Threat and Vulnerability Risk Assessment
The McAfee Avert® Labs Threat Risk Assessment Program
Goals and Benefits
The McAfee Risk Assessment Program evaluates the level of risk posed by threats encountered in the field or at customer sites. The team of global threat experts at McAfee® Avert® Labs strives to inform customers and PC users about current infection risks and their possible consequences, so that they can take appropriate security measures to protect themselves against infection. Risk assessments are included in the threat descriptions posted to the Threat Library. The information is also available at our online Threat Center. Note that risk assessments are supplied only for malicious threats, such as viruses, worms and Trojan horses, at this time. Potentially unwanted programs (PUPs) are not rated currently.
Executive Summary
Today, there are more than 150,000 viruses, virus variants, Trojans, and other types of malicious code in circulation. Every month, this figure increases by approximately 2,500 to 4,000. In order to help network administrators and home users protect their networks and systems when new threats strike, McAfee Avert Labs rates each threat based on criteria described below.
When assessing the level of a particular threat, McAfee Avert Labs determines risk to corporate users and home users separately. This information is included in the threat definition posted by our researchers.
Criteria for Assessing the Risk
Risk of a threat to any individual or corporation can be determined by answering the following questions:
- How likely is it that I will be attacked successfully (exposure)?
- What is the impact if I am attacked successfully (impact)?
Note that this is a statement of probability. While it may be true for a hypothetical user and a hypothetical threat, for any individual user or corporation facing a real threat, the answer is that you either will or will not be infected. Whether that occurs depends on your particular security posture, the countermeasures you have in place, your response speed, the effectiveness of your countermeasures, and even pure luck. When determining the risk of a threat, McAfee Avert Labs attempts to gauge the average probability for our customers globally. This does not mean that no customer will be affected by a low-risk threat, or that no user will escape a high-risk threat.
Exposure: How likely is a successful attack?
In theory, measuring exposure should be fairly straightforward. If a threat is e-mail-borne, and one in 10 e-mails contains the threat, then the risk of exposure is 10 percent. In practice, the situation is seldom this straightforward. Some factors that may alter true exposure levels include:
- The number and popularity of possible targets (Microsoft® Windows® threats are likely to spread more effectively than Macintosh® or Unix threats).
- The number of propagation or infection vectors the threat is capable of exploiting.
- The popularity of those vectors. (For example, significantly more people use e-mail than peer-to-peer file-sharing programs.)
- Whether the threat requires user interaction to mount a successful attack.
- If the threat requires user interaction, the effectiveness of the social engineering employed to trick the user into running the threat.
- If the threat exploits a vulnerability in a piece of software, the availability of a patch and the length of time that the patch has been available.
- The existence and effectiveness of existing countermeasures capable of thwarting an attack. (Do some or most anti-virus vendors detect the threat proactively?)
- The degree to which previous threats exploiting the same vectors, or media interest, have alerted users to the dangers posed by the social engineering or an unpatched vulnerability.
- The degree to which customers have become desensitized to security industry warnings as a result of frequent or exaggerated warnings about other threats.
- The number and types of limitations or bugs in the threat's code.
- Whether the threat was actually ever released and how it was released. (Was the threat seeded slowly or mass-spammed? Were the initial seeding attempts thwarted?)
- The speed and effectiveness with which the security community, including security vendors, Internet service providers, and law enforcement agencies, responds to the threat.
The single most reliable measure of exposure is prevalence to date. Prevalence can be thought of as actual, verified customer reports of successful attacks over time. However, measuring this can be complicated as well for these reasons:
- Customers may fail to notify us of infections.
- Customers may report blocked threats as if they were infections or vice versa.
- Attempts to extrapolate infection rates from volume of infected e-mails are notoriously flimsy. Threats can vary by many orders of magnitude in terms of number of infected e-mails per infected machine.
- Occasional traces such as the counter supplied by the MyWife.d author may be misinterpreted or abused.
As a result, it is difficult to determine a numeric or absolute standard for different prevalence levels. The following guidelines work with some threats, but Avert may revise them on a case-by-case basis based on our decade of experience fighting malware. In some cases, higher exposure risks may be assigned:
- High Exposure Potential—The threat has been identified in the field, and more than 20 instances have been reported in less than four hours. Threats exploiting unpatched vulnerabilities in popular operating systems or applications, with significant secondary indications of infection, may also be placed in this category.
- Significant Exposure Potential—The threat has been identified in the field, and more than 20 instances have been reported during one business day (eight hours). The reported cases can originate in a single country or region or from numerous countries and regions. Threats exploiting patched vulnerabilities in popular operating systems or applications, or unpatched vulnerabilities in less common applications or operating systems, may also be placed in this category.
- Moderate Exposure Potential—The threat has been identified in the field, but fewer than 20 instances have been reported over 24 hours. This classification applies to threats exploiting vulnerabilities where a patch has been available for more than a certain number of days.
- Low Exposure Potential—The virus is known to our researchers, but few or no infections have been reported over a period of several days.
Payload: What kind of damage results from infection?
Like exposure, damage can be difficult to measure in an absolute fashion. Generally, damage that is visible and obvious is considered less severe than damage that is difficult to see or quantify. Examples of more complex damage include:
- Data or potentially confidential files being sent to third parties.
- Loss of reputation or legal liability as a result of data breaches.
- Installation of components that allow arbitrary code execution at a future point in time (backdoors and bots).
- Subtle manipulation of data files. (See XM/Compat.A)
- Enabling attacks on other parties (DDoS clients).
- Causing issues with printers or other network-attached devices. (See W32/Bugbear@MM)
- Terminating or otherwise interfering with security products, leading to exposure to unknown future attacks.
Based on these considerations, Avert uses the following guidelines for determining potential damage caused by threats.
- Unforeseeable Damage—The threat redistributes confidential data to third parties, creates additional unbounded security holes, or brings down an entire network.
- Extremely Serious Damage—The threat manipulates data silently or contributes to the harm of others.
- Serious Damage—The threat deletes a number of files, formats hard drives, or deletes the Flash BIOS.
- Medium Damage—The threat deletes individual files or renders the computer temporarily unavailable.
- Minimal Damage—The threat generates bogus text or generates sounds.
Risk Levels
McAfee Avert Labs reports risk levels for threats in order of severity. The risk level assigned to a threat changes as its prevalence changes. Each level is defined below. Recommended actions for customers and actions taken by Avert at each risk level are listed in a table following the risk level descriptions. The recommended action should be modified to meet your specific needs.
High/Outbreak
These viruses are detected by our threat researchers on most continents within a very short period of time. They are almost always spread via mass mailings or via remote vulnerability exploitation, so they often have a global impact in a matter of hours.
Examples:
- W97M/Melissa
- VBS/Loveletter
- VBS/VBSWG (Anna)
- W32/Nimda
- W32/Mydoom
High
Viruses in this category are discovered in the field and have a payload that can cause serious damage. They usually spread rapidly on common platforms with widely used operating systems. If a virus causes serious damage or catastrophic damage, it may be classified as high risk even if its prevalence is low.
Examples:
- Win95/CIH
- VBS/Newlove
- W32/SQLSlammer.worm
- W32/Sobig.f
- W32/IRCbot.worm!MS05-039
Medium/On Watch
These viruses gain prevalence quickly, have a payload, and usually infect common systems or spread via popular applications. This risk level serves as an early warning signal. The experts at McAfee Avert Labs closely monitor the prevalence of these viruses as they spread to determine whether the risk level needs to be elevated.
Examples:
- W97M/Resume
- W32/Badtrans.b
- W32/Fizzer.gen
- W32/Blaster.worm
- W32/Bagle.aa
Medium
This level of risk applies to viruses that have been reported by several McAfee customers or McAfee Avert Labs researchers. They may have a destructive payload and may infect common platforms and widely used applications.
Examples:
- W32/Sober.c
- W32/Bagle
- W32/Netsky.b
- W32/Sasser.worm
- W32/Zafi.d
Low/Profiled
This rating applies to viruses that appear to be low risk but warrant additional monitoring because they have attracted media interest. These viruses may not yet have been discovered in the field and may not have a dangerous payload. We may also classify a virus as Low/Profiled if it is a variant of a family of viruses that has high prevalence and has the potential to spread.
Examples:
- W32/Bugbros@MM
- W32/Bizex.worm
- W32/Evaman@MM
- W64/Shruggle
Low
This classification is for viruses that may not yet have been reported in the field and may not have a dangerous payload. These viruses typically target obscure or rarely used applications, though at times, they may run on common platforms. The risk assessment for such viruses is Low if the payload is classified as Extremely Serious or Unforeseeable.
Examples:
- W32/Cycle.worm.a
- W32/Reatle.gen
- W32/Vulgar
Not Applicable (N/A)
The Not Applicable (N/A) risk assessment is used on descriptions for threats or apparent threats that do not warrant an assessment. E-mail hoax descriptions have a risk assessment of N/A as they are not Trojans or infectious like viruses. Trojan and virus family descriptions and heuristic detection descriptions have a risk assessment of N/A because they are general descriptions and do not describe specific threats.
Updated Risk Assessments
The risk level for a virus can move from lower to higher over a period of time. For example, a virus may start out with a Low risk assessment but later be elevated to a Medium or Medium/On Watch level as its prevalence increases. When a virus is classified as Medium/On Watch, we frequently raise the risk assessment to High. A risk assessment is lowered when the prevalence of a virus decreases. When a virus is no longer classified as a High risk, it often stays in the Medium risk category for a period of time.
Examples of viruses that have had their risk assessments raised:
- IRC/Stages
- W32/SirCam
- W32/APost
Recommended Customer Action

| Risk Level | Update All Systems (DATs or EXTRA.DAT) | Update Critical Systems | Assess Risk | Deploy Patch | Update HIPS or NIPS Signatures |
|---|---|---|---|---|---|
| High/Outbreak | ASAP | ASAP | Recommended | ASAP | Where Applicable |
| High | ASAP | ASAP | Recommended | ASAP | Where Applicable |
| Medium/On Watch | Recommended | ASAP | Recommended | Recommended | Where Applicable |
| Medium | Recommended | Recommended | Recommended | Recommended | Where Applicable |
| Low/Profiled | Next Regular Update | Next Regular Update | | | |
| Low | As Required | | | | |
| N/A | As Required | | | | |

Avert Actions

| Risk Level | Post Description | Extra.DAT Created | Emergency DAT Release | Press Release | Stinger | Virus Alert |
|---|---|---|---|---|---|---|
| High/Outbreak | Yes | If Necessary | Yes | Yes | Yes | Alert |
| High | Yes | If Necessary | Yes | Yes | Yes | Alert |
| Medium/On Watch | Yes | If Necessary | Yes | Yes | Yes | Advisory |
| Medium | Yes | If Necessary | Yes | Yes | Yes | Advisory |
| Low/Profiled | Yes | If Necessary | Next Regular Update | | | Notice |
| Low | On Demand | | Next Regular Update | | | |
| N/A | On Demand | | Next Regular Update | | | |
Notes:
ASAP—Deploy patches (if necessary to prevent exploitation of a vulnerability by a threat with this rating), EXTRA.DATs, or full DATs as soon as they are available.
Recommended—Avert recommends that you also perform these steps as soon as possible, unless you cannot perform a step because of a lack of resources or a lack of appropriate technology deployment.
Where Applicable—Entercept® and IntruShield® signatures will be released for Medium and above threats when those technologies are capable of protection.
If Necessary—EXTRA.DAT files will only be created if the latest full DAT release does not contain detection for the threat.
Next Regular Update—Low/Profiled and below threats will be included in the next regular DAT release unless they increase in risk.
The McAfee Avert Labs Vulnerability Risk Assessment Program
Goals and Benefits
The McAfee Vulnerability Risk Assessment Program evaluates the level of risk posed by vulnerabilities and associated exploit code. Our team of global threat experts at McAfee Avert Labs strives to inform customers about vulnerabilities and their possible consequences, so that they can take appropriate security measures to protect themselves against exploitation. Risk assessments are included in the vulnerability descriptions posted to the Vulnerability Library. The information is also available at our online ThreatCenter.
Executive Summary
The McAfee Vulnerability Risk Assessment Program evaluates the severity of weaknesses in your system or infrastructure that may open the door to potential attacks. Vulnerabilities can pose great risks for businesses and users' systems. Such attacks may violate the access, availability, or confidentiality of your systems, data, and applications. We have categorized Vulnerability Risk Assessment levels as Low, Medium, High, and Critical. These assessments are primarily based on how easy it is to exploit the vulnerability and the impact of the exploitation. The classifications are also based on the availability of exploit code and other parameters. These risk assessments are not subject to rigorous algorithmic measurement, so judgment calls are often made when assigning a risk level.
Criteria for Assessing the Vulnerability Risk
McAfee Avert Labs considers the following criteria when evaluating vulnerability risk:
Origins of potential attacks
Vulnerabilities can be exploitable from outside your network (“remotely exploitable”), or they can only be exploitable from a local network or on a particular user's system (“locally exploitable”). A locally exploitable vulnerability can only be targeted by attackers within the network, while a remotely exploitable vulnerability can be targeted by insiders as well as by attackers outside the network.
Self-execution capabilities of attacks
Vulnerabilities can be exploited without any involvement by the victim, or they can only be exploited with the unwitting cooperation of the victim. In the latter case, the victim is tricked into engaging in a certain activity, such as visiting a malicious website or opening a malicious media file.
Results of successful attacks
Vulnerabilities are exploited in order to execute code, elevate access privileges, obtain sensitive information, cause a denial of service of an application, service, or system, enable extortion, etc. In general, vulnerabilities that lead to code execution are the most dangerous, while vulnerabilities that result only in a denial of service are far less dangerous. Denial-of-service attacks usually do not result in permanent damage.
In addition to the above criteria, we also take into account the availability of exploit code, the number of vulnerable systems or applications, and the configuration of the vulnerable software. The risk assessment will change over time, depending on the vulnerability life-cycle.
Vulnerability Risk Levels
Critical
- Applies to vulnerabilities that were originally rated "High" but are elevated when exploit code is published.
High
- Applies to remotely exploitable vulnerabilities that require no user interaction. When these vulnerabilities are successfully leveraged, the result is permanent compromise of the attacked systems.
- Applies to vulnerabilities that were originally rated "Medium" but are elevated when exploit code is published.
Medium
- Applies to remotely exploitable vulnerabilities that require no user interaction and that, when successfully leveraged, do not result in a permanent compromise of the attacked systems.
- Applies to remotely exploitable vulnerabilities that require user interaction.
- Applies to locally exploitable vulnerabilities that, when successfully leveraged, result in a permanent compromise of the attacked systems.
Low
- Applies to locally exploitable vulnerabilities that, when successfully leveraged, do not result in a permanent compromise of the attacked systems.
- Applies to vulnerabilities that were originally rated "Medium" and are present only in a non-default configuration or in an application with limited distribution.
The table below lists the Vulnerability Risk Levels based on the criteria mentioned above.
| Origins of Potential Attacks | Self-execution Capabilities of Attacks | Permanent Compromise | Vulnerability Risk Level | Vulnerability Level if Exploit Code is Available |
|---|---|---|---|---|
| remote | no user interaction needed | yes | High | Critical |
| remote | no user interaction needed | no | Medium | High |
| remote | yes, user interaction needed | yes or no | Medium | High |
| local | not relevant | yes | Medium | High |
| local | not relevant | no | Low | Low |
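The decision table and the exploit-code elevation rule above, encoded as a small rating function so the mapping can be applied to a vulnerability's attributes and checked row by row. This is an added example, not McAfee's own code; the `Vuln` fields and the `Level` names are assumed here, and the order in which the non-default-configuration rule and the exploit-code elevation are applied is an assumption, since the text does not say.

```python
"""Added example (not McAfee's code): the Vulnerability Risk Level table
from the section above, expressed as a function over a vulnerability's attributes."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Vuln:
    remote: bool                   # exploitable from outside the network
    user_interaction: bool         # victim must be tricked into acting; ignored when local
    permanent_compromise: bool     # e.g. code execution, as opposed to a transient denial of service
    exploit_code_public: bool = False
    non_default_only: bool = False  # present only in a non-default config or limited-distribution app


def base_level(v: Vuln) -> Level:
    """Rows of the table before exploit-code availability is considered."""
    if v.remote:
        if not v.user_interaction:
            return Level.HIGH if v.permanent_compromise else Level.MEDIUM
        return Level.MEDIUM  # remote, user interaction needed: Medium whether or not permanent
    # local: self-execution is "not relevant"
    return Level.MEDIUM if v.permanent_compromise else Level.LOW


def assess(v: Vuln) -> Level:
    level = base_level(v)
    # Low rule: a "Medium" vulnerability present only in a non-default configuration or
    # a limited-distribution application is rated Low. Assumption in this example: this
    # adjustment is applied before the exploit-code elevation below.
    if level == Level.MEDIUM and v.non_default_only:
        level = Level.LOW
    # Last column of the table: public exploit code elevates Medium to High and High to
    # Critical; Low stays Low.
    if v.exploit_code_public and level >= Level.MEDIUM:
        level = Level(level + 1)
    return level


if __name__ == "__main__":
    # Reproduce the five rows of the table, with and without exploit code.
    rows = [(True, False, True), (True, False, False), (True, True, True),
            (False, False, True), (False, False, False)]
    for remote, ui, perm in rows:
        plain = assess(Vuln(remote, ui, perm))
        with_exploit = assess(Vuln(remote, ui, perm, exploit_code_public=True))
        print(f"remote={remote!s:5} ui={ui!s:5} permanent={perm!s:5} -> "
              f"{plain.name:8} / {with_exploit.name}")
```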
