Attackers Shifting to Delivering Unknown Malware Via FTP and Web Pages

The bulk of “unknown” malware is being delivered to systems via Web-based attacks, proxies and FTP sessions, according to a study released by Palo Alto Networks this week.


The study, dubbed “The Modern Malware Review,” found more than 26,000 malware samples and focuses on what the firm calls unknown and undetected malware: samples that got past other antimalware systems.

The report emphasizes the shift attackers have made in recent years from email-based exploits to Web-based exploits. Since Web pages load instantly and attacks can be tweaked on the fly, while email-based attacks are sent en masse and generally target a wider variety of people, there is an inherent difference in how the two are recognized.

Ninety-four percent of the undetected malware came from Web browsing or Web proxies.

The report calls FTP-based exploits “one of the most effective and evasive sources of malware”; 94 percent of FTP samples were seen only once, 95 percent were never noticed by antivirus, and 97 percent used non-standard ports to infect systems.

“FTP had the ignominious distinction of being both a common source of unknown malware as well as one of the sources that rarely received coverage,” said the report.

Palo Alto gives a handful of recommendations for mitigating Web- and FTP-based malware, including investigating unknown traffic, restricting rights to dynamic DNS domains, real-time detection and blocking, and more fully deploying antimalware technology.
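Two of the findings above translate directly into detection logic: FTP sessions on non-standard ports and traffic the firewall cannot classify. The script below is an added example, not part of the article or the report, and runs over constructed session records in a simple key=value form (not Palo Alto's real log format); the field names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample session records (key=value style, not a real firewall log format).
SAMPLE_LOGS = """\
ts=2013-03-27T10:01:02 src=10.0.0.5 dst=203.0.113.10 dport=21 app=ftp action=allow
ts=2013-03-27T10:01:09 src=10.0.0.5 dst=203.0.113.11 dport=2121 app=ftp action=allow
ts=2013-03-27T10:02:15 src=10.0.0.7 dst=198.51.100.20 dport=443 app=ssl action=allow
ts=2013-03-27T10:03:44 src=10.0.0.9 dst=198.51.100.21 dport=8080 app=unknown-tcp action=allow
ts=2013-03-27T10:04:01 src=10.0.0.9 dst=198.51.100.22 dport=80 app=web-browsing action=allow
ts=2013-03-27T10:05:30 src=10.0.0.12 dst=203.0.113.12 dport=44321 app=ftp action=allow
"""

FTP_STANDARD_PORTS = {20, 21}          # control and active-mode data ports
KV_RE = re.compile(r"(\w+)=(\S+)")      # assumed key=value record layout

def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict."""
    return dict(KV_RE.findall(line))

def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the session deserves a look, else None."""
    app = rec.get("app", "")
    try:
        dport = int(rec.get("dport", ""))
    except ValueError:
        return "malformed record (missing or non-numeric dport)"
    if app == "ftp" and dport not in FTP_STANDARD_PORTS:
        return f"ftp on non-standard port {dport}"
    if app.startswith("unknown-"):
        return f"unknown application traffic ({app}) to port {dport}"
    return None

def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Scan all records and collect the ones worth investigating."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reason = classify(rec)
        if reason:
            findings.append({"src": rec.get("src"), "dst": rec.get("dst"), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```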

The research is the result of monitoring three months of data compiled from the company’s WildFire feature, a malware-blocking component of Palo Alto’s firewall service. More than 1,000 networks were monitored and, while just over 68,000 malware samples were found, 26,363 were what the company referred to as undetected.
