Shockingly, tweaked old malware often works just as well as the new stuff
There are currently around 1,500 malware types in global circulation, but it might surprise UK business users to hear that two of the three most likely to be detected on Britain's enterprise networks in late 2015 first menaced the world nearly eight years ago.
New figures from enterprise security firm Check Point for October found that the top three malware families among the company's UK customers were (in order of severity) Conficker, the prodigious botnet malware from 2008; Neutrino NK, a ransomware exploit engine from 2013; and Hacker Defender, a rootkit also from 2008. As a new calculation from the firm's ThreatCloud system, these figures cover only one month, but there is no reason to think they do not reflect the year as a whole.
Globally, names such as Cutwail, first detected in 2007, and Sality from 2010 also feature prominently on the Check Point list, and ram home the same theme: unusual targeted malware might offer a potent threat, but the day-to-day menace comes from old names that just won't go away. The volumes are also surprising, with Conficker, Cutwail and Sality alone accounting for two in five malware examples detected, and the aged Conficker making up one in five on its own.
Looking further down the top ten list, the theme of old malware continues. We note the additional examples here with their year of first detection: Gamarue (2012), Alman (2007), Agent.Trojan (a generic threat, but 2006 onwards), Pushdo (Cutwail's Trojan, 2007), ZeroAccess (2011) and Fareit (2012).
There is a reason why malware this old hangs around: it works. Years after it first appeared, Conficker for one sits exactly where it has for most of the time since it became a menace, which is to say near the top of every league table for detected malware. Much of the old malware is still good at feeding botnets with the clients they need for ever larger DDoS attacks, a primary reason why criminals persist with so much of this old code.
Most of these families will have evolved from their original incarnations, but it remains true that introducing small changes to attempt to evade detection is still worth it in most cases. The level of complexity or innovation required to beat most security systems most of the time is not high.
“It’s easy for hackers to use obfuscation tools to make small changes to malware code that enables it to bypass conventional AV defences, which is why existing, long-established malware families like Conficker are still in widespread use,” said Simon Moor, Check Point’s UK regional director.
“Their core functions are still effective if they can be smuggled onto a network by disguising them.”
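The point Moor makes above, that a small change to a known file is enough to slip past a conventional signature, can be shown concretely. The following Python is an added example, not code from the article or from Check Point: a whole-file hash signature misses a variant that differs by one flipped byte and some padding, while a simple byte n-gram similarity score still ties the variant to its parent. The byte blobs are constructed stand-ins, not real samples.

```python
import hashlib

# Constructed stand-ins for a known sample and an obfuscated variant of it.
# They are arbitrary bytes, not real malware.
KNOWN = bytes(range(256)) * 4
_v = bytearray(KNOWN)
_v[100] ^= 0xFF                 # flip a single byte
_v += b"\x90" * 16              # append some padding
VARIANT = bytes(_v)
UNRELATED = b"hello world" * 100  # a file with nothing in common with KNOWN

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def exact_signature_match(sample, known_hashes):
    """Conventional whole-file hash signature: any change to the file defeats it."""
    return sha256(sample) in known_hashes

def ngrams(data, n=8):
    """Set of all n-byte windows in data, an order-insensitive 'shape' of the file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def similarity(a, b, n=8):
    """Jaccard similarity of the two files' n-gram sets: 0.0 disjoint, 1.0 identical."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0

def fuzzy_match(sample, known_samples, threshold=0.8):
    """Flag sample if it is near-identical to any known sample, byte flips and padding aside."""
    return any(similarity(sample, k) >= threshold for k in known_samples)

if __name__ == "__main__":
    sigs = {sha256(KNOWN)}
    for name, blob in (("variant", VARIANT), ("unrelated", UNRELATED)):
        print(name, "exact:", exact_signature_match(blob, sigs),
              "fuzzy:", fuzzy_match(blob, [KNOWN]),
              "similarity: %.2f" % similarity(blob, KNOWN))
```

Real products use more robust similarity schemes than raw n-gram overlap, but the contrast is the same: an exact signature is brittle against trivial edits, while structure-aware matching is not.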
There is nothing new about this observation, but it is still extraordinary that the rule holds true deep into what we are often told is an age of complex, targeted threats. It's not, of course, that innovative, hard-to-detect malware isn't out there and can't do damage, but it's sobering that malware writers are able to keep firing the same old routines at networks and achieving success.
At least UK enterprises score well on a global level, with one of the lowest detection rates at PC level of only 1.4 ‘events’ per machine. This put the country in 111th place, joint equal with the US, out of 133 countries measured. Comparable European countries included Germany (93rd), Switzerland (89th), Spain (57th), France (54th) and Italy (40th). It could be far worse; one country, Tanzania, experienced an alarming and hard-to-fathom score of 100 percent.