Malicious URLs Slipping Past Security Vendors, Experts Weigh In

By ISBuzz Team
Writer, Information Security Buzz | Sep 23, 2021 04:42 am PST


In a new report, "Characterizing Malicious URL Campaigns", researchers analyzed a data set of 311M records containing 77M URLs that had been submitted to the online virus checking website VirusTotal between December 2019 and January 2020. Key findings:

  • 17M unique pieces of content were flagged
  • Attacks seem rampant in the United States
  • 98.27% of all flagged submissions were detected by less than 10 vendors
  • The majority of submissions were automated, with a large percentage coming from a select few vendors
  • 58.98% of submissions were unflagged
  • 98.27% (125.6M) of all flagged submissions were detected by 10 or fewer vendors.
  • Detection rates fell to just 13.27% when campaigns used more than 100 unique URLs
4 Expert Comments
Doug Britton, CEO
September 23, 2021 12:56 pm

It is startling to see just how ineffective the majority of malware detection solutions are. Relying on a single vendor to defend your networks could contain more risk than you may think. As a community, we need to significantly improve the talent entering the cybersecurity profession. We have the tools to find them and get them into the fight. If malware is considered a cat and mouse game, then investing in talent is a game-changer.

Garret F. Grajek
September 23, 2021 12:55 pm

VirusTotal is the industry method of validating the efficacy of the various vendors who work to detect these malicious URLs. If the report is showing that these URLs are not picked up by these vendors, then "it's game on" for the attacker. These sites often host malware that enables the attacker to start the infection into the enterprise or user who accesses a desired enterprise. That's why it's important to mitigate the actions of the attackers at every level.

The next step for the attacker after the malware is installed is to implement lateral movement, privilege escalation and persistency. Detecting these efforts is a necessary line of defense after the initial wall has been breached.

Saryu Nayyar, CEO
September 23, 2021 12:53 pm

As individual computer users, we like to think that our anti-virus software protects us from all known attacks. However, a large-scale analysis of malicious URLs shows that individual anti-virus and anti-malware packages did not identify many of the links, and none of the packages tested identified all of them.

This study demonstrates conclusively that a single point product for attacks is insufficient. Enterprises need anti-virus and anti-malware, sure, but that has to be just one aspect of a comprehensive threat identification and response strategy. Enterprises need a layered strategy to make sure all aspects of security are covered.

Bill Lawrence, CISO
September 23, 2021 12:50 pm

It should come as no surprise that online virus checking services like VirusTotal don't alert on every single malicious URL campaign that is submitted, despite running the gauntlet past over 70 security vendors. URLs are very easy to create, especially complex and confusing ones that take the human and the endpoint device somewhere very bad on the Internet, and they probably come back with something even worse for the whole network 'family'. So, don't rely on these sites as the single point of defense for your users and systems to sound an 'all clear', since a majority of modern detection technology seems generally ineffective, per the report.

Also, it is important to understand that any raw data such as URLs and other artifacts (like slide decks) that are uploaded to these service sites get shared with their 'security partners' as well as 'customers', and even though "all of whom are contractually bound to use the Services and any of its contents only for internal security purposes", if you don't want something confidential on the internet, don't upload it here either.

Still, as a benefit to defenders, VirusTotal is starting to get unclassified malware samples right from the Cyber National Mission Force, a unit of the US Cyber Command. Hopefully, the security vendors will make quick use of these updates for their customers and make life more difficult for the attackers.
