News

Microsoft Targets Botnets in Software Security Report

• By Kurt Mackie
• 10/15/2010

Microsoft released Volume 9 of its "Security Intelligence Report" this week, which includes a section specifically honing in on the botnet problem.

The report, which can be downloaded here, catalogs software security threats worldwide from January to June 2010. It draws on data gathered from three Microsoft security efforts, namely the Microsoft Security Engineering Center, Microsoft Malware Protection Center and Microsoft Security Response Center. It also uses data from the U.S. government's National Vulnerability Database.

The botnet section of the report is extensive. It includes a historical description of how botnets arose based on the IRC protocol used for chatting activity, as well as a description of today's current criminal botnet underground. Microsoft's report defines a botnet broadly as "a network of computers that can be illicitly and secretly controlled at will by an attacker and commanded to take a variety of actions." Microsoft helped take down the Waledac botnet through legal actions earlier this year. In addition, the company claims to have "cleaned botnet infections from more than 6.5 million computers worldwide," according to a Microsoft blog post.

Oddly, the Microsoft campus itself appears to have been the scene of a botnet crime. Two Microsoft-owned IP addresses were used to deliver spam messages for pharmaceutical products and initiate a denial-of-service attack on security-related Web site, according to media reports and a Microsoft blog. The problem stemmed from two misconfigured devices in the Microsoft corporate network that were exploited by "Russian criminals."

Software Vulnerabilities Decreasing
Software vulnerabilities, which can be leveraged by attackers to compromise programs once they are known, have been on the decline since the second half of 2006, according to the SIR Volume 9 report. The report ascribed this progress to "better development practices and quality control throughout the Industry."

Vulnerabilities rated "high" and "medium" according to the Common Vulnerability Scoring System have been declining in frequency over that same four-year period. However, vulnerabilities rated "low" have shown an upward trend in recent years. The report found a 41.6 increase in "low" severity vulnerability disclosures from the second half of 2009 to the first half of this year.

Application vulnerabilities represent the greatest source for security flaws in software, but that trend has been declining over the years. The report cited an 11.2 percent decrease in such application flaws since the second half of 2006.

Operating systems and Web browsers represent a lower percentage of software vulnerabilities, and that trend has stayed relatively flat over the last four years. However, the report noted that browser vulnerabilities now exceed those of operating systems for the first time in four years.

The report described vulnerabilities in Microsoft and non-Microsoft software products over the four-year period. It found that Microsoft's software accounted for "6.5 percent of all vulnerabilities disclosed in 1H10." That figure represents an increase from 5.3 percent in the second half of 2009. Vulnerabilities in non-Microsoft software have followed a general declining trend since the second half of 2006.

Vulnerability reporting by security expects is tracked in the report. Most vulnerabilities (79.1 percent) were reported privately to Microsoft rather than being fully disclosed to the public. Microsoft now refers to the private reporting of software security flaws as "coordinated vulnerability disclosure." The traditional name was "responsible disclosure." However, Microsoft made the nomenclature switch after a spat with a security researcher employed by Google who publicly disclosed a Windows XP flaw out of frustration with alleged delays by Microsoft.

Malware and Other Maladies
The report describes malware removed worldwide, based on statistics gathered from a number of Microsoft antimalware tools. Those solutions included "MSRT [Malicious Software Removal Tool], Microsoft Security Essentials, Windows Defender, Microsoft Forefront Client Security, Windows Live OneCare, and the Windows Live OneCare safety scanner," according to the report.

The United States holds first place in malware removal stats, with 9.6 million computers cleaned in the second quarter of 2010, according to the report. The next runner up was Brazil, with 2.3 million computers cleaned in that same period.

The malware cleaned from devices fell into 10 categories, with Trojans, worms and unwanted software topping the list. The stats in the report were affected by increased detections of "worm families Win32/Taterf and Win32/Autorun," along with the "Win32/Zwangi" family of unwanted software.

Windows 7, which was released in October of 2009, was attacked less frequently than Windows Vista and Windows XP, according to the report, based on the number of computers cleaned. The biggest target appears to be 32-bit Windows XP Service Pack 2, which Microsoft no longer supports with security updates.

Windows Server 2008 versions were cleaned somewhat less frequently of malware than Windows Server 2003 versions. However, Microsoft's report noted "higher infection rates for 64-bit versions of Windows Server 2003 SP2 and Windows Server 2008 SP2." Microsoft has sometimes said in its blogs that 64-bit systems are better protected against malware than 32-bit systems. The report ascribed the greater number of attacks on 64-bit Windows Server products to the "increasing popularity of 64-bit web and database servers for web applications."

Spam continues to clog Internet e-mail traffic, but more than 90 percent of it was blocked at the network's edge in 2010, according to the report. More than half of inbound e-mail traffic is spam messages about pharmaceuticals.

SQL injections attacks in the first half of this year were mostly associated with Web sites in Turkey, followed by "commercial entities" and "nonprofit organizations." SQL injection attacks are carried out by entering code into Web-form fields. The code is designed to either steal data from the underlying database or corrupt that data.