Microsoft Security Intelligence Report, Volume 13: January through June 2012

Microsoft Security Intelligence Report

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it.

Copyright 2012 Microsoft Corporation. All rights reserved.

Microsoft, the Microsoft logo, Active Directory, ActiveX, AppLocker, Bing, DirectX, Forefront, Hotmail, Internet Explorer, MSDN, Outlook, PowerPoint, the Security Shield logo, SQL Server, Visual Basic, Win32, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

JANUARY–JUNE 2012

Authors

Danielle Alyias, Microsoft Trustworthy Computing
Jeff Jones, Microsoft Trustworthy Computing
Tim Rains, Microsoft Trustworthy Computing
Dennis Batchelder, Microsoft Protection Technologies
Jimmy Kuo, Microsoft Malware Protection Center
David Ross, Microsoft Trustworthy Computing
Joe Blackbird, Microsoft Malware Protection Center
Marc Lauricella, Microsoft Trustworthy Computing
David Seidman, Microsoft Trustworthy Computing
Joe Faulhaber, Microsoft Malware Protection Center
Jenn LeMond, Microsoft IT Security and Risk Management
Weijuan Shi Davis, Windows Business Group
David Felstead, Bing
Roger A. Grimes, Microsoft IT Information Security and Risk Management
Paul Henry, Wadeware LLC
Nam Ng, Microsoft Trustworthy Computing
Daryl Pecelj, Microsoft IT Information Security and Risk Management
Anthony Penta, Microsoft Windows Safety Platform
Holly Stewart, Microsoft Malware Protection Center
Matt Thomlinson, Microsoft Trustworthy Computing
Terry Zink, Microsoft Exchange Online Protection

Contributors

Doug Cavit, Microsoft Trustworthy Computing
Hideya Matsuda, CSS Japan Security Response Team
Mark Simos, Microsoft Consulting Services
Enrique Gonzalez, Microsoft Malware Protection Center
Takumi Onodera, Microsoft Premier Field Engineering, Japan
Norie Tamura, CSS Japan Security Response Team
Heather Goudey, Microsoft Malware Protection Center
Angela Gunn, Microsoft Trustworthy Computing
Satomi Hayakawa, CSS Japan Security Response Team
Greg Lenti, CSS Security Readiness & Response Team
Le Li, Microsoft Windows Safety Platform
Ken Malcolmson, Microsoft Trustworthy Computing
Kathy Phillips, Microsoft Legal and Corporate Affairs
Hilda Larina Ragragio, Microsoft Malware Protection Center
Laura A. Robinson, Microsoft Information Security & Risk Management
Richard Saunders, Microsoft Trustworthy Computing
Jasmine Sesso, Microsoft Malware Protection Center
Frank Simorjay, Microsoft Trustworthy Computing
Kurt Tonti, Microsoft Information Security & Risk Management
Henk van Roest, CSS Security EMEA
Patrik Vicol, Microsoft Malware Protection Center
Steve Wacker, Wadeware LLC
Iaan Wiltshire, Microsoft Malware Protection Center
Dan Wolff, Microsoft Malware Protection Center
The Microsoft Pass-the-Hash Working Group

MICROSOFT SECURITY INTELLIGENCE REPORT, VOLUME 13

Table of Contents

About this report . vi
Trustworthy Computing: Security engineering at Microsoft . vii
Deceptive downloads: Software, music, and movies . 1
  Detecting malware associated with unsecure supply chains . 3
  Malware and unsecure software distribution . 4
  Music, movies, and malware . 6
  Malware statistics . 7
  Regional variations . 9
  Guidance: Defending against supply chain threats . 10
Worldwide threat assessment . 11
  Vulnerabilities . 13
    Industry-wide vulnerability disclosures . 13
    Vulnerability severity . 14
    Vulnerability complexity . 16
    Operating system, browser, and application vulnerabilities . 17
    Microsoft vulnerability disclosures . 19
    Guidance: Developing secure software . 20
  Exploits . 21
    Exploit families . 22
    Defending against Blacole exploits . 25
    Java exploits . 26
    HTML and JavaScript exploits . 27
    Document parser exploits . 29
    Operating system exploits . 30
    Adobe Flash Player exploits . 34
    Security update adoption rates . 35
  Malware and potentially unwanted software . 39
    Global infection rates . 39
    Operating system infection rates . 46
    Threat categories . 49
    Threat families . 53
    Rogue security software . 57
    Home and enterprise threats . 62
    Windows Update and Microsoft Update usage . 65
    Guidance: Defending against malware . 67
  Email threats . 68
    Spam messages blocked . 68
    Spam types . 71
    Guidance: Defending against threats in email . 74
  Malicious websites . 75
    Phishing sites . 76
    Malware hosting sites . 83
    Drive-by download sites . 89
    Guidance: Protecting users from unsafe websites . 91
Mitigating risk . 93
  Cross-site scripting . 95
    XSS trends . 96
    Mitigating XSS with Windows Internet Explorer . 97
  Defending against Pass-the-Hash attacks . 99
    How password hashes work . 99
    Pass-the-hash attacks . 102
    Pass-the-hash defenses . 103
    Summary . 109
Appendixes . 111
  Appendix A: Threat naming conventions . 113
  Appendix B: Data sources . 115
  Appendix C: Worldwide infection rates . 117
  Glossary . 122
  Threat families referenced in this report . 129

About this report

The Microsoft Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, and malicious and potentially unwanted software. Past reports and related resources are available for download. We hope that readers find the data, insights, and guidance provided in this report useful in helping them protect their organizations, software, and users.

Reporting period

This volume of the Microsoft Security Intelligence Report focuses on the first and second quarters of 2012, with trend data for the last several years presented on a quarterly basis. Because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis.

Throughout the report, half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats, where yy indicates the calendar year and n indicates the half or quarter. For example, 1H12 represents the first half of 2012 (January 1 through June 30), and 4Q11 represents the fourth quarter of 2011 (October 1 through December 31). To avoid confusion, please note the reporting period or periods being referenced when considering the statistics in this report.

Conventions

This report uses the Microsoft Malware Protection Center (MMPC) naming standard for families and variants of malware and potentially unwanted software. For information about this standard, see “Microsoft Malware Protection Center Naming Standard” on the MMPC website.

Trustworthy Computing: Security engineering at Microsoft

Amid the increasing complexity of today’s computing threat landscape and the growing sophistication of criminal attacks, enterprise organizations and governments are more focused than ever on protecting their computing environments so that they and their constituents are safer online. With more than a billion systems using its products and services worldwide, Microsoft collaborates with partners, industry, and governments to help create a safer, more trusted Internet.

Microsoft’s Trustworthy Computing organization focuses on creating and delivering secure, private, and reliable computing experiences based on sound business practices. Most of the intelligence provided in this report comes from Trustworthy Computing security centers—the Microsoft Malware Protection Center (MMPC), Microsoft Security Response Center (MSRC), and Microsoft Security Engineering Center (MSEC)—which deliver in-depth threat intelligence, threat response, and security science. Additional information comes from product groups across Microsoft and from Microsoft IT (MSIT), the group that manages global IT services for Microsoft. The report is designed to give Microsoft customers, partners, and the software industry a well-rounded understanding of the threat landscape so that they will be in a better position to protect themselves and their assets from criminal activity.

Deceptive downloads: Software, music, and movies


Malware authors go to great lengths to distribute their wares, and they invest significant resources into finding victims and avoiding detection by antimalware products. Attackers experiment with different methods and mechanisms for distributing malware, ranging from exploits to pure social-engineering–based approaches. Recently, the Microsoft Malware Protection Center (MMPC) has observed a growing trend of malware infection associated with unsecure supply chains—the websites, protocols, and other channels by which software and media files are informally distributed, both legally and illegally. Unsecure distribution mechanisms range from underground sites where pirated software and media are openly exchanged, to legitimate websites that make shareware or free music files available for public download. In some cases, malware has even been discovered preinstalled on computers sold at retail.1 Any mechanism by which untrusted parties can distribute files to a wider audience without sufficient safeguards in place is a potential vehicle for malware dissemination.

This section of the Microsoft Security Intelligence Report examines how attackers take advantage of these unsecure supply chains to distribute malware to victims around the world, with data and analysis about the problem based on Microsoft antimalware telemetry. It also provides guidance that computer users and administrators can use to help protect themselves from malware distributed through unsecure supply chains.

Detecting malware associated with unsecure supply chains

Through analysis of the data reported by Microsoft antimalware products running on computers that have been opted in to data collection,2 it is possible to discern patterns of activity that show a correlation between unsecure supply chains and malware. In some cases, this correlation may simply involve malware samples that have the same names as certain files that are known to be disseminated on file distribution sites and networks—spreading malware by claiming it is something else is a time-honored tactic used by attackers. In other cases, a correlation can be drawn from the presence on the reporting computer of other threat families—including Win32/Keygen, Win32/Pameseg, and Win32/Gendows—that are strongly associated with file distribution activity. These indicator families were detected on 16.8 percent of all computers reporting detections in the first quarter of 2012, increasing to 17.2 percent of computers in the second quarter. Some of these indicator families are considered potentially unwanted software rather than malware, but all can be taken as evidence that file distribution activity has probably occurred. By looking at malware detected alongside the indicator families and comparing it with malware detections reported by computers that don’t also report detections of indicator families, MMPC researchers can estimate the extent and impact of attackers’ abuse of the file distribution supply chain.

1 See “Operation b70: Nitol Malware Research and Analysis,” a report by the Microsoft Digital Crimes Unit, for additional details about one such incident.
2 See “Appendix B: Data sources” on page 113 for links to privacy statements for the products and services that provided the data for this report.

Malware and unsecure software distribution

The most commonly reported threat family in 1H12 was Win32/Keygen, a detection for tools that generate keys for various software products. Software pirates often bundle a key-generator utility with a well-known application and then distribute the package using a torrent client or by uploading the package to a file distribution site. A user who downloads the package runs the key-generator utility to create a product key that will supposedly allow the software to be used illegally. Its widespread impact—of the 105 countries or regions covered in this report, 98 percent listed Keygen as one of the top 10 families detected in 1H12—and its strong association with unsecure file distribution activity make it a good indicator family to use to examine how attackers exploit such activity to distribute malware.

An examination of Keygen reports shows a diverse list of popular software products being targeted, as indicated by some of the file names used by the Keygen executable:

• keygen.exe
• Windows Loader.exe
• mini-KMS Activator v1.1 Office.2010.VL.ENG.exe
• AutoCAD-2008-keygen.exe
• SonyVegasPro Patch.exe
• Nero Multimedia Suite 10 - Keygen.exe
• E.exe
• 7z Guitar Pro v6.0.7 Soundbanks Keygen(Registered) [ kk ].rar
• Half Life CDkeygen.exe

Installing pirated software bears significant risks. In many cases, the distributed packages contain malware alongside (or instead of) the pirated software, which takes advantage of the download and install process to infect the computers of users who download the bundles. More than 76 percent of computers reporting Keygen detections in 1H12 also reported detections of other threat families, which is 10 percent higher than the average co-infection rate for other families. (See “Malware statistics” on page 7 for additional information.)

The tactic of bundling malware with software on unsecure file distribution sites and networks is not limited to pirated commercial software—attackers sometimes take advantage of traffic in freely distributed software as well. In 1H12, the MMPC observed 35 different threat families being distributed using the file name install adobeflash.exe, which purports to be an installation package for the freely distributed Adobe Flash Player. Threats that make use of this technique in 1H12 included notable families such as Win32/Sirefef, Win32/Bancos, and Win32/FakeRean. (See “Threat families” beginning on page 53 for more information about these and other threats.)

Similar tactics are used by attackers who engage in so-called paid archive schemes, in which users are convinced or tricked into paying for software that might otherwise be available for free. The most commonly detected threat family in 1H12 in Russia, Ukraine, and several other countries and regions in eastern Europe and western Asia was Win32/Pameseg, a family of programs that claim to install various popular software packages. A user who launches a Pameseg installer is instructed to send an SMS text message to a premium number (typically at a cost of between 5 and 20 US dollars, although the installer usually claims that it will be free of charge) to successfully install the program. Among the top file names used by Pameseg installers in 1H12 were several that resembled the names of programs that can be legally downloaded and installed for free, in addition to paid commercial programs:

• Adobe Photoshop CS5 key-rus.exe
• avast free.exe
• DirectX11.exe
• kb909241x.exe
• LoviVkontakte.exe
• powerpoint-setup.exe
• Skype.exe
• SkypeSetup.exe
• vksaver.exe
• willarchive.exe

For more information about Pameseg and paid archive schemes, see the following entries in the MMPC blog:

• Easy Money: Program:Win32/Pameseg (part one) (November 14, 2011)
• Easy Money: Program:Win32/Pameseg (part two) (November 21, 2011)

Other hacking tools that are frequently used to distribute malware with shared or pirated software include:

• Win32/Gendows. A tool that attempts to activate Windows 7 and Windows Vista operating system installations.
• Win32/Patch. A family of tools intended to modify, or “patch,” programs that may be evaluation copies or unregistered versions with limited features, for the purpose of removing the limitations.
• Win32/Wpakill. A family of tools that attempt to disable or bypass WPA (Windows Product Activation), WGA (Windows Genuine Advantage) checks, or WAT (Windows Activation Technologies) by altering Windows operating system files, terminating processes, or stopping services.

Music, movies, and malware

Like software, popular movies and music are often traded on unsecure file distribution sites and networks. As with software, attackers have taken advantage of the illegal trafficking in media files to spread malware.

The ASX/Wimad family is a generic detection for malicious URL script commands found in Advanced Systems Format (ASF) (a file format used by Windows Media) that download arbitrary files. Several of the file names used by Wimad files suggest a global hit parade of popular music:

• - - 1 Alejate De Mi - Camila.mp3
• - Lady Gaga - Telephone (feat. Beyonce).mp3
• - - Alexandra Stan - - - Mr. Saxobeat.mp3
• 0 Merche - Si Te Marchas.mp3
• 09. Pitbull - Back In Time (From Men In Black III).mp3
• 09 Back In Time - Pitbull.mp3
• Oasis - Stop Crying Your Heart Out.mp3
• - - Moves Like Jagger - Maroon 5 Christina Aguilera.mp3
• עמיר בן עיון עומד בשער .mp3 [Amir Benayun, “Standing at the Gate”]
• Rumer - Slow.mp3

Current popular films are also well-represented in the list of Wimad file names:

• The Avengers 2012 720p BDRip QEBS7 AAC20 MP4-FASM.avi
• Prometheus 2012 DVDRip.avi
• Wrath of the Titans 2012 DVDRip aXXo.avi
• Battleship 2012 DVDRip.avi
• What to Expect When You're Expecting 2012.BRRip.XviD-KAZAN.avi
• The Hunger Games 2012 TRUE FRENCH DVDRIP XViD FiCTiON L S79.avi
• iD-26K-0123.avi
• The Five-Year Engagement 2012 HDRip XviD-HOPE.avi
• Project X 2012 TRUE FRENCH DVDRIP XViD FiCTiON L S79.avi
• Amazing SpiderMan 2012 DVDRiP XviD.avi

Malware statistics

Computers reporting detections of the six indicator families mentioned (Keygen, Wimad, Pameseg, Wpakill, Gendows, and Patch) have a higher malware detection rate than those that don’t.3 Figure 1 lists the families that were most commonly detected alongside the indicator families in 1H12.

Figure 1. Threat families most commonly detected on computers displaying evidence of unsecure file distribution in 1H12, by absolute number of computers and by percentage of all computers displaying such evidence (table columns: Family, Most significant category, 1Q12, 1Q12 %, 2Q12, 2Q12 %; the table body did not survive extraction)

• Win32/Autorun is a generic detection for worms that spread between mounted volumes using the Autorun feature of Windows. Recent changes to the feature in Windows XP and Windows Vista have made this technique less effective,4 but attackers continue to distribute malware that attempts to target it.
• JS/Pornpop is a detection for specially crafted JavaScript-enabled objects that attempt to display pop-under advertisements in users’ web browsers. Initially, Pornpop appeared exclusively on websites that contained adult content; however, it has since been observed to appear on websites that may contain no adult content whatsoever.
• Win32/Obfuscator is a generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques.
• Blacole is a multiplatform family of exploits that target vulnerabilities in popular products and components and are delivered through malicious or compromised webpages. (See page 23 for more information about Blacole.)
• Win32/Dorkbot is a worm that spreads via instant messaging and removable drives. It also contains backdoor functionality that allows unauthorized access and control of the affected computer. Dorkbot may be distributed from compromised or malicious websites using PDF or browser exploits.

See “Malware and potentially unwanted software” beginning on page 39 for more information about threat detection patterns around the world.

3 See “Appendix B: Data sources” on page 113 for information about the Microsoft products and services that generated the telemetry used for this analysis.
4 See for more information about these changes.
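The three measurements this section relies on (the share of reporting computers that show an indicator family, the co-infection rate of an indicator family such as Keygen compared with the average for other families, and the number of distinct families hiding behind one lure file name such as install adobeflash.exe) can be reproduced from per-detection records. The following Python is an added example written for this edit; it is not MMPC code or MMPC data. The telemetry rows are constructed, and the record layout (quarter, computer id, threat family, file name used by the threat) is an assumption.

```python
from collections import Counter, defaultdict

# Indicator families named in this section: a detection of any of them is taken
# as evidence that unsecure file distribution activity has probably occurred.
INDICATOR_FAMILIES = {
    "Win32/Keygen", "ASX/Wimad", "Win32/Pameseg",
    "Win32/Wpakill", "Win32/Gendows", "Win32/Patch",
}

# Constructed sample telemetry (hypothetical, not MMPC data). One record per
# detection: (quarter, computer id, threat family, file name the threat used).
SAMPLE_DETECTIONS = [
    ("1Q12", "pc01", "Win32/Keygen",     "keygen.exe"),
    ("1Q12", "pc01", "Win32/Autorun",    "autorun.inf"),
    ("1Q12", "pc02", "Win32/Keygen",     "AutoCAD-2008-keygen.exe"),
    ("1Q12", "pc02", "Win32/Sirefef",    "install adobeflash.exe"),
    ("1Q12", "pc03", "Win32/Pameseg",    "Skype.exe"),
    ("1Q12", "pc04", "JS/Pornpop",       "popunder.js"),
    ("1Q12", "pc05", "Win32/Bancos",     "install adobeflash.exe"),
    ("1Q12", "pc06", "Win32/Keygen",     "Windows Loader.exe"),
    ("2Q12", "pc07", "ASX/Wimad",        "Rumer - Slow.mp3"),
    ("2Q12", "pc07", "Win32/Obfuscator", "codec_update.exe"),
    ("2Q12", "pc08", "Win32/FakeRean",   "install adobeflash.exe"),
    ("2Q12", "pc09", "Win32/Keygen",     "keygen.exe"),
    ("2Q12", "pc09", "Win32/Dorkbot",    "photo.scr"),
    ("2Q12", "pc10", "Win32/Autorun",    "autorun.inf"),
]


def computers_by_family(detections):
    """Map each threat family to the set of computers that reported it."""
    families = defaultdict(set)
    for _quarter, computer, family, _file_name in detections:
        families[family].add(computer)
    return families


def indicator_prevalence(detections, quarter):
    """Percentage of computers reporting detections in `quarter` that also
    reported at least one indicator family (the 16.8% / 17.2% style figure)."""
    reporting, flagged = set(), set()
    for q, computer, family, _file_name in detections:
        if q != quarter:
            continue
        reporting.add(computer)
        if family in INDICATOR_FAMILIES:
            flagged.add(computer)
    if not reporting:
        return 0.0
    return round(100.0 * len(flagged) / len(reporting), 1)


def coinfection_rate(detections, family):
    """Percentage of computers reporting `family` that also reported at least
    one other family (the co-infection rate quoted for Keygen)."""
    families = computers_by_family(detections)
    hosts = families.get(family, set())
    if not hosts:
        return 0.0
    others = set().union(*(pcs for f, pcs in families.items() if f != family))
    return round(100.0 * len(hosts & others) / len(hosts), 1)


def average_coinfection_rate(detections, exclude=frozenset(INDICATOR_FAMILIES)):
    """Mean co-infection rate over the non-indicator families: the baseline
    against which an indicator family's own rate is compared."""
    families = computers_by_family(detections)
    rates = [coinfection_rate(detections, f) for f in families if f not in exclude]
    return round(sum(rates) / len(rates), 1) if rates else 0.0


def families_per_file_name(detections):
    """Count distinct threat families seen under each file name, which exposes
    lure names (like install adobeflash.exe) reused by many unrelated families."""
    seen = defaultdict(set)
    for _quarter, _computer, family, file_name in detections:
        seen[file_name.lower()].add(family)
    return {name: len(fams) for name, fams in seen.items()}


def top_families_alongside_indicators(detections, n=5):
    """Non-indicator families most often found on computers that also show an
    indicator family (the kind of ranking Figure 1 tabulates)."""
    families = computers_by_family(detections)
    flagged = set().union(*(pcs for f, pcs in families.items()
                            if f in INDICATOR_FAMILIES))
    counts = Counter()
    for family, pcs in families.items():
        if family in INDICATOR_FAMILIES:
            continue
        hits = len(pcs & flagged)
        if hits:
            counts[family] = hits
    return counts.most_common(n)


if __name__ == "__main__":
    for quarter in ("1Q12", "2Q12"):
        print(quarter, "indicator prevalence:",
              indicator_prevalence(SAMPLE_DETECTIONS, quarter), "%")
    print("Keygen co-infection:", coinfection_rate(SAMPLE_DETECTIONS, "Win32/Keygen"), "%")
    print("baseline co-infection:", average_coinfection_rate(SAMPLE_DETECTIONS), "%")
    print("families per file name:", families_per_file_name(SAMPLE_DETECTIONS))
    print("alongside indicators:", top_families_alongside_indicators(SAMPLE_DETECTIONS))
```

On the constructed sample, Keygen's co-infection rate comes out at 75.0 percent against a 50.0 percent baseline for the non-indicator families, and install adobeflash.exe is the only file name carrying three different families, which is the pattern the section describes at telemetry scale. As the section itself notes, an indicator family is evidence that file distribution activity has probably occurred, not a record of how each co-detected family arrived, so the rates are a measure of association rather than of delivery path.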

Regional variations

Detections of the indicator families described in this section vary between different countries and regions. In Russia, Pameseg is detected far more often than the others; in some other locations, such as Italy and France, Wimad is in the top position. Figure 2 illustrates how these families are detected in different proportions in several different locations.

Figure 2. Relative detections of the indicator families discussed in this section in the 10 countries/regions with the most detections (chart not reproduced; legend fragments recovered: Win32/Wpakill, Win32/Gendows, Win32/Patch)

Guidance: Defending against supply chain threats

Organizations and IT departments can use various processes and technological solutions to minimize the risk they face from malware transmitted through unsecure supply chains. Processes include the following:

• Create policies that state what constitutes acceptable and unacceptable downloading and use of third-party tools and media. Institute policies that govern the download and execution of music, movies, and game media. Create and enforce disciplinary actions for repeat policy offenders.
• Block peer-to-peer (P2P) applications from communicating into or out of the organization’s internal network.
• Ensure that all new hardware is purchased by an internal procurement team. Procurement processes might include formatting computers and devices upon receipt and reinstalling the operating systems from known good images. Such images should include antimalware software, intrusion detection tools, software firewalls, monitoring and reporting tools, and other security software, all of which should be enabled by default.

Technology solutions to implement include the following:

• Use the AppLocker feature in Windows to create blacklists for potentially unsafe applications, programs, and scripts on client computers.
• On proxy servers, implement rules to block known malicious websites as well as other websites that violate the organization’s acceptable media usage policy for content such as music, movies, games, shopping, pornography, and so on.
• Regularly update the organization’s hardware and software standards, and limit the amount of old hardware and software. A 64-bit computer running Windows 7 and Internet Explorer 9, for example, is inherently more secure than a 32-bit computer running Windows XP and Internet Explorer 6 because of technologies such as ASLR, DEP, and SmartScreen Filter.

Vendors should use code signing and digital rights management to ensure customers can trust and confirm the authenticity of downloads.

Individual users can protect themselves by running antimalware software from a reputable vendor and keeping it up to date, and by only downloading software and content from trustworthy sources. Software updates and free software should only be obtained from the original vendors or from known, reputable sources. Using Internet Explorer with SmartScreen Filter enabled can help provide protection from malicious downloads.

Worldwide threat assessment


Vulnerabilities

Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of the software or the data that it processes. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge.

Industry-wide vulnerability disclosures

A disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including the software vendor, security software vendors, independent security researchers, and even malware creators.

The information in this section is compiled from vulnerability disclosure data that is published in the National Vulner
