Today at the RSA Europe 2011 conference Microsoft released its new Security Intelligence Report (SIR), covering January to June 2011. As in previous editions it analyzes massive amounts of data from both the consumer and enterprise editions of Microsoft's security tools and services, such as the MSRT, the MMPC, Security Essentials and Forefront.
Interestingly, this edition contains a new section, "Zeroing in on Malware", an analysis of the ways malware propagates between machines. This section, based on MSRT data, is a welcome addition, as we security professionals frequently focus on the clever evasion techniques and sophisticated communication structures of the latest malware rather than on the fundamental question: how does the malware get onto the machine, and how can we reduce the number of these infections?
Microsoft lists the top 3 scenarios as:
- User Interaction – the user actively participates in the infection process, by opening an e-mail attachment, browsing to a malicious site, or installing a program that has malware embedded in it (fake anti-virus, games, media players and "productivity" software come to mind)
- Autorun Infections – the user inserts an infected USB device (memory stick, SD card, picture frame, etc.) into the computer and the operating system automatically runs the program referenced by the device's autorun.inf, which contains the malware. Similar behaviour can be triggered by infected network shares.
- Drive-by Downloads – the user browses a web site that contains code which attacks a weakness in the browser or in an installed plug-in and installs malware on the visitor's PC, with no further interaction required
The good news is that there are stable and mature technologies that address the above scenarios and that we can deploy today to make life significantly harder for malware. At Qualys we call this "Software Hygiene": practices and configuration settings that prevent a large percentage of common attacks. The US DoD calls it "Cyber Hygiene", and the Australian Government, more prosaically, "Mitigation Strategies":
- User Interaction: the most straightforward solution seems to be user education, but there is a technology solution as well: not allowing your users to run as "admin" on the workstation will prevent them from installing the majority of malware, since most of it still needs administrative rights to install system-wide. Pair this restriction with an "AppStore" approach to software installation, where users can find approved and verified software packages for their professional and personal needs, and you have a solution that addresses most users' needs.
- Autorun infections: install the Microsoft-provided updates for Windows that disable Autorun for all media other than CD/DVD-ROMs, and disable it through the registry as well (on older Windows releases the registry policy is only honoured reliably once the update is installed). Microsoft shipped these updates in its February 2011 patch release and is pointing to significant drops in the propagation of "autorun" malware, in some cases over 65%.
- Drive-by downloads: the first level of defense against drive-bys is to be fully patched, as these attacks mostly target vulnerabilities for which a patch is already available. Using the latest version of the attacked software usually means additional robustness against attacks: IE9 is better than IE6, Adobe Reader X is better than Adobe Reader 9 (or 8, which is unsupported as of this month), and Office 2010 is much more robust than Office 2007 or 2003. BTW, the most attacked plug-in in H1 2011 was Java, followed by Adobe Flash, making them the top third-party software to update on your workstations, if you need them at all.
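As an added example (not from the SIR report or from Microsoft), the following PowerShell script checks a single workstation against the three mitigations above: whether the interactive user is a local administrator, whether Autorun is disabled through the documented NoDriveTypeAutoRun policy value (0xFF disables it for every drive type), and which versions of IE, Java, Flash, Adobe Reader and Office are installed according to the Uninstall registry keys. The registry paths and value names are the standard Windows ones; the set of product names it matches on is an assumption chosen to mirror the list in the text, and the remediation step needs an elevated shell.

```powershell
# Software-hygiene check for a Windows workstation (added example, not code
# from the SIR report or the original post). Read-only except for
# Disable-Autorun, which writes the documented Explorer policy value.
$ErrorActionPreference = 'Stop'

# 1. User interaction: is the current user running with admin rights?
function Test-RunningAsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Autorun: NoDriveTypeAutoRun is a bitmask of drive types for which
#    Autorun is disabled; 0xFF covers all of them (Microsoft's Autorun
#    update is still needed on older Windows for the value to be honoured).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunPolicy {
    $v = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }   # value absent: Windows defaults apply
    return [int]$v.NoDriveTypeAutoRun
}

function Disable-Autorun {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# 3. Drive-by downloads: inventory the most attacked software from the
#    Uninstall keys, in both the native and the 32-bit (WOW6432Node) views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RiskySoftware {
    # Product-name pattern is an assumption matching the list in the text.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Adobe Reader|Adobe Flash|Microsoft Office' } |
        Select-Object DisplayName, DisplayVersion |
        Sort-Object DisplayName -Unique
}

function Get-IEVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    # svcVersion exists from IE10 onwards; Version is the legacy value (IE9 and earlier)
    if ($ie.svcVersion) { return $ie.svcVersion } else { return $ie.Version }
}

# Report
"Running as local admin : $(Test-RunningAsAdmin)"
$autorun = Get-AutorunPolicy
if ($autorun -eq 0xFF) {
    'Autorun policy         : disabled for all drive types'
} else {
    "Autorun policy         : NoDriveTypeAutoRun=$autorun (expected 0xFF), applying fix"
    Disable-Autorun
}
"Internet Explorer      : $(Get-IEVersion)"
'Plug-ins / Office      :'
Get-RiskySoftware | Format-Table -AutoSize
```

Run it from an elevated PowerShell on one machine first; for fleet-wide use, the same registry reads are what a vulnerability or configuration scanner performs, and the Autorun policy can equally be pushed as a Group Policy setting instead of written per host.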
0-day vulnerabilities play only a very small role in the propagation of the malware families Microsoft analyzed. This is not really a surprise, as a 0-day is far too expensive a component to be included in mass malware, which tends to rely on older, well-understood vulnerabilities for propagation.
It would be interesting to analyze how initial malware infections (i.e. patient zero) in a company occur. Unfortunately that requires extensive forensic analysis of the affected targets, something that is not within Microsoft's reach and was thus not the focus of this report. However, we can still reason that the "autorun" vector will lose much of its effectiveness and that exploitation through web browsing (i.e. exploit kits) and through e-mails containing attachments and links will become the major sources.
I often hear that companies cannot update software because of their internal policies and business applications that require older software versions, particularly IE6 (still in use at over 45% of our customers) and Java. With the growth of recent attacks and the associated data breaches, this is the right time to bring this discussion to the forefront and invest new resources in an automated and comprehensive patching program. Let me know your thoughts on how you have managed to implement your program, or what challenges you faced when embarking on such a mission within your organization.
BTW, we will talk about a similar subject later this week at RSAC Europe: "SPO-209 Enterprise Patching – Best Ways to Proactively Protect Against Threats". If you are in London, please come by and discuss with us, either during/after the talk or later over a beer at the pub across the street.