New cybersecurity threats are challenging the ability of technology companies and traditional antivirus software companies to keep up, according to a new report from Seattle-based network security company WatchGuard Technologies.
The WatchGuard Technologies Internet Security Report found that 30 percent of malware detected globally by the Seattle-based company in the last three months of 2016 was classified as new or “zero day” code, which antivirus companies had not yet developed signatures to combat.
The inaugural report analyzed data from 24,694 active WatchGuard Firebox security appliances around the world. The company says that during the three-month period covered by the report, its Gateway AntiVirus (GAV) service prevented more than 14.8 million malware variants from entering customer networks. WatchGuard says in the report that its APT Blocker malware prevention service blocked an additional 3.8 million variants.
As a maker of security appliances, it’s in Watchguard’s interest to point out the threats that traditional antivirus solutions are missing. But the underlying data provides a unique view into the evolving landscape of cybersecurity threats.
One surprising type of malware on WatchGuard’s list: malicious macro documents that exploit the capability to create small automated programs for repetitive tasks in Microsoft Office (and particularly Microsoft Word).
“When macro malware first made its comeback in 2014, I was surprised,” admits WatchGuard chief technology officer Corey Nachreiner. “Macro-based malware was one of the most well-known threats back in 1999 (you might recall the Melissa virus). At the time, Office’s default settings for running macros were more permissive. However, after Melissa, Office products changed their defaults, requiring much more user interaction before you could run macros within documents.”
While the technology behind a macro-based attack hasn’t changed a lot since then, Nachreiner said the techniques used to get users to open documents containing macros have evolved in a way that’s making documents with malicious macros a more popular delivery mechanism for attacks. This is despite the fact that newer versions of Microsoft Office require users to actively give permission for macros to be enabled for use in a document.
“From a hacker’s point of view, every user interaction required for an attack lessens its chance of success. So it is surprising to see malicious macro documents make a comeback, simply because they require extra steps from the victim,” he said. “However, social engineering techniques have improved to convince people to enable macros, and perhaps more businesses today legitimately use macros in their official documents, making them more accustomed to enabling them anyway.”
One of the report’s most intriguing suggestions lies in where this new macro-delivered malware is coming from – with report showing that document macro malware appearing most commonly in the US and China – and a comment that “We believe the relationship may have to do with victim/attacker, and will leave you to conclude which is which.”
In an interview with Geekwire, Nachreiner offered a little more data to provide more insight on this. “The macro-based malware in our top ten looked totally different from the standpoint of geographic distribution. For instance, the top macro-based malware on our list (#6) was W97M/Class. We detected this variant 214,792 times (98.6%) in the US and 3,040 (1.4%) times in China,” he said. “However, it did not show up at all in any other countries.”
Nachreiner says the numbers do suggest some kind of relationship between the US and China around this threat. “The other macro malware in our list continued this trend, with the huge majority of detections in the US, and a smaller, but still relevant amount in China. Some later macro threats on our list at least start to have distribution in other countries too, but these were in the 10s and 100s of hits,” he said. “Furthermore, they were still not as widely distributed geographically as other malware. The US and China always had the most hits, with the major prevalence being within the US.”