If you’re looking to deliver malware that effectively evades detection, your best bet is to deploy it using run-of-the-mill File Transfer Protocol (FTP). Malware let loose in this fashion evaded detection by traditional antivirus measures 95 percent of the time for more than 30 days, according to a new report [PDF].
The inaugural Modern Malware Review, issued by Palo Alto Networks, analyzed three months of data culled from 1,000 live customer networks employing their WildFire product – a feature of their Next-Generation Firewall designed to detect and block new and unknown malware. Once isolated, the samples were tested against six fully updated, industry-leading antivirus products. More than 26,000 of the samples had no antivirus coverage at the time they were detected in live enterprise networks.
Security Bistro spoke to Wade Williamson, senior security analyst at Palo Alto Networks, who found the data surrounding FTP malware delivery to be especially intriguing.
“A lot of times it's not the application that delivers the most malware that is interesting, but rather the application that is best at not being caught. In this case that was FTP,” he said. “By and large, when we saw malware being delivered by FTP, it was only seen once, and traditional AV vendors never caught it. So at first blush it seemed to be a very targeted vector for malware.”
Williamson said that malware delivered by FTP was not only effective, but also quite slippery.
“It was off the charts in terms of being evasive. Over 97% of samples used a non-standard port exclusively. To put that another way, only 3% of samples ever used port 20 or 21 (the traditional FTP ports). I think this is interesting because most network managers don't give a second thought to FTP, but it’s pretty obvious that attackers are thinking about it…a lot,” he added.
The results show that traditional antivirus solutions are not identifying the vast majority of malware infecting networks via real-time applications such as web browsing. In fact, 94 percent of the fully undetected malware discovered on surveyed networks was delivered in this fashion. It was also harder to detect, taking antivirus vendors 4 times as long to detect malware from web-based applications as opposed to email (20 days for web, 5 days for email).
Williamson said the findings help shed some light on how (and where) these malware attacks originate and how they can be mitigated, noting that malware signatures still hold a tremendous amount of value in preventing unknown or customized malware.
“The working narrative in the industry is that malware signatures are an outdated technology that are essentially useless today. I think this is a pretty dangerous misconception. Just because a given technique isn't foolproof doesn't mean that it can't continue to have real value,” he said. “Ultimately a signature in some form is needed in order to actually block a threat and provide proactive protection, and the analysis shows that there is headroom for improvement here."
The study showed that 40 percent of seemingly unique malware samples -- with a unique hash value -- were variants that could be identified based on unique indicators in the malware header or payload. This is telling us that 40 percent of even unknown malware can be blocked if we can get signatures out quickly that are looking for the right indicators, he added.
While the report reveals some issues with traditional antivirus, the goal of focusing on unknown or undetected malware was not to point out deficiencies in traditional solutions -- but rather to better understand the problems, and hopefully identify practices that can help, according to the report.
Cost is a major factor. A recent Solutionary report found that the typical malware attack often goes undetected on enterprise networks for up to a month and at an average cost of $3,000 per day.
Williamson said that one of the things enterprises can do to protect themselves is to establish baselines in their networks so they can recognize when things are anomalous.
“We saw that about one-third of malware samples generated unknown or custom application traffic. This is much higher than you would expect to see for normal network traffic, and provides an easy place to start investigating,” he said. “However, this approach gets even more powerful when teams get into the habit of investigating any unknown traffic and properly re-classifying any benign or approved traffic. This makes the unknown far more exceptional and thus far more actionable.”
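The two detection ideas above (FTP identified by content rather than port, and a baseline of approved applications that makes "unknown" traffic stand out) can be put together in a small flow classifier. This is an added example, not code from Palo Alto Networks or the report; the flow records, the baseline and the `220` banner check are constructed assumptions.

```python
import re

FTP_PORTS = {20, 21}
# Constructed baseline: applications this hypothetical network has approved.
BASELINE_APPS = {"http", "dns", "smtp", "ftp"}
# An FTP server greets with a "220" reply line, whatever port it listens on.
FTP_BANNER = re.compile(rb"^220[ -]")
# Fallback hints for flows where the first server bytes are not informative.
PORT_HINTS = {53: "dns", 25: "smtp"}

def classify_app(dport, server_bytes):
    """Identify the application from the server's first bytes, falling back to port."""
    if FTP_BANNER.match(server_bytes):
        return "ftp"
    if server_bytes.startswith(b"HTTP/1."):
        return "http"
    return PORT_HINTS.get(dport, "unknown")

def analyze(flows):
    """Return (FTP-on-non-standard-port findings, share of flows outside the baseline)."""
    findings, unknown = [], 0
    for f in flows:
        app = classify_app(f["dport"], f["server_bytes"])
        if app == "ftp" and f["dport"] not in FTP_PORTS:
            findings.append((f["src"], f["dst"], f["dport"]))
        if app not in BASELINE_APPS:
            unknown += 1
    return findings, unknown / len(flows)

# Constructed sample flows (source, destination, port, first server bytes); not real captures.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "198.51.100.9", "dport": 21, "server_bytes": b"220 ProFTPD ready"},
    {"src": "10.0.0.7", "dst": "203.0.113.4", "dport": 8080, "server_bytes": b"220 Welcome"},
    {"src": "10.0.0.7", "dst": "203.0.113.4", "dport": 80, "server_bytes": b"HTTP/1.1 200 OK\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.8", "dport": 4000, "server_bytes": b"\x17\x03\x01\x00\x20"},
    {"src": "10.0.0.9", "dst": "10.0.0.1", "dport": 53, "server_bytes": b""},
    {"src": "10.0.0.3", "dst": "192.0.2.22", "dport": 6667, "server_bytes": b"\x00\x01\x02"},
]

if __name__ == "__main__":
    findings, share = analyze(SAMPLE_FLOWS)
    for src, dst, port in findings:
        print(f"FTP on non-standard port: {src} -> {dst}:{port}")
    print(f"unknown application traffic: {share:.0%} of flows")
```

Traffic that lands in the "unknown" bucket and turns out to be benign should be added to the baseline, so that the bucket stays small enough to investigate every time it grows.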
A full copy of the report can be found HERE [PDF].