Mass attacks have given way to targeted attacks with unique forms of malware, according to a new report from Cisco, and that trend is accelerating.

Cisco's second quarter Global Threat Report found 287,298 unique instances of malware in June of 2011. That figure is more than double the 105,536 that Cisco found during March 2011. Since the beginning of 2011, unique instances of malware have grown even more. Back in January, Cisco found 72,294 unique instances of malware.

The new Global Threat Report data mirrors findings from a Cisco Security Intelligence Operations report out in July that found a decline in mass email based attacks in favor of targeted attacks. Symantec also found this to be the trend in its research released earlier this year.


The malware infestation also seems to be more likely to target companies with more than 25,000 employees. This group experienced significantly higher malware encounters compared to other size segments

Cisco notes in its report that detecting advanced persistent threats (APT) like unique malware is not an easy task.

"If we could identify APTs by a software signature, we wouldn’t need to call them ‘advanced persistent threats'," Gavin Reid, manager of the Computer Security Incident Response Team (CSIRT) at Cisco, wrote in the report. "If anyone attempts to sell your organization a hardware or software solution for APTs, they either don’t understand APTs, don’t really understand how computers work,or are lying or possibly all three."

One tool that can help as part of a complete defence-in-depth strategy is an intrusion prevention system (IPS). Cisco has identified a number of IPS signatures as being more commonly used for detection during the first quarter of 2011. At the top of Cisco's list for IPS signature firings is Generic SQL Injection at 64 percent.

SQL Injection has topped other lists for IT security this year as well. In June, SQL Injection topped the list of the annual CWE/SANS Top 25 Most Dangerous Software Errors Report for 2011.

Coming in second on Cisco's IPS signature list is malformed SIP packets at 10 percent, SIP is used for VoIP and collaboration applications. Cisco's Unified Video Conferencing system itself was the subject of 6.95 percent of IPS signature firings due to a remote command injection attack.

Attackers also used TCP hijack, which triggered 2.27 percent of Cisco's reported IPS signature firings.

In terms of attacked ports, Port 80 for HTTP topped Cisco's list at 72 percent. Port 5060, which is often used for SIP and VoIP activities, came in second at 16 percent. HTTPS which uses PORT 443, came in at 2 percent. Internet content delivery network vendor Akamai found Ports 80 and 443 to be under attack during the first quarter of this year, as well.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.