Malware, short for malicious software, is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software. It is also referred to as ‘malicious code’ and is a general term covering a variety of hostile or intrusive software: computer viruses, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware and other malicious programs.
Now that security software reliably detects basic viruses, the term malware usually implies a more advanced threat such as a worm, Trojan, rootkit or backdoor.
Malware comes in all shapes and sizes: a small hidden piece of code delivered through a drive-by download, or a full-blown, legitimate-looking application with malicious code embedded in it. The following non-exhaustive list of characteristics can help classify a threat as a malware-based attack:
Phishing: “Fishing” for information by masquerading as a legitimate link or site to trick you into divulging your credentials or other information. Phishing is usually the delivery stage of a malware attack: the link or attachment carries the actual payload.
Spyware: Deployed to covertly monitor activity on a computer and transmit what it collects. Sometimes this exhausts system resources, leading to slow response times.
Trojan horse: A malicious program that poses as a legitimate one, with the intent of spying, exfiltrating or deleting data, or covertly taking control of the system to run malicious activity in the background.
Virus: The intent is usually the same as for a Trojan horse, but the operation differs. A virus is not a standalone program: it inserts a copy of itself into other programs or files and runs, and replicates further, whenever the infected host file is executed. Rather than masquerading as a legitimate application the way a Trojan does, it hides inside one.
Worm: A standalone, self-replicating program that spreads across the network on its own, typically by exploiting a vulnerability or weak credentials on neighbouring hosts. Unlike a virus it needs neither a host file nor any user action, so the infection travels laterally completely autonomously.
Browser hijacking: Malware that modifies browser settings such as the home page, search provider or error page, with the intent of increasing or diverting web traffic to a particular domain for malicious purposes.
Web exploits: A range of attacks engineered from security vulnerabilities in web applications, including man-in-the-middle attacks, session hijacking, DNS rebinding and spoofed URLs, to name a few.
Malvertising: Injecting malware-carrying advertisements into legitimate advertising networks. The technique has proliferated since 2012 as a method of choice for some attackers because it requires no action on the part of the user: the infection is triggered when the advertisement is displayed, typically by a script in the ad that exploits the browser or one of its plugins.
Denial of Service: As discussed in the previous section, malware can be used to trigger a denial of service attack. Such malware is engineered to exhaust resources on the victim until it stops responding to legitimate requests. Malware can also achieve this by permanently damaging a resource (for example by corrupting firmware), which forces a complete replacement of the affected device.
Malware defense strategies broadly fall into the two categories below. The proponents of each cite the merits of their approach, but in practice a combination of both gives the best protection:
- Reactive: Signature-based products that rely on known signatures to detect and defend against malware. These range from anti-virus installations on endpoints to specialised anti-malware appliances at the network perimeter. They are only as good as their latest signature update and will miss new or repacked samples.
- Proactive: Signature-less detection tools and technologies (for example behavioural or heuristic analysis) provide protection against threats that have no signature yet. Running periodic vulnerability scans across the network, covering all existing and new assets, helps maintain a known baseline and keeps it well protected.
Malware Incident Handling Considerations
The following workflow highlights standard practices and techniques used for identifying, managing and handling Malware:
Implement proactive measures to improve threat preparedness
- Install and regularly update anti-virus, anti-malware, botnet filtering and IDS/IPS solutions. Install HIPS on high-value targets (servers and workstations).
- Perform vulnerability scans on a recurring basis, at least once every week.
- Install and monitor the Nexthink agent on all workstations and systems, and investigate every alert it raises.
- Monitor executables and binaries on systems for unauthorised software.
- Non-standard software with a legitimate business requirement must be signed off prior to installation and added to the risk register.
- Monitor executables run from USB or other removable media using Nexthink.
- Scan all removable media prior to connection to the network, or restrict the use of removable media (e.g. USB flash drives) altogether.
- Require that e-mail attachments be saved to local drives or media and scanned before they are opened.
- Forbid the sending or receipt of certain file types (e.g. .exe files) via e-mail.
- Restrict or forbid the use of unnecessary software and services that duplicate organisation-provided equivalents (e.g. e-mail) and might contain additional vulnerabilities that malware could exploit.
- Restrict or forbid downloading files from the internet, to prevent rogue applications from entering the enterprise network. All downloaded files must be scanned and approved before installation or execution.
- Restrict users’ use of administrator-level privileges; this limits the privileges available to any malware a user introduces to a system.
- Keep systems up to date with OS and application upgrades and patches.
- Restrict the use of mobile devices on trusted networks, or manage them with an MDM system.
Identification & Verification
Correctly identify the threat by monitoring and verification techniques
- Identify the traffic and the infection (executables, binaries and unauthorised programs on affected and/or interconnected systems). The following indicators may help identify infected systems in a managed environment:
  - Users complain of slow Internet access, exhaustion of system resources, slow disk access, or slow system boots.
  - A number of alerts have been generated by a host-based intrusion detection system (HIDS), or by anti-virus or malicious code detection software.
  - Significantly increased network usage.
  - A number of access violation entries have been noticed in perimeter router or firewall logs.
  - A surge of outbound SMTP traffic originating from an internal IP address has been detected (a sign of a mass-mailing worm or spam bot; workstations should only speak SMTP to the organisation’s mail relay).
  - A large number of port scans and failed connection attempts have been detected (a worm probing for further hosts to infect).
  - The system administrator notices an unusual deviation from typical network traffic flows.
  - Changes to key operating system services or applications.
  - Changes to web browser configuration (e.g. the default home page has changed, or an unfamiliar search tool has appeared).
  - Security controls such as anti-virus software and personal firewalls have been disabled on many hosts.
  - General system instability and crashes.
- Use Nexthink to identify rogue, malicious and nuisance programs by checking their hashes against its hash database.
- Verify the infection in the following ways:
  - Obtain information about the malicious code from anti-virus vendors’ websites.
  - Check Nexthink logs for the hash of the suspect program and compare it with the hash of the authorised version.
  - Check web washer logs for the file download and its source.
  - Check IPS logs for blocks or alerts (this will show nothing if the file or its transport was encrypted, since the IPS cannot inspect it).
  - Examine firewall and router log files.
  - Use anti-virus / anti-malware to scan the suspect hashes, binaries and programs against its database and flag anomalies.
  - Use Nexthink to check for changes to operating systems, privileges, programs or applications.
  - Capture packets and look for network traffic matching the known characteristics of the malicious code.
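Two of the network indicators above, the outbound SMTP surge and the burst of port scans / failed connections, are easy to pull out of perimeter logs once the logs are parsed. The following is an added example written for this page, not code from the original or from any product mentioned on it; the firewall log format, the internal address range (10.0.0.0/8), the thresholds and the sample lines are all assumptions made here, and the log lines are constructed.

```python
"""Added example: triage constructed firewall log lines for an outbound SMTP
surge from an internal host and for a port scan. Log format, address plan,
thresholds and sample data are assumptions, not anything the page provides."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed line format:
#   <timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Assumed internal address plan; do not rely on ip_address().is_private here,
# because it also returns True for documentation ranges like 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: 10.1.2.3 mails six external hosts directly, 10.1.2.9
# probes 10.1.5.7 on six ports and is denied, 10.1.2.4 is a normal workstation
# (its one SMTP connection goes to the internal relay 10.1.5.20).
SAMPLE_LOG = """\
2024-03-11T09:00:01 ALLOW src=10.1.2.4 dst=203.0.113.10 dport=443 proto=tcp
2024-03-11T09:00:02 ALLOW src=10.1.2.3 dst=203.0.113.5 dport=25 proto=tcp
2024-03-11T09:00:02 ALLOW src=10.1.2.3 dst=203.0.113.6 dport=25 proto=tcp
2024-03-11T09:00:03 ALLOW src=10.1.2.3 dst=203.0.113.7 dport=25 proto=tcp
2024-03-11T09:00:03 ALLOW src=10.1.2.3 dst=198.51.100.8 dport=25 proto=tcp
2024-03-11T09:00:04 ALLOW src=10.1.2.3 dst=198.51.100.9 dport=25 proto=tcp
2024-03-11T09:00:04 ALLOW src=10.1.2.3 dst=198.51.100.10 dport=25 proto=tcp
2024-03-11T09:00:05 ALLOW src=10.1.2.4 dst=10.1.5.20 dport=25 proto=tcp
2024-03-11T09:00:06 DENY src=10.1.2.9 dst=10.1.5.7 dport=21 proto=tcp
2024-03-11T09:00:06 DENY src=10.1.2.9 dst=10.1.5.7 dport=22 proto=tcp
2024-03-11T09:00:06 DENY src=10.1.2.9 dst=10.1.5.7 dport=23 proto=tcp
2024-03-11T09:00:07 DENY src=10.1.2.9 dst=10.1.5.7 dport=135 proto=tcp
2024-03-11T09:00:07 DENY src=10.1.2.9 dst=10.1.5.7 dport=139 proto=tcp
2024-03-11T09:00:07 DENY src=10.1.2.9 dst=10.1.5.7 dport=445 proto=tcp
2024-03-11T09:00:08 DENY src=10.1.2.4 dst=10.1.5.7 dport=445 proto=tcp
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smtp_surges(events, threshold=5):
    """Internal sources with at least `threshold` SMTP connections to external
    addresses. Workstations should only speak SMTP to the organisation's relay,
    so direct outbound port 25 is the mass-mailing worm / spam-bot signature."""
    counts = Counter(
        ev["src"]
        for ev in events
        if ev["dport"] == 25 and is_internal(ev["src"]) and not is_internal(ev["dst"])
    )
    return {src: n for src, n in counts.items() if n >= threshold}


def find_port_scans(events, min_ports=5):
    """Sources whose denied connections hit at least `min_ports` distinct ports on
    one destination: a worm probing for services to exploit on its neighbours."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports[(ev["src"], ev["dst"])].add(ev["dport"])
    scans = defaultdict(dict)
    for (src, dst), seen in ports.items():
        if len(seen) >= min_ports:
            scans[src][dst] = sorted(seen)
    return dict(scans)


def triage(text):
    events = parse_log(text)
    return {
        "smtp_surge": find_smtp_surges(events),
        "port_scans": find_port_scans(events),
    }


if __name__ == "__main__":
    for indicator, hits in triage(SAMPLE_LOG).items():
        print(f"{indicator}: {hits or 'none'}")
```

The thresholds are deliberately low so the constructed sample trips them; on a real perimeter log they should be tuned against a week of normal traffic, and the internal mail relay should be excluded explicitly rather than relying on the address plan alone.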
Limit the damage caused
- The following are common tactics for containing an outbreak:
- By using automated tools: anti-virus / anti-malware software, other malicious code detection tools, and IDS/IPS can contain the spread automatically. These tools usually provide a quarantine ‘vault’ in which infected files are confined.
- By disabling connectivity: An outbreak can be effectively contained by quickly disconnecting infected systems from the network, either by applying access controls on network devices or by physically unplugging network cables. In some cases, to stop the spread to other parts of the organisation, it may be necessary to temporarily disconnect whole network segments from the backbone. That strategy will certainly affect the non-infected systems in the segment; moving the infected systems to a quarantine VLAN instead allows the infection to be controlled without cutting off the non-infected systems.
- By disabling services: Malicious code may propagate through network services, for example network shared drives. Temporarily blocking or even shutting down the services used by the malicious code helps to contain the incident.
- Keep a record of all actions taken at this stage, because some containment measures require temporary modifications to the configuration of network infrastructure and systems, and these modifications will need to be reverted after the incident is closed.
Investigate how the attack happened and detect its origin
- Investigate the source of the malicious code from firewall, botnet filter, IPS, web washer and other security device logs.
- Reverse engineer the malicious code to establish the changes it makes to services, ports, data, system files and the registry.
- Review web content filtering logs to identify which systems were infected and which other destinations were attacked.
- Perform memory analysis to capture behaviour that exists only in volatile memory (injected code, unpacked payloads, live network connections).
- Monitor host-based IDS/IPS alerts for unexpected system calls, data access and open ports.
- Through log analysis and active monitoring, check for systems on the network trying to connect to a remote command-and-control server.
- Identify the malicious code by reverse engineering (static and dynamic):
  - Type of malicious code (network worm, mass-mailing worm, virus, Trojan horse, etc.)
  - Medium of propagation
  - Vulnerability exploited by the malicious code
  - Whether a patch addressing the vulnerability has been released
  - Whether the malicious code plants backdoors on the infected system
  - Whether any removal tools are publicly available
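The command-and-control check above is usually done by looking for beaconing: an implant calls home on a timer, so the gaps between its connections to one destination are nearly constant, whereas a person browsing produces irregular gaps. The following is an added example written for this page, not code from the original; the proxy log format, the thresholds (at least five connections, coefficient of variation of the gaps at most 0.15) and the sample lines are assumptions, and the log lines are constructed.

```python
"""Added example: find beaconing to a command-and-control server in a
constructed proxy log by looking for connections to one destination at
near-constant intervals. Log format, thresholds and sample data are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line format: <iso-timestamp> <src-ip> <dst-host> <http-status>
# Constructed sample: 10.1.2.3 calls 203.0.113.77 about every 60 s;
# 10.1.2.4 fetches from a CDN at irregular, human-looking intervals.
SAMPLE_PROXY_LOG = """\
2024-03-11T09:00:00 10.1.2.3 203.0.113.77 200
2024-03-11T09:01:01 10.1.2.3 203.0.113.77 200
2024-03-11T09:02:00 10.1.2.3 203.0.113.77 200
2024-03-11T09:03:02 10.1.2.3 203.0.113.77 200
2024-03-11T09:04:00 10.1.2.3 203.0.113.77 200
2024-03-11T09:05:01 10.1.2.3 203.0.113.77 200
2024-03-11T09:00:12 10.1.2.4 cdn.example.net 200
2024-03-11T09:00:13 10.1.2.4 cdn.example.net 200
2024-03-11T09:03:40 10.1.2.4 cdn.example.net 200
2024-03-11T09:15:05 10.1.2.4 cdn.example.net 200
2024-03-11T09:15:06 10.1.2.4 cdn.example.net 200
2024-03-11T09:47:30 10.1.2.4 cdn.example.net 200
"""


def parse_proxy_log(text):
    """Return (timestamp, src, dst, status) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, status = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(status)))
    return events


def find_beacons(events, min_connections=5, max_cv=0.15):
    """Group connections by (src, dst), sort them in time and measure the gaps
    between successive connections. A low coefficient of variation (stdev / mean)
    means the gaps are almost identical: the shape of a scheduled beacon, and not
    the shape of interactive browsing."""
    by_pair = defaultdict(list)
    for ts, src, dst, _status in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about regularity
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; not a timer
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            beacons[pair] = {
                "connections": len(times),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{src} -> {dst}: {info}")
```

Real implants add random jitter to the timer, which raises the coefficient of variation; raise `max_cv`, or combine this with a rarity check (how many internal hosts ever contact the destination), since a command-and-control server is typically visited by one or two hosts while a CDN is visited by hundreds.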
Remove vulnerabilities and eliminate all causes
Eradication should remove the malicious code from all infected systems and media and rectify the cause of the infection. Before starting, collect all necessary information, including all log files: they may be deleted or reset during the cleanup and may prove useful in subsequent investigations.
- Clean all traces of the malware, including infected files, binaries, code and data.
- Scan the infected system with up-to-date anti-virus and anti-malware programs.
- Scan all infected and interconnected systems for the suspicious items discovered, using the updated anti-malware that was used to disinfect the targeted systems.
- Reinstall the system from a trusted source, such as the system installation media or a trusted, clean system image. Prefer this whenever rootkits or backdoors are suspected, since cleaning in place cannot be trusted in that case.
- Secure newly installed systems: check that the latest virus signatures, the updated anti-virus detection and repair engines, and the necessary security patches have been applied on each machine.
- Restore data from known clean backup media.
- Scan for vulnerabilities and malware with vulnerability-scanning and anti-malware tools.
Recover from the attack and resume normal operations
- Reinstall the system or run integrity checks: registry check, open services and port check, malware scan and vulnerability scan.
- Apply patches and activate all protective software such as anti-virus / anti-malware.
- Restore all systems whose integrity was affected by the attack from the last known good backup.
- Eliminate the vulnerability by applying security patches.
- Resolve misconfigurations, such as loose access controls on network shared drives.
- Confirm that all systems and services have been restored to normal operation.
- Restore all data.
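The integrity check in the recovery step, and the hash comparison against a known-bad database in the identification step, both come down to the same mechanism: a manifest of file hashes taken from a known-clean image, diffed against the host being checked. The following is an added example written for this page, not code from the original or from Nexthink or any anti-virus product; the directory layout, the executable suffix filter and the function names are assumptions, and the known-bad hash is computed from a constructed sample so the example runs offline (in production it would come from the anti-virus vendor or the Nexthink hash database).

```python
"""Added example: a file-hash baseline for the recovery-step integrity check and
the hash-based verification in identification. Layout, suffix filter and the
known-bad hash are assumptions; the sample files are constructed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, suffixes=(".exe", ".dll", ".sys", ".bin")):
    """Map path-relative-to-root -> sha256 for executable-looking files under root.
    Run once on a trusted, clean image to produce the baseline."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare_manifests(baseline, current, known_bad=frozenset()):
    """Classify every difference from the baseline, and separately flag anything
    whose hash is on the known-bad list, whether or not it is new."""
    base, cur = set(baseline), set(current)
    return {
        "new": sorted(cur - base),
        "removed": sorted(base - cur),
        "changed": sorted(p for p in base & cur if baseline[p] != current[p]),
        "known_bad": sorted(p for p, h in current.items() if h in known_bad),
    }


# Constructed stand-in for a known-bad sample and its vendor-supplied hash.
DROPPER_BYTES = b"CONSTRUCTED SAMPLE - stands in for a known-bad dropper\n"
KNOWN_BAD_HASHES = frozenset({hashlib.sha256(DROPPER_BYTES).hexdigest()})


def demo():
    """Baseline a clean tree, then simulate an infection and diff against it."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(app)
        with open(os.path.join(app, "service.exe"), "wb") as f:
            f.write(b"legitimate build 1.0\n")  # constructed placeholder binary
        baseline = build_manifest(root)
        # Infection: a dropper appears and the service binary is patched in place.
        with open(os.path.join(app, "update.exe"), "wb") as f:
            f.write(DROPPER_BYTES)
        with open(os.path.join(app, "service.exe"), "ab") as f:
            f.write(b"\x90\x90 injected stub\n")
        return compare_manifests(baseline, build_manifest(root), KNOWN_BAD_HASHES)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths or '-'}")
```

Keep the baseline manifest off the host (it is the first thing a rootkit would patch), and remember that a hash diff only sees files: a payload that lives purely in memory shows up in the memory analysis described under investigation, not here. Matching against known-bad hashes complements rather than replaces anti-virus, because repacked or polymorphic samples hash differently every time.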
Conduct post incident activities
- Perform forensics to identify the source of the attack.
- Create memory images: if the malware encrypts the data it exfiltrates with a symmetric cipher, the key will be present in RAM and can be recovered from the image.
- Collect evidence from packet captures / network information, logs, the infected system’s browsing history, and the malicious code itself together with the results of reverse engineering it.
- Reverse-engineer attack binaries to identify attack methods, communication protocols and attack servers.
- Create images of the hard drives of infected hosts.
- Ensure preservation of evidence and maintain chain of custody as required by legal authorities.
- Handle communications (internal/external user groups, public media, etc.).
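The memory and disk images above are only usable as evidence if their integrity can be demonstrated later, which means hashing at acquisition time and keeping a custody record with every hand-over. The following is an added example written for this page, not a tool or record format the page describes; the function names, the JSON sidecar layout, the case identifiers and the constructed ‘disk’ are all assumptions made for the example.

```python
"""Added example: acquire a disk or memory image with hash verification and a
machine-readable chain-of-custody record. Function names, sidecar layout, case
identifiers and the constructed source data are assumptions."""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB sources


def now_utc():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def save_record(record):
    """Sidecar JSON next to the image; assumed layout, rewritten on every custody event."""
    with open(record["image"] + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)


def add_custody_event(record, action, person, note=""):
    record["custody"].append({"when_utc": now_utc(), "action": action, "person": person, "note": note})
    save_record(record)


def acquire_image(source, dest, case_id, examiner, description):
    """Copy `source` to `dest`, hashing the bytes as they stream past. Here the
    source is a regular file; on a real case it is a block device such as /dev/sdb
    behind a write blocker, or a memory dump produced by an acquisition tool.
    `dest` is re-hashed from disk afterwards so the record reflects what was
    actually written, not just what was read."""
    h = hashlib.sha256()
    size = 0
    started = now_utc()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    record = {
        "case_id": case_id,
        "description": description,
        "source": source,
        "image": dest,
        "size_bytes": size,
        "sha256_source_stream": h.hexdigest(),
        "sha256_image_file": sha256_of(dest),
        "acquired_by": examiner,
        "acquisition_host": socket.gethostname(),
        "started_utc": started,
        "finished_utc": now_utc(),
        "custody": [],
    }
    record["verified"] = record["sha256_source_stream"] == record["sha256_image_file"]
    add_custody_event(record, "acquired", examiner)
    return record


def verify_image(record):
    """Anyone handling the image later re-runs this; a mismatch means the evidence
    changed after acquisition and its integrity can no longer be attested."""
    return sha256_of(record["image"]) == record["sha256_image_file"]


def demo():
    """Acquire a constructed stand-in for a disk, verify it, then simulate
    post-acquisition tampering and verify again."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "sdb.raw")  # stands in for /dev/sdb
        with open(source, "wb") as f:
            f.write(b"CONSTRUCTED DISK CONTENT " * 4096)  # constructed data
        image = os.path.join(work, "CASE-0001-sdb.dd")
        record = acquire_image(source, image, "CASE-0001", "analyst1", "WS12 system disk")
        add_custody_event(record, "transferred", "analyst1", "to evidence locker")
        intact = verify_image(record)
        with open(image, "r+b") as f:  # someone edits the image after the fact
            f.write(b"X")
        return {"record": record, "intact": intact, "after_tamper": verify_image(record)}


if __name__ == "__main__":
    result = demo()
    print("verified at acquisition:", result["record"]["verified"])
    print("intact before tamper:", result["intact"], "| after tamper:", result["after_tamper"])
```

Imaging a live disk this way captures an inconsistent snapshot because the system keeps writing to it; the page's ordering (memory image first, then disk image of a powered-down host) is the right one, and the custody record should carry the examiner's name and timestamps for every hand-over, as it does here.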