Microsoft’s 5th Security Intelligence Report

From January to June 2008, Microsoft’s anti-malware technologies disinfected just over 8 million more computers than they did in the previous six-month period, according to the company’s just-released 5th Security Intelligence Report.

Such a statement will make many jump to the conclusion that the state of crimeware is getting worse, but that conclusion may not be accurate. The increase in distinct computers cleansed in this latest period is just under 50%, whereas the 2H07 report showed an increase of just over 79%, and the 1H07 report showed 95%. So the percentage increase this time around is smaller than it has been previously; the absolute count keeps rising, but its growth is slowing. The same can be said for the number of distinct infections cleansed: 1H08 was 47% higher than 2H07, but 2H07 was 219% higher than 1H07, and 1H07 was 80% higher than 2H06.

No matter how you look at the numbers, there’s no discounting the fact that Microsoft cleansed more than 23 million unique computers of some form of crimeware in the first six months of this year, and that’s a lot of computers in anyone’s book. Consider too that many of these systems likely had third-party anti-virus products on them as well, which would have removed some infections before Microsoft’s tools ever saw them, so the total number of infections is likely much higher.

But even this must be caveated, as Microsoft points out geo-specific factors that contribute to the overall totals. Less industrialized nations, or nations with smaller per-capita Internet usage, are among the most heavily infected. Clearly awareness and experience contribute to the effectiveness of security.

Of more interest to us was Figure 81 on page 134 of the report, titled “Computers cleansed by threat category, in percentages, 1H06-1H08.” That figure contains an extremely important number: the “Exploits” value of 1.0%.

All other categories listed in that figure, such as Trojan Downloaders and Droppers, Worms, etc., are crimeware that gets onto the machine through user action. Exploits are the only threat category that Microsoft attributes to a patchable software vulnerability. So whether it’s an iframe loading unwanted JavaScript, or a criminal silently installing a malicious browser helper object via MS06-014 (the MDAC/RDS vulnerability), if it’s happening because of a software vulnerability, it’s an exploit.

So consider that all of your patch-o-mania (the massive roll-out of updates the instant Microsoft releases them), your inquiries to us about just how bad a given Microsoft Security Bulletin vulnerability could get, and your overtime weekends trying to reach all of your roving users to get MS08-067 installed are all addressing a threat that represents a mere 1.0% of what Microsoft cleans off of machines each month.

Think about that for a second.

Now let me throw another zinger at you. You know all that talk there’s been about phishing? Well, according to Microsoft (which not only runs Exchange Hosted Services but also a small web-based email site called Hotmail, or Windows Live Hotmail these days), phishing represents a mere 2.5% of criminal email (which we define to include spam, viruses and any other unwanted email). Yup, that’s right: while criminal email accounts for 90% of all email you receive, only 2.5% of it is a phishing attempt. See Figure 37 on page 67 for some useful insights into the kinds of email problems you should be worrying about. For example, according to Microsoft, blocking anything to do with pharmaceuticals could reduce criminal email by more than 50%. Now, clearly we have been under the impression that a lot of people have succumbed to phishing scams that harvest their bank details, and we’ve been led to believe these activities are being carried out by gangs of highly organized criminals - heck, even Microsoft’s own report on the Threat Landscape paints this picture - but at the end of the day the criminals are spending far more time hawking fake drugs via email.

Not to beat a dead horse, but in case you didn’t know it, Windows Vista appears to be more robust than other Microsoft operating systems. Just compare the number of machines cleansed per 1,000 executions of the Malicious Software Removal Tool (MSRT): Vista SP1 versus XP SP3 is 4.5 to 9.2. Want to see an even better number? Look at Vista x64 SP1, where the figure drops to 2.3. Think that XP SP2 is “good enough?” Think again: 11.2 versus 9.2 for SP2 versus SP3. We won’t even get into the numbers for XP SP0 or SP1, except to say that SP0 is 33.8.

As you can see, and as we have emphasized for years, deploying service packs is actually far more important than deploying individual security bulletins.

Finally, there’s a move afoot here to be increasingly global…after all, we are a global company. The media tends to focus on U.S. or European numbers and forget about other places in the world. In Brazil, for example, a bank-login-stealing Trojan (called Bancos) has been cleansed from more than 60% of the systems Microsoft sees in that country…that’s ridiculous!

If you happen to have systems in countries where the population is less familiar with being connected to the Internet (regardless of the skill level of your own users), then take Microsoft’s observations about such countries to heart. Consider what the cleaning staff might do with a system that doesn’t invoke a password-protected screen saver. Think about who else might use a roving laptop while it is at home and connected via VPN. Realize the pressure your employees might come under from friends and family to get some cool, but free, game the kids heard of from friends. In these environments you have to provide a locked-down desktop, one that prohibits, or makes extremely difficult, user installation of software (especially browser components). Internet Explorer 7 and Windows Vista are really your friends here, as the combination affords you easy and effective mechanisms for desktop lockdown.
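As an added illustration (not part of the original post), here is a PowerShell audit that checks whether the lockdown controls just described are actually enforced by policy on a Windows desktop: a password-protected screen saver, UAC with elevation requests denied to standard users, Windows Installer restricted to admin-deployed packages, Internet Explorer add-on (BHO) management locked, and the interactive user not being a local administrator. The registry paths are the standard Group Policy backing keys for those settings; the 600-second timeout threshold and the particular set of checks are assumptions chosen for this example, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: audit a Windows desktop for the
# lockdown settings the post recommends.  Registry paths are the Group Policy
# backing keys; the 600 s screen-saver timeout threshold is an assumed value.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return $item.$Name
    } catch {
        return $null   # key or value absent: the policy is not configured
    }
}

$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$uacPolicy     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @(
    @{ Name = 'Screen saver enabled (user policy)'
       Path = $desktopPolicy; Value = 'ScreenSaveActive'
       Expect = { param($v) $v -eq '1' } },
    @{ Name = 'Screen saver requires password'
       Path = $desktopPolicy; Value = 'ScreenSaverIsSecure'
       Expect = { param($v) $v -eq '1' } },
    @{ Name = 'Screen saver timeout <= 600 s (assumed threshold)'
       Path = $desktopPolicy; Value = 'ScreenSaveTimeOut'
       Expect = { param($v) $v -and [int]$v -le 600 } },
    @{ Name = 'UAC enabled'
       Path = $uacPolicy; Value = 'EnableLUA'
       Expect = { param($v) $v -eq 1 } },
    @{ Name = 'Standard users: elevation requests automatically denied'
       Path = $uacPolicy; Value = 'ConsentPromptBehaviorUser'
       Expect = { param($v) $v -eq 0 } },
    @{ Name = 'Windows Installer limited to managed (admin-deployed) packages'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Value = 'DisableMSI'
       Expect = { param($v) $v -eq 1 } },
    @{ Name = 'IE: users cannot enable/disable add-ons (BHOs)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions'; Value = 'NoExtensionManagement'
       Expect = { param($v) $v -eq 1 } }
)

# A locked-down desktop presumes the interactive user is not a local admin.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$results = @(foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Value
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = if ($null -eq $v) { '(not configured)' } else { $v }
        Enforced = [bool](& $c.Expect $v)
    }
})
$results += [pscustomobject]@{
    Check = 'Current user is not a local administrator'
    Actual = $isAdmin
    Enforced = -not $isAdmin
}

$results | Format-Table -AutoSize

# Non-zero exit lets a logon script or management agent flag the machine.
if ($results | Where-Object { -not $_.Enforced }) { exit 1 } else { exit 0 }
```

Run it as the interactive (non-elevated) user so the HKCU policy keys reflect that user’s effective settings; a row showing “(not configured)” means the control is being left to local defaults rather than enforced by Group Policy, which is exactly the gap a roaming laptop or a shared machine exploits.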

All in all, we won’t say we’re encouraged by the report’s findings, but we certainly aren’t seeing the cup as half empty either. Browser exploits are far fewer than generally thought, and phishing is much less common than other kinds of criminal email. That can’t be a bad thing! It is also worth noting that, despite many pundit claims to the contrary, our #1 task has to be educating users to make more sensible and secure choices in their actions. If you believed there was a silver bullet coming down the pipeline that would solve your users’ issues, this report should put that idea to rest for another 10 years.
