New Techniques Help Malware Evade Defences

Every three minutes, the average company encounters malware activity that exposes its information systems to attack, according to the latest report released by threat-protection firm FireEye.

Attackers are also increasingly using tactics aimed at escaping detection by standard defenses such as antivirus software, according to FireEye’s Advanced Threat Report for the second half of 2012.

Technology firms targeted

While law firms only see an event every 30 minutes, technology firms are attacked in some way every minute on average.

Based on data from 89 million incidents over six months, FireEye classified malicious activity as a drive-by download, a compromised computer contacting a botnet controller over the Internet or the receipt of an email with a malicious attachment or link.

“While virtually every company in every industry is being targeted by advanced attacks, there are some clear variances across the industries,” FireEye stated in the report. “The goals of attackers, the tactics they use and the frequency of attack can all vary substantially depending on the industry being examined.”

Attacks against companies in industries such as banking and legal services had wide variances in the number of incidents they faced each month. While other industries, such as technology and telecommunications, faced a much more consistent threat, the report found.

While the company did not release data on the trends, it found that increasing numbers of malware either detects the virtual machines (VMs) used as an environment to analyse malicious code or used delaying tactics to outlast the typical time that software programs are analysed. In addition, more malware is signed by a digital certificate to seem more legitimate.

Evading defences

“There is actually a very strong effort by malware writers to evade a lot of defences – not just antivirus anymore, but bypassing a lot of traditional sandboxing methods,” Rob Rachwald, senior director of market research FireEye told eWEEK.”

FireEye appliances are typically placed inside a company’s firewalls and email security gateways, so the events detected by the company are those that passed the first line of defences.

Malware that waits for actual user activity before executing will get passed to the user as a non-malicious file, Anup Ghosh, chief executive and founder of Invincea, an endpoint security firm.

“Companies have to be careful that if they are doing the analysis in a virtual environment, (the malware) may detect the VM and decide not to run,” said Anup Ghosh, chief executive and founder of Invincea. “Then you are passing it onto the user, indicating that it’s no threat, and that is a problem.”

ZIP files

FireEye also found that ZIP-compressed files are the most common form of email attachment, encompassing 92 percent of all malicious file types found appended to email messages.

The study represents only a snapshot of the data FireEye collected, but other security firms have made similar findings.

On 25 March, network security firm Palo Alto Networks released its own report finding that nearly 40 percent of malware escapes detection and makes it into the network.

Are you a security pro? Try our quiz!

Originally published on eWeek.