Malicious URLs Slipping Past Security Vendors, Experts Weigh In

BACKGROUND:

In a new report, “Characterizing Malicious URL Campaigns”, researchers analyzed a data set of 311M records containing 77M URLs that had been submitted to the online virus checking website VirusTotal between December 2019 and January 2020. Key findings:

  • 17M unique pieces of content were flagged
  • Attacks seem rampant in the United States
  • 98.27% of all flagged submissions were detected by less than 10 vendors
  • The majority of submissions were automated, with a large percentage coming from a select few vendors
  • 58.98% of submissions were unflagged
  • 98.27% (125.6M) of all flagged submissions were detected by 10 or fewer vendors.
  • Detection rates fell to just 13.27% when campaigns used more than 100 unique URLs
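The findings above are aggregate figures over per-URL vendor verdicts. The following added example (not from the report or from VirusTotal) shows how a defender can compute the same kinds of figures over scan results of their own, and why the "most flagged URLs are caught by 10 or fewer vendors" finding argues against a blocking policy that waits for many vendors to agree. The record layout, the campaign grouping key and the sample records are constructed for illustration and are not any vendor's API schema.

```python
"""Added example: aggregate multi-vendor URL scan verdicts the way the
report's key findings do (unflagged share, low-consensus share, per-campaign
detection rate) and measure how much real signal a 'require N vendors'
policy discards. Record layout and sample data are constructed here; they
are not the report's data set or any scanning service's API schema."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScanRecord:
    url: str            # defanged, constructed URL
    campaign_id: str    # constructed grouping key for URLs sharing a lure
    malicious: int      # number of vendors that flagged the URL
    total_vendors: int  # number of vendors that returned a verdict


# Constructed sample records (not from the report).
SAMPLE: List[ScanRecord] = [
    ScanRecord("hxxp://lure-a1.test/login", "A", 0, 70),
    ScanRecord("hxxp://lure-a2.test/login", "A", 3, 70),
    ScanRecord("hxxp://lure-a3.test/login", "A", 1, 70),
    ScanRecord("hxxp://lure-a4.test/login", "A", 0, 70),
    ScanRecord("hxxp://lure-b1.test/invoice", "B", 12, 70),
    ScanRecord("hxxp://lure-b2.test/invoice", "B", 25, 70),
    ScanRecord("hxxp://lure-c1.test/update", "C", 0, 70),
    ScanRecord("hxxp://lure-c2.test/update", "C", 2, 70),
]


def is_flagged(record: ScanRecord) -> bool:
    """A URL counts as flagged if at least one vendor called it malicious."""
    return record.malicious > 0


def summarise(records: List[ScanRecord],
              low_consensus_max: int = 10) -> Dict[str, float]:
    """Report-style aggregate figures over a set of scan records."""
    total = len(records)
    flagged = [r for r in records if is_flagged(r)]
    low = [r for r in flagged if r.malicious <= low_consensus_max]
    return {
        "submissions": total,
        "unflagged_pct": round(100.0 * (total - len(flagged)) / total, 2)
        if total else 0.0,
        "flagged_low_consensus_pct": round(100.0 * len(low) / len(flagged), 2)
        if flagged else 0.0,
    }


def campaign_detection_rate(records: List[ScanRecord],
                            campaign_id: str) -> float:
    """Share of a campaign's URLs that at least one vendor flagged."""
    members = [r for r in records if r.campaign_id == campaign_id]
    if not members:
        return 0.0
    return sum(1 for r in members if is_flagged(r)) / len(members)


def missed_by_consensus_policy(records: List[ScanRecord],
                               min_vendors: int) -> float:
    """Fraction of flagged URLs that a 'block only if >= min_vendors agree'
    policy would still allow. Because most detections come from only a few
    vendors, raising min_vendors quickly throws away real signal."""
    flagged = [r for r in records if is_flagged(r)]
    if not flagged:
        return 0.0
    return sum(1 for r in flagged if r.malicious < min_vendors) / len(flagged)


def verdict(record: ScanRecord, min_vendors: int = 1) -> str:
    """Defensive policy: act on any single vendor detection by default."""
    return "block" if record.malicious >= min_vendors else "allow"


if __name__ == "__main__":
    print(summarise(SAMPLE))
    for cid in ("A", "B", "C"):
        print(cid, campaign_detection_rate(SAMPLE, cid))
    for threshold in (1, 5, 10):
        print(threshold, missed_by_consensus_policy(SAMPLE, threshold))
```

On the constructed sample, a policy that waits for five agreeing vendors lets 60% of the URLs that some vendor did flag through, which is the practical consequence of the report's low-consensus finding: treat any vendor hit as a lead to investigate rather than waiting for majority agreement, and corroborate with your own telemetry.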

Expert Comments

September 23, 2021
Bill Lawrence
CISO
SecurityGate

It should come as no surprise that online virus checking services like VirusTotal don’t alert on every single malicious URL campaign that is submitted, despite running the gauntlet past over 70 security vendors. URLs are very easy to create, especially complex and confusing ones that take the human and the endpoint device somewhere very bad on the Internet, and they probably come back with something even worse for the whole network ‘family’. So, don’t rely on these sites as the single point of defense for your users and systems to sound an ‘all clear’, since a majority of modern detection technology seems generally ineffective, per the report.

Also, it is important to understand that any raw data such as URLs and other artifacts (like slide decks) that are uploaded to these service sites get shared with their ‘security partners’ as well as ‘customers’ and even though “all of whom are contractually bound to use the Services and any of its contents only for internal security purposes” - if you don’t want something confidential on the internet, don’t upload it here either.

Still, as a benefit to defenders, VirusTotal is starting to get unclassified malware samples right from the Cyber National Mission Force, a unit of the US Cyber Command. Hopefully, the security vendors will make quick use of these updates for their customers and make life more difficult for the attackers.

September 23, 2021
Doug Britton
CEO
Haystack Solutions

It is startling to see just how ineffective the majority of malware detection solutions are. Relying on a single vendor to defend your networks could contain more risk than you may think. As a community, we need to significantly improve the talent entering the cybersecurity profession. We have the tools to find them and get them into the fight. If malware is considered a cat and mouse game, then investing in talent is a game-changer.

September 23, 2021
Garret F. Grajek
CEO
YouAttest

VirusTotal is the industry method of validating the efficacy of the various vendors who work to detect these malicious URLs. If the report is showing that these URLs are not picked up by these vendors - then "it's game on" for the attacker. These sites often host malware that enables the attacker to start the infection into the enterprise or user who accesses a desired enterprise. That's why it's important to mitigate the actions of the attackers at every level.

The next step for the attacker after the malware is installed is to implement lateral movement, privilege escalation and persistency. Detecting these efforts is a necessary line of defense after the initial wall has been breached.

September 23, 2021
Saryu Nayyar
CEO
Gurucul

As individual computer users, we like to think that our anti-virus software protects us from all known attacks. However, a large-scale analysis of malicious URLs shows that individual anti-virus and anti-malware packages did not identify many of the links, and none of the packages tested identified all of them.

This study demonstrates conclusively that a single point product for attacks is insufficient. Enterprises need anti-virus and anti-malware, sure, but that has to be just one aspect of a comprehensive threat identification and response strategy. Enterprises need a layered strategy to make sure all aspects of security are covered.
