New study finds malware variants skirting AV, mostly delivered via web


A recent study finds that a majority of malware variants have been delivered through the web, going completely undetected by anti-virus (AV) solutions.

After collecting data from more than 1,000 of its enterprise customers who use its Wildfire firewall, Palo Alto Networks has discovered that an overwhelming majority of “unknown” malware was delivered via web browsing.

Over a period of three months, more than 26,000 samples of “unknown” files, which turned out to be variants of malware, were analyzed in “The Modern Malware Review” report.

According to the results, web browsing accounted for 90 percent of the fully undetected malicious files, and AV vendors took four times as long to add coverage for malware delivered by web-based applications as for malware delivered by email. For their tests, the researchers focused on malware samples that none of six AV vendors detected.

Small changes to the code of an earlier version of a piece of malware produce variants that anti-virus technology fails to detect, because the modified file no longer matches the original's signature.

Although AV is a useful technology, there has been a shift, says Wade Williamson, senior security analyst at Palo Alto Networks. Malware, he said, is now being delivered and behaving in ways that AV is not designed to stop.

“Not only is web-based malware more real time, but it's really easy to customize each version of it,” Williamson told SCMagazine.com on Wednesday. “You end up with a lot of versions that are seemingly unique to each end-user who downloads the [malware]. That's not something that traditional AV is built for.”

The study additionally revealed that samples taken from FTP applications were “exceptionally high-risk.” Although it was the fourth most common source of unknown malware, 94 percent of the samples collected were only seen once, and were delivered in a non-standard evasive way.

According to Williamson, FTP applications were the most interesting to study because he believes they were the vectors that were closely tied to “truly targeted attacks.”

“That's important, because I don't think many security managers stay up at night worrying about FTP,” he said. “From an attacker's perspective, it's a very hot application in terms of targeted attacks.”

In order to combat these evolving threats, Williamson believes that organizations need to bring more attention to their anti-malware network, as well as do a better job of identifying variants of disguised malware.

“We've got to do a better job of just looking at the file name, URL or the hash value,” he said. “We've got to be able to catch some of those variants so we're not reanalyzing the same versions of malware with the same disguise.”
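The two points above, that a trivially modified variant evades exact signature matching, and that defenders should be able to recognize a variant rather than reanalyze it as a new file, can be shown in a few lines. The following is an added illustration written for this article, not code from Palo Alto Networks or from the report. All byte strings are constructed stand-ins (no real malware), and the function names `exact_hash_match`, `similarity_score` and `is_known_variant` are hypothetical. It compares a SHA-256 lookup, which fails on a variant that differs by a handful of bytes, with a byte n-gram Jaccard similarity, which still scores the variant close to the known sample while scoring an unrelated file near zero.

```python
from __future__ import annotations
import hashlib
import random

# Constructed stand-in for a file an analyst has already classified as malicious.
# Deterministic pseudo-random bytes plus a readable tail; not real malware.
_rng = random.Random(1234)
KNOWN_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(1024)) + b"config=v1;c2=placeholder.invalid"

# Constructed "variant": the same content with two bytes flipped and a short
# suffix appended, the kind of small edit the article says defeats signature AV.
_variant = bytearray(KNOWN_SAMPLE)
_variant[10] ^= 0xFF
_variant[500] ^= 0x01
VARIANT_SAMPLE = bytes(_variant) + b";pad=0000"

# Constructed unrelated file, used to show the similarity check does not
# flag everything.
_rng2 = random.Random(9999)
BENIGN_SAMPLE = bytes(_rng2.getrandbits(8) for _ in range(1056))


def sha256_hex(data: bytes) -> str:
    """Hash value of the file, as a signature database would store it."""
    return hashlib.sha256(data).hexdigest()


def exact_hash_match(data: bytes, known_hashes: set[str]) -> bool:
    """Signature-style lookup: only a byte-identical file matches."""
    return sha256_hex(data) in known_hashes


def byte_ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """Set of overlapping n-byte substrings; a small edit changes only a few."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |A∩B| / |A∪B| in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity_score(data: bytes, known: bytes, n: int = 4) -> float:
    """How much of the n-gram structure two files share (1.0 = identical sets)."""
    return jaccard(byte_ngrams(data, n), byte_ngrams(known, n))


def is_known_variant(data: bytes, known_samples: list[bytes], threshold: float = 0.8) -> bool:
    """Flag a file as a variant if it is structurally close to any known sample.

    The threshold is an assumption for this example; a production system would
    calibrate it against real false-positive data.
    """
    return any(similarity_score(data, k) >= threshold for k in known_samples)


if __name__ == "__main__":
    known_hashes = {sha256_hex(KNOWN_SAMPLE)}
    print("variant matches by hash:      ", exact_hash_match(VARIANT_SAMPLE, known_hashes))
    print("variant similarity to known:  ", round(similarity_score(VARIANT_SAMPLE, KNOWN_SAMPLE), 3))
    print("variant flagged as variant:   ", is_known_variant(VARIANT_SAMPLE, [KNOWN_SAMPLE]))
    print("benign similarity to known:   ", round(similarity_score(BENIGN_SAMPLE, KNOWN_SAMPLE), 3))
    print("benign flagged as variant:    ", is_known_variant(BENIGN_SAMPLE, [KNOWN_SAMPLE]))
```

The hash lookup answers only "have I seen exactly this file", which is the question a customized per-download variant is built to make useless. The n-gram comparison answers "is this nearly the same file as one I already analyzed", which is what lets a team avoid reanalyzing the same malware under a fresh disguise. Real products use more robust structural or behavioural features than raw byte n-grams, but the contrast between the two questions is the same.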
