'Zero days' last up to six months for some malware

The majority of new malware is added to antivirus signature databases within 24 hours of first appearance, and 93 percent is detected within a month, but it can take as long as six months for antivirus to catch the remaining 7 percent, according to a new study by Atlanta-based security vendor Damballa, Inc.

In the study, Damballa started with a sample set of tens of thousands of different suspicious files in January of 2014.

Damballa offers a service that monitors for unusual behaviors, helping enterprises spot files with malicious payloads that have gotten past their antivirus software.

Then Damballa researchers ran this "zero day" sample set past the top four antivirus products.

One hour after discovery, the antivirus products missed 70 percent of the malware.

After 24 hours, the antivirus products only missed 34 percent.

After one week, the antivirus products were only missing 28 percent.

After one month, only 7 percent were still missed. It took six months to get to a 100 percent detection rate, said Damballa CTO Brian Foster.

"That time is what we call infection dwell time," he said. "If it took you six months to get detected, that's six months when that hacker has had access to one of your systems."
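To make the "dwell time" point concrete, the following added example (not code from the article or from Damballa) turns the detection figures quoted above into bounds on the mean number of days a sample in the set stayed undetected, and shows how much of that time is owed to the final 7 percent. The hour values assumed for "one month" (30 days) and "six months" (182.5 days) are assumptions, not figures from the study.

```python
# Added example, not from the article: bound the mean "infection dwell time"
# implied by the detection curve. The checkpoint fractions are the article's
# figures; the lengths of "one month" and "six months" are assumptions.
from typing import List, Tuple

HOUR, DAY = 1.0, 24.0

# (hours since first appearance, fraction of the sample set still undetected)
MISSED_CURVE: List[Tuple[float, float]] = [
    (0.0, 1.00),          # before any signature exists, nothing is detected
    (1 * HOUR, 0.70),     # one hour after discovery
    (24 * HOUR, 0.34),    # 24 hours
    (7 * DAY, 0.28),      # one week
    (30 * DAY, 0.07),     # one month (assumed 30 days)
    (182.5 * DAY, 0.00),  # six months (assumed 182.5 days): 100 percent detected
]


def dwell_time_bounds(curve=MISSED_CURVE) -> Tuple[float, float]:
    """Return (lower, upper) bounds on the mean dwell time in days.

    Mean dwell time is the area under the still-undetected curve. Between two
    checkpoints only the end fractions are known, so the true area lies between
    assuming every detection happened right after the earlier checkpoint
    (lower bound) and right before the later one (upper bound).
    """
    lower = upper = 0.0
    for (t0, m0), (t1, m1) in zip(curve, curve[1:]):
        width = t1 - t0
        lower += m1 * width   # detections as early as the interval allows
        upper += m0 * width   # detections as late as the interval allows
    return lower / DAY, upper / DAY


def tail_share(curve=MISSED_CURVE) -> float:
    """Fraction of the upper-bound dwell time owed to the last interval, i.e.
    to the samples still missed at the second-to-last checkpoint (the 7 percent)."""
    _, upper_days = dwell_time_bounds(curve)
    (t0, m0), (t1, _) = curve[-2], curve[-1]
    return (m0 * (t1 - t0) / DAY) / upper_days


if __name__ == "__main__":
    lo, hi = dwell_time_bounds()
    print(f"mean dwell time: between {lo:.1f} and {hi:.1f} days")
    print(f"share of the upper bound owed to the final 7 percent: {tail_share():.0%}")
```

Under these assumptions the 7 percent that took up to six months accounts for roughly half of the upper-bound dwell time, which is why the long tail, not the first 24 hours, drives the risk the quote describes.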

Foster declined to name the specific brands of antivirus tested, or which ones did better than others.

Damballa doesn't report the malware it finds to the antivirus vendors, he said.

However, individual customers do pass the infected files that Damballa helps them identify on to their own antivirus vendors, and the vendors then share their signatures with one another, he said.

"If someone shares it with McAfee, McAfee is in signature sharing agreements with the antivirus community, and everyone gets it," he said. "That's why the detection rate jumps from 30 percent to 72 percent in a week."

In the majority of cases the Damballa product doesn't actually spot particular files; instead, it identifies the suspicious activity, Foster said.

For example, an employee might have downloaded malware at an Internet cafe that infected their laptop. When they come back to the office and connect the laptop to the network, the malware will do something unusual and trigger an alert, prioritized by the threat level of the infection.

"Some of our largest customers may have 90 active infections going on at a time, spread around the world," said Foster. "They can't necessarily go and remediate all 90 in 24 hours. But if you can put the asset on a subnet, kick it off the network, remotely patch it, or remotely reimage it, that helps."

In addition, Damballa makes it easier for customers to share the results with antivirus vendors, so that future attacks with the same malware are stopped immediately.

"We work with customers to make it an automated process to share the files that they do see so humans don't have to get in the loop to make the submission to Symantec or McAfee possible," he said.


Stories by Maria Korolov
