Signature-based scanners missed 88% of Gumblar attacks
In its quarterly Global Threat Report issued today, ScanSafe reported that at its highest peak in the second quarter of 2009, 88% of malware blocks were zero-day threats, meaning that the vast majority of the attacks were not detected by signature-based scanners. The single largest contributor to the high rate of signature misses was the second-stage Gumblar attacks.
The overall rate of zero-day Web malware in 2Q09 was 32%, or nearly one in three Web malware encounters, which were blocked by ScanSafe zero-day threat protection. Companies relying on signature-based scanners alone would have been extremely vulnerable, given that signatures for Gumblar-compromised sites were not generally available until three weeks after the largest peak of Gumblar website compromises.
ScanSafe noted that the rate of Web-delivered malware increased sharply in the second quarter of 2009 – a staggering 36% from 1Q09. This was also due in large part to Gumblar, the most sophisticated mass compromise seen this year. 2008 was the largest year on record for Web-delivered malware, with a massive 300% increase from 2007. By all accounts, 2009 is on track to double that number.
Worryingly, the second quarter of 2009 also demonstrated a sharp increase in data theft trojans. The rate of encounters with data theft trojans increased 37% in 2Q09. The most prevalent of these encounters were with Backdoor trojans, which can lead to data theft, registry manipulation and full control of files on an infected system, among other things.