Ziv Mador
Senior Program Manager and Response Coordinator
Jeff Williams
Principal Group Manager
Microsoft Malware Protection Center

Trend of Malware and Potentially Unwanted Software becoming more regional
MSRT and Windows Defender telemetry collection methods
Trends demonstrated by normalized infection rates
The threat landscape in the selected countries
Breakdown by OS versions
Example of malware “without borders”
What can we do about it?
Q&A

Years ago, we saw major outbreaks of self-replicating worms
They infected hosts regardless of language or location
These days attacks rely more often on social engineering
Spread and effectiveness depend upon language and culture

• Malicious Software Removal Tool
• Shipped every month with Microsoft security updates
[Chart: Monthly MSRT Executions, Grand Total and Windows XP SP2. Y-axis: millions. Series: WinXP SP2, Grand Total.]
[Chart: Monthly MSRT Executions, Other Operating Systems. Y-axis: millions. Series: Win2K3 SP1, Win2K SP3, Win2K3 SP2, WinXP SP1, Win2K SP4, Vista RTM.]

About 75% of users opt in to send reports
[Chart: Number of Active Windows Defender Users, by month, Jul-07 to Apr-08.]

On average, developing countries exhibit more infections than developed countries
[Chart: Number of computers cleaned for every thousand MSRT Executions, by month, Jan-07 to Dec-07. Series: Brazil, China, France, Japan, Korea, Russia, United States.]

Showing the top 8 out of 24 categories (2H07)
[Chart: threat categories by country, in percent. Countries: China, Korea, France, Brazil, Russia, US, S. Africa, Japan. Categories: Adware, Trojan Downloader, Trojan, Potentially Unwanted Software, Worm, Virus, Backdoor, Browser Modifier.]

China:
• Spyware: CnsMin
• Browser Modifier: Baidu
• Browser Modifier: CNNIC
Korea:
• Virus: Virut
• Spyware: RewardNetwork
• Backdoor: Rbot
• Virus: Parite
• Virus: Jeefo
Japan:
• Spyware: CnsMin
• Trojan Downloader: Zlob
• Worm: Antinny
South Africa:
• Trojan Downloader: Zlob
• PUS: Starware
• Adware: WhenU
France:
• Trojan Downloader: Zlob
• Adware: Slagent
• Adware: Hotbar
Brazil:
• Trojan and PWS: Banker
• Trojan Downloader: Zlob
• Adware: WhenU
Russia:
• Adware: WhenU
• Virus: Jeefo
• Worm: Rjump
US:
• Trojan Downloader: Zlob
• Trojan Downloader: Renos
• Adware: Hotbar

Enables Chinese keyword searching in IE
Sometimes installs without user consent
Uses kernel mode driver to protect its files and registry settings
Self-updates

Spreads using the Winny peer-to-peer file sharing application
Copies itself to the Winny upload folder with a deceptive filename
Targets Japanese-speaking populations
Uses Japanese for its messages and displays additional graphics
May copy other personal files to the shared folders

98.4% of detections occurred in Japan
The rest: Korea, US, Taiwan, China & others
[Chart: Computers Cleaned by the MSRT of the Win32/Antinny Worm. Series: Japan, Korea, US, Taiwan, China.]

Family of data-stealing trojans that capture banking credentials
Mostly target customers of Brazilian banks
Over 11,000 samples in 2H07, many of which use Portuguese
Country / Region % Detections
Brazil 70.5%
Portugal 9.0%
Spain 7.8%
US 5.9%
France 1.5%
Italy 0.9%
UK 1.1%
Mexico 0.7%

60% less malware and PUS detected on Vista compared to Windows XP SP2
The higher the Service Pack level installed, the lower the rate of infection
Server versions of Windows typically display lower infection rates than client versions
Computers cleaned by the MSRT, 2H07 (Normalized):
Windows XP no SP, 30.6%
Windows XP SP1, 21.5%
Windows XP SP2, 7.2%
Windows Vista, 2.8%
Windows 2K SP3, 12.2%
Windows 2K SP4, 5.0%
Windows 2K3 SP1, 19.2%
Windows 2K3 SP2, 1.5%
Computers cleaned by Windows Defender, 2H07 (Normalized):
Windows 2003, 27.5%
Windows Vista, 28%
Windows XP SP2, 44.5%

Reflects on the prevalence of malware or potentially unwanted software regionally
[Chart: MSRT Executions by OS version, in percent, per country. Countries: US, China, Japan, Korea, France, Brazil, Russia, South Africa. Series: XP SP2, Vista, XP no SP, XP SP1, Win2K, Win2K3.]

There are still some threats that are spread across many different regions
Mostly malware that may be distributed in multiple ways
Either shows no UI or uses English

Major distribution methods:
Fake codec files
Rogue antispyware application
Malicious ad banners
Telemetry:
Detected over 17.5 million times in 2H07
Detected in over 240 locales

Even though it is detected almost anywhere, it is by far more prevalent in the US
[Chart: Computers Cleaned by the MSRT of the Win32/Zlob Downloader, by month, May-07 to Apr-08. Series: WW, US, UK, Spain, Germany, France.]

Expand the collaboration between industry and national response teams
National CERTs can lead here by:
Identifying regional threats
Working with the industry to address them
Collecting and submitting samples
Sharing specific regional impact detail with vendors
Working with law enforcement to facilitate cases against attackers
Recently announced program: SCPcert

Driving user education
Apparent correlation between broad national outreach and reduction in infection rate
Finland
Japan
Australia
Encouraging the ISV community to adopt secure development practices

Microsoft Security Intelligence Reports
http://microsoft.com/sir
Microsoft Malware Protection Center
http://www.microsoft.com/security/portal/
Windows Malicious Software Removal Tool
http://www.microsoft.com/malwareremove
Windows Defender
http://www.microsoft.com/windowsdefender

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.