# Microsoft Security Intelligence Report ###### Volume 19 | January through June, 2015 ----- ----- This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Copyright © 2015 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. ----- **Authors** Charlie Anthe _Cloud and Enterprise Security_ Patti Chrzan _Microsoft Digital Crimes Unit_ Elia Florio _Microsoft Malware Protection_ _Center_ Chad Foster _Bing_ Paul Henry _Wadeware LLC_ **Contributors** Peter Cap _Microsoft Malware Protection_ _Center_ Bulent Egilmez _Office 365 - Information_ _Protection_ Tanmay Ganacharya _Microsoft Malware Protection_ _Center_ Kathryn Gillespie _Microsoft IT_ Jeff Glover _Microsoft IT_ Roger Grimes _Microsoft IT_ Satomi Hayakawa _CSS Japan Security Response_ _Team_ Jeff Jones _Corporate Communications_ Nam Ng _Worldwide Cybersecurity &_ _Data Protection_ Niall O'Sullivan _Microsoft Digital Crimes Unit_ Daryl Pecelj _Microsoft IT Information_ _Security and Risk_ _Management_ Ben Hope _Microsoft Malware Protection_ _Center_ Yurika Kakiuchi _CSS Japan Security Response_ _Team_ Jenn LeMond _Microsoft IT_ Alisha Mark _Corporate Communications_ Dolcita Montemayor _Microsoft Malware Protection_ _Center_ Daric Morton _Microsoft Services_ Jeong Mun _Microsoft Malware Protection_ _Center_ Anthony Penta _Safety Platform_ Ina Ragragio _Microsoft Malware Protection_ _Center_ Tim Rains _Worldwide Cybersecurity &_ _Data Protection_ Paul Rebriy _Bing_ Cody Nicewanner _Operating Systems Group_ Wendi Okun _Legal & Corporate Affairs_ Ferdinand Plazo _Microsoft Malware Protection_ _Center_ Laura A. Robinson _Microsoft IT_ Norie Tamura _CSS Japan Security Response_ _Team_ Steve Wacker _Wadeware LLC_ Vladimir Zubko _Microsoft Malware Protection_ _Center_ ----- ## Table of contents **About this report .......................................................................................................................... v** **Foreword ........................................................................................................................................ vi** ###### Featured intelligence 1 **STRONTIUM: A profile of a persistent and motivated adversary .................................. 3** Adversary profile ............................................................................................................................... 3 How STRONTIUM attacks a target ............................................................................................... 4 Establishing control .......................................................................................................................... 10 Taking action ..................................................................................................................................... 13 Guidance ............................................................................................................................................. 16 **Focus on Brazil: Win32/Banload and Banking Malware ................................................ 21** Distribution and trends ................................................................................................................... 21 Propagation and technical details .............................................................................................. 23 Guidance ............................................................................................................................................ 26 ###### Worldwide threat assessment 29 **Vulnerabilities .............................................................................................................................. 31** Industry-wide vulnerability disclosures ...................................................................................... 31 Vulnerability severity ...................................................................................................................... 33 Vulnerability complexity ................................................................................................................ 34 Operating system, browser, and application vulnerabilities................................................ 35 Microsoft vulnerability disclosures .............................................................................................. 37 Guidance: Developing secure software .................................................................................... 38 **Exploits ........................................................................................................................................... 40** Exploit families .................................................................................................................................. 42 Exploit kits .......................................................................................................................................... 44 Java exploits ...................................................................................................................................... 47 Operating system exploits ............................................................................................................ 50 Document exploits .......................................................................................................................... 52 Adobe Flash Player exploits .......................................................................................................... 52 Browser exploits ............................................................................................................................... 53 Exploit detection with Internet Explorer and IExtensionValidation .................................... 55 Exploits used in targeted attacks ................................................................................................. 56 ----- **Malware and unwanted software ......................................................................................... 58** Brantall, Rotbrow, and Filcout...................................................................................................... 60 Malware and unwanted software worldwide .......................................................................... 60 Microsoft and partners disrupt the Simda.AT botnet ........................................................... 68 Threat categories ............................................................................................................................ 69 Threat families .................................................................................................................................. 74 Home and enterprise threats ....................................................................................................... 82 Security software use ..................................................................................................................... 87 Advanced Threat Protection takes malware defense to the next level ............................ 94 Guidance: Defending against malware ..................................................................................... 98 **Malicious websites..................................................................................................................... 99** Phishing sites ...................................................................................................................................100 Malware hosting sites ...................................................................................................................103 Drive-by download sites ..............................................................................................................105 Guidance: Protecting users from unsafe websites ................................................................108 ###### Mitigating risk 109 **Malware at Microsoft: Dealing with threats in the Microsoft environment ........... 111** Antimalware usage ......................................................................................................................... 111 Malware detections ....................................................................................................................... 112 Malware infections ......................................................................................................................... 115 What IT departments can do to protect their users ............................................................. 117 ###### Appendixes 121 **Appendix A: Threat naming conventions ......................................................................... 123** **Appendix B: Data sources ....................................................................................................... 125** **Appendix C: Worldwide encounter and infection rates ............................................... 127** **Glossary ........................................................................................................................................ 132** **Threat families referenced in this report ........................................................................... 141** **Index ............................................................................................................................................. 148** ----- ## About this report The Microsoft Security Intelligence Report (SIR) focuses on software vulnerabilities, software vulnerability exploits, malware, and unwanted software. Past reports and related resources are available for download at [www.microsoft.com/sir. We hope that readers find the data, insights, and](http://www.microsoft.com/sir) guidance provided in this report useful in helping them protect their organizations, software, and users. **Reporting period** This volume of the Microsoft Security Intelligence Report focuses on the first and second quarters of 2015, with trend data for the last several quarters presented on a quarterly basis. Because vulnerability disclosures can be highly inconsistent from quarter to quarter and often occur disproportionately at certain times of the year, statistics about vulnerability disclosures are presented on a half-yearly basis. Throughout the report, half-yearly and quarterly time periods are referenced using the nHyy or nQyy formats, in which yy indicates the calendar year and n indicates the half or quarter. For example, 1H15 represents the first half of 2015 (January 1 through June 30), and 4Q14 represents the fourth quarter of 2014 (October 1 through December 31). To avoid confusion, please note the reporting period or periods being referenced when considering the statistics in this report. **Conventions** [This report uses the Microsoft Malware Protection Center (MMPC) naming](http://www.microsoft.com/mmpc) standard for families and variants of malware. For information about this standard, see “Appendix A: Threat naming conventions” on page 123. In this report, any threat or group of threats that share a common unique base name is considered a family for the sake of presentation. This consideration includes threats that may not otherwise be considered families according to common industry practices, such as generic detections. For the purposes of this report, a threat is defined as a malware or unwanted software family or variant that is detected by the Microsoft Malware Protection Engine. ----- ## Foreword Welcome to Volume 19 of the Microsoft Security Intelligence Report (SIR). I’ve contributed to the SIR for almost ten years now. If I had to describe how the threat landscape has changed during that time using only one word, I’d say it’s “cumulative.” Ten years ago we reported on a range of threats that included trojans, worms, trojan downloaders & droppers, exploits, bots (backdoor trojans), among others. These types of threats were primarily motivated by a desire to disrupt networks, as worms did years earlier, or to seek profit. Fast forward ten years and we still see the same categories of threats and even some of the same threat families employed. During this time, attackers have had to evolve their tactics to get malware onto computers that have also been evolving with continuously elevating security levels. As vulnerabilities in operating systems have become harder to find and exploit, attackers have relied increasingly on social engineering to compromise computer systems. In addition to these types of attacks, we have seen more threat actors with different motivations emerge over the years, including hacktivists and practitioners of military and economic espionage. Rogue security software or fake antivirus software that was used to trick people into installing malware and disclosing credit card information to attackers has been replaced by ransomware that seeks to extort victims by encrypting their data. Commercial exploit kits now dominate the list of top exploits we see trying to compromise unpatched computers, which means the exploits that computers are exposed to on the Internet are professionally managed and constantly optimized at an increasingly quick rate. Targeted attacks have become common as opposed to the exception. Attackers continue to try to use the tactics that they did years ago, and have added to their repertoire of dirty tricks. This is why I use the word “cumulative” to describe how things have changed. If I could use a second word to describe how they have changed I would use “accelerated.” The focus and pace that some attackers have been demonstrating recently have certainly increased over time. ----- Notice I didn’t use the word “advanced.” Although attackers have accumulated more tricks and tactics and seem to be using them in a more focused, fastpaced way, they still focus on a relatively small number of ways to compromise computers, including: - Unpatched vulnerabilities - Misconfigured computers - Weak passwords - Social engineering The great news if you are a CISO or security professional is that you’ve never had so much information and so many security capabilities and tools as you do today to defend your organization’s data. Please enjoy the report. Tim Rains Chief Security Advisor Enterprise Cybersecurity Group Microsoft ----- ----- ### Featured intelligence **STRONTIUM: A profile of a persistent and motivated** **adversary .......................................................................................... 3** **Focus on Brazil: Win32/Banload and Banking Malware .. 21** ----- ----- ## STRONTIUM: A profile of a persistent and motivated adversary A research team at the Microsoft Malware Protection Center (MMPC) proactively monitors the threat landscape for emerging threats. Part of this job involves keeping tabs on targeted attack groups, which are often the first ones to introduce new exploits and techniques that are later used widely by other attackers. One such group, which Microsoft has code-named STRONTIUM, is of particular interest because of its aggressive, persistent tactics and techniques, and its repeated use of new zero-day exploits to attack its targets. Microsoft is sharing some of the information it has gathered on this prominent attack group in the hope that it will raise awareness of the group’s activities and help organizations take immediate advantage of available mitigations that can significantly reduce the risks that they face from this and similar groups. **Adversary profile** STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is Microsoft’s code name for this group, following its internal practice of assigning chemical element names to activity groups; other researchers have used code names such as APT28,[1] _Sednit,[2]_ _Sofacy,[3] and Fancy Bear as labels for a group or groups that have displayed_ 1 _APT28: A Window into Russia’s Cyber Espionage Operations?, FireEye, Inc., October 14, 2014,_ [https://www2.fireeye.com/apt28.html.](https://www2.fireeye.com/apt28.html) 2 Loucif Kharouni et al., Operation Pawn Storm: Using Decoys to Evade Detection, Trend Micro, October 22, [2014, www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-decoys-deliver-sednit) [decoys-deliver-sednit.](http://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/pawn-storm-espionage-attacks-use-decoys-deliver-sednit) 3 _[Tactical Intelligence Bulletin: Sofacy Phishing, PwC, October 22, 2014, pwc.blogs.com/files/tactical-](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf)_ [intelligence-bulletin---sofacy-phishing-.pdf.](http://pwc.blogs.com/files/tactical-intelligence-bulletin---sofacy-phishing-.pdf) ----- activity similar to the activity observed from STRONTIUM. The group’s persistent use of spear phishing tactics and access to previously undiscovered zero-day exploits have made it a highly resilient threat. **How STRONTIUM attacks a target** STRONTIUM primarily uses two kinds of attack. It uses spear phishing—phishing attempts targeted at specific individuals—to perform reconnaissance and steal ##### Whereas most modern untargeted malware is ultimately profit login credentials to gather information about potential highvalue targets associated with the institution under attack. Following the reconnaissance phase, it uses a variety of methods to infect the computers of high-value targets with malware, often by exploiting previously unknown vulnerabilities in browser add-ons and other software. Reconnaissance and target identification ##### oriented, STRONTIUM typically begins its attack on an institution by identifying and profiling potential victims with connections to ##### STRONTIUM the institution. Microsoft has seen indications that STRONTIUM ##### mainly seeks relies on open-source intelligence (OSINT), such as email lists sensitive and information harvested from public forums or social networking sites, to identify targets for spear phishing. Microsoft ##### information. also believes that STRONTIUM relies on past successful phishing attacks to augment its dataset, by making use of any email communications it can identify between prior targets and the current target. STRONTIUM casts a wide net with its reconnaissance activities, seeking login credentials for email and other systems from a large number of people, which it then weeds through to assess its value. Microsoft believes STRONTIUM used its spear phishing attacks to target several thousand individuals during the first half of 2015. Although STRONTIUM isn’t choosy with its targets, it is persistent. When STRONTIUM identifies an individual to target, the group will repeatedly conduct spear phishing attacks against it over a long duration, possibly a year or more, until one of the attempts succeeds. STRONTIUM’s spear phishing modus operandi focuses on making the recipient concerned about unauthorized use of an account. A recent attack campaign involved sending messages with the subject line “Privacy alert” purporting to originate from a well-known email service, informing the user that their account ----- has been accessed from an unrecognized device in a different country. Because the targeted individuals are often professionals who have access to sensitive information, this can be an effective way to entice users to click a “change password” link that actually leads to a webpage under the attacker’s control. Figure 1. An example of a credential-stealing spear phishing message sent by STRONTIUM Typically, the link will lead to a domain name that is similar to a legitimate domain name used by the service in an effort to fool the user into thinking the message is legitimate. Figure 2 lists some examples. Figure 2. Examples of domain names spoofed by STRONTIUM in recent attacks **Legitimate domain name** **Spoofed domain name controlled by STRONTIUM** accounts.google.com accounts.g00qle.com us-mg6.mail.yahoo.com us-mg6mailyahoo.com profile.live.com privacy-live.com mail.ukr.net mail-ukr.net www.nato.int nato-news.com www.bbc.com bbc-press.org www.osce.org osce-press.com www.eff.org electronicfrontierfoundation.org If the attack is successful, STRONTIUM uses the captured credentials to access the victim’s email account to identify additional targets and for additional analysis and attacks. Even if the recipient doesn’t enter their login credentials |Legitimate domain name|Spoofed domain name controlled by STRONTIUM| |---|---| |accounts.google.com|accounts.g00qle.com| |us-mg6.mail.yahoo.com|us-mg6mailyahoo.com| |profile.live.com|privacy-live.com| |mail.ukr.net|mail-ukr.net| |www.nato.int|nato-news.com| |www.bbc.com|bbc-press.org| |www.osce.org|osce-press.com| |www.eff.org|electronicfrontierfoundation.org| ----- into the malicious webpage, the act of clicking the link can provide STRONTIUM with valuable information. In addition to providing STRONTIUM with the recipient’s IP address, clicking the link transmits a user-agent string to the web server that typically includes details about the recipient’s browser and operating system versions, and sometimes includes information about the browser addons the recipient is using. This can provide STRONTIUM with insight into what software is deployed in the organization, and possibly help it plan future driveby download activities. Figure 3. JavaScript is used to collect information about the visitor’s browser for drive-by download attacks Attacking the target The ultimate goal of the reconnaissance phase is to compile a list of high-value individuals who have information or access that STRONTIUM wants. With this list at hand, the group moves to the next phase of operations: installing malware on ----- the high-value targets’ computers, and thereby gaining access to the institution’s network. STRONTIUM primarily uses email to deliver malware to targeted individuals, although some researchers have reported delivery through social networking channels as well. Typical messages, such as the one shown in Figure 4, are tied to current events: an upcoming conference, for example, or a real world news event in which the recipient might be interested. STRONTIUM’s email senders are usually associated with well-known email providers, and use plausibleseeming names and titles that are designed to give the messages credibility. Depending on the specific attack used, the message typically includes a link for “additional information,” which will launch a drive-by download or social engineering attack when clicked. Other messages include malicious attachments instead of links, typically a document file containing an exploit. Figure 4. An example of a lure email message sent by STRONTIUM ``` Subject: Mission_In_Central_African_Republic *Dear Sir!* Please be advised that The Spanish Army personnel and a large number of the Spanish Guardia Civil officers currently deployed in the Central African Republic (CAR) as part of the European EUFOR RCA mission will return to Spain in early March as the mission draws to a close. Visit http://eurasiaglobalnews.com/YYY-spains-armed-forces-conclude-mission-centralafrican-republic/ for the addition info. *Best regards,* *Capt. John Smith, Defence Adviser, Public Diplomacy Division NATO, Brussels defence.adviser.smith@gmail.com * ``` Little is known about how and what information STRONTIUM gathers to tailor its attacks to specific high-value individuals. As discussed earlier, the user-agent and potential fingerprinting information gathered from phishing victims may play a part in planning the individual attacks by giving the group insight into what software may be in widespread use within the institution. In general, ----- STRONTIUM can take advantage of a variety of attacks that span general tactics and cover a wide range of technologies, including zero-day exploits. Zero-day exploits—exploits that target vulnerabilities for which the affected software vendor has not yet released a security update—form a significant part of STRONTIUM’s arsenal. It is not yet clear whether the group researches vulnerabilities and develops the exploits themselves, or purchases them on the black market. Microsoft researchers have observed STRONTIUM moving swiftly to take ##### Zero-day exploits form a significant part of STRONTIUM’s arsenal. advantage of newly disclosed vulnerabilities; notably, the group deployed a number of zero-day exploits disclosed in a July 2015 leak of information from the security company Hacking Team. In other cases, STRONTIUM deployed exploits within days of a vendor releasing a security update that addressed the associated vulnerability, relying on the fact that not everyone installs security updates immediately after they are published. The exploits used by STRONTIUM include a wide range of products from multiple vendors, including Adobe Flash Player, the Oracle Java Runtime Environment (JRE), Microsoft Word and Internet Explorer, and some components of the Windows kernel. Figure 5 lists some of the exploits used by STRONTIUM in recent campaigns, including a number of zero-day exploits (shaded). All of the vulnerabilities listed in Figure 5 were quickly addressed by security updates as part of the vendors’ rapid response processes. (See “Guidance” on page 16 for information about how organizations can use up-todate software to defend against targeted attacks.) Figure 5. Some of the exploits used by STRONTIUM in attack campaigns in 2014 and 2015 **Security feature** **bypass** **Social engineering-** **based attack** |Col1|Java CVE-2015-4902 (0-day)| |---|---| ||| |Col1|Firefox Bootstrapped Add-on (XPI)| |---|---| ||| |Col1|Microsoft Word CVE-2015-2424 (0-day)| |---|---| ||| |Col1|ATMFD CVE-2015-2387 (0-day)| |---|---| ||| |Col1|Internet Explorer CVE-2014-1776 CVE-2014-6332 CVE-2014-3897| |---|---| ||| ----- In addition to using zero-day exploits, STRONTIUM also makes use of exploits that target older vulnerabilities for which security updates have been available for a long time. Microsoft believes that in some cases, the group learns during the reconnaissance phase that the targeted institution may be exposed to risks by running older or out-of-support platforms and software, by not testing and applying security updates quickly, or by not taking advantage of the latest mitigations and defense mechanisms shipped with more recent product versions—and then acts accordingly. In a development observed in October 2015, the shellcode that executes after a successful memory corruption exploit displayed a number of characteristics that researchers had not observed from the malware previously: - API resolution: ROR 0x0D hashing, resolution made just before using the API - Downloader: usage of HttpQueryInfo and WININET to fetch remote payloads in memory - Compression: usage of ntdll!RtlDecompressBuffer()LZNT1 compression for remote payloads - Privilege escalation: executed as DLL, but in-memory (diskless) Figure 6. In-memory decompression and execution of remote payloads performed by STRONTIUM shellcode In addition to relying on exploits, STRONTIUM also uses social engineering to trick victims into installing malware. Since March of 2015, for example, Microsoft has observed STRONTIUM successfully compromising Mozilla Firefox users by convincing them to install a malicious browser add-on based on a publicly available module (“Bootstrapped Addon Social Engineering Code Execution”) developed for the Metasploit security testing framework. ----- Figure 7. STRONTIUM installs malware via a malicious bootstrapped add-on in Mozilla Firefox **Establishing control** After gaining administrative privileges on the computer through an exploit or social engineering, STRONTIUM uses a dropper to deploy a backdoor component, CORESHELL, which eventually downloads other modules. (Microsoft products sometimes detect the primary components as variants in [the Win32/Foosace family, although the group has used other malware in the](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Foosace) past.) The DLL backdoor is installed via execution of rundll32 with an export named “init” or “InitW.” The dropper deletes itself after execution, while the DLL backdoor and any additional components are typically copied under the following folders: - C:\Program Files\Common Files\Microsoft Shared\MSInfo\ - C:\Users\\AppData\Local\Microsoft Help\ - C:\ProgramData\ The dropper also writes the command and control (C&C) configuration information to the registry or an encrypted file. This strategy complicates forensic discovery of the attacker’s infrastructure if the backdoor DLL is discovered, because the configuration information must be located separately. ----- Figure 8. Command & control configuration locations used by STRONTIUM **Format** **Path** HKEY_CURRENT_USER\ Registry Software\Microsoft\Windows\CurrentVersion\Explorer\ File (Windows XP) %ALLUSERSPROFILE%\msd File (other Windows) %PROGRAMDATA%\msd STRONTIUM ensures that its backdoor will run every time the computer starts by creating autostart extensibility point (ASEP) registry entries and shortcuts, which differ depending on what the attacker has chosen for the victim and which backdoor variant is used. (See “Advanced Malware Cleaning Techniques for the [IT Professional” on page 96 of Microsoft Security Intelligence Report, Volume 11](http://www.microsoft.com/download/details.aspx?id=27605) _[(January–June 2011), available from the Microsoft Download Center, for](http://www.microsoft.com/download/details.aspx?id=27605)_ guidance on using Sysinternals tools to monitor ASEPs for signs of malware infection.) The most common ASEPs used by STRONTIUM for its malware include the following: - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ Explorer\Shell Folders\ - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ Explorer\ShellServiceObjectDelayLoad\ - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Explorer\Shell Folders\ - HKEY_CURRENT_USER\Environment\UserInitMprLogonScript = - %ALLUSERSPROFILE%\Application Data\Microsoft\Internet Explorer\ Quick Launch\ - %USERPROFILE%\Application Data\Microsoft\Internet Explorer\ Quick Launch\ The STRONTIUM backdoor is composed of several pieces with different functions. The attacker can deploy a large set of tools to perform tasks including key logging, email address and file harvesting, information gathering about the local computer, and remote communication with C&C servers. STRONTIUM also uses a component that is designed to infect connected USB storage devices, so that information can be captured from air-gapped computers that are not on |Format|Path| |---|---| |Registry|HKEY_CURRENT_USER\ Software\Microsoft\Windows\CurrentVersion\Explorer\| |File (Windows XP)|%ALLUSERSPROFILE%\msd| |File (other Windows)|%PROGRAMDATA%\msd| ----- the network when a user transfers the USB device to the air-gapped computer and then back to the network again. Figure 9. Different types of STRONTIUM components and filenames used during recently observed incidents **USB air gap** **backdoor** |Col1|SupUpNvidia.exe| |---|---| ||| |Col1|psw.exe| |---|---| ||| |Col1|servicehost.exe| |---|---| ||| |Col1|MicrosoftSup.dll| |---|---| ||| |Col1|api-ms-win- [random].dll| |---|---| ||| The STRONTIUM group also appears to be active on non-Windows systems. Microsoft has seen solid indicators that STRONTIUM used malicious backdoors to take control of proxy servers, mail servers, and other systems ##### The STRONTIUM running the Linux operating system. Microsoft also observed the group also appears group using domains that seem to be customized for different operating systems, including mac.softupdates.info and ##### to be active on _linux.softupdates.info. Although Microsoft does not generally_ ##### non-Windows study attacks on non-Windows systems, a multiplatform attack systems. strategy is very much in line with what has been observed about STRONTIUM in general—that they have capabilities that cover a wide range of technologies—and any incident response against this adversary should take both Windows and non-Windows computers into consideration. ----- **Taking action** The STRONTIUM backdoor can communicate over different network protocols, including HTTP, SMTP, and POP3. Typically, the backdoor tests its connectivity with a series of HTTP POST requests to legitimate websites, and then establishes communication with its C&C servers. The domains STRONTIUM uses for its C&C servers are typically designed The domains to avoid attracting attention if administrators notice them ##### STRONTIUM uses when reviewing network traffic, such as softupdates.info and _malwarecheck.info, suggestive of software update and_ are designed to malware reputation services. avoid attracting In recent incidents during 2015, Microsoft observed attention. STRONTIUM using a tunnel component designed to provide a remote encrypted interactive shell to a pre-configured IP address using proxy software on the victim’s computer, such as the popular open-source Squid proxy. The tunneling module, which is customized for different targets, is slightly larger than 1 MB and is statically linked with an OpenSSL library. Based on debug information left in some samples, some researchers have reported that the name of the component may be “XAPS OBJECTIVE” or “XTUNNEL.”[4] The C&C server for this tunnel could be either hardcoded in the binary or passed as a command-line parameter at startup. Figure 10. "XAPS" in the STRONTIUM tunnel module binary Samples for this component include the items in the following table: 4 Gastbeitrag, “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party [Infrastructure in Bundestag,” Netzpolitik.org, June 19, 2015, https://netzpolitik.org/2015/digital-attack-on-](https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/) [german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/.](https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/) ----- Figure 11. Known samples for the STRONTIUM XAPS tunnelling component **MD5 hash** **SHA-1 hash** **File name** 800af1c9d341b846a856a1e686be6a3e 0450aaf8ed309ca6baf303837701b5b23aac6f05 svehost.dll 9d86ba47a0b876cdc7fb0c9ad471cd67 64515c7ce8bcc656d54182675bd2d9ffceffe845 svchosl.exe 1957f5370d584a2acd74179340ef3005 3ec270193815fa2bd853ea251d93fdfffcbc40d6 svehost.exe f5a54476d3d05c8f0804f3d2d5818928 e5039bb420f9a3a23aaa9ee7392bd05dfee42540 svehost.exe 4ac8d16ff796e825625ad1861546e2e8 1535d85bee8a9adb52e8179af20983fb0558ccb3 servicehost.exe After gaining a foothold on one computer, STRONTIUM attempts to move laterally through the organization by compromising additional computers to gain access to more data and high-value targets. STRONTIUM uses publicly available tools such as WinExe (a remote command-line execution tool) and Mimikatz (a Windows credential gathering tool) to move between computers via methods such as Pass the Hash (PtH). In recent incidents Microsoft observed STRONTIUM using a customized version of Mimikatz that was recompiled with a [privilege escalation exploit (CVE-2015-1701, addressed by Security Bulletin](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701) [MS15-051) and stored captured credential information in a dedicated file, pi.log.](https://technet.microsoft.com/library/security/ms15-051.aspx) Figure 12. A customized version of Mimikatz storing passwords in the file pi.log STRONTIUM has displayed an advanced understanding of military and classified government networks, and uses a component that is designed to extract information from air-gapped computers. This module registers a device callback |MD5 hash|SHA-1 hash|File name| |---|---|---| |800af1c9d341b846a856a1e686be6a3e|0450aaf8ed309ca6baf303837701b5b23aac6f05|svehost.dll| |9d86ba47a0b876cdc7fb0c9ad471cd67|64515c7ce8bcc656d54182675bd2d9ffceffe845|svchosl.exe| |1957f5370d584a2acd74179340ef3005|3ec270193815fa2bd853ea251d93fdfffcbc40d6|svehost.exe| |f5a54476d3d05c8f0804f3d2d5818928|e5039bb420f9a3a23aaa9ee7392bd05dfee42540|svehost.exe| |4ac8d16ff796e825625ad1861546e2e8|1535d85bee8a9adb52e8179af20983fb0558ccb3|servicehost.exe| ----- via RegisterDeviceNotification[5] and receives a notification every time a USB mass storage device is inserted into a compromised computer. Depending on the variant deployed, the backdoor may simply harvest the entire contents of the USB device and save it on the local computer for later extraction, or it may [also use Autorun malware to transfer itself to the device so that it can attempt to](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) compromise any other computers it is later inserted into, including air-gapped computers.[6] Figure 13. The device notification routine registered by a STRONTIUM USB module Some STRONTIUM victims have reported the presence of computers running Kali Linux on their networks. Kali Linux is a Linux distribution that combines a variety of tools for the purpose of penetration testing and security assessment. It contains tools for password attacks, sniffing & spoofing, maintaining access, hardware hacking, reverse engineering, information gathering, vulnerability analysis, wireless attacks, web application attacks, stress testing, and forensic and [5 See msdn.microsoft.com/library/windows/desktop/aa363431%28v=vs.85%29.aspx for more information](http://msdn.microsoft.com/library/windows/desktop/aa363431%28v=vs.85%29.aspx) about this function. 6 Changes to the way the AutoRun feature works make it more difficult for this technique to succeed in recent [versions of Windows. See blogs.technet.com/b/security/archive/2011/06/27/defending-against-autorun-](http://blogs.technet.com/b/security/archive/2011/06/27/defending-against-autorun-attacks.aspx) [attacks.aspx for more information.](http://blogs.technet.com/b/security/archive/2011/06/27/defending-against-autorun-attacks.aspx) ----- exploitation analysis. The tool lists within each category are quite extensive and the distribution is actively maintained, so that STRONTIUM can always take advantage of the latest open-source tools. STRONTIUM does not deploy this Linux distribution on an existing computer that belongs to the targeted institution; rather, it uses a VPN connection to join one of its own Kali Linux computers to the victim’s network, possibly using the tunnel component that was previously deployed. This approach allows STRONTIUM to only ephemerally expose its toolset to the victim’s network. **Guidance** STRONTIUM is a very challenging adversary for a targeted institution to defend against: it possesses a broad range of technical exploitation capabilities, significant access to resources such as previously undiscovered zero-day exploits, and the determination to keep up an attack for months or years until it succeeds. Nevertheless, there are steps an organization can take to significantly reduce its attack surface and decrease the probability of a successful compromise. ##### STRONTIUM is a challenging adversary for a targeted institution to defend against. - Stay up-to-date on vendor security updates and deploy them quickly after they are released. All of the exploits discussed in this section have been addressed by security updates from Microsoft and other vendors. STRONTIUM depends heavily on the presence of out-of-date software installations inside target institutions, so keeping software up-to-date denies the group the use of some of its most effective tools. - Take advantage of the mitigations built into your software. Recent versions of Windows and other software include critical mitigations that render many of STRONTIUM’s exploits ineffective when deployed. Figure 5 on page 8 lists a number of zero-day exploits that STRONTIUM has used in recent campaigns. Most of these exploits will fail if tried on a computer running the latest versions of Windows and Office, even without security updates that address the vulnerabilities: - [The STRONTIUM exploits that target CVE-2015-1641 and CVE-2015-](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1641) 2424, which affect Microsoft Word and have been addressed by Security [Bulletins MS15-033 and MS15-070 respectively, depend on static hard-](https://technet.microsoft.com/library/security/ms15-033) coded ROP chains that fail when address space layout randomization ----- (ASLR) is enabled. Office 2013 and Office 2016 both run with ASLR enabled by default, rendering these exploits ineffective. Figure 14. Snippet of the ROP chain used in the CVE-2015-2424 exploit; it fails against Office installations with ASLR enabled - [The exploit targeting CVE-2015-3043, a vulnerability in Adobe Flash](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3043) [Player addressed by Adobe Security Bulletin APSB15-06, fails in Internet](https://helpx.adobe.com/security/products/flash-player/apsb15-06.html) Explorer running on an up-to-date installation of Windows 8.1 or Windows 10 because of Control Flow Guard, a mitigation introduced in a Windows 8.1 security update in November 2014. Control Flow Guard mitigates virtual function hijacking attempts such as the one involving the cancel() method shown in Figure 15. ----- Figure 15. Snippet from the STRONTIUM ActionScript exploit code targeting CVE-2015-3043 in Adobe Flash Player, which fails against CFG mitigation - [The kernel vulnerabilities exploited by STRONTIUM (CVE-2015-1701,](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701) [addressed by Security Bulletin MS15-051, and CVE-2015-2387,](https://technet.microsoft.com/library/security/ms15-051) [addressed by Security Bulletin MS15-077) could not work in Windows 8](https://technet.microsoft.com/library/security/ms15-077) and newer platforms running on hardware that supports Supervisor Mode Execution Protection (SMEP) and other kernel mitigations.[7] In fact, the exploit is coded to abort execution if running on an operating system other than Windows 7. [7 See “Exploit Mitigation Improvements in Windows 8” (https://media.blackhat.com/bh-us-](https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf) [12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf) for more information.](https://media.blackhat.com/bh-us-12/Briefings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_Slides.pdf) ----- Figure 16. STRONTIUM's CVE-2015-1701 exploit terminates execution on the newest versions of Windows - Enforce segregation of privileges on user accounts and apply all possible safety measures to protect Admin accounts from being compromised; STRONTIUM relies on pass-the-hash techniques and elevation of privileges [to successfully move laterally across networks. See “Mitigating Pass-the-](http://www.microsoft.com/download/details.aspx?id=36036) [Hash (PtH) Attacks and Other Credential Theft, Version 2,” available at the](http://www.microsoft.com/download/details.aspx?id=36036) Microsoft Download Center, for more information. - In enterprise environments in which isolated computer networks (airgapped) and Internet connected networks co-exist, enforce strong policies to prevent sharing and usage of removable media across the air gap. - Conduct enterprise software security awareness training, and build [awareness about malware infection prevention. STRONTIUM heavily relies](http://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx) on social engineering to entice individual targets into clicking links to malware. Security training can raise awareness around this attack vector. - Institute multi-factor authentication. As STRONTIUM extensively uses credential-stealing spear phishing attacks, multi-factor authentication can be an effective tool to prevent unauthorized access even if credentials are stolen. ----- - Prepare your network to be forensically ready, so that you can achieve containment and recovery if a compromise occurs. A forensically ready network that records authentications, password changes, and other significant network events can help to quickly identify affected systems. - Keep personnel and personal data private. STRONTIUM uses open-source intelligence (OSINT) to obtain its initial lists of victims, which might include things like name and email address, but can expand into employment information and other items of interest. These are all pieces of information STRONTIUM can use to devise a realistic attack. The more information STRONTIUM has available, the better they can target you. Make sure your email is kept confidential and privacy settings on social media don’t disclose sensitive information publicly. ----- #### Focus on Brazil: ## Win32/Banload and Banking Malware ###### Online banking is big business in Brazil, where more than half of all banking transactions have been made using Internet- connected devices in recent years.[8] Unfortunately, the popularity of online banking in Brazil has drawn the attention of criminals, who have made the country a world capital for banking malware for the last several years. [Win32/Banload, the most commonly encountered malware family in Brazil in](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Banload) 2Q15, is a generic detection for threats that download malware designed to steal banking credentials, which themselves are usually identified as other threats. (Encounter rates for these related threats are generally much lower than for Banload, in part because Microsoft real-time security products block Banload variants before they can download additional malware; therefore, examining Banload encounter rates is a useful proxy for understanding the banking malware problem in general.) Together, Banload Criminals have and its related families have been a major part of the ##### made Brazil a malware problem in Brazil for nearly ten years. ##### world capital for **Distribution and trends** ##### banking malware Although some variants have been found to target banks ##### for the last several elsewhere, Banload remains an almost exclusively Brazilian threat. More than 93 percent of Banload encounters in 2Q15 years. occurred in Brazil, and the encounter rate for Banload in Brazil was 2.1 percent in 2Q15, compared to 0.16 percent in Portugal, the location with the second highest Banload encounter rate. While Banload was the 8 Michael Oleaga, “Online Banking Growing in Brazil: More Than Half Made Digital Transactions in 2013,” Latin _[Post, April 2, 2014, http://www.latinpost.com/articles/9959/20140402/online-banking-growing-brazil-more-](http://www.latinpost.com/articles/9959/20140402/online-banking-growing-brazil-more-half-made-digital-transactions.htm)_ [half-made-digital-transactions.htm.](http://www.latinpost.com/articles/9959/20140402/online-banking-growing-brazil-more-half-made-digital-transactions.htm) ----- most commonly encountered threat family in Brazil in 2Q15, it ranked just 39th worldwide. Figure 17. The top ten countries/regions encountering Win32/Banload in 2Q15 2.5% 2.0% 1.5% 1.0% 0.5% 0.0% Brazil Portugal Turkey Bolivia Uruguay Sweden Argentina El Salvador Colombia Azerbaijan Worldwide Banload has consistently been encountered at much higher rates in Brazil than in the rest of the world. Over the past six quarters the encounter rate for Banload in Brazil has fluctuated between 1.0 percent and 2.1 percent, while the worldwide Banload encounter rate has ranged between 0.06 percent and 0.11 percent. Despite a generally rising trend that accelerated in 2Q15, the fluctuations shown in Figure 18 are fairly typical for Banload and do not necessarily presage significantly increased encounter rates in the future. ----- Figure 18. Banload encounter rate trends worldwide and in Brazil, 1Q14–2Q15 2.5% **Brazil** 2.0% 1.5% 1.0% 0.5% **Worldwide** 0.0% 1Q14 2Q14 3Q14 4Q14 1Q15 2Q15 **Propagation and technical details** Threats detected as Banload are created and distributed by many different parties, who may have little or no connection to each other. Most variants operate in similar ways. Banload might be installed by other malware, or use social engineering to trick the user into launching it. After it is installed, it contacts a remote host and downloads additional files, which then attempt to steal banking credentials and transmit them back to the attacker. Banload variants have been observed to connect to many different remote hosts, including malicious sites as well as legitimate Many Banload sites that have been compromised. As with many other variants attempt to malware families, the hosts are not confined to any particular ##### disable security region; attackers typically establish malicious hosts wherever a vulnerable server can be found to compromise. products installed ##### on the computer. Some Banload variants check the configured system language upon installation and only download additional files if it is set to Portuguese. Although Banload usually does not attempt to steal banking credentials itself, many variants transmit other details about the computer environment to the attacker, such as the computer name, user name, and Windows version. ----- Many Banload variants attempt to disable security products installed on the computer, including G-Buster Browser Defense, a browser add-on that many large Brazilian banks provide to their customers to protect banking sessions from malware. Some variants modify the registry so that Banload will automatically launch each time the computer is started. Win32/Banker and credential stealers The malware threats downloaded by Banload variants are often detected as [Win32/Banker and Win32/Bancos. Banker and Bancos are generic detections for](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Banker) data-stealing trojans that capture online banking credentials, such as account names and passwords, and relay the captured information to a remote attacker. As with Banload, these threats are created by many different people who often have no connection to each other apart from their common purpose of stealing banking credentials. Banker and Bancos variants typically monitor browser activity for banking sessions involving large and well-known Brazilian banks, including: - Banco Bradesco (bradesco.com.br) - Banco do Brasil (bb.com.br) - Banco do Estado do Rio Grande do Sul (banrisul.com.br) - Banco Itaú (itau.com.br) - Banco Safra (safra.com.br) - Banco Santander (santander.com.br) - Caixa Econômica Federal (caixa.gov.br) - Citibank (citibank.com.br) - HSBC (hsbc.com.br) As with Banload, many Banker and Bancos variants attempt to disable security products installed on the computer, including G-Buster Browser Defense, and modify the registry so the malware will automatically launch each time the computer is started. Win32/BrobanDel and boleto malware Another type of banking malware that has affected Brazil recently targets _boletos bancários, a popular payment method there. A boleto bancário, usually_ simply called a boleto, is a payment order generated by a merchant or other ----- payee, similar to an invoice. Boletos are popular in Brazil because they provide a mechanism for people to pay bills or other debts without having a bank account; they can be paid in cash at a wide range of locations, including banks, post offices, and supermarkets. In recent years, online boletos have become popular: payers receive them over the Internet and can either pay them electronically from a bank account or can print them out for payment like conventional paper boletos. It is these online boletos that have been targeted by a new type of banking malware. Figure 19. An example of a boleto bancário, a popular method of payment in Brazil Every boleto has a unique identification number that specifies the bank, payee, and amount to be paid, among other information. The identification number is printed at the top of the boleto and encoded as a barcode at the bottom. A [typical boleto malware variant (often detected as Win32/BrobanDel) installs itself](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/BrobanDel) as a browser add-on and monitors webpages for patterns that match a boleto. When it identifies a boleto, it alters the identification number so that when the recipient pays it, the money will be paid into an account controlled by the attacker, rather than the payee’s account. The malware may re-encode the barcode to match the altered number, or simply corrupt it so that it cannot be optically scanned, requiring the cashier to enter the identification number by hand. ----- Figure 20. A malicious extension installed by Win32/BrobanDel to detect and alter boletos New variants of Banload and the other families discussed in this section are discovered every day, and variants discovered in the future may exhibit different behaviors than those described here. Visit the Microsoft Malware Protection [Center encyclopedia at https://www.microsoft.com/mmpc for the latest](https://www.microsoft.com/mmpc) information about this and other threats. **Guidance** Effectively protecting users from malware requires an active effort on the part of [organizations and individuals. For in-depth guidance, see “Top security](http://www.microsoft.com/security/pc-security/solutions.aspx) [solutions” at the Microsoft Malware Protection Center website at](http://www.microsoft.com/security/pc-security/solutions.aspx) www.microsoft.com/mmpc. Specific steps that IT administrators and individual users can take to protect themselves from malware include the following: - Install security updates for all software as soon as is practical. Promptly installing security updates remains one of the best ways to defend against newly discovered threats. - Configure computers to use Microsoft Update rather than Windows Update to automatically receive updates for a wide range of Microsoft products. Ensure that security updates from other software vendors are distributed automatically when possible. ----- - Install a comprehensive, real-time antimalware product from a reputable vendor on all of your organization’s computers, and ensure that they receive frequent, regular definition or signature file updates. - Take advantage of advanced Windows security features such as User Account Control and AppLocker to prevent unauthorized programs from running without permission. - Use caution when clicking links to webpages and when opening attachments to email messages. - Use a web browser such as Internet Explorer or Microsoft Edge that offers advanced protection against phishing and malicious webpages. ----- ----- ## Worldwide threat assessment **Vulnerabilities ............................................................................. 31** **Exploits ......................................................................................... 40** **Malware and unwanted software ........................................ 58** **Malicious websites ................................................................... 99** ----- ----- ## Vulnerabilities ###### Vulnerabilities, in the context of computer security, are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the software. Some of the worst vulnerabilities allow attackers to exploit the compromised system by causing it to run malicious code without the user’s knowledge. **Industry-wide vulnerability disclosures** A disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators. The information in this section is compiled from vulnerability disclosure data that [is published in the National Vulnerability Database (NVD), the US government’s](http://nvd.nist.gov/) repository of standards-based vulnerability management data at nvd.nist.gov. The NVD represents all disclosures that have a published CVE (Common Vulnerabilities and Exposures) identifier.[9] Figure 21 illustrates the number of vulnerability disclosures across the software industry for each half-year period since 2H12. (See “About this report” on page v for an explanation of the reporting period nomenclature used in this report.) 9 CVE entries are subject to ongoing revision as software vendors and security researchers publish more information about vulnerabilities. For this reason, the statistics presented here may differ slightly from comparable statistics published in previous volumes of the Microsoft Security Intelligence Report. ----- Figure 21. Industrywide vulnerability disclosures, 2H12–1H15 5,000 4,500 4,000 3,500 3,000 2,500 2,000 1,500 1,000 500 0 2H12 1H13 2H13 1H14 2H14 1H15 - After increasing significantly in 2H14, vulnerability disclosures across the industry decreased 34.7 percent in 1H15 to just under 3,000, very close to the level seen a year previously in 1H14. - The large increase in disclosures in 2H14 was predominantly the result of work performed by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC) in September and October 2014 to scan Android applications in the Google Play Store for man-in-the-middle vulnerabilities using an automated tool.[10] CERT/CC determined that thousands of Android apps fail to properly validate SSL certificates provided by HTTPS connections, which could allow an attacker on the same network as an Android device to perform a man-in-the-middle attack on the device.[11] This project resulted in the creation of almost 1400 individual CVEs affecting thousands of different publishers of Android apps and code libraries. With no comparable research projects having been undertaken in 1H15, the total number of disclosures returned to a more typical level, as expected. 10 Will Dormann, “Finding Android SSL Vulnerabilities with CERT Tapioca,” Cert/CC Blog, September 3, 2014, [www.cert.org/blogs/certcc/post.cfm?EntryID=204.](http://www.cert.org/blogs/certcc/post.cfm?EntryID=204) 11 CERT Coordination Center, “Vulnerability Note VU#582497: Multiple Android applications fail to properly [validate SSL certificates,” Vulnerability Notes Database, www.kb.cert.org/vuls/id/582497.](http://www.kb.cert.org/vuls/id/582497) ----- **Vulnerability severity** The Common Vulnerability Scoring System (CVSS) is a standardized, platformindependent scoring system for rating IT vulnerabilities. The CVSS base metric assigns a numeric value between 0 and 10 to vulnerabilities according to [severity, with higher scores representing greater severity. (See A Complete](https://www.first.org/cvss/cvss-v2-guide.pdf) [Guide to the Common Vulnerability Scoring System Version 2.0 at first.org for](https://www.first.org/cvss/cvss-v2-guide.pdf) more information.) Figure 22. Industrywide vulnerability disclosures by severity, 2H12–1H15 3,500 3,000 2,500 2,000 1,500 1,000 500 0 2H12 1H13 2H13 1H14 2H14 1H15 - Disclosures of medium-severity vulnerabilities—those with CVSS scores from 4 to 7.9—dropped by nearly half from 2H14, but remained the most common type of vulnerability in 1H15. A research project in 2H14 uncovered SSL vulnerabilities in a large number of Android apps in the Google Play store, explaining the rise and subsequent fall of medium-severity vulnerabilities. (See page 32 for more information about this project.) - By contrast, the number of disclosures of high-severity and low-severity vulnerabilities remained mostly stable, with both categories increasing by less than 2 percent from 1H14 to 2H14. High-severity vulnerabilities accounted for the second-highest share of vulnerability disclosures in 1H15, at 32.5 percent, and low-severity vulnerabilities accounted for the smallest share, at 10.4 percent. ----- - As shown in Figure 23, the highest-severity vulnerabilities—those scoring 9.9 or higher on the CVSS scale—accounted for 7.6 percent of all vulnerabilities in 1H15. Figure 23. Industrywide vulnerability disclosures in 1H15, by severity Medium (4–6.9) 57.1% High (7–9.8) 24.9% High Low (0–3.9) (9.9 +) 10.4% 7.6% **Vulnerability complexity** Some vulnerabilities are easier to exploit than others, and vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily. The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or [High. (See A Complete Guide to the Common Vulnerability Scoring System](https://www.first.org/cvss/cvss-v2-guide.pdf) [Version 2.0 at first.org for more information about the CVSS complexity ranking](https://www.first.org/cvss/cvss-v2-guide.pdf) system.) Figure 24 shows complexity trends for vulnerabilities disclosed since 2H12. Note that Low complexity in Figure 24 indicates greater risk, just as High severity indicates greater risk in Figure 22. ----- Figure 24. Industrywide vulnerability disclosures by access complexity, 2H12–1H15 3,000 2,500 2,000 1,500 1,000 500 0 2H12 1H13 2H13 1H14 2H14 1H15 - Disclosures of low-complexity vulnerabilities—those that are the easiest to exploit—decreased slightly in 1H15, but accounted for the largest category of disclosures, at 56.3 percent of all disclosures. - Medium-complexity vulnerabilities decreased 54.9 percent from 2H14 to 1H15 to account for 42.4 percent of all vulnerabilities for the period. A research project in 2H14 uncovered SSL vulnerabilities in a large number of Android apps in the Google Play Store, explaining the increase and subsequent decrease of mediumcomplexity vulnerabilities. (See page 32 for more information about this project.) ##### A research project in 2H14 uncovered SSL vulnerabilities in a large number of Android apps. - Disclosures of high-complexity vulnerabilities decreased slightly in 1H15, and accounted for 1.0 percent of all disclosures for the period. **Operating system, browser, and application vulnerabilities** Comparing vulnerabilities that affect a computer’s operating system to vulnerabilities that affect other components, such as applications and utilities, requires a determination of whether the affected component is considered part of the operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems. ----- Some programs (media players, for example) ship by default with some operating system software but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing. To facilitate analysis of operating system and browser vulnerabilities, the _Microsoft Security Intelligence Report distinguishes among four different kinds of_ vulnerabilities: - _Core operating system vulnerabilities are those with at least one operating_ system platform enumeration (“/o”) in the NVD that do not also have any application platform enumerations (“/a”).[12] - _Operating system application vulnerabilities are those with at least one /o_ platform enumeration and at least one /a platform enumeration listed in the NVD, except as described in the next bullet point. - _Browser vulnerabilities are those that affect components defined as part of a_ web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome. - _Other application vulnerabilities are those with at least one /a platform_ enumeration in the NVD that do not have any /o platform enumerations, except as described in the previous bullet point. Figure 25 shows industrywide vulnerabilities for operating systems, browsers, and applications since 2H12. [12 See nvd.nist.gov/cpe.cfm for information about the Common Platform Enumeration (CPE) standard for](http://nvd.nist.gov/cpe.cfm) naming information technology systems, software, and packages. ----- Figure 25. Industrywide operating system, browser, and application vulnerabilities, 2H12–1H15 3,500 3,000 2,500 2,000 1,500 1,000 500 0 2H12 1H13 2H13 1H14 2H14 1H15 - Disclosures of vulnerabilities in applications other than web browsers and operating system applications decreased by nearly half from 2H14 to 1H15, but remained the most common type of vulnerability in 1H15, accounting for 55.6 percent of all disclosures for the period. A research project in 2H14 uncovered SSL vulnerabilities in a large number of Android apps in the Google Play Store, explaining the increase and subsequent decrease of application vulnerabilities. (See page 32 for more information about this project.) - Operating system application vulnerability disclosures decreased 1.5 percent from 2H14, and accounted for 19.7 percent of all disclosures in 1H15. - Core operating system vulnerability disclosures increased 1.7 percent from 2H14, and accounted for 14.1 percent of all disclosures in 1H15. - Browser vulnerability disclosures increased 13.2 percent from 2H14, and accounted for 10.6 percent of all disclosures in 1H15. **Microsoft vulnerability disclosures** Figure 26 shows trends for vulnerability disclosures affecting Microsoft products compared to the rest of the industry. ----- Figure 26. Vulnerability disclosures for Microsoft and non-Microsoft products, 2H12–1H15 5,000 4,500 4,000 3,500 3,000 **Non-Microsoft** 2,500 2,000 1,500 1,000 500 **Microsoft** 0 2H12 1H13 2H13 1H14 2H14 1H15 - Microsoft vulnerability disclosures increased from 209 disclosures in 2H14 to 266 in 1H15, an increase of 27.3 percent. **Guidance: Developing secure software** [The Security Development Lifecycle (SDL) (www.microsoft.com/sdl) is a free](http://www.microsoft.com/sdl) software development methodology that incorporates security and privacy best practices throughout all phases of the development process, with the goal of protecting software users. Using such a methodology can help reduce the number and severity of vulnerabilities in software and help manage vulnerabilities that might be discovered after deployment. [“Life in the Digital Crosshairs,” at sdlstory.com, is a multimedia presentation that](http://sdlstory.com/) explores the genesis and development of the SDL from its origins in the Windows team’s well-documented all-hands security push in the early 2000s. It includes interviews with several of the pivotal figures in the history of the SDL and Microsoft’s focus on secure software. Security professionals and anyone else with an interest in secure development are likely to find the site invaluable for putting the SDL into historical context and understanding what the future holds. [To learn more about how the SDL is applied in the present day, see “State of](http://go.microsoft.com/?linkid=9758989) [Application Security: Immature Practices Fuel Inefficiencies, but Positive ROI Is](http://go.microsoft.com/?linkid=9758989) [Attainable - A Forrester Consulting Thought Leadership Paper Commissioned](http://go.microsoft.com/?linkid=9758989) ----- [by Microsoft” to learn how organizations are putting SDL techniques to work for](http://go.microsoft.com/?linkid=9758989) [them, and “Secure Software Development Trends in the Oil & Gas Sectors” for](http://aka.ms/A6offt) an example of how the SDL has helped one critical industry. Both papers are [available from the Microsoft Download Center (www.microsoft.com/download).](http://www.microsoft.com/download) ----- ## Exploits ###### An exploit is a piece of code that uses software vulnerabilities to access information on a computer or install malware. Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on a computer. In some scenarios, targeted components are add-ons that may be pre-installed by the computer manufacturer before the computer is sold. A user may not even use the vulnerable add-on or be aware that it is installed. In addition, some software has no facility for updating itself, so even if the software vendor publishes an update that fixes the vulnerability, the user may not know that the update is available or how to obtain it and therefore remains vulnerable to attack.[13] ##### Encounter rate is the percentage of computers running Microsoft real-time security products that report a mal Software vulnerabilities are enumerated and documented in the [Common Vulnerabilities and Exposures (CVE) list (cve.mitre.org),](http://cve.mitre.org/) a standardized repository of vulnerability information. Here and throughout this report, exploits are labeled with the CVE identifier that pertains to the affected vulnerability, if applicable. In addition, exploits that affect vulnerabilities in Microsoft software are labeled with the Microsoft Security Bulletin number that pertains to the vulnerability, if applicable.[14] ##### ware encounter. Microsoft real-time security products can detect and block attempts to exploit known vulnerabilities whether the computer [is affected by the vulnerabilities or not. For example, the CVE-2010-2568 CplLnk](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568) vulnerability has never affected Windows 8, but if a Windows 8 user receives a malicious file that attempts to exploit that vulnerability, Windows Defender is designed to detect and block it anyway. Encounter data provides important information about which products and vulnerabilities are being targeted by [13 See the Microsoft Security Update Guide, Second Edition at the Microsoft Download Center](http://www.microsoft.com/en-us/download/details.aspx?id=559) (www.microsoft.com/download) for guidance to help protect your IT infrastructure while creating a safer, more secure computing and Internet environment. [14 See technet.microsoft.com/security/bulletin to search and read Microsoft Security Bulletins.](http://technet.microsoft.com/security/bulletin) ----- attackers, and by what means. However, the statistics presented in this report should not be interpreted as evidence of successful exploit attempts, or of the relative vulnerability of computers to different exploits. Figure 27 shows the prevalence of different types of exploits detected by Microsoft antimalware products from 3Q14 to 2Q15, by encounter rate. _Encounter rate is the percentage of computers running Microsoft real-time_ security products that report a malware encounter. For example, the encounter rate for Java exploit attempts in 2Q15 was 0.35 percent, meaning that 0.35 percent of computers running Microsoft real-time security software in 2Q15 encountered Java exploit attempts, and 99.65 percent did not. In other words, a computer selected at random would have had about a 0.35 percent chance of encountering a Java exploit attempt in 2Q15. Only computers whose users have opted in to provide data to Microsoft are considered when calculating encounter rates.[15] See page 58 for more information about the encounter rate metric. Figure 27. Encounter rates for different types of exploit attempts, 3Q14–2Q15 2.0% 1.5% 1.0% **Exploit kits*** **Operating system** 0.5% **Other** **Java*** **HTML/JavaScript** **Adobe Flash** **Player*** 0.0% **Documents** 3Q14 4Q14 1Q15 2Q15 **Browser** - Figures for exploit kits, Java, and Adobe Flash Player exploits are affected by IExtensionValidation in Internet Explorer, which blocks many threats before they are encountered. See page 55 for more information. 15 For information about the products and services that provide data for this report, see “Appendix B: Data sources” on page 129. ----- - Computers that report more than one type of exploit are counted for each type detected. - Encounters with exploit kits decreased by more than a third between 4Q14 and 2Q15, but remained the most commonly encountered type of exploit in the second half of the year, with an encounter rate more than three times as high as the next most common type of exploit. See “Exploit kits” on page 44 for more information about these exploits. ##### Encounters with exploit kits decreased by more than a third, but remained the most - The number of encounters with exploits that target operating systems remained mostly stable in 1H15, becoming the second most commonly encountered type of exploits during the period. See “Operating system exploits” on page 49 for more information. - Encounters with Java exploits decreased each quarter, becoming the third most commonly encountered type of exploit in 1H15. See “Java exploits” on page 47 for more information. ##### commonly in 1H15. See “Java exploits” on page 47 for more information. encountered type  The “Other” category increased from very low levels in of exploit in 2H15. 1Q15 and previous periods to become the third most commonly encountered exploit category in 2Q15, mostly because of [encounters involving Win32/Sdbby. Sdbby is a generic](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Sdbby) detection for malware that bypasses the User Account Control (UAC) prompt to gain administrative privileges on a computer. It was encountered at very low volumes in 1Q15, then became the fourth most commonly encountered exploit family in 2Q15. - The number of encounters involving other types of exploits remained mostly stable during the second half of the year, and each accounted for a small percentage of total exploits. **Exploit families** Figure 28 lists the exploit-related malware families that were detected most often during the first half of 2015. ----- Figure 28. Quarterly encounter rate trends for the exploit families most commonly detected and blocked by Microsoft real-time antimalware products in 1H15, shaded according to relative prevalence **Exploit** **Type** **3Q14** **4Q14** **1Q15** **2Q15** JS/Axpergle Exploit kit 0.87% 0.86% 0.85% 0.64% CVE-2010-2568 (CplLnk) Operating system 0.35% 0.35% 0.30% 0.23% JS/Fiexp Exploit kit 0.31% 0.30% 0.21% 0.05% Win32/Anogre Exploit kit 0.60% 0.42% 0.22% 0.04% JS/Neclu Exploit kit 0.11% 0.06% 0.03% 0.14% HTML/IframeRef Generic 0.10% 0.09% 0.07% 0.05% HTML/Meadgive Exploit kit 0.15% 0.08% 0.06% 0.05% JS/NeutrinoEK Exploit kit 0.00% 0.01% 0.07% 0.04% Win32/Sdbby Other — — 0.00% 0.09% CVE-2014-6332 Operating system — 0.03% 0.04% 0.05% Totals for individual vulnerabilities do not include exploits that were detected as part of exploit kits. - Exploit kits accounted for six of the 10 most commonly encountered exploits during 1H15. See “Exploit kits” on page 44 for more information about exploit kits. - Exploits targeting the Java Runtime Environment (JRE) have gone from seven of the top 10 individual exploits detected in 2H13 to none in 1H15. A number of changes that were made to Java and Internet Explorer over the past two years have made it much more difficult for attackers to take advantage of Java-based vulnerabilities, which is the most likely explanation for this significant decrease. (See “Java exploits” on page 47 for more information.) - [CVE-2010-2568, the most commonly targeted individual vulnerability in](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568) 1H15, is a vulnerability in Windows Shell. Detections are often identified as [variants in the Win32/CplLnk family, although several other malware families](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CplLnk) attempt to exploit the vulnerability as well. An attacker exploits CVE-20102568 by creating a malformed shortcut file—typically distributed through social engineering or other methods—that forces a vulnerable computer to load a malicious file when the shortcut icon is displayed in Windows Explorer. The vulnerability was first discovered being used by the malware [family Win32/Stuxnet in mid-2010, and it has since been exploited by a](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Stuxnet) number of other families, many of which predated the disclosure of the vulnerability and were subsequently adapted to attempt to exploit it. [Microsoft published Security Bulletin MS10-046 in August 2010 to address](http://technet.microsoft.com/security/bulletin/MS10-046) |Exploit|Type|3Q14|4Q14|1Q15|2Q15| |---|---|---|---|---|---| |JS/Axpergle|Exploit kit|0.87%|0.86%|0.85%|0.64%| |CVE-2010-2568 (CplLnk)|Operating system|0.35%|0.35%|0.30%|0.23%| |JS/Fiexp|Exploit kit|0.31%|0.30%|0.21%|0.05%| |Win32/Anogre|Exploit kit|0.60%|0.42%|0.22%|0.04%| |JS/Neclu|Exploit kit|0.11%|0.06%|0.03%|0.14%| |HTML/IframeRef|Generic|0.10%|0.09%|0.07%|0.05%| |HTML/Meadgive|Exploit kit|0.15%|0.08%|0.06%|0.05%| |JS/NeutrinoEK|Exploit kit|0.00%|0.01%|0.07%|0.04%| |Win32/Sdbby|Other|—|—|0.00%|0.09%| |CVE-2014-6332|Operating system|—|0.03%|0.04%|0.05%| ----- the issue, and Windows 8 and Windows 8.1 have never been vulnerable to exploits of CVE-2010-2568. - [HTML/IframeRef is a generic detection for specially formed HTML inline](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=HTML/IframeRef) frame (IFrame) tags that redirect to remote websites that contain malicious content. More properly considered exploit downloaders than true exploits, these malicious pages use a variety of techniques to exploit vulnerabilities in browsers and plug-ins. The only commonality is that the attacker uses an inline frame to deliver the exploits to users. The exact exploit delivered and detected by one of these inline frames might be changed frequently. - [CVE-2014-6332 is a vulnerability in Windows Object Linking and Embedding](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332) (OLE) that can be used to launch remote attacks on a computer through Internet Explorer in some circumstances. Microsoft released Security Bulletin [MS14-064 in November 2014 to address this issue. See “The life and times of](http://technet.microsoft.com/security/bulletin/MS14-064) [an exploit” on pages 3–10 of Microsoft Security Intelligence Report, Volume](http://www.microsoft.com/download/details.aspx?id=46928) _[18 (July–December 2014), available from the Microsoft Download Center, for](http://www.microsoft.com/download/details.aspx?id=46928)_ more information about this vulnerability and what Microsoft has done to mitigate it. **Exploit kits** _Exploit kits are collections of exploits bundled together and sold as commercial_ software or as a service. Prospective attackers buy or rent exploit kits on malicious hacker forums and through other illegitimate outlets. A typical kit comprises a collection of webpages that contain exploits for several vulnerabilities in popular web browsers and browser add-ons. When the attacker installs the kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of having their computers compromised through drive-by download attacks. (See page 105 for more information about drive-by downloads.) ----- Figure 29. How a typical exploit kit works Microsoft security products detect and block the characteristic techniques that a number of common exploit kits use to infect computers, along with several generic HTML and JavaScript exploit techniques. Figure 30 shows the prevalence of several top web-based exploit kits and techniques during each of the four most recent quarters. ----- Figure 30. Trends for the top exploit kit-related threats detected and blocked by Microsoft real-time antimalware products in 1H15 1.0% 0.9% 0.8% 0.7% **JS/Axpergle** **(Angler)** 0.6% 0.5% 0.4% 0.3% 0.2% **JS/Neclu** **(Nuclear)** 0.1% **JS/Fiexp (Fiesta)** **HTML/Meadgive** 0.0% **(Redkit)** **Win32/Anogre** 3Q14 4Q14 1Q15 2Q15 **(Sweet Orange)** - [JS/Axpergle, a detection for the so-called Angler exploit kit, was the most](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) commonly encountered exploit kit family in 1H15. The Angler kit first appeared in 3Q14 and rapidly increased in prominence during the second [quarter. It is known to target a number of vulnerabilities in Silverlight (CVE-](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0074) ##### Exploit kit authors update the exploits they use fre- quently, adding exploits for newly discovered vulnerabilities while [2013-0074), Internet Explorer (CVE-2013-2551), Adobe Flash](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0074) [Player (CVE-2014-8439, CVE-2015-0311, and CVE-2015-0313,](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8439) [among others), and Java (CVE-2013-2460), although exploit kit](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2460) authors frequently change the exploits included in their kits in an effort to stay ahead of software publishers and security software vendors. - After decreasing to low levels in 2H14, detections of the [Nuclear exploit kit (detected as JS/Neclu) reversed course and](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Neclu) began trending upward in 2015, making it the second most commonly encountered exploit kit in 2Q15. ##### dropping poorly - Encounters involving the Sweet Orange and Fiesta ##### performing ones. exploit kits (detected as Win32/Anogre and JS/Fiexp, respectively), the second and third most commonly encountered exploit kits in 2H14, decreased to much lower levels in 1H15. Exploit kit authors update the exploits they use frequently, adding exploits for newly discovered vulnerabilities while dropping poorly performing ones. Figure ----- 31 lists some of the exploits that researchers have observed being added to a number of prominent exploit kits in 1H15. Figure 31. Newly discovered exploits observed being used by exploit kits in 1H15 **Vulnerability** **Exploit type** **Addressed by** **Exploit kit(s)** [CVE-2015-0310](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0310) Adobe Flash Player [APSB15-02](https://helpx.adobe.com/security/products/flash-player/apsb15-02.html) [Angler (JS/Axpergle)](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) [CVE-2015-0311](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0311) Adobe Flash Player [APSB15-03](https://helpx.adobe.com/security/products/flash-player/apsb15-03.html) Angler [CVE-2015-0313](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0313) Adobe Flash Player [APSB15-04](https://helpx.adobe.com/security/products/flash-player/apsb15-04.html) Angler [CVE-2015-0336](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0336) Adobe Flash Player [APSB15-05](https://helpx.adobe.com/security/products/flash-player/apsb15-05.html) [Nuclear (JS/Neclu); Angler](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Neclu) [CVE-2015-0359](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0359) Adobe Flash Player [APSB15-06](https://helpx.adobe.com/security/products/flash-player/apsb15-06.html) Angler [CVE-2015-3090](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3090) Adobe Flash Player [APSB15-09](https://helpx.adobe.com/security/products/flash-player/apsb15-09.html) Angler [CVE-2015-3104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3104) Adobe Flash Player [APSB15-11](https://helpx.adobe.com/security/products/flash-player/apsb15-11.html) Angler [CVE-2015-3105](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3105) Adobe Flash Player [APSB15-11](https://helpx.adobe.com/security/products/flash-player/apsb15-11.html) [Magnitude (HTML/Pangimop)](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=HTML/Pangimop) [CVE-2015-3113](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3113) Adobe Flash Player [APSB15-14](https://helpx.adobe.com/security/products/flash-player/apsb15-14.html) Magnitude **Java exploits** Figure 32 shows the prevalence of different Java exploits by quarter. Figure 32. Trends for the top Java exploits detected and blocked by Microsoft real-time antimalware products in 1H15 |Vulnerability|Exploit type|Addressed by|Exploit kit(s)| |---|---|---|---| |CVE-2015-0310|Adobe Flash Player|APSB15-02|Angler (JS/Axpergle)| |CVE-2015-0311|Adobe Flash Player|APSB15-03|Angler| |CVE-2015-0313|Adobe Flash Player|APSB15-04|Angler| |CVE-2015-0336|Adobe Flash Player|APSB15-05|Nuclear (JS/Neclu); Angler| |CVE-2015-0359|Adobe Flash Player|APSB15-06|Angler| |CVE-2015-3090|Adobe Flash Player|APSB15-09|Angler| |CVE-2015-3104|Adobe Flash Player|APSB15-11|Angler| |CVE-2015-3105|Adobe Flash Player|APSB15-11|Magnitude (HTML/Pangimop)| |CVE-2015-3113|Adobe Flash Player|APSB15-14|Magnitude| ----- - Overall, encounters with Java exploits continued to decrease significantly in 1H15. This decrease is likely caused by several important changes in the way web browsers evaluate and execute Java applets: - The IExtensionValidation interface in Internet Explorer 11, released in late ##### IExtensionValidation in Internet Explorer 11 provides a mechanism for se curity software to validate that a webpage is safe before allowing instantiation of ActiveX controls. 2013, provides a mechanism for security software to validate that a webpage is safe before allowing instantiation of ActiveX controls, such as the control that hosts embedded Java applets. If a webpage is determined to be malicious, the ActiveX controls are blocked from loading, and the actual Java exploit itself is therefore never encountered. (See “Exploit detection with Internet Explorer and IExtensionValidation” on page 55 for more information.) Subsequent Internet Explorer security updates released in 2014 added an isolated heap mechanism and a deferred-free method to mitigate use-after-free bugs, which further hardened Internet Explorer against Java exploitation. - Beginning with Java 7 update 51, released in January 2014, the Java Runtime Environment (JRE) requires Java applets running in web browsers to be digitally signed by default. - In September 2014, Microsoft published updates for versions 8 through [11 of Internet Explorer to begin blocking out-of-date ActiveX controls,](http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx) including controls that host older versions of the JRE in the browser. As explained in this section, the most commonly encountered Java exploits all target vulnerabilities that were addressed with security updates years ago, but remain present in out-of-date Java installations. When a webpage attempts to load one of the vulnerable versions of Java in Internet Explorer with the update applied, the control is blocked by default and the user is urged to update Java to a more secure version. Figure 33. Internet Explorer blocks out-of-date ActiveX controls from running - [CVE-2012-1723, the most commonly encountered individual Java exploit in](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1723) 2Q15 and the second most common in 1Q15, is a type-confusion vulnerability in the Java Runtime Environment (JRE) that is exploited by tricking the JRE into treating one type of variable like another type. Oracle confirmed the existence of the vulnerability in June 2012, and addressed it ----- [the same month with its June 2012 Critical Patch Update. The vulnerability](http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html) was observed being exploited in the wild beginning in early July 2012, and has been used in a number of exploit kits. For more information about this exploit, see the entry ##### Internet Explorer [“The rise of a new Java vulnerability - CVE-2012-1723”](http://blogs.technet.com/b/mmpc/archive/2012/08/01/the-rise-of-a-new-java-vulnerability-cve-2012-1723.aspx) (August 1, 2012) in the Microsoft Malware Protection has begun blockCenter (MMPC) blog at blogs.technet.com/mmpc. ing out-of-date - [Obfuscator is a generic detection for programs that have](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Java/Obfuscator) ActiveX controls, been modified by malware obfuscation, often in an attempt to avoid detection by security software. Files including controls identified as Java/Obfuscator can represent exploits that that host older target many different Java vulnerabilities. ##### versions of the JRE - [CVE-2010-0840 is a JRE vulnerability that was first](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0840) in the browser. disclosed in March 2010 and addressed by Oracle with a [security update the same month. The vulnerability was](http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html) previously exploited by some versions of the Blackhole exploit kit (detected [as JS/Blacole), which has been inactive in recent years.](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Blacole) - [CVE-2012-0507 allows an unsigned Java applet to gain elevated permissions](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0507) and potentially have unrestricted access to a host system outside its sandbox environment. The vulnerability is a logic error that allows attackers to run code with the privileges of the current user, which means that an attacker can use it to perform reliable exploitation on other platforms that support the JRE, including Apple Mac OS X, Linux, VMWare, and others. [Oracle released a security update in February 2012 to address the issue.](http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html) - [CVE-2013-0422 first appeared in January 2013 as a zero-day vulnerability.](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422) CVE-2013-0422 is a package access check vulnerability that allows an untrusted Java applet to access code in a trusted class, which then loads the [attacker’s own class with elevated privileges. Oracle published a security](http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html) [update to address the vulnerability on January 13, 2013.](http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html) [For more information about CVE-2013-0422, see the entry “A technical](http://blogs.technet.com/b/mmpc/archive/2013/01/20/a-technical-analysis-of-a-new-java-vulnerability-cve-2013-0422.aspx) [analysis of a new Java vulnerability (CVE-2013-0422)” (January 20, 2013) in](http://blogs.technet.com/b/mmpc/archive/2013/01/20/a-technical-analysis-of-a-new-java-vulnerability-cve-2013-0422.aspx) the MMPC blog at blogs.technet.com/mmpc. ----- **Operating system exploits** Although most operating system exploits detected by Microsoft security products are designed to affect the platforms on which the security products run, malicious or infected files that affect other operating systems are sometimes downloaded. Figure 34 shows trends for the individual exploits most commonly detected and blocked or removed during each of the past four quarters. Figure 34. Individual operating system exploits detected and blocked by Microsoft real-time antimalware products, 3Q14–2Q15 0.40% 0.35% 0.30% 0.25% **Win32/CplLnk** 0.20% 0.15% 0.10% 0.05% **CVE-2014-6332** **Unix/Lotoor** **CVE-2011-1823** 0.00% **(GingerBreak)** 3Q14 4Q14 1Q15 2Q15 **CVE-2011-3874** - [Win32/CplLnk, an exploit that targets a vulnerability in Windows Shell,](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CplLnk) remained the most commonly encountered operating system exploit in [1H15. An attacker exploits the vulnerability (CVE-2010-2568) by creating a](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568) malformed shortcut file that forces a vulnerable computer to load a malicious file when the shortcut icon is displayed in Windows Explorer. [Microsoft released Security Bulletin MS10-046 in August 2010 to address this](http://technet.microsoft.com/security/bulletin/MS10-046) issue. - [CVE-2014-6332 is a vulnerability in Windows Object Linking and Embedding](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332) (OLE) that can be used to perform remote attacks on a computer through Internet Explorer in some circumstances. Microsoft released Security Bulletin [MS14-064 in November 2014 to address this issue. See “The life and times of](http://technet.microsoft.com/security/bulletin/MS14-064) [an exploit” on pages 3–10 of Microsoft Security Intelligence Report, Volume](http://www.microsoft.com/download/details.aspx?id=46928) _[18 (July–December 2014), available from the Microsoft Download Center, for](http://www.microsoft.com/download/details.aspx?id=46928)_ ----- more information about this vulnerability and what Microsoft has done to mitigate it. - Three of the five most commonly encountered operating system exploits on Windows computers in 1H15 actually target the Android mobile operating system published by Google and the Open Handset Alliance. Microsoft security products detect these threats when Android devices or storage cards are connected to computers running Windows, or when Android users knowingly or unknowingly download infected or malicious programs to their computers before transferring the software to their devices. Most detections that affect Android involve exploits that enable an attacker or other user to obtain root privileges on vulnerable Android devices. Device owners sometimes use such exploits intentionally to gain access to additional functionality (a practice often called Three of the five _rooting or jailbreaking), but these exploits can also be_ most commonly used by attackers to infect devices with malware that ##### encountered oper bypasses many typical security systems. ##### ating system ex - [Unix/Lotoor is an exploit family that exploits](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Unix/Lotoor) vulnerabilities in the Android operating system to gain ploits on Windows root privileges on a mobile device. Google published computers in 1H15 a source code update in March 2011 that addressed actually target the the vulnerability. ##### Android mobile - [CVE-2011-1823 is sometimes called the GingerBreak](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1823) vulnerability because of its use by a popular rooting operating system. application of that name. It is also used by [AndroidOS/GingerMaster, a malicious program that can allow a remote](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=AndroidOS/GingerMaster) attacker to gain access to the mobile device. GingerMaster might be bundled with clean applications, and includes an exploit for the CVE 2011-1823 vulnerability disguised as an image file. Google published a source code update in May 2011 that addressed the vulnerability. - [CVE-2011-3874 can also be used to gain root privileges on devices](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3874) running some versions of Android. Google published a source code update in November 2011 that addressed the vulnerability. ----- **Document exploits** _Document exploits are exploits that target vulnerabilities in the way a document_ editing or viewing application processes a particular file format. Figure 35 shows encounter rates for individual exploits. Figure 35. Individual document exploits detected and blocked by Microsoft real-time antimalware products, 3Q14–2Q15 0.07% 0.06% 0.05% 0.04% 0.03% 0.02% 0.01% **Win32/Pdfjsc** **CVE-2012-0158** **Win32/Wordinvop** 0.00% **CVE-2010-3336** 3Q14 4Q14 1Q15 2Q15 **Win32/Wordjmp** - Most detections of exploits that affect Adobe Reader and Adobe Acrobat [were associated with the exploit family Win32/Pdfjsc, a detection for PDF](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Pdfjsc) [files containing malicious JavaScript that targets CVE-2010-0188 and other](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188) [vulnerabilities. Adobe released Security Bulletin APSB10-07 in February 2010](http://www.adobe.com/support/security/bulletins/apsb10-07.html) to address CVE-2010-0188. Pdfjsc and related exploits were particularly prevalent in eastern Europe. Pdfjsc mostly targets older Java vulnerabilities, so attackers may find it less useful as more computers are updated to newer versions of Java, which could explain the decrease in encounters over the past several quarters. **Adobe Flash Player exploits** Figure 36 shows the prevalence of different Adobe Flash Player exploits by quarter. ----- Figure 36. Adobe Flash Player exploits detected and blocked by Microsoft real-time antimalware products, 3Q14–2Q15 0.035% 0.030% 0.025% 0.020% 0.015% 0.010% 0.005% 0.000% 3Q14 4Q14 1Q15 2Q15 - Encounters involving Obfuscator variants that target Adobe Flash Player increased from very low levels in 1Q15 to become the largest source of Flash Player-related exploit encounters in 2Q15. Most of these encounters [involved two newly discovered threats: Exploit:SWF/Obfuscator.K targets](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:SWF/Obfuscator.K) [CVE-2014-8439, CVE-2015-0311, CVE-2015-0313, and CVE-2015-0359;](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8439) [Exploit:SWF/Obfuscator.L mainly targets CVE-2015-0336.](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:SWF/Obfuscator.L) - [CVE-2014-0515, the most commonly exploited Adobe Flash Player](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0515) vulnerability in 1Q15 and the second most common in 1H15 overall, is a [buffer overflow vulnerability. Adobe released Security Bulletin APSB14-13 on](http://helpx.adobe.com/security/products/flash-player/apsb14-13.html) April 28, 2014 to address the issue. - [CVE-2015-0359, a double free vulnerability, was first disclosed in April 2015](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0359) and became the second most commonly encountered Adobe Flash Player [exploit in the second quarter. Adobe released Security Bulletin APSB15-06](https://helpx.adobe.com/security/products/flash-player/apsb15-06.html) on April 14 to address the issue. - [CVE-2014-0497 is an integer underflow vulnerability. Adobe released](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0497) [Security Bulletin APSB14-04 on February 4, 2014 to address the issue.](http://www.adobe.com/support/security/bulletins/apsb10-14.html) **Browser exploits** Figure 37 shows the prevalence of different browser exploits by quarter. ----- Figure 37. Browser exploits detected and blocked by Microsoft real-time antimalware products, 3Q14–2Q15 0.025% 0.020% **CVE-2013-7331** **(MS14-052)** 0.015% 0.010% **MS09-002** 0.005% **CVE-2014-0322** **(MS14-012)** **CVE-2012-1889** **(MS12-043)** 0.000% **CVE-2013-2551** 3Q14 4Q14 1Q15 2Q15 **(MS13-037)** - [Exploits targeting CVE-2013-7331, a vulnerability affecting the](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7331) Microsoft.XMLDOM ActiveX control in Internet Explorer, accounted for the largest share of browser-related exploits encountered in 1H15. Exploiting this vulnerability allows an attacker to confirm the existence or nonexistence of arbitrarily specified paths and hostnames in the local environment. Microsoft [published Security Bulletin MS14-052 in September 2014 to address the](https://technet.microsoft.com/library/security/ms14-052) issue. - [Exploits targeting vulnerabilities addressed by Security Bulletin MS09-002,](https://technet.microsoft.com/library/security/ms09-002) published by Microsoft in February 2009, accounted for the second largest share of browser-related exploits encountered in 1H15. Of these, most [targeted CVE-2009-0075, an uninitialized memory corruption vulnerability](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0075) in Internet Explorer 7. - [Encounters involving exploits targeting CVE-2013-2551, a use-after-free](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2551) vulnerability in versions 6 through 10 of Internet Explorer, accounted for the largest share of browser-related exploit encounters in 2H14, then fell to negligible levels in 1H15 as exploit kit authors dropped them in favor of exploits targeting CVE-2013-7331. ----- **Exploit detection with Internet Explorer and IExtensionValidation** IExtensionValidation is an interface introduced in Internet Explorer 11 that realtime security software can implement to block ActiveX controls from loading on malicious pages. When Internet Explorer loads a webpage that includes ActiveX controls, if the security software has implemented IExtensionValidation, the browser calls the security software to scan the HTML and script content on the page before loading the controls themselves. If the security software determines that the page is malicious (for example, if it identifies the page as an exploit kit landing page), it can direct Internet Explorer to prevent individual controls or the entire page from loading. Figure 38. Internet Explorer 11 can block pages that contain ActiveX controls if security software determines that the page is malicious Figure 39 shows the types of ActiveX controls identified on malicious webpages in Internet Explorer 11 for each quarter in 2014. ----- Figure 39. ActiveX controls detected on malicious webpages through IExtensionValidation, 3Q14–2Q15, by control type 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% 3Q14 4Q14 1Q15 2Q15 Adobe Flash Java Silverlight Adobe Reader Other - Adobe Flash Player objects were the most commonly detected type of object hosted on malicious pages in each of the past four quarters. - After accounting for a high of 45.3 percent of object detections in 3Q14, ##### Adobe Flash objects were the most commonly detected type of object hosted on detections of Java applets on malicious pages decreased to just 0.5 percent of detections by 2Q15. A number of changes that have been made to Java and Internet Explorer over the past two years have made it much more difficult for attackers to take advantage of Java-based vulnerabilities, which is the most likely explanation for this significant decrease. (See “Java exploits” on page 47 for more information.) ##### malicious pages.  Silverlight, Adobe Reader, and other malicious objects each accounted for less than 3 percent of object detections each quarter. **Exploits used in targeted attacks** A targeted attack is an attack against the computers or networks of a specific group of companies or individuals. This type of attack usually attempts to gain access to the computer or network before trying to steal information or disrupt the infected computers. Figure 40 lists some of the exploits Microsoft has observed being used in targeted attacks in 1H15. ----- Figure 40. Some of the exploits used in targeted attacks in 1H15 **CVE** **Exploit type** **Affecting** **Security update** [CVE-2015-0097](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0097) Word HTA Microsoft Word [MS15-022](https://technet.microsoft.com/library/security/ms15-022) [CVE-2015-1641](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1641) Word RTF Microsoft Word [MS15-033](https://technet.microsoft.com/library/security/ms15-033) [CVE-2015-1701](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1701) Win32k EoP Microsoft Windows [MS15-051](https://technet.microsoft.com/library/security/ms15-051) [CVE-2015-1769](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?name=CVE-2015-1769) USB vector Microsoft Windows [MS15-085](https://technet.microsoft.com/library/security/ms15-085) [CVE-2015-1770](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1770) Word OSF Microsoft Word [MS15-059](https://technet.microsoft.com/library/security/ms15-059) [CVE-2015-2360](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2360) Win32k EoP Microsoft Windows [MS15-061](https://technet.microsoft.com/library/security/ms15-061) [CVE-2015-3043](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3043) Flash codec Adobe Flash Player [APSB15-06](https://helpx.adobe.com/security/products/flash-player/apsb15-06.html) [See the entry “Targeted Attacks Video Series” (June 13, 2013) on the Microsoft](http://blogs.microsoft.com/cybertrust/2013/06/13/targeted-attacks-video-series/) Cyber Trust blog at blogs.microsoft.com/cybertrust for an informative series of videos and papers about targeted attacks, the techniques used by attackers, and some of the steps that organizations can take to secure their networks against targeted attacks. |CVE|Exploit type|Affecting|Security update| |---|---|---|---| |CVE-2015-0097|Word HTA|Microsoft Word|MS15-022| |CVE-2015-1641|Word RTF|Microsoft Word|MS15-033| |CVE-2015-1701|Win32k EoP|Microsoft Windows|MS15-051| |CVE-2015-1769|USB vector|Microsoft Windows|MS15-085| |CVE-2015-1770|Word OSF|Microsoft Word|MS15-059| |CVE-2015-2360|Win32k EoP|Microsoft Windows|MS15-061| |CVE-2015-3043|Flash codec|Adobe Flash Player|APSB15-06| ----- ## Malware and unwanted software ###### Most attempts by malware to infect computers are unsuccessful. More than three-quarters of Internet-connected personal computers worldwide are protected by real-time security software that constantly monitors the computers and network traffic for threats and blocks them before they can infect the computers, if possible. Therefore, a comprehensive understanding of the malware landscape requires consideration of infection attempts that are blocked as well as infections that are removed. Microsoft uses two different metrics to measure malware and unwanted software prevalence:[16] - _Encounter rate is simply the percentage of computers running Microsoft_ real-time security products that report a malware encounter.[17] For example, [the encounter rate for the malware family JS/Bondat in Mexico in 2Q15 was](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Bondat) 4.2 percent. This data means that, of the computers in Mexico that were running Microsoft real-time security software in 2Q15, 4.2 percent reported encountering the Bondat family, and 95.8 percent did not. Encountering a threat does not mean the computer has been infected. Only computers whose users have opted in to provide data to Microsoft are considered when calculating encounter rates.[18] 16 Microsoft regularly reviews and refines its data collection methodology to improve its scope and accuracy. For this reason, the statistics presented in this volume of the Microsoft Security Intelligence Report may differ slightly from comparable statistics in previous volumes. 17 Encounter rate does not include threats that are blocked by a web browser before being detected by antimalware software. In particular, IExtensionValidation in Internet Explorer 11 enables security software to block pages that contain exploits from loading. (See “Exploit detection with Internet Explorer and IExtensionValidation” on page 55 for information about IExtensionValidation and the threats it blocks.) For this reason, encounter rate figures may not fully reflect all of the threats encountered by computer users. 18 For information about the products and services that provide data for this report, see “Appendix B: Data sources” on page 129. ----- - _Computers cleaned per mille, or CCM, is an infection rate metric that is_ defined as the number of computers cleaned for every 1,000 unique computers that run the Malicious Software Removal Tool (MSRT), a free tool distributed through Microsoft update services that removes more than 200 highly prevalent or serious threats from computers. Because it is not a realtime tool, the MSRT only detects and removes threats that are already present on the computer; it does not block infection attempts as they happen. Figure 41 illustrates the difference between these two metrics. Figure 41. Worldwide encounter and infection rates, 2Q14–2Q15, by quarter 25% 20% 15% 10% 5% 0% 0 3Q14 4Q14 1Q15 2Q15 Encounter rate Infection rate Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. As Figure 41 shows, and as one would expect, malware encounters are much more common than malware infections. On average, about 17.0 percent of reporting computers worldwide encountered malware over the past four quarters. At the same time, the MSRT removed malware from about 7.1 out of every 1,000 computers, or 0.71 percent. Together, encounter and infection rate information can help provide a broader picture of the malware landscape by offering different perspectives on how malware propagates and how computers get infected. ----- **Brantall, Rotbrow, and Filcout** [Where noted, the figures in this report omit detections of Win32/Brantall,](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Brantall) [Win32/Rotbrow, and Win32/Filcout. These three families were involved in an](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Rotbrow) incident in which a rogue developer with access to commercial source code modified the source code to serve as a stealth distribution method for malware without being detected by major security software vendors. When the modification was discovered, it resulted in a significant installed base of commercial software being reclassified as malicious, which had an outsized effect on infection rates. Microsoft believes that the unmodified infection and encounter figures do not create an accurate picture of the worldwide threat landscape over the past year and a half. As a result, totals for the Brantall, Filcout, and Rotbrow families have been removed from the infection and encounter figures presented here where appropriate, as noted. [See “The Sefnit saga: a timeline” on pages 57–64 of Microsoft Security](http://www.microsoft.com/download/details.aspx?id=44937) _[Intelligence Report, Volume 17 (January–June 2014), available from the Microsoft](http://www.microsoft.com/download/details.aspx?id=44937)_ Download Center, for a more in-depth explanation of the incident, along with detection statistics and a timeline of events. **Malware and unwanted software worldwide** The telemetry data generated by Microsoft security products from computers whose administrators or users choose to opt in to provide data to Microsoft includes information about the location of the computer, as determined by IP geolocation. This data makes it possible to compare infection and encounter rates, patterns, and trends in different locations around the world.[19] [19 For more information about this process, see the entry “Determining the Geolocation of Systems Infected](http://blogs.microsoft.com/cybertrust/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware/) [with Malware” (November 15, 2011) in the Microsoft Cyber Trust Blog (blogs.microsoft.com/cybertrust).](http://blogs.microsoft.com/cybertrust/2011/11/15/determining-the-geolocation-of-systems-infected-with-malware/) ----- Figure 42. Encounter rate trends for the locations with the most computers reporting malware and unwanted software encounters in 1H15, by number of computers reporting **Country/Region** **3Q14** **4Q14** **1Q15** **2Q15** United States 15.4% 11.6% 11.0% 9.8% Brazil 32.9% 21.7% 20.5% 20.2% Russia 27.3% 24.1% 22.8% 17.7% India 38.2% 32.0% 34.9% 31.3% France 22.8% 13.0% 15.8% 13.2% Turkey 35.1% 27.9% 32.0% 28.1% China 18.1% 15.2% 13.1% 13.7% United Kingdom 17.2% 11.4% 12.7% 11.7% Mexico 30.0% 21.7% 22.6% 21.2% Canada 18.1% 12.5% 14.0% 12.5% Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - Locations in Figure 42 are ordered by the number of computers reporting detections in 1H15. - As Figure 41 on page 59 illustrates, the worldwide encounter rate increased slightly in 1Q15 before decreasing again in 2Q15, and this pattern is reflected in several of the locations in Figure 42 as well. India, France, Turkey, the United Kingdom, Mexico, and Canada all had small encounter rate increases in the first quarter of 2015, followed by decreases to around the same level as 2Q14. In general, however, encounter rates remained largely stable through the first half of 2015 in all of these locations, without any unusually large increases or decreases. - [The browser modifiers Win32/KipodToolsCby and Win32/CouponRuc and](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) [the adware family Win32/SaverExtension, the three most commonly](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) encountered families worldwide in 1H15, were also the three most commonly encountered families in the United States, France, Turkey, the United Kingdom, Mexico, and Canada, and were all in the top six families encountered in Russia and India. See “Threat families” beginning on page 74 for more information about these and other malware and unwanted software families. - Encounters in the United States in 1H15 were dominated by unwanted software, which accounted for nine of the ten most commonly encountered families. Of these, six were browser modifiers, including CouponRuc and |Country/Region|3Q14|4Q14|1Q15|2Q15| |---|---|---|---|---| |United States|15.4%|11.6%|11.0%|9.8%| |Brazil|32.9%|21.7%|20.5%|20.2%| |Russia|27.3%|24.1%|22.8%|17.7%| |India|38.2%|32.0%|34.9%|31.3%| |France|22.8%|13.0%|15.8%|13.2%| |Turkey|35.1%|27.9%|32.0%|28.1%| |China|18.1%|15.2%|13.1%|13.7%| |United Kingdom|17.2%|11.4%|12.7%|11.7%| |Mexico|30.0%|21.7%|22.6%|21.2%| |Canada|18.1%|12.5%|14.0%|12.5%| ----- KipodToolsCby, the first and third most commonly detected threat families in the US, respectively. [The browser modifiers KipodToolsCby, CouponRuc, and Win32/IeEnablerCby](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/IeEnablerCby) were the most commonly detected families in Brazil in 1H15. Families that ranked [unusually high in Brazil included Win32/Banload (ranked fourth in Brazil, 54th](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Banload) worldwide), which is usually used to steal login credentials for Brazilian banks, [and the worm family JS/Proslikefan (14th in Brazil, 101st worldwide). (See](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Proslikefan) ##### As is typically the “Win32/Banload and Banking Malware” on page 21 for more information about Banload in Brazil.) ##### case, the threat - [Encounters in Russia were led by Win32/Peals, a family](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) ##### landscape in China of trojans, and the downloader family Win32/Ogimant, which was dominated by has a Russian-language interface and masquerades as a downloader for peer-to-peer and torrent services. Detections of ##### malware families Ogimant in Russia decreased from 3.6 percent in 1Q15 to 0.75 ##### that are much less percent in 2Q15, but it remained the second most commonly detected family in Russia in 1H15, overall, behind Peals. Other ##### common families that were unusually common in Russia in 1H15 included ##### worldwide. the trojan family Win32/Radonskra (ranked ninth in Russia, 84th [worldwide) and the generic trojan detection Win32/Peaac (10th](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peaac) in Russia, 48th worldwide). - The mix of threats encountered in India and Turkey were largely similar to the worldwide mix, but each location also reported significant encounters with a threat that appeared to be strongly targeted at a specific region. The [worm family MSIL/Mofin (ranked 12th in India, 115th worldwide) was](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=MSIL/Mofin) unusually common in India, where more than 85 percent of all Mofin [encounters occurred in 1H15. And the trojan family Win32/BeeVry (11th in](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/BeeVry) Turkey, 134th worldwide) was unusually common in Turkey, where more than 98 percent of all BeeVry encounters occurred in 1H15. - As is typically the case, the threat landscape in China in 1H15 was dominated by malware families that are much less common worldwide. Of the threats most commonly encountered in China, only the generic detections [Win32/Obfuscator, INF/Autorun, and Win32/Dynamer and the trojan family](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) [Win32/Ramnit were also commonly encountered worldwide. All of the most](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ramnit) commonly encountered families in China in 1H15 were malware families. The most commonly detected unwanted software family in China (KipodToolsCby) ranked 48th there overall. Families that were unusually ----- [prevalent in China included the virus DOS/JackTheRipper (ranked second in](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=DOS/JackTheRipper) [China, 119th worldwide), the downloader HTML/Adodb (fifth in China, 108th](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=HTML/Adodb) [worldwide), and the worm ALisp/Kenilfe (seventh in China, 125th worldwide).](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=ALisp/Kenilfe) - [The downloader family W97M/Adnel was unusually prevalent in the United](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=W97M/Adnel) Kingdom (ranked 12th in the UK, 98th worldwide). - [The rogue security software family JS/FakeCall was unusually prevalent in](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/FakeCall) Canada (ranked 11th in Canada, 96th worldwide). For a different perspective on threat patterns worldwide, Figure 43 shows the infection and encounter rates in locations around the world in 2Q15. Figure 43. Encounter rates (top) and infection rates (bottom) by country/region in 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. ----- The next several figures illustrate trends for specific locations around the world with particularly high or low incidences of threat detection. Figure 44 and Figure 45 show trends for the locations with the highest rates of detection as determined by encounter rate and CCM, respectively. Figure 44. Trends for the five locations with the highest encounter rates in 1H15 (100,000 reporting computers minimum) 60% 50% **Pakistan** **Indonesia** **Algeria** 40% **Bangladesh** **Nepal** 30% 20% **_Worldwide_** 10% 0% 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. Figure 45. Trends for the five locations with the highest infection rates in 1H15, by CCM (100,000 MSRT computers minimum) 100 90 80 **Iraq** **Libya** 70 **Palestinian** **Authority** 60 **Morocco** **Pakistan** 50 40 30 20 10 **_Worldwide_** 0 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. ----- - The locations with the highest encounter rates were Pakistan, Indonesia, Algeria, Bangladesh, and Nepal. - Pakistan, Indonesia, and Algeria also had the highest encounter rates in 2H14. - As in 2H14, exploit kits were relatively rare in the locations with the [highest encounter rates. JS/Axpergle, the most commonly encountered](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) exploit kit worldwide in 1H15, ranked no higher than 34th in any of the locations with the highest encounter rates. - Unwanted software was highly prevalent in these locations, as it was worldwide in 1H15. The browser [modifiers Win32/KipodToolsCby and](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) [Win32/CouponRuc and the adware family](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) [Win32/SaverExtension, the three most commonly](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) encountered families worldwide in 1H15, were all among the top nine families encountered in all of the locations with the highest encounter rates. - Families that were unusually prevalent in Pakistan ##### As in 2H14, exploit kits were relatively rare in the locations with the highest encounter rates. [included Win32/Nuqel (ranked 11th in Pakistan, 34th worldwide), a](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Nuqel) [worm, and the virus family Win32/Chir (13th in Pakistan, 69th](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Chir) worldwide). In both cases, the encounter rate for the family in Pakistan was more than twice as high as in any other country or region. - Families that were unusually prevalent in Indonesia included the exploit [Win32/CplLnk (ranked fifth in Indonesia, 20th worldwide) and the virus](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Copali) [family Win32/Slugin (ranked 13th in Indonesia, 92nd worldwide).](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Slugin) - [Win32/Macoute, a worm, was unusually prevalent in Algeria (ranked](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Macoute) 17th in Algeria, 148th worldwide). Most Macoute encounters worldwide took place in Algeria and several other locations in Africa, including Senegal, Ghana, and Tunisia. - [The worm family Win32/Vercuser was unusually prevalent in Bangladesh](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Vercuser) (ranked 14th in Bangladesh, 102nd worldwide) and a number of nearby locations, including Nepal, Pakistan, and India. - The locations with the highest infection rates were Iraq, Libya, the Palestinian territories, Morocco, and Pakistan. ----- - [The worm family VBS/Jenxcus was the most common malware family](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) infecting computers in 1H15 in all of these locations except Morocco, where it was second. Infection rates for Jenxcus were particularly high across the Middle East, and low in North America and Europe. - [Infections involving the backdoor family MSIL/Bladabindi, which ranked](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=MSIL/Bladabindi) 26th among infecting families worldwide, were particularly common in Iraq (where it ranked fourth), Libya (third), the Palestinian territories (11th), and Morocco (seventh). Like Jenxcus, Bladabindi had its greatest impact in the Middle East. - In Morocco, the most common infecting malware family was the worm [family Win32/Yeltminky, which had its highest infection rate there (a](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Yeltminky) CCM of 23.8 in Morocco in 2Q15, compared to 3.3 in Algeria, the next highest location). Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute the copies. Figure 46. Trends for locations with low encounter rates in 1H15 (100,000 reporting computers minimum) 25% 20% 15% **_Worldwide_** **Denmark** 10% **Norway** **Sweden** **Finland** 5% **Japan** 0% 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. ----- Figure 47. Trends for locations with low infection rates in 1H15, by CCM (100,000 reporting computers minimum) 9 **_Worldwide_** 8 7 6 5 **Denmark** 4 **Norway** **Switzerland** 3 **Japan** **Finland** 2 1 0 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - The Nordic countries, including Denmark, Finland, Iceland, Norway, and Sweden, have perennially been among the healthiest locations in the world with regard to malware exposure, as has Japan. In 1H15, the infection and encounter rates for these locations were typically about half of the worldwide averages. (See the blog entry series “Lessons from Least Infected [Countries” at blogs.technet.com/b/security/p/series-](http://blogs.technet.com/b/security/p/series-lessons-from-least-infected-countries.aspx) [lessons-from-least-infected-countries.aspx for more](http://blogs.technet.com/b/security/p/series-lessons-from-least-infected-countries.aspx) All five locations information about locations that typically have low infection and encounter rates.) had similar - All of these locations, even geographically- and encounter and culturally-distant Japan, had similar encounter and infection statistics infection statistics in 1H15. Unwanted software dominated ##### in 1H15. encounters in each location, led by browser modifiers [Win32/KipodToolsCby, Win32/CouponRuc, and](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) [Win32/AlterbookSP; adware family Win32/SaverExtension; and software](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/AlterbookSP) [bundler Win32/InstalleRex.](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/InstalleRex) - Infection rates trended up significantly in all five locations in 2Q15 because [of removals of Win32/CompromisedCert, an advertising program pre-](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CompromisedCert) installed on some Lenovo laptops that installed a compromised trusted root [certificate, and Win32/IeEnablerCby, a browser modifier that bypasses user](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/IeEnablerCby) ----- consent dialogs to install software without the user’s explicit permission. See page 78 for more information about IeEnablerCby. - Threats that are particularly uncommon in these locations include [Win32/Frethog, a game password stealer that is most prevalent in Asia;](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Frethog) [Win32/Yeltminky, a worm that is most prevalent in the Middle East;](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Yeltminky) [Win32/Gamarue, a worm that is prevalent in southeast Asia and the Middle](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Gamarue) [East; and Win32/Ramnit, a virus that is prevalent in southern and southeast](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ramnit) Asia. **Microsoft and partners disrupt the Simda.AT botnet** On April 12, 2015, Interpol and the Dutch National High Tech Crime Unit [(DNHTCU) announced the disruption of Backdoor:Win32/Simda.AT, a significant](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Backdoor:Win32/Simda.AT) malware threat affecting more than 770,000 devices in more than 190 countries and regions. [Win32/Simda is a family of threats that can provide an attacker with backdoor](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Simda) access to and control of an infected device. They can then steal passwords and gather information about the device to send to the attacker. The Simda.AT variant first appeared in 2012, and is often downloaded to a vulnerable device by a drive-by download. Aside from the information-stealing behavior common to Simda variants, Simda.AT redirects search traffic from popular websites such as Bing, Google, and Facebook to its own domain, and can download other malware from a remote host. Simda was the 55th most commonly encountered malware family worldwide in 1H15, with the overwhelming majority of encounters involving the Simda.AT variant. Figure 48. Average number of Simda-infected devices connecting to the sinkhole each month, April–July, 2015 ----- Interpol coordinated the operation and the DNHTCU, with the support of the Federal Bureau of Investigation (FBI), successfully took down Simda.AT’s active command and control infrastructure across four countries including the Netherlands, Luxembourg, Russia, and the United States. The Microsoft Malware Protection Center (MMPC) and the Microsoft Digital Crimes Unit (DCU) led the analysis of the malware threat in partnership with CDI Japan, Kaspersky Lab, and Trend Micro. [The MMPC activated the Coordinated Malware Eradication (CME) platform to](http://blogs.technet.com/b/mmpc/archive/2014/01/27/industry-needs-to-work-together-to-eradicate-malware.aspx) provide in-depth research, telemetry, samples, and cleaning solutions to law enforcement and Microsoft partners. This information helped law enforcement take action against Simda.AT and its infrastructure, while providing remediation and recovery options for infected devices around the world. For more information about the takedown and technical information about the [Simda.AT backdoor, see the entry “Microsoft partners with Interpol, industry to](http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx) [disrupt global malware attack affecting more than 770,000 PCs in past six](http://blogs.technet.com/b/mmpc/archive/2015/04/12/microsoft-partners-with-interpol-industry-to-disrupt-global-malware-attack-affecting-more-than-770-000-pcs-in-past-six-months-39-simda-at-39-designed-to-divert-internet-traffic-to-disseminate-other-types-of-malware.aspx) months” (April 12, 2015) on the MMPC blog at blogs.technet.com/mmpc. **Threat categories** The MMPC classifies individual threats into types based on a number of factors, including how the threat spreads and what it is designed to do. To simplify the presentation of this information and make it easier to understand, the Microsoft _Security Intelligence Report groups these types into categories based on_ similarities in function and purpose. ----- Figure 49. Encounter rates for significant malware categories, 3Q14–2Q15 7% 6% 5% **Trojans** 4% **Worms** 3% **Obfuscators &** **Injectors** **Exploits** 2% **Downloaders &** **Droppers** **Viruses** 1% **Backdoors** **Other Malware** **Password Stealers** 0% **& Monitoring Tools** 3Q14 4Q14 1Q15 2Q15 **Ransomware** Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - The number of encounters for most categories of malware remained stable or decreased throughout the first half of 2015, with the exception of Trojans, which increased to 4.5 percent in 2Q15 after dipping slightly in the first quarter. Encounters with the three most commonly detected trojan families, [Win32/Peals, Win32/Kilim, and Win32/Skeeyah, all increased significantly in](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) 2Q15, contributing to the overall increase, which was partly ameliorated by [the disruption of the Win32/Ramnit family. See “Threat families” beginning](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ramnit) on page 74 for more information about these and other malware and unwanted software families. ----- Figure 50. Encounter rates for unwanted software categories, 3Q14–2Q15 8% 7% 6% **Browser** **Modifiers** 5% 4% 3% 2% **Adware** **Software** 1% **Bundlers** 0% 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - Encounters involving browser modifiers more than doubled between 1Q15 and 2Q15 because of changes to Microsoft detection criteria for unwanted software. In January, Microsoft security products began detecting as unwanted software browser add-ons that Encounters involvlimit user control over their browser in a number of ways, ing browser modiincluding disabling certain browser controls, limiting the ##### fiers more than user’s ability to choose their default search provider, and bypassing consent dialogs for newly installed add-ons. doubled because See “Threat families” beginning on page 74 for more of changes to information about this change. ##### detection criteria. - Encounters involving adware increased from 2.5 percent in 4Q14 to 3.7 percent in 1Q15, then fell to 1.6 percent. Much of the increase [and subsequent decrease was related to Win32/SaverExtension, a browser](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) add-on that shows ads in the browser without revealing their source, and prevents itself from being removed normally. ----- Figure 51. SaverExtension prevents itself from being removed - Detections of software bundlers increased slightly in 1Q15 because of [Win32/InstalleRex, a software bundler that installs other unwanted software](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/InstalleRex) families. Threat categories by location Significant differences exist in the types of threats that affect users in different parts of the world. The spread of malware can be highly dependent on language and socioeconomic factors as well as on the methods used for distribution. Some threats are spread using techniques that target people who speak a particular language or who use online services that are local to a specific geographic region. Other threats target vulnerabilities or operating system configurations and applications that are unequally distributed around the world. Figure 52 shows the relative prevalence of different categories of malware in several locations around the world in 2Q15. ----- Figure 52. Threat category prevalence worldwide and in the 10 locations with the most computers reporting encounters in 2Q15 **Category** Browser Modifiers 5.6% 9.1% 11.6% 7.0% 22.3% 14.2% 16.5% 0.6% 10.8% 13.9% 11.2% Trojans 4.5% 4.2% 12.6% 20.6% 17.9% 5.7% 25.9% 10.2% 4.4% 9.0% 5.1% Worms 2.9% 0.6% 8.8% 4.5% 31.2% 1.9% 17.2% 5.6% 0.8% 20.8% 0.6% Adware 1.6% 4.5% 7.0% 5.1% 8.2% 7.7% 9.6% 0.2% 4.7% 6.3% 5.3% Obfuscators & Injectors 1.5% 1.0% 5.3% 7.3% 8.5% 1.9% 7.7% 4.9% 1.7% 3.1% 1.6% Software Bundlers 1.5% 1.7% 1.5% 0.5% 5.2% 2.2% 3.5% 0.2% 2.3% 2.9% 2.5% Exploits 1.5% 3.4% 2.4% 1.3% 4.7% 2.5% 4.5% 1.7% 4.4% 2.9% 5.6% Downloaders & 1.2% 2.3% 6.4% 6.6% 4.2% 2.7% 3.6% 3.2% 3.1% 2.0% 3.3% Droppers Viruses 1.0% 0.4% 2.2% 1.5% 8.2% 0.4% 6.6% 7.4% 0.3% 1.2% 0.4% Backdoors 0.6% 0.7% 1.4% 2.0% 3.5% 0.9% 3.2% 1.8% 0.9% 1.5% 0.7% Other Malware 0.4% 0.9% 0.3% 0.3% 1.7% 0.5% 1.4% 1.3% 0.6% 0.6% 1.5% Password Stealers & 0.2% 0.4% 1.0% 0.8% 0.8% 0.3% 1.0% 0.5% 0.4% 0.5% 0.6% Monitoring Tools Ransomware 0.2% 0.6% 0.5% 0.6% 0.1% 0.7% 0.6% 0.0% 0.4% 0.8% 0.7% Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - Within each row of Figure 52, a darker color indicates that the category is more prevalent in the specified location than in the others and a lighter color indicates that the category is less prevalent. As in Figure 42 on page 61, the locations in the table are ordered by number of computers reporting detections in 1H15. - India experienced higher encounter rates for Backdoors, Browser Modifiers, Obfuscators & Injectors, Other Malware, Software Bundlers, Viruses, and Worms than the other locations in Figure 52. - [Turkey had the highest encounter rate for Trojans, led by Win32/Peals and](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) [Win32/Kilim, and Adware, led by Win32/SaverExtension.](http://blogs.technet.com/b/mmpc/archive/2011/10/25/get-gamed-and-rue-the-day.aspx?query=Win32/Kilim) |Category|Worldwide|United States|Brazil|Russia|India|France|Turkey|China|United Kingdom|Mexico|Canada| |---|---|---|---|---|---|---|---|---|---|---|---| ----- - [Canada had the highest encounter rate for Exploits, led by JS/Axpergle, a](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) detection for the Sweet Orange exploit kit. See “Exploit kits” on page 44 for more information. Axpergle encounters also contributed to relatively high encounter rates for Exploits in the United States and United Kingdom. - Russia had the highest encounter rate for Downloaders & Droppers, led by ##### India experienced higher encounter rates for Back- doors, Browser Modifiers, Obfus- cators & Injectors, Other Malware, Software Bundlers, Viruses, and Worms than the other locations. [Win32/Ogimant. Brazil also had a high Downloaders &](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ogimant) [Droppers encounter rate, led by Win32/Banload. (See](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Banload) “Win32/Banload and Banking Malware” on page 21 for more information about Banload in Brazil.) - Though relatively quite rare overall, ransomware was unusually prevalent in North America and Europe, led by [Win32/Crowti, JS/Krypterade, and Win32/Reveton.](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Crowti) - Mexico had a relatively high encounter rate for Worms, [led by Win32/Bondat and VBS/Jenxcus. Computers in Mexico](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Bondat) accounted for nearly a third of Bondat encounters worldwide in 1H15. - Computers in France had a relatively high encounter [rate for Adware, led by Win32/SaverExtension and](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) [Win32/EoRezo.](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/EoRezo) - China had a relatively high encounter rate for Viruses, [led by DOS/JackTheRipper.](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=DOS/JackTheRipper) See “Appendix C: Worldwide encounter and infection rates” on page 127 for more information about malware around the world. Also, see “Linking [Cybersecurity Policy and Performance” at aka.ms/securityatlas for an in-depth](http://aka.ms/securityatlas) examination of the socioeconomic factors that correlate with high infection rates in different parts of the world. **Threat families** Figure 53 and Figure 54 show trends for the top malware families that were detected on computers by Microsoft real-time antimalware products worldwide in 1H15. ----- Figure 53. Quarterly trends for the top 10 malware families encountered by Microsoft real-time antimalware products in 1H15, shaded according to relative encounter rate **Rank** **Family** **Most significant category** **3Q14** **4Q14** **1Q15** **2Q15** 1 [Win32/Obfuscator](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) Obfuscators & Injectors 1.12% 1.08% 1.04% 1.08% 2 [VBS/Jenxcus](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) Worms 1.46% 1.23% 0.92% 0.76% 3 [Win32/Gamarue](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Gamarue) Worms 0.93% 1.00% 0.83% 0.75% 4 [JS/Axpergle](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) Exploits 0.87% 0.86% 0.85% 0.64% 5 [INF/Autorun](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) Obfuscators & Injectors 1.01% 1.07% 0.89% 0.57% 6 [Win32/Peals](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) Trojans — 0.09% 0.46% 0.70% 7 [Win32/Kilim](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Kilim) Trojans 0.24% 0.06% 0.35% 0.71% 8 [Win32/Skeeyah](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Skeeyah) Trojans — — 0.10% 0.70% 9 [Win32/Ramnit](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ramnit) Viruses 0.47% 0.46% 0.43% 0.33% 10 [Win32/Sality](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Sality) Viruses 0.48% 0.47% 0.42% 0.35% Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. Figure 54. Encounter rate trends for a number of notable malware families in 1H15 1.6% 1.4% 1.2% **Win32/Obfuscator** 1.0% **VBS/Jenxcus** **Win32/Gamarue** 0.8% **JS/Kilim** **Win32/Skeeyah** 0.6% **Win32/Peals** **JS/Axpergle** **INF/Autorun** 0.4% 0.2% 0.0% 3Q14 4Q14 1Q15 2Q15 - [Win32/Obfuscator, the most commonly encountered threat in 1H15, is a](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) generic detection for programs that have been modified by malware obfuscation tools. These tools typically use a combination of methods, including encryption, compression, and anti-debugging or anti-emulation techniques, to alter malware programs in an effort to hinder analysis or detection by security products. The output is usually another program that |Rank|Family|Most significant category|3Q14|4Q14|1Q15|2Q15| |---|---|---|---|---|---|---| |1|Win32/Obfuscator|Obfuscators & Injectors|1.12%|1.08%|1.04%|1.08%| |2|VBS/Jenxcus|Worms|1.46%|1.23%|0.92%|0.76%| |3|Win32/Gamarue|Worms|0.93%|1.00%|0.83%|0.75%| |4|JS/Axpergle|Exploits|0.87%|0.86%|0.85%|0.64%| |5|INF/Autorun|Obfuscators & Injectors|1.01%|1.07%|0.89%|0.57%| |6|Win32/Peals|Trojans|—|0.09%|0.46%|0.70%| |7|Win32/Kilim|Trojans|0.24%|0.06%|0.35%|0.71%| |8|Win32/Skeeyah|Trojans|—|—|0.10%|0.70%| |9|Win32/Ramnit|Viruses|0.47%|0.46%|0.43%|0.33%| |10|Win32/Sality|Viruses|0.48%|0.47%|0.42%|0.35%| ----- keeps the same functionality as the original program but with different code, data, and geometry. - [Encounters involving VBS/Jenxcus declined steadily over the past four](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) quarters, but it remained the second-most commonly encountered family in 1H15. Jenxcus is a worm coded in VBScript that opens a backdoor on an infected computer, enabling an attacker to control it remotely. In addition to ##### Win32/Gamarue, the third most commonly en- countered threat in spreading via removable drives, Jenxcus was often transmitted via a fake Adobe Flash Player update from spoofed YouTube webpages. Encounters involving Jenxcus decreased significantly after the Microsoft Digital Crimes Unit launched a takedown operation in June of 2014 that successfully disrupted the Jenxcus botnet. The original owners of the botnet subsequently left the project, but the Jenxcus code is now being used by other criminal organizations. ##### 1H15, was espe- criminal organizations. cially prevalent in See “The Microsoft DCU and the legal side of fighting malware” southeast Asia and on pages 29–32 of Microsoft Security Intelligence Report, Volume _[17 (January–June 2014), available from the Microsoft Download](http://www.microsoft.com/download/details.aspx?id=44937)_ ##### the Middle East. Center, for more information about the Microsoft takedown of the Jenxcus botnet. For additional technical information about Jenxcus, see the following entries in the MMPC blog (blogs.technet.com/mmpc): - [MSRT February 2014 – Jenxcus (February 11, 2014)](http://blogs.technet.com/b/mmpc/archive/2014/02/11/msrt-february-2014-jenxcus.aspx) - [Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware](http://blogs.technet.com/b/mmpc/archive/2014/06/30/microsoft-digital-crimes-unit-disrupts-jenxcus-and-bladabindi-malware-families.aspx) families (June 30, 2014) - [Win32/Gamarue, the third most commonly encountered threat in 1H15, was](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Gamarue) especially prevalent in southeast Asia and the Middle East. Gamarue is commonly distributed via exploit kits and social engineering. Variants have been observed stealing information from the local computer and communicating with command-and-control (C&C) servers managed by attackers. For more information about Gamarue, see the following entries in the MMPC blog at blogs.technet.com/mmpc: - [Get gamed and rue the day… (October 25, 2011)](http://www.bing.com/) - [The strange case of Gamarue propagation (February 27, 2013)](http://blogs.technet.com/b/mmpc/archive/2013/02/27/the-strange-case-of-gamarue-propagation.aspx) - [Win32/Kilim is a family of trojans that makes money for the attacker by](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Kilim) generating fake likes and shares on Facebook. Prior to 2015, Kilim ----- encounters were heavily concentrated in Turkey, and were rare elsewhere. Since then, encounters have increased tenfold from 4Q14 levels, with most of the increase occurring outside Turkey. - [Encounters involving two newly designated generic detections, Win32/Peals](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) [and Win32/Skeeyah, increased rapidly to account for a significant share of](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Skeeyah) encounters worldwide by 2Q15. - [JS/Axpergle, a detection for the Angler exploit kit, is the only exploit-related](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) family in the top ten in 1H15. See “Exploit families” on page 42 for more information about Axpergle and other exploit kits. - [The encounter rate for Win32/Ramnit decreased from 0.52 percent in 1Q15](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ramnit) to 0.40 percent in 2Q15 following its disruption in February by the European Cybercrime Center (EC3) with the assistance of the MMPC. For more [information, see the entry “Microsoft Malware Protection Center assists in](http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protection-center-assists-in-disrupting-ramnit.aspx) [disrupting Ramnit” (February 25, 2015) on the MMPC blog at](http://blogs.technet.com/b/mmpc/archive/2015/02/25/microsoft-malware-protection-center-assists-in-disrupting-ramnit.aspx) blogs.technet.com/mmpc. - Families that dropped out of the list of the most commonly encountered malware families between 2H14 and 1H15 include the downloader families [Win32/Tugspay and Win32/Ogimant and the exploit kit family](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Tugspay) [Win32/Anogre.](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Anogre) Figure 55 and Figure 56 show trends for the top unwanted software families that were detected on computers by Microsoft real-time antimalware products worldwide in 1H15. Figure 55. Quarterly trends for the top five unwanted software families encountered by Microsoft real-time antimalware products in 1H15, shaded according to relative encounter rate |Col1|Family|Most Significant Category|3Q14|4Q14|1Q15|2Q15| |---|---|---|---|---|---|---| |1|Win32/KipodToolsCby|Browser Modifiers|—|—|3.22%|2.03%| |2|Win32/CouponRuc|Browser Modifiers|—|1.80%|2.39%|2.50%| |3|Win32/SaverExtension|Adware|—|—|2.83%|0.83%| |4|Win32/IeEnablerCby|Browser Modifiers|—|—|1.67%|0.11%| |5|Win32/InstalleRex|Software Bundlers|—|—|0.00%|1.34%| ----- Figure 56. Encounter rate trends for the top unwanted software families in 1H15 3.5% 3.0% 2.5% **Win32/CouponRuc** 2.0% **Win32/KipodToolsCby** 1.5% **Win32/InstalleRex** 1.0% **Win32/SaverExtension** 0.5% **Win32/IeEnablerCby** 0.0% 3Q14 4Q14 1Q15 2Q15 - All of the five most commonly encountered unwanted software families in 1H15 were first detected in 4Q14 or 1Q15. - [Win32/KipodToolsCby and Win32/IeEnablerCby are browser modifiers that](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) bypass user consent dialogs to install software without the user’s explicit permission. Microsoft security products started detecting these browser modifiers in January after Microsoft changed its unwanted software detection criteria to include attempts to bypass user consent for actions such as installing new browser add-ons. KipodToolsCby and IeEnablerCby were both encountered at high levels in 1Q15 as Microsoft security products detected and removed large numbers of installations from previous periods. Encounters subsequently decreased significantly in 2Q15, following the removal of these older installations. Figure 57. An add-on consent dialog bar from Internet Explorer 11. Add-ons that disable consent dialogs are now detected as unwanted software. For more information about this change and its ramifications, see the following entries on the MMPC blog at blogs.technet.com/mmpc: - [Staying in control of your browser: New detection changes (October 17,](http://blogs.technet.com/b/mmpc/archive/2014/10/17/staying-in-control-of-your-browser-new-detection-changes.aspx) 2014) ----- - [A timeline of consent and control (December 11, 2014)](http://blogs.technet.com/b/mmpc/archive/2014/12/11/a-timeline-of-consent-and-control.aspx) - [Win32/CouponRuc is an adware program that installs a](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) ##### KipodToolsCby browser extension without user consent. It can prevent the user from removing it or other add-ons normally, or and IeEnablerCby changing other browser settings. ##### are browser modi - [Win32/SaverExtension is an adware program that](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) fiers that bypass displays advertisements on webpages without identifying itself as the source, which is a violation of Microsoft’s user consent objective criteria for classifying unwanted software.[20] It dialogs to install can also install additional browser extensions that the ##### software without user cannot remove normally. ##### the user’s explicit - [Win32/InstalleRex is a software bundler that installs](https://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/InstalleRex) unwanted software, including CouponRuc and permission. SaverExtension. It can be installed by third-party software bundlers. When it installs itself, it alters its own “Installed On” date in Programs and Features to be a year older than the actual date of installation, so that a user who tries to remove it by looking at recently installed programs might have difficulty identifying it. Threat families by platform Malware does not affect all platforms equally. Some threats are spread by exploits that are ineffective against one or more operating system versions. Some threats are more common in parts of the world where specific platforms are more or less popular than elsewhere. In other cases, differences between platforms might be caused by simple random variation. As Figure 58 demonstrates, the threats encountered by client and server platforms tend to be quite different. 20 Microsoft has published the criteria that the company uses to classify programs as unwanted software at [www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx. For programs that have been](http://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx) classified as unwanted software, Microsoft provides a dispute resolution process to allow for reporting of potential false positives and to provide software vendors with the opportunity to request investigation of a rating with which they do not agree. ----- Figure 58. The malware and unwanted software families most commonly encountered on supported Windows client and server platforms in 2Q15 **Most significant** **Most significant** **Client family** **2Q15** **Server family** **2Q15** **category** **category** 1 [Win32/CouponRuc](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) Browser Modifiers 2.56% [Win32/Peals](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) Trojans 0.40% 2 [Win32/KipodToolsCby](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) Browser Modifiers 2.03% [Win32/KipodToolsCby](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) Browser Modifiers 0.38% 3 [Win32/InstalleRex](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/InstalleRex) Software Bundlers 1.41% [Win32/Crowti](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Crowti) Ransomware 0.33% 4 [Win32/Obfuscator](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) Obfuscators & Injectors 1.11% [Win32/Conficker](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Conficker) Worms 0.32% 5 [Win32/AlterbookSP](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/AlterbookSP) Browser Modifiers 0.85% [Win32/AlterbookSP](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/AlterbookSP) Browser Modifiers 0.28% 6 [Win32/SaverExtension](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) Adware 0.85% [Win32/Sality](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Sality) Viruses 0.28% 7 [Win32/Kilim](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Kilim) Trojans 0.71% [Win32/Skeeyah](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Skeeyah) Trojans 0.27% 8 [VBS/Jenxcus](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) Worms 0.71% [Win32/Obfuscator](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) Obfuscators & Injectors 0.24% 9 [Win32/Gamarue](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Gamarue) Worms 0.71% [INF/Autorun](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) Obfuscators & Injectors 0.23% 10 [Win32/Skeeyah](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Skeeyah) Trojans 0.70% [JS/Axpergle](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) Exploits 0.22% Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - Unwanted software was encountered significantly more often on client platforms than on server platforms. Five of the top ten families encountered [by client versions of Windows in 1Q15—Win32/CouponRuc,](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) [Win32/KipodToolsCby, Win32/InstalleRex, Win32/AlterbookSP, and](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) [Win32/SaverExtension—were unwanted software families, compared to just](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) |Col1|Client family|Most significant category|2Q15 Server family|Most significant category|2Q15| |---|---|---|---|---|---| |1|Win32/CouponRuc|Browser Modifiers|2.56% Win32/Peals|Trojans|0.40%| |2|Win32/KipodToolsCby|Browser Modifiers|2.03% Win32/KipodToolsCby|Browser Modifiers|0.38%| |3|Win32/InstalleRex|Software Bundlers|1.41% Win32/Crowti|Ransomware|0.33%| |4|Win32/Obfuscator|Obfuscators & Injectors|1.11% Win32/Conficker|Worms|0.32%| |5|Win32/AlterbookSP|Browser Modifiers|0.85% Win32/AlterbookSP|Browser Modifiers|0.28%| |6|Win32/SaverExtension|Adware|0.85% Win32/Sality|Viruses|0.28%| |7|Win32/Kilim|Trojans|0.71% Win32/Skeeyah|Trojans|0.27%| |8|VBS/Jenxcus|Worms|0.71% Win32/Obfuscator|Obfuscators & Injectors|0.24%| |9|Win32/Gamarue|Worms|0.71% INF/Autorun|Obfuscators & Injectors|0.23%| |10|Win32/Skeeyah|Trojans|0.70% JS/Axpergle|Exploits|0.22%| ##### Attackers often use PHP-based two (KipodToolsCby and AlterbookSP) of the top ten families encountered on servers. The discrepancy reflects the very different ways servers are used to access the Internet, enforced by features such as Enhanced Security Configuration in Internet Explorer. ##### malware to Explorer. compromise  PHP/SimpleShell was only the 515th most prevalent family overall in 2Q15, but ranked 13th on server platforms. ##### vulnerable servers. When installed on a compromised web server, it creates a webpage that an attacker can use to run shell commands on the server. A number of popular content management systems (CMSes) are written in the PHP scripting language, including WordPress, Drupal, and MediaWiki, and attackers often use PHP-based malware to compromise vulnerable servers for purposes such as sending spam and hosting exploit kit landing pages. Figure 59 and Figure 60 demonstrate how detections of the most prevalent malware and unwanted software families in 2Q15 ranked differently on different operating system/service pack combinations. ----- Figure 59. The malware families most commonly encountered by Microsoft real-time antimalware solutions in 2Q15, and how they ranked in prevalence on different platforms **Rank** **Rank** **Rank** **Rank** **Rank** **Family** **Most significant category** **(Windows** **Windows 7** **(Windows 8** **(Windows** **2Q15** **Vista SP2)** **SP1)** **RTM)** **8.1 RTM)** 1 [Win32/Obfuscator](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) Obfuscators & Injectors 2 2 3 1 2 [VBS/Jenxcus](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) Worms 11 5 1 4 3 [Win32/Gamarue](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Gamarue) Worms 9 6 2 3 4 [Win32/Kilim](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Kilim) Trojans 3 3 7 5 5 [Win32/Skeeyah](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Skeeyah) Trojans 4 7 5 2 6 [Win32/Peals](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) Trojans 1 4 6 7 7 [JS/Axpergle](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) Exploits 82 1 340 130 8 [INF/Autorun](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) Obfuscators & Injectors 8 8 4 6 9 [Win32/Sality](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Sality) Viruses 48 9 10 8 10 [Win32/Ramnit](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Ramnit) Trojans 45 13 9 9 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - [Encounters involving JS/Axpergle, a detection for the Angler exploit kit and](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) the only exploit-related family in the top ten in 1H15, were almost entirely confined to computers running Windows 7; although Axpergle ranked first on that platform, it ranked 82nd on Windows Vista and ranked outside the top 100 on Windows 8 and Windows 8.1. The malicious webpages that exploit kits use to spread malware often include scripts that detect certain aspects of the computer’s computing environment and only present their exploits to computers that meet criteria specified by the attacker. The Angler exploit kit clearly affects Windows 7 far more than other platforms, which may partially be caused by the integration of Adobe Flash Player into Internet Explorer in Windows 8 and 8.1. The Angler exploit kit relies heavily on exploiting vulnerabilities in old, out-of-date versions of Flash Player, which must be installed as an add-on and updated separately from Internet Explorer in versions of Windows prior to Windows 8. Because Flash Player is integrated into Internet Explorer in Windows 8 and Windows 8.1, it receives security updates through Windows Update and Microsoft Update along with other operating system components, which makes it easier for users to stay current on security updates for the component. - Apart from Axpergle, the list of the most commonly encountered malware [families was largely consistent from platform to platform. Win32/Peals,](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) |Rank 2Q15|Family|Most significant category|Rank (Windows Vista SP2)|Rank Windows 7 SP1)|Rank (Windows 8 RTM)|Rank (Windows 8.1 RTM)| |---|---|---|---|---|---|---| |1|Win32/Obfuscator|Obfuscators & Injectors|2|2|3|1| |2|VBS/Jenxcus|Worms|11|5|1|4| |3|Win32/Gamarue|Worms|9|6|2|3| |4|Win32/Kilim|Trojans|3|3|7|5| |5|Win32/Skeeyah|Trojans|4|7|5|2| |6|Win32/Peals|Trojans|1|4|6|7| |7|JS/Axpergle|Exploits|82|1|340|130| |8|INF/Autorun|Obfuscators & Injectors|8|8|4|6| |9|Win32/Sality|Viruses|48|9|10|8| |10|Win32/Ramnit|Trojans|45|13|9|9| ----- [Win32/Skeeyah, and Win32/Obfuscator were all among the five most](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Skeeyah) commonly encountered malware platform on each supported client platform. Figure 60. The unwanted software families most commonly encountered by Microsoft real-time antimalware solutions in 2Q15, and how they ranked in prevalence on different platforms **Rank** **Rank** **Rank** **Rank** **Rank** **Most significant** **Family** **(Windows** **Windows 7** **(Windows 8** **(Windows** **2Q15** **category** **Vista SP2)** **SP1)** **RTM)** **8.1 RTM)** 1 [Win32/CouponRuc](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) Browser Modifiers 2 1 1 1 2 [Win32/KipodToolsCby](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) Browser Modifiers 1 2 2 3 3 [Win32/InstalleRex](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/InstalleRex) Software Bundlers 6 4 3 2 4 [Win32/SaverExtension](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) Adware 4 5 4 4 5 [Win32/AlterbookSP](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/AlterbookSP) Browser Modifiers 3 3 5 5 - Unlike malware, unwanted software delivery mechanisms typically make little effort to distinguish between different platforms, and as a result the list of the most commonly encountered unwanted software families is almost identical on each supported platform. **Home and enterprise threats** The usage patterns of home users and enterprise users tend to be very different. Enterprise users typically use computers to perform business functions while connected to a network, and may have limitations placed on their Internet and email usage. Home users are more likely to connect to the Internet directly or through a home router and to use their computers for entertainment purposes, such as playing games, watching videos, shopping, and communicating with friends. These different usage patterns mean that home users tend to be exposed to a different mix of computer threats than enterprise users. The infection telemetry data produced by Microsoft antimalware products and tools includes information about whether the infected computer belongs to an Active Directory Domain Services (AD DS) domain. Such domains are used almost exclusively in enterprise environments, and computers that do not belong to a domain are more likely to be used at home or in other nonenterprise contexts. Comparing the threats encountered by domain-joined computers and non-domain computers can provide insights into the different ways attackers target enterprise and home users and which threats are more likely to succeed in each environment. |Rank 2Q15|Family|Most significant category|Rank (Windows Vista SP2)|Rank Windows 7 SP1)|Rank (Windows 8 RTM)|Rank (Windows 8.1 RTM)| |---|---|---|---|---|---|---| |1|Win32/CouponRuc|Browser Modifiers|2|1|1|1| |2|Win32/KipodToolsCby|Browser Modifiers|1|2|2|3| |3|Win32/InstalleRex|Software Bundlers|6|4|3|2| |4|Win32/SaverExtension|Adware|4|5|4|4| |5|Win32/AlterbookSP|Browser Modifiers|3|3|5|5| ----- Figure 61. Malware encounter rates for domain-based and non-domain computers, 3Q14–2Q15 25% 20% **Non-domain** 15% 10% **Domain** 5% 0% 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. Figure 62. Malware and unwanted software encounter rates for domain-based and non-domain computers, 1H15, by category 7% 6% 5% 4% Domain Non-domain 3% 2% 1% 0% Browser Trojans Worms Adware Exploits Obfuscators Downloaders Viruses Software Backdoors Other Password Ransomware Modifiers & Injectors & Droppers Bundlers Malware Stealers & Monitoring Tools Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - Enterprise environments typically implement defense-in-depth measures, such as enterprise firewalls, that prevent a certain amount of malware from reaching users’ computers. Consequently, enterprise computers tend to ----- encounter malware at a lower rate than consumer computers. As Figure 61 shows, the encounter rate for consumer computers was about 2.5 times as high as the rate for enterprise computers in 1H15. - In addition to encountering less malware in general, computers in enterprise ##### Enterprise computers tend to encounter malware at a lower rate than consumer computers. environments tend to encounter different kinds of threats than consumer computers, as shown in Figure 62. Non-domain computers encountered disproportionate amounts of unwanted software compared to domain-based computers, with Adware, Browser Modifiers, and Software Bundlers each appearing between three and six times as often on non-domain computers. Meanwhile, domain-based computers encountered Password Stealers & Monitoring Tools malware nearly as often as their non-domain counterparts, despite encountering less than half as much malware as non-domain computers overall. - [One password stealer in particular, Win32/Dyzap, was encountered by](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Dyzap) domain-based computers more than four times as often as non-domain computers (an encounter rate of 0.12 percent on domain-based computers, compared to 0.03 percent on non-domain computers.) Dyzap steals login credentials for a long list of banking websites using man-in-the-browser (MITB) attacks. It is usually installed on the infected [computer by the downloader family Win32/Upatre, which is typically](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Upatre) delivered via social engineering techniques that target enterprise audiences (for example, spam messages that mimic business faxes or overnight package delivery notifications). Figure 63 and Figure 64 list the top 10 malware families detected on domainjoined and non-domain computers, respectively, in 1H15. ----- Figure 63. Quarterly trends for the top 10 malware and unwanted software families detected on domain-joined computers in 1H15, by percentage of computers encountering each family **Family** **Most significant category** **1Q15** **2Q15** [Win32/KipodToolsCby](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) Browser Modifiers 0.92% 0.58% [JS/Axpergle](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) Exploits 0.46% 0.45% [Win32/CouponRuc](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) Browser Modifiers 0.42% 0.38% [Win32/Conficker](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Conficker) Worms 0.45% 0.32% [Win32/AlterbookSP](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/AlterbookSP) Browser Modifiers — 0.70% [VBS/Jenxcus](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) Worms 0.34% 0.29% [Win32/Upatre](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Upatre) Downloaders & Droppers 0.42% 0.19% [INF/Autorun](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) Obfuscators & Injectors 0.38% 0.22% [Win32/Peals](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Peals) Trojans 0.18% 0.41% [Win32/SaverExtension](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) Adware 0.47% 0.11% 1.0% 0.9% 0.8% 0.7% 0.6% 0.5% 0.4% 1Q15 0.3% 2Q15 0.2% 0.1% 0.0% Browser Modifiers Worms Exploits Downloaders Obfuscators & Trojans Adware & Droppers Injectors Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. |Family|Most significant category|1Q15|2Q15| |---|---|---|---| |Win32/KipodToolsCby|Browser Modifiers|0.92%|0.58%| |JS/Axpergle|Exploits|0.46%|0.45%| |Win32/CouponRuc|Browser Modifiers|0.42%|0.38%| |Win32/Conficker|Worms|0.45%|0.32%| |Win32/AlterbookSP|Browser Modifiers|—|0.70%| |VBS/Jenxcus|Worms|0.34%|0.29%| |Win32/Upatre|Downloaders & Droppers|0.42%|0.19%| |INF/Autorun|Obfuscators & Injectors|0.38%|0.22%| |Win32/Peals|Trojans|0.18%|0.41%| |Win32/SaverExtension|Adware|0.47%|0.11%| |Win32/KipodToolsCby Win32/CouponRuc Win32/AlterbookSP Browser Modifiers|Win32/Conficker VBS/Jenxcus Worms|JS/Axpergle Exploits|Win32/Upatre Downloaders & Droppers|INF/Autorun Obfuscators & Injectors|Win32/Peals Trojans|Win32/SaverExtension Adware| |---|---|---|---|---|---|---| ----- Figure 64. Quarterly trends for the top 10 malware and unwanted software families detected on non-domain computers in 1H15, by percentage of computers encountering each family **Family** **Most significant category** **1Q15** **2Q15** [Win32/KipodToolsCby](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) Browser Modifiers 3.47% 2.20% [Win32/CouponRuc](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/CouponRuc) Browser Modifiers 2.60% 2.74% [Win32/SaverExtension](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/SaverExtension) Adware 3.09% 0.91% [Win32/Obfuscator](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Obfuscator) Obfuscators & Injectors 1.13% 1.18% [Win32/IeEnablerCby](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/IeEnablerCby) Browser Modifiers 1.83% 0.13% [VBS/Jenxcus](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=VBS/Jenxcus) Worms 0.98% 0.82% [Win32/Gamarue](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Gamarue) Worms 0.89% 0.81% [INF/Autorun](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) Obfuscators & Injectors 0.95% 0.61% [JS/Axpergle](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=JS/Axpergle) Exploits 0.89% 0.66% [Win32/InstalleRex](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/InstalleRex) Software Bundlers 0.004% 1.46% 4.0% 3.5% 3.0% 2.5% 2.0% 1.5% 1Q15 1.0% 2Q15 0.5% 0.0% Browser Modifiers Adware Worms Obfuscators & Injectors Exploits Software Bundlers Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - [Six families—INF/Autorun, JS/Axpergle, Win32/CouponRuc,](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=INF/Autorun) [Win32/KipodToolsCby, VBS/Jenxcus, and Win32/SaverExtension—were](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/KipodToolsCby) common to both lists. All were more frequently encountered on nondomain computers than on domain-joined computers. See “Threat families” on page 74 for more information about these families. |Family|Most significant category|1Q15|2Q15| |---|---|---|---| |Win32/KipodToolsCby|Browser Modifiers|3.47%|2.20%| |Win32/CouponRuc|Browser Modifiers|2.60%|2.74%| |Win32/SaverExtension|Adware|3.09%|0.91%| |Win32/Obfuscator|Obfuscators & Injectors|1.13%|1.18%| |Win32/IeEnablerCby|Browser Modifiers|1.83%|0.13%| |VBS/Jenxcus|Worms|0.98%|0.82%| |Win32/Gamarue|Worms|0.89%|0.81%| |INF/Autorun|Obfuscators & Injectors|0.95%|0.61%| |JS/Axpergle|Exploits|0.89%|0.66%| |Win32/InstalleRex|Software Bundlers|0.004%|1.46%| |Win32/KipodToolsCby Win32/CouponRuc Win32/IeEnablerCby Browser Modifiers|Win32/SaverExtension Adware|VBS/Jenxcus Win32/Gamarue Worms|Win32/Obfuscator INF/Autorun Obfuscators & Injectors|JS/Axpergle Exploits|Win32/InstalleRex Software Bundlers| |---|---|---|---|---|---| ----- - The four families that were unique to the top 10 list for domain-joined computers but not for non-domain computers are the worm family [Win32/Conficker, the browser modifier](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Conficker) [Win32/AlterbookSP, the downloader family](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/AlterbookSP) Conficker was dis[Win32/Upatre, and the trojan family Win32/Peals.](http://www.microsoft.com/security/portal/threat/encyclopedia/search.aspx?query=Win32/Upatre) ##### rupted several - Conficker is a worm that was disrupted several years ago, ##### years ago, but but continues to be encountered in domain environments because of its use of a built-in list of continues to be common and weak passwords to spread between encountered in computers. ##### domain environ - AlterbookSP is a browser add-on that formerly displayed ##### ments because of behaviors of unwanted software. Recent versions of the add-on no longer meet Microsoft detection criteria, and its use of a built-in are no longer considered unwanted software. list of common and - Upatre installs malware and unwanted software on the weak passwords to affected computer without the user’s consent. It is ##### spread between frequently distributed as an attachment to spam email messages. For more information about Upatre and how computers. it spreads, see the following entries in the MMPC blog at blogs.technet.com/mmpc: - [Wire transfer spam spreads Upatre (December 12, 2014)](http://blogs.technet.com/b/mmpc/archive/2014/12/11/wire-transfer-spam-spreads-upatre.aspx) - [Upatre update: infection chain and affected countries (March 12, 2015)](http://blogs.technet.com/b/mmpc/archive/2015/03/12/upatre-update-infection-chain-and-affected-countries.aspx) See “Malware at Microsoft: Dealing with threats in the Microsoft environment” on page 110 for information about the threat landscape on computers at Microsoft and to learn about the actions Microsoft IT takes to protect users, data, and resources. **Security software use** Recent releases of the MSRT collect and report details about the state of realtime antimalware software on a computer, if the computer’s administrator has chosen to opt in to provide data to Microsoft. This telemetry data makes it possible to analyze security software usage patterns around the world and correlate them with infection rates. Figure 65 shows the percentage of computers worldwide that the MSRT found to be protected or unprotected by real-time security software each quarter in 2H14 and 1H15. ----- Figure 65. Percentage of computers worldwide protected by real-time security software, 3Q14–2Q15 80% **Always** **protected** 70% 60% 50% 40% 30% 20% **Unprotected** 10% **Intermittently** **protected** 0% 3Q14 4Q14 1Q15 2Q15 - A typical computer runs the MSRT three times each quarter, once for each monthly version of the tool that Microsoft releases. In Figure 65, “Protected” represents computers that had real-time security software active and up-todate every time the MSRT ran during a quarter; “Intermittently protected” represents computers that had security software active during one or more MSRT executions, but not all of them. “Unprotected” represents computers that did not have security software active during any MSRT executions that quarter. - Overall, about three-fourths of computers worldwide were found to be always protected at every monthly MSRT execution in each of the past four quarters, varying between 71.4 percent and 74.3 percent. - Computers that never reported running security software accounted for between 18.8 and 19.3 percent of computers worldwide each quarter. Intermittently protected computers—those that were found to be running real-time security software during at least one MSRT execution in a quarter, but not all of them—accounted for between 6.4 and 9.9 percent of computers each quarter. Computers that do not run real-time security software are at significantly greater risk of malware infection than computers that do. Figure 66 compares infection rates with protection levels worldwide for each of the last four quarters. ----- Figure 66. Infection rates for protected and unprotected computers, 3Q14–2Q15 25 **Unprotected** 20 **Intermittently** 15 **protected** 10 5 **Always** **protected** 0 3Q14 4Q14 1Q15 2Q15 Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - The MSRT reported that computers that were never found to be running real-time security software during 1H15 were about six times as likely to be infected with malware as computers that were always found to be protected. - Computers that were intermittently protected were about three times more likely to be infected with malware in 1H15 than computers that were always protected. ##### Users who don’t - Users who don’t run real-time security software aren’t always unprotected by choice: a number of prevalent run real-time malware families are capable of disabling some security security software products, potentially without the user even knowing. ##### aren’t always Other users might disable or uninstall security software intentionally because of perceived performance issues, a unprotected by belief that protection is not necessary, or a desire to run choice. programs that would be quarantined or removed by security software. In other cases, users lose up-to-date real-time protection when they don’t renew paid subscriptions for their antimalware software, which might come pre-installed with their computers as limited-time trial software. (See “The challenge of expired security software” on pages 21–28 [of Microsoft Security Intelligence Report, Volume 17 (January–June 2014),](http://www.microsoft.com/download/details.aspx?id=44937) available from the Microsoft Download Center, for more information about ----- the causes and consequences of expired security software.) Whatever the reason, users who don’t have functioning real-time antimalware protection face significantly greater risk from malware infection than users who do, as Figure 66 illustrates. Security software use worldwide Just as infection and encounter rates differ from one country or region to another, so do security software usage rates, as shown in Figure 67. Figure 67. Average security software protection state for the locations with the most computers executing the MSRT in 1H15 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% (Worldwide) China United Japan Germany France United Brazil Russia Canada Italy States Kingdom Protected Intermittent Unprotected - Computers that reported being fully protected in these locations ranged between 67.7 percent and 79.1 percent, with all locations except China and Russia exceeding the worldwide rate of 74.3 percent of computers reporting as fully protected. - Computers that reported being fully unprotected in these locations ranged between 13.6 percent and 22.5 percent, with Russia and China reporting larger percentages of fully unprotected computers than the world overall. - Computers that were protected in some months but not in others accounted for between 4.6 percent and 9.8 percent in these locations. The rate of security software usage in a country or region often correlates with its infection rate. Figure 68 and Figure 69 show the percentage of computers in ----- different countries and regions that reported being fully protected and fully unprotected, respectively, in 2Q15. Figure 68. Percent of computers reporting as Protected during every MSRT execution in 2Q15, by country/region Figure 69. Percent of computers reporting as Unprotected during every MSRT execution in 2Q15, by country/region - The locations with the most computers reporting as fully protected by realtime security software include Finland, with 83.9 percent of computers reporting as fully protected in 2Q15; Denmark, at 79.5 percent; and Norway, at 78.9 percent. Locations with the fewest computers reporting as fully protected include Libya, at 46.9 percent; Iraq, at 53.3 percent; and Azerbaijan, at 57.9 percent. ----- - The ranking of countries and regions by unprotected rate is largely an inverse of their ranking according to protected rate. The locations with the fewest computers reporting as fully unprotected include Finland, at 10.4 percent; Denmark, at 14.2 percent; and the Czech Republic, at 14.4 percent. Locations with the most computers reporting as fully unprotected include Libya, at 41.7 percent; Iraq, at 39.5 percent; and Azerbaijan, at 32.5 percent. Countries and regions with high percentages of computers reporting as fully unprotected also tend to have high infection rates, as Figure 70 shows. Figure 70. Infection rates for the locations with the highest percentage of computers reporting as fully unprotected in 1H15 **1H15 average** **Unprotected** **Unprotected** **Country/region** **CCM 1Q15** **CCM 2Q15** **unprotected %** **CCM 1Q15** **CCM 2Q15** Libya 40.76% 61.0 69.8 126.8 145.5 Iraq 39.29% 76.6 80.2 178.0 187.8 Azerbaijan 32.19% 29.0 34.1 72.5 80.7 Mongolia 32.19% 66.8 77.6 178.4 202.3 Morocco 32.19% 58.2 66.6 162.7 181.5 Palestinian Authority 32.18% 59.5 68.7 157.3 182.0 Jordan 31.04% 36.6 45.3 98.8 120.4 Turkey 30.24% 22.5 26.3 59.7 63.6 Lebanon 30.22% 31.7 42.5 90.9 114.3 Vietnam 29.71% 30.4 35.8 77.6 92.6 _Worldwide_ _19.11%_ _5.4_ _8.4_ _15.7_ _20.7_ Figures do not include Brantall, Rotbrow, and Filcout. See “Brantall, Rotbrow, and Filcout” on page 60 for more information. - The locations in the table all had overall infection rates ranging between 3.1 and 14.2 times as high as the worldwide average each quarter. - The infection rates for fully unprotected computers in these locations ranged between 3.1 and 11.4 times as high as the infection rates for fully unprotected computers worldwide, and between 7.6 and 33.0 times as high as the infection rates for all computers worldwide. In Mongolia, the location with the highest infection rates in Figure 70, the MSRT detected and removed malware on 20.2 percent of the fully unprotected computers that executed it at least once in 2Q15 (a CCM of 202.3). |Country/region|1H15 average unprotected %|CCM 1Q15|CCM 2Q15|Unprotected CCM 1Q15|Unprotected CCM 2Q15| |---|---|---|---|---|---| |Libya|40.76%|61.0|69.8|126.8|145.5| |Iraq|39.29%|76.6|80.2|178.0|187.8| |Azerbaijan|32.19%|29.0|34.1|72.5|80.7| |Mongolia|32.19%|66.8|77.6|178.4|202.3| |Morocco|32.19%|58.2|66.6|162.7|181.5| |Palestinian Authority|32.18%|59.5|68.7|157.3|182.0| |Jordan|31.04%|36.6|45.3|98.8|120.4| |Turkey|30.24%|22.5|26.3|59.7|63.6| |Lebanon|30.22%|31.7|42.5|90.9|114.3| |Vietnam|29.71%|30.4|35.8|77.6|92.6| |Worldwide|19.11%|5.4|8.4|15.7|20.7| ----- Security software use by platform Protection rates can also vary by operating system, as shown in Figure 71. Figure 71. Average quarterly security software protection state for supported client versions of Windows in 1H15 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Windows Vista SP2 Windows 7 SP1 Windows 8 RTM Protected Intermittent Unprotected - Only 10.0 percent of computers running Windows 8.1 reported being unprotected during every MSRT execution each quarter on average, about half of the rate reported by computers running any other supported client version of Windows. At the same time, Windows 8.1 had a higher rate of intermittent protection than any other platform, primarily because of active security products expiring during the period. In most cases, this is probably because of commercial security products pre-installed on new computers with trial subscriptions that expire within a few months unless the purchaser pays to extend the subscription. - The reasons computers go unprotected can vary significantly by platform, as Figure 72 illustrates. ----- Figure 72. Status reported by unprotected computers running supported client versions of Windows in 1H15 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% Windows Vista SP2* Windows 7 SP1* Windows 8 RTM Windows 8.1 RTM Expired Off Out of date No AV installed Snoozed - Windows Vista and Windows 7 do not report expired subscriptions. - On Windows Vista and Windows 7, unprotected computers predominantly report having no antimalware software installed at all. On Windows 8 and Windows 8.1, Windows Defender is enabled by default if no other antimalware software is present, so the number of computers reporting no antimalware software is very low. - On Windows 8 and Windows 8.1, expired versions of commercial antimalware products that are no longer receiving signature updates account for the largest percentage of unprotected computers. **Advanced Threat Protection takes malware defense to the next level** Computer security is a constant arms race: security professionals and antimalware vendors continually seek ways to better protect computers and people from harm, while attackers continually look for ways to defeat those protections. Conventional antimalware products offer protection against known threats, but are significantly less effective against unknown and unidentifiable malware. The advent of targeted attack groups, such as the one described in “STRONTIUM: A profile of a persistent and motivated adversary” beginning on page 3, has raised the bar for defenders, as these groups often have the resources to craft custom malware variants and test them against popular security products to ensure that they will not be detected. Although security ----- ----- ensure that they will not be detected. By the time detection signatures are available to stop such a threat, it may have already compromised the organization. Exchange Online Advanced Threat Protection adds a new layer of defense against email-borne threats that uses behavioral analysis to detect incoming files that may be harmful, and blocks them before they can reach their intended recipients. When an incoming message includes a potentially dangerous attached file, Exchange Online launches it in a detonation chamber—a virtual sandboxed environment in which potential threats can run without posing harm to any other resources—and monitors it for malicious behavior such as suspicious registry changes, attempts to access memory dumps, changes to executables, and other actions that malware characteristically takes. This monitoring makes it possible to detect and block threats that have never been seen before and for which no detection signatures are available. Exchange Online Advanced Threat Protection includes anti-sandbox detection features such as vulnerability detection to combat advanced threats that avoid taking malicious actions when they determine they are being run in a virtual machine. Figure 74. Exchange Online Advanced Threat Protection notifies administrators when malware is detected Administrators can configure how Exchange Online reacts when it determines that an attachment contains malware. Exchange Online can be configured to block delivery of the message, notify administrators, and include a copy of the blocked message so they can analyze it themselves and determine whether additional action is necessary. The process of analyzing a message typically takes about four to five minutes; administrators can set a 30 minute time limit for ----- ----- Figure 76. Exchange Online Advanced Threat Protection blocks malicious links in email messages Exchange Online Advanced Threat Protection can be configured to track when users clicks malicious links to help administrators monitor potential targeted attacks and determine which computers may have been exposed to malware. Customers with privacy or compliance concerns can disable the link tracking feature. Advanced Threat Protection is available for subscribers of select Exchange or Office 365 plans for an additional small per-user fee. For more information, see https://products.office.com/exchange/online-email-threat-protection. **Guidance: Defending against malware** Effectively protecting users from malware requires an active effort on the part of [organizations and individuals. For in-depth guidance, see Help prevent malware](http://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx) [infection on your PC at the Microsoft Malware Protection Center website at](http://www.microsoft.com/security/portal/mmpc/shared/prevention.aspx) www.microsoft.com/mmpc. For help understanding the threats that pose the greatest risk to your [environment and how to defend against them, see “Fixing the #1 Problem in](https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a) [Computer Security: A Data-Driven Defense,” available from Microsoft TechNet.](https://gallery.technet.microsoft.com/Fixing-the-1-Problem-in-2e58ac4a) ----- ## Malicious websites ###### Attackers often use websites to conduct phishing attacks or distribute malware. Malicious websites typically appear to be completely legitimate, and provide no outward indicators of their malicious nature even to experienced computer users. In many cases, these sites are legitimate websites that have been compromised by malware, SQL injection, or other techniques in efforts by attackers to take advantage of the trust users have invested in such sites. To help protect users from malicious webpages, Microsoft and other browser vendors have developed filters that keep track of sites that host malware and phishing attacks and display prominent warnings when users try to navigate to them. The information in this section is compiled from a variety of sources, including telemetry data produced by SmartScreen Filter (in Internet Explorer versions 8 through 11 and pre-release versions of Microsoft Edge) and the Phishing Filter (in Internet Explorer 7), from a database of known active phishing and malware hosting sites reported by users of Internet Explorer and other Microsoft products and services, and from malware data provided by Microsoft antimalware technologies. (See “Appendix B: Data sources” on page 125 for more information about the products and services that provided data for this report.) ----- Figure 77. SmartScreen Filter in Internet Explorer blocks reported phishing and malware distribution sites to protect users **Phishing sites** Microsoft gathers information about phishing sites and impressions from _phishing impressions that are_ generated by users who choose to enable the Phishing Filter or SmartScreen Filter.[21] A phishing impression is a single instance of a user attempting to visit a known phishing site with SmartScreen Filter enabled and being warned, as illustrated in Figure 78. 21 See “Appendix B: Data sources” on page 129 for information about the products and services used to provide data for this report. ----- Figure 78. How Microsoft tracks phishing impressions Figure 79 illustrates the volume of phishing impressions tracked by SmartScreen Filter each month from February through July of 2015, compared to the volume of distinct phishing URLs visited. Figure 79. Phishing sites and impressions reported by SmartScreen Filter, February–July 2015, relative to the monthly average for each ----- - Numbers of active phishing sites and phishing impressions both increased between February and July, indicative of a general increase in phishing activity. Because phishers are frequently observed using campaigns to drive large amounts of traffic to a relatively small number of pages, however, the two metrics are generally not strongly correlated, and the dual increase through June and July may be largely coincidental. Target institutions Some types of sites tend to consistently draw many more impressions per site than others. Figure 80 shows the breakdown of phishing impressions by category as reported by SmartScreen Filter. Figure 80. Impressions reported by SmartScreen Filter for each type of phishing site, February–July 2015 60% 50% 40% 30% Impressions Sites 20% 10% 0% Online Services Financial Sites Social Networking E-Commerce Gaming - Financial institutions have always been popular phishing targets because of their potential for providing direct illicit access to victims’ bank accounts. Sites that targeted financial institutions accounted for the largest number of active phishing attacks during the period, as well as the second largest number of impressions. (See “Win32/Banload and Banking Malware” on page 21 for information about regional problems with banking malware in Brazil.) ----- - Phishing sites that targeted online services received the largest share of impressions during the period, and accounted for the second largest number of active phishing URLs. - The other three categories each accounted for a small percentage of both sites and impressions. Global distribution of phishing sites and clients Phishing impression information from SmartScreen Filter includes anonymized information about the IP addresses of the clients making the reports, as well as the IP addresses of the phishing sites themselves. Performing geographic lookups on these addresses makes it possible to analyze patterns among both the computers that host phishing sites and the users that they target. Figure 81. Phishing sites per 1,000 Internet hosts for locations around the world in 1H15 - SmartScreen Filter detected approximately 5.0 phishing sites per 1,000 Internet hosts worldwide in 1H15. - Locations hosting higher than average concentrations of phishing sites include Bulgaria (98.5 per 1,000 Internet hosts in 1Q15), Libya (15.6), and Belize (14.5). Locations with low concentrations of phishing sites include Taiwan (1.2), the United Arab Emirates (1.4), and Korea (1.6). **Malware hosting sites** SmartScreen Filter helps provide protection against sites that are known to host malware, in addition to phishing sites. SmartScreen Filter uses file and URL ----- reputation data and Microsoft antimalware technologies to determine whether sites distribute unsafe content. As with phishing sites, Microsoft collects anonymized data regarding how many people visit each malware hosting site and uses the information to improve SmartScreen Filter and to better combat malware distribution. Figure 82. SmartScreen Filter in Internet Explorer displays a warning when a user attempts to download an unsafe file Figure 83 compares the volume of active malware hosting sites in the Microsoft database each month with the volume of malware impressions tracked. Figure 83. Malware hosting sites and impressions tracked each month, February–July 2015, relative to the monthly average for each 180% 160% 140% **Sites** 120% **Impressions** 100% **_Average_** 80% 60% 40% 20% 0% February March April May June July - As with phishing sites and impressions, malware hosting sites and impressions rarely correlate strongly with one another. The number of impressions remained largely stable each month from February through July, while the number of active malware hosting sites tracked by SmartScreen Filter increased sharply from February to April, then retreated to lower levels for the remainder of the period. ----- Global distribution of malware hosting sites and clients Figure 84 shows the geographic distribution of malware hosts and computers reporting impressions in 1H15. Figure 84. Malware distribution sites per 1,000 Internet hosts for locations around the world in 1H15 - SmartScreen Filter detected approximately 16.7 malware hosting sites per 1,000 Internet hosts worldwide in 1H15. - Locations with large concentrations of malware hosting sites included Brazil (41.0 per 1,000 Internet hosts in 1H15), Costa Rica (38.8), and Russia (23.9). Locations with low concentrations of malware hosting sites included Taiwan (2.8), Saudi Arabia (4.3), and Finland (4.4). **Drive-by download sites** A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. Drive-by download pages are usually hosted on legitimate websites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or by posting malicious code to a poorly secured web form, like a comment field on a blog. Compromised sites can be hosted anywhere in the world and concern nearly any subject imaginable, making it difficult for even an experienced user to identify a compromised site from a list of search results. ----- Figure 85. One example of a drive-by download attack Search engines such as Bing have taken a number of measures to help protect users from drive-by downloads. As Bing indexes webpages, they are assessed for malicious elements or malicious behavior. Because the owners of compromised sites are usually victims themselves, the sites are not removed from the Bing index. Instead, clicking the link in the list of search results displays a prominent warning, saying that the page may contain malicious software, as shown in Figure 86. Figure 86. A drive-by download warning from Bing ----- Figure 87 shows the concentration of drive-by download pages in countries and regions throughout the world at the end of 1Q15 and 2Q15, respectively. Figure 87. Drive-by download pages indexed by Bing at the end of 1Q15 (top) and 2Q15 (bottom), per 1,000 URLs in each country/region - Each map shows the concentration of drive-by download URLs tracked by Bing in each country or region on a reference date at the end of the associated quarter, expressed as the number of drive-by download URLs per every 1,000 URLs hosted in the country/region. - Significant locations with high concentrations of drive-by download URLs in both quarters include Panama, with 8.7 drive-by URLs for every 1,000 URLs tracked by Bing at the end of 2Q15; Vietnam, with 3.0; and Russia, with 1.7. ----- **Guidance: Protecting users from unsafe websites** One of the best ways organizations can protect their users from malicious and compromised websites is by mandating the use of web browsers with appropriate protection features built in and by promoting safe browsing practices. For in-depth guidance, see “Top security solutions” at [www.microsoft.com/security/pc-security/solutions.aspx.](http://www.microsoft.com/security/pc-security/solutions.aspx) ----- ## Mitigating risk **Malware at Microsoft: Dealing with threats in the** **Microsoft environment ........................................................... 111** ----- ----- ## Malware at Microsoft: Dealing with threats in the Microsoft environment **_Microsoft IT_** _Microsoft IT provides information technology services internally for Microsoft_ _employees and resources. Microsoft IT manages more than 600,000 devices for_ _more than 150,000 users across more than 100 countries and regions worldwide._ _Safeguarding a computing infrastructure of this size requires implementation of_ _strong security policies, technology to help keep malware off the network and_ _away from mission-critical resources, and dealing with malware outbreaks swiftly_ _and comprehensively when they occur._ This section of the report compares the potential impact of malware to the levels of antimalware compliance from more than 500,000 workstation computers and devices managed by Microsoft IT between January and June 2015. This data is compiled from multiple sources, including System Center Endpoint Protection (SCEP), Windows Defender, DirectAccess, forensics, and manual submission of suspicious files. Comparing the nature and volume of the malware detected on these computers to the level of protection they receive can illustrate significant trends and provide insights as to the effectiveness of antimalware software and security best practices. **Antimalware usage** Real-time antimalware software is required on all user devices that connect to the Microsoft corporate network. System Center Endpoint Protection 2012 (SCEP) and Windows Defender are the antimalware solutions that Microsoft IT deploys to its users. To be considered compliant with antimalware policies and standards, user computers must be running the latest version of the SCEP or Defender client, antimalware signatures must be no more than six days old, and real-time protection must be enabled. ----- Figure 88 shows the level of antimalware noncompliance in the Microsoft user workstation environment for each month in 1H15. Figure 88. Percentage of computers at Microsoft running real-time antimalware software in 1H15 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% 0% January February March April May June Despite a small drop in compliance at the beginning of the year that was mostly related to internal testing of current and future versions of Windows, the average monthly compliance rate at Microsoft exceeded 98 percent during the first half of the year. In any network of this size, it is almost inevitable that a small number of computers will be in a noncompliant state at any given time. In most cases, these are computers that are being rebuilt or are otherwise in a state of change when online, rather than computers that have had their antimalware software intentionally disabled. Microsoft IT believes that a compliance rate in excess of 98 percent among approximately half a million computers is an acceptable level of compliance. In most cases, attempting to boost a large organization’s compliance rate the rest of the way to 100 percent will likely be a costly endeavor, and the end result— 100 percent compliance—will be unsustainable over time. **Malware detections** Figure 89 shows the categories of malware and unwanted software that were most frequently detected at Microsoft in 1H15. ----- Figure 89. Top categories of malware and unwanted software detected by System Center Endpoint Protection at Microsoft in 1H15 1,400,000 1,200,000 1,000,000 800,000 600,000 400,000 200,000 0 Adware Downloaders Browser Trojans Exploits Other Worms Viruses Backdoors Password & Droppers Modifiers Malware Stealers & Monitoring Tools In this section, malware detections are defined as files and processes flagged by SCEP, regardless of the success or failure of automated containment or remediation. Malware detections are a measure of attempted malware activity, and do not necessarily indicate that a computer has been successfully infected. (Note that the methodology for assessing encounters used elsewhere in this report counts unique computers with detections, an approach that differs from the methodology used in this section, in which individual detections are counted. For example, if a computer encountered one trojan family in February and another one in June, it would only be counted once for the purposes of figures such as Figure 49 on page 70. In the preceding Figure 89, it would be counted twice, once for each detection.) Adware was the most prevalent category, with nearly one and a half times as many detections as all other categories combined. The outsized number of internal adware detections is caused by a pilot project that MSIT has undertaken with the Microsoft Security Response Center (MSRC) to improve detection of adware and other unwanted software. As this work is evaluated and found to produce valid and satisfactory results, any improved detection methods will be incorporated into Microsoft security products for the benefit of customers and end users. ----- Figure 90 shows the top 10 file types among threat detections at Microsoft in 1H15. Figure 90. Top ten file types used by threats detected at Microsoft in 1H15 1,400,000 1,200,000 1,000,000 800,000 600,000 400,000 200,000 0 .exe .dll .tmp .temp .xml .host .xls .htm .mp3 .lnk Executable program files with the .exe extension were the most commonly detected type of malicious file at Microsoft by a large margin. Many of these detections were related to the joint effort between MSIT and the MSRC to improve detection of unwanted software, as noted earlier. Malicious .dll files were the next most common type of threats, followed by the .tmp and .temp extensions, typically used for temporary files. Transmission vectors Examining the processes targeted by malware can help illustrate the methods that attackers use to propagate it. Figure 91 lists the top five transmission vectors used by the malware encountered at Microsoft in 1H15. ----- Figure 91. The top five transmission vectors used by malware encountered at Microsoft in 1H15 **Rank** **Description** 1 Web browsing 2 File transfers in the operating system 3 Scheduled tasks in the operating system 4 Cloud backup/storage 5 File transfer applications The transmission vector most commonly used by infection attempts detected on Microsoft computers in 1H15 involved web browsing, followed by file transfers made through Windows Explorer and scheduled operating system tasks. Cloud backup and storage services were fourth, followed by file transfer applications, including peer-to-peer (P2P) applications. **Malware infections** Because almost all of the computers at Microsoft run real-time security software at all times, most infection attempts are detected and blocked before they are able to infect the target computer. When Defender or SCEP do disinfect a computer, it is usually because the software’s signature database has been updated to enable it to detect a threat that it did not recognize when the computer first encountered the threat. This lack of recognition may be because the threat is a new malware family, a new variant of a known family, a known variant that has been encrypted or otherwise repackaged to avoid detection, or because of some other reason. The MMPC constantly analyzes malware samples submitted to it, develops appropriate detection signatures, and deploys them to customers who use SCEP, Microsoft Security Essentials, and Windows Defender. Figure 92 shows the most commonly detected categories of malware and unwanted software that SCEP and Defender removed from computers at Microsoft between January and June of 2015. |Rank|Description| |---|---| |1|Web browsing| |2|File transfers in the operating system| |3|Scheduled tasks in the operating system| |4|Cloud backup/storage| |5|File transfer applications| ----- Figure 92. Infections and removals at Microsoft in 1H15, by category 35 30 25 20 15 10 5 0 Downloaders & Trojans Backdoors Worms Software Obfuscators & Other Malware Droppers Bundlers Injectors As this chart shows, detection and infection statistics were significantly different in 1H15. Adware, which accounted for more than 1.2 million detections at Microsoft in 1H15, was not discovered on a single computer internally during the period. Most of the other categories also show clear differences between Figure 89 and Figure 92, although the ordering in the latter chart is significantly influenced by the low volumes involved. Figure 93 shows the top 10 file types used by malware to infect computers at Microsoft in 1H15. ----- Figure 93. Infections and removals at Microsoft in 1H15, by file type 30 25 20 15 10 5 0 .exe .doc .bin .scr ._ .js .txt .chm Figure 93 is important because it provides information about threats that Defender and SCEP did not detect when they were first encountered—and therefore provides a clue about the areas in which malware authors have been focusing their efforts in recent months. More than half of the malicious files removed from computers at Microsoft by Defender and SCEP in 1H15 had the extension .exe, used by executable program files, with seven extensions accounting for the remaining files. The .doc extension used for Microsoft Word binary files was next, followed by .bin, .scr, and “._”, an extension consisting of a single underscore. Four other file types each accounted for a single removal. **What IT departments can do to protect their users** - Evaluate commercially available management tools, develop a plan, and implement a third-party update mechanism to disseminate non-Microsoft updates. - Ensure that all software deployed on computers in the environment is updated regularly. If the software provider offers an automatic update utility [similar to Microsoft Update, ensure that it is enabled by default. See “Turn](http://windows.microsoft.com/en-us/windows/turn-automatic-updating-on-off) [automatic updating on or off” at windows.microsoft.com for instructions on](http://windows.microsoft.com/en-us/windows/turn-automatic-updating-on-off) enabling automatic updates of Microsoft software. ----- - Ensure that SmartScreen Filter is enabled in Internet Explorer. See [“SmartScreen Filter: frequently asked questions” at windows.microsoft.com](http://windows.microsoft.com/en-US/internet-explorer/use-smartscreen-filter) for more information. - Use Group Policy to enforce configurations for Windows Update, Windows [Firewall, and SmartScreen Filter. See Knowledge Base article KB328010 at](http://support.microsoft.com/kb/328010) [support.microsoft.com, and “Windows Firewall with Advanced Security](https://technet.microsoft.com/library/jj717241.aspx) [Deployment Guide” and “Manage Privacy: SmartScreen Filter and Resulting](https://technet.microsoft.com/library/jj717241.aspx) [Internet Communication” at technet.microsoft.com for instructions.](http://technet.microsoft.com/library/jj618329.aspx) - Set the default configuration for antimalware to enable real-time protection across all drives, including removable devices. - [Enable Microsoft Active Protection Service (MAPS) advanced membership in](http://blogs.technet.com/b/mmpc/archive/2015/01/20/maps-in-the-cloud_3A00_-how-can-it-help-your-enterprise_3F00_.aspx) Windows Defender and Microsoft Security Essentials in your organization to protect your enterprise software security infrastructure in the cloud. Figure 94. Enabling MAPS advanced membership in Windows Defender - Identify business dependencies on Java and develop a plan to minimize its use where it is not needed. - Use AppLocker to block the installation and use of unwanted software such [as Java or peer-to-peer (P2P) applications. See “AppLocker: Frequently](http://technet.microsoft.com/library/ee619725(v=WS.10).aspx) [Asked Questions” at technet.microsoft.com for more information.](http://technet.microsoft.com/library/ee619725(v=WS.10).aspx) ----- - Implement the Enhanced Mitigation Experience Toolkit (EMET), if possible, to minimize exploitation of vulnerabilities in all software in your [environment. See technet.microsoft.com/security/jj653751 for more](http://technet.microsoft.com/security/jj653751) information. - Implement strong password policies, and require employees to change their passwords periodically. - [Strengthen authentication by using smart cards. See “Smart Cards” at](http://technet.microsoft.com/library/dd277362.aspx) technet.microsoft.com for more information. Use Network Access Protection (NAP) and DirectAccess (DA) to enforce compliance policies for firewall, antimalware, and patch management on remote [systems that connect to a corporate network. See “Network Access Protection”](http://msdn.microsoft.com/library/windows/desktop/aa369712(v=vs.85).aspx) [at msdn.microsoft.com and “Windows 7 DirectAccess Explained” at](http://technet.microsoft.com/video/windows-7-directaccess-explained.aspx) technet.microsoft.com for more information. ----- ----- ## Appendixes **Appendix A: Threat naming conventions .............................. 123** **Appendix B: Data sources ........................................................... 125** **Appendix C: Worldwide encounter and infection rates .... 127** **Glossary ............................................................................................. 132** **Threat families referenced in this report................................ 141** **Index ..................................................................................................148** ----- ----- ## Appendix A: Threat naming conventions Microsoft names the malware and unwanted software that it detects according to the Computer Antivirus Research Organization (CARO) Malware naming scheme. This scheme uses the following format: Figure 95. The Microsoft malware naming convention When Microsoft analysts research a particular threat, they will determine what each of the components of the name will be. **Type** The type describes what the threat does on a computer. Worms, trojans, and viruses are some of the most common types of threats Microsoft detects. **Platform** The platform refers to the operating system (such as Windows, Mac OS X, and Android) that the threat is designed to work on. Platforms can also include programming languages and file formats. **Family** A group of threats with the same name is known as a family. Sometimes different security software companies use different names. ----- **Variant letters** Variant letters are used sequentially for each different version or member of a family. For example, the detection for the variant “.AF” would have been created after the detection for the variant “.AE.” **Additional information** Additional information is sometimes used to describe a specific file or component that is used by another threat in relation to the identified threat. In the preceding example, the !lnk indicates that the threat is a shortcut file used by the Backdoor:Win32/Caphaw.D variant, as shortcut files usually use the extension .lnk. ----- ## Appendix B: Data sources Data included in the Microsoft Security Intelligence Report is gathered from a wide range of Microsoft products and services whose users have opted in to provide usage data. The scale and scope of this telemetry data allows the report to deliver the most comprehensive and detailed perspective on the threat landscape that is available in the software industry: - [Bing, the search and decision engine from Microsoft, contains technology](http://www.microsoft.com/security/portal/) that performs billions of webpage scans per year to seek out malicious content. After such content is detected, Bing displays warnings to users about it to help prevent infection. - [Exchange Online is Microsoft’s hosted email service for business. Exchange](https://products.office.com/exchange/exchange-online) Online antimalware and antispam services scan billions of messages every year to identify and block spam and malware. - [The Malicious Software Removal Tool (MSRT) is a free tool that Microsoft](http://www.microsoft.com/security/pc-security/malware-removal.aspx) designed to help identify and remove specific prevalent malware families from customer computers. The MSRT is primarily released as an important update through Windows Update, Microsoft Update, and Automatic Updates. A version of the tool is also available from the Microsoft Download Center. The MSRT was downloaded and executed more than 600 million times each month on average in 1H15. The MSRT is not a replacement for an up-to-date real-time antivirus solution. - [The Microsoft Safety Scanner is a free downloadable security tool that](http://www.microsoft.com/security/scanner) provides on-demand scanning and helps remove malware and other malicious software. The Microsoft Safety Scanner is not a replacement for an up-to-date antivirus solution, because it does not offer real-time protection and cannot prevent a computer from becoming infected. - [Microsoft Security Essentials is a free, easy-to-download real-time](http://windows.microsoft.com/en-us/windows/security-essentials-all-versions) protection product that provides basic, effective antivirus and antispyware protection for Windows Vista and Windows 7. - [Microsoft System Center Endpoint Protection (formerly Forefront Client](https://technet.microsoft.com/en-us/library/hh508836.aspx) Security and Forefront Endpoint Protection) is a unified product that provides protection from malware and unwanted software for enterprise desktops, laptops, and server operating systems. It uses the Microsoft ----- Malware Protection Engine and the Microsoft antivirus signature database to provide real-time, scheduled, and on-demand protection. - [Office 365 is the Microsoft Office subscription service for business and home](http://products.office.com/business) users. Select business plans include access to Exchange Online with Advanced Threat Protection. - [SmartScreen Filter, a feature in Internet Explorer and Microsoft Edge, offers](http://windows.microsoft.com/en-US/internet-explorer/use-smartscreen-filter) users protection against phishing sites and sites that host malware. Microsoft maintains a database of phishing and malware sites reported by users of Internet Explorer and other Microsoft products and services. When a user attempts to visit a site in the database with the filter enabled, the browser displays a warning and blocks navigation to the page. - [Windows Defender in Windows 8 and Windows 8.1 provides real-time](http://www.microsoft.com/security/pc-security/windows-defender.aspx) scanning and removal of malware and unwanted software. - [Windows Defender Offline is a downloadable tool that can be used to create](http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline) a bootable CD, DVD, or USB flash drive to scan a computer for malware and other threats. It does not offer real-time protection and is not a substitute for an up-to-date antimalware solution. Figure 96. US privacy statements for the Microsoft products and services used in this report |Product or service|Privacy statement URL| |---|---| |Bing|www.microsoft.com/en-us/privacystatement/default.aspx| |Exchange Online|www.microsoft.com/online/legal/v2/?docid=22&langid=en-us| |Internet Explorer 11|windows.microsoft.com/en-us/internet-explorer/ie11-preview-privacy-statement| |Malicious Software Removal Tool|www.microsoft.com/security/pc-security/msrt-privacy.aspx| |Microsoft Security Essentials|windows.microsoft.com/en-us/windows/security-essentials-privacy| |Microsoft Safety Scanner|www.microsoft.com/security/scanner/en-us/privacy.aspx| |Office 365|www.microsoft.com/online/legal/v2/?docid=22&langid=en-us| |System Center Endpoint Protection|https://www.microsoft.com/privacystatement/en-us/SystemCenter2012R2/ Default.aspx#tilepspSystemCenter2012R2EndpointProtectionModule| |Windows Defender in Windows 8.1|windows.microsoft.com/en-us/windows-8/windows-8-1-privacy- statement#T1=supplement§ion_43| |Windows Defender Offline|windows.microsoft.com/en-us/windows/windows-defender-offline-privacy| ----- ## Appendix C: Worldwide encounter and infection rates “Malware and unwanted software” on page 58 explains how threat patterns differ significantly in different parts of the world. Figure 97 shows the infection and encounter rates for 1Q15 and 2Q15 for locations around the world.[22] See page 58 for information about how infection and encounter rates are calculated. Figure 97. Encounter and infection rates for locations around the world, 1Q15–2Q15, by quarter (100,000 computers reporting minimum) **Encounter** **Encounter** **Country/region** **CCM 1Q15** **CCM 2Q15** **rate 1Q15** **rate 2Q15** _Worldwide_ _17.3%_ _14.8%_ _5.4_ _8.4_ Albania 37.6% 31.1% 35.2 36.8 Algeria 45.5% 39.7% 54.0 57.2 Angola — — 35.5 40.9 Argentina 23.7% 21.4% 8.0 15.7 Armenia 35.3% 26.6% 11.6 13.5 Australia 11.9% 11.2% 2.2 5.0 Austria 12.8% 10.7% 2.1 4.1 Azerbaijan 31.9% 24.4% 29.0 34.1 The Bahamas — — 9.0 17.3 Bahrain 0.0% 21.8% 18.8 29.0 Bangladesh 43.2% 39.7% 29.8 32.8 Barbados — — 4.1 12.0 Belarus 29.9% 22.4% 7.3 8.8 Belgium 16.0% 13.5% 2.4 6.0 Bolivia 26.3% 24.1% 16.7 24.6 22 Encounter rate and CCM are shown for locations with at least 100,000 computers running Microsoft realtime security products and the Malicious Software Removal Tool, respectively, during a quarter. Only computers whose users have opted in to provide data to Microsoft are considered when calculating encounter and infection rates. |Country/region|Encounter rate 1Q15|Encounter rate 2Q15|CCM 1Q15|CCM 2Q15| |---|---|---|---|---| |Worldwide|17.3%|14.8%|5.4|8.4| |Albania|37.6%|31.1%|35.2|36.8| |Algeria|45.5%|39.7%|54.0|57.2| |Angola|—|—|35.5|40.9| |Argentina|23.7%|21.4%|8.0|15.7| |Armenia|35.3%|26.6%|11.6|13.5| |Australia|11.9%|11.2%|2.2|5.0| |Austria|12.8%|10.7%|2.1|4.1| |Azerbaijan|31.9%|24.4%|29.0|34.1| |The Bahamas|—|—|9.0|17.3| |Bahrain|0.0%|21.8%|18.8|29.0| |Bangladesh|43.2%|39.7%|29.8|32.8| |Barbados|—|—|4.1|12.0| |Belarus|29.9%|22.4%|7.3|8.8| |Belgium|16.0%|13.5%|2.4|6.0| |Bolivia|26.3%|24.1%|16.7|24.6| ----- |Country/region|Encounter rate 1Q15|Encounter rate 2Q15|CCM 1Q15|CCM 2Q15| |---|---|---|---|---| |Bosnia and Herzegovina|33.2%|26.7%|16.2|24.4| |Brazil|20.5%|20.2%|8.0|16.2| |Bulgaria|31.4%|24.1%|9.1|12.7| |Cambodia|35.7%|34.4%|18.6|22.5| |Cameroon|—|—|36.1|33.1| |Canada|14.0%|12.5%|2.0|4.5| |Chile|23.1%|20.9%|7.6|20.3| |China|13.1%|13.7%|3.8|4.4| |Colombia|24.2%|20.9%|9.9|25.1| |Costa Rica|18.3%|14.5%|6.8|11.2| |Côte d’Ivoire|—|—|32.5|30.8| |Croatia|28.8%|22.3%|5.7|12.0| |Cyprus|25.3%|18.8%|7.4|12.8| |Czech Republic|18.1%|14.7%|4.6|6.7| |Denmark|10.6%|10.2%|2.0|4.2| |Dominican Republic|31.4%|27.2%|24.2|33.5| |Ecuador|28.4%|23.9%|11.1|19.9| |Egypt|39.8%|35.5%|49.8|55.8| |El Salvador|24.0%|20.1%|7.4|17.3| |Estonia|17.7%|14.3%|2.3|6.2| |Finland|6.1%|6.0%|1.3|2.5| |France|15.8%|13.2%|2.7|8.9| |Georgia|37.2%|29.7%|25.4|27.2| |Germany|11.1%|8.9%|2.1|4.6| |Ghana|39.0%|36.2%|22.1|25.4| |Greece|23.8%|17.1%|7.0|10.3| |Guadeloupe|—|—|4.9|13.5| |Guatemala|20.9%|18.2%|8.7|17.1| |Honduras|25.8%|23.4%|11.6|25.8| |Hong Kong SAR|11.8%|10.5%|3.5|7.0| |Hungary|22.3%|17.6%|4.9|8.1| ----- |Country/region|Encounter rate 1Q15|Encounter rate 2Q15|CCM 1Q15|CCM 2Q15| |---|---|---|---|---| |Iceland|14.8%|11.0%|2.8|5.6| |India|34.9%|31.3%|24.2|30.4| |Indonesia|42.8%|40.6%|30.6|38.2| |Iraq|41.4%|34.4%|76.6|80.2| |Ireland|13.6%|12.3%|2.2|5.4| |Israel|20.4%|16.1%|9.5|13.7| |Italy|19.5%|15.3%|3.3|8.8| |Jamaica|29.1%|24.3%|10.0|18.7| |Japan|5.5%|5.4%|0.9|2.8| |Jordan|39.5%|33.3%|36.6|45.3| |Kazakhstan|31.4%|24.6%|21.6|21.6| |Kenya|31.3%|28.9%|18.9|22.9| |Korea|12.8%|10.3%|7.2|13.8| |Kuwait|27.6%|22.7%|17.6|27.1| |Latvia|23.1%|16.2%|3.2|6.1| |Lebanon|33.5%|28.4%|31.7|42.5| |Libya|—|—|61.0|69.8| |Lithuania|24.7%|18.7%|5.0|8.9| |Luxembourg|—|—|2.1|5.4| |Macao SAR|—|—|5.1|8.1| |Macedonia, FYRO|33.6%|28.5%|16.8|21.9| |Malaysia|26.4%|23.9%|16.3|21.8| |Malta|—|—|3.3|9.5| |Martinique|—|—|3.3|11.0| |Mauritius|—|—|11.4|20.8| |Mexico|22.6%|21.2%|11.4|18.6| |Moldova|29.3%|21.5%|10.3|12.4| |Mongolia|—|—|66.8|77.6| |Morocco|36.9%|29.2%|58.2|66.6| |Mozambique|—|—|21.1|28.9| |Namibia|—|—|16.3|23.1| ----- |Country/region|Encounter rate 1Q15|Encounter rate 2Q15|CCM 1Q15|CCM 2Q15| |---|---|---|---|---| |Nepal|45.0%|39.0%|39.1|43.7| |Netherlands|12.9%|11.6%|1.8|4.3| |New Zealand|12.8%|12.0%|2.6|4.7| |Nicaragua|—|—|5.7|15.1| |Nigeria|31.4%|28.0%|25.9|28.7| |Norway|9.8%|10.2%|2.0|3.9| |Oman|35.3%|30.6%|25.8|37.6| |Pakistan|51.2%|45.1%|55.9|58.6| |Palestinian Authority|44.9%|40.5%|59.5|68.7| |Panama|22.6%|20.0%|8.1|15.0| |Paraguay|—|—|10.4|20.3| |Peru|25.3%|23.3%|13.5|23.4| |Philippines|32.0%|29.1%|30.9|37.6| |Poland|16.4%|13.0%|7.7|11.5| |Portugal|22.3%|18.9%|3.3|9.4| |Puerto Rico|19.5%|16.8%|6.8|13.4| |Qatar|30.2%|24.3%|14.3|24.6| |Réunion|18.8%|13.2%|3.3|10.9| |Romania|29.4%|22.5%|16.5|20.9| |Russia|22.8%|17.7%|4.7|6.6| |Saudi Arabia|31.3%|26.4%|24.1|31.3| |Senegal|42.1%|37.0%|20.6|24.4| |Serbia|31.1%|25.6%|12.1|18.8| |Singapore|14.8%|14.0%|4.5|8.9| |Slovakia|18.9%|14.5%|6.7|9.0| |Slovenia|20.2%|15.4%|3.4|6.9| |South Africa|22.8%|20.4%|10.7|14.4| |Spain|19.6%|16.4%|4.3|12.4| |Sri Lanka|31.9%|26.6%|16.4|22.6| |Sweden|9.9%|8.9%|2.0|4.1| |Switzerland|12.4%|11.0%|1.5|3.8| ----- |Country/region|Encounter rate 1Q15|Encounter rate 2Q15|CCM 1Q15|CCM 2Q15| |---|---|---|---|---| |Taiwan|14.3%|13.6%|5.4|8.6| |Tanzania|—|—|22.7|26.8| |Thailand|26.8%|22.9%|22.3|31.0| |Trinidad and Tobago|26.3%|21.9%|9.6|16.8| |Tunisia|43.1%|36.4%|36.2|50.1| |Turkey|32.0%|28.1%|22.5|26.3| |Ukraine|31.1%|23.8%|7.3|8.9| |United Arab Emirates|31.1%|25.4%|16.7|27.0| |United Kingdom|12.7%|11.7%|2.3|5.8| |United States|11.0%|9.8%|3.2|5.0| |Uruguay|23.6%|19.6%|5.0|15.1| |Venezuela|32.4%|29.9%|17.5|26.5| |Vietnam|36.7%|33.2%|30.4|35.8| |Zimbabwe|—|—|16.2|19.8| |Worldwide|17.3%|14.8%|5.4|8.4| ----- ## Glossary For additional information about these and other terms, visit the MMPC glossary [at www.microsoft.com/security/portal/Threat/Encyclopedia/Glossary.aspx.](http://www.microsoft.com/security/portal/Threat/Encyclopedia/Glossary.aspx) **account credentials** Information presented to a service provider to verify that the holder of the credentials is authorized to access an account. Account credentials typically take the form of user names paired with passwords, but other forms of identification are possible. **ActiveX control** A software component of Microsoft Windows that can be used to create and distribute small applications through Internet Explorer. ActiveX controls can be developed and used by software to perform functions that would otherwise not be available using typical Internet Explorer capabilities. Because ActiveX controls can be used to perform a wide variety of functions, including downloading and running programs, vulnerabilities discovered in them may be exploited by malware. In addition, cybercriminals may also develop their own ActiveX controls, which can do damage to a computer if a user visits a webpage that contains the malicious ActiveX control. **Address Space Layout Randomization (ASLR)** A security feature in recent versions of Windows that randomizes the memory locations used by system files and other programs, which makes it harder for an attacker to exploit the system by targeting specific memory locations. **air gap** The complete separation of a computer or network from others, with no wired or wireless data connections. Data can only be exchanged across an air gap by physically transporting removable media from one computer to another. **ASEP** See autostart extensibility point. **ASLR** See Address Space Layout Randomization (ASLR). **autostart extensibility point (ASEP)** A place in the registry or file system that Windows checks for programs and processes that should be automatically launched after boot. Threats often add ----- themselves to one or more ASEPs to ensure that they run automatically whenever the computer is rebooted. **backdoor trojan** A type of trojan that provides attackers with remote unauthorized access to and control of infected computers. Bots are a subcategory of backdoor trojans. Also see botnet. **boleto** Short for boleto bancário. A popular payment method in Brazil, similar to an invoice. Some threats steal money by altering boletos in web pages or email messages. **botnet** A set of computers controlled by a “command-and-control” (C&C) computer to execute commands as directed. The C&C computer can issue commands directly (often through Internet Relay Chat [IRC]) or by using a decentralized mechanism, such as peer-to-peer (P2P) networking. Computers in a botnet are often called bots, nodes, or zombies. **browser modifier** A program that changes browser settings, such as the home page, without adequate consent. This also includes browser hijackers. **buffer overflow** An error in an application in which the data written into a buffer exceeds the current capacity of that buffer, thus overwriting adjacent memory. Because memory is overwritten, unreliable program behavior may result and, in certain cases, allow arbitrary code to run. **C&C** Short for command and control. See botnet. **CCM** Short for computers cleaned per mille (thousand). The number of computers cleaned for every 1,000 executions of the Microsoft Malicious Software Removal Tool (MSRT). For example, if the MSRT has 50,000 executions in a particular location in the first quarter of the year and removes infections from 200 computers, the CCM for that location in the first quarter of the year is 4.0 (200 ÷ 50,000 × 1,000). Also see encounter rate. ----- **clean** To remove malware or unwanted software from an infected computer. A single cleaning can involve multiple disinfections. **command and control** See botnet. **credentials** See account credentials. **definition** See detection signature. **detection signature** A set of characteristics that can identify a malware family or variant. Signatures are used by antimalware products to determine whether a file is malicious or not. Also see definition. **detonation chamber** A sandbox environment in which potentially dangerous files can be automatically launched and monitored for possible malicious activity. **disclosure** Revelation of the existence of a vulnerability to a third party. **disinfect** To remove a malware or potentially unwanted software component from a computer or to restore functionality to an infected program. Compare with _clean._ **double free vulnerability** A vulnerability triggered when code attempts to free the same memory address twice. This can cause memory corruption, which an attacker may be able to take advantage of if it is not handled properly. **downloader** See downloader/dropper. **downloader/dropper** A form of trojan that installs other malicious files to a computer that it has infected, either by downloading them from a remote computer or by obtaining them directly from a copy contained in its own code. ----- **encounter** An instance of security software detecting a threat and blocking, quarantining, or removing it from the computer. **encounter rate** The percentage of computers running Microsoft real-time security software that report detecting malware or potentially unwanted software, or report detecting a specific threat or family, during a period. Also see infection rate. **exploit** Malicious code that takes advantage of software vulnerabilities to infect a computer or perform other harmful actions. **exploit kit** A collection of exploits bundled together and sold as commercial software. A typical kit contains a collection of web pages that contain exploits for vulnerabilities in popular web browsers and add-ons, along with tools for managing and updating the kit **firewall** A program or device that monitors and regulates traffic between two points, such as a single computer and the network server, or one server to another. **generic** A type of signature that is capable of detecting a variety of malware samples from a specific family, or of a specific type. **hash** Text that has been encoded using a one-way cryptographic function that prevents it from being decrypted. Also refers to a checksum produced by a hash function to identify or authenticate data. **heuristics** A tool or technique that can help identify common patterns. This can be useful for making generic detections for a malware family. **IFrame** Short for inline frame. An IFrame is an HTML document that is embedded in another HTML document. Because the IFrame loads another webpage, it can be used by criminals to place malicious content, such as a script that downloads and installs spyware, into non-malicious HTML pages that are hosted by trusted websites. ----- **in the wild** Said of malware that is currently detected on active computers connected to the Internet, as compared to those confined to internal test networks, malware research laboratories, or malware sample lists. **infection** The presence of malware on a computer, or the act of delivering or installing malware on a computer. Also see encounter. **infection rate** See CCM. **jailbreaking** See rooting. **login credentials** See account credentials. **Malicious Software Removal Tool** A free tool that Microsoft designed to help identify and remove specific prevalent malware families from customer computers. An updated version of the tool is released each month through Windows Update and other updating services. The MSRT is not a replacement for an up-to-date real-time antivirus solution. **malware** Short for malicious software. The general name for programs that perform unwanted actions on a computer, such as stealing personal information. Some malware can steal banking details, lock a computer until the user pays a ransom, or use the computer to send spam. Viruses, worms and trojans are all types of malware. **malware impression** A single instance of a user attempting to visit a page known to host malware and being blocked by SmartScreen Filter in Internet Explorer versions 8 through 11. Also see phishing impression. **man-in-the-browser attack** A type of web-based threat where a malicious program makes changes to a website without the website owner knowing it is happening. ----- **monitoring tool** Software that monitors activity, usually by capturing keystrokes or screen images. It may also include network sniffing software. Also see password stealer _(PWS)._ **MSRT** See Malicious Software Removal Tool. **multifactor authentication** Requiring a user to provide two or more forms of authentication, such as a username/password and a physical token, to access an account. **open source intelligence (OSINT)** Intelligence information collected from unclassified, publicly available sources. **OSINT** See open source intelligence. **P2P** See peer-to-peer (P2P). **pass-the-hash (PtH)** An attack technique wherein the attacker gains access to a resource by presenting a hashed credential directly for authentication, instead of presenting the password normally and allowing the authentication system to create the hash. **password stealer (PWS)** Malware that is specifically used to transmit personal information, such as user names and passwords. A PWS often works in conjunction with a keylogger. Also see monitoring tool. **payload** The actions conducted by a piece of malware for which it was created. Payloads can include, but are not limited to, downloading files, changing system settings, displaying messages, and logging keystrokes. **peer-to-peer (P2P)** A system of network communication in which individual nodes are able to communicate with each other without the use of a central server. ----- **phishing** A method of credential theft that tricks Internet users into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands to steal personally identifiable information (PII), such as user names, passwords, credit card numbers, and identification numbers. **phishing impression** A single instance of a user attempting to visit a known phishing page with Internet Explorer versions 7 through 11, and being blocked by the Phishing Filter or SmartScreen Filter. Also see malware impression. **ransomware** A type of malware that prevents use of a computer or access to the data that it contains until the user pays a certain amount to a remote attacker (the “ransom”). Computers that have ransomware installed usually display a screen containing information on how to pay the “ransom.” A user cannot usually access anything on the computer beyond the screen. **return-oriented programming (ROP)** An exploit technique that involves gaining control of a program's control flow and calling a chain of instructions that already exist in memory, each of which ends in a return command. **rogue security software** Software that appears to be beneficial from a security perspective but that provides limited or no security capabilities, generates a significant number of erroneous or misleading alerts, or attempts to socially engineer the user into participating in a fraudulent transaction. **rooting** Obtaining administrative user rights on a mobile device through the use of exploits. Device owners sometimes use such exploits intentionally to gain access to additional functionality, but these exploits can also be used by attackers to infect devices with malware that bypasses many typical security systems. The term “rooting” is typically used in the context of Android devices; the comparable process on iOS devices is more commonly referred to as _jailbreaking._ **ROP** See return-oriented programming (ROP). ----- **sandbox** A specially constructed portion of a computing environment in which potentially dangerous programs or processes may run without causing harm to resources outside the sandbox. **signature** See detection signature. **sinkhole** A server or set of servers designed to absorb and analyze malware traffic. **social engineering** A technique that defeats security precautions by exploiting human vulnerabilities. Social engineering scams can be both online (such as receiving email messages that ask the recipient to click the attachment, which is actually malware) and offline (such as receiving a phone call from someone posing as a representative from one’s credit card company). Regardless of the method selected, the purpose of a social engineering attack remains the same—to get the targeted user to perform an action of the attacker's choice. **software bundler** A program that installs unwanted software on a computer at the same time as the software the user is trying to install, without adequate consent. **spam** Bulk unsolicited email. Malware authors may use spam to distribute malware, either by attaching the malware to email messages or by sending a message containing a link to the malware. Malware may also harvest email addresses for spamming from compromised machines or may use compromised machines to send spam. **spear phishing** Phishing that targets a specific person, organization, or group, containing additional information associated with that person, organization, or group to lure the target further into a false sense of security to divulge more sensitive information. **SQL injection** A technique in which an attacker enters a specially crafted Structured Query Language (SQL) statement into an ordinary web form. If form input is not filtered and validated before being submitted to a database, the malicious SQL statement may be executed, which could cause significant damage or data loss. ----- **targeted attack** A malware attack against a specific group of companies or individuals. This type of attack usually aims to get access to the computer or network, before trying to steal information or disrupt the infected machines. **tool** In the context of malware, a software program that may have legitimate purposes but may also be used by malware authors or attackers. **trojan** A generally self-contained program that does not self-replicate but takes malicious action on the computer. **unwanted software** A program with potentially unwanted functionality that is brought to the user’s attention for review. This functionality may affect the user’s privacy, security, or computing experience. **virus** Malware that replicates, typically by infecting other files in the computer, to allow the execution of the malware code and its propagation when those files are activated. **vulnerability** A weakness, error, or poor coding technique in a program that may allow an attacker to exploit it for a malicious purpose. **wild** See in the wild. **worm** Malware that spreads by spontaneously sending copies of itself through email or by using other communication mechanisms, such as instant messaging (IM) or peer-to-peer (P2P) applications. ----- ## Threat families referenced in this report The definitions for the threat families referenced in this report are adapted from the Microsoft Malware Protection Center encyclopedia [(www.microsoft.com/security/portal), which contains detailed information about](http://www.cve.mitre.org/cgi-bin/cvename.cgi) a large number of malware and unwanted software families. See the encyclopedia for more in-depth information and guidance for the families listed here and throughout the report. W97M/Adnel. A family of macro malware that can download other threats to the computer, including TrojanDownloader:Win32/Drixed. HTML/Adodb. A generic detection for script trojans that exploit a vulnerability in Microsoft Data Access Components (MDAC) that allows remote code execution. Microsoft released Security Bulletin MS06-014 in April 2006 to address the vulnerability. Win32/AlterbookSP. A browser add-on that formerly displayed behaviors of unwanted software. Recent versions of the add-on no longer meet Microsoft detection criteria, and are no longer considered unwanted software. Win32/Anogre. A detection for the Sweet Orange exploit kit, which exploits vulnerabilities in some versions of Windows, Adobe Flash Player, and Java to install malware. INF/Autorun. A family of worms that spreads by copying itself to the mapped drives of an infected computer. The mapped drives may include network or removable drives. JS/Axpergle. A detection for the Angler exploit kit, which exploits vulnerabilities in some versions of Internet Explorer, Silverlight, Adobe Flash Player, and Java to install malware. Win32/Bancos. A data-stealing trojan that captures online banking credentials and relays them to the attacker. Most variants target customers of Brazilian banks. ----- Win32/Banker. A family of data-stealing trojans that captures banking credentials such as account numbers and passwords from computer users and relays them to the attacker. Most variants target customers of Brazilian banks; some variants target customers of other banks. Win32/Banload. A family of trojans that download other malware. Banload usually downloads Win32/Banker, which steals banking credentials and other sensitive data and sends it back to a remote attacker. Win32/BeeVry. A trojan that modifies a number of settings to prevent the computer from accessing security-related websites, and lower the computer's security. JS/Blacole. An exploit pack, also known as Blackhole, that is installed on a compromised web server by an attacker and includes a number of exploits that target browser software. If a vulnerable computer browses a compromised website that contains the exploit pack, various malware may be downloaded and run. MSIL/Bladabindi. A family of backdoors created by a malicious hacker tool called NJ Rat. They can steal sensitive information, download other malware, and allow backdoor access to an infected computer. JS/Bondat. A family of threats that collects information about the computer, infects removable drives, and tries to stop the user from accessing files. It spreads by infecting removable drives, such as USB thumb drives and flash drives. Win32/BrobanDel. A family of trojans that can modify boletos bancários, a common payment method in Brazil. They can be installed on the computer when a user opens a malicious spam email attachment. Win32/Chir. A family with a worm component and a virus component. The worm component spreads by email and by exploiting a vulnerability addressed by Microsoft Security Bulletin MS01-020. The virus component may infect .exe, .scr, and HTML files. Win32/CompromisedCert. A detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer. ----- Win32/Conficker. A worm that spreads by exploiting a vulnerability addressed by Security Bulletin MS08-067. Some variants also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products, and downloads arbitrary files. Win32/CouponRuc. A browser modifier that changes browser settings and may also modify some computer and Internet settings. Win32/CplLnk. A generic detection for specially-crafted malicious shortcut files that attempt to exploit the vulnerability addressed by Microsoft Security Bulletin MS10-046. Win32/Crowti. A ransomware family that encrypts files on the computer and demands that the user pay a fee to decrypt them, using Bitcoins. Win32/Dynamer. A generic detection for a variety of threats. Win32/Dyzap. A threat that steals login credentials for a long list of banking websites using man-in-the-browser (MITB) attacks. It is usually installed on the infected computer by TrojanDownloader:Win32/Upatre. Win32/EoRezo. Adware that displays targeted advertising to affected users while browsing the Internet, based on downloaded pre-configured information. Win32/Foosace. A threat that creates files on the compromised computer and contacts a remote host. Win32/Frethog. A large family of password-stealing trojans that targets confidential data, such as account information, from massively multiplayer online games. Win32/Gamarue. A worm that is commonly distributed via exploit kits and social engineering. Variants have been observed stealing information from the local computer and communicating with command-and-control (C&C) servers managed by attackers. AndroidOS/GingerMaster. A malicious program that affects mobile devices running the Android operating system. It may be bundled with clean applications, and is capable of allowing a remote attacker to gain access to the mobile device. ----- Win32/IeEnablerCby. A browser modifier that installs additional browser addons without the user's consent. It bypasses the normal prompts or dialogs that ask for consent to install add-ons. Win32/InstalleRex. A software bundler that installs unwanted software, including Win32/CouponRuc and Win32/SaverExtension. It alters its own “Installed On” date in Programs and Features to make it more difficult for a user to locate it and remove it. DOS/JackTheRipper. A virus that can stop some files from working correctly in Windows XP and earlier operating systems. It spreads by infecting the master boot record (MBR) on connected hard disks and floppy disks. VBS/Jenxcus. A worm that gives an attacker control of the computer. It is spread by infected removable drives, like USB flash drives. It can also be downloaded within a torrent file. ALisp/Kenilfe. A worm written in AutoCAD Lisp that only runs if AutoCAD is installed on the computer or network. It renames and deletes certain AutoCAD files, and may download and execute arbitrary files from a remote host. Win32/Kilim. A trojan that hijacks the user's Facebook, Twitter, or YouTube account to promote pages. It may post hyperlinks or like pages on Facebook, post comments on YouTube videos, or follow profiles and send direct messages on Twitter without permission. Win32/KipodToolsCby. A browser modifier that installs additional browser addons without the user's consent. It bypasses the normal prompts or dialogs that ask for consent to install add-ons. JS/Krypterade. Ransomware that fraudulently claims the computer has been used for unlawful activity, locks it, and demands that the user pay to unlock it. Unix/Lotoor. A detection for specially crafted Android programs that attempt to exploit vulnerabilities in the Android operating system to gain root privilege. Win32/Macoute. A worm that can spread itself to removable USB drives, and may communicate with a remote host. MSIL/Mofin. A worm that can steal files from your PC and send them to a malicious hacker. It spreads via infected removable drives, such as USB flash drives. ----- Win32/Nuqel. A worm that spreads via mapped drives and certain instant messaging applications. It may modify system settings, connect to certain websites, download arbitrary files, or take other malicious actions. Win32/Obfuscator. A generic detection for programs that have had their purpose disguised to hinder analysis or detection by antivirus scanners. Such programs commonly employ a combination of methods, including encryption, compression, anti-debugging and anti-emulation techniques. Win32/Ogimant. A threat that claims to help download items from the Internet, but actually downloads and runs files that are specified by a remote attacker. HTML/Pangimop. A detection for the Magnitude exploit kit, also known as Popads. It attempts to exploit vulnerabilities in programs such as Java and Adobe Flash Player to install other malware. Win32/Pdfjsc. A family of specially crafted PDF files that exploit Adobe Acrobat and Adobe Reader vulnerabilities. Such files contain malicious JavaScript that executes when the file is opened. Win32/Peaac. A generic detection for various threats that display trojan characteristics. Win32/Peals. A generic detection for various threats that display trojan characteristics. JS/Proslikefan. A worm that spreads through removable drives, network shares, and P2P programs. It can lower the computer's security settings and disable antivirus products. Win32/Radonskra. A family of threats that perform a variety of malicious acts, including stealing information about the computer, showing extra advertisements as the user browses the web, performing click fraud, and downloading other programs without consent. Win32/Ramnit. A family of multi-component malware that infects executable files, Microsoft Office files, and HTML files. Win32/Ramnit spreads to removable drives and steals sensitive information such as saved FTP credentials and browser cookies. It may also open a backdoor to await instructions from a remote attacker. ----- Win32/Reveton. A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. Win32/Sality. A family of polymorphic file infectors that target executable files with the extensions .scr or .exe. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services. Win32/SaverExtension. A browser add-on that shows ads in the browser without revealing their source, and prevents itself from being removed normally. Win32/Sdbby. A threat that exploits a bypass to gain administrative privileges on a machine without going through a User Access Control prompt. Win32/Simda. A threat that can give an attacker backdoor access and control of an infected computer. It can then steal passwords and gather information about the computer to send to the attacker. PHP/SimpleShell. A backdoor that can give an attacker the ability to run shell commands on a compromised server. Win32/Skeeyah. A generic detection for various threats that display trojan characteristics. Win32/Slugin. A file infector that infects .exe and .dll files. It may also perform backdoor actions. Win32/Stuxnet. A multi-component family that spreads via removable volumes by exploiting the vulnerability addressed by Microsoft Security Bulletin MS10046. Win32/Tugspay. A downloader that spreads by posing as an installer for legitimate software, such as a Java update, or through other malware. When installed, it downloads unwanted software to the computer. Win32/Upatre. A downloader that installs malware and unwanted software on the affected computer without the user’s consent. It is frequently distributed as an attachment to spam email messages. ----- Win32/Vercuser. A worm that typically spreads via drive-by download. It also receives commands from a remote server, and has been observed dropping other malware on the infected computer. Win32/Wordinvop. A detection for a specially-crafted Microsoft Word file that attempts to exploit the vulnerability CVE-2006-6456, addressed by Microsoft Security Bulletin MS07-014. Win32/Wordjmp. An exploit that targets a vulnerability in Word 2002 and 2003 that could allow an attacker to remotely execute arbitrary code. Microsoft released Security Bulletin MS06-027 in June 2006 to address the vulnerability. ----- ## Index Active Directory, 82 ActiveX, 48, 54, 55, 56, 132 address space layout randomization (ASLR), 16, 17, 132 Adnel, 63, 141 Adobe Acrobat, 52, 145 Adobe Flash Player, 8, 17, 18, 41, 46, 47, 52– 53, 56, 57, 76, 81, 141, 145 Adobe Reader, 52, 56, 145 Adobe Security Bulletins, 17, 47, 52, 53 Adodb, 63, 141 Advanced Threat Protection. See Exchange Online Advanced Threat Protection adware, 61, 65, 67, 71, 73, 74, 77, 79, 80, 82, 83, 84, 85, 86, 113, 116, 143 Africa, 65, 130 air gaps, 11, 12, 14, 15, 19, 132 Albania, 127 Algeria, 65, 66, 127 AlterbookSP, 67, 80, 82, 85, 87, 141 Android, 32, 33, 35, 37, 51, 123, 138, 143, 144 security updates, 51 Angler. See Axpergle Angola, 127 Anogre, 43, 46, 74, 77, 141 Apple Inc., 36, 49 AppLocker, 27, 118 Argentina, 22, 127 Armenia, 127 ASEP. See autostart extensibility points Asia, 3, 68, 76 ASLR. See address space layout randomization (ASLR) Australia, 127 Austria, 127 Autorun (malware family), 15, 62, 75, 80, 81, 85, 86, 141 autostart extensibility points, 11, 132 Axpergle, 43, 46, 47, 65, 74, 75, 77, 80, 81, 85, 86, 141 Azerbaijan, 22, 91, 92, 127 backdoors, vi, 10, 11, 13, 15, 66, 68, 69, 70, 73, 76, 83, 133, 142, 145, 146 Bahamas, The, 127 Bahrain, 127 Banco Bradesco, 24 Banco do Brasil, 24 Banco do Estado do Rio Grande do Sul, 24 Banco Itaú, 24 Banco Safra, 24 Banco Santander, 24 Bancos, 21–27, 141 Bangladesh, 65, 127 Banker (malware family), 21–27, 142 banking malware, 21–27 Banload, 21–27, 62, 74, 142 Banrisul. See Banco do Estado do Rio Grande do Sul Barbados, 127 BeeVry, 62, 142 Belarus, 127 Belgium, 127 Belize, 103 Bing, ii, 68, 105–7, 125, 126 Blackhole. See Blacole Blacole, 49, 142 Bladabindi, 66, 76, 142 boletos bancários, 24–26, 133, 142 Bolivia, 22, 127 Bondat, 74, 142 Bosnia and Herzegovina, 128 Brantall, 60 Brazil, 1, 21–27, 61, 62, 73, 74, 90, 102, 105, 128, 133, 142 BrobanDel, 24–26, 142 ----- browser modifiers, 61, 62, 65, 67, 71, 73, 77, 78, 80, 82, 83, 84, 85, 86, 87, 133, 143, 144 Bulgaria, 103, 128 Caixa Econômica Federal, 24 Cambodia, 128 Cameroon, 128 Canada, 61, 63, 73, 74, 90, 128 CCM. See computers cleaned per mille CDI Japan, 69 CERT/CC, 32 Chile, 128 China, 61, 62, 73, 74, 90, 128 Chir, 65, 142 Citibank, 24 CME. See Coordinated Malware Eradication (CME) Colombia, 128 Columbia, 22 Common Platform Enumeration, 36 Common Vulnerabilities and Exposures. See CVE identifier Common Vulnerability Scoring System, 33, 34 CompromisedCert, 67, 142 Computer Emergency Response Team Coordination Center. See CERT/CC computers cleaned per mille, 59 Conficker, 80, 85, 87, 143 Control Flow Guard, 17 Coordinated Malware Eradication, 69 Costa Rica, 105, 128 Côte d’Ivoire, 128 CouponRuc, 61, 62, 65, 67, 77, 78, 79, 80, 82, 85, 86, 143, 144 CPE. See Common Platform Enumeration CplLnk, 40, 43, 50, 65, 143 Croatia, 128 Crowti, 74, 80, 143 CVE identifier, 31, 32, 40 CVE-2009-0075, 54 CVE-2010-0188, 52 CVE-2010-0840, 47, 49 CVE-2010-2568, 40, 43, 50 CVE-2010-3336, 52 CVE-2011-1823, 50, 51 CVE-2011-3874, 50, 51 CVE-2012-0158, 52 CVE-2012-0507, 47, 49 CVE-2012-1723, 47, 48, 49 CVE-2012-1889, 54 CVE-2013-0074, 46 CVE-2013-0422, 47, 49 CVE-2013-2460, 46 CVE-2013-2551, 46, 54 CVE-2013-7331, 54 CVE-2014-0322, 54 CVE-2014-0497, 53 CVE-2014-0515, 53 CVE-2014-6332, 43, 44, 50 CVE-2014-8439, 46, 53 CVE-2015-0097, 57 CVE-2015-0310, 47 CVE-2015-0311, 46, 47, 53 CVE-2015-0313, 46, 47, 53 CVE-2015-0336, 47, 53 CVE-2015-0359, 47, 53 CVE-2015-1641, 16, 57 CVE-2015-1701, 14, 18, 19, 57 CVE-2015-1769, 57 CVE-2015-1770, 57 CVE-2015-2360, 57 CVE-2015-2424, 16, 17 CVE-2015-3043, 17, 18, 57 CVE-2015-3090, 47 CVE-2015-3104, 47 CVE-2015-3105, 47 CVE-2015-3113, 47 CVSS. See Common Vulnerability Scoring System Cyprus, 128 Czech Republic, 92, 128 DCU. See Microsoft Digital Crimes Unit Denmark, 67, 91, 92, 128 DirectAccess, 111, 119 DNHTCU. See Dutch National High Tech Crime Unit Dominican Republic, 128 downloaders, 62, 63, 77, 84, 87, 134, 146 ----- Downloaders & Droppers, vi, 70, 73, 74, 83, 85 drive-by downloads, 6, 7, 44, 68, 97, 105–7, 147 droppers, 10, 134 Dutch National High Tech Crime Unit, 68, 69 Dynamer, 62, 143 Dyzap, 84, 143 EC3. See European Cybercrime Centre Ecuador, 128 Egypt, 128 El Salvador, 22, 128 email, 4, 5, 7, 11, 20, 27, 82, 87, 94–98, 125, 133, 138, 139, 140, 142, 146 EMET. See Enhanced Mitigation Experience Toolkit (EMET) encounter rate, 58 Enhanced Mitigation Experience Toolkit (EMET), 119 EoRezo, 74, 143 Estonia, 128 Europe, 3, 52, 66, 74, 77 European Cybercrime Centre, 77 Exchange Online, 95, 96, 97, 98, 125, 126 Exchange Online Advanced Threat Protection, 94–98, 126 exploit kits, vi, 41, 42, 43, 44–47, 49, 65, 76, 77, 81, 135, 143 exploits, v, vi, 3, 4, 7, 8, 9, 10, 14, 16, 17, 18, 19, 29, 31, 34, 35, 40–57, 58, 65, 70, 73, 74, 75, 76, 77, 79, 80, 81, 83, 85, 86, 105, 132, 135, 138, 140, 141, 142, 143, 144, 145, 146, 147 Adobe Flash Player, 41, 52–53 browser, 41, 53–54 document, 41, 52 HTML, 41, 44, 45 Java, 41, 42, 43, 47–49 JavaScript, 41, 45 operating system, 41, 42, 50–51 Silverlight, 46, 141 zero-day, 3, 4, 8, 9, 16, 49 Facebook, 68, 76, 144 FakeCall, 63 FBI. See Federal Bureau of Investigation Federal Bureau of Investigation, 69 Fiesta (exploit kit). See Fiexp Fiexp, 43, 46 Filcout, 60 Finland, 67, 91, 92, 105, 128 Foosace, 10, 143 France, 61, 73, 74, 90, 128 Frethog, 68, 143 Gamarue, 68, 75, 76, 80, 81, 86, 143 G-Buster Browser Defense, 24 Georgia, 128 Germany, 90, 128 Ghana, 65, 128 GingerBreak. See CVE-2011-1823 GingerMaster, 51, 143 Google, 32, 33, 35, 36, 37, 51, 68 Google Chrome, 36 Google Play Store, 32, 33, 35, 37 Greece, 128 Guadeloupe, 128 Guatemala, 128 Honduras, 128 Hong Kong SAR, 128 HSBC, 24 Hungary, 128 Iceland, 67, 129 IeEnablerCby, 62, 67, 77, 78, 86, 144 IExtensionValidation, 41, 48, 55–56, 58 IframeRef, 43, 44 India, 61, 62, 65, 73, 129 Indonesia, 65, 129 InstalleRex, 67, 72, 77, 78, 79, 80, 82, 86, 144 Internet Explorer, 8, 11, 17, 27, 36, 41, 43, 44, 46, 48, 50, 54, 55, 56, 55–56, 58, 78, 80, 81, 99, 100, 104, 118, 126, 132, 136, 138, 141 Enhanced Security Configuration, 80 Interpol, 68, 69 Iraq, 65, 66, 91, 92, 129 Ireland, 129 Israel, 129 Italy, 90, 129 JackTheRipper, 63, 74, 144 ----- Jamaica, 129 Japan, ii, 67, 90, 129 Java Runtime Environment, 8, 41, 42, 43, 46, 47–49, 52, 56, 118, 141, 145, 146 Jenxcus, 66, 74, 75, 76, 80, 81, 85, 86, 144 Jordan, 92, 129 Kali Linux, 15 Kaspersky Lab, 69 Kazakhstan, 129 Kenilfe, 63, 144 Kenya, 129 keyloggers, 11 Kilim, 70, 73, 75, 76, 80, 81, 144 KipodToolsCby, 61, 62, 65, 67, 77, 78, 80, 82, 85, 86, 144 Korea, 103, 129 Krypterade, 74, 144 Kuwait, 129 Latvia, 129 Lebanon, 92, 129 Lenovo, 67, 142 Libya, 65, 66, 91, 92, 103, 129 Linux, 12, 15, 36, 49 Lithuania, 129 Lotoor, 50, 51, 144 Luxembourg, 69, 129 Mac OS X, 49, 123 Macao SAR, 129 Macedonia, FYRO, 129 Macoute, 65, 144 Magnitude. See Pangimop Malaysia, 129 Malicious Software Removal Tool, 136 Malicious Software Removal Tool (MSRT), 59, 64, 76, 87, 88, 89, 90, 91, 92, 93, 125, 126, 127, 133 Malta, 129 malware, v, vi, 3, 4, 6, 7, 9, 10, 11, 13, 15, 19, 21–27, 31, 40, 41, 42, 43, 49, 51, 58–98, 99, 100, 102, 103, 104, 105, 111–19, 123–24, 125, 126, 132, 134, 135, 136, 137, 138, 139, 140, 141–47 banking, 21–27, 84, 102, 136, 141, 142, 143 by country or region, 60–68 categories, 69–74 by location, 72–74 families, 74–82 by operating system, 79–82 on home and enterprise computers, 82– 87 malware hosting, 103–5 by country or region, 105 MAPS. See Microsoft Active Protection Service (MAPS) Martinique, 129 Mauritius, 129 Meadgive, 43 Metasploit, 9 Mexico, 61, 73, 74, 129 Microsoft Active Protection Service (MAPS), 118 Microsoft Digital Crimes Unit, ii, 69, 76 Microsoft IT, 111–19 Microsoft Malware Protection Center, ii, v, 3, 26, 49, 69, 76, 77, 78, 87, 98, 115, 132, 141 Microsoft Malware Protection Engine, v, 126 Microsoft Office, ii, 16, 17, 95, 98, 126, 145 Microsoft Safety Scanner, 125, 126 Microsoft Security Bulletins, 14, 16, 18, 40, 43, 44, 50, 54, 57, 141, 142, 143, 146, 147 Microsoft Security Essentials, 115, 118, 125, 126 Microsoft Security Response Center, 113, 114 Microsoft Update, 26, 81, 117, 125 Microsoft Word, 8, 16, 57, 117, 147 Middle East, 66, 68, 76 Mimikatz, 14 MMPC. See Microsoft Malware Protection Center Mofin, 62, 144 Moldova, 129 Mongolia, 92, 129 Morocco, 65, 66, 92, 129 Mozambique, 129 Mozilla Firefox, 9, 10, 26, 36 MSRC. See Microsoft Security Response Center ----- MSRT. See Malicious Software Removal Tool (MSRT) multi-factor authentication, 19 Namibia, 129 NAP. See Network Access Protection National Vulnerability Database, 31, 36 NATO, 3, 7 Neclu, 43, 46, 47 Nepal, 65, 130 Netherlands, 69, 130 Network Access Protection, 119 NeutrinoEK, 43 New Zealand, 130 Nicaragua, 130 Nigeria, 130 Nordic countries, 67 North America, 66, 74 Norway, 67, 91, 130 Nuclear (exploit kit). See Neclu Nuqel, 65, 145 NVD. See National Vulnerability Database Obfuscator (malware), 47, 49, 53, 62, 75, 80, 81, 82, 86, 145 Obfuscators & Injectors, 70, 73, 75, 80, 81, 83, 85, 86 Object Linking and Embedding (OLE), 44, 50 Office 365, ii, 95, 98, 126 Ogimant, 62, 74, 77, 145 OLE. See Object Linking and Embedding (OLE) Oman, 130 open-source intelligence, 4, 20, 137 OpenSSL, 13 Oracle Corporation, 8, 48, 49 security updates, 49 OSINT. See open-source intelligence Other Malware (category), 70, 73, 83 Pakistan, 65, 130 Palestinian Authority, 65, 66, 92, 130 Panama, 107, 130 Pangimop, 47, 145 Paraguay, 130 pass the hash, 14, 19, 137 password stealers, 68, 84, 137 Password Stealers & Monitoring Tools, 70, 73, 83, 84 Pdfjsc, 52, 145 Peaac, 62, 145 Peals, 62, 70, 73, 75, 77, 80, 81, 85, 87, 145 Peru, 130 Philippines, 130 phishing, 3, 4, 7, 27, 100–103, 103, 104, 126, 136, 138 by country or region, 103 spear phishing, 4, 5, 19, 139 target institutions, 102–3 Phishing Filter, 99, 100, 138 PHP, 80, 146 Poland, 130 Portugal, 21, 22, 130 Portuguese language, 23 Proslikefan, 62, 145 PtH. See pass the hash Puerto Rico, 130 Qatar, 130 Radonskra, 62, 145 Ramnit, 62, 68, 70, 75, 77, 81, 145 ransomware, vi, 70, 73, 74, 80, 83, 138, 143, 144, 146 Registry, Windows, 11 return-oriented programming (ROP), 16, 17, 138 Réunion, 130 Reveton, 74, 146 rogue security software, vi, 63, 138 Romania, 130 ROP. See return-oriented programming (ROP) Rotbrow, 60 Russia, 3, 61, 62, 69, 73, 74, 90, 105, 107, 130 Russian language, 62 Safari, 36 Sality, 75, 80, 81, 146 sandbox, 8 Saudi Arabia, 105, 130 SaverExtension, 61, 65, 67, 71, 72, 73, 74, 77, 78, 79, 80, 82, 85, 86, 144, 146 ----- SCEP. See System Center Endpoint Protection Sdbby, 42, 43, 146 SDL. See Security Development Lifecycle Security Development Lifecycle, 38, 39 security software, real-time, 21, 27, 40, 41, 58, 87–94, 127 by location, 90–92 by operating system, 93–94 expired, 89 security updates, 8, 9, 16, 17, 26, 44, 48, 49, 81 Senegal, 65, 130 Serbia, 130 Silverlight, 46, 56, 141 Simda, 68–69, 146 SimpleShell, 80, 146 Singapore, 130 Skeeyah, 70, 75, 77, 80, 81, 82, 146 Slovakia, 130 Slovenia, 130 Slugin, 65, 146 smart cards, 119 SmartScreen Filter, 99–105, 126 SMEP. See Supervisor Mode Execution Protection (SMEP) social engineering, vi, vii, 7, 8, 9, 10, 19, 23, 43, 76, 84, 139, 143 software bundlers, 67, 72, 73, 77, 79, 80, 82, 83, 84, 86, 139, 144 Spain, 7, 130 spam, 80, 84, 87, 125, 136, 139, 142, 146 spear phishing. See phishing Squid (proxy server), 13 Sri Lanka, 130 SSL, 32, 33, 35, 37 STRONTIUM, 3–20 Stuxnet, 43, 146 Supervisor Mode Execution Protection (SMEP), 18 Sweden, 22, 67, 130 Sweet Orange. See Anogre Switzerland, 130 System Center Endpoint Protection, 111, 113, 115, 117, 125, 126 Taiwan, 103, 105, 131 Tanzania, 131 targeted attacks, vi, 3–20, 56–57, 94, 140 Thailand, 131 Trend Micro, 3, 69 Trinidad and Tobago, 131 trojans, vi, 24, 62, 70, 73, 75, 76, 80, 81, 83, 85, 87, 113, 123, 133, 134, 136, 140, 141, 142, 143, 144, 145, 146 Tugspay, 77, 146 Tunisia, 65, 131 Turkey, 22, 61, 62, 73, 77, 92, 131 UAC. See User Account Control Ukraine, 131 United Arab Emirates, 103, 131 United Kingdom, 61, 63, 73, 74, 90, 131 United States, 61, 69, 73, 74, 90, 131 unwanted software, v, 29, 58–98, 111–19, 123–24, 125, 126, 134, 135, 139, 140, 141– 47 by country or region, 60–68 categories, 69–74 by location, 72–74 families, 74–82 by operating system, 79–82 on home and enterprise computers, 82– 87 Upatre, 84, 85, 87, 143, 146 Uruguay, 22, 131 USB, 11, 15, 57, 126, 142, 144 User Account Control, 27, 42 VBScript, 76 Venezuela, 131 Vercuser, 65, 147 Vietnam, 92, 107, 131 viruses, 63, 65, 68, 70, 73, 74, 75, 80, 81, 83, 123, 136, 140, 142, 144 VMWare, 49 VPN, 16 vulnerabilities, v, vi, vii, 4, 8, 9, 15, 16, 17, 18, 31–39, 40–57, 72, 81, 105, 119, 132, 134, ----- 135, 139, 140, 141, 142, 143, 144, 145, 146, 147 application, 35–37 browser, 35–37 complexity, 34–35 in Microsoft products, 37–38 operating system, 35–37 severity, 33–34 Windows 7, 18, 81, 82, 94, 125 Windows 8, 17, 18, 40, 44, 81, 82, 94, 126 Windows 8.1, 17, 44, 81, 82, 93, 94, 126 Windows Defender, 40, 94, 111, 115, 117, 118, 126 Windows Defender Offline, 126 Windows Explorer, 43, 50, 115 Windows Update, 26, 81, 118, 125 Windows Vista, 81, 82, 94, 125 Wordinvop, 52, 147 Wordjmp, 52, 147 worms, vi, 62, 63, 65, 66, 68, 70, 73, 74, 75, 76, 80, 81, 83, 85, 86, 87, 123, 136, 140, 141, 142, 143, 144, 145, 147 Yeltminky, 66, 68 YouTube, 76, 144 Zimbabwe, 131 ----- ----- -----