The Conficker worm is still one of the biggest malware threats to business, according to the latest edition of the Microsoft Security Intelligence Report.
The report confirms a trend identified in a special report on the ten-year evolution of malware that Microsoft published in February.
Data drawn from a range of Microsoft security tools on 600 million systems worldwide shows that Conficker was detected almost 220 million times in the past two-and-a-half years.
The study revealed that the worm continues to spread as a result of weak or stolen passwords and vulnerabilities for which security updates exist.
Research shows that 92% of Conficker infections were a result of weak or stolen passwords. Some 8% of infections exploited vulnerabilities for which a security update exists.
“Conficker is one of the biggest security problems we face and yet it is well within our power to defend against,” said Tim Rains, director of Microsoft Trustworthy Computing.
“It is critically important that organisations focus on the security fundamentals to help protect against the most common threats," he said.
The original Conficker worm evolved into a blended threat, said Rains, and although many of the weaknesses its later variants exploited have since been addressed by security updates, such as the Windows Autorun behaviour it abused, inadequate patching has left many business environments open to infection.
Another reason Conficker is a top threat in the enterprise world is the widespread use of fileshares with weak passwords, which has been exploited by the worm to spread.
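The spreading mechanism described above, a single infected host trying passwords against many accounts on network shares, leaves a distinctive trace in Windows logon auditing: bursts of failed network logons (event 4625, logon type 3) from one source IP against many different usernames. The following detection logic is an added example and is not code from the Microsoft report; the log lines are constructed in a simplified one-line format rather than a real Windows event export, and the window and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (simplified format, not a real Windows export).
# Event 4625 is a failed logon, 4624 a successful one; LogonType 3 is a
# network logon, which is what access to a file share produces.
SAMPLE_LOG = """\
2012-04-25T09:12:01 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=10.0.5.23
2012-04-25T09:12:01 EventID=4625 LogonType=3 TargetUser=administrator SourceIP=10.0.5.23
2012-04-25T09:12:02 EventID=4625 LogonType=3 TargetUser=backup SourceIP=10.0.5.23
2012-04-25T09:12:02 EventID=4625 LogonType=3 TargetUser=jsmith SourceIP=10.0.5.23
2012-04-25T09:12:03 EventID=4625 LogonType=3 TargetUser=svc_sql SourceIP=10.0.5.23
2012-04-25T09:12:03 EventID=4625 LogonType=3 TargetUser=guest SourceIP=10.0.5.23
2012-04-25T09:12:04 EventID=4625 LogonType=3 TargetUser=helpdesk SourceIP=10.0.5.23
2012-04-25T09:12:04 EventID=4624 LogonType=3 TargetUser=helpdesk SourceIP=10.0.5.23
2012-04-25T09:15:40 EventID=4625 LogonType=3 TargetUser=mwhite SourceIP=10.0.7.8
2012-04-25T09:15:52 EventID=4625 LogonType=3 TargetUser=mwhite SourceIP=10.0.7.8
2012-04-25T09:16:05 EventID=4624 LogonType=3 TargetUser=mwhite SourceIP=10.0.7.8
2012-04-25T09:20:00 EventID=4625 LogonType=2 TargetUser=jdoe SourceIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)$"
)


def parse_events(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "src": m["src"],
        }


def find_share_guessing(text, window_s=60, min_users=3, min_failures=5):
    """Flag sources whose failed network logons, within any window_s-second
    window, hit at least min_users distinct accounts and min_failures attempts.

    Returns {source_ip: (distinct_users, failures, compromised_accounts)} where
    compromised_accounts lists accounts the same source both failed and later
    succeeded against (a guessed weak password). Thresholds are assumptions.
    """
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ev in parse_events(text):
        if ev["ltype"] != 3:          # only network (share) logons matter here
            continue
        if ev["eid"] == 4625:
            failures[ev["src"]].append(ev)
        elif ev["eid"] == 4624:
            successes[ev["src"]].add(ev["user"])

    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, (0, 0)
        # Sliding window over the sorted failures for this source.
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            if len(users) >= min_users and len(window) >= min_failures:
                best = max(best, (len(users), len(window)))
        if best[0]:
            tried = {e["user"] for e in evs}
            flagged[src] = (best[0], best[1], sorted(tried & successes[src]))
    return flagged


if __name__ == "__main__":
    for src, (users, fails, hits) in find_share_guessing(SAMPLE_LOG).items():
        print(f"{src}: {fails} failures across {users} accounts; succeeded on {hits}")
```

In the constructed sample, 10.0.5.23 fails seven logons across six accounts in four seconds and then succeeds as `helpdesk`, which is the pattern to escalate; 10.0.7.8 is a user mistyping a password twice and is not flagged, and the local (type 2) failure is ignored. In a real environment the same logic would be fed from the Security event log of file servers and domain controllers, and a source that trips it is a candidate for isolation regardless of whether any guess succeeded.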
The report also reveals that many so-called Advanced Persistent Threats (APTs) are no more advanced or sophisticated than other types of attack.
In most cases, the report said, these attacks use common attack methods such as exploiting weak or stolen passwords and vulnerabilities for which security updates exist.
However, the success of these attacks lies in their persistence and determination in trying different tactics to compromise the target, the report said.
According to Microsoft, it is more accurate to refer to these threats as "targeted attacks carried out by determined adversaries".
"Labelling cyber threats as ‘advanced’ is often misleading and can divert organisations’ attention away from addressing basic security issues which can prevent more common threats from infiltrating their systems,” said Rains.
“Most attacks do not possess new, super-advanced techniques or technology as the APT label implies; in the majority of cases they simply exploit weak or stolen passwords, vulnerabilities for which a security update exists and employ social engineering,” he said.
For both Conficker and attacks by persistent adversaries, Microsoft recommends businesses adhere to the following security basics:
- Use strong passwords and educate employees on their importance
- Keep systems up to date by regularly applying available updates for all products
- Use antivirus software from a trusted source
- Invest in newer products with a higher quality of software protection
For businesses, Microsoft recommends a broad approach to risk management to help protect against both indiscriminate and targeted attacks.
As Scott Charney, corporate vice-president of Microsoft Trustworthy Computing, outlined in his keynote at RSA 2012, this broad approach should include:
- Prevention: Employ security fundamentals and pay close attention to configuration management and timely security update deployment;
- Detection: Carefully monitor and perform advanced analysis to identify threats. Keep abreast of security events and use credible sources of security intelligence;
- Containment: If the targeted organisation has configured its environment with targeted attacks by determined adversaries in mind, it is possible to contain the attacker’s activities and thereby buy time to detect, respond to, and mitigate the attack. To contain an attack, consideration should be given to architecting domain administration models that limit the availability of administrator credentials and apply available technologies such as IPsec-based network encryption to restrict unnecessary interconnectivity on the network;
- Recovery: It is important to have a well-conceived recovery plan, supported by a skilled incident response capability. Maintain a crisis committee to set response priorities and engage in exercises to test the organisation’s ability to recover from different attack scenarios.