Email-borne Malware, for the second quarter in a row, continues to slip past traditional anti-Virus and anti-Spam protections, Commtouch says in its latest report. According to the latest Internet Threats Trends Report, the number of Malware samples that slipped past normal defenses peaked every eleven to thirteen days.
Email-borne Malware slipping past defenses. (IMG: J. Anderson)
Malware writers are beginning to distribute short, massive outbreaks of different variants of a single piece of malicious code, Commtouch said, and these variants are not immediately blocked by most anti-Virus engines due to the lack of generic signatures for the Malware family.
“When a single Malware appears with multiple variants, many traditional anti-Virus solutions may have difficulty identifying and blocking them quickly,” the report notes.
For a while, anti-Virus vendors were great at catching the Malware and its variants almost as soon as they were released. However, Commtouch researchers started to notice a trend during Q3 2009: Malware authors would release multiple variants of a single Malware on a massive scale for a short time. Each new attack ends before anti-Virus vendors update their signatures to detect the Malware, infecting just enough systems to send the next wave of emails and spread the new variant.
Essentially, this method of attack has created a consistent supply of bots on the Internet. Another stat from the Commtouch report cites 332,000 bots activated each day during the third quarter of 2009. Most of the Email-borne Malware came from two families, Bredo A and Behav-340.
The Bredo A family of Malware created more than 10,000 variants in the course of nearly a month, while Behav-340, in the same monthly period, created more than 1,900 variants. Each Malware family was introduced to the victim using several different attack techniques. For example, Bredo A was used in the DHL scams, as well as the UPS scams. Behav-340 was seen in the “shipping confirmation” and “delivery problem” scams.
According to the samples tested and detection monitoring, Commtouch noted that it took vendors such as Kaspersky almost 20 hours before a signature was delivered for Bredo A, while Microsoft took almost 35 hours for a signature. Fortinet and McAfee took about 13 hours. Symantec was the second quickest for Bredo detection, with a signature delivered in just over 6 hours. However, Trend Micro pushed one in about 20 minutes, earning the quick draw award for fast detection.
The same vendors fared differently for Behav-340. Kaspersky had a signature in about 7 hours, while McAfee took almost 51 hours to push one out. Fortinet and Trend Micro took about 21 and 29 hours respectively, and Microsoft waited about 34 hours.
While each vendor eventually had a signature to detect and stop the Malware from pushing past defenses, the sheer volume of variants led to huge gaps in signature coverage.
If anything, this proves that signature-based detection is not enough to stop the spread of Malware. One positive aspect to this is that the anti-Virus vendors know this, and are finally starting to beef up anti-Spam protections and layer detection methods with a more pro-active posture.
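To make the last two paragraphs concrete, here is an added Python model (not from Commtouch or this article) that compares how many variant-hours go unblocked when each variant needs its own signature versus when a single generic family signature covers the whole outbreak; it uses the Bredo A lags quoted above, while the even spacing of variant releases and the 30-day campaign length are assumptions.

```python
# Added illustration: exposure of per-variant signatures versus one generic
# family signature. Lags are the Bredo A figures quoted in the article
# (hours); "about 20 minutes" is rounded to 0.33 h. Even spacing of variant
# releases and the 30-day (720 h) campaign length are assumptions.
BREDO_SIGNATURE_LAG_HOURS = {
    "Trend Micro": 0.33,
    "Symantec": 6.0,
    "Fortinet": 13.0,
    "McAfee": 13.0,
    "Kaspersky": 20.0,
    "Microsoft": 35.0,
}


def variant_release_times(variant_count, campaign_hours):
    """Evenly spaced release timestamps (hours from campaign start)."""
    interval = campaign_hours / variant_count
    return [i * interval for i in range(variant_count)]


def unprotected_variant_hours(release_times, lag, campaign_hours, generic=False):
    """Total variant-hours during which a variant circulates unblocked.

    Per-variant signatures: every variant is exposed from release until its
    own signature ships `lag` hours later (capped at the end of the campaign).
    Generic signature: one rule arrives `lag` hours after the first variant
    and blocks every variant seen afterwards, so only the early ones leak.
    """
    if generic:
        covered_from = min(release_times[0] + lag, campaign_hours)
        return sum(covered_from - t for t in release_times if t < covered_from)
    return sum(min(t + lag, campaign_hours) - t for t in release_times)


def bredo_exposure(variant_count=10_000, campaign_hours=720.0):
    """Per-vendor (per-variant, generic) exposure for the Bredo A campaign."""
    times = variant_release_times(variant_count, campaign_hours)
    return {
        vendor: (
            unprotected_variant_hours(times, lag, campaign_hours),
            unprotected_variant_hours(times, lag, campaign_hours, generic=True),
        )
        for vendor, lag in BREDO_SIGNATURE_LAG_HOURS.items()
    }


if __name__ == "__main__":
    for vendor, (per_variant, generic) in bredo_exposure().items():
        print(f"{vendor:12s} per-variant {per_variant:9.0f} h   generic {generic:7.1f} h")
```

With 10,000 variants the per-variant column scales with variant count times lag, while the generic column depends only on how many variants ship before the family rule lands, which is the gap the article describes.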
The full Commtouch report is here.