Malware Dodging Defenses More Often on an Increasingly Dangerous Web

Companies see a malware-related event every three minutes while attackers are using various new techniques to better evade defenses.

It's a dangerous online world out there. Every three minutes, the average company encounters malware activity that exposes its information systems to attack, according to the latest report released by threat-protection firm FireEye.

Attackers are also increasingly using tactics aimed at escaping detection by standard defenses such as antivirus software, according to FireEye's Advanced Threat Report for the second half of 2012.

While law firms only see an event every 30 minutes, technology firms are attacked in some way every minute on average. Based on data from 89 million incidents over six months, FireEye classified malicious activity as a drive-by download, a compromised computer contacting a botnet controller over the Internet or the receipt of an email with a malicious attachment or link.

"While virtually every company in every industry is being targeted by advanced attacks, there are some clear variances across the industries," FireEye stated in the report. "The goals of attackers, the tactics they use and the frequency of attack can all vary substantially depending on the industry being examined."

Attacks against companies in industries such as banking and legal services had wide variances in the number of incidents they faced each month. While other industries, such as technology and telecommunications, faced a much more consistent threat, the report found.

While the company did not release data on the trends, it found that increasing numbers of malware either detects the virtual machines (VMs) used as an environment to analyze malicious code or used delaying tactics to outlast the typical time that software programs are analyzed. In addition, more malware is signed by a digital certificate to seem more legitimate.

"There is actually a very strong effort by malware writers to evade a lot of defenses—not just antivirus anymore, but bypassing a lot of traditional sandboxing methods," Rob Rachwald, senior director of market research FireEye told eWEEK.

FireEye appliances are typically placed inside a company's firewalls and email security gateways, so the events detected by the company are those that passed the first line of defenses.

Malware that waits for actual user activity before executing will get passed to the user as a non-malicious file, said Anup Ghosh, CEO and founder of Invincea, an endpoint security firm.

"Companies have to be careful that if they are doing the analysis in a virtual environment, (the malware) may detect the VM and decide not to run," Ghosh said. "Then you are passing it onto the user, indicating that it's no threat, and that is a problem."

FireEye also found that ZIP-compressed files are the most common form of email attachment, encompassing 92 percent of all malicious file types found appended to email messages.

The study represents only a snapshot of the data FireEye collected, but other security firms have made similar findings. On March 25, network security firm Palo Alto Networks released its own report finding that nearly 40 percent of malware escapes detection and makes it into the network.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...