 Global Distribution of Phishing Sites ........................................... 37 Threat Families ................. 62 Global Distribution of Malware Hosting Sites . 69 Appendix B: Data Sources ........................................... 45 Email Threats . 27 Operating System Infection Rates.................................................................................................................... 24 Malware and Potentially Unwanted Software . 39 Rogue Security Software ............................................... 55 Phishing Sites ................................................................................................................................................................................................................................................ 61 Malware Categories ...............................................................Security Breach Trends ...................................................................................... 66 Appendix A: Threat Naming Conventions ............................................................................ 83 4 ......................................................................................................................................................................................................................................................................................................... 49 Spam Types ............................................................................... 36 Threat Categories by Location ............................................ 65 Drive-By Download Sites .......................................... 51 Malicious Websites ................................................................................................................................................................... 41 Home and Enterprise Threats ........................... 78 Threat Families Referenced in This Report ............................

see “Microsoft Malware Protection Center Naming Standard” on the MMPC website. 5 . half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats. and guidance provided in this report useful in helping them protect their organizations.About This Report Scope The Microsoft® Security Intelligence Report (SIR) focuses on software vulnerabilities. For example.microsoft. statistics about malware families and infections are reported on a quarterly basis and other statistics continue to be reported on a half-yearly basis. Conventions This report uses the Microsoft Malware Protection Center (MMPC) naming standard for families and variants of malware and potentially unwanted software. please pay attention to the reporting period or periods being referenced when considering the statistics in this report. respectively. and security breaches. Past reports and related resources are available for download at www. Throughout the report. software. 1H10 represents the first half of 2010 (January 1 through June 30). For information about this standard. where yy indicates the calendar year and n indicates the half or quarter. and users. To avoid confusion. malicious and potentially unwanted software. insights. and 2Q10 represents the second quarter of 2010 (April 1 through June 30). with a focus on 2010. We hope that readers find the data. software vulnerability exploits.com/sir. Reporting Period In this volume of the Microsoft Security Intelligence Report.

Microsoft developed these perspectives based on detailed trend analysis over the past several years. Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods. Vulnerability Disclosures  Vulnerabilities in applications versus operating systems or web browsers continued to account for a large majority of all vulnerabilities in 2010.microsoft. malicious and potentially unwanted software. which result in more secure software and fewer vulnerabilities. software.2 percent from 2009. The full SIRv10 also includes deep analysis of trends found in 117 countries/regions around the world and offers ways to manage risks to your organization. This trend is likely because of better development practices and quality control throughout the industry. Industry vulnerability disclosure trends continue an overall trend of moderate declines since 2006.Key Findings Summary Volume 10 of the Microsoft® Security Intelligence Report (SIRv10) provides indepth perspectives on software vulnerabilities. software vulnerability exploits. and people.   Exploits  The exploitation of Java vulnerabilities sharply increased in the third quarter of 2010 and surpassed every other exploitation category that the 6 . This document summarizes the key findings of the report.com/sir. and security breaches in both Microsoft and third party software. can be downloaded from www. The full SIRv10. as well as previous volumes of the report and related videos. with a focus on 2010. although the total number of application vulnerabilities declined 22.

Exploits that use HTML and JavaScript steadily increased throughout the year and continue to represent a large portion of exploits. The number of Adobe Acrobat and Adobe Reader exploits dropped by more than half after the first quarter and remained near this reduced level throughout the remainder of the year. a feature of 64-bit versions of Windows that protects the kernel from unauthorized modification.  Threat Families  JS/Pornpop. The most prevalent type of attack in this category involved malicious IFrames. the most commonly detected family in 4Q10. may also contribute to the difference by preventing certain types of malware from operating. despite increasing sales of 64-bit Windows versions among the general computing population. and document exploits. infection rates for more recently released Microsoft operating systems and service packs are consistently lower than older ones. One reason may be that 64-bit versions of Windows still appeal to a more technically savvy audience than their 32-bit counterparts. is a detection for specially crafted JavaScript-enabled objects that attempt to display 7 . Windows 7 and Windows Server 2008 R2. the most recently released Windows client and server versions. the information in this section was compiled from telemetry data that was generated from more than 600 million computers worldwide and some of the busiest online services on the Internet. including generic HTML/scripting exploits.  MMPC tracks. have the lowest infection rates. for both client and server platforms. Operating System Infection Rates  As in previous periods. Kernel Patch Protection (KPP). operating system exploits. Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems. Malware and Potentially Unwanted Software  Except where specified. respectively.

although Autorun dropped to second place because of the spread of Pornpop. leads the domain-joined list by a significant margin.pop-under advertisements in users’ web browsers. this family was detected much less often on domain-joined computers. JS/Pornpop was the most commonly detected family in 4Q10 and the fourth most commonly detected family in 2010 overall. but ranks ninth on the non-domain list. On non-domain computers.  Email Threats  After increasing gradually and then reaching a plateau through the first eight months of 2010. See “Online Gaming-Related Families” on page 62 of Microsoft Security Intelligence Report. which users in domain environments are often restricted from accessing by organizational policy or blocking software. These 8 . a generic detection for worms that spread between mounted volumes using the Autorun feature of Windows.  Detections and removals of Win32/Autorun. By contrast. Taterf belongs to a category of threats that are designed to steal passwords for popular online computer games and transmit them to the attackers. increased significantly in 4Q10. The worm family Win32/Conficker. which uses several methods of propagation that work more effectively within a typical enterprise network environment than they do over the public Internet. Volume 5 (January through June 2008) for more information about these threats. the number of spam messages received and blocked by Microsoft Forefront® Online Protection for Exchange (FOPE) dropped abruptly in September. although they are ordered differently and in different proportions. and again in December. usually with adult content. dropped to third by 4Q10.  Home and Enterprise Threats  Seven malware families are common to home and enterprise network environments. the most prevalent threat in 2Q10. Pornpop is often found on websites that host illegal or illicit content. Win32/Taterf.

2 percent a year ago. which is down from 69. spam researchers around the world recorded an almost complete cessation of spam originating from the large Rustock botnet. The reasons for this hiatus are still being investigated. with some spam trackers reporting a drop in the global spam rate as high as 50 percent or more.3 percent).0 percent of spam in 2010.4 percent of the spam messages blocked by FOPE content filters in 2010. o Spam Types  Advertisements for nonsexual pharmaceutical products accounted for 32.3 percent of the total) and advertisements for sexual performance products (3.drops can be correlated with events involving two of the world’s most significant spam-sending botnets: o During the last week of August 2010. researchers affiliated with the security firm LastLine spearheaded a coordinated takedown of command-and-control (C&C) servers associated with the Win32/Cutwail spambot. In the days following the takedown. and the number of messages blocked by FOPE has risen accordingly. compared to a drop of less than two percent between the final two weeks of 2009.  Malicious Websites  In the first half of 2010. although this push appeared to have dwindled as social networks came under increased attack. Together with nonpharmaceutical product ads (18. phishers showed signs of targeting online gaming sites with increasing frequency. During the final week of December. On or about December 25. product advertisements accounted for 54. Impressions that targeted gaming sites reached a high of 16. The Rustock botnet subsequently began sending spam again in midJanuary.7 percent of 9 . the number of messages blocked by FOPE was almost 30 percent less than in the prior week. 2010. FOPE recorded a significant drop in the average daily volume of messages blocked.

10 . despite receiving 84.2 percent of active sites in December. Nevertheless.  Phishing sites that target social networks routinely receive the highest number of impressions per active phishing site. the number of active sites targeting gaming sites remained relatively high during the second half of the year. The percentage of active phishing sites that targeted social networks increased during the final months of the year. which suggests that more campaigns may be coming.1 percent in December. but still only accounted for 4.all impressions in June before dropping to a more typical 2.5 percent of impressions that month.

Microsoft collaborates with partners. partners.Trustworthy Computing: Security Engineering at Microsoft Amid the increasing complexity of today’s computing threat landscape and the growing sophistication of criminal attacks. The report is designed to give our customers. and security science. and reliable computing experiences based on sound business practices. The intelligence provided in this report comes from Trustworthy Computing security centers that deliver in-depth threat intelligence. threat response. private. With more than a billion systems using its products and services worldwide. and governments to help create a safer. as well as information from product groups across Microsoft. and the industry a better understanding of the threat landscape so that they will be in a better position to protect themselves and their assets from criminal activity. enterprises and governments are more focused than ever on protecting their computing environments so that they and their constituents can feel safer online. industry. more trusted Internet. Trustworthy Computing (TwC). formed in 2002. is Microsoft’s commitment to creating and delivering secure. 11 .

availability. Vulnerability Severity The Common Vulnerability Scoring System (CVSS) is a standardized. with higher scores representing greater severity. platformindependent scoring system for rating IT vulnerabilities. on the compromised system.) 12 . See Industry-Wide Vulnerability Reports in the “Reference Guide” section of the Security Intelligence Report website for more information about vulnerabilities.Vulnerabilities Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity. or confidentiality of that software or the data it processes. (See Vulnerability Severity in the “Reference Guide” section of the Security Intelligence Report website for more information. called exploits. The CVSS assigns a numeric value between 0 and 10 to vulnerabilities according to severity. Some of the worst vulnerabilities allow attackers to run arbitrary code.

2006–2010  Although the number of Medium and High severity vulnerabilities disclosed is routinely much greater than the number of Low severity vulnerability disclosures. Mitigating the most severe vulnerabilities first is a security best practice. This percentage is down from 6. as Figure 2 illustrates. Industry-wide vulnerability disclosures by severity.5 percent and 20.8 percent. respectively. the trend in 2010 is a positive one. High severity vulnerabilities that scored 9. Low severity vulnerability disclosures increased 45.   13 .2 percent from 2009.7 percent in 2009. with Medium and High disclosures declining by 17.Figure 1. from 190 in 2009 to 277 in 2010.5 percent of all vulnerabilities disclosed in 2010.9 or greater represent 5.

A High severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower severity vulnerability that can be exploited more easily. just as High severity indicates greater danger in Figure 2. Industry-wide vulnerability disclosures in 2010. The CVSS gives each vulnerability a complexity ranking of Low.Figure 2. 14 . Medium. and vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. by severity Vulnerability Complexity Some vulnerabilities are easier to exploit than others. (See Vulnerability Complexity in the “Reference Guide” section of the Security Intelligence Report website for more information about the CVSS complexity ranking system. Note that Low complexity indicates greater danger.) Figure 3 shows the complexity mix for vulnerabilities disclosed each year since 2006. or High.

the trend here is a positive one. Industry-wide vulnerabilities by access complexity. 2006–2010  As with vulnerability severity. from 120 in 2009 to 172 in 2010.  Operating System.) 15 . and applications since 2006. and Application Vulnerabilities Figure 4 shows industry-wide vulnerabilities for operating systems.Figure 3. and application vulnerabilities are distinguished. browser. Browser.0 percent from 2009.3 percent. Browser. High complexity vulnerability disclosures increased 43.3 percent and 5. browsers. and Application Vulnerabilities in the “Reference Guide” section of the Security Intelligence Report website for an explanation of how operating system. respectively. (See Operating System. with Low and Medium complexity vulnerability disclosures declining 28.

Disclosures can come from a variety of sources. and even malware creators. It does not refer to any sort of private disclosure or disclosure to a limited number of people. with each type accounting for a small fraction of the total. government repository of standards-based vulnerability management.gov).2 percent from 2009. 2006–2010  Application vulnerabilities continued to account for a large majority of all vulnerabilities in 2010.  Vulnerability Disclosures A disclosure.S. The information in this section is compiled from vulnerability disclosure data that is published in the National Vulnerability Database (http://nvd. Industry-wide operating system. the U. independent security researchers. browser. although the total number of application vulnerabilities declined 22. security software vendors. 16 .nist. is the revelation of a software vulnerability to the public at large.Figure 4. as the term is used in the SIR. including the software vendor itself. Operating system and browser vulnerabilities remained relatively stable by comparison. and application vulnerabilities.

Vulnerability disclosures for Microsoft and non-Microsoft products. 2006–2010  Vulnerability disclosures across the industry were down 16. Figure 5. Vulnerabilities in Microsoft products accounted for 7.Figure 5 charts vulnerability disclosures for Microsoft and non-Microsoft products since 2006. This decline continues an overall trend of moderate declines since 2006.    17 . (See Protecting Your Software in the “Managing Risk” section of the Security Intelligence Report website for additional details and guidance about secure development practices. which result in more secure software and fewer vulnerabilities. This trend is likely because of better development practices and quality control throughout the industry.5 percent in 2010 from 2009.) Vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods. primarily because of the overall decline in vulnerability disclosures across the industry during that time.2 percent of all vulnerabilities disclosed in 2010. This percentage is up from 4.5 percent in 2009.

microsoft.com/technet/security/Current. targeted components are add-ons that are pre-installed by the computer manufacturer before the computer is sold. web browsers.Exploits An exploit is malicious code that takes advantage of software vulnerabilities to infect a computer. A user may not even use the vulnerable add-on or be aware that it is installed. or software components that are installed on the computer. a standardized repository of vulnerability information. if applicable.1 Figure 6 shows the prevalence of different types of exploits for each quarter in 2010. In some scenarios.aspx to search and read Microsoft Security Bulletins.org). 18 . 1 See www. without the user’s consent and usually without the user’s knowledge. if applicable. the user may not know that the update is available or how to obtain it. In addition. Some software has no facility for updating itself. Here and throughout this report. applications. and therefore remains vulnerable to attack. exploits are labeled with the CVE identifier that pertains to the affected vulnerability. exploits that affect vulnerabilities in Microsoft software are labeled with the Microsoft Security Bulletin number that pertains to the vulnerability.mitre. Exploits target vulnerabilities in the operating system. so even if the software vendor publishes an update that fixes the vulnerability. Software vulnerabilities are enumerated and documented in the Common Vulnerabilities and Exposures list (CVE) (http://cve.

In 3Q10. by targeted platform or technology  Malware written in Java has existed for many years. driven mostly by the exploitation of a pair of vulnerabilities in versions of the Sun (now Oracle) JVM.Figure 6. increased significantly in 3Q10. such as Microsoft® Word and Adobe Reader. Exploits that target document editors and readers. which have been less prevalent than other types of exploits for several years. primarily because of exploitation of two Windows® vulnerabilities. the number of Java attacks increased to fourteen times the number of attacks recorded in 2Q10.   19 . declined in 2Q10 and remained at a lower level thereafter. Exploits detected by Microsoft desktop antimalware products in 2010. CVE-2008-5353 and CVE-2009-3867. these two vulnerabilities accounted for 85 percent of the Java exploits detected in the second half of 2010. Together. but attackers had not focused significant attention on exploiting Java vulnerabilities until somewhat recently. Operating system exploits.

Exploits that target Windows Internet Explorer® vulnerabilities accounted for between 19 and 36 percent of HTML-related exploits each quarter. a vulnerability that affects Internet Explorer versions 6 and 7 running on versions of Windows earlier than Windows 7 and Windows Server 2008 R2. 2010) on the MMPC blog (http://blogs. For more information. Most of these exploits targeted CVE-2010-0806. Microsoft has issued Security Bulletin MS10-018 to address this vulnerability. Figure 7.  20 . see the post “Active Exploitation of CVE-2010-0806” (March 30.technet.com/mmpc).HTML and JScript/JavaScript Exploits Figure 7 shows the prevalence of different types of HTML and Jscript®/JavaScript exploits each quarter in 2010. Types of HTML and JScript/JavaScript exploits detected by Microsoft desktop antimalware products in 2010  Most of the exploits observed involved malicious HTML inline frames (IFrames) that surreptitiously open pages hosting malicious code in users’ web browsers.

8 percent of the document format exploits that were detected each quarter in 2010.   Microsoft also detected a very small number of exploits that affect JustSystems Ichitaro.2 Figure 8.Document Exploits Figure 8 shows the prevalence of different types of document format exploits by quarter in 2010.5 and 2. Adobe Acrobat and Adobe Reader exploits dropped by more than half after the first quarter and remained near this reduced level throughout the remainder of the year. Microsoft Office file format exploits accounted for between 0. a Japanese-language word processing program. Almost all of these exploits involved the generic exploit family Win32/Pdfjsc. These exploits affected fewer than 200 computers each quarter and are not shown in the figure. Types of document exploits detected by Microsoft desktop antimalware products in 2010  Exploits that affected Adobe Acrobat and Adobe Reader accounted for most document format exploits detected throughout 2010. 2 21 .

CVE-2010-1885 and CVE-2010-2568. Operating system exploits had been declining for several years prior to 2010. about three weeks before the end of the second quarter.   22 . in addition to the total number of detections. and detections numbered less than 200. to address the vulnerability on July 13. and shows the number of individual computers that reported exploit attempts for several of these exploits. Figure 9. and Microsoft issued an “out-ofband” Security Bulletin. This decline changed in 3Q10 with the discovery and publication of two zero-day exploits (exploits that take advantage of undisclosed or newly disclosed vulnerabilities before the vendor releases security updates for them) for two vulnerabilities that affect Windows.000 in each of the first two quarters of the year. CVE-2010-1885 is a vulnerability that affects the Windows Help and Support Center in Windows XP and Windows Server® 2003. MS10-042. 2010.Operating System Exploits Figure 9 shows the prevalence of different operating system exploits by quarter in 2010. Figure 9 provides another perspective on these statistics. Operating system exploits detected by Microsoft desktop antimalware products in 2010  Several of the operating system exploits with the most detections in 2010 were caused by worms that spread in ways that result in large numbers of detections on each computer they try to infect. Details of the vulnerability were made public on June 10.

Microsoft detected a relatively small number of exploits targeting CVE2010-1885 (fewer than 14,000 worldwide) in 2Q10, followed by a steep rise to more than 250,000 detections in the third quarter. By the end of the year, exploitation had declined significantly, with fewer than 65,000 detections in 4Q10. For additional information, see the post Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885) (June 30, 2010) on the MMPC blog, http://blogs.technet.com/mmpc.  CVE-2010-2568 is a vulnerability that involves the way Windows Shell handles shortcut files. This vulnerability was first discovered in mid-July 2010 following analysis of the Win32/Stuxnet worm, which uses the vulnerability as a means of propagation. Microsoft issued an out-of-band Security Bulletin, MS10-046, to address the vulnerability on August 2. Initially, Stuxnet was the only family found to be making significant use of CVE-2010-2568 exploits, but detections and removals rose as authors of other malware families, including Win32/Vobfus and Win32/Sality, began releasing new variants that exploited the vulnerability. For additional information, see the post Stuxnet, malicious .LNKs, ...and then there was Sality (July 30, 2010) on the MMPC blog, http://blogs.technet.com/mmpc. CVE-2010-2568 exploits affected about as many computers in 3Q10 as CVE-2010-1885 exploits, but the number of detections per infected computer was much higher (12.9 detections per infected computer, compared to 1.5 for CVE-2010-1885). The Stuxnet worm uses USB storage devices as its primary transmission vector, and the nature of the shortcut vulnerability caused some computers to log large numbers of detections as the Windows Shell repeatedly attempted to process the same malicious shortcut file.  CVE-2006-3439 is a vulnerability that affects the Server service in Windows 2000, pre-Service Pack 3 versions of Windows XP, and preService Pack 2 versions of Windows Server 2003. Microsoft issued Security Bulletin MS06-040 to address the vulnerability in August 2006. In this case, although Microsoft detected significant numbers of infection attempts targeting CVE-2006-3439, the actual number of computers involved was quite small (fewer than 3,000 worldwide each quarter). Exploits targeting network services, such as the Server service, can generate large numbers of detections by real-time antimalware products:

23

a worm traversing a network may make repeated attempts to infect an individual computer using the exploit, with each unsuccessful attempt logged as a separate detection. In general, successful exploitation of operating system vulnerabilities as old as CVE-2006-3439 should be rare, as most of the Windows installations that were initially affected have since been updated with the appropriate security updates or service packs or replaced by newer versions of Windows that are not affected by the vulnerability. In 2010, detections of CVE-2006-3439 exploits were strongly correlated with detections of the uncommon Trojan family Win32/ServStart, suggesting a possible connection between the two.

Security Breach Trends
In recent years, laws have been passed in a number of jurisdictions around the world that require affected individuals to be notified when an organization loses control of personally identifiable information (PII) with which it has been entrusted. These mandatory notifications offer unique insights into how information security efforts need to address issues of negligence as well as technology. The information in this section was generated from worldwide data security breach reports from news media outlets and other information sources that volunteers have recorded in the Data Loss Database (DataLossDB) at http://datalossdb.org. (See Security Breach Trends in the “Reference Guide” section of the Security Intelligence Report website for more information about the DataLossDB and the breach types referenced here.)

24

Figure 10. Security breach incidents by incident type, 3Q09–4Q10

The largest single category of incidents in each of the past six quarters involved stolen equipment, ranging from a high of 34.5 percent of the total in 3Q09 to a low of 18.6 percent of the total in 4Q10. Malicious incidents (those involving “hacking” incidents, malware, and fraud) routinely account for less than half as many incidents as negligence (involving lost, stolen, or missing equipment; accidental disclosure; or improper disposal), as Figure 11 illustrates. Improper disposal of business records accounts for a significant portion of incidents and is relatively easy for organizations to address by developing and enforcing effective policies regarding the destruction of paper and electronic records that contain sensitive information.

25

Figure 11. Breach incidents resulting from attacks and negligence, 3Q09–4Q10

26

340.2% ▲ -2.1% ▲ 56.460 1.) Global Infection Rates The telemetry data generated by Microsoft® security products from users who choose to opt in to data collection includes information about the location of the computer.368 1.570 1.905 1.578 2.943.786 1.609.163 1.490.070.354.794.6% ▼ 18.9% ▼ 27 . This data makes it possible to compare infection rates. as determined by the setting of the Location tab or menu in Regional and Language Options in Control Panel. and trends in different locations around the world.695 1.052 1.168.563.015.215 2.173 1.922.841 962.285.102 1.510.526.025. the information in this section was compiled from telemetry data that was generated from more than 600 million computers worldwide and some of the busiest Internet online services.Malware and Potentially Unwanted Software Except where specified.953 1.437 2.9% ▲ 12.678.026.8% ▲ -3. 3Q to 4Q 4.588.882.712 4Q10 11.810 1.683 3Q10 11.059.857 1.999 2.624 1.709 1.857.943.348.584 2Q10 9.491 Chg.358.751 2.601.985. The locations with the most computers reporting detections and removals by Microsoft desktop antimalware products in 2010 Country/Region 1 2 3 5 4 7 6 United States Brazil China United Kingdom France Korea Spain 1Q10 11.817.594 1. patterns. (See “Appendix B: Data Sources” on page 71 for more information about the telemetry used in this report.811 2. Figure 12.154 1.1% ▼ -8.

see “Rogue Security Software” on page 41. Onescan.099 3Q10 928.964 4Q10 1. Win32/Parite. and Win32/Nbar— representing 77 percent of the 3Q–4Q increase.593 2Q10 783. with three families—Win32/Onescan.Country/Region 9 8 10 Russia Germany Italy 1Q10 700.311.625 836.3% ▲ 10. was itself responsible for about 32 percent of all detections in Korea.665 1.210 925.332 794.177.8 percent from 3Q10 to 4Q10.406 998. 3Q to 4Q 41. a Koreanlanguage rogue security software family first detected in 4Q10.) Figure 13. a Korean-language rogue security software family 28 .458 Chg.8% ▲  Detections in Korea rose 56.6% ▲ 10.414 900. (For more information.302.066 1.685 949. False malware detections by Win32/Onescan.

3 29 . Infection rates by country/region in 1H10 (top) and 2H10 (bottom).) Figure 14. by CCM For the maps in Figure 14. Figure 14 shows the infection rates in locations around the world using a metric called computers cleaned per mille (thousand). primarily because of a significant increase in the number of computers running Microsoft Security Essentials there. the CCM totals are averaged for the first two and last two quarters of 2010. which represents the number of reported computers cleaned in a quarter for every 1. to produce CCM totals for 1H10 and 2H10.3 (See the Security Intelligence Report website for more information about the CCM metric. respectively.000 executions of the Microsoft Windows® Malicious Software Removal Tool (MSRT). the locations with the most computers reporting detections tend to be ones with large populations and large numbers of computers. Detections in Russia rose 41. To control for this effect. or CCM. In absolute terms.3 percent from 3Q to 4Q.

Locations with low infection rates include Mongolia (1.1).8).3). Turkey had the highest average quarterly CCM at 36. Turkey (32.8).000 MSRT executions (CCM 40. Among locations with at least 100.4). These five locations have consistently had the highest infection rates among large countries and regions for most of the past six quarters. The next two figures illustrate infection rate trends for specific locations around the world. For the entire year. Taiwan (29.3 computers cleaned for every 1. Korea (34.8). Large countries and regions with low infection rates include the Philippines (3. Korea had the highest infection rate. Following Korea were Spain (33. Large numbers of new antimalware installations in a location also typically increase the number of computers cleaned in that location.000 executions of MSRT in 4Q10. Taiwan (24. as shown in Figure 15 on page 31.6).000 MSRT executions each quarter in 2010. relative to the trends for all locations with at least 100.7). Bangladesh (1.8.3). with 40. Austria (3.4). and Brazil (24.7).2). and Belarus (1. India (3. followed by Spain (36. (See Infection Trends Worldwide in the “Key 30 .1). and Japan (4.4). Increases in the number of computers with detections can be caused not only by increased prevalence of malware in that country but also by improvements in the ability of Microsoft antimalware solutions to detect malware.8).3 average CCM for 2010). and Brazil (20.   Detections and removals in individual countries/regions can vary significantly from period to period.

) Korea.  31 .Findings” section of the Security Intelligence Report website for additional details about this information.3 a year later. Spain.000 MSRT executions minimum per quarter in 2010)  Korea has come under sustained attack in recent quarters. and Brazil have occupied the top five spots among large countries and regions with the highest infection rates in all but one of the last six quarters (the sole exception being 4Q09.1 percent—the largest such increase over the past year. when Portugal edged Korea for 5th place). Taiwan.7 points.) Figure 15. an increase of 16. Turkey. Trends for the five locations with the highest infection rates in 4Q10. The CCM in Korea rose from 23. by CCM (100. or 71.6 in 4Q09 to 40. (See the “Global Threat Assessment” section of the Security Intelligence Report website for more information about threats in Korea. resulting in a dramatic rise from 4th place in 3Q10 to 1st place in 4Q10.

Infection rates in Portugal and Bahrain fluctuated over the past six quarters. but both locations ended 4Q10 showing significant improvements over 3Q09.) Although the total number of detections and removals in Russia increased through 2010.3 CCM in 3Q09 to 10. though still one of the locations with the highest infection rates. dropping from 30. has improved significantly over the past six quarters.Figure 16. Hamweq. This decrease was primarily because of decreases in Conficker.1 CCM in 3Q09 to 20.000 MSRT executions minimum in 4Q10)  The most improved locations are those that showed the greatest decline in CCM between 4Q09 and 4Q10. (See “Threat Families” on page 39 for more information about these and other malware families.6. followed by declines in Win32/Conficker and Win32/Rimecud. a 37. Portugal went from 25. by CCM (100.8 in 4Q10. Declines in Win32/Frethog and Win32/Hamweq were chiefly responsible for this improvement.0 CCM to 15.6    32 . the actual infection rate declined significantly. from 17. Infection rate trends for the five most improved locations between 4Q09 and 4Q10. as explained on page 28. and Win32/Taterf. Brazil.1 in 4Q10.

along with the differences in the way people and organizations use each version. we have not targeted families specific to China with. Bahrain dropped from 13. 33 . affect the infection rates for the different versions and service packs. Figure 17 shows the infection rate for each Windows operating system/service pack combination that accounted for at least 0.6 to 9. Although this makes China one of the locations with the lowest infection rates worldwide as measured by CCM.0. a number of factors that are unique to China are important to consider when assessing the state of computer security there.9 in 4Q10. which targets global malware families. 92 to 94 percent of the threats reported by computers running Microsoft Security Essentials in China would not have been detected by MSRT. In 2010. The CCM figures are calculated based on telemetry from MSRT. for example.1 percent of total MSRT executions in 2010. see the “Global Threat Assessment” section of the Security Intelligence Report website.5 in 3Q09 to 2. a decline of 33. For a more in-depth perspective on the threat landscape in China.percent decrease.language threats that are not prevalent anywhere else. To date.  The CCM in China decreased from 9.8 percent. Operating System Infection Rates The features and updates that are available with different versions of the Windows operating system. The malware ecosystem in China is dominated by a number of Chinese.

000 Windows 7 RTM computers).1 percent of total executions shown.   34 . As in previous periods. 1.  This data is normalized: the infection rate for each version of Windows is calculated by comparing an equal number of computers per version (for example.000 Windows XP SP2 computers to 1. Average quarterly infection rate (CCM) by operating system and service pack in 2010 “32” = 32-bit. may also contribute to the discrepancy by preventing certain types of malware from operating. infection rates for more recently released operating systems and service packs are consistently lower than earlier ones. Supported systems with at least 0. have the lowest infection rates on the chart. Windows 7 and Windows Server® 2008 R2. despite increasing sales of 64-bit Windows versions among the general computing population. for both client and server platforms. the most recently released Windows client and server versions. One reason may be that 64-bit versions of Windows still appeal to a more technically savvy audience than their 32-bit counterparts. Infection rates for the 64-bit versions of Windows Vista® and Windows 7 are lower than for the corresponding 32-bit versions of those operating systems. Kernel Patch Protection (KPP).Figure 17. respectively. a feature of 64-bit versions of Windows that protects the kernel from unauthorized modification. “64” = 64-bit.

3Q09-4Q10  As Figure 18 shows.Figure 18. and Windows 7. CCM trends for supported 32-bit versions of Windows XP. 35 . Windows 7 has consistently had the lowest infection rate of any 32-bit client operating system/service pack combination over the past six quarters. Windows Vista.

7 percent in 1Q10.Threat Categories The Microsoft Malware Protection Center (MMPC) classifies individual threats into types based on a number of factors. with detections on 20. the SIR groups these types into 10 categories based on similarities in function and purpose.0 percent of all infected computers in 4Q10. Detections of adware increased significantly during the second half of the year. Figure 19. To simplify the presentation of this information and make it easier to understand. rising from 8. The miscellaneous trojans category. square markers indicate potentially unwanted software categories. JS/Pornpop and   36 . by percentage of all computers reporting detections Round markers indicate malware categories.  Totals for each time period may exceed 100 percent because some computers have more than one category of threat detected and removed from them in each time period.9 percent of infected computers in 2Q10 to 15.1 percent in 4Q10. This increase was almost completely caused by the appearance of a pair of new adware families. which consists of all trojans that are not categorized as trojan downloaders & droppers. down from 22. Detections by threat category each quarter in 2010. including how the threat spreads and what it is designed to do. was the most prevalent category each quarter in 2010.

A 61.6 percent.) The miscellaneous potentially unwanted software and trojan downloaders & droppers categories began the year at similar levels of prevalence. with MSRT removing it from fewer than 300.   Threat Categories by Location There are significant differences in the types of threats that affect users in different parts of the world. and then diverged. The spread and effectiveness of malware are highly dependent on language and cultural factors. which targets passwords for online games.2 percent of infected computers to 13. Some threats are spread using techniques that target people who speak a particular language or who use services that are local to a particular geographic region.2 percent of infected computers in the fourth quarter.1 percent of infected computers to 18.000 computers in 4Q10. in addition to the methods used for distribution. in the third quarter. trojan downloaders & droppers declined from 14. in part because of a decline in detections of Win32/Renos. By the end of the year.Win32/ClickPotato. from a second-quarter high of 19.)  After increasing from 1Q10 to 2Q10.5 percent in 4Q10. 37 . (See “Threat Families” on page 39 for more information about these and other families. Other threats target vulnerabilities or operating system configurations and applications that are unequally distributed around the globe. (Hamweq was added to MSRT in December 2009. combined with increases in other categories. worms declined significantly through the end of the year. and was detected by the tool on more than 1 million computers by the end of 1Q10. Password Stealers & Monitoring Tools declined to 6. declined even more in 2010 to just 0.7 percent to 11. a perennially common family.3 percent decrease in detections and removals of the worm family Win32/Hamweq between 1Q10 and 4Q10 is partially responsible for this relative decline.1 percent. Hamweq detections had declined significantly. miscellaneous potentially unwanted software rose from 16.6 percent of infected computers in 4Q10 following a decrease in detections of Win32/Frethog. Each of the other categories was detected on fewer than 10 percent of infected computers. with increased detections of the potentially unwanted software families Win32/Zwangi and Win32/Keygen accounting for much of the increase (the increase in detections of the latter family was caused more by improved detection than by increased prevalence). which has never been very common. Spyware.

4 % 6.9 % 10.1 % 8. and Worms.4 % 24.3% 5.7 % 3.5 % 18. two predominantly Englishspeaking locations that also share a number of other cultural similarities. Exceptions include Adware.2% 2.3 % 8.2% 0.4% 20. 28.2% 12. Brazil has an unusually high concentration of Password Stealers & Monitoring Tools.4% 11.0 % 8.5 % 5.0% 8. Threat category prevalence worldwide and in nine individual locations in 2010 Category Misc.6% 5.1% 6.1% 3. a darker color indicates that the category is more prevalent in the specified location than in the others. Potentially Unwanted Software Worms Trojan Downloaders & Droppers Adware Password Stealers & Monitoring Tools Exploits Backdoors Viruses Spyware World 31.5% Totals for each location exceed 100 percent because some computers reported threats from more than one category.3 % 21.2 % 21.5 % 14.7 % 33.6 % 24.   38 .3% Spain 20.5% 24.0 % 19.7% 0.3 % 40.5 % 10.5% Ger.7% 4.8 % 20.7% 5.7% 10. The United States and the United Kingdom.3% 5.0% 8.3 % 33.2 % 35.0% 12.7 % 20.4% 10.7% Brazil 23.9 % 10. 21. Trojans Misc.4 % 28. and a lighter color indicates that the category is less prevalent.  Within each row of Figure 20.5 % 23.2% Russi a 40.5 % 3.2% 10. which targets customers of Brazilian banks. which are more common in the US.3 % 0.5% 7.8 % 0.1 % 14.6% US 43.6 % 26.6 % 40.3 % 29.9 % 16.3% 7.2 % 9.6% 5.4% 0. have similar threat mixes in most categories.1 % 0.2 % 31.7% Korea 17.2% 3.3% 4.0 % 9.4% Fr.6% 25.8 % 32. which is more common in the UK.1% 0.4% 3.7 % 13.0 % 52. primarily because of the prevalence of Win32/Bancos.1 % 13. Figure 20.1 % 22.6 % 11.4% 3.2 % 16.8 % 17.3 % 7.3 % 6.6 % 20.Figure 20 shows the relative prevalence of different categories of malware and potentially unwanted software in several locations around the world in 2010.6 % 16.8 % 3.1% 17.3 % 10.1% 9.4% 27.3 % 9.1% 2.2% China 28.3% UK 36.7% 7.1% 13.4 % 22.3% 0.9% 0.

Two of the most common threats in China. led by Win32/Renos. Korea has a large concentration of viruses. Backdoors. perhaps because of the popularity of public Internet gaming centers there where viruses are easily transmitted between computers and removable volumes. with the exception of an unusually low concentration of Adware. The top six families detected in Spain in 2010 were worms. are Chinese-language potentially unwanted software families that are uncommon elsewhere. led by Win32/ClickPotato. Trojan Downloaders & Droppers are nearly twice as common as in the rest of the world. and a relatively low concentration of Worms and Adware. and worms. 39 . Worms and Backdoors are unusually common in Spain. In Germany. Exploits. China routinely exhibits a threat mix that is much different than those of other large countries and regions. Viruses and worms have long been unusually common in Korea. The threat mix in Russia resembles that of the world as a whole. JS/CVE-2010-0806 and JS/ShellCode. led by Win32/Parite. Win32/BaiduSobar and Win32/Sogou.      See “Appendix C: Worldwide Infection Rates” on page 73 for more information about malware around the world. Adware dominates in France. that were less prevalent elsewhere. The most common families in China also include a pair of exploits. Threat Families Figure 21 lists the top 10 malware and potentially unwanted software families that were detected on computers by Microsoft desktop security products in the second half of 2010. and Spyware. China has a relatively high concentration of Miscellaneous Potentially Unwanted Software. perhaps because of the highly language-dependent nature of online advertising.

281 451.398 2.061 2.631 1.244.498.975 1. usually with adult content.299.680 1.780 542.640.109.646.323.903 1.Figure 21. The families that increased the most in prevalence in 2010  JS/Pornpop. is a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users’ web browsers.892.749. the most commonly detected family in 4Q10.615.860.231 1.093 1.365 3.420 942.638.708 1.649 1.534 2.238 2.338.277 1. 40 .805.649.889.314.809.256 1.664.660 4Q10 3. Potentially Unwanted Software Trojan Downloaders & Droppers Worms Worms Miscellaneous Trojans Adware Adware 1Q10 — 1.015.693.152 1.117 Figure 22.750 860.934 1. Quarterly trends for the top 10 malware and potentially unwanted software families detected by Microsoft desktop security products in 2H10 Family 1 2 3 4 5 6 7 8 9 10 JS/Pornpop Win32/Autorun Win32/Taterf Win32/Zwangi Win32/Renos Win32/Rimecud Win32/Conficker Win32/FakeSpypro Win32/Hotbar Win32/ClickPotato Most Significant Category Adware Worms Worms Misc.659 — 2Q10 — 1.289 — 3Q10 2.919 1.496.110.483.092 1.744.424.660.941 1.210 1.585 2.747 1.674.517 1.655.986 889.256.649 2.897.532 2.865 1.

it has consistently been one of the threats most commonly detected and removed by Microsoft antimalware desktop products and services. Zwangi is a program that runs as a service in the background and modifies web browser settings to visit a particular website. Since 2006. the most prevalent threat in 2Q10. increased significantly in 4Q10. Rogue security software. See “Online Gaming-Related Families” on page 62 of Microsoft Security Intelligence Report.     Rogue Security Software Rogue security software has become one of the most common methods that attackers use to swindle money from victims. also known as scareware. or attempts to lure users into participating in fraudulent transactions. These programs typically mimic the general look and feel of 41 .Pornpop is one of the fastest spreading malware families seen in several years. First detected in August 2010. a generic detection for worms that spread between mounted volumes using the Autorun feature of Windows. dropped to fifth by 4Q10.  Detections and removals of Win32/Autorun. The adware family Win32/ClickPotato. it quickly grew to become the second most prevalent family in 3Q10. rose quickly to become the tenth most prevalent family in 4Q10. Win32/Renos. although Autorun dropped to second place because of the spread of Pornpop. is software that appears to be beneficial from a security perspective but provides limited or no security. Renos is a family of Trojan downloaders that is often used to install rogue security software. The potentially unwanted software family Win32/Zwangi rose from tenth in 2Q10 to fourth in 4Q10. dropped to third by 4Q10. first detected in August 2010. Taterf belongs to a category of threats that are designed to steal passwords for popular online computer games and transmit them to the attackers. Volume 5 (January through June 2008) for more information about these threats. ClickPotato is a program that displays pop-up and notification-style advertisements based on the user’s browsing habits. generates erroneous or misleading alerts. Win32/Taterf. and the most prevalent family in 4Q10 and in the second half of the year as a whole. the most prevalent threat in 1Q10.

(See Rogue Security Software in the “Reference Guide” section of the Security Intelligence Report website for more information about this kind of threat. Also see www. Some versions emulate the appearance of the Windows Security Center or unlawfully use trademarks and icons to misrepresent themselves.com/security/antivirus/rogue. Some of the “brands” used by different versions of the rogue security software family Win32/FakeXPA Figure 24 shows detection trends for the most common rogue security software families detected in 2010.aspx for an informative series of videos about rogue security software aimed at a general audience. 42 .) Figure 23.microsoft. Attackers typically install rogue security software programs through exploits or other malware or use social engineering to trick users into believing the programs are legitimate and useful.legitimate security software programs and claim to detect a large number of nonexistent threats while urging users to pay for the “full version” of the software to remove the threats.

Detections for FakeXPA were added to MSRT in December 2008. by quarter  Win32/FakeSpypro was the most commonly detected rogue security software family in each quarter of 2010. FakeXPA is a persistent. FakePAV is one of several rogue security software families that masquerade as Microsoft Security Essentials. Names under which FakeSpypro is distributed include AntispywareSoft. It is distributed under a large number of names. and Antivirus System PRO. fell from a near tie with FakeSpypro in 1Q10 to sixth place in 4Q10. Win32/FakePAV was first detected in 3Q10 and rose quickly to become the second most commonly detected rogue security software family in the fourth quarter. Win32/FakeXPA. Detections for FakeSpypro were added to MSRT in July 2009. with more than twice as many detections and removals overall as the next most prevalent family.Figure 24. some of which are shown in Figure 23. listing one or more nonexistent infections that it claims it cannot remove. It presents a dialog box that is similar in appearance to a Security Essentials alert. Spyware Protect 2009. frequently updated threat that uses a variety of techniques to evade detection and removal by legitimate security products. It then offers to “install” a trial version of a different security program   43 . Trends for the most commonly detected rogue security software families in 2010. the second most commonly detected rogue security software family overall in 2010.

Privacy Guard 2010. Peak Protection 2010. For additional information. Pest Detector.(actually another part of FakePAV itself). Palladium Pro. after which it proceeds in a manner similar to other rogue security software programs. Detections for FakePAV were added to MSRT in November 2010. A genuine Microsoft Security Essentials alert (top) and a fake alert generated by Win32/FakePAV (bottom) Names under which FakePAV is distributed include Red Cross Antivirus. Major Defense Kit. see the post MSRT Tackles Fake Microsoft Security Essentials (November 9.com/mmpc. ThinkPoint. http://blogs. Figure 25. AntiSpy Safeguard. 2010) on the MMPC blog. and others. 44 .technet.

These different usage patterns mean that home users tend to be exposed to a different mix of computer threats than enterprise users. such as playing games. The infection telemetry produced by Microsoft desktop antimalware products and tools includes information about whether the infected computer belongs to an Active Directory® Domain Services domain. and may have limitations placed on their Internet and email usage. watching videos. Enterprise users typically use computers to perform business functions while connected to a network. Home users are more likely to connect to the Internet directly or through a home router and to use their computers for entertainment purposes. Comparing the threats encountered by domain computers and non-domain computers can provide insights into the different ways attackers target enterprise and home users and which threats are more likely to succeed in each environment. and computers that do not belong to a domain are more likely to be used at home or in other non-enterprise contexts. Domains are used almost exclusively in enterprise environments.Home and Enterprise Threats The usage patterns of home users and enterprise users tend to be very different. Figure 26 and Figure 27 list the top 10 families detected on domain-joined and non-domain computers in 4Q10. and communicating with friends. 45 .

1% 4.3% 2. by percentage of domain-joined computers reporting detections Family 1 2 3 4 5 6 7 8 9 10 Win32/Conficker Win32/Autorun Win32/Rimecud Win32/Taterf Win32/RealVNC Win32/Hamweq Win32/Frethog Win32/Renos Win32/Alureon Win32/FakeSpypro Most Significant Category Worms Worms Worms Worms Miscellaneous Potentially Unwanted Software Worms Password Stealers & Monitoring Tools Trojan Downloaders & Droppers Miscellaneous Trojans Miscellaneous Trojans 1Q10 21.0% 4.1% 5.3% 4.4% 2.9% 3.0% 3.4% 3.9% 4.3% 9.3% 6.7% 2.5% 5.3% 9.2% 2.0% 8.8% 6.3% 7.8% 2.6% 10.4% 2. Top 10 families detected on domain-joined computers in 2010.9% 46 .8% 0.0% 8.0% 3Q10 19.8% 4.8% 4Q10 18.0% 8.2% 2.6% 7.4% 2.0% 5.4% 5.8% 1.9% 5.Figure 26.3% 2Q10 22.9% 10.0% 6.0% 2.

The worm family Win32/Conficker.8% 4.9% 4.8% Q4 4.1% 5.6% 3.6% 6.4% 2.4% 10.8% 1. leads the domain-joined list by a significant margin.4% 5.0% 3. 47 .4% Q2 6. which uses several methods of propagation that work more effectively within a typical enterprise network environment than they do over the public Internet.7% 4.7% 6.5% 3.4% — 4.6% 5.8% 5.6% 8.4% 8.8% 6.1% 7.3% Q3 6.0% 5. by percentage of all infected non-domain computers reporting detections Family 1 2 3 4 5 6 7 8 9 1 0 Win32/Renos Win32/Autorun Win32/Taterf Win32/Rimecud Win32/Frethog JS/Pornpop Win32/FakeSpypro Win32/Conficker Win32/Zwangi Win32/Hotbar Category Trojan Downloaders & Droppers Worms Worms Worms Password Stealers & Monitoring Tools Adware Miscellaneous Trojans Worms Miscellaneous Potentially Unwanted Software Adware Q1 8. but ranks ninth on the non-domain list.6% 3. although they are ordered differently and in different proportions.9% 4.8% 3.1% 3.6% 7.8% 6.9% 2.8% 3.6%  Seven families are common to both lists.7% 4.7% 3. Top 10 families detected on non-domain computers in 2010.4% 4.Figure 27.8% 5.9% — 4.

yet both families were detected with similar frequency on both domain-joined and non-domain computers. Such games are not common in the workplace. Pornpop is an adware family that attempts to display pop-under advertisements that usually contain adult content in users’ web browsers. By contrast. which users in domain environments are often restricted from accessing by organizational policy or blocking software. but one that has had the effect of spreading them efficiently in enterprise environments as well. Win32/Autorun. including Conficker. JS/Pornpop was the most commonly detected family in 4Q10 and the fourth most commonly detected family in 2010 overall. and Win32/Taterf.   48 . are designed to propagate via network shares. Worms accounted for five of the top 10 families detected on domainjoined computers. Taterf and Win32/Frethog are two related families that are designed to steal the passwords of users who play massively multiplayer online roleplaying games (MMORPGs). On non-domain computers. which was perhaps unexpected. this family was detected much less often on domain-joined computers. Several of these worms. which are common in domain environments. It is often found on websites that host illegal or illicit content. Taterf and Frethog both rely heavily on removable drives to propagate—a technique that was probably developed to help spread them in Internet cafés and public gaming centers.

Not only does all this unwanted email tax recipients’ inboxes and the resources of email providers. Messages blocked by FOPE each month in 2010 49 . social networks. and malware filtering services for thousands of enterprise customers and tens of billions of messages per month. phishing. (See Spam Trends in the “Reference Guide” section of the Security Intelligence Report website for more information. phishing.) Figure 28. Spam Messages Blocked The information in this section is compiled from telemetry data provided by Microsoft Forefront® Online Protection for Exchange (FOPE). and other online communities have made blocking spam. and other email threats a top priority. Email providers. which provides spam.Email Threats Most of the email messages sent over the Internet are unwanted. but it also creates an environment in which emailed malware attacks and phishing attempts can proliferate.

compared to a drop of less than two percent between the final two weeks of 2009. the number of messages blocked by FOPE was almost 30 percent less than in the prior week. These drops can be correlated with events involving two of the world’s most significant spam-sending botnets: o During the last week of August. the number of spam messages received and blocked by FOPE dropped abruptly in September. The Rustock botnet subsequently began sending spam again in midJanuary. Most spam is blocked by servers at the network edge. FOPE recorded a significant drop in the average daily volume of messages blocked. During the final week of December. spam researchers around the world recorded an almost complete cessation of spam originating from the large Rustock botnet. with some spam trackers reporting a drop in the global spam rate as high as 50 percent or more. Messages that are not blocked at the first stage are scanned using content-based rules. researchers affiliated with the security firm LastLine spearheaded a coordinated takedown of command-and-control (C&C) servers associated with the Win32/Cutwail spambot. 50 . Around December 25. which use reputation filtering and other non-content-based rules to block spam or other unwanted messages. o FOPE performs spam filtering in two stages. The reasons for this hiatus are still being investigated. which detect and filter many additional email threats. including attachments that contain malware. and the number of messages blocked by FOPE has risen accordingly. In the days following the takedown. After increasing gradually and then reaching a plateau through the first eight months of 2010. and again in December.

only about one out of every 38.Figure 29. The effectiveness of edge-filtering techniques such as IP address reputation checking. Figure 30 shows the relative prevalence of these spam types in 2010. SMTP connection analysis.   Spam Types The FOPE content filters recognize several different common types of spam messages. and recipient validation have increased dramatically over the past several years.5 incoming messages made it to recipients’ inboxes. Approximately 95. 51 . Percentage of incoming messages blocked by FOPE using edge-blocking and content filtering in 2010  In 2010 overall.3 percent of all incoming messages were blocked at the network edge. which means that only 4. The rest were blocked at the network edge or through content filtering. which enables mail-filtering services to provide better protection to users even as the total amount of unwanted message traffic on the Internet remains very high.7 percent of incoming messages had to be subjected to the more resource-intensive content filtering process.

Figure 30.3 percent of the total) and advertisements for sexual performance products (3.3 percent). product advertisements accounted for 54. by category  Advertisements for nonsexual pharmaceutical products accounted for 32. with no text in the body of the message. In an effort to evade content filters.   52 . Together with nonpharmaceutical product ads (18.3 percent in 2009. Image-only spam messages accounted for 8.2 percent a year ago. up from 6.4 percent of the spam messages blocked by FOPE content filters in 2010. which is down from 69.7 percent of the total in 2010. spammers often send messages that consist only of one or more images.0 percent of spam in 2010. Inbound messages blocked by FOPE filters in 2010.

by category 53 . Inbound messages blocked by FOPE content filters each month in 2010.Figure 31.

suddenly began rising in prominence in June. As Figure 31 illustrates. image-only ads. increased nearly six fold between February and March and was actually the third most prevalent category in March and April before declining to last place in June. Similarly. Spam that advertises fraudulent university diplomas. spam categories can vary considerably from month to month as spammers conduct time-based campaigns. and then returned to more typical levels through the end of the year. briefly eclipsed nonpharmaceutical product ads in August. typically a low-volume category. much like legitimate advertisers do. Nonsexual pharmaceutical ads and nonpharmaceutical product ads were the most highly ranked categories by a significant margin throughout most of 2010. which accounted for a small and declining percentage of spam through May.  54 .

To help protect users from malicious webpages.Malicious Websites Attackers often use websites to conduct phishing attacks or distribute malware. Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. (See Phishing and Malware Hosts in the “Reference Guide” section of the Security Intelligence Report website for more information. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature. the Phishing Filter (in Internet Explorer 7).) 55 . including telemetry data produced by the SmartScreen® filter (in Windows® Internet Explorer® 8 and 9). from a database of known active phishing and malware hosting sites reported by users of Internet Explorer and other Microsoft® products and services. The information in this section is compiled from a variety of internal and external sources. and from malware data provided by Microsoft antimalware technologies. even to experienced computer users.

The SmartScreen filter in Internet Explorer 8 and 9 blocks reported phishing and malware distribution sites Phishing Sites Figure 33 compares the volume of active phishing sites in the SmartScreen database each month with the volume of phishing impressions tracked by Internet Explorer. 56 . A phishing impression is a single instance of a user attempting to visit a known phishing site with Internet Explorer and being blocked.Figure 32.

Figure 33. respectively. relative to the monthly average for each  Sudden sharp spikes in impressions like the one shown in June are not unusual. In this case. Phishing impressions and active phishing pages rarely correlate strongly with each other. with no month deviating by more than about 15 percent from the six-month average. Phishers often engage in discrete campaigns that are intended to drive more traffic to each phishing page. The total number of active phishing pages tracked by Microsoft remained very stable from month to month. without necessarily increasing the total number of active phishing pages they are maintaining at the same time. the June increase is not strongly correlated with increases in any particular type of target institution. 57 . Phishing sites and impressions tracked each month in 2010. recorded by Microsoft during each month in 2010 for the most frequently targeted types of institutions.  Target Institutions Figure 34 and Figure 35 show the percentage of phishing impressions and active phishing sites.

but 2010 showed evidence of a shift to social networks. the final four months of the year 58 .3 percent of all impressions in January to a high of 84. Impressions for each type of phishing site each month in 2010 Figure 35. Active phishing sites tracked each month in 2010. Phishing impressions that targeted social networks increased from a low of 8.5 percent of impressions in December. by type of target  Phishers have traditionally targeted financial sites more than other types of sites. In particular.Figure 34.

phishing sites that targeted financial institutions accounted for the majority of active phishing sites. phishers showed signs of targeting online gaming sites with increased frequency. As in previous periods. despite receiving 84.   Global Distribution of Phishing Sites Phishing sites are hosted all over the world on free hosting sites. the potential for direct illicit access to victims’ bank accounts means that financial institutions remain perennially popular phishing targets. and in numerous other contexts. By contrast. Phishing sites that target social networks routinely receive the highest number of impressions per active phishing site. Still. Impressions that targeted gaming sites reached a high of 16. on compromised web servers. the number of active sites targeting gaming sites remained relatively high during the second half of the year.show signs of a strong and sustained phishing campaign or campaigns against social networks. although this push appears to have dwindled as social networks came under increased attack. 59 . so phishers can effectively target many more people per site.7 percent of all impressions in June before dropping to a more typical 2. and customized phishing approaches are required for each one. Performing geographic lookups of IP addresses in the database of reported phishing sites makes it possible to create maps that show the geographic distribution of sites and to analyze patterns. just a handful of popular sites account for the bulk of the social network and online service usage on the Internet.5 percent of impressions that month. and they continue to receive the largest or second-largest number of impressions each month.2 percent of active sites in December. which suggests that more campaigns may be coming.1 percent in December. Financial institutions targeted by phishers can number in the hundreds. Nevertheless.  Early in 2010. ranging from 78 to 91 percent of sites each month. but still only accounted for 4. The percentage of active phishing sites that targeted social networks increased during the final months of the year.

Phishing sites per 1. Phishing sites are concentrated in a few locations but have been detected on every inhabited continent. although in absolute terms most   60 .Figure 36.000 Internet hosts for locations around the world in 1H10 (top) and 2H10 (bottom)  The worldwide distribution of phishing sites remained largely consistent between the first and second halves of the year. Locations with smaller populations and fewer Internet hosts tend to have higher concentrations of phishing pages.

The SmartScreen filter in Internet Explorer 8 (top) and Internet Explorer 9 (bottom) displays a warning when a user attempts to download an unsafe file Figure 38 compares the volume of active malware hosting sites in the SmartScreen database each month with the volume of malware impressions tracked by Internet Explorer. Microsoft keeps track of how many people visit each malware hosting site and uses the information to improve the SmartScreen filter and to better combat malware distribution. The SmartScreen antimalware feature uses URL reputation data and Microsoft antimalware technologies to determine whether those servers distribute unsafe content. (See Malware Hosts in the “Reference Guide” section of the Security Intelligence Report website for more information. 61 . Malware Hosting Sites The SmartScreen filter in Internet Explorer 8 and 9 helps provide protection against sites that are known to host malware.) Figure 37. in addition to phishing sites. As with phishing sites. industrialized countries/regions with large numbers of Internet hosts.phishing pages are located in large.

After a rising trend during the first five months.Figure 38. mostly because of improved detection. Malware hosting sites and impressions tracked each month in 2010.  Malware Categories Figure 39 and Figure 40 show the types of threats hosted at URLs that were blocked by the SmartScreen filter in 2H10. Malware host protection in browsers is a relatively new development compared to phishing protection. relative to the monthly average for each  The number of active malware hosting sites tracked each month increased gradually through the year. 62 . the number of malware hosting impressions decreased each month for the rest of the year. and it is possible that attackers are reacting by moving away from this method of distribution to other techniques.

Figure 39. Threats hosted at URLs blocked by the SmartScreen filter in 2010. by category 63 .

Potentially Unwanted Software Trojan Downloaders & Droppers Password Stealers & Monitoring Tools Miscellaneous Trojans Trojan Downloaders & Droppers Trojan Downloaders & Droppers Percent 47. by percent of all such sites 1H10 Rank 1 2 3 4 5 6 7 8 9 10 Threat Name Win32/MoneyTree Win32/FakeXPA Win32/VBInject Win32/Winwebsec Win32/Obfuscator Win32/Pdfjsc Win32/Small Win32/Bancos Win32/Swif WinNT/Citeary Most Significant Category Misc.1 1.Figure 40.2 3.2 1. Potentially Unwanted Software Percent 61.3 2. Win32/VBInject.1 2H10 Rank 1 2 3 4 5 6 7 8 9 10 Threat Name Win32/MoneyTree Win32/Small Win32/Delf Win32/Startpage Win32/Obfuscator Win32/Banload Win32/Bancos Win32/Agent Win32/Microjoin Win32/Ciucio Most Significant Category Misc. Miscellaneous Potentially Unwanted Software consistently accounts for between two-thirds and three-fourths of all malware impressions in most periods. This decrease correlates with the decline in document exploit detections in favor of Java exploits. The top 10 malware families hosted on sites blocked by the SmartScreen filter in 1H10 and 2H10. sites that hosted the top 10 families constituted 76. Potentially Unwanted Software Miscellaneous Trojans Misc. Potentially Unwanted Software Miscellaneous Trojans Misc.9 percent of the total in 1H10 to 0.0 1. Win32/Obfuscator. as shown in Figure 6 on page 19. Potentially Unwanted Software Trojan Downloaders & Droppers Trojan Downloaders & Droppers Miscellaneous Trojans Misc. primarily because of Win32/MoneyTree.6 percent in the second half.9 1.3 1. and Win32/Swif are all generic detections for    64 .1 4.0  Overall. Potentially Unwanted Software Exploits Trojan Downloaders & Droppers Password Stealers & Monitoring Tools Miscellaneous Trojans Misc. Document exploit downloads blocked by the SmartScreen filter decreased from 1.3 5.3 1.1 1.96 percent in 2H10.8 2.0 1. MoneyTree has been the malware family responsible for the largest number of malware impressions during every six-month period since 1H09. Win32/Startpage.3 2. Win32/Pdfjsc.9 percent of all malware impressions in the first half of the year and 71. Win32/Small.4 1.8 5.2 2.1 3.

Malware distribution sites per 1. Figure 41. Global Distribution of Malware Hosting Sites Figure 41 shows the geographic distribution of malware hosting sites reported to Microsoft in 2010.collections of unrelated threats that share certain identifiable characteristics.000 Internet hosts for locations around the world in 1H10 (top) and 2H10 (bottom) 65 .

66 . (See Drive-By Download Sites in the “Reference Guide” section of the Security Intelligence Report website for more information about how drive-by downloads work and the steps Bing takes to protect users from them. Search engines such as Microsoft Bing™ have taken a number of measures to help protect users from drive-by downloads. Bing analyzes websites for exploits as they are indexed and displays warning messages when listings for drive-by download pages appear in the list of search results. As with phishing sites. Drive-By Download Sites A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. the worldwide distribution of sites that host malware remained largely consistent between periods. even without attempting to download anything.) The information in this section was generated from an analysis of the country code top-level domains (ccTLDs) of the websites in the Bing index that hosted drive-by download pages in 2010. Users with vulnerable computers can be infected with malware simply by visiting such a website.

000 search results pages displayed to users during that time.  67 . Percentage of websites in each country-code top-level domain (ccTLD) that hosted drive-by pages in 2Q10 (top) and 4Q10 (bottom)  In 2H10. Overall. a large percentage of the domains in the associated ccTLD could be affected. if a major ISP in a small country or region were to become compromised by an attacker. For example. drive-by download pages appeared on about 2.4 of every 1. Small TLDs are susceptible to large swings in infection rates because of their size.Figure 42. the most heavily infected ccTLDs were small ones.

 Figure 42 does not reflect the physical locations of hosted sites. so Figure 42 can be considered a reasonable indicator of how users in different parts of the world are more or less at risk of encountering drive-by download pages. not all ccTLD sites are hosted in the locations to which the ccTLDs themselves are assigned. However. 68 . most ccTLD sites are targeted at Internet users in a particular country/region and are typically written in an appropriate language.

which are given unique names to distinguish them from others. originally published in 1991 and revised in 2002.) Platforms can include programming languages and file formats. called Trojan Downloaders & Droppers. in addition to operating systems. For most of the threats described in this report. To simplify the presentation of this information and make it easier to understand. however. regardless of operating system. The MMPC assigns each individual threat to one of a few dozen different types based on a number of factors. the TrojanDownloader and TrojanDropper types are combined into a single category. including how the threat spreads and what it is designed to do. threats in the ASX/Wimad family are designed for programs that parse the Advanced Stream Redirector (ASX) file format.Appendix A: Threat Naming Conventions The MMPC malware naming standard is derived from the Computer Antivirus Research Organization (CARO) Malware Naming Scheme. Figure 43. the Security Intelligence Report groups these types into 10 categories. The Microsoft malware naming convention The type indicates the primary function or intent of the threat. For example. The platform indicates the operating environment in which the threat is designed to run and spread. Most security vendors use naming conventions that are based on the CARO scheme. The family name is usually not 69 . with minor variations. For example. A threat name can contain some or all of the components seen in Figure 43. although family and variant names for the same threat can differ between vendors. (Not all Win32 threats can run on every version of Windows.” for the Win32 API used by 32-bit and 64-bit versions of Windows desktop and server operating systems. the platform is listed as “Win32. Groups of closely related threats are organized into families.

In the Security Intelligence Report.K.C.” 70 . the Win32/Frethog family includes variants designated PWS:Win32/Frethog. Any additional characters that appear after the variant provide comments or additional information. the category listed for a particular family is the one that Microsoft security analysts have determined to be the most significant category for the family (which. a threat name consisting of a platform and family name (for example. Malware creators often release multiple variants for a family. Security vendors usually try to adopt the name used by the first vendor to positively identify a new family. For example.C and TrojanDownloader:Win32/Frethog. which can happen when two or more vendors discover a new family independently. Researchers use a variety of techniques to name new families.related to anything the malware author has chosen to call the threat. Variants are designated by letters. then AA through AZ. although sometimes different vendors use completely different names for the same threat. In the Security Intelligence Report. among others. it is a reference to a more specific signature or to an individual variant. which are assigned in order of discovery—A through Z.com/mmpc) lists the names used by other major security vendors to identify each threat. “Worm:Win32/Taterf. The MMPC Encyclopedia (www. when known. such as excerpting and modifying strings of alphabetic characters found in the malware file. “Win32/Taterf”) is a reference to a family.microsoft. family and variant names have occasionally been abbreviated in contexts where confusion is unlikely. in the case of Frethog.K!dll”). is Password Stealers & Monitoring Tools).K simply as “Taterf. A variant designation of “gen” indicates that the threat was detected by a generic signature for the family rather than as a specific variant. Some malware families include multiple components that perform different tasks and are assigned different types. To make the report easier to read. and Worm:Win32/Taterf. and so on. Thus. When a longer threat name is given (for example. typically in an effort to avoid being detected by security software. Win32/Taterf is referred to simply as “Taterf” on subsequent mention in some places. then BA through BZ.

contains technology that performs billions of webpage scans per year to seek out malicious content.Appendix B: Data Sources Microsoft Products and Services Data included in the Microsoft Security Intelligence Report is gathered from a wide range of Microsoft products and services. and Automatic Updates. and security threats caused by spyware and other potentially unwanted software. The scale and scope of this telemetry allows the Security Intelligence Report to deliver the most comprehensive and detailed perspective on the threat landscape available in the software industry:  Bing. MSRT was downloaded and executed 3. The Malicious Software Removal Tool (MSRT) is a free tool that Microsoft designed to help identify and remove prevalent malware families from customer computers. the search and decision engine from Microsoft. Bing displays warnings to users about the malicious content to help prevent infection. MSRT is primarily released as an important update through Windows Update. A version of the tool is also available from the Microsoft Download Center. Microsoft Update. FOPE scans billions of email messages every year to identify and block spam and malware. Forefront Online Protection for Exchange (FOPE) protects the networks of thousands of enterprise customers worldwide by helping to prevent malware from spreading through email. or nearly 600 million times each month on average. Windows Defender runs on more than 100 million computers worldwide. Windows Live® Hotmail® has hundreds of millions of active email users in more than 30 countries/regions around the world.2 billion times in 1H10. Once detected. slow performance. Windows Defender is a program that is available at no cost to licensed users of Windows that provides real-time protection against pop-ups. MSRT is not a replacement for an up-to-date antivirus solution     71 .

because of its lack of real-time protection and because it uses only the portion of the Microsoft antivirus signature database that enables it to target specifically selected. spyware. The Windows Live OneCare safety scanner (http://safety. scheduled. and other harmful software. which provides real-time protection against viruses. Microsoft maintains a database of phishing and malware sites reported by users of Internet Explorer and other Microsoft products and services. laptops. The Windows Live OneCare safety scanner is not a replacement for an up-to-date antivirus solution. Microsoft Security Essentials is a real-time protection product that combines an antivirus and antispyware scanner with phishing and firewall protection. offered at no charge to licensed users of Windows. it uses the Microsoft Malware Protection Engine and the Microsoft antivirus signature database to provide real-time. consumer-oriented anti-malware product.  Microsoft Forefront Endpoint Protection (formerly Forefront Client Security) is a unified product that provides protection from malware and potentially unwanted software for enterprise desktops. because it does not offer real-time protection and cannot prevent a user’s computer from becoming infected. Internet Explorer displays a warning and blocks navigation to the page. and server operating systems. and on-demand protection.live. The SmartScreen filter in Internet Explorer 8 and 9 offers Internet Explorer users protection against phishing sites and sites that host malware. Like Windows Live OneCare. prevalent malicious software. When a user attempts to visit a site in the database with the filter enabled. Microsoft Security Essentials is a basic.     72 .com) is a free online tool that uses the same definition database as the Microsoft desktop anti-malware products to detect and remove malware and potentially unwanted software.

3 20.1 4.8 7.1 7.5 6.7 8. Figure 44 shows the infection rates in locations with at least 100.2 3. by quarter Country/Region Albania Algeria Angola Argentina Armenia Australia Austria Azerbaijan Bahamas.6 2.4 9.0 7.9 3.9 1. The Bahrain Bangladesh Barbados Belarus Belgium Bolivia Bosnia and Herzegovina Brazil Brunei Bulgaria Cambodia 1Q10 5.8 6.6 26.0 — 3Q10 3.2 2.8 2.5 2.3 8.8 5.” on page 27.5 3.7 3.1 7.0 1.4 9.6 9.5 73 . explains how threat patterns differ significantly in different parts of the world.5 7.) Figure 44.7 25. Infection rates (CCM) for locations around the world in 2010.2 15.6 1.4 5.1 5. See the Security Intelligence Report website for more information about the CCM metric.0 2.000 executions of MSRT.5 1.8 10.7 26.5 1.0 10.1 — 4Q10 2.7 — 5.3 7.6 1.3 2.5 7.7 10.1 10.6 9.2 2.Appendix C: Worldwide Infection Rates “Global Infection Rates. (CCM is the number of computers cleaned for every 1.5 11.2 5.9 13.0 — 2Q10 3.2 1.9 9.000 quarterly MSRT executions in 2010.3 — 7.3 14.2 6.2 3.3 2.6 7.0 9.1 2.3 1.5 4.0 10.4 — 6.6 2.5 2.9 7.4 5.9 1.7 13.6 2.

1 8.6 13.0 6.0 — 2.A.6 1.9 8.4 3.7 5.8 7.2 7.8 7.6 2.2 1.0 74 .9 3.0 2.2 3Q10 3.7 6.2 11.R.9 9.9 8.1 15.4 15.3 13.1 6.8 13.1 14.0 10.6 15.1 5.3 9.3 11.4 12.8 7.3 3.4 14.0 16.2 2Q10 3.1 9.9 20.6 4Q10 2.1 7.9 12.1 16.9 7.9 10.3 15.0 6.6 1.4 19.1 1.9 8.2 5.0 6.Country/Region Cameroon Canada Chile China Colombia Costa Rica Côte d’Ivoire Croatia Cyprus Czech Republic Denmark Dominican Republic Ecuador Egypt El Salvador Estonia Ethiopia Finland France Georgia Germany Ghana Greece Guadeloupe Guatemala Honduras Hong Kong S.9 17.7 3.5 17.3 5.7 20.0 2.7 15.8 9.8 14.9 4.9 2.9 14.2 4.1 10.6 11.2 14.4 9.0 20.8 10.8 4.1 10.3 9.9 8.3 4. Hungary Iceland India Indonesia Iraq Ireland Israel 1Q10 3.5 12.8 9.8 12.0 3.4 7.5 2.9 — 3.0 13.5 2.9 11.9 18.5 7.6 3.5 3.9 5.9 1.0 19.5 4.9 7.3 12.5 16.8 9.9 7.6 15.4 12.7 3.1 4.3 5.7 6.9 5.1 4.5 6.9 5.2 12.2 13.0 13.2 4.6 11.2 7.0 8.4 12.2 7.4 3.2 12.5 4.4 2.6 9.5 12.4 7.9 6.2 7.1 12.5 13.3 1.5 12.2 11.

0 3.7 4.0 4.1 1.1 3Q10 10.7 3.4 2.5 2.7 7.5 3.4 2.2 7.9 1.1 2.9 2.3 3.5 10.0 10.2 9.4 7.2 2.6 10.3 5.4 13.6 6.8 9.2 3.6 13.Y.1 2.7 2.7 11.0 4.4 2Q10 9.O.2 4.8 3.6 1.1 2.0 2.8 3.0 1.9 2.5 3.1 4.3 8.6 6.4 1.4 5.8 5. Malaysia Malta Martinique Mauritius Mexico Moldova Mongolia Montenegro Morocco Mozambique Nepal Netherlands Netherlands Antilles New Zealand Nicaragua Nigeria Norway Oman Pakistan 1Q10 12.6 5.4 10.7 5.7 23.9 17.9 — 2.7 2.1 8.5 40.9 3.4 2.5 4.7 7.8 4.1 10.5 6.6 13.2 12.7 11.R.0 6.7 34.3 3.4 6.0 7.0 5.9 8.6 4.8 2.8 5.6 2.A.3 2.0 6.0 5.7 10.4 11. F.7 4.2 5.4 4.1 2.3 3. Macedonia.1 4Q10 8.6 7.4 13.9 9.Country/Region Italy Jamaica Japan Jordan Kazakhstan Kenya Korea Kuwait Latvia Lebanon Libya Lithuania Luxembourg Macao S.5 6.5 3.7 3.3 2.1 7.9 3.4 34.1 14.8 8.3 1.8 6.5 4.7 6.9 4.7 4.7 1.9 2.8 5.8 75 .0 6.9 13.5 5.8 2.0 1.3 1.4 2.3 12.1 5.R.7 — 2.6 1.6 4.2 2.3 9.0 21.2 4.9 30.6 8.8 5.0 9.8 21.1 6.4 8.

6 2.9 2.2 2.1 4.4 13.0 5.5 8.8 12.9 16.4 4.8 2.3 2.7 11.6 1.8 36.5 9.5 3.9 3Q10 5.8 6.5 2.0 33.6 23.3 8.3 9.0 8.3 4.Country/Region Palestinian Authority Panama Paraguay Peru Philippines Poland Portugal Puerto Rico Qatar Réunion Romania Russia Saudi Arabia Senegal Serbia Singapore Slovakia Slovenia South Africa Spain Sri Lanka Sweden Switzerland Taiwan Tanzania Thailand Trinidad and Tobago Tunisia Turkey Uganda Ukraine United Arab Emirates United Kingdom United States 1Q10 5.1 8.0 7.9 42.3 17.0 9.4 6.9 2.8 33.6 4.6 32.4 10.8 2Q10 4.5 4.9 14.7 12.9 35.6 — 3.0 5.3 14.3 5.3 15.9 16.5 4Q10 4.1 1.8 3.4 17.0 8.6 4.4 3.3 9.6 6.3 21.3 3.8 11.2 8.8 12.8 18.1 14.2 3.4 13.8 36.4 6.4 4.7 11.4 3.1 15.0 13.0 11.6 5.5 22.0 7.8 39.3 4.1 24.4 5.1 1.7 9.0 5.6 76 .3 3.7 31.0 7.5 5.0 23.0 7.8 11.8 2.9 2.1 9.6 11.9 4.1 17.3 8.2 4.9 15.8 1.5 — 4.7 4.8 17.5 7.5 11.1 14.6 5.4 7.5 4.5 35.4 7.5 16.9 4.6 8.7 11.1 19.8 5.0 29.0 11.2 1.1 7.7 4.6 10.6 3.8 14.2 3.7 3.7 1.7 5.7 3.0 5.6 19.

Country/Region Uruguay Venezuela Vietnam Worldwide 1Q10 3.6 3Q10 5.7 9.7 77 .9 4Q10 3.7 1.1 9.5 2.6 8.4 9.9 2.8 2Q10 4.1 9.1 9.8 2.1 9.2 10.

The C&C computer can issue commands directly (often through Internet Relay Chat [IRC]) or by using a decentralized mechanism. such as peer-to-peer (P2P) networking.0 (200 ÷ 50. the CCM for that location in the first quarter of the year is 4.000). See botnet. The number of computers cleaned for every 1.category of backdoor trojans. other adware programs may display advertisements without adequate consent. CCM Short for computers cleaned per mille (thousand). 78 .000 executions of MSRT. botnet A set of computers controlled by a “command-and-control” (C&C) computer to execute commands as directed. command and control See botnet. Also see botnet.000 executions in a particular location in the first quarter of the year and removes infections from 200 computers. if MSRT has 50. clean To remove malware or potentially unwanted software from an infected computer. C&C Short for command and control.000 × 1. Bots are a sub. Computers in a botnet are often called nodes or zombies. Although some adware can be beneficial by subsidizing a program or service.Glossary adware A program that displays advertisements. For example. backdoor trojan A type of trojan that provides attackers with remote access to infected computers. A single cleaning can involve multiple disinfections.

or antivirus databases. Also see password stealer (PWS). firewall A program or device that monitors and regulates traffic between two points. IFrame Short for inline frame. such as a single computer and the network server. such as a script that downloads and installs spyware. generic A type of signature that is capable of detecting a variety of malware samples from a specific family. pattern files. Because the IFrame loads another webpage. or of a specific type. Compare with clean. disinfect To remove a malware or potentially unwanted software component from a computer or to restore functionality to an infected program. 79 . Many botnets use the IRC protocol for C&C. exploit Malicious code that takes advantage of software vulnerabilities to infect a computer or perform other harmful actions. into non-malicious HTML pages that are hosted by trusted websites. disclosure Revelation of the existence of a vulnerability to a third party. downloader/dropper See trojan downloader/dropper. it can be used by criminals to place malicious HTML content. keylogger A program that sends keystrokes or screen shots to an attacker. identity files. An IFrame is an HTML document that is embedded in another HTML document.definition A set of signatures that can be used to identify malware by using antivirus or antispyware products. Internet Relay Chat (IRC) A distributed real-time Internet chat protocol that is designed for group communication. or one server to another. Other vendors may refer to definitions as DAT files.

trojans. Microsoft Update (MU).Malicious Software Removal Tool The Microsoft Windows Malicious Software Removal Tool (MSRT) is designed to help identify and remove specifically targeted. server. passwords. A version of the tool is also available for download from the Microsoft Download Center. More details about MSRT are available at www. worms. Also see monitoring tool. changing system settings.mspx. Also see password stealer (PWS). 80 . but are not limited to. credit card numbers. MSRT includes no real-time protection and cannot be used to prevent malware from initially infecting a computer. because it specifically targets only a small subset of malware families that are determined to be especially prevalent. It may also include network sniffing software. and logging keystrokes. or network. monitoring tool Software that monitors activity. phishing A method of credential theft that tricks Internet users into revealing personal or financial information online. The main release mechanism of MSRT is through Windows Update (WU). displaying messages. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands to steal personally identifiable information (PII). such as user names and passwords. Viruses.microsoft. prevalent malware from customer computers and is available at no charge to licensed Windows users. such as user names. Payloads can include. or Automatic Updates (AU). and identification numbers. and spyware are all types of malware. downloading files. A PWS often works in conjunction with a keylogger.com/security/malwareremove/default. In addition. password stealer (PWS) Malware that is specifically used to transmit personal information. payload The actions conducted by a piece of malware for which it was created. usually by capturing keystrokes or screen images. malware Malware is any software that’s been designed specifically to cause damage to a user’s computer. MSRT is not a replacement for an up-to-date antivirus solution.

This functionality may affect the user’s privacy. such as hiding itself or other malware. and being blocked by the Phishing Filter or SmartScreen filter. potentially unwanted software A program with potentially unwanted functionality that is brought to the user’s attention for review. generates a significant number of erroneous or misleading alerts. Such programs are often installed by the computer owner or administrator and are only a risk if unexpected. Social engineering scams can be both online (such as receiving email messages that ask the recipient to click the attachment. Regardless of the method 81 . social engineering A technique that defeats security precautions by exploiting human vulnerabilities. Also see definition. which is actually malware) and offline (such as receiving a phone call from someone posing as a representative from one’s credit card company). signature A set of characteristics that can identify a malware family or variant. pop-under A webpage that opens in a separate window that appears beneath the active browser window. remote control software A program that provides access to a computer from a remote location. rootkit A program whose main purpose is to perform certain functions that cannot be easily detected or undone by a system administrator. rogue security software Software that appears to be beneficial from a security perspective but that provides limited or no security capabilities. security. or 9. or computing experience. Signatures are used by antivirus and antispyware products to determine whether a file is malicious or not. Also see malware impression. Pop-under windows are commonly used to display advertisements. or attempts to socially engineer the user into participating in a fraudulent transaction.phishing impression A single instance of a user attempting to visit a known phishing page with Internet Explorer 7. 8.

the purpose of a social engineering attack remains the same—to get the targeted user to perform an action of the attacker's choice. tool Software that may have legitimate purposes but may also be used by malware authors or attackers. Installation may be without prominent notice or without the user’s knowledge. trojan A generally self-contained program that does not self-replicate but takes malicious action on the computer. worm Malware that spreads by spontaneously sending copies of itself through email or by using other communication mechanisms. without adequate consent.selected. error. spyware A program that collects information. to allow the execution of the malware code and its propagation when those files are activated. either by attaching the malware to email messages or by sending a message containing a link to the malware. trojan downloader/dropper A form of trojan that installs other malicious files to a computer that it has infected. typically by infecting other files in the computer. Malware authors may use spam to distribute malware. such as the websites a user visits. virus Malware that replicates. vulnerability A weakness. or poor coding technique in a program that may allow an attacker to exploit it for a malicious purpose. Malware may also harvest email addresses for spamming from compromised machines or may use compromised machines to send spam. spam Bulk unsolicited email. 82 . such as instant messaging (IM) or peer-to-peer (P2P) applications. either by downloading them from a remote computer or by obtaining them directly from a copy contained in its own code.

microsoft. See the encyclopedia for more in-depth information and guidance for the families listed here and throughout the report. Most variants target customers of Brazilian banks. Win32/Autorun. blocks certain other advertisements.Threat Families Referenced in This Report The definitions for the threat families referenced in this report are adapted from the Microsoft Malware Protection Center encyclopedia (www. Win32/Alureon. Win32/BaiduSobar. and changes the Internet Explorer search page. Banload usually downloads Win32/Banker. Win32/Bancos. It may also download malicious data and modify DNS settings. A Chinese-language Web browser toolbar that delivers popup and contextual advertisements. which steals banking credentials and other sensitive data and sends it back to a remote attacker. The mapped drives may include network or removable drives. which contains detailed information about a large number of malware and potentially unwanted software families. A family of trojans that download other malware. passwords. The functionality exhibited by this family is highly variable. A data-stealing trojan that captures online banking credentials and relays them to the attacker. Win32/Agent. Win32/Ciucio. Win32/Banload. A family of worms that spreads by copying itself to the mapped drives of an infected computer. 83 .com/security/portal). A data-stealing trojan that gathers confidential information such as user names. A generic detection for a number of trojans that may perform different malicious functions. A family of trojans that connect to certain websites in order to download arbitrary files. and credit card data from incoming and outgoing Internet traffic.

and many others. 84 . The behaviors displayed by this malware family are highly variable. A detection for various threats written in the Delphi programming language. JS/CVE-2010-0806. and many others. A worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. a worm that spreads to all available drives including the local drive. XP Guardian. Win32/Cutwail has also been observed to download the attacker tool Win32/Newacc. Some variants also spread via removable drives and by exploiting weak passwords. A rogue security software family distributed under the names Ultra Antivir 2009. MaCatte. AntiVir2010. and others. and many others. and many others. A rogue security software family distributed under the names Antivirus System PRO. A detection for malicious JavaScript that attempts to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-018. Win32/Delf. Extra Antivirus. Win32/ClickPotato. A program that displays popup and notification-style advertisements based on the user’s browsing habits. A rogue security software family distributed under the names Antivirus 7. It disables several important system services and security products. Personal Security. Win32/FakePAV. including Win 7 Internet Security 2010. usually to send spam. Win32/Cutwail. installs device drivers and attempts to download other malware from a predefined website.WinNT/Citeary. Green AV. Vista Antivirus Pro. A rogue security software family distributed under the names Defense Center. Win32/FakeXPA. Win32/FakeRean. Win32/Conficker. A rogue security software family distributed under a variety of randomly generated names. Win32/FakeCog. A rogue security software family that masquerades as Microsoft Security Essentials. A kernel mode driver installed by Win32/Citeary. Win32/FakeSpypro. Spyware Protect 2009. Virus Melt. Antivirus BEST. and downloads arbitrary files. A trojan that downloads and executes arbitrary files. AntiMalware. Win32/FakeVimes.

A generic detection for programs that have had their purpose disguised to hinder analysis or detection by anti-virus scanners. A generic detection for tools that generate product keys for illegally obtained versions of various software products. A generic detection for tools that bundle malware files with clean files in an effort to deploy malware without being detected by security software. It may also install other potentially unwanted software.scr executable files on the local file system and on writeable network shares. A Korean-language rogue security software family distributed under the names One Scan. Win32/Pdfjsc.Win32/Frethog. such as account information. A family of viruses that infect . A worm that spreads through removable drives. anti-debugging and anti-emulation techniques. 85 . It may contain an IRC-based backdoor that enables the computer to be controlled remotely by an attacker. A generic detection for specially-crafted JavaScript-enabled objects that attempt to display pop-under advertisements. usually with adult content. Win32/MoneyTree. EnPrivacy. such as USB memory sticks. A program that may display advertisements and redirect user searches to a certain website. Such files contain malicious JavaScript that executes when the file is opened. A large family of password-stealing trojans that target confidential data. Win32/Keygen. Win32/Obfuscator. Such programs commonly employ a combination of methods. Win32/Nbar. PC Trouble. Win32/Parite. including encryption. Adware that displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity.exe and . from massively multiplayer online games. and others. Win32/Microjoin. JS/Pornpop. A family of software that provides the ability to search for adult content on local disks. such as programs that display pop-up ads. A family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. compression. Win32/Hotbar. Siren114. My Vaccine. It may also download malicious or unwanted content into the system without user consent. Win32/Hamweq. Win32/Onescan.

A generic detection for maliciously-crafted SWF (Small Web Format) files. which may have virtually any purpose. JS/ShellCode. The loader is written in Microsoft Visual Basic® and the malicious code. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. Win32/Sogou. A management tool that allows a computer to be controlled remotely. A detection for various threats that change the configured start page of the affected user’s web browser. It also contains backdoor functionality that allows unauthorized access to an affected system.exe. Malicious websites and malformed PDF documents may contain JavaScript that attempts to execute code without the affected user's consent. A Chinese-language browser toolbar that may display popup advertisements and may download and install additional components without user consent. A generic detection for obfuscated malware. A family of worms with multiple components that spread via fixed and removable drives and via instant messaging. Win32/Startpage. A multi-component family of rootkit-enabled backdoor trojans that were first developed around 2006 to aid in the distribution of spam email. and may also perform other malicious actions. 86 .scr or . A family of trojan downloaders that install rogue security software. Win32/Renos. A generic detection for JavaScript-enabled objects that contain exploit code and may exhibit suspicious behavior. Win32/Small. A generic detection for a variety of threats. is encrypted. Win32/Taterf.Win32/RealVNC. A family of worms that spread through mapped drives to steal login and account details for popular online games. SWF files are commonly used for graphics and video online and are developed for the Adobe Flash platform. Win32/Rustock. Win32/Sality. Win32/Rimecud. Win32/Swif. A family of polymorphic file infectors that target executable files with the extensions . It can be installed for legitimate purposes but can also be installed from a remote location by an attacker. Win32/VBInject.

A rogue security software family distributed under the names Winweb Security. Win32/Winwebsec. 87 . A family of worms that spreads via network drives and removable drives and download/executes arbitrary files. A program that runs as a service in the background and modifies Web browser settings to visit a particular website.Win32/Vobfus. and others. System Security. Win32/Zwangi. Downloaded files may include additional malware.

One Microsoft Way Redmond. WA 98052-6399 microsoft.com/security 88 .

Sign up to vote on this title
UsefulNot useful