Palo Alto study reiterates antivirus shortcomings
Chris Gonsalves asks what can be done to improve the effectiveness of anti-malware approaches
Most malware infecting business computer systems arrives not through rogue emails or infected files but through common, mundane activities such as browsing the web, a vendor study has found, and the antivirus products deployed on most networks are failing to catch it.
In its Modern Malware Review released this week, network security specialist Palo Alto Networks says that a large share of what looks like new malware is simply a repackaged version of the same code, citing Zeus botnets as an example.
Palo Alto Networks urges security teams to think beyond traditional AV and employ a multi-pronged security policy approach to identify and block bad actors on the corporate network.
The goal of the research, according to Palo Alto executives, was not so much to point out the deficiencies in traditional antivirus but to understand the problems better, and hopefully identify practices that can help.
"It's not enough to simply detect malware out there that is evading traditional security," says Wade Williamson, senior research analyst at Palo Alto Networks. "Enterprises should come to expect more comprehensive prevention from their vendors."
"That's what the Modern Malware Review is signalling. Analysing undetected malware in real networks has enabled us to arm IT security teams with actionable information for reducing their exposure against threats they might have otherwise missed," Williamson adds.
The study followed unknown malware from its entry onto the network, through its behaviour on infected devices, to the outgoing traffic it generates. Findings included:
*94 per cent of undetected malware found on networks was delivered via web browsing or web proxies; and
*40 per cent of seemingly unique malware samples were repackaged versions of the same code.
Modern malware is adept at remaining undetected on a host. The review identified 30 distinct evasion techniques, and more than half of all observed malware behaviours (52 per cent) were devoted to staying undetected; just 15 per cent of malware activity was focused on hacking or data theft.
FTP remains a highly effective method for introducing malware into a network: 95 per cent of malware delivered via FTP went undetected by AV tools for more than a month.
On the upside, Palo Alto Networks said it had found that some 70 per cent of malware left identifiers in its traffic or payload that security teams can use for detection.
The review covered malware collected between October and December 2012 via the company's WildFire malware analysis service. Palo Alto Networks identified 26,000 different malware samples that had passed through the antivirus software on those networks without being detected.
The study provides security specialists with a list of recommended actions based on the findings, including:
*deploying stream-based analysis of file headers and payloads for malicious indicators;
*establishing and updating a solid baseline for the network;
*investigating and remediating unknown traffic;
*restricting access to unknown or newly registered domains and to dynamic DNS domains; and
*only allowing email traffic to the corporate email server.
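Several of these recommendations, together with the earlier point that most malware leaves identifiers in its traffic or payload, can be expressed as a small set of policy checks over records captured at the network edge. The following is an added example and not code from the report or from Palo Alto Networks: the records, the domain registration dates (a stand-in for a WHOIS or RDAP lookup), the dynamic-DNS suffix list, the corporate mail host and the 30-day "newly registered" threshold are all constructed assumptions. The payload identifier it checks is the generic one of an executable served under a benign content type, which a stream-based header check can catch regardless of which malware family the file belongs to.

```python
"""Added example: policy checks derived from the report's recommendations.

Not code from the report or from Palo Alto Networks. The records, the
domain registration dates (a stand-in for a WHOIS/RDAP lookup), the
dynamic-DNS suffix list, the corporate mail host and the 30-day
"newly registered" threshold are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import date

# Assumed registration dates, indexed by host name (stand-in for WHOIS/RDAP).
REGISTRATION_DATES = {
    "mail.example.com": date(2009, 3, 12),
    "cdn.example.net": date(2012, 1, 5),
    "fresh-domain.example": date(2012, 12, 20),
}
# Assumed suffixes operated by dynamic-DNS providers.
DYNAMIC_DNS_SUFFIXES = ("dyn.example", "ddns.example")
CORPORATE_MAIL_SERVER = "mail.example.com"  # assumed corporate mail host
NEW_DOMAIN_DAYS = 30  # assumed threshold; the report gives no figure

# File signatures checked against the content type the HTTP response declares.
# An executable (MZ) arriving under an image or text type is the kind of
# identifier in the payload that a stream-based check can act on.
MAGIC = {
    b"MZ": "application/x-dosexec",
    b"\x89PNG": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF": "application/pdf",
    b"PK\x03\x04": "application/zip",
}


@dataclass
class Record:
    """One outbound connection or HTTP response seen at the network edge."""
    host: str
    port: int
    proto: str              # "http", "https", "smtp", ...
    content_type: str = ""  # declared Content-Type (HTTP only)
    body_head: bytes = b""  # first bytes of the response body (HTTP only)


def sniff_type(head: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if head.startswith(magic):
            return mime
    return None


def domain_age_days(host: str, today: date):
    """Days since registration, or None when no registration data exists."""
    registered = REGISTRATION_DATES.get(host)
    return None if registered is None else (today - registered).days


def check_record(rec: Record, today: date):
    """Apply the policy checks and return the list of findings (empty = clean)."""
    findings = []
    # 1. Stream-based header check: declared type vs. what the bytes say.
    if rec.proto == "http" and rec.body_head:
        actual = sniff_type(rec.body_head)
        if actual and actual != rec.content_type:
            findings.append(f"header mismatch: declared {rec.content_type}, "
                            f"stream looks like {actual}")
    # 2. Unknown or newly registered destination domains.
    age = domain_age_days(rec.host, today)
    if age is None:
        findings.append("unknown domain: no registration data")
    elif age < NEW_DOMAIN_DAYS:
        findings.append(f"newly registered domain ({age} days old)")
    # 3. Dynamic-DNS destinations.
    if rec.host.endswith(DYNAMIC_DNS_SUFFIXES):
        findings.append("dynamic DNS domain")
    # 4. Email only to the corporate mail server.
    if rec.proto == "smtp" and rec.host != CORPORATE_MAIL_SERVER:
        findings.append(f"SMTP to non-corporate server {rec.host}")
    return findings


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    Record("cdn.example.net", 80, "http", "image/jpeg", b"MZ\x90\x00\x03"),
    Record("fresh-domain.example", 443, "https"),
    Record("box.ddns.example", 80, "http", "text/html", b"<html>"),
    Record("mail.example.com", 25, "smtp"),
    Record("203.0.113.7", 25, "smtp"),
]


def run_sample(today: date = date(2013, 1, 10)):
    """Return {host: findings} for the constructed records as of `today`."""
    return {rec.host: check_record(rec, today) for rec in SAMPLE_RECORDS}


if __name__ == "__main__":
    for host, findings in run_sample().items():
        print(host, "->", findings or ["clean"])
```

The checks are deliberately independent so that a record can collect several findings at once (a dynamic-DNS host with no registration data trips two rules), which is how an analyst would want them scored when building the network baseline the report recommends. In a real deployment the registration lookup would be a cached WHOIS or RDAP query and the byte sniffing would run on the proxy stream rather than on a stored prefix.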
Phil Cummings, security administrator for public-health infrastructure support organisation Health Information Technology Services Nova Scotia (HITS-NS), Canada, has praised the report as "the kind of real-world data and actionable policy recommendations" that could make his job easier.
"Security managers are bombarded almost daily with alerts about the latest malware threats, and manually examining each threat to develop policy to stop it would overwhelm any security team," Cummings says.
A full version of the report and recommendations is available here.
As part of our special editorial partnership, CRN is republishing this article from Channelnomics