ScanSafe Report Says Signature-based Scanners Missed Most Gumblar Attacks

SaaS Web security provider says Gumblar responsible for one of every eight malware blocks last quarter

ScanSafe's quarterly Global Threat Report, issued today, says that at its peak last quarter, 88 percent of malware blocks were zero-day threats and therefore not detected by signature-based scanners. The single largest contributor to the problem: second-stage Gumblar attacks.

Web-delivered malware rose 36 percent from the first quarter of 2009. "Overall, 14 percent of all Web malware encounters in 2Q09 were the result of encounters with Gumblar-compromised websites," according to the report. When combined, the next four most-popular threats in its top-ten list were responsible for just 8 percent of all threats.

The company calls Gumblar "the most sophisticated mass compromise seen this year," noting that "2008 was the largest year on record for Web-delivered malware, with a massive 300% increase from 2007. By all accounts, 2009 is on track to double that number."

"The fact that the most serious threat of the year was not detectable by most standard antivirus signatures should serve as yet another wake up call to the security community,” said Mary Landesman, senior security researcher at ScanSafe, in a statement.

“The evasiveness and sophistication of the Gumblar threat has set quite a precedent for threats to come. Companies need to be prepared with a comprehensive Web security solution -- specifically, a solution that adequately protects against the increasing rate of zero day threats,” Landesman said. (The company claims its Outbreak Intelligence product blocked one out of every three Web malware encounters during this period.)

ScanSafe said signatures for "Gumblar-compromised sites were not generally available until three weeks after the largest peak of Gumblar website compromises."

ScanSafe also reported a sharp increase in data theft Trojans during the quarter, increasing 37 percent over Q1. "The most prevalent of these encounters were with Backdoor Trojans, which can lead to data theft, registry manipulation. and full control of files on an infected system, among other things," the company warned.

“It is alarming that the prevalence of data theft trojans has increased so significantly this quarter, but not surprising,” said Landesman, in the company statement. “Stolen data is in high demand and in this economy cyber criminals are motivated to develop increasingly sophisticated tactics to obtain it.”

The two-page report can be downloaded from www.scansafe.com (short registration is required).