The bulk of “unknown” malware is being delivered to systems via Web-based attacks, proxies and FTP sessions, according to a study released by Palo Alto Networks this week.

The study, dubbed “The Modern Malware Review,” covers more than 26,000 malware samples and focuses on what the firm calls unknown and undetected malware: samples that got past other antimalware systems.

The report emphasizes the shift attackers have made in recent years from email-based exploits to Web-based exploits. Because Web pages load instantly and attacks can be tweaked on the fly, while email-based attacks are sent en masse and generally target a wider variety of people, there is an inherent difference in how the two are recognized.

Ninety-four percent of the undetected malware came from Web browsing or Web proxies.

The report calls FTP-based exploits “one of the most effective and evasive sources of malware;” 94 percent of the FTP-delivered samples were seen only once, 95 percent were never flagged by antivirus, and 97 percent arrived over non-standard ports.

“FTP had the ignominious distinction of being both a common source of unknown malware as well as one of the sources that rarely received coverage,” said the report.

Palo Alto offers a handful of recommendations for mitigating Web- and FTP-based malware, including investigating unknown traffic, restricting rights to dynamic DNS domains, detecting and blocking in real time, and deploying antimalware technology more fully.
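The findings above (FTP on non-standard ports, samples seen only once, unknown traffic, dynamic DNS destinations) translate into checks a SOC can run over its own firewall session logs. The script below is an added example, not code from the report or from Palo Alto Networks: it parses a constructed CSV of session records, flags known applications running on ports other than their usual ones, flags traffic the firewall could not classify, flags destinations under dynamic DNS suffixes, and lists file hashes seen exactly once. The log format, the port table, the dynamic DNS suffixes and the application names are assumptions for the example.

```python
import csv
import io
from collections import Counter

# Constructed firewall session log for this example (not real data). Fields:
# time, source IP, destination host, destination port, application the
# firewall identified, SHA-256 (abbreviated) of any file carried, blank if none.
SAMPLE_LOG = """\
time,src,dst_host,dport,app,file_sha256
2013-03-01T10:00:01Z,10.1.1.5,ftp.example.net,21,ftp,
2013-03-01T10:00:07Z,10.1.1.5,203.0.113.10,2121,ftp,aaaa1111
2013-03-01T10:01:12Z,10.1.1.9,203.0.113.10,2121,ftp,aaaa1111
2013-03-01T10:02:30Z,10.1.1.12,203.0.113.44,8443,ftp,bbbb2222
2013-03-01T10:03:05Z,10.1.1.5,www.example.com,80,web-browsing,cccc3333
2013-03-01T10:03:40Z,10.1.1.7,updates.example.com,80,web-browsing,cccc3333
2013-03-01T10:04:15Z,10.1.1.7,host.dyn.example.org,6667,unknown-tcp,
2013-03-01T10:05:00Z,10.1.1.12,mail.example.com,25,smtp,dddd4444
"""

# Ports each application is expected on; anything else counts as non-standard.
# Assumed mapping for the example, not a vendor's own table.
STANDARD_PORTS = {
    "ftp": {21},
    "web-browsing": {80, 8080},
    "ssl": {443},
    "smtp": {25, 587},
}

# Hypothetical dynamic DNS suffixes; replace with a real provider list in use.
DYNDNS_SUFFIXES = (".dyn.example.org", ".ddns.example.net")

# Application labels the firewall assigns when it cannot classify a session.
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}


def parse_sessions(text):
    """Parse CSV session records into dicts; dport becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
    return rows


def nonstandard_port_sessions(sessions):
    """Sessions where a known application runs on a port outside its usual set."""
    return [
        s for s in sessions
        if s["app"] in STANDARD_PORTS and s["dport"] not in STANDARD_PORTS[s["app"]]
    ]


def unknown_app_sessions(sessions):
    """Traffic the firewall could not classify: the 'unknown traffic' to investigate."""
    return [s for s in sessions if s["app"] in UNKNOWN_APPS]


def dyndns_sessions(sessions):
    """Sessions whose destination host falls under a dynamic DNS suffix."""
    return [s for s in sessions if s["dst_host"].endswith(DYNDNS_SUFFIXES)]


def singleton_hashes(sessions):
    """File hashes seen exactly once across all sessions (the 'seen once' samples)."""
    counts = Counter(s["file_sha256"] for s in sessions if s["file_sha256"])
    return sorted(h for h, n in counts.items() if n == 1)


def ftp_nonstandard_share(sessions):
    """Fraction of FTP sessions that used a non-standard port."""
    ftp = [s for s in sessions if s["app"] == "ftp"]
    if not ftp:
        return 0.0
    odd = [s for s in ftp if s["dport"] not in STANDARD_PORTS["ftp"]]
    return len(odd) / len(ftp)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for s in nonstandard_port_sessions(sessions):
        print("non-standard port:", s["app"], s["dst_host"], s["dport"])
    for s in unknown_app_sessions(sessions):
        print("unknown application:", s["src"], "->", s["dst_host"], s["dport"])
    for s in dyndns_sessions(sessions):
        print("dynamic DNS destination:", s["dst_host"])
    print("hashes seen once:", singleton_hashes(sessions))
    print("FTP share on non-standard ports:", ftp_nonstandard_share(sessions))
```

On the constructed log, three of the four FTP sessions use ports 2121 or 8443 rather than 21, one session is unclassified and heads to a dynamic DNS host, and two file hashes appear only once; those singletons are the ones to submit for sandboxing, since a hash seen once has no reputation history to fall back on.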

The research is based on three months of data from the company’s WildFire feature, a malware-blocking component of Palo Alto’s firewalls. More than 1,000 networks were monitored; just over 68,000 malware samples were found, of which 26,363 were what the company refers to as undetected.

Categories: Malware

Comments (2)

  1. Anonymous

    I wonder why they’ve chosen a pie chart, because those types of behaviour shouldn’t be mutually exclusive. For example, a malware could use outbound traffic AND be persistent AND do data theft.

  2. Anonymous

    The headline is wrong: “Attackers Shifting to Delivering Unknown Malware Via FTP and Web Pages”

    There’s a simple reason why there’s lots more unknown malware in HTTP & FTP than in e-mail: executables are blocked on most mailservers nowadays, leaving only HTTP & FTP to transfer them. In email, attackers are limited mostly to documents like pdf or doc (exes in encrypted zips are also filtered out because only the actual files are encrypted, not the filenames).

    And with exe it’s the easiest to avoid AV because they don’t need to leverage any exploit like a pdf or doc to execute something nasty, they’re already started by the user.

    The Palo Alto study kindly leaves out the technology types of malware found, but my guess would be something like:

    SMTP: PDF, doc, xls, zip

    HTTP & FTP: exe, jar, swf, pdf, html

Comments are closed.