Successful attacks typically exploit zero-day vulnerabilities and frequently change the attacking domains and code binaries to avoid detection, according to a new FireEye report.
About 80 percent of enterprises in the report were hit with more than 100 new infections per week in the first half of 2011, according to a report from FireEye Malware Intelligence Lab released Aug. 31. If that number wasn’t high enough, 98.5 percent of enterprises have at least 10 infections a week, the report found.
Malware authors tend to employ dynamic “zero-day” tactics to exploit vulnerabilities no one else knows about and can’t defend against. Even so, 94 percent of malicious binaries are being “morphed” or modified within 24 hours of releasing them to stay undetected by security tools. The attackers also change the malicious domains hosting the malware within hours.
Criminals are moving their distribution sources very quickly, “like a drug dealer moving to a different street corner after every few deals.”
Criminals are constantly tweaking, encrypting, repackaging and obfuscating malicious code and toolkits, the researchers found. Despite the thousands of malware families that are circulating, the researchers estimated that the ones that fall in the “top 50” generated 80 percent of successful malware infections. The attacks come from all over the world and employ social engineering tactics designed to dupe even the “most educated” users, researchers said.
“The exploding zoo of malware executables can be attributed to a much smaller number of malware toolkit code bases,” FireEye said.
The most worrying finding in light of all the sophisticated attacks and number of threats was the fact that nearly all, or 99 percent, of enterprise networks had a security gap. Despite enterprises spending an aggregate $20 billion on IT security, malicious infections were entering the network every week, FireEye said. In fact, FireEye researchers calculated that enterprises on average were seeing 450 malicious infections each week. About 20 percent have “thousands of infections” per week, according to the report.
The infections were getting past “standard gateway defenses, such as firewalls, next-generation firewalls, IPS, antivirus, email and Web security gateways,” the researchers wrote.
FireEye’s technology is deployed as “the last line of network defense” behind firewalls, intrusion prevention systems, antivirus and other traditional security gateways and detects advanced malware, zero-day attacks and advanced persistent threats. The FireEye Malware Intelligence Lab reviewed hundreds of thousands of infection cases collected from its deployed systems during the first half of 2011 to generate the report.
“Cyber-criminals are nearly 100 percent effective at breaking through traditional security defenses in every organization and industry, from security-savvy to security laggards,” the lab researchers wrote.
The fastest growing malware categories are fake antivirus programs, downloader Trojans and information stealing executables. The primary function of downloader Trojans is to download other pieces of malware onto the compromised system and is usually among the first pieces of malware to infect the machine in the first place. Enterprises should consider fake antivirus programs as “gateway malware” as once installed, they can make it easier for more serious malware designed to steal information to penetrate the network, FireEye said.
Despite the headlines they garner, nation-state APT malware used for espionage is comparatively rare, according to FireEye.
Data stealing malware, such as Zeus (Zbot), Papras (Snifula), Zegost, Multibanker, Coreflood, and Licat were among the top information stealers in the second quarter of 2011, FireEye said.