Brian Pennington

A blog about Cyber Security & Compliance



What Is Your Business’ Greatest Cyber Threat?


Advanced malware threats are growing at an alarming rate

FireEye have published their Advanced Threat Report for the first half of 2012. The results are based on their knowledge of Advanced Persistent Threats and the rest of the malware market.

Their key findings are:

  • Organizations are seeing a massive increase in advanced malware that is bypassing their traditional security defenses.
  • The patterns of attack volumes vary substantially among different industries, with organizations in healthcare and energy/utilities seeing particularly high growth rates.
  • The dangers posed by email-based attacks are growing ever more severe, with both link and attachment-based malware presenting significant risks.
  • In their efforts to evade traditional security defenses, cybercriminals are increasingly employing limited-use domains in their spear phishing emails.
  • The variety of malicious email attachments is growing more diverse, with an increasing range of files evading traditional security defenses.

Finding 1: Explosion in Advanced Malware Bypassing Traditional Signature-Based Defenses

The advanced malware that organizations have to contend with has grown dramatically, not just in volume but in its effectiveness at bypassing traditional signature-based security mechanisms. On average, organizations are experiencing a staggering 643 Web-based malicious events each week, incidents that effectively penetrate the traditional security infrastructure of organizations and infect targeted systems.

This figure includes file-based threats that are delivered over the web and email. File-based threats can be malicious executables, or files that contain exploits targeting vulnerabilities in applications. They are downloaded directly by users, via an exploit, or through links in emails. The statistic of 643 infections per week does not include callback activities, which largely happen over the Web.

Compared to the second half of 2011, the number of infections per company rose by 225% in the first half of 2012. If you compare the first six months of 2011 with the first six months of 2012, the increase seen is even larger at 392%.

These figures are not the total found in the so-called “wild”, but are the number of Web-based infections that successfully evaded organizations’ existing security defenses, such as next-generation firewalls and AV.

  • Users remain very susceptible to clicking on malicious links, especially when those links exploit social engineering tactics.
  • Embedding malicious code within Hypertext Transfer Protocol (HTTP) traffic is proving effective at bypassing traditional security mechanisms.
  • As a result of these two dynamics, cybercriminals see that their tactics are working, so the number of attacks they launch continues to grow.

Explosive Growth in Advanced Malware Infections

  • Growth from 2H 2011 to 1H 2012: 225%
  • Growth from 1H 2011 to 1H 2012: 392%

Finding 2: Patterns of Attacks Vary Substantially by Industry—Attacks on Healthcare up 100%, 60% in Energy/Utilities

When assessing the average number of incidents that evade traditional security defenses, patterns and trends vary substantially across industries. For the most part, each industry experiences peaks in attack volumes at different times.

A couple of industries that are prone to high incident counts were excluded from the report. Education was excluded because little, if any, control can be exercised over student systems, and students in general browse more and visit riskier sites. Government was excluded because government agencies commonly receive data from FireEye but do not send information back to FireEye.

The figures below illustrate the monthly incidents, including inbound attacks as well as outbound exfiltration and communication attempts. These incidents were identified by the FireEye MPS appliances deployed globally within the networks of customers and technology partners.

Healthcare

Between January 2012 and June 2012, the number of events detected at healthcare organizations has almost doubled. Compared to other industries, however, there has been a more consistent pattern of malicious activity, indicating a persistent and steady threat confronting these organizations.

As healthcare organizations move toward the adoption of electronic health record systems and digitally store and manage Personally Identifiable Information (PII), these sensitive assets seem to be coming under increasing attack by cybercriminals.

Financial Services

Between the second half of 2011 and the first half of 2012, the financial services industry has seen a massive increase in terms of the average number of events per customer for that industry. In May 2012 the industry saw more events than the entire second half of 2011. Compared to healthcare, there have been more dramatic fluctuations in this market. The most dramatic shift discovered was a huge spike in May 2012, followed by a drop-off in June, which was a pattern also seen in May and June of 2011.

Technology

Companies in the technology sector continue to be the most targeted organizations. While total numbers have remained relatively stable on a month-to-month basis, overall numbers remain high compared to other industries.

Energy/Utilities

In the energy/utilities sector, there have also been some significant fluctuations in incidents; however, the overall trend indicates a huge increase. In the past six months, energy and utility organizations have seen a 60% increase in incidents.

As the Night Dragon attack dramatically illustrated, critical infrastructures of energy and utility companies are under attack. In this case, criminals went after intellectual property, information on ongoing exploration, and records associated with bids on oil and gas reserves. Due to current geopolitical dynamics, data surrounding the sources of fossil fuel-based energy in particular are some of the most targeted assets.

Finding 3: The Intensified Dangers of Email-Based Attacks, Both Via Links and Attachments

While the APT attacks that have been reported on in recent years have exhibited a range of different tactics, it is clear that there is one very common characteristic: email is the primary channel through which the attacks are initiated. Operation Aurora, GhostNet, Night Dragon, the RSA breach, and the majority of the other APTs that have been publicly documented have been initiated at least in part through targeted spear phishing emails. The bottom line is that organizations looking to stop APTs absolutely have to have capabilities for detecting and guarding against these kinds of attacks.

To gain entry into an organization’s network, cybercriminals are launching their attacks through spear phishing emails. These emails use either attachments that exploit zero-day vulnerabilities or malicious, dynamic URLs. Between 1Q 2012 and 2Q 2012, there was a 56% increase in the number of email-based attacks that successfully penetrated organizations’ traditional security mechanisms.

During the course of 2012, there has been significant fluctuation in the amount of malware delivered via attachments versus links. In January 2012, the number of malicious links represented about 15% of the volume of malicious emails. By May and June however, the volume of malicious links outnumbered malicious attachments.

Moving forward, we expect to see continued fluctuation in the relative numbers of these categories on a monthly basis, but don’t expect that either one will dramatically or permanently overtake the other in the long term. The critical takeaway is that both of these types of threats exist in significant numbers, and that organizations need to guard against both of these threat vectors to effectively strengthen their security posture.

As zero-day application vulnerabilities are patched, file attachments used in attacks wane and cybercriminals return to Web-based vectors. However, as we have seen in the past, a new crop of zero-day application vulnerabilities is always just around the corner, leading cybercriminals to return to file attachment-based attacks.

Finding 4: Increased Prevalence of Limited-Use Domains in Spear Phishing Attacks

In their efforts to bypass organizations’ security mechanisms, cybercriminals have continued to employ increasingly dynamic tactics. The continued explosion of malicious domains used in spear phishing attacks illustrates the unsolvable problem facing technologies that rely on backward-facing signatures, domain reputation analysis, and URL blacklists.

Criminals are increasingly employing malicious URLs for only a brief period of time before they move on to using others. “Throw-away” domains are malicious domain names used only a handful of times, say in 10 or fewer spear phishing emails. These domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown. As the chart in the report illustrates, the number of throw-away domains identified increased substantially in the first half of 2012.

Through social engineering, cybercriminals are personalizing emails and then using throw-away domains to bypass the signature- and reputation-based mechanisms that organizations rely on to filter out malicious emails. It is important to note that these URLs are sometimes randomly generated and sometimes tailored to a specific tactic.

In the second half of 2011, domains that were seen just once comprised 38% of the total malicious domains used for spear phishing. In the first half of 2012, that figure grew to 46%. The graph in the report shows that the overall volume of spear phishing emails is increasing, and our domain analysis also shows that the ratio of emails that use limited-use domains is on the rise.

Finding 5: Increased Dynamism of Email Attachments

As outlined earlier, email-based attacks are used to initiate the bulk of the APTs reported, and guarding against both malicious attachments and URLs distributed via email is a critical mandate for organizations. Email-based attacks are the first tactic cybercriminals employ in order to get through the target’s perimeter defenses and gain a foothold in the network. As security teams seek to guard against malicious email attachments, however, they are encountering a fundamentally evolving dynamic in the makeup of these files. Just like URLs, the use of malicious attachments is growing increasingly dynamic.

Over the past twelve months, the diversity of attachments that led to infections has expanded dramatically. In the second half of 2011, the top 20 malicious attachments accounted for 45% of attachments that evaded organizations’ perimeter defenses. In the first half of 2012, the variety of malicious attachments increased so that the top 20 malicious attachments accounted for only 26%, nearly half of the figure in the second half of 2011. These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing and morphing malware in an automated fashion. In this way, the task of creating signature-based defenses to thwart these malicious files grows increasingly difficult.

Between the second half of 2011 and the first half of 2012, the average number of times a given malicious attachment was sent in an email dropped from 2.44 to 1.87.
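As an added example (not FireEye’s code and not from the original post), the script below computes the measures behind Findings 4 and 5 over constructed mail-gateway telemetry: the share of malicious domains seen only once (the report’s 38% to 46% figure), the set of limited-use domains under the report’s ten-or-fewer threshold, the share of events covered by the top-N values (the report’s top-20 attachment figure, and the same measure as the top-50 family figure in the second FireEye report summarized further down), and the average number of emails per distinct attachment (the 2.44 to 1.87 figure). The key=value log layout, the field names and every value in the sample are assumptions.

```python
"""Campaign-dynamism metrics over spear-phishing gateway telemetry.

Added example, not FireEye's code or data: the log lines below are
constructed, and the key=value field layout is an assumption.
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: one line per malicious email that reached the gateway.
# url=- means the mail carried no link, attach=- means no attachment.
SAMPLE_LOG = """\
2012-01-09T08:12:03Z verdict=malicious url=http://evil-a.example/inv.php attach=-
2012-01-09T09:40:11Z verdict=malicious url=http://evil-a.example/inv.php attach=-
2012-01-10T10:01:55Z verdict=malicious url=- attach=invoice.pdf
2012-02-02T11:23:09Z verdict=malicious url=https://evil-b.example/login attach=invoice.pdf
2012-02-03T12:00:00Z verdict=malicious url=- attach=report.doc
2012-02-14T13:30:45Z verdict=malicious url=http://evil-c.example/a.html attach=report.doc
2012-03-01T14:15:00Z verdict=malicious url=http://evil-a.example/x attach=-
2012-03-07T15:45:12Z verdict=malicious url=- attach=invoice.pdf
2012-03-08T16:05:33Z verdict=malicious url=http://evil-d.example:8080/p attach=photo.zip
2012-03-09T16:10:00Z verdict=malicious url=http://EVIL-D.example/p2 attach=-
2012-04-11T17:20:00Z verdict=malicious url=- attach=scan.pdf
2012-04-12T18:00:00Z verdict=malicious url=http://evil-e.example/q attach=invoice.pdf
2012-05-20T19:10:10Z verdict=malicious url=- attach=report.doc
2012-05-21T09:00:00Z verdict=malicious url=- attach=order.xls
"""
# Constructed: one domain hammered twelve times, so it is NOT a limited-use domain.
BULK_LOG = "".join(
    f"2012-06-{d:02d}T09:00:00Z verdict=malicious url=http://evil-f.example/c{d} attach=-\n"
    for d in range(1, 13)
)


def parse_line(line):
    """Split one 'timestamp key=value ...' line into a dict; '-' means absent."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = None if value == "-" else value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def url_domain(url):
    """Hostname of a URL, lower-cased with any port stripped; None if unparsable."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def domain_counter(records):
    """How many malicious emails pointed at each link domain."""
    counts = Counter()
    for rec in records:
        if rec.get("url"):
            domain = url_domain(rec["url"])
            if domain:
                counts[domain] += 1
    return counts


def attachment_counter(records):
    """How many malicious emails carried each attachment name."""
    return Counter(rec["attach"] for rec in records if rec.get("attach"))


def single_use_ratio(counts):
    """Share of distinct values seen exactly once (the report's 38% -> 46% metric)."""
    if not counts:
        return 0.0
    return sum(1 for c in counts.values() if c == 1) / len(counts)


def limited_use(counts, max_uses=10):
    """Values used max_uses times or fewer: the throw-away domains a blacklist rarely learns."""
    return {value for value, c in counts.items() if c <= max_uses}


def top_n_share(counts, n):
    """Fraction of all events covered by the n most frequent values (top-20, top-50)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(c for _, c in counts.most_common(n)) / total


def mean_uses(counts):
    """Average number of emails per distinct value (the 2.44 -> 1.87 figure)."""
    return sum(counts.values()) / len(counts) if counts else 0.0


def summarize(records):
    domains, attachments = domain_counter(records), attachment_counter(records)
    return {
        "single_use_domain_ratio": single_use_ratio(domains),
        "limited_use_domains": sorted(limited_use(domains)),
        "top2_attachment_share": top_n_share(attachments, 2),
        "mean_sends_per_attachment": mean_uses(attachments),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG + BULK_LOG)).items():
        print(f"{key}: {value}")
```

Tracking these figures week by week on your own gateway telemetry is the practical check on a blacklist-based control: a rising single-use ratio means a growing share of the malicious domains you saw could never have been on any list before they were used, and a falling top-N share means signatures for the most common attachments cover less of what gets through.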

FireEye’s conclusions on its report

As this report amply illustrates, organizations are under persistent attack, and the attacks being waged continue to grow more dynamic, effective, and damaging. For organizations that continue to rely solely on firewalls, IPS, AV, and other signature, reputation, and basic behavior-based technologies, it is abundantly clear that compromises and infections will continue to grow. To effectively combat these attacks, it is imperative that organizations augment their traditional security defenses with technologies that can detect and thwart today’s advanced, dynamic attacks. This requires capabilities for guarding against attacks being waged on the Web, and those being perpetrated through email, including spear phishing emails that use malicious attachments and URLs.


How advanced attacks succeed, despite $20B spend on enterprise IT security


FireEye has recently released their research into why IT Security attacks continue to be successful despite an annual IT Security spend of $20 billion.

A summary of the key findings of the FireEye research is below:

1) 99% of enterprises have a security gap, despite $20B spent annually on IT security. Within a given week, the typical enterprise network has anywhere from hundreds to thousands of new malicious infections and all industries are under sustained attack.

2) 90% of malicious executables and malicious domains changed in just a few hours. The dynamic nature of modern attacks is the primary means to bypass signature-based tools, making defenses such as antivirus and URL blacklists ineffective.

3) The fastest growing malware categories are Fake-AV programs, which are part of an extortion tactic, and info stealers, which exfiltrate information.

4) The top 50 out of thousands of malware families account for 80% of successful infections. Sophisticated toolkits and other means are enabling the rapid production of advanced malware.

Extended details on the four findings:

Finding 1: 99% of enterprise networks have a security gap despite $20B spent annually on IT security.

Despite the massive investment in IT security equipment each year, our analysis of FireEye MPS deployments shows that essentially all enterprises are compromised with malware: 99% of enterprises had malicious infections entering the network each week, and 80% of enterprises faced more than one hundred infections per week, with many in the thousands per week. The median weekly infection caseload was 450 infections per week (normalized per Gbps of traffic), with wide variations.

These are all events that have made it through standard gateway defenses, such as firewalls, next-generation firewalls, IPS, antivirus, email and web security Gateways. These malicious events make it through because traditional security systems either rely on signatures, reputation and crude heuristics or were originally designed for policy control. They no longer keep up with the highly dynamic, multi-stage attacks that have become common today for targeted and APT attacks.

Even the most security-conscious industries are fraught with dangerous infections.

Every company studied in every industry looks to be vulnerable and under attack. Even the most security-conscious industries, such as financial services, health care and government, which hold intellectual property and personally identifiable information and are subject to compliance requirements, show a significant infection rate.

Based on this data, FireEye see that today’s cyber criminals are nearly 100% effective at breaking through traditional security defenses in every organization and industry, from security-savvy to security laggards.

Today’s attacks also exhibit a global footprint with infected sites, malicious servers, and callback destinations distributed around the world.

Finding 2: Successful attacks employ dynamic, “zero-day” malware tactics. 90% of malicious binaries and domains change in just a few hours; 94% within a day.

Our Q2 2011 data showed that 90% of both malicious binaries (MD5 hash files) and malicious domains (URLs hosting malware) changed almost immediately, and 94% changed within a day. This dynamism increased noticeably from Q1 to Q2 2011.

FireEye believe the daily morphing of malicious binaries and domains is timed to stay ahead of the typical practice of daily DAT and blacklist/reputation updates, enabling the malware to remain undetected and its communications unblocked.

Those that change within a few hours stay ahead of centralized “real-time” threat intelligence services that assess risk based on signatures, reputation, and behavior. Those that change once a day stay ahead of defenses that use scheduled daily updates.

Malicious executables are constantly being repacked to appear new each time. Most of the MD5s FireEye observed are so dynamic that they persist for an hour or less or are seen just once. The curve has moved noticeably up and to the left from Q1 to Q2, indicating that a smaller fraction of malware samples remain unchanged over the course of days (note that this is despite the fact that the Q2 sample is larger than the Q1 sample, increasing the size of our view into malware behavior). It’s also striking that the curve steps up at each 24-hour interval, indicating that some malware authors are using an integer number of days as the expiration time before they generate a new packing.
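The persistence curve described above, as an added example that is not FireEye’s code: given timestamped sightings of an artifact (a hash or a domain), it computes each artifact’s lifetime, the share retired within a given number of hours (the report’s 90% within hours, 94% within a day), and the fraction still in use at a series of checkpoints, which is the most a defense refreshing its signatures or blacklists on that cycle could ever catch. The sightings and the `md5-sample-NN` labels are constructed placeholders, not real hashes.

```python
"""Lifetime analysis of malware artifacts (hashes or domains) from gateway sightings.

Added example, not FireEye's code: the sightings are constructed and the
labels stand in for real MD5 values.
"""
from datetime import datetime

# Constructed: (artifact label, time the gateway saw it). A real feed would
# carry the actual MD5 hash or domain in place of the label.
SIGHTINGS = [
    ("md5-sample-01", "2011-05-02T10:00:00"),                                        # seen once
    ("md5-sample-02", "2011-05-02T10:05:00"),                                        # seen once
    ("md5-sample-03", "2011-05-02T11:00:00"),                                        # seen once
    ("md5-sample-04", "2011-05-03T09:30:00"),                                        # seen once
    ("md5-sample-05", "2011-05-03T12:00:00"), ("md5-sample-05", "2011-05-03T12:30:00"),  # 0.5 h
    ("md5-sample-06", "2011-05-04T08:00:00"), ("md5-sample-06", "2011-05-04T08:45:00"),  # 0.75 h
    ("md5-sample-07", "2011-05-04T15:00:00"), ("md5-sample-07", "2011-05-04T16:00:00"),  # 1 h
    ("md5-sample-08", "2011-05-05T06:00:00"), ("md5-sample-08", "2011-05-05T12:00:00"),  # 6 h
    ("md5-sample-09", "2011-05-06T01:00:00"), ("md5-sample-09", "2011-05-06T21:00:00"),  # 20 h
    ("md5-sample-10", "2011-05-07T00:00:00"), ("md5-sample-10", "2011-05-10T00:00:00"),  # 72 h
]


def lifetimes_hours(sightings):
    """Hours between first and last sighting of each artifact (0.0 if seen once)."""
    first, last = {}, {}
    for label, stamp in sightings:
        t = datetime.fromisoformat(stamp)
        first[label] = min(first.get(label, t), t)
        last[label] = max(last.get(label, t), t)
    return {k: (last[k] - first[k]).total_seconds() / 3600 for k in first}


def share_retired_within(lifetimes, hours):
    """Fraction of artifacts whose last sighting came within `hours` of the first."""
    if not lifetimes:
        return 0.0
    return sum(1 for h in lifetimes.values() if h <= hours) / len(lifetimes)


def survival_curve(lifetimes, checkpoints):
    """Fraction of artifacts still in use after each checkpoint, in hours.

    A signature or blacklist update published every N hours can, at best,
    catch the artifacts that are still alive at the N-hour checkpoint.
    """
    return [1.0 - share_retired_within(lifetimes, c) for c in checkpoints]


def summarize(sightings):
    lifetimes = lifetimes_hours(sightings)
    return {
        "artifacts": len(lifetimes),
        "retired_within_1h": share_retired_within(lifetimes, 1),
        "retired_within_24h": share_retired_within(lifetimes, 24),
        "alive_at_1h_24h_72h": survival_curve(lifetimes, [1, 24, 72]),
    }


if __name__ == "__main__":
    for key, value in summarize(SIGHTINGS).items():
        print(f"{key}: {value}")
```

Run on a real feed, the checkpoint you care about is your own update interval: the survival value there is the ceiling on what a daily DAT or blacklist refresh can block, and everything below it needs detection that does not depend on having seen the artifact before.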

Note that FireEye are not implying that all malware attacks are dynamic, just that the successful attacks penetrating through the signature and reputation-based defenses use dynamic tactics to defeat those static defenses.

Therefore, FireEye believe that dynamic binaries and dynamic domains form the core of today’s advanced, zero-day malware tactics. Cybercriminals are moving quickly and building manoeuvrability into their tools and operations.

In part, the move to malware dynamism explains the rapid expansion in botnets. For example, criminals need more IP addresses (aka bots or zombies) to evade signature and reputation-based filters.

Another conclusion from these findings is that network defenses must tool up for constant change and resilience. Countermeasures must be designed for highly dynamic threats across vectors, such as Web and email. FireEye also see a trend in which organizations must treat every attachment or Web object as suspicious.

Finding 3: The fastest growing malware categories are Fake-AV programs and Info-stealer executables.

While malware programs have multiple capabilities, the FireEye research team provides a general categorization of each malware executable by what they believe to be its primary purpose. For example, Click Fraud software makes money by creating automated HTTP transactions to particular websites in order to distort (drive up) payments to advertisers. Fake-AV software is sold on the pretence that it has found non-existent malware on consumer computers, and then offers to “clean” out the infection if consumers buy the full version.

Several things stand out. The three largest categories of malware in Q2 are Fake-AV (listed as Rogue Anti_malware), Downloader Trojans (whose primary function is to download other pieces of malware), and information stealers of various forms. Comparing to Q1, they see a striking growth in Fake-AV (Rogue Anti_malware) and information stealing malware most likely due to a successful monetization model.

Of these, the information stealers are clearly the greater threat to corporate integrity. While FireEye would certainly not advocate ignoring Fake-AV programs (they are a threat to employees’ private finances and act as a conduit for more serious malware infections), it’s clear that information theft is currently the highest priority problem for enterprises.

  • Zbot (Zeus): primarily a banking Trojan, Zbot has become extremely well known for fraud against online banking for both consumers and small and medium enterprises, and likely represents a high priority threat even to large enterprises in the form of fraud against senior executives.
  • Papras (aka Snifula) has received far less publicity, but in our sample it appears to have become just as widespread as Zbot. Papras is less specialized: it steals account credentials for various online services and also logs information entered in web forms. As such, it’s probably a basic tool in a number of different kinds of manually directed intrusions and information thefts.
  • Zegost is also primarily a keylogger.
  • Multibanker: specialized banking trojans.
  • Coreflood is a botnet that operated in many versions for ten years until taken down by the Department of Justice in April 2011.
  • Licat is believed to be associated with Zbot.

Finding 4: The “Top 50” of thousands of malware families generate 80% of successful malware infections.

In reviewing several hundreds of thousands of events, they found that the vast majority of them derive from a few hundred malware families (as evidenced by the particular callback protocol we detected in use), and that the Top 50 most frequent malware families are represented in about 80% of all cases.

From the figure, they conclude that the exploding zoo of malware executables can be attributed to a much smaller number of malware toolkit code bases. In reviewing the top 50 families, the more successful code bases have optimized aspects of their malware binary output to be dynamic and deceptive.

Note that the frequency of appearance is not correlated with risk. One of the most common malware families, Fake-AV, extorts payments from users for falsified virus scans. This class of malware is less of a concern from an enterprise perspective, though Fake-AV should be seen as a “gateway malware” to introduce more serious information-theft malware into the network. On the other hand, nation-state APT malware used for espionage is likely to be out in the long tail of comparatively rare malware. In the range between these two zones, they find very potent, very dangerous attacks.

Many of the Top 50 attacks reflect advanced malware used by criminal syndicates for financial gain. This variety of threat is characterized by periodic campaigns combining exploit toolkits and specific malware families such as “Rogue AV” or “Fake-AV.” The attacks cast a relatively “wide but shallow” net, harvesting data and relying on automation for efficiency and profitable success rates.

Here’s the anatomy of a typical “wide and shallow” attack, one that is dynamic and short-lived (in each campaign), but not especially targeted or heavily personalized:

  • Hunt new victims for a few hours at certain infectious IP addresses
  • Install malware via drive-by download or phishing campaign (possibly run through a social networking site)
  • Collect account data from victims’ computers (or install data-stealing malware on these hosts)
  • Pause (or move on to a new site)
  • Monetize the data that has been collected (for perhaps days or weeks)
  • Run another campaign with a tweaked version of the malware and different IP addresses

When FireEye look at malware by family, and at the event timeline of malware activity, they see evidence of the compressed timelines used in campaigns today: sharp spikes. Even with relatively protracted activity, like that shown for Rogue.AV, FireEye see significant spikes above a significant baseline.

The other major category of attack is the “Narrow and Deep” attack that includes targeted and APT attacks. These attacks infect a relatively small number of machines that act as the beachhead from which to further infiltrate other enterprise systems, especially those that contain critical or sensitive information.

The deeper infiltration is accomplished via lateral movement by propagating the malware infection to other systems and servers in the enterprise network. Only real-time monitoring of suspicious code will detect these subtle attacks.

How do criminals make their malware and domains dynamic? Point-and-click Toolkits?

Criminals make code appear new by packing, encrypting, or otherwise obfuscating the nature of the code. Malware toolkits like Zeus (banking Trojan) and Blackhole (drive-by downloads) automate this process today, which FireEye believe explains some of our finding of increasing and almost ubiquitous dynamism.

The prevalence of dynamic domain addresses indicates that criminals are moving their distribution sources very quickly as well, like a drug dealer moving to a different street corner after every few deals. By moving their malware to an unknown site (often a compromised server or zombie), and using short URLs, cross-site scripting or redirects to send traffic to that site, the criminals can stay ahead of reputation-based defenders.

Criminals invest in toolkits and dynamic domains because signatures and reputation engines have become adept at blacklisting known bad content and “bad” or “risky” URLs and sites. Any stationary criminal assets will quickly be blacklisted; therefore these assets must move to remain valuable.

FireEye Conclusions

The new breed of cyber-attacks is evading existing defenses by using dynamic malware, toolkits and novel callback techniques, leaving virtually every enterprise vulnerable to data theft and disruption. Although enterprises are investing $20B per year in IT security systems, cybercriminals are able to evade traditional defenses, such as firewalls, IPS, antivirus and gateways, because they are all based on older technology: signatures, reputation and crude heuristics.

Enterprises must reinforce traditional defenses with a new layer of security that detects and blocks these sophisticated, single-use attacks. New technologies are needed that can recognize advanced malware entering through Web and email, and thwart attempts by malware to call back to command and control centers. This extra defense is designed specifically to fight the unknown threats, such as zero-day and targeted APT attacks, thereby closing the IT security gap that exists in all enterprises.

The FireEye report can be found here.

