
Nearly a third of malware attacks are zero-day exploits

Companies could be missing up to a third of the malware that is targeting them, according to a report by WatchGuard

Recent research reveals that 30% of malware attacks are zero-day exploits that cannot be identified by legacy antivirus (AV) systems because they have not been seen in the wild before.

The finding confirms that cyber criminals’ capability to morph their malware has outpaced the AV industry’s ability to keep up with new signatures.

This means that without advanced threat prevention, companies could be missing up to a third of malware, according to the first quarterly internet security report by network security firm WatchGuard.

The report also shows that old threats are reappearing and macro-based malware is still prevalent, with spear phishing attacks still relying on malicious macros hidden in files.

Typically, macro-based malware requires more user interaction, since macros are not enabled by default. However, this type of malware has made a comeback since many users consider documents benign, and these documents sometimes evade legacy security scans, the report said.

The research found that attackers also still use malicious web shells to hijack web servers, with nation state attackers evolving PHP shell attacks by adding new obfuscation methods.

Web shells or backdoor shells are malicious pieces of code uploaded to web servers that give hackers a page where they can access a web server’s file system to upload and download files, or in some cases even execute commands to gain full control of a server.

The report said the research finding that PHP web shells are the fourth most common type of malware is a good reminder that old does not necessarily mean irrelevant.

Despite their basic nature, hackers have continued to modify and improve on the original PHP shells, and still use them on websites they can gain access to through web application attacks, the report said.
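As an added example, not code from the WatchGuard report, here is a small defender-side scanner that scores PHP files for the indicators typical of the obfuscated PHP shells described above (decode-then-eval chains, command execution driven by request parameters). The file names and contents are constructed test data, and the base64 blob is a placeholder.

```python
import re

# Constructed sample PHP fragments (not from the report): one benign contact
# form, one resembling an obfuscated command-execution shell. Blob is a placeholder.
SAMPLES = {
    "contact.php": '<?php\n$name = htmlspecialchars($_POST["name"]);\n'
                   'mail("ops@example.invalid", "Contact", $name);\n',
    "cache.php": '<?php\n@eval(gzinflate(base64_decode("PLACEHOLDER_BLOB==")));\n'
                 '$f = $_REQUEST["f"]; if ($f) { system($f); }\n',
}

# Indicator patterns: each hit adds its weight to the file's score.
INDICATORS = [
    (r"\b(eval|assert)\s*\(", 3, "dynamic code evaluation"),
    (r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", 3, "command execution"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 2, "decoding/decompression"),
    (r"\$_(GET|POST|REQUEST|COOKIE)\[", 1, "request-controlled input"),
    (r"@\s*(eval|system|exec|include)", 2, "error-suppressed sensitive call"),
]

SUSPICIOUS_THRESHOLD = 6  # tuning value chosen for this example


def scan_php(source: str) -> dict:
    """Score one PHP source string; returns the score and the indicators that fired."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        hits = len(re.findall(pattern, source))
        if hits:
            score += weight * hits
            reasons.append(f"{label} x{hits}")
    # A decoder wrapped directly in eval() is the classic obfuscation shape
    if re.search(r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)", source):
        score += 4
        reasons.append("eval wrapped around a decoder")
    return {"score": score, "reasons": reasons, "suspicious": score >= SUSPICIOUS_THRESHOLD}


def scan_files(files: dict) -> dict:
    """Scan a mapping of file name -> PHP source and return a result per file."""
    return {name: scan_php(src) for name, src in files.items()}


if __name__ == "__main__":
    for name, result in scan_files(SAMPLES).items():
        print(name, result)
```

On a real web root you would feed `scan_files` the contents of every `.php` file and review anything above the threshold; the scores are heuristics for triage, not proof of compromise.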

Other findings in the WatchGuard Q4 2016 report include:

  • JavaScript is a popular malware delivery and obfuscation mechanism with a rise in malicious JavaScript, both in email and over the web.
  • Most network attacks were aimed at web services and browsers, with 73% of the top attacks targeting web browsers in drive-by download attacks.
  • The top 10 exploits were all web-based attacks.
  • Exploit kits are a popular malware delivery mechanism, and likely account for the prevalence of malicious JavaScript.
  • Sophisticated attackers continue to target banks with evasive malware.
  • There is a significant number of Linux-based trojans, likely connected with IoT attacks.
  • Nation-state hackers use similar hacking tools as criminals, but with more sophisticated obfuscation and evasion techniques.

The findings in the report are based on anonymised Firebox Feed data from WatchGuard’s 24,000 active unified threat management (UTM) appliances worldwide.

According to WatchGuard, the threat analytics from Fireboxes deployed around the world provide first-hand, acute insight into the evolution of cyber attacks and how threat actors are behaving.

“With ransomware attempts and malicious websites dominating the headlines, along with cyber attacks such as the Mirai Botnet, the Swift banking attacks and alleged Russian interference in the US presidential election, it was a busy quarter for cyber criminals,” said Jonathan Whitley, sales director for Northern Europe at WatchGuard.

“The insight trends, research and security tips in our quarterly internet security reports are designed to help companies stay educated and vigilant in such a dynamic threat landscape,” he said.


WatchGuard said the UTM devices used for the report blocked more than 18.7 million malware variants in the fourth quarter, an average of 758 variants per device. They also blocked more than 3 million network attacks, an average of 123 attacks per device.

In response to the rapid spread of the Mirai botnet, the WatchGuard Threat Lab has launched an ongoing research project that analyses devices that make up the internet of things (IoT) for security flaws.

The research in the report evaluated Wi-Fi cameras, fitness accessories and network-enabled novelty devices. This includes a deeper look at vulnerabilities the Threat Lab found in a relatively popular wireless IP camera and steps that can be taken to secure IoT devices.

In the light of the Mirai IoT botnet attacks, WatchGuard recommends that organisations replace default credentials with a strong password, protect IoT devices with a firewall and scan the network for unauthorised IoT devices.

Business owners should first ensure that their organisation is not helping to perpetuate the problem by scanning the network to ensure employees have not connected any unauthorised devices that may be vulnerable to attack and restricting remote access to IoT devices wherever possible, the report said.
