Microsoft: malicious websites surpass worms as top enterprise security threat

Malicious websites have surpassed worms as top enterprise security threat, according to Microsoft's latest Security Intelligence Report

Microsoft has released the fourteenth volume of its Security Intelligence Report, which contains threat intelligence from over one billion systems in more than 100 countries. The computing behemoth has found that web-based attacks have actually risen to become the No. 1 threat facing enterprises today. Meanwhile, network worms are starting to decline for the first time.

For the past three and a half years, the Win32/Conficker worm has been the top threat found in enterprise environments. But this year, something notable has happened: the proportion of Conficker and its fellow worm Autorun threats reported by enterprise computers each decreased by 37% from 2011.

“We have reported on Conficker in the Microsoft Security Intelligence Report since the second half of 2008,” Tim Rains, director of trustworthy computing at Microsoft, said in a blog. “No new variants of Conficker have been released in years and the methods it uses to propagate are well known, but once it finds its way into an environment it can be difficult to eliminate it.”

Stepping into Conficker’s dubious shoes as the No. 1 enterprise threat, however, is the general category of “compromised websites.” In the second half of 2012, seven out of the top 10 threats affecting enterprises were associated with malicious or compromised websites that serve malware like JS/IframeRef, Blacole, JS/BlacoleRef, Win32/Zbot (i.e., Zeus), Win32/Sirefef, Win32/Dorkbot and Win32/Pdfjsc.

The Microsoft SIR also found that enterprises were more likely to encounter the iFrame redirection technique than any other malware family tracked in the fourth quarter of 2012. One specific iFrame redirection family, called IframeRef, increased fivefold in the fourth quarter of 2012 to become the No. 1 malicious technique encountered by enterprises worldwide. IframeRef was detected nearly 3.3 million times in the fourth quarter of 2012.

IframeRef, Rains explained, is a malicious piece of JavaScript code that is presented on infected or malicious websites. The purpose of the script is to redirect a browser to other sites that attempt to download malware onto a computer, often by exploiting unpatched software vulnerabilities.

The SIR also acknowledged what seems obvious from scanning the headlines: exploit activity has been at high levels. Data in the Microsoft Security Intelligence Report shows that attackers have been using exploits more and more over the past 18–24 months. The increased exploit activity has been driven by increases in four types of exploits starting in the second half of 2011, including HTML/JavaScript, Oracle Java, document parser exploits, and operating system exploits. The largest increases in exploit activity have been in HTML/JavaScript and Oracle Java exploits.

The number of exploit detections blocked by Microsoft anti-malware increased comparatively from below 10% in the first quarter of 2011 to more than 15% in the first quarter of 2012.

“Although this increase isn’t as dramatic as some of the other threat categories during this period, exploits have been relatively low volume compared to other threat categories for quite some time,” Rains said. “A more typical level for exploits is between 4% and 7%.”

The good news is that enterprises can protect themselves using a number of mitigations, Rains said, including keeping software up to date, limiting the websites that enterprise workers can surf to, managing the security of business websites and leveraging network security technologies like Network Access Protection (NAP). NAP can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing their level of network access.
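For teams managing the security of their own business websites, the sketch below audits a page for the kind of iFrame redirection described above. It is an added example, not code from Microsoft or the report; the heuristics (a hidden or 1-pixel iframe pointing off-site, an inline script that builds an iframe), the host names and the sample page are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics for illustration; not Microsoft's IframeRef detection logic.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}
SCRIPT_IFRAME = re.compile(r"<\s*iframe|createElement\(\s*['\"]iframe['\"]", re.I)

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []      # (rule, line, evidence) leads for human review
        self._script = None     # buffered text of the <script> being parsed
        self._script_line = 0

    def _offsite(self, src):
        host = (urlparse(src).hostname or "").lower()
        same = host == self.site_host or host.endswith("." + self.site_host)
        return bool(host) and not same

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "script":
            self._script, self._script_line = [], self.getpos()[0]
        elif tag == "iframe":
            hidden = (a.get("width") in TINY or a.get("height") in TINY
                      or bool(HIDDEN_STYLE.search(a.get("style", ""))))
            if hidden and self._offsite(a.get("src", "")):
                self.findings.append(("hidden-offsite-iframe", self.getpos()[0], a["src"]))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)   # script text may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if SCRIPT_IFRAME.search("".join(self._script)):
                self.findings.append(("script-builds-iframe", self._script_line, "inline script"))
            self._script = None

def audit_page(html, site_host):
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one legitimate visible embed, two elements that warrant review.
SAMPLE = """<html><body>
<h1>Shop</h1>
<iframe src="https://maps.example.net/embed" width="600" height="400"></iframe>
<iframe src="http://redirector.example.org/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>var f=document.createElement('iframe');f.src='http://redirector.example.org/x';document.body.appendChild(f);</script>
</body></html>"""
```

Findings are leads rather than verdicts: legitimate widgets also create iframes from script, so each hit should be compared against the page as it was last deployed.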
