Internet Security Hass and Associates Reviews: 90% of Unknown Malware

90% of unknown malware is delivered via the web

A new study of malware takes an unusual approach: instead of analyzing known malware, it analyzes the unknown malware that traditional defenses miss, and finds that 90% is delivered from the web rather than via email.

The study, The Modern Malware Review, was undertaken by Palo Alto Networks drawing on data from more than 1000 enterprise customers that use its WildFire firewall option. WildFire analyzes unknown files; that is, files that are neither whitelisted nor blacklisted. It is the unknown files that turned out to be unknown malware that have been analyzed: some 26,000 samples over a period of 3 months.

90% of the undetected malware is delivered via web browsing, implying that traditional AV is better at detecting email-borne viruses. In fact, it takes AV companies four times as long to detect web malware as it does to detect email malware (20 days rather than 5 days).

There are several reasons for this. Firstly, since email malware tends to be sent to multiple targets, there are multiple instances waiting to be found in mailboxes and analyzed. “However a potentially more significant factor,” says the report, “is that web-based malware easily leverages server-side polymorphism.” Put simply, the malware is frequently and rapidly re-encoded to avoid detection, “which vastly reduces the likelihood that AV vendors will be able to capture the sample and create a signature.”

FTP was found to be particularly risky. The FTP malware samples are more likely to be unique (94% were seen only once), are often missed by the AV industry (95% were never covered), and are port-independent (97% used only non-standard ports). “It was the 4th most common source of unknown malware, the malware it delivered was rarely detected... and almost always operated on a non-standard port.”

The malware samples were found to make significant efforts at avoiding detection. “52% of observed malware behaviors focused on evading security or analysis, compared to only 15% focused on hacking and data theft.” The most common evasion technique is the ‘long sleep’. Code injection is another evasion technique, notable “because it allows malware to hide within another running process.” It is consequently invisible in the Task Manager, and can also foil some attempts at whitelisting on the host.

The report suggests that 70% of this unknown malware shows indicators in the payload or traffic that could aid identification. Suspicious traffic is one of the biggest indicators, and a behavior perhaps more easily detected by a firewall than by anti-virus software. For example, “33% of the samples connected to new domains, DNS or fast-flux”, which lends itself to blocking. Similarly, 20% of the samples generated emails. “Network policy,” says the report, “should only allow email protocols to and from the corporate mail server, and block direct email to the Internet.”
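The network-side indicators the report lists (direct email from hosts other than the corporate mail server, connections to never-before-seen domains, and FTP running on non-standard ports, as covered in the FTP paragraph above) can be checked with a short triage pass over firewall or proxy flow records. The following is an added example written for this page; it is not code from Palo Alto Networks or from the report. The flow records, the corporate mail server address, the baseline of known domains, and the `app` field (protocol identified from payload rather than port, as a port-independent firewall would report it) are all constructed assumptions.

```python
"""Triage flow records for the indicators described in the report:
direct email, new domains, and FTP on non-standard ports.
Added example; all hosts, domains and flows below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Assumption: the only sanctioned host allowed to speak mail protocols to the Internet.
CORPORATE_MAIL_SERVER = "10.0.0.25"
MAIL_PORTS = {25, 465, 587}
FTP_STANDARD_PORTS = {20, 21}
# Assumption: a baseline of destination domains previously observed on this network.
KNOWN_DOMAINS = {"corp.example", "files.corp.example",
                 "update.example-vendor.test", "mx.partner.test"}


@dataclass(frozen=True)
class Flow:
    src: str          # internal host that opened the connection
    dst_port: int     # destination port
    dst_domain: str   # resolved destination name, "" if none
    app: str          # protocol identified from payload, not port (e.g. "ftp")


def flag_direct_email(flows: Iterable[Flow]) -> list[Flow]:
    """Mail-protocol traffic from any host other than the corporate mail server:
    the report's 'block direct email to the Internet' policy."""
    return [f for f in flows
            if f.dst_port in MAIL_PORTS and f.src != CORPORATE_MAIL_SERVER]


def flag_new_domains(flows: Iterable[Flow], known=KNOWN_DOMAINS) -> list[Flow]:
    """Connections to a domain never seen on this network before."""
    return [f for f in flows if f.dst_domain and f.dst_domain not in known]


def flag_ftp_nonstandard(flows: Iterable[Flow]) -> list[Flow]:
    """FTP identified by payload but running on a port other than 20/21."""
    return [f for f in flows
            if f.app == "ftp" and f.dst_port not in FTP_STANDARD_PORTS]


def triage(flows: Iterable[Flow]) -> dict[str, list[Flow]]:
    """Run every indicator and return the matching flows per indicator."""
    flows = list(flows)
    return {
        "direct_email": flag_direct_email(flows),
        "new_domain": flag_new_domains(flows),
        "ftp_nonstandard_port": flag_ftp_nonstandard(flows),
    }


def suspicious_hosts(flows: Iterable[Flow]) -> list[str]:
    """Internal hosts that triggered at least one indicator, sorted."""
    hits = triage(flows)
    return sorted({f.src for matches in hits.values() for f in matches})


# Constructed sample flows: the mail server relaying to a partner (clean), a
# workstation sending mail directly, the same workstation speaking FTP on 8443
# to an unknown domain, a routine HTTPS update, and ordinary FTP to a known host.
SAMPLE_FLOWS = [
    Flow("10.0.0.25", 25, "mx.partner.test", "smtp"),
    Flow("10.0.1.17", 25, "mx.freemail.test", "smtp"),
    Flow("10.0.1.17", 8443, "a7x9q.example-random.test", "ftp"),
    Flow("10.0.1.30", 443, "update.example-vendor.test", "https"),
    Flow("10.0.1.30", 21, "files.corp.example", "ftp"),
]

if __name__ == "__main__":
    for indicator, matches in triage(SAMPLE_FLOWS).items():
        print(f"{indicator}: {len(matches)} flow(s)")
        for f in matches:
            print(f"  {f.src} -> {f.dst_domain}:{f.dst_port} ({f.app})")
    print("hosts to investigate:", suspicious_hosts(SAMPLE_FLOWS))
```

Run against the constructed flows, only the workstation 10.0.1.17 is reported: once for sending mail directly and once for FTP on port 8443 to a domain not in the baseline. The FTP check relies on payload-based protocol identification because, as the report notes, 97% of the FTP samples used non-standard ports, so a port-only rule would miss them.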

Just detecting this unknown malware is not enough. The purpose of this review is to give the enterprise the information it needs to be more proactive. “Analyzing undetected malware in real networks,” said Wade Williamson, senior research analyst at Palo Alto Networks, “has enabled us to arm IT security teams with actionable information for reducing their exposure against threats they might have otherwise missed.”

Some tips for you to know about:


By: mildredhughes