Report: 30% of malware is zero-day, missed by legacy antivirus

By: Maria Korolov

At least 30 percent of malware today is new, zero-day malware that is missed by traditional antivirus defenses, according to a new report.

“We’re gathering threat data from hundreds of thousands of customers and network security appliances,” said Corey Nachreiner, CTO at WatchGuard Technologies. “We have different types of malware detection services, including a signature and heuristic-based gateway antivirus. What we found was that 30 percent of the malware would have been missed by the signature-based antiviruses.”

WatchGuard's appliances caught 18.7 million malware variants in the fourth quarter of 2016. Some of its customers ran both a traditional, signature-based antivirus and the company's newer behavior-based advanced malware prevention service, APT Blocker.

On those customers' networks, traditional antivirus caught 8,956,040 malware variants, while the behavior-based system caught another 3,863,078 that the legacy antivirus had missed, roughly 30 percent of the combined total.

“Nowadays, malware threat actors can morph or change their malware to make it look slightly different,” Nachreiner explained.

APT Blocker detonates suspicious files in a cloud sandbox on emulated Windows systems and flags malware from the behavior it observes there, rather than from what the file looks like.

The traditional antivirus solution is from AVG Technologies, he said. The behavioral-based malware blocker is from Lastline.

“We go with the best-in-class strategy,” Nachreiner said.

The report also categorized the attacks by type of exploit.

All of the top 10 were web-based attacks, targeting either servers (web servers or other network services reached through web portals) or clients (web browsers and browser plug-ins). Browser attacks were by far the most numerous, accounting for 73 percent of the hits for the top exploits; attackers use them to force drive-by downloads of malicious software.

The leading malware category was Linux trojans, which scan for exposed Linux devices to turn into botnet zombies. A close second was droppers, which typically deliver ransomware and banking trojans.

“In other key findings, we’re seeing some old threats become new again,” said Nachreiner.

That includes Word documents with malicious macros.

“That is as old-school as you can get,” he said. “They disappeared for decades, but they’ve come back, and we can confirm that we’re blocking a whole bunch of macro-based malware.”

That could be because users consider these documents benign, or because they evade legacy security scans. They are typically spread as email attachments.
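As an added example, not code from the article or from WatchGuard, here is a Python triage check for the attachment-borne macro documents described above. It unpacks an OOXML file in memory, reports whether a VBA project part is embedded, whether the content type declares a macro-enabled document, and whether Word's auto-run procedure names appear as plain strings. The sample documents it builds are constructed here, not real Word files, and the string match is only a weak signal because a real vbaProject.bin stores module streams compressed; oletools' olevba is the tool for a full decode.

```python
import io
import zipfile

# Auto-execution entry points Word honours for VBA; one of these in a macro
# project is the classic trigger used by attachment-borne macro malware.
AUTOEXEC_NAMES = (
    b"AutoOpen", b"Document_Open", b"AutoExec", b"AutoClose", b"Document_Close",
)

MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
MACRO_FREE_CT = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_office_zip(data: bytes) -> dict:
    """Triage an OOXML (docx/docm) container held in memory.

    Returns has_vba (a word/vbaProject.bin part exists), macro_enabled (the
    content types declare the macro-enabled document type) and
    autoexec_triggers (auto-run names found as raw strings in the VBA part).
    The raw string search is a weak signal: real vbaProject.bin module streams
    are MS-OVBA compressed, so use olevba for a full decompression.
    """
    result = {"has_vba": False, "macro_enabled": False, "autoexec_triggers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled"] = MACRO_ENABLED_CT in ct
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["has_vba"] = bool(vba_parts)
        for part in vba_parts:
            blob = zf.read(part)
            for name in AUTOEXEC_NAMES:
                label = name.decode()
                if name in blob and label not in result["autoexec_triggers"]:
                    result["autoexec_triggers"].append(label)
    return result


def verdict(filename: str, data: bytes) -> str:
    """One-word triage verdict for an attachment: clean, suspicious or malicious."""
    r = inspect_office_zip(data)
    ext = filename.lower().rsplit(".", 1)[-1]
    if not r["has_vba"]:
        return "clean"  # no VBA project part at all
    if ext == "docx" or not r["macro_enabled"]:
        # Word does not execute macros from a .docx, but a VBA part hiding behind
        # a macro-free extension or content type is itself worth a closer look.
        return "suspicious"
    if r["autoexec_triggers"]:
        return "malicious"  # macro-enabled document with an auto-run entry point
    return "suspicious"  # macros present, no obvious auto-run trigger


def build_sample(macro_enabled: bool, vba_blob: bytes = b"") -> bytes:
    """Build a minimal OOXML container in memory (constructed test data, not a
    real Word document; just enough structure for the checks above)."""
    main_ct = MACRO_ENABLED_CT if macro_enabled else MACRO_FREE_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_blob:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed VBA blob: a fake OLE header followed by the strings a dropper
# macro would carry. A real project stores these in compressed streams.
FAKE_VBA = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Sub Document_Open() Shell ... AutoOpen"

if __name__ == "__main__":
    samples = [
        ("invoice.docx", build_sample(False)),
        ("invoice.docm", build_sample(True, FAKE_VBA)),
        ("invoice.docx", build_sample(False, FAKE_VBA)),
    ]
    for name, blob in samples:
        print(name, verdict(name, blob), inspect_office_zip(blob))
```

The verdict rules are deliberately conservative: any embedded VBA earns at least "suspicious", and only a macro-enabled document with an auto-run entry point is called "malicious" outright, since a legitimate macro that only runs on a button click is common in business documents.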

WatchGuard is also seeing PHP webshell scripts, which were the fourth most common malware the company detected.

“It seems to us like a very very old technique,” he said. “But the alleged election manipulation that went on, a shell script was part of it, and they’ve added some new evasive technologies. The threat is old, but they’ve found a way to get past security with it.”