"The Microsoft Security Intelligence Report (SIR) is a comprehensive and wide-ranging study of the evolving threat landscape, and addresses such topics as software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.
Volume 8 of the Security Intelligence Report (SIR v8) covers July 2009 through December 2009. It includes data derived from more than 500 million computers worldwide, each running Windows. It also draws data from some of the busiest services on the Internet, such as Windows Live Hotmail and Bing."
Some interesting conclusions:
As in previous periods, infection rates for more recently released operating systems and service packs are consistently lower than previous ones, for both client and server platforms.
For operating systems with service packs, each successive service pack has a lower infection rate than the one before it.
Rogue security software—software that displays false or misleading alerts about infections or vulnerabilities on the victim’s computer and offers to fix the supposed problems for a price—has become one of the most common methods that attackers use to swindle money from victims.
Domain-joined computers were much more likely to encounter worms than non-domain computers, primarily because of the way worms propagate. Worms typically spread most effectively via unsecured file shares and removable storage volumes, both of which are often plentiful in enterprise environments and less common in homes. In contrast, the Adware and Miscellaneous Trojans categories are much more common on non-domain computers.
Botnets, networks of malware-infected computers that can be controlled remotely by an attacker, are responsible for much or most of the spam that is sent today.
Vulnerability disclosures in 2H09 were down 8.4 percent from the first half of the year, which continues an overall trend of moderate declines since 2006.
Application vulnerabilities continued to account for most vulnerabilities in 2H09, although the total number of application vulnerabilities was down significantly from 2H08 and 1H09.
Operating system and browser vulnerabilities were both roughly stable, and each accounted for a small fraction of the total.
Drive-by download pages are usually hosted on legitimate Web sites to which an attacker has posted exploit code. Attackers gain access to legitimate sites through intrusion or when they post malicious code to a poorly secured Web form, like a comment field on a blog. An analysis of the specific vulnerabilities targeted by drive-by download sites indicates that most exploits used by such malicious sites target older browsers and are ineffective against newer ones. Exploits that affect Internet Explorer 6 appeared on more than four times as many drive-by sites in 2H09 as did exploits that affect the newer Internet Explorer 7.
"We call it a botnet for fuzzing," said Gallagher, referring to what Microsoft has formally dubbed the Distributed Fuzzing Framework (DFF). The fuzzing network originated with work by David Conger, a software design engineer on the Access team. Client software installed on systems throughout Microsoft's network automatically kicks in when the PCs are idle, such as on weekends, to run fuzzing tests. "We would do millions of [fuzzing] iterations each weekend," Gallagher said -- up to 12 million in some cases.