Microsoft is ready to officially declare network worms passé for the enterprise. In its latest Security Intelligence Report, released Wednesday, Microsoft said that risks posed by Web-based threats to large, distributed network environments have surpassed malware such as Conficker.
The report is based on data collected from more than one billion endpoints in more than 100 countries by the company’s Malicious Software Removal Tool, Hotmail accounts and Windows Defender users, said Holly Stewart, senior program manager for Microsoft’s Malware Protection Center.
For years, Microsoft has considered Conficker the benchmark of network-based malware. The worm first popped up in 2008 and paved the way for other credential-stealing malware. Now that’s changed, Stewart said.
“Conficker has been thought of as the sentinel of infiltration,” Stewart said. “It has not changed in years. It spreads using an old vulnerability. It steals passwords and uses USB drives and shared drives to move on the network. It’s been tracked as a beacon of things within the network when things are not quite right.”
Conficker is more of a chameleon, constantly changing propagation methods and malware techniques. The worm emerged in November 2008 and attacked a Windows vulnerability to steal passwords and build one of the more formidable botnets ever recorded, reaching a peak of 12 million bots in 2009 according to some estimates. But as enterprises in particular shore up their security efforts, Conficker infections are dwindling noticeably, Microsoft said. The drop coincides with a number of factors, including increased password vigilance and a policy decision by Microsoft to disable its Autorun functionality by default starting with Windows XP and Vista in 2011.
“Conficker started to decline in Q2 2011. If you look at two other worms, Autorun and Rimecud, both used the same propagation method and both had serious declines (37 percent and 69 percent respectively),” Stewart said. “Certainly there’s a correlation of the amount of threats we saw in the enterprise; it seems to indicate the decision had some impact.”
Autorun malware spreads via removable media and generally drops backdoors that enable additional malware infections such as keyloggers that steal credentials and other personal data. Rimecud is similar malware in that it propagates via USB drives and instant messenger applications. Its payload includes backdoor connections to remote servers, and additional malware is installed from third-party servers and peer-to-peer networks.
Naturally, however, enterprises aren’t out of the woods now that network worms have tailed off. Web-based threats have been growing for years as hackers exploit common input-validation vulnerabilities with automated SQL injection attacks or cross-site scripting attacks that enable them to remotely control vulnerable browsers. Users are redirected to sites hosting malicious content and are infected with more malware, or are lured to an attacker-controlled site via social engineering (phishing, spam, typo-squatting) and tricked into entering legitimate credentials. The result has been a spike in Web-based attacks, in particular iFrame redirects.
The Microsoft SIR said that seven of the top 10 threats it detects involve some sort of malicious website or compromised Web content, and two of those seven are iFrame-redirection attacks. Stewart said 3.3 million iFrame redirections were detected, a five-fold increase.
“It’s a really big shift in what we’re seeing as top threats for the enterprise,” Stewart said. “Malicious iFrame redirection is a middle man in these Web-based attacks; it’s that little component where the user is exposed to malicious content.”
Hackers have been able to automate scans for sites vulnerable to attacks such as SQL injection. A targeted Google search, for example, will render a detailed and sizeable list of Web servers vulnerable to any number of attacks. IFrame attacks are effective because the injected code is not obvious to the user or even the Web administrator: the attacker isn’t adding a page to the vulnerable server, defacing a page or adding malware, just a redirector, Stewart said.
“The iFrame exposes visitors to bad stuff that the attacker is hosting somewhere else,” Stewart said. “It’s a piece in the chain of a Web-based delivery system.”
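As an added illustration of the hidden-redirector pattern Stewart describes (this is not code from the Microsoft report or the article), the following Python check flags injected iframes on a page: frames that are zero-sized or hidden by CSS and that load content from a host other than the page’s own. The HTML sample and hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS tricks commonly used to keep an injected frame out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d+", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in the page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True when a width/height attribute is 0 or 1 px (an invisible frame)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def is_suspicious_iframe(attrs, page_host):
    """Hidden or zero-sized frame whose src points off the page's own host."""
    host = urlparse(attrs.get("src", "")).hostname
    if not host or host.lower() == page_host.lower():
        return False  # relative or same-host frames are ordinary site content
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or bool(HIDDEN_STYLE.search(attrs.get("style", ""))))


def find_redirectors(html, page_host):
    """Return the src of each iframe that looks like an injected redirector."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes
            if is_suspicious_iframe(f, page_host)]


# Constructed sample: one legitimate embed plus two injected hidden frames.
SAMPLE_HTML = """<html><body><h1>Store</h1>
<iframe src="https://www.example.com/cart" width="600" height="400"></iframe>
<iframe src="http://bad.example.net/load.php" width="0" height="0"></iframe>
<iframe src="http://evil.example.org/x" style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_redirectors(SAMPLE_HTML, "www.example.com"):
        print("suspicious iframe:", src)
```

Running it on the sample reports the two off-site hidden frames and ignores the visible same-host cart embed.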
IFrame attacks are not alone. Other threats such as Zbot, or the Zeus Trojan, the Blacole Trojan and keygen programs that generate product keys used to validate pirated software climbed the charts, Microsoft said.
“Enterprise customers are much more exposed than ever to malicious Web content,” Stewart said.