
FireEye Malware Intelligence Lab

Threat research, analysis, and mitigation


2 posts from August 2011

FireEye Advanced Threat Report 1H2011

Our new 1H 2011 Advanced Threat Report is out! It is our inaugural report, and I think you will find it interesting because it focuses on new and dynamic threats. We have thousands of appliances protecting organizations around the world, and they are deployed _behind_ firewalls, intrusion prevention systems, antivirus and Web gateways. So the threat data reviewed in this report represents _successful_ malware attacks that broke through traditional defenses.

This report illuminates the sophistication of the new breed of cyber-attacks and the success cyber criminals are having penetrating today's corporate networks. Based on 1H 2011 data, we found a significant gap in today's enterprise IT defenses. After reviewing hundreds of thousands of infection cases, we found that 99% of enterprises had malicious infections in their network, and that 80% of enterprises faced more than a hundred new infections per week. The bottom line: today's traditional enterprise IT defenses are not keeping up with the highly dynamic, multi-stage attacks that cyber-criminals now use against enterprises and federal agencies.

We highlight the top infections for 2011, and the (not-so-surprising) fact that attackers continue to rely on customized malicious code toolkits to develop and distribute their threats. The "Top 50" malware families account for over 80% of successful infections seen in the wild. Please have a read of the threat report and let us know whether you were surprised by our findings, and which other malware research topics you'd like to hear more about.

Harnig is Back

Rustock's old buddy Harnig is back in action. Harnig is considered a very widespread pay-per-install malware whose sole purpose is to infect PCs and then download and install a variety of other malware on the system for a small fee. There has been a long-term relationship between the Harnig and Rustock botnets: for the last two years or so, Rustock has almost always been seen being spread through Harnig.

I reported back in March (right after the Rustock botnet shutdown) that the Harnig botnet had abandoned all of its CnCs as well, suspending all of its malicious activities. Rustock hasn't yet tried to claim back its previous position, but the same is not true of Harnig. After months of silence, Harnig is finally back in business, resuming all of its usual malicious activities.

A controlled run of Harnig in my lab shows it downloading a number of malware samples onto the infected machine.
