Over Half of Malware Found by WildFire Was Unknown to Security Industry
The new WildFire cloud-based analysis engine found that seven percent of all unknown files analyzed contained malware. Over a three month period of analyzing unknown files from the Internet entering enterprise networks, more than 700 unique malware samples were discovered, 57 percent of which had no coverage by any antivirus service or were unknown by Virus Total at the time of discovery. Out of all of the new malware identified, 15 percent also generated malicious or unknown outbound command and control traffic.
"I think we were all a bit surprised by the volume and frequency with which we were finding unknown malware in live networks," said Wade Williamson, Senior Security Analyst at Palo Alto Networks. "Unknown malware often represents the leading edge of an organized attack, so this data really underscores the importance of getting new anti-malware technologies out of the lab and into the hands of IT teams who are on the front lines. The ability to detect, remediate and investigate unknown malware needs to become a practical part of a threat prevention strategy in the same way that IPS and URL filtering are used today."
Criminals Using New Web Application Types for Malware Distribution
WildFire found that zero-day malware was distributed by a wide variety of web applications, in addition to the traditional HTTP web-browsing and email traffic commonly associated with malware distribution. By using the next-generation firewall's ability to identify all applications, WildFire was able to identify specific phishing campaigns based on their affinity for particular applications. One attacker used AOL Mail almost exclusively while another used the Hotfile file hosting service as the delivery vector.
To provide context for the commonality of the applications in the enterprise, previously-published research from Palo Alto Networks' May 2011 Application Usage and Risk Report shows that traffic from browser-based file sharing applications was observed on the 91 percent of 1,253 enterprise networks analyzed from October 2010 to April 2011.
"It's important to note this, because many enterprises only inspect email or FTP traffic for malware but do not have the ability to scan other applications. Applications that tunnel within HTTP or other protocols can carry malware that will be invisible to a traditional anti-malware solution," said Williamson. "These are examples of the big reasons why a lot of malware gets missed - most enterprises only focus on scanning their corporate email application. To control this problem we need to expand our view to other applications, pull the traffic apart and go a level deeper in to find out if there's a file transfer happening."
Findings Powered by New Next-Generation Firewall Features
These malware discoveries were made using WildFire--a new service recently announced by Palo Alto Networks that integrates in-line firewalling with automated cloud-based malware analysis. With the introduction of WildFire, customers can extend the capabilities of all of their Palo Alto Networks next-generation firewalls to addresses the challenge of modern malware, which is often targeted, unknown, highly evasive and network enabled.
This latest addition to Palo Alto Networks' next-generation firewalls identifies unknown and potentially-malicious files by directly and automatically executing them in a virtual cloud-based environment to expose malicious behavior even if the malware has never been seen in the wild before. For malicious files, Palo Alto Networks then automatically generates new signatures for both the file itself and for any traffic generated by the malicious file. These signatures are then distributed with regular signature updates, in addition to providing the user with an actionable analysis of exactly how the malware behaves, who was targeted and what application delivered the threat.
"WildFire is taking sandbox technology out of the lab and applying it to a real product that people can actually deploy in a reasonable, cost-effective manner. By integrating this type of advanced analysis with the next-generation firewall, customers can detect and protect themselves against malware using the hardware that they already have deployed today," said Williamson. "We give IT a signature for both the malware and the malicious traffic it generates. This allows customers to block the malicious traffic to minimize data loss and quarantine the malware. Once the threat is contained, they can then clean or reimage the machine. The final step is to analyze how the infection penetrated the network in the first place, to prevent future infections."
About Palo Alto Networks Palo Alto Networks(TM) is the network security company. Its next-generation firewalls enable unprecedented visibility and granular policy control of applications and content - by user, not just IP address - at up to 20Gbps with no performance degradation. Based on patent-pending App-ID(TM) technology, Palo Alto Networks firewalls accurately identify and control applications - regardless of port, protocol, evasive tactic or SSL encryption - and scan content to stop threats and prevent data leakage. Enterprises can for the first time embrace Web 2.0 and maintain complete visibility and control, while significantly reducing total cost of ownership through device consolidation. Most recently, Palo Alto Networks has enabled enterprises to extend this same network security to remote users with the release of GlobalProtect(TM) and to combat targeted malware with its WildFire(TM) service. For more information, visit www.paloaltonetworks.com.