New research from Palo Alto Networks shows that targeted and unknown malware are a reality in enterprise networks today, finding hundreds of unique, previously-unknown malware samples on live networks.
Every tested network uncovered instances of real-world attacks from malware that was previously unknown. Researchers were also able to observe how phishing campaigns are branching out to new applications, such as web-based file hosting and webmail applications, to deliver their malware.
Seven percent of all unknown files analyzed contained malware. Over a three month period of analyzing unknown files from the Internet entering enterprise networks, more than 700 unique malware samples were discovered, 57 percent of which had no coverage by any antivirus service or were unknown by Virus Total at the time of discovery.
Out of all of the new malware identified, 15 percent also generated malicious or unknown outbound command and control traffic.
“I think we were all a bit surprised by the volume and frequency with which we were finding unknown malware in live networks,” said Wade Williamson, Senior Security Analyst at Palo Alto Networks. “Unknown malware often represents the leading edge of an organized attack, so this data really underscores the importance of getting new anti-malware technologies out of the lab and into the hands of IT teams who are on the front lines. The ability to detect, remediate and investigate unknown malware needs to become a practical part of a threat prevention strategy in the same way that IPS and URL filtering are used today.”
Palo Alto Networks found that zero-day malware was distributed by a wide variety of web applications, in addition to the traditional HTTP web-browsing and email traffic commonly associated with malware distribution.
Researchers were able to identify specific phishing campaigns based on their affinity for particular applications. One attacker used AOL Mail almost exclusively while another used the Hotfile file hosting service as the delivery vector.
“It’s important to note this, because many enterprises only inspect email or FTP traffic for malware but do not have the ability to scan other applications. Applications that tunnel within HTTP or other protocols can carry malware that will be invisible to a traditional anti-malware solution,” said Williamson.
“These are examples of the big reasons why a lot of malware gets missed – most enterprises only focus on scanning their corporate email application. To control this problem we need to expand our view to other applications, pull the traffic apart and go a level deeper in to find out if there’s a file transfer happening,” he added.