An in-depth perspective on software vulnerabilities and exploits, malware, potentially unwanted software, and malicious websites Microsoft Security Intelligence Report Volume 15 January through June, 2013 Worldwide Threat Assessment Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2013 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. January–June 2013 i Authors Dennis Batchelder Aneesh Kulkarni Anthony Penta Microsoft Malware Protection Windows Services Safety Platform Windows Services Safety Platform Center (MMPC) Marc Lauricella Tim Rains Joe Blackbird Microsoft Trustworthy Computing Microsoft Trustworthy Computing MMPC Russ McRee Vidya Sekhar David Felstead Online Services Security & MMPC Bing Compliance Holly Stewart Paul Henry Chad Mills MMPC Wadeware LLC Windows Services Safety Platform Matt Thomlinson Ben Hope Nam Ng Microsoft Trustworthy Computing MMPC Microsoft Trustworthy Computing Todd Thompson Jeff Jones Daryl Pecelj Microsoft IT Information Security Microsoft Trustworthy Computing Microsoft IT Information Security and Risk Management and Risk Management Terry Zink Microsoft Exchange Online Protection Contributors Danielle Alyias Satomi Hayakawa Bill Pfeifer Microsoft Trustworthy Computing CSS Japan Security Response MMPC Team Joe Faulhaber Cynthia Sandvick MMPC Aaron Hulett Microsoft Trustworthy Computing MMPC Methuselah Cebrian Ferrer Richard Saunders MMPC Jimmy Kuo Microsoft Trustworthy Computing MMPC Peter Ferrie Jasmine Sesso MMPC Hilda Larina Ragragio MMPC MMPC Tanmay Ganacharya Frank Simorjay MMPC Jenn LeMond Microsoft Trustworthy Computing Microsoft IT Information Security Kathryn Gillespie Francis Tan Seng and Risk Management Microsoft IT Information Security MMPC and Risk Management Ken Malcolmson Henk van Roest Microsoft Trustworthy Computing Enrique Gonzalez CSS Security EMEA MMPC Marianne Mallen Steve Wacker MMPC Jonathan Green Wadeware LLC MMPC Scott Molenkamp Shawn Wang MMPC Angela Gunn MMPC Microsoft Trustworthy Computing Daric Morton Bob White Microsoft Services Joe Gura Microsoft IT Information Security Microsoft Trustworthy Computing Yurika Muraki and Risk Management CSS Japan Security Response Chris Hale Iaan Wiltshire Team Microsoft Trustworthy Computing MMPC Takumi Onodera Dan Wolff Microsoft Premier Field MMPC Engineering, Japan ii Microsoft Security Intelligence Report, Volume 15 Table of contents About this report ..................................................................................................................................... v Trustworthy Computing: Security engineering at Microsoft ...................................................... vi Worldwide threat assessment 15 Vulnerabilities ......................................................................................................................................... 17 Industry-wide vulnerability disclosures ...................................................................................... 17 Vulnerability severity ....................................................................................................................... 18 Vulnerability complexity ................................................................................................................ 20 Operating system, browser, and application vulnerabilities ................................................ 21 Microsoft vulnerability disclosures .............................................................................................. 23 Guidance: Developing secure software .................................................................................... 24 Encounter rate: Introducing a new metric for analyzing malware prevalence ................... 25 Understanding infection and encounter rates ........................................................................ 26 Encounter rates around the world.............................................................................................. 28 Exploits .................................................................................................................................................... 33 Exploit families .................................................................................................................................. 35 HTML and JavaScript exploits ...................................................................................................... 36 Java exploits ...................................................................................................................................... 38 Operating system exploits ............................................................................................................ 39 Document exploits .......................................................................................................................... 42 Adobe Flash Player exploits.......................................................................................................... 43 Malware .................................................................................................................................................. 45 Malware prevalence worldwide .................................................................................................. 45 Infection and encounter rates by operating system .............................................................. 57 Threat categories ............................................................................................................................ 60 Threat families .................................................................................................................................. 64 Rogue security software ................................................................................................................ 68 Focus on ransomware ..................................................................................................................... 71 Home and enterprise threats ....................................................................................................... 74 Guidance: Defending against malware ..................................................................................... 78 Potentially unwanted software ......................................................................................................... 79 Email threats .......................................................................................................................................... 83 January–June 2013 iii Spam messages blocked .............................................................................................................. 83 Spam types ....................................................................................................................................... 85 Geographic origins of botnet spam ........................................................................................... 88 Guidance: Defending against threats in email ........................................................................ 88 Malicious websites ............................................................................................................................... 89 Phishing sites .................................................................................................................................... 90 Malware hosting sites ...................................................................................................................100 Drive-by download sites ..............................................................................................................106 Guidance: Protecting users from unsafe websites ................................................................109 iv Microsoft Security Intelligence Report, Volume 15 About this report The Microsoft Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, and malicious and potentially unwanted software. Past reports and related resources are available for download at www.microsoft.com/sir. We hope that readers find the data, insights, and guidance provided in this report useful in helping them protect their organizations, software, and users. Reporting period This volume of the Microsoft Security Intelligence Report focuses on the first and second quarters of 2013, with trend data for the last several quarters presented on a quarterly basis. Because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis. Throughout the report, half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats, in which yy indicates the calendar year and n indicates the half or quarter. For example, 1H13 represents the first half of 2013 (January 1 through June 30), and 4Q12 represents the fourth quarter of 2012 (October 1 through December 31). To avoid confusion, please note the reporting period or periods being referenced when considering the statistics