Social Networks Not Major Carrier of Malware, Study Finds


Malware communicating with command and control servers is more commonly associated with custom applications and not social networks, according to an analysis conducted by Palo Alto Networks.

The firm said custom and unknown traffic accounts for 55 percent of malware logs, yet they typically use less than 2 percent of network bandwidth. Most attacks are moving from email as the primary source to custom Web applications, driven by the Black Hole automated attack toolkit, said Wade Williamson, security analyst at Palo Alto Networks.

"Email has always been a workhorse, but now we see a lot of infections moving to the Web, which are driven by the exploit kit," Williamson told CRN. "From an attacker's perspective, it's a good strategy and it's one of those things that is becoming standard operating procedure for attackers."

[Related: Behind The Facebook Breach And Other High-Profile Attacks]

The Santa Clara, Calif.-based network security vendor issued its Application Usage and Threat Report Thursday, analyzing the traffic at more than 3,000 organizations between May and December 2012. Palo Alto, which sells a next-generation firewall, is wrapping intrusion prevention capabilities into its product to compete against other firms in the space.

"Once malware is on the inside talking out, both ends of that conversation are malicious, both ends are untrusted and that changes the way you have to think about security," Williamson said. "The whole game of trying to find malware in your environment cannot be done reliably if you don't decode all the traffic."

The social network taking up the most bandwidth was Facebook, followed by Tumblr, Pinterest, MySpace and Google+.

"Merely blocking all of these applications will indeed improve the security posture of any organization, but not in the massive leaps and bounds that one would hope," Palo Alto Networks said in its report.

The firm said exploits, not malware logs, were more commonly detected in social networking by a ratio of 49 to1. Exploits consist of malicious code designed to target a specific vulnerability, typically a flaw in a user's browser or browser components. Exploits were primarily seen in Facebook third-party applications and widgets. Cross-site scripting attacks, a common technique, were extremely common in a handful of Facebook apps, the firm said. An attacker can put malicious code into a Web application, exploit a vulnerability on a user's machine and then infect that system with malware.

"A small number of applications were responsible for a very large number of cross-site scripting attacks," Palo Alto said in its report. "Facebook has a vast number of applications that are often developed by enthusiasts who may not appreciate the security consequences of their application."

PUBLISHED FEB. 21, 2013