For the past three and a half years, Win32/Conficker has been the top threat found in enterprise environments.  We have reported on Conficker in the Microsoft Security Intelligence Report since the second half of 2008.  No new variants of Conficker have been released in years and the methods it uses to propagate are well known, but once it finds its way into an environment it can be difficult to eliminate it.

New data just published in volume 14 of the report, focused on the second half of 2012 (2H12), shows that Conficker has competition as the number one threat in enterprise environments.  Figure 1 shows that JS/IframeRef was encountered by more computers than Conficker in the second (2Q12) and fourth (4Q12) quarters of 2012.  IframeRef was detected almost 3.3 million times in 4Q12.  JS/IframeRef is a malicious piece of JavaScript code that is presented on infected or malicious websites.  The purpose of the script is to redirect your browser to other sites that attempt to download malware onto your computer, often by exploiting unpatched software vulnerabilities. 

Figure 1 (left) and Figure 2 (right): Quarterly trends for the top 10 families detected on domain-joined computers in 2H12, by percentage of domain-joined computers reporting detections

   

Figure 3: Quarterly trends for top 10 families detected on domain-joined computers 1Q11 to 4Q12

Perhaps more importantly, in the second half of 2012, 7 out of the top 10 threats affecting enterprises were known to be delivered through malicious websites; these threats are denoted with an asterisk in Figure 1 and include JS/IframeRef, Blacole, JS/BlacoleRef, Win32/Zbot (also known as Zeus), Win32/Sirefef, Win32/Dorkbot, and Win32/Pdfjsc.

Exploit activity has been at high levels, as I recently wrote in an article called “Exploit Activity at Highest Levels in Recent Times: The Importance of Keeping All Software Up To Date.” Data in the Microsoft Security Intelligence Report shows that attackers have been using exploits more and more over the past eighteen to twenty-four months.  So it’s no surprise to see threats related to exploit activity in the top ten list of threats for the enterprise. 

The Call to Action
The good news is that enterprises can protect themselves using a number of mitigations, including:

  1. Keep all software up to date:  attackers are trying to use vulnerabilities in all sorts of software from different vendors, so organizations need to keep all of the software in their environment up to date, and run the latest versions of software whenever possible.  This will make it harder for the types of threats we now see in the enterprise to be successful.
  2. Demand software that was developed with a security development lifecycle:  until you get a software update from the affected vendor, test it, and deploy it, it’s important that you manage the risk that attackers will attempt to compromise your environment using these vulnerabilities.  A very effective way for software vendors to help you do this is by using security mitigations built into the platform, such as ASLR, DEP, SEHOP and others.  These mitigations can make it much harder for attackers to successfully exploit vulnerabilities.  Demand software from your vendors that use these mitigations.  You can check if the software you have in your environment have these mitigations turned on, using a tools like Binscope or EMET.  In cases where you have software deployed in your environment that do not use these mitigations, in some cases EMET might be able to turn them on for you.  These mitigations can help you manage risk by giving you more time to test and deploy security updates or new versions of software.
  3. Restrict websites: limiting the web sites that enterprise information workers can surf to, will reduce the chances of being exposed to the types of attackers we now see in the enterprise.  This likely won’t be popular in the office, but given that 70% of the top threats found in the enterprise are delivered via malicious websites, you might have the data you need to make the business case.  Restricting web access from servers has been a best practice for a long time. 
  4. Manage security of your websites: many organizations don’t realize that their websites could be hosting the malicious content that is being used in these attacks.  Organizations should regularly assess their own web content to avoid a compromise that could affect their customers and their reputation.
  5. Leverage network security technologies: technologies like Network Access Protection (NAP) can provide an additional layer of defense by providing a mechanism for automatically bringing network clients into compliance (a process known as remediation) and then dynamically increasing its level of network access.  

Tim Rains
Director
Trustworthy Computing