An accurate understanding of on-going malware prevalence Jason Garms Architect & Group PM...

Post on 13-Jan-2016



An accurate understanding of on-going malware prevalence

Jason Garms
Architect & Group PM, Anti-Malware Technology Team
Microsoft Corporation
JasonG@Microsoft.Com

AVAR 2005, Tianjin, China

Agenda

Importance of data analysis and malware

Data sources and analysis from Microsoft

Key Observations

Virus “particles” for people (figure): one infected person, millions of infection particles

Virus “particles” for computers (figure): one Rbot-infected computer spreading by email infection, vulnerability exploit, and file sharing

Usefulness of Data

“First Hour”: Predicting how prevalent a piece of malware will be

“Second Month”: Continued prevalence

“Five Year”: Historical

Windows Malicious Software Removal Tool

Ability to detect and remove prevalent malicious software
Updated and released monthly
Low execution impact
Localized into 24 languages
Protect the Internet
Supports Windows XP, Windows 2000, and Windows Server 2003, 32/64 bit

Key Observations

Botnets are a BIG deal

Social engineering worms and mass mailing worms continue to be very effective

Zotob: how bad was it?

Rootkit data prevalence is surprising

Blaster persists

Antinny: Who would have thought?

Botnets are a Big Deal

Gaobot, Rbot, Sdbot

58% of malware removed are bots

Top 3 bot families are 85% of all bots removed

Order of most prevalent: Rbot, Sdbot, Gaobot

10% of Rbot infections are re-infections

3% of Gaobot infections are re-infections

Social Engineering and Mass Mailing Worms

Among families removed by MSRT: Netsky was #4 overall

Bagle is #10 overall

2,000 copies of Netsky will be removed during AVAR

Netsky.P is 1/3 of all Netsky infections

WUKill is #5 for October

Zotob: How bad?

Zotob is #41 overall

It was only #35 for October

Esbot was more prevalent, but received no attention

Esbot was #12 in October

Rootkit Prevalence

Hacker Defender, FURootkit, IsPro

In order of prevalence:
FURootkit: 5th overall, 3rd in October
IsPro: 7th overall, 15th in October
Hacker Defender: 17th overall, 24th in October

Blaster Sure is Persistent!

Blaster is #6 overall, and #16 in October

Almost 1,000 infections will be removed during AVAR

MsBlast.A is most common variant in family

But… Nachi.A is even more common

Antinny: Who would have thought?

Antinny was #2 in October

So far, it’s #4 in November

Other Interesting Facts

Machines running Windows XP SP2 are 13-15 times less likely to be infected with malware from the Wild List

Infected machines average 1.3 infections

Some have 30 or more active infections

Bottom 8 families have less than 100 disinfections each

Top Disinfection Totals by Family

Rank  Since January  October only
1     Rbot           Rbot
2     Sdbot          Antinny
3     Gaobot         FURootkit
4     Netsky         Sdbot
5     FURootkit      Wukill
6     Msblast        Gaobot
7     Ispro          Netsky
8     Korgo          Bagle
9     Berbew         Sientok
10    Bagle          Lovegate
11    Antinny        Mytob
12    Mytob          Esbot

Ranking by Family since January (chart)

1 Rbot, 2 Sdbot, 3 Gaobot, 4 Netsky, 5 FURootkit, 6 Msblast, 7 Ispro, 8 Korgo, 9 Berbew, 10 Bagle, 11 Antinny, 12 Mytob

Disinfections by Type (chart)

August Disinfection Breakdown: January Families (chart)

August Disinfection Breakdown: February Families (chart)

Highest Re-infection, Since January (chart)

Links

Anti-Malware Engineering Team blog: http://blogs.msdn.com/antimalware

Windows Malicious Software Removal Tool: http://www.microsoft.com/cleaner

Windows Live Safety Center: http://safety.live.com

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.