Malicious Code Regularly Dodging Defenses, Palo Alto Finds

An analysis of data collected from 1,000-plus corporate networks finds more than 26,000 malware samples that escaped detection by antivirus software.

Common antivirus software packages fail to detect nearly 40 percent of malware seen by the average corporate network, according to data from network security firm Palo Alto Networks.

In a report based on data from more than 1,000 actual company networks, Palo Alto found that antivirus products have great success rates against malware that spreads through email—detecting nearly 97 percent of all email-borne malware—but are less effective against malware transmitted over the Web, detecting less than half. Yet, 70 percent of the samples not detected by antivirus programs had identifiable characteristics that could aid in future detection.

While the analysis, released March 25, does not suggest that antivirus software is not without its uses, companies should make sure they are doing more than just relying on such programs for security, Wade Williams, senior security analyst with Palo Alto Networks, told eWEEK.

"It's not just traditional AV, but also your Web gateways and proxies that have been doing some anti-malware on the network [that] are having a hard time with today's malware, because it's changing in real time and is customizable each time it gets delivered to the target," Williams said.

Antivirus makers received a black eye in January, when The New York Times revealed that Chinese malware that infected the newspaper company's systems was not stopped by Symantec’s software. Security software's difficulty in dealing with targeted and low-volume attacks is a well-known problem.

Palo Alto culled the data from the networks of more than 1,000 companies that use a feature of its network-security appliances to analyze suspicious files in the cloud. Over three months, more than 68,000 files were determined to be malware samples, of which only 61 percent were detected by six popular antivirus programs, the company stated in its report.

The data shows that malware authors are focusing more on delivering malware through real-time communications to deny antivirus programs the time for analysis. Malware that infected systems through email typically escaped detection from antivirus software for five days, while infecting through other communications channels, such as the Web, appeared to help the malware escape detection for up to 20 days.

In addition, more than half of malicious files waited before executing to avoid detection by automated analysis platforms, which typically only observe malware for 30 minutes or less before moving onto the next sample.

"We saw more malware behavior that was dedicated to hiding from on-box security than we saw hacking and data-theft behavior," Williams said. "A really large part of the malware's brain is focused on how to stay away from the security that Windows has (and) how to stay away from the prying eyes of suspicious users."

More than 70 percent of the malware that was undetected by antivirus programs did have some identifiable attributes that could give defenders clues to the files' malicious nature, the report stated. About 40 percent of malware samples contained one or more identifiers common to other malware samples. Another 30 percent of malware used unknown Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) traffic, visited an unregistered domain, sent out emails or generated other customized traffic. For example, 95 percent of malware that used FTP for file transfers were not detected by antivirus programs.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...