Friday, July 03, 2020
According to anonymized statistics from free requests to the Kaspersky Threat Intelligence Portal, almost three quarters (72%) of the analyzed malicious files fell into three categories: Trojans, Backdoors and Droppers. These statistics highlight that the types of malware that researchers most frequently investigate do not coincide with those that are the most common.
Malicious activity detection is the first step in an attack investigation. To develop response and remediation measures, security analysts need to identify the target of the attack, the origin of a malicious object, its prevalence, etc. Kaspersky experts examined free requests submitted to the Kaspersky Threat Intelligence Portal to reveal which threat categories the malicious objects processed by the portal are most often associated with.
In most cases, submitted hashes or suspicious uploaded files turned out to be Trojans (25%), Backdoors (24%) and Trojan-Droppers (23%). Statistics from Kaspersky Security Network, the infrastructure dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world, also show that Trojans are usually the most widespread type of malware. However, Backdoors and Trojan-Droppers are not as common, making up only 7% and 3% respectively of all malicious files blocked by Kaspersky endpoint products.
This difference can be explained by the fact that researchers are often interested in the final target of the attack, while endpoint protection products seek to prevent it at an early stage. For example, endpoint protection does not allow an end user to open a malicious email or follow a malicious link, preventing backdoors from reaching the user’s computer. In addition, security researchers need to identify all the components inside a dropper.
The popularity of these categories can be explained by the interest in particular threats and the researchers’ need to analyze them in more detail. For example, many users actively searched for information about Emotet, as several news articles appeared about this malware at the beginning of the year. A number of requests were related to Backdoors on the Linux and Android operating systems. Such malware families are of interest to security researchers, but their prevalence is relatively low in comparison to threats targeting Microsoft Windows.
“We have noticed that the number of free requests to the Kaspersky Threat Intelligence Portal to check viruses, or pieces of code that insert themselves into other programs, is less than one percent, but it is traditionally among the most widespread threats detected by endpoint solutions,” said Denis Parinov, acting head of threats monitoring and heuristic detection. “This threat self-replicates and implements its code into other files, which may lead to the appearance of a large number of malicious files on an infected system. As we can see, viruses are rarely of interest to researchers, most likely because they lack novelty compared to other threats.”
Kaspersky Threat Intelligence Portal is a single point of access for the company’s threat intelligence, providing all cyber-attack data and insights gathered by Kaspersky over more than 20 years. Free access to its curated features allowing users to check files, URLs, and IP addresses is available here.
The anonymized requests were aggregated from November 2019 to May 2020.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.