Conficker found on 25% of enterprise Windows PCs, Microsoft says

Meanwhile, fake security software also becomes bigger threat, Microsoft says .

Conficker was far and away the most prevalent threat found on Windows machines in the second half of 2009 in the enterprise, Microsoft says. The company's security tools cleaned the Conficker worm from one quarter of enterprise Windows machines.

That was one of the findings in Microsoft's semi-annual security report card, the Microsoft Security Intelligence Report, published on Monday. Twice a year, Microsoft releases this report which analyzes the data it collects from all of its various security software on all of its flavors of Windows. It collects data from its licensed tools, like the Forefront products, its freebie tools like Windows Security Essentials, and the Windows Malicious Software Removal Tool which Microsoft distributes with Windows Update tools.

Worms were the most successful technique used against enterprise Windows machines. Although Microsoft released the critical patch MS08-067 to address Conficker in October, 2008, even as of the second half of 2009, of all the worms used, Conficker, was far and way the most common. Conficker remains successful because it uses so many ways to propagate, the report suggests. Some variants spread via removable drives. Some by exploiting weak passwords. Conficker can disable several system services and security products, and downloads arbitrary files.

Win32/Autorun, which targets removable drives, was also commonly found in the enterprise. More interesting, both Conficker and Autorun were found to be the worms of choice for hackers that gained the ability of downloading malware onto a machine by gaining access through another hole (such as Winmad, a class of malicious Windows Media files that contain links to executable files).

Top 10 Enterprise Security Threats

Source: Microsoft

In addition to the solely technical skill of propagating Conficker and other worms, hackers made progress at social engineering attacks, particularly scareware. Scareware, also known as rogue security software, is a fake security warning that pretends to detect a threat and asks the user to install it and then proceeds to try to talk the user into paying for registration or other services.

Microsoft says its security products cleaned scareware from 7.8 million computers in 2H09, up from 5.3 million computers in 1H09—an increase

of 46.5 percent. Win32/FakeXPA was the third-most prevalent threat detected of them all, too. Other scareware variants, such as Win32/Yektel, Win32/FakeSpypro, and Win32/Winwebsec, were in the top 20.

Some families even emulate the appearance of Microsoft's own Windows Security Center or use other trademarks to make them look like the real deal.

Microsoft has posted new videos intended to help IT managers educate users about the scareware threat. But here's more info that you can use to warn your users not to click on so-called security products with any of these names, and to never give them payment.

Win32/FakeXPA goes by the names of

  • Antivirus 7
  • Personal Security
  • AntiVir2010
  • Antivirus BEST
  • Green AV
  • MaCatte (and many others)

Win32/FakeSpypro goes by the names of

  • Antivirus System PRO
  • Spyware Protect 2009 (and others).

Win32/Winwebsec goes by the names of names

  • Winweb Security
  • System Security (and others).

While there was some good news in the report -- for instance, every service pack or newer release of Windows had less infections than the release before it -- vulnerabilities against Microsoft continue to be a growing hacker favorite. Microsoft released 47 security bulletins in second half of 2009 that addressed

104 individual vulnerabilities compared to 27 in the first half that fixed about 84 holes. Of these nearly 81% were reported to Microsoft first adhering to its "responsible disclosure practices" compared to 79.5 in the first half. In straight numbers, this still leaves more holes discovered out in the wild before Microsoft can fix them.

Hackers find more success in attacking applications than they do the operating systems or the browsers. Of those browser-based exploits, holes in Adobe reader account for the lion's share, according to Microsoft.

Ironically, the Microsoft Security Intelligence Report, Volume 8, is available as a PDF. It is also available as an .xps Office document file.

Posted by Julie Bort.

Like this post? Check out these others.

  • Data Protection Manager 2010 Protection Best Practices
  • After three years effort, Microsoft's open source IronRuby stable and available
  • Bigger is better when it comes to mailboxes, Microsoft says
  • Microsoft ... oh how you've changed! (Not)
  • Understanding How System Center Operations Manager Works
  • Patch Tuesday brings bevy of critical updates
Plus, visit the Microsoft Subnet web site for more news, blogs, podcasts. Subscribe to all Microsoft Subnet bloggers. Sign up for the bi-weekly Microsoft newsletter. (Click on News/Microsoft News Alert.) All Microsoft Subnet bloggers on Twitter Julie Bort on Twitter




Copyright © 2010 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022