In part 1 of this series I started comparing what the threat landscape looked like at the turn of the century to what it looks like today. Continuing that theme, today we have released a new special edition Microsoft Security Intelligence Report (SIR) called “The evolution of malware and the threat landscape – a ten year review.”


This special edition of the SIR looks back at how the threat landscape has changed over the past ten years and includes trending data on vulnerability disclosures, exploit trends, malware and potentially unwanted software, regional malware infection rates, growth rates for Windows Update/Microsoft Update usage, and more. This data is very interesting because it is the first time we have aggregated, analyzed and released data in the SIR going back so far in time, providing a long-term view of how attackers have changed their strategies and tactics.

Figure on left: Approximate growth of malware since 1991; figure on right: Percentage increase in the number of files submitted to the MMPC since 2005, an increase of more than 200 percent


For example, one way to get an idea of how the number of attackers and threats has exploded over time is to look at how anti-malware signature files have grown. Today anti-malware signature files run to more than 100 MB in size, while in 2002 typical anti-malware signature files were less than one MB in size. In 2011 Microsoft added more than 22,000 signatures to detect key threat families.

Looking at how the threat categories and major threat families within those categories have ebbed and flowed over time gives you an idea of how malware authors changed their tactics. For example, the Trojan Downloaders and Droppers category, which affected less than nine percent of computers with detections in the first half of 2006 (1H06), rose rapidly to become one of the most significant threat categories in 2007 and 2008, primarily because of increased detections of Win32/Zlob and Win32/Renos. After decreasing significantly from its 1H06 peak, the Worms category began to increase again in 2009 after the discovery of Win32/Conficker and reached a second peak in the second quarter of 2010 (2Q10) with increased detections of Win32/Taterf and Win32/Rimecud. Malware families in the Password Stealers and Monitoring Tools category, which were responsible for a negligible percentage of detections in 1H06, increased slowly but steadily through 2008 and 2009 before peaking in 2Q10. Game password stealers such as Win32/Frethog were responsible for much of this increase.

Figure: Worms, Trojan Downloaders and Droppers, and Password Stealers and Monitoring Tools categories since 2006


The Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories were the most commonly detected categories in 2010 and 2011. Adware detections increased significantly in the first half of 2011 (1H11), including the adware families Win32/OpenCandy and JS/Pornpop. The Miscellaneous Potentially Unwanted Software category, which was the most commonly detected category in 2006, declined in prevalence in 2007 and 2008, then increased again to become the second most prevalent category in the second quarter of 2011 (2Q11). Significant families in this category in 2Q11 were Win32/Keygen, a generic detection for tools that generate product keys for illegally obtained versions of various software products, and Win32/Zwangi, a program that runs as a service in the background and modifies web browser settings to visit a specific website.

Figure: Adware, Miscellaneous Potentially Unwanted Software, and Miscellaneous Trojans categories since 2006


The Miscellaneous Trojans category has consistently affected about a third of computers that were infected with malware in each period since the second half of 2008 (2H08). A number of rogue security software families fall into this category, such as Win32/FakeSpyPro, the most commonly detected rogue security software family in 2010. Other prevalent families in this category include Win32/Alureon, the data-stealing trojan, and Win32/Hiloti, which interferes with an affected user’s browsing habits and downloads and executes arbitrary files.

Much more data and insights are available in this new ten year review – please download your free copy of the report here.

Tim Rains
Trustworthy Computing