Malware hits the average enterprise once every three minutes

The report found that spear phishing remains the most common method for initiating advanced malware campaigns

FireEye, in its 2H 2012 Advanced Threat Report, found that, on average, enterprises experience a malware event once every three minutes. Across industries, the rate of malware activity varies, with technology companies experiencing the highest volume – up to one event per minute. Some industries are attacked cyclically, while some verticals experience attacks erratically.

“The high rate at which cyber attacks are happening illustrates the allure of malware,” said Zheng Bu, senior director of research at FireEye. “Today, malware writers spend enormous effort on developing evasion techniques that bypass legacy security systems. Unless enterprises take steps to modernize their security strategy, most organizations are sitting ducks.”

A good portion of the attacks can be avoided by using common cyber-sense when it comes to catching on to social engineering tactics. The report found that spear phishing remains the most common method for initiating advanced malware campaigns.

When sending spear phishing emails, attackers opt for file names with common business terms to lure unsuspecting users into opening the malware and initiating the attack. These terms fall into three general categories: shipping and delivery, finance and general business. The top term in malware file names, for example, was “UPS”. Also, ZIP files remain the preferred file of choice for malware delivery: malware is delivered in ZIP file format in 92% of attacks, according to the report.

While educating employees to become savvier at identifying phishy emails is a key to bolstering defenses against the malware maelstrom, the report also found that malware authors are getting sneakier. Once that bad file is clicked and downloaded, several innovations have appeared in the code to better evade detection.

Researchers have uncovered instances of malware that execute only when users move a mouse or left-click on a file/link, which is a tactic that could dupe current sandbox detection systems because the malware doesn’t generate any activity. Two recent examples of this are Trojan Upclicker and the recently uncovered BaneChant – both of which hook to the PC/laptop mouse to avoid being seen.

In addition, malware writers have also incorporated virtual machine detection to bypass sandboxing. For example, the Shylock financial malware platform was found last autumn to have evolved to identify and avoid remote desktop environments – a setup commonly used by researchers when analyzing malware. Thus, it can bypass new defensive technologies put in place by financial institutions and enterprises.

Attackers are also increasingly using DLL [dynamic link library] files, the report found. By avoiding the more common .exe file type, attackers leverage DLL files to prolong infections. For instance, the recent Evernote compromise relied on dropping a DLL file.
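As an added defender-side illustration (not code from FireEye or from the report) of how the file-naming, ZIP and DLL findings above can be turned into a mail-gateway triage rule, the Python below scores attachment names pulled from constructed log lines. The log format, the lure word lists and the score weights are assumptions made for this example; only the three lure categories, the ZIP preference and the DLL trend come from the report.

```python
import re

# Lure vocabulary in the three categories the report names (shipping/delivery,
# finance, general business). Word lists and weights are assumptions made for
# this example, not figures from the report.
LURE_TERMS = {
    "shipping": {"ups", "fedex", "dhl", "shipment", "delivery", "tracking"},
    "finance": {"invoice", "payment", "remittance", "wire", "statement"},
    "business": {"contract", "agreement", "order", "report", "proposal"},
}
PAYLOAD_EXT = {"exe", "dll", "scr", "js", "vbs"}

def score_attachment(filename: str):
    """Rate one attachment name by container type, payload extension (DLLs
    included) and lure vocabulary. Returns (score, reasons); higher is worse."""
    name = filename.lower().rsplit("/", 1)[-1]
    exts = name.split(".")[1:]
    tokens = set(re.findall(r"[a-z]+", name))
    score, reasons = 0, []
    if exts and exts[-1] == "zip":          # ZIP container, the report's 92% case
        score += 2; reasons.append("zip container")
    payload = [e for e in exts if e in PAYLOAD_EXT]
    if payload:                              # .dll counts, not just .exe
        score += 3; reasons.append("payload extension ." + payload[-1])
        if len(exts) > 1:                    # e.g. Contract.pdf.exe
            score += 2; reasons.append("double extension")
    for cat, terms in LURE_TERMS.items():
        if tokens & terms:
            score += 1; reasons.append("lure term (" + cat + ")")
    return score, reasons

# Constructed mail-gateway log lines in an assumed key=value format.
SAMPLE_LOG = """\
2013-04-03T09:12:01 from=ops@example.com to=alice@corp.example attachment=Q1_budget.xlsx
2013-04-03T09:14:37 from=noreply@example.net to=bob@corp.example attachment=UPS_Invoice_0412.zip
2013-04-03T09:15:02 from=hr@example.org to=carol@corp.example attachment=Contract.pdf.exe
2013-04-03T09:20:44 from=it@example.com to=dave@corp.example attachment=update.dll
"""

def triage(log_text: str, threshold: int = 3):
    """Return [(attachment, score, reasons)] for lines at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"attachment=(\S+)", line)
        if m:
            score, reasons = score_attachment(m.group(1))
            if score >= threshold:
                hits.append((m.group(1), score, reasons))
    return hits
```

Running `triage(SAMPLE_LOG)` flags the ZIP, the double-extension executable and the bare DLL, and leaves the spreadsheet alone; the threshold is the knob an operator would tune against their own false-positive rate.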

“This report provides an overview of how attacks have become much more advanced and successful at penetrating networks, regardless of industry,” said Ashar Aziz, FireEye founder and CTO. “As cybercriminals invest more in advanced malware and innovations to better evade detection, enterprises must rethink their security infrastructure and reinforce their traditional defenses with a new layer of security that is able to detect these dynamic, unknown threats in real time.”
