The bulk of “unknown” malware is hitting systems via Web-based attacks, proxies and FTP sessions, according to a new study.
The study, released by Palo Alto Networks, found more than 26,000 malware samples, and focuses on what the company calls unknown and undetected malware, samples that got past other antimalware systems.
The report, entitled “The Modern Malware Review,” emphasizes the shift attackers have made in recent years from email-based exploits to Web-based exploits. Since Web pages load instantly and attacks can change on the fly, while email-based attacks go out en masse and generally target a wider variety of people, there is an inherent difference in how the two end up being recognized.
Ninety-four percent of the undetected malware came from Web-browsing or Web proxies.
The report calls FTP-based exploits “one of the most effective and evasive sources of malware”; 94 percent of FTP samples were seen only once, 95 percent were never noticed by antivirus, and 97 percent used non-standard ports to infect systems.
“FTP had the ignominious distinction of being both a common source of unknown malware as well as one of the sources that rarely received coverage,” the report said.
Palo Alto gives a handful of recommendations for mitigating Web- and FTP-based malware, including investigating unknown traffic, restricting rights to dynamic DNS domains, real-time detection and blocking, and more fully deploying antimalware technology.
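The findings above (FTP on non-standard ports, samples seen only once, unknown traffic, dynamic DNS domains) translate into a simple triage check over session records. The following is an added example, not code from the report or from Palo Alto Networks; the session records, the standard-port table and the dynamic-DNS suffix list are constructed placeholders.

```python
from collections import Counter

# Constructed sample session records (not data from the report). "app" is the
# protocol identified by content inspection rather than by port number.
SESSIONS = [
    {"app": "ftp", "dport": 21, "host": "files.example.org", "sha256": "s1"},
    {"app": "ftp", "dport": 8022, "host": "update.example.net", "sha256": "s2"},
    {"app": "ftp", "dport": 2121, "host": "host.dyn-example.test", "sha256": "s3"},
    {"app": "web-browsing", "dport": 80, "host": "www.example.org", "sha256": "s1"},
    {"app": "unknown-tcp", "dport": 4444, "host": "c2.dyn-example.test", "sha256": "s4"},
]

# Ports on which each identified application is expected to appear.
STANDARD_PORTS = {"ftp": {21}, "web-browsing": {80, 443}}
# Assumed dynamic-DNS suffix list a site would maintain; placeholder value.
DYNDNS_SUFFIXES = (".dyn-example.test",)


def triage(sessions):
    """Return {session index: [reasons]} for sessions that deserve a closer look."""
    seen = Counter(s["sha256"] for s in sessions)  # how often each sample was observed
    findings = {}
    for i, s in enumerate(sessions):
        reasons = []
        if s["app"].startswith("unknown"):
            reasons.append("unknown application traffic")
        std = STANDARD_PORTS.get(s["app"])
        if std and s["dport"] not in std:
            reasons.append(f"{s['app']} on non-standard port {s['dport']}")
        if s["host"].endswith(DYNDNS_SUFFIXES):
            reasons.append("dynamic DNS domain")
        if seen[s["sha256"]] == 1:
            reasons.append("sample seen only once")
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, why in triage(SESSIONS).items():
        print(idx, SESSIONS[idx]["host"], "->", "; ".join(why))
```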
The research is the result of monitoring three months of data compiled from the company’s WildFire feature, a malware-blocking component of Palo Alto’s firewall service. More than 1,000 networks were monitored, yielding just over 68,000 malware samples; 26,363 of those were what the company referred to as undetected.