Microsoft Says Worm Infections Declining, but Web Attacks Rising

Companies are rooting out Conficker and Autorun worms from their networks, but attacks through the Web are still causing problems, according to Microsoft's latest report.

Conficker, a worm that started spreading among enterprise desktop systems in 2008, continues to wriggle through corporate networks. But the total number of infected systems shrank during 2012, according to the latest Security Intelligence Report released by Microsoft on April 17.

In the last half of 2012, the average number of infections by the two major wormlike programs, Conficker and Autorun, declined by more than a third compared with the total in 2011, the company said. Worms are programs that spread from computer to computer by exploiting vulnerabilities to automatically compromise networks. Conficker typically spreads by guessing users' password, and Autorun jumps between bootable drives.

While companies are slowly tackling the threat of worms, Web-based attacks—especially those that redirect a victim's browser to a site hosting malicious code—have taken off, accounting for seven of the 10 top threats encountered by corporate users, the report stated.

"In the last quarter of 2012, a person in the enterprise was more likely to encounter attacks through the Web than any of the network worms," Holly Stewart, senior program manager with the Microsoft Malware Protection Center, told eWEEK.

A distinct difference exists between enterprise users and consumers in Microsoft's data, because the company can tell if the infected computer belongs to an Active Directory Domain Services domain, typically only used in business networks. Consumers were more likely to encounter adware and other potentially unwanted software than viruses and worms, Microsoft's report found.

The Security Intelligence Report also measured the effect of host-based security software on the rate of infection, finding that computers that had no anti-malware protection were 5.5 times more likely on average to be infected with malicious code.

Attackers appear to be focusing on Windows 7 systems, as unprotected computers running the original Windows 7 operating system—not the more recent Service Pack 1 version—had the highest infection rate, which is 2 percent. In contrast, an average of 4.2 Windows XP systems per 1,000 protected systems showed signs of infection, almost four times higher than Windows 7 Service Pack 1 systems protected by anti-malware.

Microsoft recommended that companies use anti-malware software and other security systems, regularly patch software, and ask vendors about their security development life cycle, which is a method of developing software that takes security into account. In addition, businesses should consider restricting Web sites on their networks to those known to be good and regularly check their own site for security vulnerabilities.

"The security issues posed by the Web are an interesting mix of social engineering and being able to affect servers that are not necessarily under corporate control," Stewart said. "You can lock down end users' systems, but you may not be able to control were they go."

Reports of vulnerabilities declined by 8 percent in the second half of 2012, mainly due to a drop in application vulnerabilities. Vulnerabilities reported in Microsoft products shrank by more than a quarter in the second half of 2012, their lowest level since 2005.

The Blackhole exploit kit, which Microsoft refers to as Blacole, accounted for a large proportion of the exploited vulnerabilities in the latter half of 2012, the Microsoft report stated. Six of the top 10 exploits detected in 2012 were components of this cyber-crime kit, Microsoft stated.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...