Web malware favoured 5-to-1 over email attacks, FireEye reports

Authors of insidious and targeted advanced persistent threats (APTs) all but ignored Australia during 2013, an analysis of the year's security events by security firm FireEye has found.

The company's FireEye Advanced Threat Report 2013 analysed some 39,504 unique cyber security incidents detected during 2013, of which 4192 were associated with advanced persistent threats (APTs).

Some 17,995 unique malware infections were discovered due to APT activity, with the US, Canada and Germany targeted by the highest number of unique malware families. FireEye identified 159 distinct APT-associated malware families, many of which were created using publicly available hacker tools like Dark Comet, LV, Gh0stRAT, and Poison Ivy.

As well as noting hackers' reliance on toolkits, FireEye noted that hackers had focused “significant effort on evasion and persistence”. This included innovations such as malware that only executes when users move a mouse – tricking sandbox detection systems because the malware doesn't generate activity when the system isn't being used. Malware authors had also begun incorporating virtual-machine detection so as to bypass security efforts based on virtual sandboxing.

Significantly, the analysis found that 92 percent of email attacks were .ZIP files – a finding that the company says “should encourage serious debate about how to filter such files in corporate networks.”

Command-and-control (CnC) infrastructure, which is used to co-ordinate the activities of large-scale malware around the world, was found in 206 countries – up from 184 detected CnC sources in 2012. The US, Germany, South Korea, China, Netherlands, UK, and Russia were home to the most CnC servers.

Australia was nowhere to be seen in the report's country-based breakdown of APT activity – in high contrast to a recent report from Fortinet, whose own recent findings said Australia was the second most-attacked country, behind the US but ahead of the UK, Israel, Japan, France, Puerto Rico, Turkey, Mexico, and Kazakhstan.

Similarly, a Trend Micro Labs analysis, published in the middle of 2013, also found Australia was a significant source of CnC traffic and had the world's second-highest botnet concentration.

FireEye's figures found that APT perpetrators were far and away focused on the United States, where 125 different malware families were observed. Canada suffered attacks by 52 different families of malware; Germany, 45; the UK, 43; and Japan, 37.

The firm's analysis also revealed some common trends in the distribution and behaviour of APTs, with federal government bodies targeted by the highest number of unique malware families and services, technology, financial services and telecommunications companies rounding out the top five.

Web-derived malware outnumbered email-derived malware by a ratio of five to one, with Java the most common zero-day focus for attackers and a burst of Internet Explorer watering hole attacks observed – particularly against US government Web sites – in the second half of the year.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwareFireEye

More about APTFireEyeFortinetTrend Micro Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

More videos

Blog Posts