New polymorphic malware discovered in the wild has an increasingly short shelf life, rendering signature-based antivirus protection largely ineffective against today’s attacks, a new study by Palo Alto Networks shows.
The Santa Clara, Calif.-based network security company used its new cloud-based virtual sandbox service called WildFire to analyze traffic moving through beta sites and its collection of honeypots on the Internet. The study determined 7% of unknown files encountered in the wild are actually malware and of those malicious files, 57% had no coverage by antivirus signatures.
“The problem is that attackers have figured out that if they really want to get in a network, they’ll attack it with something that’s never been used before,” said Wade Williamson, senior threat analyst at Palo Alto Networks.
Most of the polymorphic malware discovered was being updated every three to six days in order to avoid signature-based antivirus, Palo Alto said. Using WildFire, researchers were able to collect data throughout Europe, Asia and the United States and were able to analyze more than 10,000 unique samples of malware.
“What’s interesting,” said Williamson, “is that of all of the sites we looked at, all had unknown malware.”
WildFire, a free add-on to Palo Alto firewalls, examines outbound traffic in a cloud-based virtual sandbox for suspicious behavior that is blocked and eventually addressed with a new signature.
“Not only is it new and interesting technology, but it’s actually deployable,” Williamson said. “It makes it a really reasonable way to tackle this problem.”