Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12/11/2019
10:55 AM
50%
50%

Only Half of Malware Caught by Signature AV

Machine learning and behavioral detection are necessary to catch threats, WatchGuard says in a new report. Meanwhile, network attacks have risen, especially against older vulnerabilities, such as those in Apache Struts.

For years, signature-based antivirus has caught about two-thirds of threats at the network edge — in the last quarter, that success rate has plummeted to only 50%, according to WatchGuard Technologies' latest quarterly report, published on December 11.

The network security firm found that the percentage of malware that successfully bypassed signature-based antivirus scanners at companies' network gateways has increased significantly, either by scrambling code — known as "packing" — using basic encryption techniques or by the automatic creation of code variants. In the past quarter, the share of malware using these obfuscation techniques has jumped to 50% of malicious programs detected at the edge of the network, bypassing common antivirus engines, the company found.

Dubbed "zero-day malware," these attacks demonstrate how attackers have adapted to the decades-old signature-based antivirus scanning technology, says Corey Nachreiner, chief technology officer at WatchGuard Technologies.

"The big change is that more and more malware is becoming evasive, so that signature-based protection is no longer sufficient," he says. "There is nothing wrong with having it, because it will catch 50% to two-thirds of the traffic, but you definitely need something more." 

In the first quarter of 2019, the company saw signature antivirus catch 64% of malware. In the second quarter, that dropped only slightly to 62%. In 2017, antivirus firm Malwarebytes found that using two signature-based antivirus engines still only caught about 60% of threats.

While the statistic applies only to the BitDefender antivirus engine used in WatchGuard's product, Nachreiner argues that the scanner is better than average — based on VirusTotal detections — suggesting that malware is even more successful getting past other companies' products.

"The reason that we feel that we can extrapolate from a single engine is that we use VirusTotal all the time, and BitDefender is always one of the first to detect threats," he says. "We feel that extrapolation, while not exact, will be very representative, even conservatively, of the capabilities of signature-based engines."

Zero-day malware — not to be confused with zero-day exploits — need to be caught by technologies other than signature-based antivirus, he says. WatchGuard, for example, incorporate three different anti-malware services into its product, including machine learning-based pattern detection and a sandbox service to catch threats based on their execution behavior.

The rise in evasive malware is the most significant trend in WatchGuard's "Internet Threat Report: Q3 2019," but the company also saw a general rise in network attacks — those attempts that attempt to actually compromise a network — of about 8% from the previous quarter.

Attacks using SQL injection, cross-site scripting, and brute-force credential stuffing topped the list of attacks the company detected in the third quarter of 2019, but the top 10 network-based attacks also include exploits aimed at two older vulnerabilities in the Apache Struts web application framework, security issues that led to the massive breach of data-collection firm Equifax. The company missed patching key servers that were then compromised by attackers, leading to the leak of information on about 148 million Americans. The breach led to a $700 million fine and, because of his stock trading prior to public notification of the breach, the conviction of the former CIO on insider trading.

"With a 10 of 10 for severity in the National Vulnerability Database and the national attention the Equifax breach got from this vulnerability, we hope web admins have already upgraded their servers," WatchGuard stated in the report. "If you've patched, this attack won't work ... [but] vulnerable servers won't last long while connected to the Internet."

The increase in attacks on older vulnerabilities makes it even more important for companies to look to their patching processes and make sure that they are not missing any servers, Nachreiner says.

"After Equifax, you would have hoped that everyone had patched immediately, but the fact that the attackers are ramping up attacks could mean that they have seen some success," he says. "So, you need to ask, have you really patched the Apache Struts vulnerability? Check your environment to make sure that you are not vulnerable."

The WatchGuard report gathers data from users that have opted into its data-collection program, about 37,000 devices in the latest quarterly report. 

 

Related Content

 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security 101: What Is a Man-in-the-Middle Attack?"

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Will This Be the Year of the Branded Cybercriminal?
Raveed Laeb, Product Manager at KELA,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Give us your best shot! You might win an Amazon gift card!
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3686
PUBLISHED: 2020-01-17
openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vulnerable to XSS in the distri and version parameter. This was reported through the bug bounty program of Offensive Security
CVE-2019-3683
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.