Palo Alto Pinpoints Older Ports That Are Letting In Malware


Enterprise IT professionals need to monitor nonstandard ports, such as those used by FTP and other file-sharing protocols, according to network security vendor Palo Alto Networks, which studied more than 26,000 malware samples that initially went undetected by antivirus.

Malware using the FTP protocol is significant enough to warrant attention, said Wade Williamson, a senior security analyst at Palo Alto Networks. The firm found that 97 percent of the unknown malware picked up by Palo Alto never use standard ports.

"If you talk to most enterprise IT guys, they're not spending much time worrying about FTP because it's seen as a dusty old protocol," Williamson told CRN. "Some of these older protocols that are flexible and still work are being used by attackers because nobody is going to blink if they see it."

[Related: 5 Most Dangerous New Hacking Techniques]

The Palo Alto malware analysis issued Monday found that Web browsing dominated as the source of undetected malware, accounting for 68 percent of total malware, but more than 90 percent of undetected samples. Meanwhile, malware from email (SMTP) accounted for 25 percent of the total malware, but it is much more heavily scrutinized by antivirus vendors, accounting for only 2 percent of fully undetected malware.

Williamson said that 40 percent of the samples analyzed by Palo Alto were malware variants, based on an older piece of malicious code. The firm said it found two classes of malware: Trojans designed to be truly targeted and polymorphic botnets -- mainly Zeus and Zero Access -- designed to steal account credentials and drain bank accounts. The Web servers that deliver the malware can automatically re-encode the malware payload to appear unique, bypassing most traditional security defenses, including antivirus.

"The technology that people have in general for finding bad things on the wire and in real time are a lot more generic, looking for hashes, URLs and file names," Williamson said "All of those things are very easy to make new again."

The analysis found custom traffic and malware behaviors can be used to detect and contain threats before they become a serious problem. The firm said that 30 percent of the malware it analyzed generated custom traffic. Some malware may use standard protocols, but peer-to-peer, instant messaging and remote desktop protocols and applications were common targets, Williamson said.

Palo Alto is pushing its new WildFire virtual sandboxing technology to identify malicious behaviors in executable files. The cloud-based service analyzes the files and automatically writes signatures, which are issued to WildFire customers on a daily basis.

Williamson said the service works because of its speed. Sandboxing technology can quickly analyze suspicious files before they execute on a system, he said. After a system was infected the malware entered a sleep cycle to avoid detection in nearly 57 percent of the attacks analyzed by Palo Alto.

Nearly 25 percent masqueraded as a Windows program, the firm found. Code injection, a process of injecting itself into a running process, was observed in more than 13 percent of the malware samples.

"If you can either get yourself into one of the protected Windows directories you are not going to get found by a casual user," Williams said. "You see lots of things that share the strategy that if I can name myself or overwrite a protected file in the operating system then I'm golden."

In addition, the security firm found that SSL was used frequently to keep content hidden from network security appliances. The security evasion tool Ultrasurf, which provides an encrypted tunnel to bypass firewalls and network appliances, was observed as one of the top downloaders.

"Its whole purpose is to punch through firewall and IPSes," Williamson said. "It's interesting to see malware authors grabbing this wholesale and using it for communication back out of the network."

PUBLISHED MARCH 25, 2013