Introducing the Modern Malware Review
One of the core concepts behind WildFire is the ability to provide better protection against malware by sharing data across many networks. In most cases this sharing is automatic: new malware (or a new variant of known malware) is seen in a network in Los Angeles, and within 30 to 60 minutes all subscribing customers worldwide are protected from that malware and its variants. However, this idea of shared protection extends well beyond looking at individual malware samples, and that broader view is the core idea behind our first version of the Modern Malware Review (you can read it here).

In this study we analyzed 3 months of WildFire data, drawn from more than 1,000 real networks. That perspective let us dig into the major trends we are seeing in malware and, most importantly, into how that information can be used to better protect your networks. One of the most encouraging findings was that about 70% of the unique malware (unique by hash value) retained identifiers, in either the payload or its network traffic, that can potentially be used for enforcement.

Of particular note, we found that WildFire subscribers can proactively block up to 40% of the unknown malware hitting enterprise networks by using WildFire signatures. These signatures identify malware by identifiers in the file header and payload that often persist even when the sample's hash and filename change. In this data set, 40% of the samples that appeared to be unique by name and hash value were observably related to samples already seen, and therefore blockable by an existing signature. This certainly doesn't solve the modern malware problem, but a move toward a more proactive approach that can significantly reduce the scope of the problem is still pretty exciting.
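The distinction the two paragraphs above rely on, between a hash that changes with every variant and identifiers in the header, payload or traffic that usually do not, is easy to see in code. What follows is an added example, not code from the original post or from WildFire itself: the sample family, its mutex name and C2 URI fragment, the filenames, the proxy log lines and the signature are all constructed for illustration, and a real signature engine is far richer than the substring-and-regex matcher shown here.

```python
"""Hash blocklist versus content signature across malware variants.

Added example, not code from the original post or from WildFire. The sample
family, its mutex name, C2 URI fragment and the proxy log lines are all
constructed for illustration; nothing here is real malware.
"""
import hashlib
import re
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample(build_id: int, c2_host: bytes, padding: bytes) -> bytes:
    """Constructed 'family member': each build differs in stamp, padding and
    config (so its hash differs) but keeps the mutex name and C2 request shape."""
    return (
        b"MZ" + b"\x90" * 14                      # fake DOS header stub
        + b"PE\x00\x00"
        + b"BUILD=" + str(build_id).encode() + b";"
        + padding                                  # per-build junk: changes the hash
        + b"Global\\Mtx_a9f3b2c1"                  # mutex shared by the whole family
        + b"\x00" * 8
        + b"GET /gate.php?id=%s&v=" + c2_host      # C2 request template
        + b"\x00" * 4
    )


# Three variants as they might arrive, under three different filenames (constructed).
SAMPLES = {
    "invoice.exe": build_sample(1, b"update-cdn.example", b"\x00" * 32),
    "report.pdf.exe": build_sample(2, b"cdn-static.example", b"\xcc" * 48),
    "setup.exe": build_sample(3, b"update-cdn.example", b"\x00" * 16),
}

# A benign-looking blob with the same fake header but none of the family markers.
BENIGN = b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"Hello, world. Nothing to see." + b"\x00" * 40


@dataclass
class Signature:
    """Minimal content signature: every raw pattern must be present and every
    regex must match somewhere in the file."""
    name: str
    patterns: list[bytes]
    regexes: list[re.Pattern] = field(default_factory=list)

    def matches(self, data: bytes) -> bool:
        return all(p in data for p in self.patterns) and all(
            r.search(data) for r in self.regexes
        )


FAMILY_SIG = Signature(
    name="constructed_family_a",
    patterns=[b"Global\\Mtx_a9f3b2c1", b"/gate.php?id="],
    regexes=[re.compile(rb"MZ.{14}PE\x00\x00", re.DOTALL)],  # header shape
)

# The same C2 identifier, seen from the network side in a (constructed) proxy log.
TRAFFIC_RE = re.compile(rb"GET /gate\.php\?id=[0-9a-f]{8}&v=[a-z0-9.-]+")

CONSTRUCTED_PROXY_LOG = [
    b"10.0.1.12 GET /gate.php?id=7f3a9c1d&v=update-cdn.example HTTP/1.1",
    b"10.0.1.33 GET /index.html HTTP/1.1",
    b"10.0.1.12 GET /gate.php?id=c01dbeef&v=cdn-static.example HTTP/1.1",
]


def hash_blocklist_hits(samples: dict[str, bytes], blocklist: set[str]) -> dict[str, bool]:
    """Hash-based enforcement: a sample is blocked only if its exact hash is known."""
    return {name: sha256_hex(data) in blocklist for name, data in samples.items()}


def signature_hits(samples: dict[str, bytes], sig: Signature) -> dict[str, bool]:
    """Signature-based enforcement: blocks every sample carrying the family markers."""
    return {name: sig.matches(data) for name, data in samples.items()}


def traffic_hits(log_lines: list[bytes]) -> list[bytes]:
    """Traffic-side enforcement: flag requests matching the family's C2 pattern."""
    return [line for line in log_lines if TRAFFIC_RE.search(line)]


if __name__ == "__main__":
    # The blocklist knows only the first variant ever seen.
    known = {sha256_hex(SAMPLES["invoice.exe"])}
    print("hash blocklist:", hash_blocklist_hits(SAMPLES, known))
    print("signature:     ", signature_hits(SAMPLES, FAMILY_SIG))
    print("benign matches:", FAMILY_SIG.matches(BENIGN))
    print("C2 traffic:    ", len(traffic_hits(CONSTRUCTED_PROXY_LOG)))
```

Run as a script, the hash blocklist catches only the one variant it has already seen, while the content signature catches all three (and ignores the benign blob), and the traffic pattern picks the two C2 requests out of the log. The point is the 40% figure above: a blocklist keyed on hash is only as good as the last sample you collected, whereas a signature keyed on what the author had to leave unchanged (a mutex, a request format, a header layout) covers variants you have not seen yet. The trade-off is that a content signature needs a tight combination of markers, as here, or it will start matching unrelated files.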

Additionally, we were able to track the most common malware infection vectors, communication strategies, and behaviors on the target host. Many of these behaviors and techniques can be used in conjunction with the next-generation firewall to further reduce the risk from unknown and targeted malware. Take a read through the report and let us know what you think.
