FireEye Malware Intelligence Lab released its 1H 2011 Advanced Threat Report. The analysis shows that 99% of enterprises had malicious infections in their networks that made it past firewalls, IPS, antivirus and other traditional security gateways. 80% of the enterprises face more than 100 new infections per week, and information stealers are the highest-priority problem.
FireEye is a provider of next-generation threat protection to combat advanced malware, zero-day attacks and advanced persistent threats (APT), with customers among enterprises, federal agencies and mid-sized companies across every industry. The FireEye analysis has a unique perspective since its appliances are deployed as “the last line of network defense” behind the firewalls, IPS, antivirus and other traditional security gateways that cybercriminals are evading.
After the FireEye Malware Intelligence Lab reviewed hundreds of thousands of infection cases from the first half of 2011, it released its 1H 2011 Advanced Threat Report which highlights these four main findings:
1. 99% of enterprise networks have a security gap despite $20B spent annually on IT security.
2. Successful attacks employ dynamic, “zero-day” malware tactics. 90% of malicious binaries and domains change in just a few hours; 94% within a day.
3. The fastest growing malware categories are Fake-AV programs and Info-stealer executables.
4. The “Top 50” of thousands of malware families generate 80% of successful malware infections.
According to the 1H 2011 FireEye Advanced Threat Report [PDF], “Cyber criminals are nearly 100% effective at breaking through traditional security defenses in every organization and industry, from security-savvy to security laggards.” The attacks come from all over the world and include “social engineering tactics which can fool even the most educated users.” Malware authors are morphing 94% of the malicious binaries (tracked by MD5 hash) and changing the malicious domains that host the malware within 24 hours in an attempt to stay undetected; a hash or domain blocklist built today is therefore largely stale by tomorrow.
99% of enterprise networks have a security gap. The analysis showed that 99% of enterprises had malicious infections entering the network each week, and 80% of enterprises faced more than 100 infections weekly. 98.5% of enterprises have at least 10 infections a week, with 450 being the average number of malicious infections per week. Yet “20% of deployment have thousands of infections per week.” Of those numbers, all had made it “through standard gateway defenses, such as firewalls, next-generation firewalls, IPS, antivirus, email and web security gateways.”
Cybercriminals are constantly tweaking malicious code, packing, encrypting or otherwise obfuscating the nature of the code as well as using point-and-click toolkits. FireEye detected that the top 50 most frequent malware families are responsible for about 80% of all successful malware infections. “The exploding zoo of malware executables can be attributed to a much smaller number of malware toolkit code bases,” FireEye stated. “The prevalence of dynamic domain addresses indicates that criminals are moving their distribution sources very quickly as well, like a drug dealer moving to a different street corner after every few deals.”
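The two findings above (94% of binaries re-hashed within a day, and a few toolkit code bases behind thousands of distinct executables) are worth seeing in code. The following is an added illustration, not code from the report or from FireEye: a hypothetical toy packer (`TOYPACK`, a constructed header and per-build XOR key) stands in for real packing or encryption, `FAMILY_PAYLOAD` is a constructed placeholder rather than real malware, and "unpacking" stands in for what a sandbox sees once the stub has run. Rebuilding the same family with a fresh key gives every sample a new MD5, so a blocklist of yesterday's file hashes matches nothing today, while a check on the decoded payload still catches all of them.

```python
import hashlib
import random

# Constructed stand-in for one malware family's core payload (not real malware).
FAMILY_PAYLOAD = b"toy info-stealer: hook browser, harvest credentials, beacon to c2"
MAGIC = b"TOYPACK"  # hypothetical packer header, an assumption of this example


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes) -> bytes:
    """Toy packer: header, 4-byte key, XOR-encoded payload.

    A fresh key per build changes every byte of the body, so the file's MD5
    changes while the behaviour (the decoded payload) does not.
    """
    assert len(key) == 4
    return MAGIC + key + xor(payload, key)


def unpack(sample: bytes) -> bytes:
    """What a sandbox or unpacker recovers once the packer stub has run."""
    assert sample.startswith(MAGIC), "not a TOYPACK sample"
    key = sample[len(MAGIC):len(MAGIC) + 4]
    return xor(sample[len(MAGIC) + 4:], key)


def build_samples(count: int, seed: int) -> list:
    """Rebuild the same family `count` times with deterministic fresh keys."""
    rnd = random.Random(seed)
    return [pack(FAMILY_PAYLOAD, bytes(rnd.getrandbits(8) for _ in range(4)))
            for _ in range(count)]


def file_hash_match(sample: bytes, blocklist: set) -> bool:
    """Static IOC check at the gateway: block if the on-disk MD5 is known."""
    return md5_hex(sample) in blocklist


def unpacked_hash_match(sample: bytes, known_payloads: set) -> bool:
    """Content check after unpacking: block if the decoded payload is known."""
    return md5_hex(unpack(sample)) in known_payloads


def simulate(count: int = 5) -> dict:
    """Day 1 samples feed the blocklist; day 2 is the same family, rebuilt."""
    day1 = build_samples(count, seed=1)
    blocklist = {md5_hex(s) for s in day1}            # MD5 IOCs pushed to the gateway
    known_payloads = {md5_hex(unpack(s)) for s in day1}
    day2 = build_samples(count, seed=2)               # fresh keys, same payload
    return {
        "day2_samples": len(day2),
        "distinct_md5_day2": len({md5_hex(s) for s in day2}),
        "md5_blocklist_hits": sum(file_hash_match(s, blocklist) for s in day2),
        "unpacked_payload_hits": sum(unpacked_hash_match(s, known_payloads) for s in day2),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running it shows five distinct MD5s on day 2, zero blocklist hits, and five hits on the unpacked payload. The toy XOR step is deliberately trivial; the point is structural: any per-build transformation of the outer file defeats a file-hash IOC, which is why the report stresses that the number of distinct executables vastly overstates the number of actual code bases, and why detection that runs the sample and inspects what it does holds up where static hashes do not.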
The three largest categories of malware in Q2 are Fake-AV, Downloader Trojans (whose primary function is to download other pieces of malware), and information stealers. Although Fake-AV is less of a concern to enterprises, it should be treated as a “gateway malware” that introduces more serious information-theft malware into the network. Nation-state APT malware used for espionage is comparatively rare, but the range between those two zones is filled with “very potent, very dangerous attacks.” Information theft is the highest-priority problem for enterprises. Zeus (Zbot), Papras (aka Snifula), Zegost, Multibanker, Coreflood, and Licat were the top information stealers in Q2 2011.