Conficker makes way for web-based attacks, says Microsoft
Web attacks emerge as top threat as businesses finally begin to win the battle against Conficker and other worms, says Microsoft
Businesses are finally winning the battle against Conficker and other malware worms that exploit a vulnerability in the Windows Autorun feature, according to security researchers at Microsoft.
Data drawn from a range of Microsoft security tools running on more than one billion systems in more than 100 countries shows a decline of the Conficker, Autorun and Rimecud worms.
According to the latest Microsoft Security Intelligence Report (SIR), enterprise reports of Conficker and Autorun threats declined 37% in 2012, while Rimecud reports dropped by 59%.
“I see this as a success story, with enterprises gaining the ability to lock things down more,” said Holly Stewart, senior program manager at the Microsoft Malware Protection Center.
“We have seen a significant decline of network worms, which have been a top threat to enterprises for several years, so the declines are significant,” she told Computer Weekly.
Despite the declines, Conficker is still ranked the number two threat, so enterprises cannot afford to dismiss it just yet, but the list of enterprise threats is now topped by web-based trojans.
Web-based threat grows
According to volume 14 of the SIR, seven of the top 10 threats affecting enterprises in the second half of 2012 were associated with malicious or compromised websites.
“This can be an exploit that can be delivered over the web, a malicious web technique, or a family that is known to be delivered through one of those vectors,” said Stewart.
The Microsoft data shows that the most common of these threats are redirectors that are usually planted on compromised websites.
The most popular is a JavaScript trojan known as IframeRef that is designed to redirect browsers to another, usually malicious, website or piece of malware.
The data shows that IframeRef instances increased fivefold in the fourth quarter of 2012, when it was detected nearly 3.3 million times.
The second most common redirector is BlacoleRef, which is a type of malware which uses a user's internet browser to attack their computer and infect it with other malware, such as trojans and viruses.
BlacoleRef belongs to the Blacole family of malware, which together are known as the Blacole or "Blackhole" exploit kit.
Download in-depth resources on targeted attacks
Automated attack method
Attackers use automated systems to scan websites, identify vulnerable websites and infect them using a range of attack methods such as cross-site scripting and SQL injection, said Stewart.
The compromised server then hosts a small, seemingly benign piece of code that serves as a “redirector”, which can serve malicious pages from another server to infect the victim.
“The redirector is practically invisible to website users and administrators because the website is not defaced and there are no malicious files placed on the server,” said Stewart.
The data shows that the three main methods for infecting computers are social engineering to trick people into clicking on malicious links, creating malicious websites with very similar URLs to popular websites known as “typosquatting”, and compromising legitimate websites.
Attack prevention strategy
Stewart listed five ways enterprises can mitigate against web-based attacks:
- Keep all software up to date
This includes business applications, not just operating systems. More than 99% of exploits are of vulnerabilities that have had a security update available for some time. - Use software that was developed with a security development lifecycle (SDL)
If enterprises choose more secure software, they are less likely to have vulnerabilities that can be exploited by attackers. - Restrict websites on the corporate network
By limiting employee access to business-related sites, organisations can reduce their exposure to threats hosted on legitimate sites that are not directly related business activities. - Manage the security of your own websites
Companies should ensure all company websites are not vulnerable to common attack methods, such as cross-site scripting and SQL injection, to avoid putting their own customers at risk. - Use mature network security technologies
Access controls can ensure that any device connecting to the internet has security and other software that is up to date and protected against at least all known threats. Organisations should also consider intrusion prevention and content filtering systems if they are not using them yet.
Stewart said Microsoft has introduced a no-cost Security Response Readiness Assessment to help enterprises determine whether they are prepared for a system attack or compromise.
“This could be a useful tool to identify potential security gaps and for any information security professionals looking for a call to action,” she said.