Nearly 99 percent of enterprise-level networks have a serious gap in their IT security defenses enabling advanced malware to easily slip through, according to FireEye.
Successful attacks typically exploit zero-day
vulnerabilities and frequently change the attacking domains and code binaries
to avoid detection, according to a new FireEye report.
About 80 percent of enterprises in the report were hit with
more than 100 new infections per week in the first half of 2011, according to a
report from FireEye Malware Intelligence Lab
released Aug. 31. If that number
wasn't high enough, 98.5 percent of enterprises have at least 10 infections a
week, the report found.
Malware authors tend to employ dynamic "zero-day"
tactics to exploit vulnerabilities no one else knows about and can't defend
against. Even so, 94 percent of malicious binaries are being
"morphed" or modified within 24 hours of releasing them to stay
undetected by security tools. The attackers also change the malicious domains
hosting the malware within hours.
Criminals are moving their distribution sources very
quickly, "like a drug dealer moving to a different street corner after
every few deals."
Criminals are constantly tweaking, encrypting, repackaging
and obfuscating malicious code and toolkits, the researchers found. Despite the
thousands of malware families that are circulating, the researchers estimated
that the ones that fall in the "top 50" generated 80 percent of
successful malware infections. The attacks come from all over the world and
employ social engineering tactics designed to dupe even the "most educated"
users, researchers said.
"The exploding zoo of malware executables can be
attributed to a much smaller number of malware toolkit code bases,"
The most worrying finding in light of all the sophisticated
attacks and number of threats was the fact that nearly all, or 99 percent, of
enterprise networks had a security gap. Despite enterprises spending an
aggregate $20 billion on IT security, malicious infections were entering the
network every week, FireEye said. In fact, FireEye researchers calculated that
enterprises on average were seeing 450 malicious infections each week. About 20
percent have "thousands of infections" per week, according to the
The infections were getting past "standard gateway
defenses, such as firewalls, next-generation firewalls, IPS, antivirus, email
and Web security gateways," the researchers wrote.
FireEye's technology is deployed as "the last line of
network defense" behind firewalls, intrusion prevention systems, antivirus
and other traditional security gateways and detects advanced malware, zero-day
attacks and advanced persistent threats. The FireEye Malware Intelligence Lab
reviewed hundreds of thousands of infection cases collected from its deployed
systems during the first half of 2011 to generate the report.
"Cyber-criminals are nearly 100 percent effective at
breaking through traditional security defenses in every organization and
industry, from security-savvy to security laggards," the lab researchers
The fastest growing malware categories are fake antivirus
programs, downloader Trojans and information stealing executables. The primary
function of downloader Trojans is to download other pieces of malware onto the
compromised system and is usually among the first pieces of malware to infect
the machine in the first place. Enterprises should consider fake antivirus
programs as "gateway malware" as once installed, they can make it
easier for more serious malware designed to steal information to penetrate the
network, FireEye said.
Despite the headlines they garner, nation-state APT malware
used for espionage is comparatively rare, according to FireEye.
Data stealing malware, such as Zeus (Zbot), Papras
(Snifula), Zegost, Multibanker, Coreflood, and Licat were among the top
information stealers in the second quarter of 2011, FireEye said.