Mac OS Malware, Web-based Threats Decline: Report

A new report from McAfee Labs shows that while malware overall continues to increase, web-based threats and Mac OS malware have declined in recent months.

McAfee Labs Threat Report: September 2016, published (PDF) today, comprises three special studies together with the usual current malware statistics. The studies are an analysis of information theft (methods and prevention); an analysis of the ransomware threat to hospitals; and "A crash course in security data science, analytics, and machine learning."

According to statistics from McAfee, new malware samples in Q2 2016 totaled more than 40 million, which is the second highest quarterly figure ever recorded. The total number of samples in the McAfee 'zoo' now stands at more than 600 million.

New samples of mobile malware detected in Q2 stand at just fewer than 2 million, which is the highest ever quarterly number. The zoo now contains around 11 million samples of mobile malware.

Ransomware continues to accelerate. New samples in Q2 were in excess of 1.3 million, while the total number of ransomware samples is around 7.25 million and is increasing by an average of 128% year on year.

New malicious signed binaries declined throughout 2015, but are now increasing again. About 1.5 million were detected in Q2, 2016; and the total number of samples now stands at around 22 million.

The most dramatic growth, however, is the return of macro malware. In Q3 2014, fewer than 10,000 new samples were detected. By Q1 2016 this had grown to more than 50,000 new samples -- and in Q2 2016 this jumped to just under 180,000 new samples. The total number of macro samples now stands at more than 600,000, with a growth of 39% in the last quarter alone.

Only Mac OS X malware bucks the trend, with new samples falling back to around 7,500 samples in Q2 from more than 25,000 in Q1. McAfee Labs believes this drop is caused by dramatically reduced activity from a single adware family, OSX.Trojan.Gen. Nevertheless, the total number of Mac OS samples in the zoo now stands at just under 90,000.

Web threats, however, are continuing to decline, with the number of new suspect URLs having now dropped for five successive quarters. New phishing URLs have declined from around 1.4 million in Q4 2015 to just over 500,000 in Q2 2016. New spam URLs have fallen from 2 million in Q3 2015 to around 400,000 in Q2 2016. Global spam volumes, however, have now been increasing over the last three quarters.

The report's study into information theft is based on the Intel Security 2016 Data Protection Benchmark Study commissioned by Intel Security and undertaken by Ponemon. It finds that the retail and financial services sectors have the best defenses against data loss, and attributes this to the frequency of attacks and the high value of the data held. Conversely, healthcare and manufacturing are the least prepared sectors. McAfee attributes this to historically fewer attacks. However, the transition of criminal attacks aimed at replaceable payment card numbers to the less replaceable PII, PHI and intellectual property now makes these sectors mainstream targets.

"Industry sectors such as healthcare and manufacturing present both opportunity and motive for cybercriminals," explains Vincent Weafer, Vice President for Intel Security's McAfee Labs. "Their relatively weak defensive capabilities coupled with highly complex environments simplify breaches and subsequent data exfiltration. The cybercriminals' motive is ease of monetization, with less risk." 

The overall picture of breach prevention is not reassuring. Contrary to some reports, the time to detection is still increasing. "Breaches happen to far too many companies," says the report. "Worse, they are not discovered nearly often enough by internal security teams, leading to a long gap between detection and remediation. And if the internal team is not detecting the breaches, it is also not preventing them."

Other problem areas include a lack of visibility into the cloud (only 12% of companies are confident); weak monitoring of physical devices such as thumb drives (involved in 40% of breaches while only 37% of companies monitor physical connections to endpoints); and inconsistent monitoring of access to or sharing of sensitive information.

The report's 'crash course in security data science, analytics, and machine learning' is in part a response to the attacks against 1st generation anti-malware companies (such as McAfee) by the new generation endpoint security companies that primarily use machine learning to detect malware presence. The report states very clearly that McAfee understands the science behind machine learning (which most 1st gen vendors do because they have been using machine learning to one degree or another for the last 10 years).

The report describes the use of analytics as evolving in three distinct phases, described as versions 1 to 3. The anti-malware industry has used Analytics 1.0 for years in a descriptive and diagnostic manner. Analytics 2.0 is emerging today, and is what is now used by the new generation companies. (1st gen anti-malware companies are also beginning to move into this area, as demonstrated by Symantec's new SEPC product launch).

Analytics 3.0 "moves the focus to predictive and prescriptive analytics." It will be possible with the combination of big data, deep learning, and cognitive computing. "We expect that most security vendors will deploy Analytics 3.0 by 2020," concludes McAfee.

The report's analysis of the ransomware threat explains its value to the criminal extortionists. In one underground forum, Intel researchers monitored a ransomware developer advertising his wares. "Intel Security," notes the report, "learned the ransomware author and distributor received BTC189,813 during the campaigns, which translates to almost $121 million. Of course, there are costs associated with these crimes such as renting botnets and purchasing exploit kits. Nonetheless, the current balance is around $94 million, which the developer claims to have earned in only six months."

At this time ransomware is particularly targeting the healthcare sector. "As targets, hospitals represent an attractive combination of relatively weak data security, complex environments, and the urgent need for access to data sources, sometimes in life or death situations," comments Weafer. Nevertheless, says the report, "McAfee Labs expects a growing number of new industry sectors to be targeted by the extensive networks launching such attacks."

Last week, Intel announced that it would spin off its security division as an independent company under the name McAfee.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.