Advanced threat report shows cyber criminals to be nearly 100% effective

Today FireEye publishes its Advanced Threat Report for 2H 2011, finding that in the latter half of the year the fastest growing malware categories were information stealers and pay-per-install (PPI) malware. 
 
FireEye’s reports differ from most vendors’ threat analyses. As the software sits on the network behind the firewall and gateway anti-virus, it sees only the malware that has already been successful against traditional perimeter defenses. James Todd, FireEye’s European technical lead, explained that while signature detection systems do a great job, they cannot stop the polymorphic viruses that continually change their signature – such as the hugely successful Zbot.
 
“We look at the behavior of the traffic on the network, and take all the multiple data streams used by malware into context and load them into a virtual execution environment and watch what happens,” he said. “We don’t care what the vulnerability is, or the exploit, or the malware per se, we just safely watch what it does to decide whether it is acceptable behavior or malware – and respond accordingly.”
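The contrast Todd describes, a byte-level signature that a repacked sample evades versus a verdict taken on what the sample does once it is run, can be shown in miniature. The following is an added illustration written for this page, not FireEye's code or anything from the report: the "sample" is a constructed list of actions wrapped in a one-byte XOR layer standing in for a polymorphic packer, the "sandbox" simply unpacks it and returns the actions it would perform, and the behaviour rules, thresholds, paths and addresses are all assumptions chosen for the demonstration.

```python
"""Signature matching vs. behaviour-based detection, in miniature.
Added example for this page, not FireEye's code. All sample data is constructed."""
import hashlib
import os

# Constructed behaviour profile of an information stealer: the ordered actions it
# performs when run. A real sandbox observes these by instrumenting the guest OS;
# in this simulation "running" the sample just means unpacking this list.
STEALER_ACTIONS = [
    ("file_read", r"C:\Users\victim\AppData\Roaming\Mozilla\Firefox\Profiles\q1.default\logins.json"),
    ("registry_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost_update"),
    ("net_connect", "198.51.100.7:8080"),  # documentation-range address, stands in for a C2
]
# A benign updater that only phones home (constructed, for the false-positive check).
BENIGN_ACTIONS = [("net_connect", "203.0.113.5:443")]


def encode_variant(actions, key: int) -> bytes:
    """One polymorphic 'generation': a 1-byte XOR key followed by the action list
    XORed with that key. Same behaviour, different bytes for every key."""
    body = "\n".join(f"{ev}\t{arg}" for ev, arg in actions).encode()
    return bytes([key]) + bytes(b ^ key for b in body)


def new_variant(actions) -> bytes:
    """What a pay-per-install packer does for each new victim: pick a fresh key."""
    return encode_variant(actions, os.urandom(1)[0])


def run_in_sandbox(blob: bytes):
    """Simulated virtual execution: unpack the sample and return the
    ordered (event, argument) pairs it would carry out."""
    key, body = blob[0], bytes(b ^ blob[0] for b in blob[1:])
    return [tuple(line.split("\t", 1)) for line in body.decode().splitlines()]


# --- Detector 1: hash signatures of samples an analyst has already seen ---------
KNOWN_BAD_HASHES: set[str] = set()


def add_signature(blob: bytes) -> None:
    KNOWN_BAD_HASHES.add(hashlib.sha256(blob).hexdigest())


def signature_detects(blob: bytes) -> bool:
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES


# --- Detector 2: rules over observed behaviour, independent of the bytes -------
RUN_KEY = "\\currentversion\\run\\"          # autorun persistence location (assumed rule)
CRED_STORES = ("logins.json", "login data", "cookies.sqlite")  # browser credential files


def behaviour_tags(events) -> set[str]:
    tags = set()
    for ev, arg in events:
        a = arg.lower()
        if ev == "file_read" and a.endswith(CRED_STORES):
            tags.add("credential_access")
        if ev == "registry_write" and RUN_KEY in a:
            tags.add("persistence")
        if ev == "net_connect":
            tags.add("outbound_connection")
    return tags


def behaviour_detects(blob: bytes, threshold: int = 2) -> bool:
    """Verdict on correlated behaviours from one execution. Requiring more than one
    tag keeps a lone outbound connection (every updater does that) from tripping it."""
    return len(behaviour_tags(run_in_sandbox(blob))) >= threshold


def demo() -> dict:
    gen1 = encode_variant(STEALER_ACTIONS, 0x5A)
    add_signature(gen1)                            # analyst captured generation 1
    gen2 = encode_variant(STEALER_ACTIONS, 0xA7)   # next victim gets a repacked copy
    return {
        "sig_gen1": signature_detects(gen1),
        "sig_gen2": signature_detects(gen2),       # same behaviour, new bytes: missed
        "beh_gen1": behaviour_detects(gen1),
        "beh_gen2": behaviour_detects(gen2),       # caught regardless of packing
        "beh_benign": behaviour_detects(encode_variant(BENIGN_ACTIONS, 0x33)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the numbers make is the one in the quote: the hash detector is perfect on the generation it has a signature for and blind to the next, while the behaviour rules give the same verdict on every generation because the credential read, the Run-key write and the outbound connection are what the sample has to do to be useful to its operator. The threshold is the part a real deployment tunes; the example uses two correlated behaviours so that a single connection is not enough on its own.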
 
That’s what makes this report different. It’s not an analysis of threats or exploits or vulnerabilities seen or encountered – it is specifically an analysis of the threats that are successful and therefore dangerous. FireEye pools the information gathered from all participating customers, about 85% of its customer base, and shares it back to improve the defense of everyone. It is this same pool of data that is analyzed to form the basis of the Advanced Threat Report.
 
The frightening conclusion is that attacks are becoming more complex, more targeted and more successful. The report notes that even the most security-conscious industries, from finance to health and government, all show a significant infection rate. “Based on this data”, concludes FireEye, “we see that today’s cyber criminals are nearly 100% effective at breaking through traditional security defenses in every organization and industry, from the security savvy to security laggards.”
