Almost Every Victim Sees Unique Malware, Webroot Says

Nearly 97 percent of malware encountered on users' computers is unique, as criminals automatically generate variants in order to stymie defensive software.

malware variants

Every snowflake may be unique, but now, so is nearly every piece of malware, according to the latest report by security firm Webroot.

Last year, 97 percent of malware encountered by potential victims was a unique variant, the culmination of a trend that started more than a half decade ago, the company stated in its Webroot 2016 Threat Brief. While no antivirus company relies only on signatures—also known as "hashes"—to detect malware, slightly modifying the malicious programs to foil the first line of defense is an easy step for attackers, Grayson Milbourne, security intelligence director for Webroot, told eWEEK.

"From a hash perspective, each of those threats are unique to that particular endpoint," he said. "Those threats were only seen on the endpoint that recorded it."

Overall, the amount of malware seen by end users appears to be leveling off. Webroot detected only a slight increase in malware as a proportion of all unique files executed by its users. The number of potentially unwanted software programs blocked by Webroot, however, declined by almost half. In part, the drop is likely due to efforts by the Clean Software Alliance, a group dedicated to preventing unwanted software installs.

"Because of the Clean Software Alliance, companies are doing a better job of leading people toward the legitimate source [of a desired program]," he said. "So the bad acting, pay-per-install groups are realizing that, if they are going to thrive, they have to act more like malware and evade detection. We see them using the same techniques now as most malware."

Webroot, however, saw a dramatic increase in the number of new Internet addresses from which malicious attacks came. On average, nearly 100,000 new Internet addresses showed signs of malicious behavior each day, making up about 40 percent of the 250,000 addresses showing daily signs of malicious activity, Milbourne said.

"There is an increased migration into the unused, and otherwise thought-to-be-benign, IP space, which is a reaction by cyber-criminals as they try to stay ahead of Web companies," he said.

The trend appears to be a sign that criminals are moving away from using the same sites and systems for malicious activity. In 2014, Webroot detected malicious activity 46 times from the average IP address on its top 10,000 list of malicious actors. In 2015, the frequency dropped to 18 times a year, Milbourne said.

"We track the top 10,000 IP addresses and how often we see malicious activity there," he said. "We have seen a drop in the number of times we see malicious activity from those addresses."

Many of the sites are used as a destination for phishing victims. Webroot found that phishing attacks were twice as likely to masquerade as a technology company than as a financial firm. Google, Dropbox and Yahoo topped the list of technology firms whose credentials attackers sought, Milbourne said.

"You would think that financial would be the target, but the technology companies provide more net value because if I can break into your email account at Google, I can then figure out what value you have," he said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...