This blog entry collects the information from my recent presentation on Malware.
Let me start by making it clear that the world has recently changed. I’m not talking about Thomas L. Friedman, water on Mars or the 350 new species found in the Eastern Himalayas. No, I’m talking about malware.
Time was when malicious software was written by kids in the comfort of their own home. They were more interested in exploring computing technology and claiming bragging rights than in actually doing something with the systems they took over. If problems occurred, they were mostly accidental. Today it’s different. Today malicious software is written by criminals for the purpose of making money. In yesterday’s world, you could get a computer virus and then launch a cleanup tool. Then, as it removed the infection, you were free to sit and ponder the lovely flying cars that we’d have in the future. Today, you could get a computer virus and never notice, then when you check your bank balance online, all your money could be transferred overseas while you ponder the fact we still don’t have our flying cars.
A lot has been written about different classifications of malware, and the differences between worms, viruses, trojans and the like. I see no need to repeat what’s been done before. Instead, I’d like to look at how malware can get on your system, what it can do once it’s there and what you can do about it.
One way to get malware into the world is to just toss it onto the Web. There tend to three ways this is done. The easiest is for them to just put up their own website. However, if they do this, they have the same problem you might in driving traffic there. Sure, they can do all the basic advertising and search engine optimization (SEO) techniques to drive folks there, but in the end, people just won’t go a boring website. Instead, it helps to have a hook.
Though one would think that all it would take is making a fancy website about the new flying cars out there, the more common hook that we’re seeing today is to play on people’s fears. In this case, fears of malware. Yes, we are seeing sites out there designed resemble anti-malware sites… that exist to spread malware. They’ll even try to leverage current events fears, so if a legitimate company has an issue with one of their products, you’ll probably start seeing ads appear stating things like “Problem with [Company]? Try [Fake Antivirus]!”. You hit one of these sites, and it pops up a little dialog box that there may be a problem and asks whether you’d like to run a scan. When you click “Yes” (or “No”, they’re awfully helpful), it will pretend to run a scan, pretend to find problems and then offer you a lovely little cleanup utility. You download and run it, and promptly get infected. Then, just to pour salt in the wound, you’ll likely get a bill for removal services. Sophos reports that there are 15 new sites like this discovered daily.
A more difficult, but often more successful technique is to target a popular social networking site with a good reputation (not an unpopular one with a bad reputation). Social media sites are successful because regular users can post content. So, once there, they post content and try to get people to download it. If you go to a website and see a friend’s posting something about this cool video about flying cars, you can get infected, and your account starts posting the flying car malware too. That’s when your friends get into the mix. Since the content is being posted as you, it’s viewed as “safe”, so they download it and then they also get infected. In May, there was a quite successful attack of this type that was linked to a viral (in more ways than one) video of somewhat questionable taste.
The most difficult way, but often the most rewarding attack is to take over an already popular website. Most of the big sites on the Internet are pretty well protected these days, but if they manage to get control of one, they can load it up with malware. In fact, recent analysis has shown that some website carry around 18.000 pieces of malware. These attacks go on all the time. Sometimes they are general, as in earlier this year when there was an Internet-wide attack that aimed to find flaws in backend databases. Sometimes, though, sites are specially targeted, as in April when Paul McCartney’s website was hacked and all his visitors were infected with malware that stole their online banking usernames and passwords. Thus, the more interesting you are, the more of a target you will be. (Boring people should be safer.)
Of course, there is more than just web vectors. The second most popular attack is via email. It’s important to remember that email is fundamentally flawed. It was intended to serve email just within a local campus and was neither sufficiently scalable nor secure to be used in the way it is today. One fundamental problem is that anyone can send any email to anyone from anywhere. While there are a few technologies in place that limit this, the vast majority of attacks use this flaw.
So what does that mean? Basically, if an attacker can uncover a trusted relationship between you and someone else, all they have to do is send you an email as if it were from that person. You receive the email from good old Uncle Johnny and without puzzling over the fact that he was killed in that tragic flying falling car accident, you open it and suddenly get infected. Of course, not everyone has a (poor old) Uncle Johnny, so the attackers will use whatever they can to get you to open the email. Often times, this involves riding a popularity wave. Anytime we see news about a natural disaster or a celebrity death, there will be malware-laden spam in it’s wake — earthquakes producing tidal waves of infections.
Remember, organizations like the FBI and IRS send letters, not emails. If there’s a problem with a package delivery, your customer will call you, not UPS or DHL. If you get an email from someone you don’t expect, there’s a good chance that it also contains what you don’t expect.
Of course, the traditional attacks still work, so CDs, DVDs, BluRays, Floppies, media cards and USB are still legitimate vectors. In fact, some enterprising folks have managed to infect a keyboard. The basic principle here is to take over a system through any of the avenues into it. Thus, if you use a cell phone for email or connect an mp3 player up to your system, they can be suspicious too.
Lastly, there is the ever-popular “just break in” method. Every month, Microsoft releases patches. Every quarter, Adobe and Oracle do the same. In the open source world, patches come out hourly. Each one of these fixes a known issue. Some of them are remotely exploitable, meaning that if you don’t have them in place, an attacker can waltz right in and do what they wish. If you use a firewall but don’t keep up on patches, it’s like having a machine gun turret on your flying car, but ignoring the suspension problem. It’s going to catch up to you just like it did to Uncle Johnny.
So, once it infects you, what does this malware actually do? Well, short form: anything it wants. By the time the malware is running, it’s too late. It can grab your passwords as you use them, it can search your disk for sensitive data and copy it offsite, it can wait for you to login to your banking system and start transferring all of your money overseas while simultaneously interfering with your web browser so that everything looks normal. (There’s a lot of this latter going on right now.)
More, it can just sit there and wait for orders. Often, infected machines will gang together and form a “botnet” that is centrally controlled by a small group of attackers. The attackers can use these systems to send spam, steal user names, passwords, account numbers, credit card numbers, and so on. They can also rent these “services” to others if the price is right.
What can you be doing about all this?
In addition to basic server and network hardening (firewall, disable unneeded applications, layers of defense, etc), you should deploy a complete endpoint security solution. Unlike previous versions of anti-malware that just matched signatures, a complete endpoint solution contains multiple features. You need to consider:
Even though the old style of signature matching is considered passe, all those old attacks are still out there. You have to protect against them somehow and this isn’t a bad way.
In addition to signatures, anti-malware systems can also look at what applications are actually doing. This used to be called “heuristics”, but these days tends be something like “suspicious behaviour detection” or “pre-execution analysis”. The way it works is to load a small environment around each application and detect what it’s going to do before it does it. If it’s something bad, it stops it. Please note that it is very important that this functions as “pre-execution” and not “during execution”. If it runs at the same time that the application does, there is a chance that the malicious behavior will run before the anti-malware system can stop it.
This is a different sort of firewall than your Cisco ASA or Astaro (or the kind on a car, flying or otherwise). This is a host-level firewall that protects the server/workstation itself. The problem here isn’t to duplicate what the network firewall does, it’s to protect a layer where the network firewall cannot. If an attacker manages to get in to one of your workstations, in a normal network, they can then attack all the other workstations on that network. A local firewall protects against attacks pivoting within the same zone to take over more and more of your network.
Traditionally, host-based firewalls have been difficult to manage, but modern endpoint protection systems have central management consoles that makes this easier.
The idea behind application control is simply that a central authority can determine which applications may or may not be run on a system. In the ideal world, of course, all users would have minimal privilege levels and not be allowed to run non-approved software. However, since many Windows applications require administrative privileges you need another layer. application control is this layer.
Web Browser Helper Objects
Some malware these days never touches the disk. When you hit a compromised site in your browser, it loads the malware into memory. Once there, it can look at browser traffic, analyze what you’re doing and take over sessions. Since it never hits the disk, it’s not detectable by traditional scanning technologies. Anti-malware solutions that have a Helper Object feature can protect your browser from this sort of malware. It basically wraps the browser and analyzes the pages you visit, providing a layer of protection.
Zero Day Protection
There is necessarily a delay between the discovery of a vulnerability and the availability of a patch. If malware is released during this delay, it’s called a Zero Day Exploit. A system that offers good Zero Day protection combines heuristics with a knowledge of system vulnerability types to catch problems before they take over a system. While it is impossible to ever achieve 100% protection against Zero Day Exploits, the good anti-malware suites are tested against these. You just have to pick one that does well in the independent tests.
Some systems are including the ability to manage local encryption. This can protect important data against casual spying and theft. It’s worth noting that if the malware can manage to run at all, it can just wait until you decrypt the data to view it. However, it does add another layer and if you typically deal with sensitive data, it is worth considering.
Optional: Network Access Control
Network Access Control (NAC) allows your anti-malware system to communicate with your network infrastructure. In the old model, all a machine has to do to connect to the network is be plugged in. With NAC, you layer additional checks such as patch status and whether anti-malware services are running. This would be like a built-in breathalyzer in a flying car. (Can you imagine the drunk driving problem we’d have there?) It’s not been widely accepted yet, but it is growing. In the near future, it will likely be standard, so it would be wise to at least select a vendor that has experience in this field.
Optional: Data Loss Prevention
This technology is aware of the type of data that you work with and will examine it when it is accessed. If there is a rule against allowing that data to leave the network, the DLP system will block access to it. It is worth noting that this technology is still quite new and new technologies generally have a few bumps on the way to adoption. If the anti-malware system includes it, great… but it’s probably not essential quite yet.
Some industries are unregulated and can just get by doing the best business they can. Most anti-malware systems these days have decent consoles that can be used to get a snapshot of activity. This is generally sufficient for most day-to-day operations. But, within a regulated or audited business, it can be important to show trends of activity over time. For this, you need a more robust reporting capability. Sadly, most systems do not include this in the basic package. However, if you have this need, be sure to ask about additional packages. It may be available.
Optional: Lightweight, Frequent Updates
I’ll admit that I’m biased. I like the systems that give me constant updates. If I had a flying car, I’d want to always know about potential problems so I could correct for them. I wouldn’t like it when those updates are big and bring my systems (or my car) down. However, it’s not a requirement per se. If your business doesn’t access the Internet often, slower and bigger updates may work just fine for you. On the other hand, if you have a distributed environment with branch offices or remote workers, consider the impact of pushing out updates.
There are some interesting new approaches in the world of anti-malware. While these are always worth considering, you should also be aware that this is a lot more complex than people think. Even the big vendors have had some pretty embarrassing problems as they grew their business. By all means, check out the newer players, but keep in mind that rocky starts are common in both business and software development. Do you want these rocky starts in your security software?
Also, if you want to check out the newer players, keep in mind that attackers are creating fake anti-malware sites and filling up the search engine listings with links to them. At the very least, pull the list and links from reviews in reputable journals. The last thing you need is to think you’re evaluating anti-malware when in fact you are installing malware itself.
Some anti-malware companies try to reduce their pricing by reducing service levels. From a business perspective, I understand this. It allows you to pick the level of service you want and pay accordingly. However, with security software and service, there is a huge value in responsiveness and operating hours. If there is a new outbreak on the Internet, you want to know that the company is addressing it. If you have a new outbreak, you want to be able to pick up the phone and get help… not an invitation to purchase the new “Uranium Level Tech Support”. (In general I feel that metallurgy belongs in my flying car, not in my technical support.)
Home and Mobile Use
These days, the idea of having a “secure” network are gone. If you allow users to connect to the network from their home or with their various smart phones, there are far too many ways in to the network to keep it secure at the perimeter. This means that the concept of “endpoint” extends out to computers that you don’t own. Luckily, some anti-malware vendors provide “bonus” licenses to cover home PCs and mobile devices. This way you can make sure that all the systems have a level of protection, even if they’re not exactly yours. If you’re advanced enough to be running NAC (above), you can even enforce connection requirements.
Multiplatform and Legacy Issues
If you are completely on the ball, and are only running the absolute latest and greatest operating systems and vehicles, congratulations! Most of us aren’t there (and are still driving pathetic land-bound conveyances). If you have a handful of older systems or systems running different operating systems, you may have a challenge with anti-malware. Many systems still require a separate console for each OS and some of them don’t even support the older systems. Keep this in mind during your evaluations.
In the end, if you have money, you are a target. While running anti-malware isn’t a perfect solution, it is certainly part of a measured response to the problem. As malaware gets increasingly nasty, you have to step up your defenses. I am assuming that you already have a firewall in place and have your servers reasonably configured. The next step would be endpoint protection. Sure, there are many many steps after this, but just having these three layers will get you in a position where there are many easier targets than you… which buys you the time to get proactive about things.
This essay was originally published by Alliance Technologies