News Press Release
Microsoft Security Intelligence Report, Volume Six
April 2009

The Microsoft Security Intelligence Report, volume six, provides an in-depth review of the threat landscape from July through December 2008. Like previous volumes, this report examines software vulnerabilities (in products from Microsoft Corp. as well as third-party companies), software exploits, and malicious and potentially unwanted software. The report also contains updated information on rogue security software (also known as scareware), data on document file format attacks, the differences in malware affecting home and business computers, and other attack methods.

The summary below is based on the report’s key findings; the full report is available at http://www.microsoft.com/sir. Further information about Microsoft’s security research and response efforts is available at http://www.microsoft.com/security.

Key Trends

In the second half of 2008, Microsoft recorded a significant increase in rogue security software and other social engineering tactics designed to prey on people’s fears, trust and desires. Rogue security software uses fear and annoyance tactics to convince victims to upgrade to paid-for “full” versions of the software to remove and protect themselves from malware.

Microsoft’s latest Security Intelligence Report shows that as operating systems become more secure, vulnerabilities are predominantly in the application layer, making software attacks more prevalent with third-party software vendors, Web services providers and original equipment manufacturers.

The report also shows that the need for organizations to implement strong data governance policies and procedures is paramount. Stolen and lost equipment such as laptops remain the primary causes of data loss through security breaches.

Additional Findings and Supporting Data

Rogue Security Software

The global prevalence of rogue security software, which uses social engineering to obtain money or sensitive information from victims, has increased significantly over the past 18 months. Three of the top 10 threats detected worldwide in the second half of 2008 disseminate rogue security software. Win32/FakeXPA and Win32/FakeSecSen are both in the worldwide top 10 list of threats; neither was in the top 25 list of threats in the first half of 2008. Both were detected on more than 1.5 million computers in the second half of 2008.

In addition, Win32/Renos, a longtime threat often used as a delivery mechanism for rogue security software, was detected on 4.4 million distinct computers, an increase of 66.6 percent since the first half of 2008.

Rogue security software families are among the top threats detected in many countries throughout the world, suggesting that the appeal to people’s fear is an effective tactic that transcends language barriers. English seems to be the primary language used by rogue security software social engineering, although some of the software families have been released in multiple languages.

File Format Attacks

For the first time, the Microsoft Security Intelligence Report includes document file format exploit data regarding Microsoft Office and Adobe exploits observed in the second half of 2008. Overall, data showed that attackers incorporated document file format vulnerabilities as an infection technique in numbers not seen before, affecting both consumers and organizations.

The two most common attacks happen either through an e-mail message sent with an infected document attached or when a user visits an infected site and opens unknown links while browsing the Web.

The most frequently exploited vulnerabilities in Microsoft Office software were also some of the oldest; 91.3 percent of attacks exploited a single vulnerability for which a security update had been available for more than two years.

Use of the Adobe PDF format as an attack vector rose sharply in the second half of 2008, with attacks in July amounting to more than twice as many as in the first half of 2008. These attacks continued to double or almost double for most of the remaining months of the year. Two vulnerabilities accounted for all the attacks in the sample files examined; both vulnerabilities had security updates available.

Microsoft encourages customers to make sure they are using the latest versions of all software, including upgrading to Microsoft Office System (2007 release) or going to Microsoft Office Live or Microsoft Update to get the latest updates.

Home Versus Enterprise Data

Also, for the first time, Microsoft is publishing data highlighting the different attacks that target individuals and businesses to help people understand the differences in malware trends and how they can better protect themselves.

The Security Intelligence Report, volume six, showed that computers running Microsoft Forefront Client Security (typically found in corporate environments) were much more likely to encounter worms than home computers running Windows Live OneCare. Home computers also encountered significantly greater percentages of trojans, trojan downloaders and droppers, adware and exploits. Similar percentages of backdoors and spyware were detected by both products. These results are likely due to the different ways people use computers at home and for business. For instance, home computers may be used to browse social networking sites or download media, exposing them to different attack vectors than computers used primarily for business needs.

Malware, Phishing and Drive-by Hosting Data

The Security Intelligence Report, volume six, data showed that Web sites hosting malware tend to be more stable and less geographically diverse than Web sites hosting phishing pages. This may be the result of the relatively recent use of server takedowns and Web reputation as weapons in the fight against malware distribution.

The Security Intelligence Report also showed that more than 1 million drive-by download pages have been detected monthly by Microsoft Live Search since the early part of the second half of 2008, equating to 0.07 percent of all pages indexed (about one in 1,500). A drive-by download page is one that hosts malicious software where, if users visit the Web site and their computers are vulnerable, they can be exploited without their knowledge.

Browser-Based Exploits

In the second half of 2008, Microsoft analyzed a sample of data obtained from customer-reported incidents, submissions of malicious code and Microsoft Windows error reports. The results included the following:

For browser-based attacks on Microsoft Windows XP-based machines, Microsoft vulnerabilities accounted for 40.9 percent of the total, down from 42 percent in the first half of 2008.

The proportion of Microsoft vulnerabilities on Windows Vista-based machines accounted for just 5.5 percent of the total, while third-party vulnerabilities made up 94.5 percent of total vulnerabilities exploited. Windows XP and Windows Vista were the only operating systems involved in the comparison.

Furthermore, similar to the trend observed in the first half of 2008, Microsoft software accounted for six of the top 10 browser-based vulnerabilities to computers running Windows XP, compared with zero of the top 10 browser-based vulnerabilities to computers running Windows Vista. Windows XP and Windows Vista were the only operating systems involved in the comparison.

Industry Software Vulnerabilities

The total number of unique vulnerability disclosures across the entire industry continued to decrease for the third consecutive reporting period. New vulnerability disclosures declined by 3 percent from the first half of 2008, and total disclosures for the full year of 2008 (5,596) were down 12 percent from 2007 (6,360).

The second half of 2008 marked a 4 percent increase in the disclosure of high-severity vulnerabilities over the first half of 2008 (from 1,396 to 1,449) across the entire software industry. The percentage of disclosed vulnerabilities that are easiest to exploit also increased; 56 percent required only a low-complexity exploit. However, for 2008 as a whole, there is still a 16 percent decline from 2007 (from 1,875 to 1,449) across the entire software industry.

Security Breaches

Similar to what was reported in the first half of 2008, stolen and lost equipment continued to account for 50 percent of all reported security breaches in the second half of 2008. Stolen equipment was the top reason reported for data loss at 33.5 percent, with lost equipment accounting for 16.5 percent.

Showing a slight decrease from the first half of 2008, less than 20 percent of reported security breaches in the second half of 2008 resulted from incidents caused by malicious software.

Call to Action

Microsoft calls on the technology industry, law enforcement and policymakers to continue working together to develop new ways to deter online criminals. Microsoft also recommends that customers and organizations use the data and prescriptive guidance outlined in the Microsoft Security Intelligence Report to assess and improve their security practices.

The full report offers strategies, mitigations and countermeasures based on the key findings within each section. Some of the key steps found at http://www.microsoft.com/protect and http://www.microsoft.com/security that people can take to help protect themselves include these:

Configure computers to use Microsoft Update instead of Windows Update; this will ensure receipt of security updates for Microsoft Office and other Microsoft applications, as well as security updates for Microsoft Windows operating systems. More information on how to do this is available at http://support.microsoft.com/kb/311047.

Make sure that updates are also enabled when possible for third-party applications.

Use an anti-malware product from a known, trusted source, and keep it updated. Be cautious not to follow advertisements for unknown software that appears to provide protection (also known as rogue security software).

Avoid opening attachments or clicking on links to documents in e-mail or instant messages that are received unexpectedly or from an unknown source.

Enterprise customers should ensure that policies are in place to secure all file shares and regulate the use of removable media.

Enterprise customers should use the Microsoft Security Assessment Tool (MSAT), available at http://technet.microsoft.com/en-us/security/cc185712.aspx, to help assess weaknesses in their IT security environment and build a plan to address the risks.

Enterprise customers should carefully control the use of remote management software.

Detailed help and guidance on helping secure the home computing environment is available on the Microsoft Security at Home Web site at http://www.microsoft.com/protect.
