
Microsoft Security Intelligence Report v14–South Africa’s Perspective

Microsoft is again providing comprehensive global threat intelligence and guidance to help enterprises manage risk and address security challenges. This morning, we released Volume 14 of the Microsoft Security Intelligence Report (SIRv14). This new report studies our findings on trends in the threat landscape based on data from more than 1 billion systems worldwide, focusing on data collected in the second half of 2012. The infection trend in South Africa continues to go down (download the report here: South Africa SIRv14), while worms stubbornly remain just above 40% of the computers reporting detections. Worms, Miscellaneous Potentially Unwanted Software and Miscellaneous Trojans detected in the fourth quarter of 2012 (4Q12) have all increased in percentage compared to 3Q12. South Africans have increasingly downloaded tools that generate product keys for various software products, eventually infecting their computers with Win32/Keygen. Detections of Win32/Keygen, the most common detection overall in 2H12, increased each quarter, from 4.8 million computers in 2Q12 to 6.8 million in 4Q12 worldwide.

Running unprotected: Measuring the benefits of real-time security software

Practicing safe browsing habits, such as using a web browser with built-in safety features and paying attention to alerts and warnings encountered while browsing, is one of the most important steps Internet users can take to protect themselves from malicious software (malware). Nevertheless, it can sometimes be difficult for even experienced Internet users to avoid coming into contact with malware. The cybercriminals who publish and distribute malware devote significant effort to convincing or tricking Internet users into clicking links that lead to malware, or that download malicious attachments or applications. Even familiar and trusted websites can sometimes be exploited by attackers to distribute malware using tactics such as drive-by downloads.

[Figure: infection rates of computers with and without real-time antimalware protection, 2H12]

An antivirus or antimalware product that offers real-time protection is one of the most crucial defenses a computer user has against these and other malware distribution tactics. Unfortunately, many computers are not protected by real-time antimalware software, either because no such software has been installed, because it has expired, or because it has been disabled intentionally by the user or secretly by malware. New data analysed by Microsoft (see the figure above) reveals the magnitude of the additional risk that such computers and their users face: in the second half of 2012 (2H12), computers that did not have real-time antimalware protection were more than 5 times as likely to be infected with malware and potentially unwanted software as computers that did have protection.

To find out whether they are running valid and up-to-date antivirus software, Microsoft recommends that people check their computer’s security settings in the system control panel. If no antivirus software is installed, they can download one from a trusted vendor. Windows 8 users already have Microsoft’s antivirus built into the system.

South Africa’s Threat Intelligence

Except where specified, this information was compiled from telemetry data that was generated from more than 600 million computers worldwide and some of the busiest online services on the Internet. Infection rates are given in computers cleaned per mille (CCM), or thousand, and represent the number of reported computers cleaned in a quarter for every 1,000 executions of the Windows® Malicious Software Removal Tool, which is available through Microsoft Update and the Microsoft Safety & Security Center website.

Metric                                                           1Q12   2Q12   3Q12   4Q12
Computers cleaned per 1,000 executions (CCM) for South Africa     7.9    6.9    6.4    6.5
Worldwide average CCM                                             6.6    7.0    5.3    6.0

The table above shows the infection trends in South Africa. We detected malware on 6.5 of every 1,000 computers scanned in South Africa in 4Q12. The figure below shows the infection rate (CCM) by operating system and service pack in 4Q12. This data is normalized; that is, the infection rate for each version of Windows is calculated by comparing an equal number of computers per version (for example, 1,000 Windows XP SP3 computers to 1,000 Windows 8 RTM computers).

[Figure: infection rate (CCM) by operating system and service pack, 4Q12]

The figure below shows the computers cleaned per mille (CCM) trend for malicious and potentially unwanted software in South Africa over the last six quarters, compared to the world as a whole. While the graph shows a promising decrease in infections both locally and worldwide, our infection rate is consistently above the worldwide average.

[Figure: CCM trend for South Africa compared with the worldwide average, last six quarters]

Threat categories

[Figure: threat categories in South Africa, 4Q12]

The figure above shows the threat categories in SA in 4Q12. Worms are still the most common category in South Africa, affecting 41.2% of all computers with detections, up from 39.9% in 3Q12. The second most common category was Miscellaneous Potentially Unwanted Software, which affected 36.1% of all computers with detections, up from 32.9% in 3Q12. The third most common category was Miscellaneous Trojans, which affected 26.8% of all computers with detections, up from 26.0% in 3Q12.

Threat families

Rank  Family           Most Significant Category              % of Computers With Detections
1     INF/Autorun      Misc. Potentially Unwanted Software    18.0%
2     Win32/Vobfus     Worms                                  12.9%
3     Win32/Keygen     Misc. Potentially Unwanted Software    12.4%
4     Win32/Rimecud    Misc. Trojans                           6.7%
5     Win32/Dorkbot    Worms                                   5.6%
6     Win32/Nuqel      Worms                                   5.5%
7     Win32/Virut      Viruses                                 5.2%
8     JS/IframeRef     Misc. Trojans                           5.2%
9     Win32/Folstart   Worms                                   4.7%
10    Win32/Sality     Viruses                                 4.7%

The table above shows the top 10 malware and potentially unwanted software families in South Africa in 4Q12. The most common threat family in SA in 4Q12 was INF/Autorun, which affected 18% of computers with detections. INF/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in SA in 4Q12 was still Win32/Vobfus, which affected 12.9% of computers with detections. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in SA in 4Q12 was still Win32/Keygen, which affected 12.4% of computers, a notable increase compared to 9.2% in 2Q12. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in SA in 4Q12 was still Win32/Rimecud, which affected 6.7% of computers with detections, a notable decrease compared to 8.5% in 2Q12. Win32/Rimecud is a family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.

Malicious Websites

[Figure: phishing sites per 1,000 Internet hosts by location, 4Q12]

The figure above shows phishing sites per 1,000 Internet hosts for locations around the world in 4Q12. Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks. Detections of the generic family JS/IframeRef increased fivefold in 4Q12 after falling off significantly between 2Q12 and 3Q12 worldwide. IframeRef is a generic detection for specially formed HTML inline frame (IFrame) tags that redirect to remote websites that contain malicious content. The increased IframeRef detections in 2Q12 and 4Q12 resulted from the discovery of a pair of widely used new variants in April and November 2012. (In January 2013, these variants were reclassified as Trojan:JS/Seedabutor.A and Trojan:JS/Seedabutor.B, respectively.)
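The IframeRef pattern described above, an inline frame that visitors cannot see pulling content from another host, is something a site owner can audit for on their own pages. The following Python check is an added example, not code from the report or Microsoft's detection logic: it parses an HTML document with the standard library and flags any iframe that is both hidden (0/1-pixel size, hidden CSS or off-canvas position) and sourced from outside the site; the sample page, hostnames and heuristics are constructed for illustration.

```python
"""Audit a web page for the kind of injected inline frame the text describes
for JS/IframeRef: an <iframe> the visitor cannot see that pulls content from
a third-party host.  Constructed example for a site owner checking their own
pages; the heuristics are illustrative, not Microsoft's detection logic.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Size attributes such as width="0" or height="1px": a 0x0 or 1x1 frame is
# invisible to the visitor but still loads and runs whatever it points at.
_TINY = re.compile(r"^\s*(\d+)\s*(px)?\s*$")
# Inline CSS that hides the frame: display:none, visibility:hidden, a 0/1px
# box, or an absolute position far off the visible canvas.
_HIDDEN_CSS = re.compile(
    r"display:none|visibility:hidden|(width|height):0*1?(px)?(;|$)"
    r"|(left|top):-\d{3,}px"
)


def _is_tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    m = _TINY.match(value or "")
    return m is not None and int(m.group(1)) <= 1


def _hidden_by_style(style):
    """True when an inline style hides or collapses the element."""
    return _HIDDEN_CSS.search((style or "").lower().replace(" ", "")) is not None


def _off_site(src, site_domain):
    """True when src resolves to a host outside the site's own domain.
    A relative src (or about:blank) has no host and counts as same-site."""
    host = (urlparse(src or "").hostname or site_domain).lower()
    return not (host == site_domain or host.endswith("." + site_domain))


class IframeAuditor(HTMLParser):
    """Collects (line, src, reasons) for every iframe that is hidden AND off-site."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("0/1-pixel size attribute")
        if _hidden_by_style(a.get("style")):
            reasons.append("hidden by inline CSS")
        # A visible embed from another host (video, map) is normal, and a
        # hidden same-site frame is usually a template quirk; the combination
        # of hidden *and* off-site is what merits a look.
        if reasons and _off_site(a.get("src"), self.site_domain):
            line, _ = self.getpos()  # line on which the <iframe> tag starts
            self.findings.append((line, a.get("src", ""), reasons))


def audit_html(html, site_domain):
    """Return the list of suspicious iframes found in an HTML document."""
    parser = IframeAuditor(site_domain)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page for example.com: one legitimate visible embed,
# one hidden same-site frame, and one injected hidden third-party frame.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/42" width="560" height="315"></iframe>
<iframe src="/tracker.html" width="0" height="0"></iframe>
<p>Latest news</p>
<iframe src="//cdn.example.org/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in audit_html(SAMPLE_PAGE, "example.com"):
        print("line %d: %s (%s)" % (line, src, ", ".join(reasons)))
```

Run it against a saved copy of each page; a hit is a starting point for review, since template code or third-party tag managers can legitimately use small frames.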

Metric                                   3Q12           4Q12
Phishing sites per 1,000 hosts           8.26 (5.41)    8.98 (5.10)
Malware hosting sites per 1,000 hosts    12.18 (9.46)   13.68 (10.85)
Drive-by download sites per 1,000 URLs   0.50 (0.56)    0.36 (0.33)
Worldwide figures are shown in parentheses.

Note: To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.

Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing. The figure below shows malware distribution sites per 1,000 Internet hosts for locations around the world in 4Q12. SmartScreen Filter detected 10.8 malware hosting sites per 1,000 Internet hosts worldwide in 4Q12.

[Figure: malware distribution sites per 1,000 Internet hosts by location, 4Q12]

Protecting the Enterprise

Effective Mitigations

The good news is that enterprises can protect themselves using a number of mitigations, including:

  1. Keep all software up-to-date: attackers are trying to use vulnerabilities in all sorts of software from different vendors, so organizations need to keep all of the software in their environment up to date, and run the latest versions of software whenever possible. This will make it harder for the types of threats we now see in the enterprise to be successful.
  2. Demand software that was developed with a security development lifecycle: until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities. A very effective way for software vendors to help you do this is by using security mitigations built into the platform, such as ASLR, DEP, SEHOP and others. These mitigations can make it much harder for attackers to successfully exploit vulnerabilities. Demand software from your vendors that uses these mitigations. You can check whether the software in your environment has these mitigations turned on using tools such as BinScope or EMET. Where software deployed in your environment does not use these mitigations, EMET might in some cases be able to turn them on for you. These mitigations can help you manage risk by giving you more time to test and deploy security updates or new versions of software.
  3. Restrict websites: limiting the websites that enterprise information workers can browse to will reduce the chances of being exposed to the types of attacks we now see in the enterprise. This likely won’t be popular in the office, but given that 70% of the top threats found in the enterprise are delivered via malicious websites, you might have the data you need to make the business case. Restricting web access from servers has been a best practice for a long time.
  4. Manage security of your websites: many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks. Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  5. Leverage network security technologies: technologies like Network Access Protection (NAP), IPS, and content filtering can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing their level of network access.


Response Process

It is important that organizations also take the time to assess their response processes to help ensure they are prepared should their systems become compromised or attacked. To assist organizations with this evaluation, Microsoft just released a free Security Response Readiness Assessment. This resource also helps identify next steps that can be taken to improve security response processes and help to identify, monitor, respond to, and resolve security incidents and vulnerabilities in the IT environment. You should also have a look at Microsoft’s Free Security Tools – the Microsoft Assessment and Planning (MAP) Toolkit – to facilitate platform migration.

It is Microsoft’s hope that this report serves as a helpful resource for IT professionals when working to better the security efforts of their company, government departments and organizations.

Microsoft Security Intelligence Report v13–South Africa’s Perspective

Adrienne Hall, general manager, Trustworthy Computing (TwC), announced the release of our bi-annual Security Intelligence Report (SIRv13) and a new free Cloud Security Readiness Tool at RSA Europe in London on the 9th of October 2012. The global threat landscape is evolving. Malware and potentially unwanted software have become more regional, and different locations around the world exhibit different threat patterns. The Security Intelligence Report website at www.microsoft.com/sir has more information about threats in South Africa and around the world, and explains the methods and terms used. Tim Rains, Director, Trustworthy Computing, Microsoft Corporation, provides a summary of the SIR v13 findings below.


Worldwide trends

    Cybercriminals are gravitating towards Software Activation Key Generators as a way to trick users into installing malware. This emerging social engineering tactic was the number one threat facing consumers worldwide during the 1st half of 2012. Application vulnerabilities accounted for 71.6% of all disclosures in 1H12. An alarming trend we observed was the increasing rate at which attackers are using software activation key generators to distribute their evil wares to the unsuspecting. Detection of malware connected to key generators was seen over five million times in the first six months of this year.

    Blacole was the most commonly detected exploit family in 1H12 with almost 6 million detections. Blacole, a family of exploits, is commonly referred to as the “Blackhole” exploit kit that is used to deliver malicious software through infected webpages. Windows 7 users were 20% more likely than Windows XP users to have Windows updates installed, 40% more likely to have Microsoft Word security updates installed, 37% more likely to have Adobe Reader updates installed, and 60% more likely to have Oracle Java updates installed. This may be one reason why the number of computers cleaned per thousand (CCM) is lower in Windows 7 when compared to previous versions of Windows.

    The number of threats detected/blocked in the US spiked over 32% from Q1 to Q2 2012. This was primarily driven by rogue security software called Win32/FakePAV. Detections of Win32/FakePAV increased by 30% between 1Q12 and 2Q12, making it the most commonly detected rogue security software family overall during the first half of the year.

    Korea’s CCM increase from 27.5 in 1Q12 to 70.4 in 2Q12 is one of the largest quarter-to-quarter increases ever reported for a large country or region in the Microsoft Security Intelligence Report. The change was primarily caused by increased detection of the trojan downloader family Win32/Pluzoks. Conficker was the number one threat facing enterprises/businesses for the past few years. It has since moved to the number two threat facing enterprises/businesses and the threat JS/IframeRef has moved to the number one spot.

    Since 2008, worldwide usage of Windows Update and Microsoft Update has increased by 60%.

This report is accompanied by the latest MSRC Progress Report, “Building a Safer, More Trusted Internet Through Information Sharing”, released in late July at Black Hat USA 2012, which includes:

  • Updated Microsoft Security Bulletin statistics covering the past year
  • A behind-the-scenes look at what goes into an out-of-band security bulletin
  • Year over year progress within the Microsoft Active Protections Program, Microsoft Exploitability Index, and Microsoft Vulnerability Research initiatives
  • An update on the Microsoft BlueHat Prize Contest announced last year
  • Results of a study on the efficacy of the Enhanced Mitigation Experience Toolkit (EMET)

Introduction to Designing Reliable Cloud Services

In mid-September, Microsoft released An introduction to designing reliable cloud services, a new white paper outlining a process to help organizations create, deploy and/or consume cloud services. This paper aims to be a catalyst for further discussions among services teams, organizations, and the industry itself. The Cloud Security Readiness Tool helps companies start a conversation about effective cloud services with a very small time investment to get results. The Cloud Security Readiness Tool moves the conversation from feature comparison to critical base issues that must be addressed for success. The tool takes a process frequently performed as a pre-consulting effort, which can take anywhere from several days to weeks, and converts it into a short 15-minute effort. The results can help ensure that customers have the information they need to be able to conduct intelligent, well-formed discussions from day one.

South Africa’s Threat Intelligence



Metric                                                           3Q11   4Q11   1Q12   2Q12
Computers cleaned per 1,000 executions (CCM) for South Africa     9.4    8.1    7.9    6.9
Worldwide average CCM                                             7.7    7.1    6.6    7.0

The Microsoft Malicious Software Removal Tool (MSRT) detected malware on 6.9 of every 1,000 computers scanned in South Africa in 2Q12. The figure below shows the computers cleaned per mille (CCM) trend for South Africa over the last four quarters, compared to the world as a whole. The MSRT detected malware with a CCM score of 6.9, compared to the 2Q12 worldwide average CCM of 7.0.

[Figure: CCM trend for South Africa compared with the worldwide average, last four quarters]

Threat categories

[Figure: malware and potentially unwanted software categories in South Africa, 2Q12]

The figure above shows the malware and potentially unwanted software categories in SA in the second quarter of 2012 (2Q12). Worms are still the most common category in SA in 2Q12. It affected 42.5% of all computers with detections, down from 43.1% in 1Q12. The second most common category was Miscellaneous Potentially Unwanted Software. It affected 31.3% of all computers with detections, up from 30.2% in 1Q12. The third most common category was Miscellaneous Trojans, which affected 28.1% of all computers with detections, up from 24.9% in 1Q12. Totals exceed 100 percent because some computers are affected by more than one kind of threat.

Threat families

Rank  Family           Most Significant Category              % of Computers With Detections
1     Win32/Autorun    Worms                                  17.9%
2     Win32/Vobfus     Worms                                  12.8%
3     Win32/Keygen     Misc. Potentially Unwanted Software     9.2%
4     Win32/Rimecud    Worms                                   8.5%
5     Win32/Virut      Viruses                                 5.7%
6     Win32/Nuqel      Worms                                   5.5%
7     JS/Pornpop       Adware                                  5.3%
8     Win32/Sality     Viruses                                 5.2%
9     Win32/Dorkbot    Worms                                   4.7%
10    Win32/Mabezat    Viruses                                 4.1%

The table above shows the top 10 malware and potentially unwanted software families in South Africa in 2Q12. The most common threat family in SA in 2Q12 was Win32/Autorun, which affected 17.9% of computers with detections here. Win32/Autorun is a family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. The second most common threat family in SA in 2Q12 was Win32/Vobfus, which affected 12.8% of computers with detections in SA. Win32/Vobfus is a family of worms that spreads via network drives and removable drives and downloads and executes arbitrary files. Downloaded files may include additional malware. The third most common threat family in SA in 2Q12 was Win32/Keygen, which affected 9.2% of computers here. Win32/Keygen is a generic detection for tools that generate product keys for various software products. The fourth most common threat family in SA in 2Q12 was Win32/Rimecud, which affected 8.5% of computers with detections in South Africa. Win32/Rimecud is a family of worms with multiple components that spread via fixed and removable drives and via instant messaging. It also contains backdoor functionality that allows unauthorized access to an affected system.

Malicious Websites

Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear completely legitimate and often provide no outward indicators of their malicious nature, even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques, in an effort by attackers to take advantage of the trust users have invested in them. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks.



Metric                                   1Q12          2Q12
Phishing sites per 1,000 hosts           1.95 (1.6)    2.48 (1.8)
Malware hosting sites per 1,000 hosts    3.38 (3.9)    3.67 (4.4)
Drive-by download sites per 1,000 URLs   0.17 (0.7)    0.55 (0.9)
Worldwide figures are shown in parentheses.

Note: To provide a more accurate perspective on the phishing and malware landscape, the methodology used to calculate the number of Internet hosts in each country or region has been revised. For this reason, the statistics presented here should not be directly compared to findings in previous volumes.

Web browsers such as Windows Internet Explorer and search engines such as Bing use lists of known phishing and malware hosting websites to warn users about malicious websites before they can do any harm. The information presented in this section has been generated from telemetry data produced by Internet Explorer and Bing.

Update Service Usage

Microsoft provides several tools and services that enable users to download and install updates directly from Microsoft or from update servers designated by their system administrators. The update client software (called Automatic Updates in Windows XP and Windows Server 2003, and simply Windows Update in other currently supported versions of Windows) connects to an update service for the list of available updates. After the update client determines which updates are applicable to the user’s computer, it installs the updates or notifies the user that they are available, depending on the way the client is configured and the nature of each update.

For end users, Microsoft provides two update services that the update clients can use:

  • Windows Update provides updates for Windows components and for device drivers provided by Microsoft and other hardware vendors. Windows Update also distributes signature updates for Microsoft antimalware products and the monthly release of the MSRT. By default, when a user enables automatic updating, the update client connects to the Windows Update service for updates.
  • Microsoft Update provides all of the updates offered through Windows Update and provides updates for other Microsoft software, such as the Microsoft Office system, Microsoft SQL Server, and Microsoft Exchange Server. Users can opt in to the service when installing software that is serviced through Microsoft Update or at the Microsoft Update Web site (update.microsoft.com/microsoftupdate). Microsoft recommends configuring computers to use Microsoft Update instead of Windows Update to help ensure they receive timely security updates for Microsoft products.

Enterprise customers can also use Windows Server Update Services (WSUS) or the Microsoft System Center family of management products to provide update services for their managed computers.

[Figure: computers connecting to Windows Update and Microsoft Update in South Africa, 2008 to 2012, indexed to 2008 usage]

The chart above shows the growth in the number of computers connecting to Windows Update and Microsoft Update in South Africa over the last four years, indexed to the total usage for both services in SA in 2008. In 2012, the number of computers connecting to Windows Update and Microsoft Update in SA was up 7.0% from 2011, and up 56.5% from 2008. By comparison, worldwide use of the two services increased 18.3% between 2011 and 2012, and 59.7% from 2008 to 2012. Of the computers using the two update services in SA in 2012, 61.1% were configured to use Microsoft Update, compared to 58.5% worldwide.

In Conclusion

  • Avoid downloading Pirated Software
  • When browsing for software, audio or video files, do so from a trusted source. In particular, make sure to download any free software only from the original vendor. When getting software updates, get them from a trusted source. If a trusted vendor offers automatic updating, take advantage of the service. For Microsoft products, turn on Microsoft Update. Using Internet Explorer with SmartScreen enabled can protect you from malicious downloads. You can save yourself, your coworkers, and your family and friends a lot of hassle and money by procuring software from the original manufacturer.
  • Use Microsoft Update, not Windows Update
  • Implement Secure Development Practices
  • Educate Yourself & Your Customers; Keep Your Systems Up to Date
  • Consider the Cloud
  • Establish National and Cluster CSIRTs

In addition to above practices, we also recommend:

Prevention

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Use a trusted supply chain to obtain your software, music or videos.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

Recovery

To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:

If you suspect a site may contain pirated software, report the site to the manufacturer for investigation.

Malware Trends in South Africa – MS SIRv11

On the 11th October 2011, volume 11 of the Microsoft Security Intelligence Report (SIRv11) was released, covering the period January to June 2011. With detailed analysis of 105 countries, it is the largest and most in-depth report on cyber-threats ever developed thus far. One of the SIRv11 key findings: less than 1% of all vulnerability attacks were against zero-day vulnerabilities; 99% of attempted attacks impacted vulnerabilities for which an update was available.

Customers had a good sense of what zero-days are (situations where an exploit is released before the vendor has issued a security update), but don’t always know how to prioritize them. Zero-days are real, and we don’t want to diminish the risk they represent. But this data suggests that IT professionals can prioritize their security work on the more prevalent threats that they already know how to defend.

Malware detection

Looking at malware detection regionally or per country, and zooming in specifically on South Africa, whose report can be found here, consider the heat map below:

[Figure: heat map of malware detection by country]

Second Quarter of 2011 (2Q2011) – April, May, June 2011

As noted in Tim Rains’ blog “The Threat Landscape in Africa & the Internet Governance Forum”, Africa is one area where it has been difficult to obtain reliable, long-term trend data on the threat landscape for specific locations. The heat map above shows that insufficient data exists for many regions in Africa. The Microsoft Windows Malicious Software Removal Tool (MSRT) was downloaded and executed over 4.7 billion times in the first half of 2011 (1H11) alone. The number of systems that run this tool changes from month to month, although there has been some consistency in some countries on the African continent, such as South Africa, Egypt and Kenya.

The most common category in South Africa in 2Q11 was Worms, which affected 45.4% of all infected computers, down from 46.3% in 1Q11. The second most common category in South Africa in 2Q11 was Miscellaneous Potentially Unwanted Software, which affected 28.3% of all infected computers, up from 27.0% in 1Q11. The third most common category in South Africa in 2Q11 was Adware, which affected 23.1% of all infected computers, down from 26.5% in 1Q11.


South Africa generally performed below the worldwide average, with the exception of exploits, adware and spyware. The top two identified malware families driving worms were Win32/Autorun (20.3% of detected computers) and Win32/Rimecud (a.k.a. the Mariposa botnet – 15.5%). Both of these threats spread using multiple techniques and have been observed spreading via mapped drives, removable media like USB drives, instant messaging and by abusing the Autorun feature in Windows.


Worldwide, cybercriminals abuse Autorun to install malicious and potentially unwanted software. Autorun was the 2nd most common malware propagation method cybercriminals were using to swindle money from their victims. Some of the most prevalent malware threats over the past couple of years have misused a feature in Windows commonly called Autorun to execute code and attack systems.

  • To protect users, AutoRun is more locked down now by default in Windows 7.
  • For users of Windows XP and Windows Vista we released updates in February to make the AutoRun feature more locked-down from being enabled automatically for most media.
  • By May, the number of infections related to the most prolific Autorun-abusing families found by the MSRT per scanned computer was reduced by almost 60% on XP and by 74% on Vista in comparison to the 2010 infection rates.

But it is still a problem that persists for those who have not turned off the feature or who click unknown things on their USB drives. Threats that abuse the Autorun feature, like Win32/Autorun and Win32/Rimecud, have been addressed in this blog post: Defending Against Autorun Attacks.

Cybercriminals are also trying to do business in South Africa using the following:

  • Phishing sites (per 1,000 hosts) increased from 0.06 in 1Q11 to 0.07 in 2Q11 – worldwide 0.38
  • Malware hosting sites (per 1,000 hosts) increased from 0.04 in 1Q11 to 0.06 in 2Q11 – worldwide 2.02
  • The percentage of sites hosting drive-by downloads increased from 0.056% in 3Q10 to 0.726% in the second quarter of 2011 (2Q11), well above the worldwide rate of 0.273%.
  • In 2Q11, Forefront Online Protection for Exchange (FOPE) determined that 0.519% of all spambot IP addresses were located in South Africa; this figure is down from 0.554% in 1Q11.

Protect Your Environment

Challenges and constraints

So the obvious question is: if the majority of threats can be mitigated, why do they still exist? The reality is that although the sophistication of cybercriminals continues to be a challenge, old techniques of infecting users continue to succeed. For consumers and corporations alike, creating and maintaining a fully threat-proof system is not easy.

Consumers – For the vast majority of people, the scope of the security problem far exceeds their will and ability to keep up with it. People want to spend their time and money on using the technology for enjoyment and to help them be productive. Generally, they want to spend minimal time and money keeping pace with the latest security threats.

Businesses – On the other hand, for the vast majority of businesses, the scope of the problem has become exceedingly complex. Businesses have many competing security challenges: regulatory compliance, application testing and compatibility, incident response and expectations around the everyday threat-du-jour. There may also be competing demands for resources, budget or skills, and that can be a hard call for many companies to make.

Despite these challenges and constraints, this data shows us that, in most cases, with a “back to basics” kind of approach customers can be more secure.

So, what can we do?

Build products and services with security in mind – from the ground up

  • Microsoft has to work harder to continue to make our products and services more secure – our unique responsibility in that regard is never far from our minds. But so too has the broader industry. And there is progress.
  • SIRv11 shows the number of vulnerabilities tracked by CVE declined ~24% when comparing the past 12 months to the year prior – a trend that has been declining since we started tracking it in 2006. Progress, but more work to be done.
  • See the following blog – “Science inside the SDL” – Microsoft SDL Progress Report (2004 – 2010).

Education and Best Practices

  • IT PROFESSIONALS – Companies need to look at educating their employees on their responsibility to security and back that up by developing and enforcing strong security policies around things like passwords.
  • CONSUMERS – Leverage best practices to protect your PC:
      – Install updates regularly (February 2011 – updates released for XP and Vista to make the Autorun feature more locked-down, as it is by default in Windows 7.)
      – Use strong passwords for security
      – Install and enable anti-malware software
      – Click links only after verifying the source
      – Avoid downloading pirated software
      – Use caution with attachments and file transfers
      – Protect yourself from social engineering attacks

Improving Security. Newer Products, Better Protections

In the video below Tim Rains, Frank Simorjay and Vinny Gullotto discuss how newer products and services offer better protection.

Newer Software is Better Protection

You can better protect yourself from malicious attacks by upgrading to the latest software version available irrespective of the vendor.

[Chart: Infection rate (CCM) by operating system and service pack in 2Q11]

SIRv11 shows that people who use Windows 7 and IE9 are significantly less likely to be the victim of an attack. It’s a simple matter of innovation. Years ago banks put big padlocks on their safes. As robbers became more advanced so too did the locks and security measures used by banks. When it comes to keeping your data safe from cyber criminals, don’t put your faith in old technology.

For example, Windows 7 and Windows Server 2008 R2, the most recently released Windows client and server versions respectively, have lower infection rates than any prior operating system. Additionally, Office 2010 proved to be the most effective at blocking exploits when compared to all prior versions.

Security and Privacy Technologies     | Internet Explorer 7 | Internet Explorer 8 | Internet Explorer 9
--------------------------------------|---------------------|---------------------|--------------------
Security by default                   | X                   | X                   | X
SmartScreen – Phishing Filter         | X                   | X                   | X
SmartScreen – Antimalware protection  |                     | X                   | X
InPrivate Browsing                    |                     | X                   | X
Cross-site scripting filter           |                     | X                   | X
SmartScreen – Application Reputation  |                     |                     | X
Tracking Protection                   |                     |                     | X
ActiveX Filtering                     |                     |                     | X

Newer products have fewer computers cleaned per thousand. In fact, the latest version of 32-bit Windows 7 is three times less likely to get infected than Vista and six times less likely than XP. As the table above shows, IE incorporates the latest security and privacy technologies. According to NSS Labs, IE9 blocked 96% of socially engineered malware worldwide, more than seven times the rate of any other browser measured. I blogged about this earlier here – Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats.

It is important to migrate to the latest products and services to keep protected from the changing threat landscape. Download the Windows 7 Security Deep Dive Report here:  Windows 7 Security Deep Dive

In conclusion, South Africa might need to look into the lessons learned from some of the least malware-infected countries in the world; this information was blogged here. Implementation of a national CSIRT, one of the recommendations of South Africa’s Cybersecurity Policy, will bring a lot of improvement in how we respond to these threats. While zero-days do pose a serious risk, organizations should know that the vast majority of attacks can be mitigated by following security best practices.

Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats.

NSS Labs is an independent security research and testing organization that publishes respected reports on a range of security-related topics and is well known for its previous browser security reports. Most recently, it released a report specific to the EU in July that demonstrated that IE8 and IE9 offered industry-leading protection against socially engineered malware.

The new reports (one focused on data from across the globe, the other specific to Asia Pacific) show that SmartScreen continues to offer industry-leading protection against socially engineered malware. According to the global NSS report, “IE9 caught an exceptional 96% of the live threats with SmartScreen URL reputation, and an additional 3.2% with Application Reputation.” The graph below compares the test results from various browsers and shows that Internet Explorer blocks 5X more malware than competitive browsers.



[Chart: NSS: Mean Block Rate for Socially Engineered Malware – Worldwide Data]

Source: NSS Labs, August 2010 – Global Socially Engineered Malware Protection

The other reports looked at socially engineered malware targeted towards people living in the Asia Pacific region and in Europe. As you can see below, in each region the results remained consistent – Internet Explorer 9 maintains a lead in protecting users from live threats.



[Chart: NSS: Mean Block Rate for Socially Engineered Malware – By Region]

Source: NSS Labs, Asia, Global, Europe

We continue to improve the quality and protection that SmartScreen technology offers; this is evident in how much faster SmartScreen now blocks malware. Since the October 2010 NSS report, the average time the SmartScreen filter takes to block a threat has improved by 28%; if Application Reputation is considered, the average time has improved by 85%.

Not only has the effectiveness of the technology improved, but so has the speed at which it is able to identify socially engineered malware. For our customers this translates into fewer infections and headaches.

Internet Explorer is designed with your security and privacy in mind. Innovative features such as SmartScreen and Application Reputation are examples of technologies that help protect you as you browse from an increasingly prevalent threat – socially engineered malware. According to Bruce Hughes from AVG Technologies, “Users are 4 times more likely to come into contact with social engineering tactics as opposed to a site serving an exploit.” As this threat becomes more common consumers need better protection and the SmartScreen filter in Internet Explorer is designed to directly address this threat.

When it comes to browsing the web safely, your browser choice matters. If you haven’t already done so, download Internet Explorer 9 and enjoy a safer browsing experience.

Microsoft Security Intelligence Report V10

This morning at 9:00 am South African time, the 10th volume of the Microsoft Security Intelligence Report (SIR) was released. It is an investigation of the 2010 threat landscape, analysing exploits, vulnerabilities and malware based on data from over 600 million systems worldwide, as well as internet services and three Microsoft Security Centers.

The results of the earlier reports were cited, discussed and analysed by various speakers, including Wolfgang Kandek (Vulnerabilities and malware – The sorry state of malware identification) and Rik Ferguson, yesterday at the ITWeb Security Summit 2011. I zoomed into the South African threat landscape during my presentation, and the conversation, when one looks into the opportunities brought by the increase in bandwidth (undersea cables amongst others), is quite awakening.

Volume 10 (SIR v10) is the most current edition, covering 2010, and contains five sections:

  1. Key Findings provides data and analysis produced by Microsoft security teams.
  2. Reference Guide gives additional information for topics covered in the Key Findings.
  3. Featured Intelligence spotlights the latest threat topic.
  4. Global Threat Assessment provides deep dive telemetry by specific country or region.
  5. Managing Risk offers methods for protecting your organization, software, and people.

This version is 25 times larger than SIRv1 and 60% larger than SIRv8, with nearly 60% more regional data. The Key Findings on malware cover:

  • Vulnerability Disclosures
  • Security Breach Trends
  • Email Threats
  • Malicious and Compromised Websites
  • Phishing Sites and Traffic
  • Analysis of Malware Hosts
  • Analysis of Drive-By Downloads Sites

It contains data and intelligence from the past several years, but focuses on the last two quarters of 2010.

Windows Phone 7 developed with security in mind.

As a follow-up to The Times article Be smart with that phone and the Canalys report Canalys reports that 86% of SMBs surveyed in the United States are not investing in mobile phone security, I thought I should zoom in on the Windows Phone 7 security features.

Windows Phone 7 has been developed from the ground up with security in mind. Security has been considered holistically and is addressed in Windows Phone 7 in the following areas:

  1. Operating System
  2. Access to the Device
  3. File System and Apps
  4. Data transmission
  5. Malware threat

Windows Phone 7 addresses the top needs of IT departments by providing an Exchange ActiveSync (EAS) compliant phone, delivering an exceptional email and collaboration experience and features to apply corporate management and security policies:

  • Helps protect corporate information by securing the device with PINs and passwords, and limits unwanted transfer of data by not allowing access to data via PC tethering and by not supporting removable SD cards. In addition, Windows Phone 7 supports IT-managed EAS policies such as Require Password, Password Policies, Remote Wipe and Reset to Factory Settings after multiple failed unlock attempts.

Further, in looking at the whole picture, the platform is designed to:

  • Help ensure data reliability and integrity through application sandboxing and managed code. Windows Phone 7 ensures communications channels between applications cannot be opened and critical system resources cannot be accessed. To protect against malware threats that are introduced through the browser, IE Mobile ensures that malicious code cannot be launched from web sites, thus reducing this threat.
  • Enable secure data transmission through SSL Encryption 128/256 Bit.
  • Support secure access to on-premise applications using Forefront Universal Access Gateway (UAG).
  • Most importantly, applications are signed through the Zune Marketplace. This limits the ability of a worm to propagate by directly installing executable code on a mobile device, and it adds a layer of review that software is subject to before it can be deployed on a device.
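The EAS controls named above (Require Password, Password Policies, Remote Wipe, Reset to Factory Settings after failed unlocks) are set on the Exchange side, not on the phone. As an added example that is not code from the original post or from Microsoft, here is how an administrator would express them as an Exchange 2010 ActiveSync mailbox policy, assign it to a mailbox and, if a phone is lost, queue a remote wipe. It assumes the Exchange Management Shell on Exchange 2010 SP1; the policy name, mailbox, notification address and the 'WP' DeviceType string used to pick out the Windows Phone are placeholders or assumptions of this example.

```powershell
# Added example, not code from the original post or from Microsoft: express the EAS controls
# listed in the post as an Exchange 2010 ActiveSync mailbox policy, assign it, and show the
# remote-wipe path. Assumes the Exchange Management Shell on Exchange 2010 SP1; policy,
# mailbox and address names are placeholders.

# Splatting keeps each setting next to the control in the post that it implements.
$policy = @{
    Name                               = 'WP7-Baseline'   # placeholder policy name
    DevicePasswordEnabled              = $true            # "Require Password"
    AlphanumericDevicePasswordRequired = $false           # a numeric PIN satisfies the policy
    AllowSimpleDevicePassword          = $false           # reject trivial PINs such as 1111 or 1234
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = '00:05:00'       # lock the screen after 5 idle minutes
    DevicePasswordExpiration           = '90.00:00:00'    # force a new PIN every 90 days
    DevicePasswordHistory              = 5                # no reuse of the last 5 PINs
    MaxDevicePasswordFailedAttempts    = 8                # "Reset to Factory Settings" after 8 bad PINs
    AllowNonProvisionableDevices       = $false           # phones that cannot enforce every setting are refused
}
New-ActiveSyncMailboxPolicy @policy

# Assign the policy to a user's mailbox; the phone receives it on its next sync.
$mailbox = 'jane.doe@contoso.example'                     # placeholder mailbox
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policy.Name

# Verify that the phone has acknowledged the policy rather than merely being told about it.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync

# "Remote Wipe": queue a wipe for the lost phone. It executes at the device's next sync and
# the notification address receives a confirmation when it completes.
# Assumption: Windows Phone 7 identifies itself with DeviceType 'WP'.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceType -eq 'WP' } | Select-Object -First 1
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses 'it-security@contoso.example'
}
```

Two points worth checking after applying such a policy: DevicePolicyApplicationStatus should read AppliedInFull for the phone, and a wipe only takes effect when the device next connects, so the mailbox should stay enabled until the confirmation arrives.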

With all this, it is in your hands, just as on the desktop: Exchange policies, a PIN or password, certificates (which need manual installation at the moment) and Windows Rights Management Services (RMS), a policy enforcement technology that protects content at the file level (RMS-protected content is not readable on Windows Phone), are still key to a secure phone. Combined with training your employees to increase awareness, these will keep at bay the threats and exploits that will emerge over the next few years.

Here are the 4 tips to help secure your phone