Qualys Blog

www.qualys.com
wkandek

Microsoft SIR 2012 – New Conficker Statistics

This week Microsoft published its 12th edition of the Security Intelligence Report (SIR) covering the second half of 2011. Every six months Microsoft combines data from its Hotmail service on spam, the Microsoft Malware Protection Center (MMPC) on malware and the Microsoft Security Response Center (MSRC) on vulnerabilities, and reports on the state of Internet and Windows security.

This 12th edition contains a special case study that brings new numbers on an older, but still active threat: the Conficker Worm. Conficker first became active in 2008 and attacked a remote code execution vulnerability in Windows, addressed by Microsoft in MS08-067. At its height, it infected roughly 7 million computers and led to the founding of the Conficker Working Group that to this day is in charge of the Command and Control neutralizing mechanism developed to keep Conficker under control. Take a look at the recent book "Worm" by Mark Bowden, for a captivating and enjoyable story about the people and actions involved in investigating and combating Conficker.

In 2011 Conficker continued to be active and Microsoft collected data on 1.7 million infection attempts, both successful and unsuccessful. As we have detailed knowledge of the artifacts that Conficker leaves behind for each of its infection mechanisms, Microsoft was able to categorize the method that each attack employed to infect the systems monitored for the report. The results are quite surprising: they show that 43% of all Windows XP machines were infected through the original vulnerability, indicating that they do not have the three-year-old patch applied.

conficker1.png Figure 1: Conficker attack categorization

But the biggest infection vector turns out to be the credential-based attacks, which account for between 54% and 89% of all infections. Conficker has a small dictionary of passwords that is used in a brute force attack against other machines in the network and it continues to be surprisingly effective.

Reading through the report, it is clear that we have the means to block each and every attempt of conficker to infect other machines:

  • the dictionary attack is very basic and is prevented even by enforcing simple password composition policies, i.e. adding number and special characters to only alpha type passwords
  • the patch MS08-067 has been available for the last three years. It is well tested and its efficiency can actually be seen at the above numbers for Windows 7, which has the patch integrated in all of its versions since its release date.
  • Autorun functionality can be controlled by system administrators on the Registry level, and Microsoft has recently published patches that modify the default value to safer settings, prompting users to run the programs on the USB, Network share or CD-ROM, rather than blindly executing the specified program.

In all fairness, the overall numbers are dragged down by the consumer-side of Windows. Enterprise installations have better values, almost completely eliminating the Autorun vector, and bringing the vulnerability based attacks down to 12% on windows XP. Nevertheless, credential attacks continue to be effective accounting for over 90% of all successful attempts, clearly showing that while patching has gained good acceptance, secure configurations are still a challenge.

conficker-enterprise.png Figure 2: Conficker in the Enterprise

The ease with which Conficker continues to propagate in our networks shows that we continue to neglect basic OS hardening techniques. Improving the definition and enforcement of password policies, prompt patching and secure configuration of OS parameters such as Autorun will prove beneficial in combating not only Conficker, but also against Malware as a whole.

I hope that this quick summary on Microsoft SIR has piqued your interest sufficiently to give the whole report a read. You can access the latest edition at its page at Microsoft.

Leave a Reply