Webroot releases our 2016 Threat Brief


Petrovic

Key findings from the Webroot 2016 Threat Brief include:
  • Malware and potentially unwanted applications (PUAs) have become overwhelmingly polymorphic, with 97% of malware morphing to become unique to a specific endpoint device. By changing attributes to evade detection, polymorphic threats pose a major problem for traditional, signature-based security approaches, which often fail to discover singular variants.
  • Approximately 50 percent of Webroot users experienced a first contact with a zero-day phishing site, as compared to approximately 30 percent in 2014. This data indicates that zero-day phishing attacks are becoming the hacker’s choice for stealing identities.
  • Technology companies, including Google, Apple and Facebook, were targeted by more than twice as many phishing sites as financial institutions, such as PayPal, Wells Fargo, and Bank of America. These tech companies are targeted because the same login credentials are often used to access many other websites, resulting in multiple compromised accounts with each phishing victim.
  • 100,000 net new malicious IP addresses were created per day in 2015, a significant increase from the 2014 average of 85,000 a day, indicating that cybercriminals rely less on the same list of IPs and are expanding to new IPs to avoid detection.
  • The U.S. continues to have the most malicious IP addresses of all countries. In 2015, it accounted for over 40 percent of all malicious IP addresses, a significant increase from 31 percent of malicious addresses in 2014. Top countries hosting 75 percent of malicious IPs include the U.S., China, Japan, Germany, and the UK.
  • As with malicious IP addresses, malicious URLs are largely hosted in the U.S. (30 percent), followed by China (11 percent). Furthermore, the U.S. is by far the largest host of phishing sites, with 56 percent of sites within its borders.
  • In the second half of 2015, 52 percent of new and updated apps were unwanted or malicious—a significant increase over the first half of 2014, when only 21 percent were unwanted or malicious.


Full Article
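The first finding above (polymorphism defeating signature matching) as an added illustration, not code from the Webroot report or from anyone in this thread: constructed byte samples stand in for real files, a SHA-256 blocklist plays the signature engine, and a toy byte n-gram Jaccard similarity stands in for the structural or behavioural features real engines use. The sample contents, hashes and the 0.6 threshold are all assumptions made up for the demo.

```python
import hashlib

# Constructed samples (not real malware). The "code" region is identical across
# the family; only a 16-byte config/key blob is re-randomised per victim, which
# is enough to give every endpoint a file with a unique hash.
SHARED_CODE = (b"MZ\x90\x00"
               b"stage-1 loader; resolve example.invalid; open socket; "
               b"send beacon; sleep with jitter; spawn worker; collect host info; ")
BASE = SHARED_CODE + bytes(range(0x10, 0x20)) + b"\x00" * 16     # sample a vendor captured
VARIANT = SHARED_CODE + bytes(range(0x40, 0x50)) + b"\x00" * 16  # same family, next endpoint
BENIGN = (b"MZ\x90\x00"
          b"hello world calculator; add subtract multiply divide; "
          b"about dialog; settings page; " + b"\x00" * 16)         # unrelated program


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows; a crude stand-in for code features."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two samples' n-gram sets, 0.0 (disjoint) to 1.0."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def matches_hash_signature(sample: bytes, known_hashes: set) -> bool:
    """Classic signature lookup: only an exact copy of a known file is caught."""
    return sha256(sample) in known_hashes


def matches_family(sample: bytes, known_samples: list, threshold: float = 0.6) -> bool:
    """Similarity-based check: catches the re-keyed variant, ignores the benign file.
    Real engines use emulation, ML features or behaviour instead of raw n-grams,
    partly because shared libraries and packers make byte similarity noisy."""
    return any(similarity(sample, known) >= threshold for known in known_samples)


KNOWN_HASHES = {sha256(BASE)}  # the only hash the "signature database" ever saw

if __name__ == "__main__":
    for name, sample in (("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8s} hash-match={matches_hash_signature(sample, KNOWN_HASHES)!s:5s} "
              f"family-match={matches_family(sample, [BASE])!s:5s} "
              f"similarity={similarity(sample, BASE):.2f}")
```

The variant is missed by the hash lookup despite differing in only 16 bytes, while the similarity check still flags it and leaves the benign sample alone.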
 

hjlbx

"These numbers underscore the polymorphic nature of almost all malware today and how ineffective older, largely signature based malware detection technologies have become."

Webroot Threat Report 2016

Despite this being the case - for years - Webroot still uses file scanning\file reputation as their primary protection!

And it isn't just Webroot... so my comment is not meant to bash Webroot or any other AV.

The truth of the matter is that is what security soft vendors are capable of implementing at this point in time.

Webroot relies heavily upon their cloud-based Threat Intelligence Platform (file\URL reputation) in monitoring and scanning files.

Bitdefender's cloud intelligence, Emsisoft's Anti-Malware Network, Norton\Symantec Insight, etc. all use basically the same type of cloud-based file reputation lookup and analysis. Some perform further analysis like remote emulation, heuristics scoring, etc.

And all of them are mediocre against malware that has just entered the wild.

Some do better than others dependent upon the malware characteristics\type, the cloud algorithms, etc.

That's the current state of the art technology.

Until something new comes along it will remain so...
 

Nightwalker

Not exactly, Norton cloud has the "famous" WS.Reputation.1 that turns the polymorphic, "newness" of malware against it.

WS.Reputation.1 | Symantec

You can try for yourself; it is very difficult to infect a machine running Norton Security in a real-life scenario because of the Insight component.

Kaspersky Urgent Detection System (UDS) seems to be doing a great job too nowadays; just look at the "Virus Exchange" forum.

IMO Webroot is the one suffering against polymorphic malware; they don't have strong heuristics/generic signatures + emulator (like Nod32/Bitdefender/Kaspersky). In the past Webroot could do nothing against Sality on one of my testing machines, while almost all vendors could protect just fine.

Example of Kaspersky UDS on this forum:

kudos to @Kantry123
 

hjlbx

I have tried Norton, Symantec, Kaspersky, etc.

They failed against some very newly introduced malware - especially digitally signed.

Kaspersky, at least, moved some files to the Untrusted category in Application Control.

It's not criticism - just a statement of fact.

No security soft is perfect - but they all are trying to improve their softs.
 

Nightwalker

Fully agree with that, antivirus especially, but the cloud plus machine learning is really helping the industry; because of this technology they aren't doing so badly as some years ago, and we can say with confidence that antivirus isn't dead.

In the future we will probably see a much more aggressive approach; everything that isn't in the "Cloud whitelist" will be blocked or marked as suspicious.
 

hjlbx

I actually like Norton\Symantec products quite a bit.

Insight and SONAR are pretty good.

In fact, if I needed a fully-featured security suite with Parental Control - I would use Norton Internet Security.

It is a "polished" product.
 

jamescv7

The numbers behind those statistics are literally not surprising, especially as their techniques are through the cloud, as claimed, to increase detection.

The fact is that because it's a fast-paced response, a lot of generated data occurs; however, many threats which are very low in prevalence are still a problem for the major AV industry.

Likely it's still in our hands to contribute, as it's not enough to rely on numerous machines to gain a lot of samples.
 