​Malware: the battle that doesn't end

Jim Cook, ANZ Regional Director, Malwarebytes

IT security specialists are fighting a constant battle against malware, and it's one that changes every day.

The tactics used by cyber criminals 12 months ago are different from those in use today. More complex malware code, different delivery mechanisms, and an increasing focus on financial reward mean organisations are continually facing fresh challenges.

Evolving capabilities

Since first appearing around 25 years ago, malware has quickly evolved. Initially designed to cause disruption to IT systems, its creators are now much more focused on financial gain.

Today's malware operates in a variety of different ways. Some types can log keystrokes on infected machines and steal passwords and credentials. Many can also extract these credentials from browser storage.

Other types of malware can take screenshots from an infected machine and send these to the attacker. This technique is particularly effective when a VDI system is being used. While VDI itself is very secure, if an attacker can simply observe what is one the screen they are still able to cause problems. In other instances, malware has been found to be able to piggyback on remote sessions over VPNs, thereby gaining access to central corporate networks.

Other techniques include code that can record audio and video via a computer's s webcam and microphone. This approach has already led to instances of users being caught in compromising positions and then being extorted for payment.

Meanwhile, other types of malware are designed to remotely control infected devices. These could then be used as part of a large botnet to attack third-party IT infrastructures.

With the capabilities of malware continually evolving, it's become a constant arms race for IT security professionals. Only by taking a co-ordinated and consistent approach will they have any hope of ensuring their systems remain secure.

Key threat vectors

The ways in which malware is being delivered are also constantly changing, however the primary vectors still include web browsers, email and removable media.

Browsers are perhaps of the most concern to IT security professionals as exploit kits can use them to gain system access with no human interaction. Exploit kits use security holes found in browsers and use them to spread malware and infection can occur simply by visiting an infected website.

Email message and associated attachments have been used by cyber criminals for years, and are still proving a popular method for malware distribution. More recently, channels such as instant messenger apps and Skype are also being used to encourage people to click on links that take them to infected sites.

To ensure they have the best chance of success, cyber criminals are constantly battling with IT security professionals to overcome any new measures put in place. This tussles sees the balance of control switch from one side to the other.

For example, a 'sandboxing' approach was developed and used by many organisations. This involves suspect code being run in a protected environment and checked before being allowed into a corporate network. In response, malware writers created code that detects it is in a sandbox and lies dormant until being released into the wider IT infrastructure.

Some malware variants can hide from security teams by making slight changes to themselves and therefore avoiding known malware lists. This so-called 'just-in-time' malware can change itself slightly so it is actually unique on every device it infects. Even if it is found on one by security tools, it may go undetected on others.

A constant battle

Protecting an organisation's IT infrastructure from malware threats requires constant attention. It's about putting in place a multi-pronged strategy that can provide the maximum amount of protection. Some of the prongs such are strategy should contain include:

  • User awareness: Many attacks rely on tricking users into opening infected attachments or visiting compromised websites. By making them more aware of the potential threats through education, the likelihood of this occurring can be reduced. However, it must be remembered that some spear phishing attacks, where messages are tailored for specific recipients, can be very convincing. For this reason, education is only ever a part of the answer.

  • Regular patching: A high proportion of malware relies on known vulnerabilities in software. For this reason, it is important to apply updates and patches as soon as they are released by software vendors. Consider deploying automated tools to assist in this process and remember it must cover everything from operating systems and web browsers to third-party applications.

  • Two-factor authentication: Improve access securing by requiring two-factor authentication from all users. This could include, for example, a password and a uniquely generated code delivered via SMS. This makes it more difficult for criminals to gain access even if they are able to steal log-in and password details.

  • Decommission old accounts: When staff or contractors leave an organisation, ensure their access to IT resources is revoked. Having old accounts active provides unnecessary extra methods for criminals to gain access. whenever possible. Remember to decommission accounts when people leave the organisation. Ensure infrastructures are segmented and protected with firewalls.

  • Careful tool selection: There are a large number of security tools on the market, and choosing the most effective for your organisation is very important. Rather than simply buying point products to perform particular tasks, take time to ensure the selected products can also work together as a cohesive whole.

Above all, remember that there is no 'magic bullet' when it comes to IT security. Only by formulating and undertaking a comprehensive security strategy can your infrastructure be best placed to withstand attacks.

Tags malwarecyber criminalsIT Securityvpnmalware attackssandboxing

Show Comments