Conficker and other malware that exploit a vulnerability in the Windows Autorun feature continue to be top threats to business, according to security researchers at Microsoft.
Data drawn from a range of Microsoft security tools running on millions of systems shows that Conficker and Autorun-related malware are the top infections faced by business.
That is despite progress made against most worms and Trojans through improved security protection in software, as shown in the latest Security Intelligence Report (SIR) launched at RSA Conference 2012.
The report shows that malware was dominated by worms from 2002 to 2004, Trojans from 2006 to 2007, and password stealers from 2007 to 2010, but both forms of malware are now in decline.
In recent months, there has been a massive increase in the detection of adware, which is classed as "potentially unwanted" software and sometimes crosses the line to behave like malware.
However, this spike of adware relative to other forms of unwanted software is good news, according to Tim Rains, director of Microsoft Trustworthy Computing.
"The fact that adware-based malware such as Pornpop has risen to the top of trending malware indicates that other threats are declining," he told delegates at RSA 2012.
Expand your security strategy
Enlarging on the theme of intelligence-led security, Rains said businesses needed to note that the top threats to consumers differ from those to the enterprise. This means businesses need to pay attention to different areas of threat.
While businesses still need to pay attention to improving basic computer system hygiene by migrating to newer, more secure systems, patching vulnerabilities promptly, configuring systems properly, and educating users about the risks of social engineering, he said, they must also alter their security posture by adopting a broader security strategy to protect against determined and persistent threats.
Key to this is to assume that data systems will be breached, according to Rains. In response, businesses should classify all data to ensure only the right people access sensitive information in only appropriate ways and circumstances. They should develop a containment and recovery strategy, which may mean re-architecting the corporate environment to enable the isolation of threats that occur.
Address the top enterprise threats
Businesses can also allocate resources and attention based on research, which shows that the Conficker worm and attacks that exploit the Autorun feature in Windows are the top threats facing enterprises.
At the heart of the problem, he said, is that even though a patch for the vulnerability exploited by the original version of Conficker was released two months before the worm appeared, some enterprises did not deploy the patch, and Conficker was able to establish a foothold.
Conficker then evolved into a blended threat, and although many of the vulnerabilities these subsequent versions exploited had been patched, such as a vulnerability in Windows Autorun, inadequate patching left many business environments open to infection.
Another reason it is a top threat in the enterprise world is the widespread use of fileshares with weak passwords, which has been exploited effectively by Conficker. Fileshares are almost non-existent in the consumer world, where Conficker does not make the list of top 10 threats.
The problem in the enterprise world was exacerbated by slow software refresh cycles, said Rains. Many organisations are still running Windows XP Service Pack 2 (SP2), which means they are not protected against exploits of the Autorun vulnerability, as Microsoft ended support for SP2 in 2010.
Switch to XP SP3
According to Rains, a lot of businesses are still running Windows XP SP2. "If there is one call to action it is this: if an organisation is on SP2, it must get to SP3, so that it can start getting security updates again and be protected against Conficker and all other malware that exploits the Autorun vulnerability," he said.
Many businesses that have struggled to rid their systems of Conficker have discovered that the worm was lurking in their storage area networks (SANs), where there is typically no anti-malware software running. Conficker in the SANs was not being detected or cleaned, said Rains.
He advised that in addition to cleaning up their SANs, businesses should also clean up any embedded systems they may have that are connected to the network in some way, such as operating systems for printers.
Businesses must ensure all embedded systems are getting updated to defend against Conficker, he said, otherwise re-infections will continue.