Security Experts:

Modern Malware Increasingly Using Real-Time Web to Evade Detection: Report

Study Showed Over 30% of Unknown Malware Connected to New or Unknown Internet Destinations. FTP Exceptionally High-risk, Rarely Detected.

Attackers are increasingly relying on real-time Web-enabled applications to deliver malware that is not easily detected by security defenses, according to a new study from Palo Alto Networks.

While email continues to be a major source of malware, attackers are increasingly pushing an “overwhelming volume of unknown malware” via Web-based sources, Palo Alto Networks found in its Modern Malware Review report released Monday.

Nearly 90 percent of “unknown malware” users encountered came from browsing the Web, compared to just 2 percent coming from email, Palo Alto Networks found in its report. Web browsing was also the leading source of malware, accounting for 68 percent of total malware, compared to 25 percent from email.

Security products generally don't have a lot of time to analyze Web-based malware as it needs to inspect the file as the Webpage is loading, Palo Alto Networks noted. In contrast, antivirus can take the time to thoroughly inspect malware sent over email. The report also noted that Web servers use server-side polymorphism to push out unique samples to each victim, making it harder for antivirus to detect the samples. Since email malware is frequently sent to multiple recipients at once, there are multiple samples for antivirus vendors to capture and analyze, Palo Alto Networks said.

Malware delivered via real-time applications are “disproportionally successful” at getting past antivirus compared to email-borne malware, the report found.

Palo Alto analyzed three months of malware data collected from more than 1,000 customers who deployed the next-generation firewall from Palo Alto Networks within their networks and subscribed to the WildFire cloud service. Researchers analyzed 68,047 samples flagged by WildFire as malware and found 26,363 samples, or 40 percent, which could not be detected by six “industry-leading” antivirus products.

It took antivirus vendors an average of five days to detect and deliver signatures for unknown malware samples which were delivered over email, the report found. In contrast, the products took about 20 days to detect malware that used other attack vectors, such as Web browsing. FTP was the fourth source of unknown malware, and nearly 95 percent of malware samples remained undetected undetected by antivirus after 31 days, Palo Alto Networks found. Malware delivered over social media and file-sharing often had samples which remained undetected by antivirus for 30 days or more, the report found.

Aditionally, the report found that traditional AV solutions are far less likely to detect malware outside of email, and also take far longer to get coverage.

FTP turned out to be an exceptionally high-risk application, as samples found on FTP sites were generally unique and not observed across multiple sites, making them harder to be detected by security tools. Nearly 97 percent of FTP traffic also used abnormal ports in order to avoid security products. Malicious FTP traffic also were more likely to use non-standard ports instead of ports 20 or 21. In fact, the report found FTP traffic on 237 non-standard ports.

Malware Delivery Methods

“FTP has been a network staple for so long that many organizations may just assume it is benign, but the data shows it is extremely effective for an attacker,” Palo Alto Networks said.

The goal of the report wasn't to call out antivirus products for not detecting these samples, but to identify practices that can help security teams be proactive fighting against modern malware and advanced threats, said Palo Alto Networks.

“While malware has proven the ability to avoid traditional AV signatures, the news is not all bad,” the report found, noting that even unknown malware had specific patterns that organizations can look for in order to reduce the organization's exposure. Nearly 70 percent of unknown samples exhibited “distinct identifiers or behaviors” which could be used for real-time control and blocking, Palo Alto Networks found in its report.

More than 40 percent of unknown samples were related to at least one other unknown sample, the report said. Palo Alto Networks found that even when malware was modified to create new variants, unique internal identifiers remained unchanged to the extent that related samples could be identified by looking at the SHA256 values.

Examining how malware communicates with remote servers was useful in identifying unknown malware, according to the report. About 30 percent of unknown malware samples generated unknown traffic, making it the third most common traffic type, after Web and DNS. Approximately 33 percent of samples also connected to newly-registered domains, fast-flux domains, and dynamic DNS servers, the report found. About 20 percent generated emails.

Attackers are using non-standard Web ports to avoid detection. For example, sending non-encrypted traffic on port 443 was the most common tactic, as many organizations don't bother to inspect traffic leaving on that port, assuming that it is encrypted, the report said.

“It is critical for security teams to gain new controls that proactively block the more common types of unknown malware in order to have the time and focus to root out the truly targeted attacks,” Palo Alto Networks said.

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.