The median rate of web malware encounters in March 2014 was 1:260, compared to a median rate of 1:341 requests in February. At least some of this increased risk appears to have been a result of interest in the NCAA tournaments (aka March Madness), which kicked off during the second week of March in the United States.
In February 2014, web malware encounters from sports and video sites were in the 18 and 28 spot, respectively. During March 2014, web malware from sports- and video-related sites jumped to the number 7 and 8 spots, respectively. The presumed longer time spent viewing sports-related content may have been a factor in a 1% decrease in the total volume of web requests in March coupled with a corresponding 18% increase in terabytes received.
The ratio of unique non-malicious hosts to unique malware hosts decreased by 1%, at 1:4841 in March 2014 compared to 1:4775 in February. The ratio of unique non-malicious IP addresses to malicious unique IP addresses also dropped from 1:1351 in February 2014 to 1:1388 in March. There was also far less volatility in the rate of unique malicious IP addresses throughout March compared to February.
Java encounters dropped from 9% of all web malware encounters in February 2014 to 6% in March. At 43% of all Java encounters, Java version 7 exploits were the most frequently encountered, with 26% targeting Java version 6, and 32% targeting other versions of Java.
Web malware encounters from mobile devices decreased 24% from February to March 2014. In March 3.6% of all Web malware encounters resulted from mobile device browsing, compared to 4.7% in February. Conversely, web malware encounters from non-Android and non-iOS devices doubled for the period, from 0.1% in February to 0.2% in March. The cause of this increase was not due to any specific device, but rather an across-the-board increase affecting all non-Android and non-iOS devices.
At 18%, advertising was the most common vector of mobile device encounters, followed by business-related sites at 13% and video-related sites at 11% of mobile device encounters. For comparison purposes, in February 2014, sites in the business category were the most common vector of mobile device encounters (20%), followed by advertising (13%) and personal sites (8%). Video came in fourth in February, at 7%.
Pharmaceutical & Chemical remained at 1100% of median risk for web malware encounters in March 2014, the same rate experienced in February. Companies in the Entertainment vertical experienced an increase from 321% in February to 643% in March. The Energy, Oil & Gas vertical increased from a rate of 276% in February to 397% in March.
To assess vertical risk, we first calculate the median encounter rate for all enterprises, and then calculate the median encounter rate for all enterprises in a particular vertical, then compare the two. A rate higher than 100% is considered an increased risk.
Following a 73% increase from January to February, spam volumes increased another 45% in March to an average of 207 billion spam messages per day.
The top five global spam senders in February 2014 were the United States at 8%, followed by the Republic of Korea at 5%, Russian Federation at 3%, China at 2%, and Ukraine at 1%.
Tags: CSIRT, malware, metrics, security, Threat Metrics 2014, TRAC
Long before becoming a part of Cisco, the Sourcefire team was aggressively addressing the advanced malware challenges our customers face daily. We believe that the most effective way to address these challenges is a continuous Advanced Malware Protection (AMP) approach that does more than just track malware at a point in time, but is also unrelenting in both monitoring and applying protection. Cisco shares this vision, which is why the combination of our technologies is so powerful. It’s not just about the network, or just about the endpoint— it’s about connecting these and everything in between for complete protection.
While our customers knew it and we knew it, the industry at large can now be certain that this continuous approach is the most effective for addressing advanced threats. NSS Labs tested AMP along with other security solutions for its 2014 Breach Detection System Security Value Map (SVM) and Product Analysis Report (PAR). NSS Labs defines Breach Detection Systems as solutions that provide enhanced detection of advanced malware, zero-day and targeted attacks that could bypass traditional defenses. The SVM results speak for themselves:
The SVM is a unique graphical representation of the security effectiveness and value of tested products. It’s no surprise to us that AMP scored as high as it did, but the results are great validation of our commitment to delivering this leading protection with the best total cost of ownership (TCO).
The SVM is also further proof that solutions marketed at addressing targeted advanced persistent threats (APT) and zero-day attacks can’t stop at only offering point-in-time detection. Advanced Malware Protection is the only solution to offer continuous analysis, retrospective security, and multi-source Indicators of Compromise (IoC) for protection before, during and after attacks across the extended network. These capabilities address an important gap that exists in all point-in-time products. Our AMP solution provides the continuous capability to “go back in time” and retrospectively identify and then remediate files that initially evade defenses.
Some highlights from testing:
- AMP has the lowest TCO of any product tested
- AMP is a leader in security effectiveness achieving detection of 99 percent of all tested attacks
- AMP excelled in time-to-detection, catching threats faster than competing Breach Detection Systems
When we talk about AMP with our customers, we call it “AMP Everywhere” because it can protect from the cloud to the network to the endpoint. It has been available as a connector for endpoints and mobile devices, a standalone appliance, and as part of Next-Generation Firewall and Next-Generation IPS for the last two years. It has also recently been integrated into Cisco’s portfolio of Web and Email Security Appliances and Cloud Web Security. With web and email interactions remaining one of the primary vectors for malware infection in organizations, AMP integration on our leading email appliance and web security gateways provides our customers with even stronger protection wherever a threat can manifest itself.
“AMP Everywhere” is a reality. An extremely effective one, at that. I encourage you to see the results for yourself. Download a free copy of the 2014 NSS Labs Breach Detection Systems SVM and PAR for Advanced Malware Protection.
Tags: Advanced Malware Protection, AMP, malware, PAR, Product Analysis Report, Security Value Map, Sourcefire, SVM, tco, total cost of ownership
My personal email has 4 characteristics that drive me crazy:
- I get way too much email
- Most of my emails are a waste of time
- Emails carry the risk of, very rarely, nasty virus payloads (or link you to sites that have worse)
- Despite all this, I can’t live without email Read More »
Tags: coc-unified-communications, email security, esa, malware, trojan, virus, web security, wsa
Web surfers in February 2014 experienced a median malware encounter rate of 1:341 requests, compared to a January 2014 median encounter rate of 1:375. This represents a 10% increase in risk of encountering web-delivered malware during the second month of the year. February 8, 9, and 16 were the highest risk days overall, at 1:244, 1:261, and 1:269, respectively. Interestingly, though perhaps not unexpectedly, web surfers were 77% more likely to encounter Facebook scams on the weekend compared to weekdays. 18% of all web malware encounters in February 2014 were for Facebook related scams.
Read More »
Tags: CSIRT, malware, security, Threat Metrics 2014, TRAC
This post is co-authored with Levi Gundert and Andrew Tsonchev.
Update 2014-03-21: For clarity, the old kernel is a common indicator on the compromised hosts. We are still investigating the vulnerability, and do not yet know what the initial vector is, only that the compromised hosts are similarly ‘old’.
Update 2014-03-22: This post’s focus relates to a malicious redirection campaign driven by unauthorized access to thousands of websites. The observation of affected hosts running Linux kernel 2.6 is anecdotal and in no way reflects a universal condition among all of the compromised websites. Accordingly, we have adjusted the title for clarity. We have not identified the initial exploit vector for the stage zero URIs. It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the below strike through annotations reflect that. We also want to thank the community for the timely feedback.
All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.
Read More »
Tags: malware, TRAC