New study finds malware variants skirting AV, mostly delivered via web

A recent study finds that most malware variants that went completely undetected by anti-virus (AV) products were delivered through the web.

After collecting data from more than 1,000 of its enterprise customers who use its WildFire malware-analysis service, Palo Alto Networks found that an overwhelming majority of “unknown” malware was delivered via web browsing.

Over a period of three months, more than 26,000 “unknown” files, which turned out to be variants of malware, were analyzed for “The Modern Malware Review” report.

According to the results, web browsing accounted for 90 percent of the fully undetected malicious files, and AV vendors took four times as long to add coverage for malware delivered by web-based applications as for malware delivered by email. For the analysis, the researchers focused on samples that had no coverage from any of six AV vendors.

Small changes to the code of an earlier malware version are enough to create variants that skirt detection by signature-based anti-virus technology, because the modified file no longer matches the known sample's hash or signature.

Although AV is still a useful technology, there has been a shift, says Wade Williamson, senior security analyst at Palo Alto Networks: malware is now being delivered, and behaving, in ways that AV was not designed to stop.

“Not only is web-based malware more real time, but it's really easy to customize each version of it,” Williamson told SCMagazine.com on Wednesday. “You end up with a lot of versions that are seemingly unique to each end-user who downloads the [malware]. That's not something that traditional AV is built for.”

The study additionally found that samples delivered over FTP were “exceptionally high-risk.” Although FTP was only the fourth most common source of unknown malware, 94 percent of the FTP-delivered samples were seen only once, and they were delivered in a non-standard, evasive way.

According to Williamson, FTP was the most interesting vector to study because he believes it is closely tied to “truly targeted attacks.”

“That's important, because I don't think many security managers stay up at night worrying about FTP,” he said. “From an attacker's perspective, it's a very hot application in terms of targeted attacks.”

To combat these evolving threats, Williamson believes that organizations need to pay more attention to network-level anti-malware controls, and to do a better job of identifying variants of disguised malware rather than treating each one as a brand-new unknown.

“We've got to do a better job of just looking at the file name, URL or the hash value,” he said. “We've got to be able to catch some of those variants so we're not reanalyzing the same versions of malware with the same disguise.”
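As an added illustration (this is not code from the article or from Palo Alto Networks), the following Python shows why a one-byte change to a sample defeats an exact SHA-256 blocklist, and how a simplified piecewise fingerprint, a toy stand-in for a fuzzy hash such as ssdeep, still recognizes the file as a variant so it need not be re-analyzed from scratch. The sample bytes are constructed, and the window size, the 0.9 similarity threshold and all function names are assumptions for the example.

```python
import hashlib
import zlib

# Constructed stand-in for a known-bad file (not a real sample): a
# deterministic byte sequence long enough to fingerprint.
KNOWN_BAD = bytes((i * 37 + 11) % 256 for i in range(192))


def sha256_hex(data: bytes) -> str:
    """Exact hash used by a traditional blocklist lookup."""
    return hashlib.sha256(data).hexdigest()


def make_variant(data: bytes, offset: int, new_byte: int) -> bytes:
    """Emulate the cheapest possible 'new version': change one byte."""
    buf = bytearray(data)
    buf[offset] = new_byte
    return bytes(buf)


def piecewise_fingerprint(data: bytes, window: int = 8, stride: int = 4) -> set:
    """Hash overlapping byte windows. A local edit only disturbs the few
    windows that cover it, so most of the fingerprint survives."""
    return {
        zlib.crc32(data[i:i + window])
        for i in range(0, len(data) - window + 1, stride)
    }


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of two piecewise fingerprints, 0.0 to 1.0."""
    fa, fb = piecewise_fingerprint(a), piecewise_fingerprint(b)
    return len(fa & fb) / len(fa | fb)


# What a detector would store about previously analyzed samples.
KNOWN_HASHES = {sha256_hex(KNOWN_BAD)}
KNOWN_SAMPLES = [KNOWN_BAD]  # in practice, store fingerprints, not files


def classify(sample: bytes, threshold: float = 0.9) -> str:
    """'known' on an exact hash hit, 'variant' on a near match of a known
    sample, otherwise 'unknown' (which is what would go to a sandbox)."""
    if sha256_hex(sample) in KNOWN_HASHES:
        return "known"
    if any(similarity(sample, k) >= threshold for k in KNOWN_SAMPLES):
        return "variant"
    return "unknown"


if __name__ == "__main__":
    variant = make_variant(KNOWN_BAD, 100, 0x00)
    # The two SHA-256 values share nothing; the blocklist misses the variant.
    print("original:", sha256_hex(KNOWN_BAD)[:16], "->", classify(KNOWN_BAD))
    print("variant: ", sha256_hex(variant)[:16], "->", classify(variant))
    print("similarity: %.3f" % similarity(KNOWN_BAD, variant))
    print("zeros:   ", classify(b"\x00" * 192))
```

With a 192-byte sample, an 8-byte window and a stride of 4, the one-byte edit at offset 100 changes only the two windows that cover it, so 45 of the 47 original windows still match and the similarity is 45/49, comfortably above the threshold; the exact hash, by contrast, changes completely. The fixed-stride windows here are a simplification: real fuzzy hashes pick block boundaries from the content itself so that insertions and deletions do not shift every later window.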
