As a company with huge volumes of data to process, there are many ways we can choose to present statistical information. During a recent event at SEMAFOR, Poland, we presented the following slide:
What was surprising to us was that the 20-year old Polish malware Prosiak 65 was the most prevalent virus trigger detected by our sensors during the preceding six-month period. During the presentation, the Fortinet presenter flagged that this statistic was anomalous, and indicated to the audience that he had discussed it with a Fortinet Data Scientist to verify the information.
We have seen this same malware jump onto the Top 5 Global Malware list in our FortiGuard Threat Report on multiple occasions (30th June 2017 and 24th November 2017), but why would a dead virus sample from almost 20 years ago be making such a major appearance in our world-wide stats?
Prosiak 65 is a malware that was first seen almost 20 years ago. As with many older malware, it also continues to be in circulation. While the overall prevalence of Prosiak 65 has declined across locations, we have and continue to see repeated activity – including a spike during 2018 and during the recent six months.
There are a few reasons why an old piece of malware like this might be triggering our systems:
To determine which of these reasons apply, the Fortinet threat research team has investigated this in more depth, and believes that the signature W32/BackDoor.Prosiak.65 is correctly identifying the sample found here on VirusTotal. From our in-house testing we have shown that, while very old, this malware can still run and infect files on Windows XP and Windows 7 systems.
Our investigation of the data has shown that while the detection spike is high in volume, it is low in prevalence. For example, in our Threat Landscape Report for Q4 2017, Prosiak 65 was seen on less than 1% of companies. And when measured over the last 30 days, we have seen it on less than 1,000 devices. However, the total number of detections during that same time was around 665,000 hits, with most of the sources of those detections being from the networks some of our largest ISP customers, with no specific focus on region or industry. The exact reasons for this consistent volume of triggers is unclear at this time, and we are still investigating the source.
With over 5 million devices sold worldwide, a trigger from just 1,000 devices sounds trivial. However, 665,000 hits is not. The challenge we face when presenting such information is presenting it in a consistent manner and putting it into context so as to be useful. We also have to ensure we are not manipulating the data to look convenient, or are not bending it to the message we are trying to get across, which is why we also use a peer-review process to ensure the accuracy of information and how it is being presented.
Is the information wrong? We don’t believe so, although we are still investigating. We do, however, think the ranking is skewed by a large number of triggers from a relatively small number of devices. We made this very point in the SEMAFOR conference.
Does it need further investigation? For sure any anomalous information like this is scrutinized by our data scientists and FortiGuard Threat Research team so we can learn more.
Do we need to look at how we present our data? Potentially, however, we do not want to exclude information to make it more convenient and fit a narrative.
Following the presentation, we received feedback from external threat researchers that they also found this information surprising and of particular interest given the Polish malware connection. We welcome such data points from the community, even if they are contradictory, since this helps move everyone’s understanding forward.
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.