New study finds malware variants skirting AV, mostly delivered via web


A recent study finds that a majority of malware variants have been delivered through the web, going completely undetected by anti-virus (AV) solutions.

After collecting data from more than 1,000 of its enterprise customers who use its Wildfire firewall, Palo Alto Networks has discovered that an overwhelming majority of “unknown” malware was delivered via web browsing.

Over a period of three months, more than 26,000 samples of “unknown” files, which turned out to be variants of malware, were analyzed in “The Modern Malware Review” report.

According to the results, web browsing accounted for 90 percent of the fully undetected malicious files, and it took AV vendors four times as long to add detection for malware delivered through web-based applications as for malware delivered by email. For their tests, researchers focused on malware samples that none of six AV vendors covered.

Small changes can be made to the rogue code of previous versions of malware, creating variants that skirt detection by anti-virus technology.

Although AV is a useful technology, there has been a shift, says Wade Williamson, senior security analyst at Palo Alto Networks. Malware, he said, is now being delivered and behaving in ways that AV is not designed to stop.

“Not only is web-based malware more real time, but it's really easy to customize each version of it,” Williamson told SCMagazine.com on Wednesday. “You end up with a lot of versions that are seemingly unique to each end-user who downloads the [malware]. That's not something that traditional AV is built for.”

The study additionally revealed that samples taken from FTP applications were “exceptionally high-risk.” Although FTP was only the fourth most common source of unknown malware, 94 percent of the FTP samples collected were seen only once, and they were delivered in a non-standard, evasive way.

According to Williamson, FTP applications were the most interesting to study because he believes they were the vectors that were closely tied to “truly targeted attacks.”

“That's important, because I don't think many security managers stay up at night worrying about FTP,” he said. “From an attacker's perspective, it's a very hot application in terms of targeted attacks.”

In order to combat these evolving threats, Williamson believes that organizations need to bring more attention to their anti-malware network, as well as do a better job of identifying variants of disguised malware.

“We've got to do a better job of just looking at the file name, URL or the hash value,” he said. “We've got to be able to catch some of those variants so we're not reanalyzing the same versions of malware with the same disguise.”
