Conficker: Microsoft says two basic security steps might have stopped infections

If businesses and consumers stuck to security basics, they could have avoided all cases of Conficker worm infection detected on 1.7 million systems by Microsoft researchers in the last half of 2011.

According to the latest Microsoft Security Intelligence report, all cases of Conficker infection stemmed from just two attack methods: weak or stolen passwords and exploiting software vulnerabilities for which updates existed.

More: Microsoft: Conficker still the top corporate network threat

BATTLING BOTS: Microsoft names alleged Kelihos botnet creator 

So using strong passwords and boosting password security in combination with promptly patching known vulnerabilities would have gone a long way toward reducing the number of Conficker infections, which rose by more than 500,000 in the fourth quarter of 2011, according to the study.

Despite these simple steps, Conficker has remained at the top of the enterprise threat list for the past two and a half years, the study says.

In defense of computer owners, the worm often carries key loggers that steal passwords, says Tim Rains, Microsoft's director of trustworthy computing. The report includes a graphic listing some of the passwords that Conficker tries when it's on a machine inside the enterprise trying to get into file shares, and the list is a who's who of weak passwords (11, 22, admin, asdfgh, foofoo, Password).

The report has recommendations for businesses trying to battle advanced persistent threats (APT), which it describes as targeted attacks that can use a variety of methods and that are carried out by adversaries who are very determined. That determination and commitment to long-term infiltration are the key features of APTs, Rains says.

To fight them requires holistic risk management that includes prevention, but also effective detection. A big-data approach to aggregating network security and traffic data and analyzing it for anomalous behavior increases the chances of noticing malicious activity of stealthy malware, he says.

Businesses should also architect their networks in segments designed to contain successful attacks, giving IT security more time to discover them and respond. That response should be well thought out and rehearsed so it can be implemented quickly when the time comes, he says.

(Tim Greene covers Microsoft for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter!/Tim_Greene)

Read more about wide area network in Network World's Wide Area Network section.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about APTING AustraliaLANMicrosoft

Show Comments