One-Third of All Malware Goes Undetected by AV


In the fourth quarter of 2016, about 30% of all malware was classified in new research as “zero day,” meaning it was not caught by legacy, signature-based antivirus solutions. Note that “zero day” here refers to malware samples with no existing AV signature, not to exploits for unpatched vulnerabilities.

WatchGuard Technologies’ inaugural Quarterly Internet Security Report argues that this finding indicates that cybercriminals’ capability to automatically repack or morph their malware has outpaced the AV industry’s ability to produce new signatures.

The study also uncovered a theme of old threats becoming new again. First, the results show that macro-based malware is still very prevalent. Despite being an old trick, many spear-phishing attempts still include documents with malicious macros, and attackers have adapted their tricks to include Microsoft’s newer Office Open XML document formats. Second, attackers still use malicious web shells to hijack web servers. PHP shells are alive and well, and nation-state attackers have been evolving this old attack technique with new obfuscation methods.
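A practical check that follows from the macro finding above: Office Open XML files (.docx/.docm, .xlsx/.xlsm, .pptx/.pptm) are ZIP containers, and a VBA project is stored as a separate part (typically `word/vbaProject.bin`) that is also declared in `[Content_Types].xml`. The script below is an added example, not code from the article or from WatchGuard; it builds two constructed, minimal ZIP containers in memory (not real Word files) and flags the one carrying a VBA project, plus the mail-gateway heuristic of a macro-bearing file whose extension is not macro-enabled. The function names and sample content are assumptions for illustration.

```python
"""Flag Office Open XML documents that carry a VBA project (added example)."""
import io
import zipfile

# Content type Office assigns to the vbaProject.bin part in [Content_Types].xml.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions in which a VBA project is expected; anything else carrying one is suspicious.
MACRO_ENABLED_EXTENSIONS = {
    ".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam", ".ppsm",
}


def inspect_ooxml(data: bytes) -> dict:
    """Return macro indicators for a file given as bytes.

    Keys: is_zip (bool), macro_parts (list of part names ending in vbaProject.bin),
    content_type_declares_vba (bool: [Content_Types].xml references the VBA content type).
    """
    result = {"is_zip": False, "macro_parts": [], "content_type_declares_vba": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # legacy OLE .doc or non-Office data; needs a different parser
    result["is_zip"] = True
    names = zf.namelist()
    # Match any package location (word/, xl/, ppt/) case-insensitively.
    result["macro_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    if "[Content_Types].xml" in names:
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        result["content_type_declares_vba"] = VBA_CONTENT_TYPE in content_types
    return result


def has_macros(data: bytes) -> bool:
    """True if either indicator fires; the two are checked independently on purpose,
    since an attacker may omit the content-type override or rename the part."""
    r = inspect_ooxml(data)
    return bool(r["macro_parts"]) or r["content_type_declares_vba"]


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file carries a VBA project but its extension is not macro-enabled.
    The mismatch itself is a phishing indicator worth alerting on at a mail gateway."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    return has_macros(data) and ext not in MACRO_ENABLED_EXTENSIONS


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for demonstration only (not a valid Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Default Extension="xml" ContentType="application/xml"/>',
        ]
        if with_macro:
            ct.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        ct.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE compound files; only the magic is reproduced here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_sample(True)), ("memo.docx", build_sample(False))):
        print(name, inspect_ooxml(blob), "mismatch:", extension_mismatch(name, blob))
```

This only covers the ZIP-based formats; legacy binary .doc/.xls files embed VBA in OLE streams and need an OLE parser such as oletools' olevba. A positive hit means "contains a VBA project", not "is malicious": the next step is to extract and review the module source, which is where the report's observed obfuscation shows up.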

JavaScript is a popular malware delivery and obfuscation mechanism. The results indicate a rise in malicious JavaScript in the fourth quarter, both in email and over the web.

The report meanwhile found that most network attacks target web services and browsers. In fact, 73% of the top attacks target web browsers in drive-by download attacks.

Interestingly, the top network attack, Wscript.shell Remote Code Execution, was almost entirely confined to Germany: broken down by country, 99% of instances of that attack targeted Germany.

WatchGuard’s Internet Security Report is based on anonymized data from more than 24,000 active WatchGuard unified threat management appliances worldwide, and the raw numbers show the scale of attack volume: these appliances blocked more than 18.7 million malware variants in the fourth quarter, an average of 758 variants per participating device. They also blocked more than 3 million network attacks, an average of 123 attacks per participating device.

“Our Threat Lab has been monitoring the most prevalent security industry threats and trends for years and now with the addition of the Firebox Feed—anonymized threat analytics from Fireboxes deployed around the world—we have firsthand, acute insight into the evolution of cyberattacks and how threat actors are behaving,” said Corey Nachreiner, CTO at WatchGuard. “Each quarter, our report will marry new Firebox Feed data with original research and analysis of major information security events to reveal key threat trends and provide defense best practices.”
