Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Friday, January 22, 2010

Signature-based scanners miss 88% of Gumblar attacks

In its quarterly Global Threat Report issued today, ScanSafe, the pioneer and leading provider of SaaS Web Security, reported that at its highest peak in the second quarter of 2009, 88% of ScanSafe malware blocks were zero-day threats, meaning that the vast majority of the attacks were not detected by signature-based scanners. The single largest contributor to the high rate of signature misses was the second-stage Gumblar attacks.

The overall rate of zero-day Web malware in 2Q09 was 32% – nearly one in three Web malware encounters were blocked via ScanSafe Outbreak Intelligence™ zero-day threat protection. Companies relying on signature-based scanners alone would have been extremely vulnerable, given that signatures for Gumblar-compromised sites were not generally available until three weeks after the largest peak of Gumblar website compromises.

ScanSafe noted that the rate of Web-delivered malware increased sharply in the second quarter of 2009 – a staggering 36% from 1Q09. This was also due in large part to Gumblar, the most sophisticated mass compromise seen this year. 2008 was the largest year on record for Web-delivered malware, with a massive 300% increase from 2007. By all accounts, 2009 is on track to double that number.

“The fact that the most serious threat of the year was not detectable by most standard antivirus signatures should serve as yet another wake-up call to the security community,” said Mary Landesman, senior security researcher at ScanSafe. “The evasiveness and sophistication of the Gumblar threat has set quite a precedent for threats to come. Companies need to be prepared with a comprehensive Web security solution – specifically, a solution that adequately protects against the increasing rate of zero-day threats.”

Worryingly, the second quarter of 2009 also demonstrated a sharp increase in data theft trojans. The rate of encounters with data theft trojans increased 37% in 2Q09. The most prevalent of these encounters were with Backdoor trojans, which can lead to data theft, registry manipulation and full control of files on an infected system, among other things. “It is alarming that the prevalence of data theft trojans has increased so significantly this quarter, but not surprising,” said Landesman. “Stolen data is in high demand and in this economy cyber criminals are motivated to develop increasingly sophisticated tactics to obtain it.”
