Analysis results of the Kaspersky Threat Intelligence Portal

Analysis


Many of the links and files submitted to the Kaspersky Threat Intelligence Portal turn out on analysis to be Trojans (25 percent), backdoors (24 percent) or Trojan droppers (23 percent)

Almost three quarters (72 percent) of the malicious files analyzed and submitted via the free version of Kaspersky Threat Intelligence Portal were Trojans, backdoors or droppers. Analysis of the submitted data also shows that the types of malware that researchers investigate most often do not necessarily match the most widespread ones.

Detecting malicious activity is only the starting point for investigating an attack. To develop response and remedial actions, security analysts need to identify the target, the origin of a malicious object, its popularity, and much more. The Kaspersky Threat Intelligence Portal helps analysts research this background.

Kaspersky experts examined the free-of-charge requests made to the Kaspersky Threat Intelligence Portal between November 2019 and May 2020 to find out which threats are most commonly associated with the malicious objects the portal processes. In most cases, the submitted hashes or uploaded suspicious files turned out to be Trojans (25 percent of requests), backdoors (24 percent), malware that allows an attacker to remotely control a computer, and Trojan droppers (23 percent), which install further malicious objects. Statistics from the Kaspersky Security Network [3], which analyzes cybersecurity data shared by millions of volunteers around the world, show that Trojans are also typically the most widespread type of malware. Backdoors and Trojan droppers, on the other hand, are far less common: they make up only 7 and 3 percent respectively of all malicious files blocked by Kaspersky endpoint solutions.

Early detection versus analysis

This difference can be explained by the fact that security researchers are often more interested in the ultimate goal of the attack, while endpoint solutions try to prevent an attack at an early stage. For example, they do not allow a user to open malicious emails or follow a malicious link, thereby preventing backdoors from compromising the user's computer. However, security analysts need to identify all components within a dropper.

The difference also reflects researchers' interest in particular threats and their urge to analyze them more closely. When Emotet was widely reported at the beginning of the year, for example, many users actively searched for information about this malware. A number of inquiries also concerned backdoors for the Linux and Android operating systems. These malware families are of interest to security researchers, but their numbers are relatively small compared with threats targeting Microsoft Windows.

Many Trojans in the analysis

"We found that the number of free requests to the Kaspersky Threat Intelligence Portal to scan viruses or pieces of code that compromise other programs is very low - less than one percent," comments Denis Parinov, Acting Head of Threats Monitoring and Heuristic Detection at Kaspersky. "However, based on experience, these are among the most widespread threats detected by endpoint solutions. These replicate themselves and implement their code into other files, which can result in large numbers of malicious files appearing on an infected system. As we can see, viruses are rarely of interest to researchers, most likely because they lack the element of novelty compared to other threats."

The Kaspersky Threat Intelligence Portal gives access to the company's threat intelligence data, covering the information and intelligence on cyber attacks that Kaspersky has collected over more than 20 years. Free access to selected functions, with which users can check files, URLs and IP addresses, is available at https://opentip.kaspersky.com/.

About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructure, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
