Microsoft's Security Intelligence Report (SIRv14) released

Published: 2013-04-23
Last Updated: 2013-04-23 06:01:50 UTC
by Russ McRee (Version: 1)
2 comment(s)

Full disclosure: I work at Microsoft.

This past Thursday (17 APR) Microsoft released  volume 14 of its Security Intelligence Report (SIRv14) which includes new threat intelligence from over a billion systems worldwide. 

It should come as no surprise that network worms are on the decrease and that web-based attacks are all the rage. Interesting report highlights include:

  • The proportion of Conficker and Autorun threats reported by enterprise computers each decreased by 37% from 2011 to 2H12
  • In the second half of 2012, 7 out of the top 10 threats affecting enterprises were associated with malicious or compromised websites (see example below)
  • Enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in 4Q12
  • One specific iFrame redirection family called IframeRef, increased fivefold in the fourth quarter of 2012 to become the number one malicious technique encountered by enterprises worldwide
  • IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012

The report also takes a close look at the dangers of not using up-to-date antivirus software in an article titled “Measuring the Benefits of Real-time Security Software.” I read this with some skepticism imagining it might be heavily slanted to the use of Microsoft AV products, but read on, it's not. It refers to a ton of data generated via Microsoft telemetry but remains data-centric to point out that, on average, computers without AV protection were five and a half times more likely to be infected (What?! I'm shocked. This is my shocked face surprise). The study also found that 2.5 out of 10, or an estimated 270 million computers worldwide were not protected by up-to-date antivirus software. Now that actually is shocking. Really? What's the matter with people? For more information on that analysis, see details on TechNet.

On the related subject of web-based attacks, I recently completed a forensic review of an elderly Windows XP system that had clearly crossed paths with Blackhole, or as the SIR referers to it, Blacole; said system was infected with Exploit:Java/CVE-2011-3544. The behavior discovered warrants a quick review as it details just one of the plethora of manners in which web-based attacks can own you. Of interest, SIRv14 states that "detections of exploits targeting CVE-2011-3544 and CVE-2010-0840, two vulnerabilities with significant exploitation in the first half of the year, declined by large amounts in 2H12. Both are cross-platform vulnerabilities that were formerly targeted by the Blacole kit but have been removed from more recent versions of the kit." That's in keeping with findings on the machine I analyzed given that the related JAR files had been on the system since February 2012. Nonetheless, at the risk of oversimplifying the analysis, the writeup for CVE 2011-3544 describes a vulnerability that allows a remote attacker to execute arbitrary code on the system, caused by the improper handling of Rhino Javascript errors. Of note when unpacked from the initial JAR file were efira.class and (the applet). As ripped directly from the conclusion of Michael Schierl's excellent writeup on CVE-2011-3544:

Steps to exploit this vulnerability include:

  1. Assign a toString() method to this that will disable the security manager and then run your payload
  2. Create a new JavaScript error object
  3. Overwrite the error object's message property by this
  4. Return the error object
  5. Create a new script engine and bind the applet to a JS variable (in case your payload needs it)
  6. Evaluate the script mentioned above
  7. Add the resulting object to a JList
  8. Display the JList to the user and wait for the UI thread to render it
Strings analysis of Efira.class (see VirusTotal if you want hashes) returned the requisite steps including:
  • toString() (1)
  • java/lang/Object error (2)
  • javax/script/ScriptEngine (5) 
  • eval (6)
  • javax/swing/JList (7)
And this was but one example of six Java-specific exploits dropped on this victim system during its unfortunate visit to a Blackhole infected site. Stay tuned for new and interesting web-based exploits for 2013.
1) Run AV
2) Patch
3) Pray 
As always the SIR is a great read. Download it here.
2 comment(s)


As a user of SCEP12 - I found that the vast majority of the IframeRef alerts we get are false positives. It's distasteful to see you call it out as a benefit for the product, when it's one of the most frustrating things I've encountered.
Nice summary of the MS report. The takeaways have been true since Windows 95 and AOL went mainstream. It doesn't surprise me that so many (usually home/personal) systems still don't have a well running antivirus/security software solution. The reason is simple. Most security software (AV, firewalls, etc.) is still way too complicated and noisy for the average user. The vast majority of users have no idea how to properly answer the never ending pop-up questions the typical security programs will ask the user: Allow ABC program inbound acces? Allow XYZ to update your JKL? Allow DEF to run QRS on port 23? Pay $49 to STU company to update your VWX subscription so that you can continue receiving these valuable security alerts that don't make any sense to you?

Poorly running, outdated, and misconfigured security software will continue to be one of the biggest security problems until security software in general becomes more user friendly for the masses. It needs to be much more intuitive and much less complicated. We have light years to travel before the home user becomes a secure user instead of just another vulnerability in the chain.

Imagine if appliances in your home required the same amount of user questioning and precision to work properly as security software does? Every other house in your neighborhood would either be on fire, flooded, or condemned due to exploding, faulty, or broken appliances.

Diary Archives