Businesses are finally winning the battle against Conficker and other malware worms that exploit a vulnerability in the Windows Autorun feature, according to security researchers at Microsoft.
Data drawn from a range of Microsoft security tools running on more than one billion systems in more than 100 countries shows a decline of the Conficker, Autorun and Rimecud worms.
According to the latest Microsoft Security Intelligence Report (SIR), enterprise reports of Conficker and Autorun threats declined 37% in 2012, while Rimecud reports dropped by 59%.
“I see this as a success story, with enterprises gaining the ability to lock things down more,” said Holly Stewart, senior program manager at the Microsoft Malware Protection Center.
“We have seen a significant decline of network worms, which have been a top threat to enterprises for several years, so the declines are significant,” she told Computer Weekly.
Despite the declines, Conficker is still ranked the number two threat, so enterprises cannot afford to dismiss it just yet, but the list of enterprise threats is now topped by web-based trojans.
According to volume 14 of the SIR, seven of the top 10 threats affecting enterprises in the second half of 2012 were associated with malicious or compromised websites.
“This can be an exploit that can be delivered over the web, a malicious web technique, or a family that is known to be delivered through one of those vectors,” said Stewart.
The Microsoft data shows that the most common of these threats are redirectors that are usually planted on compromised websites.
The most popular is a JavaScript trojan known as IframeRef that is designed to redirect browsers to another, usually malicious, website or piece of malware.
The data shows that IframeRef instances increased fivefold in the fourth quarter of 2012, when it was detected nearly 3.3 million times.
The second most common redirector is BlacoleRef, a type of malware that uses the victim's web browser to attack the computer and infect it with other malware, such as trojans and viruses.
BlacoleRef belongs to the Blacole family of malware, collectively known as the Blacole or "Blackhole" exploit kit.
Attackers use automated systems to scan websites, identify vulnerable ones and infect them using a range of attack methods such as cross-site scripting and SQL injection, said Stewart.
The compromised server then hosts a small, seemingly benign piece of code that serves as a “redirector”, which can serve malicious pages from another server to infect the victim.
“The redirector is practically invisible to website users and administrators because the website is not defaced and there are no malicious files placed on the server,” said Stewart.
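As an added illustration (not part of the article or the Microsoft report), a site owner's own check for the kind of injected redirector described above: a heuristic scan of a page's HTML for iframe or script tags that pull content from another host, flagging those that are also concealed. The sample page, the "hidden" size thresholds and the host name example.net are constructed for the example.

```python
"""Heuristic scan for injected redirector code in a site's own pages.

Added example, not code from the Microsoft report or the article. It looks
for the pattern the text describes: a small, benign-looking tag on an
otherwise intact page that loads content from another server. The size and
style thresholds for "hidden" are assumptions, not a published signature.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectorScanner(HTMLParser):
    """Collects iframe/script tags whose src points off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host or host.lower() == self.site_host:
            return  # inline or same-host content is not a pull from another server
        style = a.get("style", "").replace(" ", "").lower()
        # A zero/one-pixel or display:none iframe is invisible to the visitor.
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host, "hidden": hidden,
                              "line": self.getpos()[0]})


def scan_html(html, site_host):
    """Return a list of off-site iframe/script findings for one page."""
    scanner = RedirectorScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a normal page with one injected hidden iframe.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<script src="/js/app.js"></script>
<iframe src="http://example.net/loader" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE, "www.example.com"):
        print(finding)
```

Run it over pages fetched from your own site and compare against a known-good copy; an off-site, hidden finding that was not there before is the change a defaced-looking page would otherwise have shown.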
The data shows that the three main methods for infecting computers are social engineering to trick people into clicking on malicious links, creating malicious websites whose URLs closely resemble those of popular websites (known as “typosquatting”), and compromising legitimate websites.
Stewart listed five ways enterprises can mitigate web-based attacks:
Stewart said Microsoft has introduced a no-cost Security Response Readiness Assessment to help enterprises determine whether they are prepared for a system attack or compromise.
“This could be a useful tool to identify potential security gaps and for any information security professionals looking for a call to action,” she said.
19 Apr 2013