DOCSLIB.ORG

Microsoft Security Intelligence Report 2010

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Microsoft Security Intelligence Report 2010 Microsoft Security Intelligence Report Volume 10 An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software in 2010. With new data covering July through December Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Copyright © 2011 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 1 Authors Doug Cavit Michelle Meyer Javier Salido Jossie Tirado Arroyo Microsoft Trustworthy Microsoft Trustworthy Microsoft Trustworthy Microsoft IT Information Computing Computing Computing Security and Risk Management Joe Faulhaber Daryl Pecelj Christian Seifert Microsoft Malware Protection Microsoft IT Information Bing Scott Wu Center Security and Risk Microsoft Malware Protection Management Frank Simorjay Center Vinny Gullotto Microsoft Trustworthy Microsoft Malware Protection Anthony Penta Computing Jeff Williams Center Microsoft Windows Safety Microsoft Malware Protection Platform Holly Stewart Center Jeff Jones Microsoft Malware Protection Microsoft Trustworthy Tim Rains Center Terry Zink Computing Microsoft Trustworthy Microsoft Forefront Online Computing Matt Thomlinson Protection for Exchange Jimmy Kuo Microsoft Security Response Microsoft Malware Protection Center Center Contributors Lawren Ahuna Yuhui Huang Don Nguyen Marc Seinfeld Microsoft IT Information Microsoft Malware Protection Microsoft IT Information Microsoft Malware Protection Security and Risk Center Security and Risk Center Management Management CSS Japan Security Jasmine Sesso Eva Chow Response Team Price Oden Microsoft Malware Protection Microsoft IT Information Microsoft Japan Microsoft IT Information Center Security and Risk Security and Risk Management John Lambert Management Norie Tamura (GOMI) Microsoft Security CSS Japan Security Response Enrique Gonzalez Engineering Center Kathy Phillips Team Microsoft Malware Protection Microsoft Legal and Center Eric Leonard Corporate Affairs Gilou Tenebro Microsoft IT Information Microsoft Malware Protection Cristin Goodwin Security and Risk Hilda Larina Ragragio Center Microsoft Legal and Management Microsoft Malware Protection Corporate Affairs Center Laura Lemire Satomi Hayakawa Microsoft Legal and Tareq Saade CSS Japan Security Response Corporate Affairs Microsoft Malware Protection Team Center Ken Malcolmson Microsoft Trustworthy Richard Saunders Computing Microsoft Trustworthy Computing Charles McColgan Microsoft ISD 2 Table of Contents About This Report .............................................................................................. 5 Scope ............................................................................................................. 5 Reporting Period ............................................................................................ 5 Conventions ................................................................................................... 5 Key Findings Summary ...................................................................................... 6 Vulnerability Disclosures ................................................................................ 6 Exploits .......................................................................................................... 6 Malware and Potentially Unwanted Software .................................................. 7 Operating System Infection Rates .................................................................... 7 Threat Families ............................................................................................... 7 Home and Enterprise Threats ......................................................................... 8 Email Threats ................................................................................................. 8 Spam Types .................................................................................................... 9 Malicious Websites ......................................................................................... 9 Trustworthy Computing: Security Engineering at Microsoft .............................. 11 Vulnerabilities .................................................................................................. 12 Vulnerability Severity ................................................................................... 12 Vulnerability Complexity .............................................................................. 14 Operating System, Browser, and Application Vulnerabilities ......................... 15 Vulnerability Disclosures .............................................................................. 16 Exploits ............................................................................................................ 18 HTML and JScript/JavaScript Exploits ........................................................... 20 Document Exploits ....................................................................................... 21 Operating System Exploits ............................................................................ 22 3 Security Breach Trends ................................................................................. 24 Malware and Potentially Unwanted Software .................................................... 27 Global Infection Rates ................................................................................... 27 Operating System Infection Rates .................................................................. 33 Threat Categories .......................................................................................... 36 Threat Categories by Location ................................................................... 37 Threat Families ............................................................................................. 39 Rogue Security Software ............................................................................... 41 Home and Enterprise Threats ....................................................................... 45 Email Threats ................................................................................................... 49 Spam Messages Blocked ................................................................................ 49 Spam Types .................................................................................................. 52 Malicious Websites ........................................................................................... 55 Phishing Sites ............................................................................................... 56 Target Institutions..................................................................................... 57 Global Distribution of Phishing Sites ......................................................... 59 Malware Hosting Sites .................................................................................. 61 Malware Categories ................................................................................... 62 Global Distribution of Malware Hosting Sites ............................................ 65 Drive-By Download Sites .............................................................................. 66 Appendix A: Threat Naming Conventions ........................................................ 69 Appendix B: Data Sources ................................................................................ 71 Microsoft Products and Services ................................................................ 71 Appendix C: Worldwide Infection Rates ........................................................... 73 Glossary ........................................................................................................... 78 Threat Families Referenced in This Report ........................................................ 83 4 About This Report Scope The Microsoft® Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, malicious and potentially unwanted software, and security breaches. Past reports and related resources are available for download at www.microsoft.com/sir. We hope that readers find the data, insights, and guidance provided in this report useful in helping them protect their organizations, software, and users. Reporting Period In this volume of the Microsoft Security Intelligence Report, statistics about malware families and infections are reported on a quarterly basis and other statistics continue to be reported on a half-yearly basis, with a focus on 2010. Throughout the report, half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats, respectively, where yy indicates the calendar year and n indicates the half or quarter. For example, 1H10 represents the first half of 2010 (January 1 through June 30), and 2Q10 represents the second quarter of 2010 (April 1 through June 30). To avoid confusion, please pay attention to the reporting period or periods being referenced when considering the statistics in this report. Conventions This report uses the Microsoft Malware Protection Center (MMPC) naming standard for families and variants of malware
Load more

Recommended publications
  • Unified, Easy-To-Manage Endpoint Security
    Unified, Easy-to-Manage Endpoint Security Microsoft® Forefront™ Protect Business Continuity with Improved Management Client Security protects of Endpoint Security laptops, desktops, and file The release of the next generation of on Windows firewall activities. The agent servers with integrated Forefront client security protects business incorporates proven technologies already protection against laptops, desktops, and file servers against in use on millions of computers worldwide malware. It simplifies viruses, spyware, rootkits, and other and is backed by efficient and effective control of endpoint malware. The solution includes: threat response from the Microsoft security and provides n A single agent that provides antivirus Malware Protection Center. better visibility into the and antispyware protection, vulnerability Forefront Client Security is designed to overall protection of the assessment and remediation, and host simplify administration and save valuable environment. Defenses firewall management. time through its single management are easily managed from n A central management server that console and policy configuration, the Microsoft Forefront enables administrators to configure, central update infrastructure, and Management Console update, and report on agent activity automated endpoint discovery. It also code-named “Stirling.” across the enterprise. integrates with existing investments in Microsoft technologies. The two components work together to www.microsoft.com/ provide unmatched visibility and control To reduce risk,
    [Show full text]
  • Microsoft Security Intelligence Report
    Microsoft Security Intelligence Report Volume 12 July through December, 2011 www.microsoft.com/sir Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Copyright © 2012 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. JULY–DECEMBER 2011 i Authors Dennis Batchelder David Felstead Ken Malcolmson Tim Rains Microsoft Protection Bing Microsoft Trustworthy Microsoft Trustworthy Technologies Computing Computing Paul Henry Shah Bawany Wadeware LLC Nam Ng Frank Simorjay Microsoft Windows Safety Microsoft Trustworthy Microsoft Trustworthy Platform Nitin Kumar Goel Computing Computing Microsoft Security Joe Blackbird Response Center Mark Oram Holly Stewart Microsoft Malware Microsoft Trustworthy Microsoft Malware Protection Center Jeff Jones Computing Protection Center Microsoft Trustworthy Eve Blakemore Computing Daryl Pecelj Matt Thomlinson Microsoft Trustworthy Microsoft IT Information Microsoft Trustworthy Computing Jimmy Kuo Security and Risk Computing Microsoft Malware Management Joe Faulhaber Protection Center Scott Wu Microsoft Malware Dave Probert Microsoft Malware Protection Center Marc Lauricella Microsoft
    [Show full text]
  • Hypervisor-Based Active Data Protection for Integrity And
    The 13th Annual ADFSL Conference on Digital Forensics, Security and Law, 2018 HYPERVISOR-BASED ACTIVE DATA PROTECTION FOR INTEGRITY AND CONFIDENTIALITY OF DYNAMICALLY ALLOCATED MEMORY IN WINDOWS KERNEL Igor Korkin, PhD Security Researcher Moscow, Russia [email protected] ABSTRACT One of the main issues in the OS security is providing trusted code execution in an untrusted environment. During executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users’ private information, and sensitive data of third-party drivers. All this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not just hiding a malware driver, process privilege escalation, and stealing private data but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide the integrity and confidentiality of the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts for newly allocated memory in real time, and protects the driver without its source code. AllMemPro works well on newest Windows 10 1709 x64. Keywords: hypervisor-based protection, Windows kernel, Intel, CNC security, rootkits, dynamic data protection. 1. INTRODUCTION The vulnerable VirtualBox driver (VBoxDrv.sys) Currently, protection of data in computer memory has been exploited by Turla rootkit and allows to is becoming essential. Growing integration of write arbitrary values to any kernel memory (Singh, ubiquitous Windows-based computers into 2015; Kirda, 2015). industrial automation makes this security issue critically important.
    [Show full text]
  • Kernel Integrity Analysis
    Project CS2 AAVR Kernel Integrity Analysis Major Qualifying Project Submitted to the Faculty of Worcester Polytechnic Institute in partial fulfillment of the requirements for the Degree in Bachelor of Science in Computer Science By Caleb Stepanian [email protected] Submitted On: October 27, 2015 Project Advisor: Professor Craig Shue [email protected] This report represents work of WPI undergraduate students submitted to the faculty as evidence of a degree requirement. WPI routinely publishes these reports on its web site without editorial or peer review. For more information about the projects program at WPI, see http: // www. wpi. edu/ Academics/ Projects . Abstract Rootkits are dangerous and hard to detect. A rootkit is malware specifically de- signed to be stealthy and maintain control of a computer without alerting users or administrators. Existing detection mechanisms are insufficient to reliably detect rootkits, due to fundamental problems with the way they do detection. To gain control of an operating system kernel, a rootkit edits certain parts of the kernel data structures to route execution to its code or to hide files that it has placed on the file system. Each of the existing detector tools only monitors a subset of those data structures. This MQP has two major contributions. The first contribution is a Red Team analysis of WinKIM, a rootkit detection tool. The analysis shows my attempts to find flaws in WinKIM's ability to detect rootkits. WinKIM monitors a particular set of Windows data structures; I attempt to show that this set is insufficient to detect all possible rootkits. The second is the enumeration of data structures in the Windows kernel which can possibly be targeted by a rootkit.
    [Show full text]
  • Microsoft Forefront Client Security FAQ
    Microsoft Forefront Client Security FAQ Q. What is Microsoft Forefront? A. The Microsoft Forefront comprehensive family of business security products provides greater protection and control over the security of your network infrastructure. Microsoft Forefront security products easily integrate with each other and with your organization’s IT infrastructure; they can be supplemented through interoperable third-party solutions, enabling end-to-end, defense-in-depth security solutions. Microsoft Forefront includes: Microsoft Internet Security and Acceleration Server (ISA) 2006. Intelligent Application Gateway (IAG). Forefront Security for Exchange Server. Forefront Security for SharePoint. Forefront Security for Office Communications Server. Forefront Client Security. Simplified management, analysis, and deployment enable you to efficiently protect your organization’s information resources, and help secure access to applications and servers. With highly responsive protection supported by Microsoft technical guidance, Microsoft Forefront helps you confidently meet ever-changing threats and increased business demands. For more information, please visit the Microsoft Forefront Web site. Q. What is Microsoft Forefront Client Security? A. Microsoft Forefront Client Security provides unified malware protection for business desktops, laptops, and server operating systems that is easier to manage and control. Built on the same highly successful Microsoft protection technology already used by millions of people worldwide, Forefront Client Security helps guard against emerging threats, such as spyware and rootkits, as well as traditional threats, such as viruses, worms, and Trojan horses. Forefront Client Security integrates with your existing infrastructure software, such as Active Directory, and complements other Microsoft security technologies for enhanced protection and greater control. Q. What value does Microsoft Forefront Client Security deliver to customers? A.
    [Show full text]
  • Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms
    Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling Laboratory for Dependable Distributed Systems University of Mannheim, Germany [email protected], fholz,[email protected] Abstract In recent years, several mechanism to protect the in- tegrity of the kernel were introduced [6, 9, 15, 19, 22], Protecting the kernel of an operating system against at- as we now explain. The main idea behind all of these tacks, especially injection of malicious code, is an impor- approaches is that the memory of the kernel should be tant factor for implementing secure operating systems. protected against unauthorized injection of code, such as Several kernel integrity protection mechanism were pro- rootkits. Note that we focus in this work on kernel in- posed recently that all have a particular shortcoming: tegrity protection mechanisms and not on control-flow They cannot protect against attacks in which the attacker integrity [1, 7, 14, 18] or data-flow integrity [5] mech- re-uses existing code within the kernel to perform mali- anisms, which are orthogonal to the techniques we de- cious computations. In this paper, we present the design scribe in the following. and implementation of a system that fully automates the process of constructing instruction sequences that can be 1.1 Kernel Integrity Protection Mecha- used by an attacker for malicious computations. We eval- uate the system on different commodity operating sys- nisms tems and show the portability and universality of our Kernel Module Signing. Kernel module signing is a approach. Finally, we describe the implementation of a simple approach to achieve kernel code integrity.
    [Show full text]
  • Progress Made, Trends Observed a White Paper from the Microsoft Antimalware Team Msrwindows Malicious Software Removalt Tool
    Progress Made, Trends Observed A White Paper from the Microsoft Antimalware Team MSRWindows Malicious Software RemovalT Tool Matthew Braverman Program Manager Microsoft Antimalware Team Acknowledgements I would like to thank the following individuals for their contribution to this paper: Mike Chan, Brendan Foley, Jason Garms, Robert Hensing, Ziv Mador, Mady Marinescu, Michael Mitchell, Adam Overton, Matt Thomlinson, and Jeff Williams The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photo- copying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Copyright © 2006 Microsoft Corporation. All rights reserved.
    [Show full text]
  • Integrity Checking of Function Pointers in Kernel Pools Via Virtual Machine Introspection
    Integrity Checking of Function Pointers in Kernel Pools via Virtual Machine Introspection Irfan Ahmed, Golden G. Richard III, Aleksandar Zoranic, Vassil Roussev Department of Computer Science, University of New Orleans Lakefront Campus, New Orleans, LA 70148, United States [email protected], [email protected], [email protected], [email protected] Abstract. With the introduction of kernel integrity checking mecha- nisms in modern operating systems, such as PatchGuard on Windows OS, malware developers can no longer easily install stealthy hooks in kernel code and well-known data structures. Instead, they must target other areas of the kernel, such as the heap, which stores a large number of function pointers that are potentially prone to malicious exploits. These areas of kernel memory are currently not monitored by kernel integrity checkers. We present a novel approach to monitoring the integrity of Windows ker- nel pools, based entirely on virtual machine introspection, called Hook- Locator. Unlike prior efforts to maintain kernel integrity, our implemen- tation runs entirely outside the monitored system, which makes it inher- ently more difficult to detect and subvert. Our system also scales easily to protect multiple virtualized targets. Unlike other kernel integrity check- ing mechanisms, HookLocator does not require the source code of the operating system, complex reverse engineering efforts, or the debugging map files. Our empirical analysis of kernel heap behavior shows that in- tegrity monitoring needs to focus only on a small fraction of it to be effective; this allows our prototype to provide effective real-time moni- toring of the protected system. Keywords: virtual machine introspection; malware; operating systems.
    [Show full text]
  • Microsoft Security Intelligence Report
    Microsoft Security Intelligence Report Volume 11 An in-depth perspective on software vulnerabilities and exploits, malicious code threats, and potentially unwanted software in the first half of 2011 Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2011 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. ii Authors Joe Faulhaber John Lambert Dave Probert Hemanth Srinivasan Microsoft Malware Protection Microsoft Security Microsoft Security Microsoft Malware Protection Center Engineering Center Engineering Center Center David Felstead Marc Lauricella Tim Rains Holly Stewart Bing Microsoft Trustworthy Microsoft Trustworthy Microsoft Malware Protection Computing Computing Center Paul Henry Wadeware LLC Aaron Margosis Mark E. Russinovich Matt Thomlinson Microsoft Public Sector Microsoft Technical Fellow Microsoft Security Response Jeff Jones Services Center Microsoft Trustworthy Weijuan Shi Computing Michelle Meyer Windows Business Group Jeff Williams Microsoft Trustworthy Microsoft Malware Protection Ellen Cram Kowalczyk Computing Adam Shostack Center Microsoft Trustworthy Microsoft Trustworthy
    [Show full text]
  • Microsoft Windows Common Criteria Evaluation Security Target
    Microsoft Common Criteria Security Target Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 (Creators Update) Security Target Document Information Version Number 0.06 Updated On June 14, 2018 Microsoft © 2017 Page 1 of 102 Microsoft Common Criteria Security Target This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. This work is licensed under the Creative Commons Attribution-NoDerivs- NonCommercial License (which allows redistribution of the work). To view a copy of this license, visit http://creativecommons.org/licenses/by-nd-nc/1.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious.
    [Show full text]
  • POSTER: Hooklocator: Function Pointer Integrity Check- Ing in Kernel Pools Via Virtual Machine Introspection
    POSTER: HookLocator: Function Pointer Integrity Check- ing in Kernel Pools via Virtual Machine Introspection Irfan Ahmed, Aleksandar Zoranic Computer Science Department University of New Orleans, LA USA iahmed, [email protected] ABSTRACT simply modifying function pointers corresponding to a keyboard With the introduction of kernel integrity checking mechanisms in driver in a kernel pool. Moreover, there are thousands of func- modern operating systems, such as PatchGuard on Windows tion pointers in the Windows kernel pools, which provides an OS, malware developers can no longer easily install stealthy attractive opportunity for an attacker to install stealthy hooks hooks in kernel code and well-known data structures. Instead, [2]. they must target other areas of the kernel, such as the heap, Current solutions such as SBCFI [3], Gibraltar [4], SFPD [5], which stores a large number of function pointers that are poten- and HookSafe [6] check the integrity of function pointers by tially prone to malicious exploits. These areas of kernel memory generating hook detection policy and extracting information are currently not monitored by kernel integrity checkers. about function pointers by performing static analysis of the ker- nel source code. Unfortunately, these solutions are dependent on Our novel approach to monitoring the integrity of Windows the availability of kernel source code and thus not appropriate kernel pools called HookLocator is based entirely on virtual for closed source OS’s such as MS Windows. machine introspection and is the only system of its kind to allow both 32 and 64-bit versions of the Windows kernel to be moni- More recently, Yin et al.
    [Show full text]
  • Windows SMEP Bypass U=S
    Windows SMEP Bypass U=S Nicolas A. Economou Enrique E. Nissim PAGE Schedule - Reviewing Modern Kernel Protections - Introducing SMEP - Windows SMEP bypass techniques – Part 1 - Windows Paging Mechanism - Windows SMEP bypass techniques – Part 2 - DEMO - Conclusions PAGE 2 Reviewing Modern Protections - DEP/NX: is a security feature included in modern operating systems. It marks areas of memory as either "executable" or "nonexecutable". - NonPagedPoolNX: new type of pool introduced in Windows 8 - KASLR: Address-space layout randomization (ASLR) is a well- known technique to make exploits harder by placing various objects at random, rather than fixed, memory addresses. - NULL Dereference Protection: cannot alloc the null page. PAGE 3 Reviewing Modern Protections - Integrity Levels: call restrictions for applications running in low integrity level – since Windows 8.1. - KMCS: Kernel-mode software must be digitally signed to be loaded on x64-based versions of Windows Vista and later versions of the Windows family of operating systems. - KPP: Kernel Patch Protection (informally known as PatchGuard): is a feature of x64 editions of Windows that prevents patching common structures of the kernel.(Hooking IDT, SSDT, GDT, LDT is out of the table). PAGE 4 Reviewing Modern Protections - SMAP: allows pages to be protected from supervisor-mode data accesses. If SMAP = 1, software operating in supervisor mode cannot access data at linear addresses that are accessible in user mode. - SMEP: Supervisor Mode Execution Prevention allows pages to be protected
    [Show full text]