Page 1

An accurate understanding of on-going malware prevalence

Jason Garms
Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation
JasonG@Microsoft.Com

AVAR 2005, Tianjin, China


Page 2

Agenda

Importance of data analysis and malware
Data sources and analysis from Microsoft
Key Observations

Page 3

Virus "particles" for people

One infected person
Millions of infection particles

Page 4

Virus "particles" for computers

Diagram labels: Rbot-infected computer; Email infection; Vulnerability exploit; File sharing

Page 5

Usefulness of Data

"First Hour": Predicting how prevalent a piece of malware will be
"Second Month": Continued prevalence
"Five Year": Historical

Page 6

Windows Malicious Software Removal Tool

Ability to detect and remove prevalent malicious software
Updated and released monthly
Low execution impact
Localized into 24 languages
Protect the Internet
Supports Windows XP, Windows 2000, and Windows Server 2003, 32/64 bit

Page 7

Key Observations

Botnets are a BIG deal
Social engineering worms and mass mailing worms continue to be very effective
Zotob: how bad was it?
Rootkit data prevalence is surprising
Blaster persists
Antinny: Who would have thought?

Page 8

Botnets are a Big Deal

Gaobot, Rbot, Sdbot
58% of malware removed are bots
Top 3 bot families are 85% of all bots removed
Order of most prevalent: Rbot, Sdbot, Gaobot
10% of Rbot infections are re-infections
3% of Gaobot infections are re-infections

Page 9

Social Engineering and Mass Mailing Worms

Among families removed by MSRT:
Netsky was #4 overall
Bagle is #10 overall
2,000 copies of Netsky will be removed during AVAR
Netsky.P is 1/3 of all Netsky infections
WUKill is #5 for October

Page 10

Zotob: How bad?

Zotob is #41 overall
It was only #35 for October
Esbot was more prevalent, but received no attention
Esbot was #12 in October

Page 11

Rootkit Prevalence

Hacker Defender, FURootkit, IsPro

In order of prevalence:
FURootkit: 5th overall, 3rd in October
IsPro: 7th overall, 15th in October
Hacker Defender: 17th overall, 24th in October

Page 12

Blaster Sure is Persistent!

Blaster is #6 overall, and #16 in October
Almost 1,000 infections will be removed during AVAR
MsBlast.A is the most common variant in the family
But… Nachi.A is even more common

Page 13

Antinny: Who would have thought?

Antinny was #2 in October
So far, it's #4 in November

Page 14

Other Interesting Facts

Machines running Windows XP SP2 are 13-15 times less likely to be infected with malware from the Wild List
Infected machines average 1.3 infections
Some have 30 or more active infections
Bottom 8 families have less than 100 disinfections each
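The figures on the botnet slide (family ranking, share of removals that are bots, top-3 bot share, re-infection rate) and on this slide (average infections per infected machine, worst-case machine) are all derived from per-run disinfection telemetry. The following is an added example, not Microsoft's or MSRT's own code, showing how such metrics are computed from a small constructed set of disinfection records. The record layout, the sample events, the set of families treated as bots, and the definition of "re-infection" (a family cleaned from a machine that was already cleaned of the same family in an earlier monthly run) are all assumptions.

```python
"""Prevalence metrics over MSRT-style disinfection telemetry (added example).

Everything below is constructed for illustration: the record layout, the
events, BOT_FAMILIES and the re-infection definition are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Disinfection:
    machine: str   # anonymised machine identifier (constructed)
    family: str    # malware family name as reported by the scanner
    month: str     # YYYY-MM of the monthly tool run
    is_bot: bool   # whether the family is treated as an IRC bot family


# Assumed bot classification; Rbot/Sdbot/Gaobot are the three named on the slide.
BOT_FAMILIES = {"Rbot", "Sdbot", "Gaobot", "Mytob"}


def rec(machine: str, family: str, month: str) -> Disinfection:
    return Disinfection(machine, family, month, family in BOT_FAMILIES)


# Constructed sample telemetry: ten machines across three monthly runs.
EVENTS = [
    rec("m01", "Rbot", "2005-08"), rec("m01", "Rbot", "2005-10"),  # m01 re-infected with Rbot
    rec("m02", "Rbot", "2005-09"), rec("m02", "Mytob", "2005-10"),
    rec("m03", "Sdbot", "2005-09"), rec("m03", "Netsky", "2005-09"),
    rec("m04", "Gaobot", "2005-08"),
    rec("m05", "Rbot", "2005-10"), rec("m05", "Antinny", "2005-10"),
    rec("m06", "FURootkit", "2005-10"),
    rec("m07", "Sdbot", "2005-10"),
    rec("m08", "Antinny", "2005-10"),
    rec("m09", "Rbot", "2005-08"),
    rec("m10", "Msblast", "2005-09"), rec("m10", "Rbot", "2005-09"),
]


def rank_families(events, month=None):
    """Families ordered by disinfection count, overall or for one month."""
    counts = Counter(e.family for e in events if month is None or e.month == month)
    return counts.most_common()


def bot_share(events) -> float:
    """Fraction of all disinfections that belong to bot families."""
    return sum(e.is_bot for e in events) / len(events)


def top_n_bot_share(events, n=3) -> float:
    """Share of bot disinfections accounted for by the n most common bot families."""
    bot_counts = Counter(e.family for e in events if e.is_bot)
    top = sum(c for _, c in bot_counts.most_common(n))
    return top / sum(bot_counts.values())


def reinfection_rate(events, family: str) -> float:
    """Fraction of `family` disinfections on a machine already cleaned of it
    in an earlier month (assumed definition of re-infection)."""
    months_by_machine = defaultdict(list)
    for e in events:
        if e.family == family:
            months_by_machine[e.machine].append(e.month)
    total = repeats = 0
    for months in months_by_machine.values():
        months.sort()
        total += len(months)
        # Each cleanup that follows an earlier cleanup of the same family counts as a repeat.
        repeats += sum(1 for i in range(1, len(months)) if months[i] > months[i - 1])
    return repeats / total if total else 0.0


def mean_infections_per_infected_machine(events) -> float:
    per_machine = Counter(e.machine for e in events)
    return sum(per_machine.values()) / len(per_machine)


def max_infections_on_one_machine(events) -> int:
    return max(Counter(e.machine for e in events).values())


if __name__ == "__main__":
    print("Overall ranking:", rank_families(EVENTS))
    print("October ranking:", rank_families(EVENTS, month="2005-10"))
    print(f"Bot share of removals: {bot_share(EVENTS):.0%}")
    print(f"Top-3 bot families' share of bots: {top_n_bot_share(EVENTS):.0%}")
    print(f"Rbot re-infection rate: {reinfection_rate(EVENTS, 'Rbot'):.0%}")
    print(f"Mean infections per infected machine: {mean_infections_per_infected_machine(EVENTS):.2f}")
```

Ranking is done over raw disinfection counts, the same basis the slides use, so a machine cleaned of the same family in two different months contributes twice; the re-infection rate is what separates persistent families from one-off outbreaks.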

Page 15

Top Disinfection Totals by Family

Rank  Since January  October only
1     Rbot           Rbot
2     Sdbot          Antinny
3     Gaobot         FURootkit
4     Netsky         Sdbot
5     FURootkit      Wukill
6     Msblast        Gaobot
7     Ispro          Netsky
8     Korgo          Bagle
9     Berbew         Sientok
10    Bagle          Lovegate
11    Antinny        Mytob
12    Mytob          Esbot

Page 16

Ranking by Family since January

Page 17

Disinfections by Type

Page 18

August Disinfection Breakdown
January Families

Page 19

August Disinfection Breakdown
February Families

Page 20

Highest Re-infection
Since January

Page 21

Links

Anti-Malware Engineering Team blog: http://blogs.msdn.com/antimalware
Windows Malicious Software Removal Tool: http://www.microsoft.com/cleaner
Windows Live Safety Center: http://safety.live.com

Page 22

© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.