
4/17/2013
06:19 PM

Microsoft: Worms And Rogue AV Dying, Web Threats Thriving

Conficker finally flickering out, newest edition of Microsoft's Security Intelligence Report (SIR) shows

For the first time in nearly four years, the top malware threat plaguing enterprises is not the Conficker worm: Web-based attacks have taken over, according to new data gathered from more than 1 billion Windows machines worldwide.

IframeRef, a family of iFrame malware that infects Web servers, now holds the No. 1 spot, with a fivefold increase in the fourth quarter of 2012 alone, reaching 3.3 million detections, according to the new Version 14 of Microsoft's Security Intelligence Report (SIR) for the second half of 2012.

"Conficker had been the No. 1 threat for the enterprise since we’ve been tracking domain-joined threats in [the second half of 2009]. In Q4, Conficker was significantly surpassed by IframeRef and was reflective of the overall impact of worms versus Web-based threats," says Holly Stewart, senior program manager for the Microsoft Malware Protection Center.

"The prevalence of IframeRef was a bit surprising," Stewart says. "I expected BlackHole [to be at the top]," she says. "But you're more likely to have a browser encounter with an iFrame redirector, so it really shot up over the past year."

The old mainstay worms, including Conficker and Autorun, dropped 37 percent from 2011 to the second half of 2012, mainly thanks to a second quarter 2011 update from Microsoft for XP and Vista and AV detections for Conficker. Stewart says Conficker had kept spreading for a while due to stolen passwords. "In the second quarter of 2012 is when Conficker started to decline, and this is a bit of a success story for IT pros. The changes they were making, [including] password security, are helping get rid of these worms," she says.

Even so, there are still users out there who don't run up-to-date antivirus programs: As a matter of fact, 2.5 out of 10 computers don't run up-to-date AV software, Microsoft's report says. And without updated AV, computers are 5.5 times more likely to get infected with malware, the report says.

"People intuitively understand the importance of locking their front doors to prevent their homes from being broken into. Computer security is no different. Surfing the Internet without up-to-date antivirus is like leaving your front door open to criminals," says Tim Rains, director of Trustworthy Computing at Microsoft. "With the release of this new research, Microsoft is urging people to make sure they have up-to-date Antivirus installed on their computers."

Interestingly, fake antivirus infections -- most commonly a consumer problem -- also began to decline over the second half of 2012. "For the first time in many years, we see a decline in the incidence of fake AV," Stewart says.

A Web Of Threats
But when one attack vector fizzles, another ignites: Microsoft's SIR shows how Web-borne attacks are on the rise, big-time.

Microsoft's findings on Web threats jibe with those of Symantec, which yesterday released its annual threat report. Symantec says Web-based attacks jumped by 30 percent last year, and the number of phishing sites posing as social networking sites exploded by 125 percent as attackers set their sights on social networks.

"These attacks silently infect enterprise and consumer users when they visit a compromised website," according to Symantec's Internet Security Threat Report 2012. "These attacks are successful because enterprise and consumer systems are not up to date with the latest patches for browser plug-ins, such as Adobe’s Flash Player and Acrobat Reader as well as Oracle’s Java platform. While a lack of attentiveness can be blamed for consumers remaining out of date, often in larger companies, older versions of these plug-ins are required to run critical business systems, making it harder to upgrade to the latest versions. Such patch management predicaments, with slow patch deployment rates, make companies especially vulnerable to Web-based attacks."

Stewart says the wave of Web attacks exploiting SQL injection and cross-site scripting flaws in websites during the past year contributed to some of the spikes in these attack numbers.

Seven of the top 10 threats discovered most on enterprise machines have Web threat ties, Stewart notes. "They are either a Web threat themselves or are known to be delivered through a Web threat in compromised websites, malicious websites, or a combination," she says. "Two are related to iFrame redirection, which is the middleman of Web-based attacks."
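Because IframeRef-style infections work by planting a hidden iframe redirector into pages served by a compromised Web server, one defensive check is to scan the HTML your own servers actually serve for iframes that are invisible or off-screen and point off-site. The heuristic scanner below is an added example, not code from Microsoft, Symantec or Dark Reading; the sample page, the `site_host` value and the size threshold are constructed assumptions.

```python
"""Heuristic scan of served HTML for injected, hidden iframe redirectors."""
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Constructed sample: one legitimate widget iframe plus one hidden,
# off-site iframe of the kind a server-side iFrame injection would plant.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="200"></iframe>
<p>Content</p>
<iframe src="http://bad.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

TINY = 5  # assumed threshold: width/height at or below this is invisible

class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _px(value):
    """Leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that are hidden from the user.
    Off-site src is reported as an extra reason, never on its own, so
    visible third-party embeds are not flagged."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= TINY) or (h is not None and h <= TINY):
            reasons.append("tiny dimensions")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if re.search(r"(left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")
        if not reasons:
            continue  # visible iframe: not a hidden redirector
        host = urlparse(a.get("src", "")).hostname
        if host and host != site_host:
            reasons.append(f"off-site src host {host}")
        findings.append((a.get("src", ""), reasons))
    return findings
```

Run it over a crawl of your own site and diff the findings against a known-good baseline; a new hidden, off-site iframe appearing on many pages at once is the signature the report describes.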

After IframeRef, the top malware families found in enterprises in the second half of last year were, in order, Conficker, Keygen, Autorun, Blacole, BlacoleRef, Zbot, Sirefef, Dorkbot, and Pdfjsc.

The IframeRef Trojan was found in 2.3 percent of machines in the first quarter of last year, and 13.6 percent by the fourth quarter.

Microsoft's SIR v14 drew data from 1 billion computers in more than 100 countries and regions, up from 600 million machines last year. The full SIR is available here for download.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
