New study finds malware variants skirting AV, mostly delivered via web


A recent study finds that a majority of malware variants have been delivered through the web, going completely undetected by anti-virus (AV) solutions.

After collecting data from more than 1,000 of its enterprise customers who use its Wildfire firewall, Palo Alto Networks has discovered that an overwhelming majority of “unknown” malware was delivered via web browsing.

Over a period of three months, more than 26,000 samples of “unknown” files, which turned out to be variants of malware, were analyzed in “The Modern Malware Review” report.

According to the results, web browsing is responsible for 90 percent of the fully undetected malicious files, taking AV vendors four times as long to detect the malware from web-based applications compared to emails. For their tests, researchers focused on malware samples without coverage from six AV vendors.

Small changes can be made to the rogue code of previous versions of malware, creating variants that skirt detection by anti-virus technology.

Although AV is a useful technology, there has been a shift, says Wade Williamson, senior security analyst at Palo Alto Networks. Malware, he said, is now being delivered and behaving in ways that AV is not designed to stop.

“Not only is web-based malware more real time, but it's really easy to customize each version of it,” Williamson told on Wednesday. “You end up with a lot of versions that are seemingly unique to each end-user who downloads the [malware]. That's not something that traditional AV is built for.”

The study additionally revealed that samples taken from FTP applications were “exceptionally high-risk.” Although it was the fourth most common source of unknown malware, 94 percent of the samples collected were only seen once, and were delivered in a non-standard evasive way.

According to Williamson, FTP applications were the most interesting to study because he believes they were the vectors that were closely tied to “truly targeted attacks.”

“That's important, because I don't think many security managers stay up at night worrying about FTP,” he said. “From an attacker's perspective, it's a very hot application in terms of targeted attacks.”

In order to combat these evolving threats, Williamson believes that organizations need to bring more attention to their anti-malware network, as well as do a better job of identifying variants of disguised malware.

“We've got to do a better job of just looking at the file name, URL or the hash value,” he said. “We've got to be able to catch some of those variants so we're not reanalyzing the same versions of malware with the same disguise.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.