'Zero days' last up to six months for some malware

The majority of new malware is added to antivirus signature databases within 24 hours


The majority of new malware is added to antivirus signature databases within 24 hours of first appearance, and 93 percent is detected within a month, but it can take as long as six months for antivirus to catch the remaining 7 percent, according to a new study by Atlanta-based security vendor Damballa, Inc.

In the study, Damballa started with a sample set of tens of thousands of different suspicious files in January of 2014.

Damballa offers a service that monitors for unusual behaviors, helping enterprises spot files with malicious payloads that have gotten past their antivirus software.

Then Damballa researchers ran this "zero day" sample set past the top four antivirus products.

One hour after discovery, the antivirus products missed 70 percent of the malware.

After 24 hours, the antivirus products only missed 34 percent.

After one week, the antivirus products were only missing 28 percent.

After one month, only 7 percent were still missed. It took six months to get to a 100 percent detection rate, said Damballa CTO Brian Foster.

"That time is what we call infection dwell time," he said. "If it took you six months to get detected, that's six months when that hacker has had access to one of your systems."

Foster declined to name the specific brands of antivirus tested, or which ones did better than others.

Damballa doesn't report the malware it finds to the antivirus vendors, he said.

However, individual customers do share with their antivirus vendors the infected files they identify with Damballa's help, and the vendors then share their signatures with one another, he said.

"If someone shares it with McAfee, McAfee is in signature sharing agreements with the antivirus community, and everyone gets it," he said. "That's why the detection rate jumps from 30 percent to 72 percent in a week."

In the majority of cases, the Damballa product doesn't actually spot particular files but instead identifies the suspicious activity itself, Foster said.

For example, an employee might have downloaded malware at an Internet cafe that infected their laptop. When they come back to the office and connect the laptop to the network, the malware will do something unusual and trigger an alert, prioritized by the threat level of the infection.

"Some of our largest customers may have 90 active infections going on at a time, spread around the world," said Foster. "They can't necessarily go and remediate all 90 in 24 hours. But if you can put the asset on a subnet, kick it off the network, remotely patch it, or remotely reimage it, that helps."

In addition, Damballa makes it easier for customers to share the results with antivirus vendors, so that future attacks with the same malware are stopped immediately.

"We work with customers to make it an automated process to share the files that they do see so humans don't have to get in the loop to make the submission to Symantec or McAfee possible," he said.
