Security Intelligence Report

MICROSOFT SECURITY INTELLIGENCE REPORT
Volume 9 (January 2010 through June 2010)
www.microsoft.com/sir

About Security Intelligence Report volume 9

Malware Key Findings cover:
– Vulnerability Disclosures
– Usage Trends for Windows Update and Microsoft Update
– Security Breach Trends
– Malware and Potentially Unwanted Software trends
– Email Threats
– Malicious and Compromised Websites
– Phishing Sites and Traffic
– Analysis of Malware Hosts
– Analysis of Drive-By Download Sites
– Automated SQL Injection Attacks

Contains data and intelligence from the past several years, but focuses on the first two quarters of 2010 (1Q10, 2Q10).

Data sources
• Bing: billions of web pages scanned each month
• MSRT has a user base of more than 600 million unique computers worldwide
• Microsoft Forefront Online Security for Exchange scans billions of e-mail messages a year
• Internet Explorer, the world's most popular browser, with SmartScreen, Microsoft Phishing Filter
• Hotmail: more than 280 million active users

[Table: products listed are Windows Malicious Software Removal Tool, Windows Defender, Windows Live OneCare safety scanner, Microsoft Security Essentials, Forefront Online Protection for Exchange, and Forefront Client Security. Columns: Product Name; Main Customer Segment (Consumers, Business); Malicious Software (Scan and Remove, Real-time Protection); Spyware and Potentially Unwanted Software (Scan and Remove, Real-time Protection); Available at No Additional Charge; Main Distribution Methods (WU/AU, Download Center, Cloud, Volume Licensing, Windows Vista/). One Malicious Software cell reads "Prevalent Malware Families".]
About Security Intelligence Report volume 9

Security Intelligence Report Website
– Microsoft Security Intelligence Report website
– Fully referenced and updated
– Brand new format
– Acting on feedback

• Featured Intelligence on botnets
• Malware Key Findings
• Global Threat Assessment
• Risk Management

The Botnet Threat
– How the Waledac was taken down by Microsoft
– Botnet checklist for IT professionals
– How Microsoft IT and Microsoft Support Services deal with botnets
– Botnet intelligence from 15 countries and regions

Centers Supporting TwC Security
Protecting Microsoft customers throughout the entire life cycle (in development, deployment and operations)
• Microsoft Malware Protection Center (MMPC)
• Microsoft Security Response Center (MSRC)
• Microsoft Security Engineering Center (MSEC)

SOFTWARE VULNERABILITY DISCLOSURE TRENDS

Industry Wide Software Vulnerability Disclosures
[Figure: Industry-wide vulnerability disclosures by half-year, 1H06-2H09. One bar per half-year period.]

Software Vulnerability Disclosures
[Figure: stacked bars by half-year. Series: High (7 - 10), Medium (4 - 6.9), Low (0 - 3.9).]
[Figure: pie chart. Medium (4 - 6.9) 48,5%; High (7 - 9.8) 40,6%; High (9.9 +) 5,6%; Low (0 - 3.9) 5,3%.]

Software Vulnerability Disclosures
[Figure: stacked bars by half-year. Series: Low Complexity, Medium Complexity, High Complexity.]

Software Vulnerability Disclosures
Operating system, Browser and Application Disclosures
[Figure: stacked bars by half-year. Series: Operating system vulnerabilities, Browser vulnerabilities, Application vulnerabilities.]

Software Vulnerability Disclosures
Microsoft vulnerability disclosures
Microsoft vulnerability disclosures mirror the industry totals, though on a much smaller scale.
[Figure: stacked bars by half-year. Series: Microsoft, Non-Microsoft.]

Microsoft Vulnerability Exploit Details
[Figure: percentage of disclosures by half-year, 1H06 through 1H10. Series: Full Disclosure, Vulnerability Broker Cases, Other Coordinated Disclosure.]

Microsoft Vulnerability Exploit Details
[Figure: counts by half-year, 1H06 through 1H10. Series: Unique CVEs, Security Bulletins.]

Microsoft Vulnerability Exploit Details
[Figure: one value per half-year, 1H06 through 1H10. Vertical axis from 0,0 to 3,5.]

Update Service Usage Over Time
[Figure: percentage by half-year. Series: Windows Update only, Microsoft Update.]

Update Service Usage Over Time
[Figure: percentage by half-year, vertical axis from 100% to 240%. Series cover the Windows Installed Base, Windows Update, Microsoft Update, and WSUS.]

SECURITY BREACH TRENDS

Security Breach Trends
[Figure: incidents by half-year, 1H08 through 1H10. Series: Attack, Negligence.]

Security Breach Trends
[Figure: incidents by half-year, 1H08 through 1H10. Series: "Hack", Stolen Equipment, Fraud, Disposal, Postal Mail, Lost Equipment, Accidental Web, Email, Malware, Missing.]

MALICIOUS AND POTENTIALLY UNWANTED SOFTWARE

Malicious And Potentially Unwanted Software
The 11 locations with the most computers cleaned by Microsoft desktop anti-malware products in 2Q10

Rank. Country/Region: Computers Cleaned (1Q10); Computers Cleaned (2Q10); Change
1. United States: 11,025,811; 9,609,215; -12.8%
2. Brazil: 2,026,578; 2,354,709; 16.2%
3. China: 2,168,810; 1,943,154; -10.4%
4. France: 1,943,841; 1,510,857; -22.3%
5. Spain: 1,358,584; 1,348,683; -0.7%
6. United Kingdom: 1,490,594; 1,285,570; -13.8%
7. Korea: 962,624; 1,015,173; 5.5%
8. Germany: 949,625; 925,332; -2.6%
9. Italy: 836,593; 794,099; -5.1%
10. Russia: 700,685; 783,210; 11.8%
11. Mexico: 768,646; 764,060; -0.6%

Malicious And Potentially Unwanted Software
Significant differences in threat patterns worldwide
[Figure: percentage by threat category. Categories: Misc. Trojans, Worms, Trojan Downloaders & Droppers, Misc. Potentially Unwanted Software, Adware, Password Stealers & Monitoring Tools, Viruses, Backdoors, Spyware, Exploits.]

Malicious And Potentially Unwanted Software
• Worldwide infection rate average for 2Q10: CCM 9.6

Malicious And Potentially Unwanted Software
Most Improved between 1Q09 and 2Q10 by CCM (100,000 MSRT executions)
[Figure: CCM by quarter, 1Q09 through 2Q10. Series: Jordan, Russia, Guatemala, Saudi Arabia, Brazil, Worldwide.]

Malicious And Potentially Unwanted Software
Highest infection rates 1Q09-2Q10 by CCM (100,000 MSRT executions)
[Figure: CCM by quarter, 1Q09 through 2Q10. Series: Taiwan, Korea, Spain, Turkey, Brazil, Worldwide.]

Malicious And Potentially Unwanted Software
Category trends
[Figure: percentage by quarter, 3Q09 through 2Q10. Circular markers represent malware; square markers represent potentially unwanted software. Series: Misc. Trojans, Worms, Trojan Downloaders & Droppers, Misc. Potentially Unwanted Software, Adware, Password Stealers & Monitoring Tools, Viruses, Backdoors, Exploits, Spyware.]

Top 10 Families worldwide in 2Q10
Data from All Microsoft Security Products
[Table: columns are Family, Most Significant Category, 1Q10, 2Q10, Year Trend. Families in rank order: 1 Win32/Taterf, 2 Win32/Frethog, 3 Win32/Renos, 4 Win32/Rimecud, 5 Win32/Autorun, 6 Win32/Hotbar, 7 Win32/FakeSpypro, 8 Win32/, 9 Win32/, 10 Win32/Zwangi.]

Malicious And Potentially Unwanted Software
Number of computers cleaned for every 1,000 MSRT executions, by operating system, 2Q10
[Figure: bars for 32-bit and 64-bit editions. Client: Windows XP RTM, Windows XP SP1, Windows XP SP2, Windows XP SP3, Windows Vista RTM, Windows Vista SP1, Windows Vista SP2, Windows 7 RTM. Server: Windows Server 2003 SP1, Windows Server 2003 SP2, Windows Server 2008 SP2, Windows Server 2008 R2 RTM.]

Malicious And Potentially Unwanted Software
[Figure: computers cleaned by quarter, 3Q09 through 2Q10. Series: Windows XP RTM, Windows XP SP1, Windows XP SP2, Windows XP SP3, Windows Vista RTM, Windows Vista SP1, Windows Vista SP2, Windows 7 RTM.]

Malicious And Potentially Unwanted Software
Top 10 families detected on domain-joined computers in 2Q10

Rank. Family: Most Significant Category; 1Q10; 2Q10
1. Win32/Conficker: Worms; 21.3%; 22.0%
2. Win32/Rimecud: Worms; 9.0%; 9.8%
3. Win32/Autorun: Worms; 7.3%; 8.3%
4. Win32/Taterf: Worms; 4.1%; 6.9%
5. Win32/Frethog: Password Stealers & Monitoring Tools; 6.5%; 6.0%
6. Win32/RealVNC: Miscellaneous Potentially Unwanted Software; 5.6%; 5.4%
7. Win32/Hamweq: Worms; 7.0%; 5.3%
8. Win32/Renos: Miscellaneous Trojans; 5.2%; 3.4%
9. Win32/FakeSpypro: Miscellaneous Trojans; 2.3%; 3.0%
10. Win32/Bredolab: Trojan Downloaders & Droppers; 2.4%; 2.7%

Malicious And Potentially Unwanted Software
Top 10 families detected on non domain-joined computers in 2Q10

Rank. Family: Most Significant Category; 1Q10; 2Q10
1. Win32/Taterf: Worms; 4.8%; 8.0%
2. Win32/Frethog: Password Stealers & Monitoring Tools; 6.4%; 6.9%
3. Win32/Renos: Miscellaneous Trojans; 8.8%; 6.6%
4. Win32/Rimecud: Worms; 5.6%; 5.7%
5. Win32/Autorun: Worms; 3.8%; 5.4%
6. Win32/Hotbar: Adware; 3.4%; 5.3%
7. Win32/FakeSpypro: Miscellaneous Trojans; 4.1%; 4.9%
8. Win32/Conficker: Worms; 3.8%; 4.7%
9. Win32/Alureon: Miscellaneous Trojans; 4.8%; 3.6%
10. Win32/Zwangi: Miscellaneous Potentially Unwanted Software; 1.8%; 3.1%

Malicious And Potentially Unwanted Software
[Figure: bar chart of the top 10 families on domain-joined computers, 1Q10 and 2Q10, labeled by family and category.]
[Figure: bar chart of the top 10 families on non domain-joined computers, 1Q10 and 2Q10, labeled by family and category.]

E-Mail Threats
[Figure: percentage by month, January through June. Series: Phishing, Pharmacy - Sexual, Dating/Sexually Explicit Material, Financial, 419 Scams, Fraudulent Diplomas, Stock, Image Only, Gambling.]

E-Mail Threats
Inbound messages blocked by FOPE content filters, by category, in 2Q10
[Figure: pie chart. Categories: Pharmacy - Nonsexual, Nonpharmacy Product Ads, Pharmacy - Sexual, Image Only, Fraudulent Diplomas, Financial, Dating/Sexually Explicit Material, Gambling, Phishing, Stock, 419 Scams, Malware, Get Rich Quick, Software.]

E-Mail Threats
[Figure: share of messages by year, 2006 through 2010. Series: Edge Blocked, Content Filtered, Delivered.]

E-Mail Threats
[Figure: percentage by month, January through June. Series: Pharmacy - Non-Sexual, Non-Pharmacy Product Ads.]

Malicious Web Sites
[Figure: percentage by month, January through June. Series: Sites, Average Impressions.]

Malicious Web Sites
[Figure: percentage by month, January through June. Series: Financial Sites, E-Commerce Sites, Gaming Sites, Online Services, Social Networking Sites.]

Malicious Web Sites
[Figure: percentage by month, January through June. Series: Financial Sites, E-Commerce Sites, Gaming Sites, Online Services, Social Networking Sites.]

Malicious Web Sites
Top 10 malware families hosted on sites blocked by the SmartScreen filter in Internet Explorer in 2Q10

Rank. Threat Name: Most Significant Category; Percent of Malware Impressions
1. Win32/MoneyTree: Misc. Potentially Unwanted Software; 61.1
2. Win32/FakeXPA: Miscellaneous Trojans; 3.3
3. Win32/VBInject: Misc. Potentially Unwanted Software; 2.3
4. Win32/Winwebsec: Miscellaneous Trojans; 2.0
5. Win32/Obfuscator: Misc. Potentially Unwanted Software; 1.9
6. Win32/Pdfjsc: Exploits; 1.4
7. Win32/Small: Trojan Downloaders & Droppers; 1.3
8. Win32/Bancos: Password Stealers & Monitoring Tools; 1.3
9. Win32/Swif: Miscellaneous Trojans; 1.2
10. WinNT/Citeary: Misc. Potentially Unwanted Software; 1.1

Malicious Web Sites
[Figure: pie chart by category. Misc. Potentially Unwanted Software 74,7%; Misc. Trojans 18,8%; Password Stealers & Monitoring Tools 1,9%; Exploits 1,8%; All Others 1,7%; Worms 1,1%.]

Drive-By Download Attacks
Parties involved: User; Malicious or Compromised Web Server; Redirector; Exploit Server; Malware Server.
1. User with vulnerable computer visits compromised Web page with invisible IFrame embedded in page.
2. IFrame secretly loads another page.
3. The page redirects to another page containing an exploit.
4. If the exploit succeeds, malware downloads from another server to the victim's computer.

BATTLING BOTNETS FOR CONTROL OF COMPUTERS

Botnet in action
1) "Malware Author" grows BOTNET & makes available to "buyers"
2) Access is purchased via 'MarketPlace'
3) BOTNET use granted
4) BOTNET attacks seen at multiple entry points
5) BOTNET also serves to 'recruit' additional BOTs

C&C mechanisms used by botnet families in 2Q10
[Figure: pie chart. IRC 38,2%; Other 30,5%; HTTP 29,1%; P2P 2,3%.]

[Figure: Win32/FakeSpypro rogue security downloaded by Win32/Waledac.]

The 25 locations with the most bot cleanings in 2Q10
[Table: columns are Country/Region, Computers with Bot Cleanings (1Q10), Computers with Bot Cleanings (2Q10), Bot Cleanings Per 1000 MSRT Executions (Bot CCM). Locations in rank order: 1 United States, 2 Brazil, 3 Spain, 4 Korea, 5 Mexico, 6 France, 7 United Kingdom, 8 China, 9 Russia, 10 Germany, 11 Italy, 12 Turkey, 13 Canada, 14 Netherlands, 15 Colombia, 16 Portugal, 17 Australia, 18 Poland, 19 Taiwan, 20 Japan, 21 Argentina, 22 Saudi Arabia, 23 Belgium, 24 Chile, 25 India.]

Botnet online black markets

Top 25 bot families 1Q10-2Q10
[Table: columns are Family, Primary Control Mechanism (HTTP, IRC, P2P, Other), Computers Cleaned (1Q10), Computers Cleaned (2Q10), Change. Families in rank order: 1 Win32/Rimecud, 2 Win32/Alureon, 3 Win32/Hamweq, 4 Win32/Pushbot, 5 Win32/IRCbot, 6 Win32/, 7 Win32/FlyAgent, 8 Win32/, 9 AutoIt/Renocide, 10 Win32/, 11 Win32/Sdbot, 12 Win32/Nuwar, 13 Win32/Bubnix, 14 Win32/Zbot, 15 Win32/Ursap, 16 Win32/Rbot, 17 Win32/Pasur, 18 Win32/Rustock, 19 Win32/, 20 Win32/, 21 Win32/Tofsee, 22 Win32/Bifrose, 23 Win32/Waledac, 24 Win32/Prorat, 25 Win32/Trenk.]

Top 10 bot families detected 2Q10
[Figure: computers cleaned by quarter, 1Q09 through 2Q10. Series: Win32/Rimecud, Win32/Alureon, Win32/Hamweq, Win32/Pushbot, Win32/IRCbot, Win32/Koobface, Win32/FlyAgent, Win32/Virut, AutoIt/Renocide, Win32/Hupigon.]

[Figure: computers cleaned of bot-related malware, 2Q10. Bars grouped into Client and Server.]

Bot infection rates 2Q10
• Worldwide botnet infection rate average for 2Q10: CCM 3.2

Botnets sending spam
[Figure: two stacked bars, botnet spam messages and botnet IP addresses sending spam. Series: Rustock, Cutwail, Bobax, Lethic, Storm, Grum, All Others.]

[Figure: Active IP addresses in the Win32/Waledac botnet, 2Q10.]

[Figure: Notice posted at www.noticeofpleadings.com.]

Botnet threat in Germany

Malware CCM and Bot CCM trends in Germany, 3Q09-2Q10
[Figure: CCM by quarter, 3Q09 through 2Q10. Series: Malware CCM, Worldwide Malware CCM, Bot CCM, Worldwide Bot CCM.]

Top Botnet Threats in Germany
Disinfected Threats by Category in 2Q10
[Figure: percentage by quarter, 3Q09 through 2Q10. Series: Win32/Alureon, Win32/Pushbot, Win32/Hamweq, Win32/Zbot, Win32/IRCbot.]

Top Threats in Germany in 2Q10 - Prevalent Families - Summary
• The dominant botnet family in Germany in 2Q10 was Win32/Alureon, which declined over the first two quarters of 2010 but accounted for 30 percent of detected botnets. Alureon is quite prevalent in English-speaking locations, but it also appears in locations where English is a significant secondary language, such as Germany. India, Italy, and Norway are other examples.
• Over the past several quarters, most countries and regions have experienced an increase in detections of Rimecud, which rose to 8 percent in Germany. Rimecud, a kit family, is sold via the Internet, which likely contributed to its prevalence.
• Win32/Rimecud, Win32/Hamweq, and Win32/Pushbot are each designed to spread by copying themselves to removable drives, such as USB-connected volumes. Hamweq and Pushbot employ a traditional IRC-based C&C mechanism, and Rimecud uses a custom protocol.
• Win32/Zbot increased in prevalence to 6 percent, partly because of increased targeting of German banks.

Recommended Actions
Protect Your Environment
• Keep all software on your systems updated
– Third-party as well as Microsoft
• Use Microsoft Update, not Windows Update
– Updates all Microsoft software
• Run anti-virus software from a trusted vendor
– Keep it updated
• Download the Microsoft Security Update Guide
– www.microsoft.com/securityupdateguide