CHAPTER 1

Malware Evolved—Preparing for the New Battleground

Fighting cybercrime is now a complex, multi-front endeavor. Cyber attackers have gotten more sophisticated about breaking into your digital kingdom—and more difficult to detect and root out. Nowadays, any network-connected device can be used to execute malicious activities; anything that runs executable code to process external data can potentially be hijacked.

Linux servers have been major targets for attackers due to their prevalence in web hosting services; mobile phones are common targets; and attacks on routers are becoming a serious threat. Rootkits are getting closer to the hardware (attacks on firmware, UEFI rootkits), and virtualization opens new attack vectors (Bluepill, VM escape vulnerabilities). Web browsers and other applications have become as complex as operating systems, and their scripting and extension mechanisms (Win32/Theola) are often used by malicious programs.

Malware is now easier to create than ever. Applications can be purchased that will even build it for you, along with websites that offer “malware as a service” (MaaS). Code is obfuscated, injected into clean processes once a payload is delivered, and executed on the target machine. “In-memory only” malware bypasses file-based security.

Attackers flood the Internet with hundreds of variants of their malware and distribute them to a massive number of users through spam campaigns, exploit kits on well-known sites, and various other distribution vectors. Clean software components are exploited, or malicious code is placed in a well-known app that is then rebranded and released—making unauthorized code harder to spot.

At the network level, malware makes use of command and control (C&C) servers to send instructions to and receive data from compromised systems. Decentralized control of botnets over peer-to-peer services is common, as are domain-generation algorithms (DGAs) and cloud DNS services, both of which reduce the effectiveness of detection based on blocking known URLs. Attackers take control of legitimate websites with good reputations through the use of exploit kits, and even legitimate advertising services are used to serve up malicious content.
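Because a DGA produces fresh domains faster than a blocklist can be updated, defenders typically fall back on what the generated names look like rather than which names they are. The script below is an added example, not code from the original chapter or from any vendor product: it scores the registrable label of each queried name on a handful of randomness indicators (character entropy, vowel and digit ratios, long non-vowel runs, length) and counts suspicious lookups per client. The log format, the thresholds and the domain names are all constructed for this example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not captured from any real network);
# the three long labels are made-up, DGA-looking names.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A
2024-01-01T10:00:02Z client=10.0.0.5 query=mail.google.com type=A
2024-01-01T10:00:03Z client=10.0.0.7 query=xk3j9qwe7rtzplvb.com type=A
2024-01-01T10:00:04Z client=10.0.0.7 query=qzvtyxrwplkmnb.net type=A
2024-01-01T10:00:05Z client=10.0.0.7 query=hdk28s9a1kx0pq.org type=A
2024-01-01T10:00:06Z client=10.0.0.9 query=cdn.wikipedia.org type=A
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(qname: str) -> str:
    """Label just left of the TLD, e.g. 'example' in www.example.com.
    Assumes a single-label public suffix; 'co.uk'-style suffixes would
    need a public-suffix list in a real deployment."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_non_vowel_run(label: str) -> int:
    """Length of the longest stretch of characters that are not vowels."""
    run = best = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(label: str) -> int:
    """Count how many 'random label' indicators fire (0..5).
    Thresholds are assumptions chosen for this example, not tuned values."""
    n = len(label)
    if n == 0:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    indicators = [
        shannon_entropy(label) >= 3.5,
        vowel_ratio < 0.2,
        digit_ratio >= 0.2,
        longest_non_vowel_run(label) >= 5,
        n >= 12,
    ]
    return sum(indicators)


def analyze_dns_log(text: str, min_score: int = 3):
    """Return ({qname: score} for flagged names, {client: suspicious hit count})."""
    flagged = {}
    per_client = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        score = dga_score(registrable_label(qname))
        if score >= min_score:
            flagged[qname] = score
            per_client[m.group("client")] += 1
    return flagged, dict(per_client)


if __name__ == "__main__":
    flagged, clients = analyze_dns_log(SAMPLE_DNS_LOG)
    for qname, score in flagged.items():
        print(f"{score}/5  {qname}")
    for client, hits in clients.items():
        print(f"{client}: {hits} suspicious lookups")
```

On the constructed log, the three random labels score 4 or 5 while example, google and wikipedia score 0, and client 10.0.0.7 is the only host with repeated suspicious lookups. Scoring the registrable label rather than the full hostname keeps CDN and cloud hostnames with random-looking subdomains from firing; the per-client count matters more than any single hit, since a DGA client typically bursts many lookups (most returning NXDOMAIN) before it finds the live C&C domain.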

CHARACTERISTICS OF TODAY'S MALWARE:

Utilizes multiple coding languages
Has obfuscated code
Injects malicious code into clean processes
Uses “in-memory only” malware to bypass file-based security
Encrypts communications
Uses domain-generation algorithms

The 9 signs that your endpoint security isn’t working well:

1. Scans and updates slow your system to a crawl. This obviously affects productivity.

2. Employees complain about using the anti-virus solution. If resentment builds up, employees will eventually bypass the solution altogether on their company-issued or bring-your-own devices, which can affect both performance and security for the whole network.

3. Your solution is underperforming. It isn’t detecting viruses or other pieces of malware, or it’s flagging non-malicious files as malware; it has a high footprint that equals slower scanning; it creates AV storms on virtual machines or has high bandwidth usage that bogs down the entire network.

4. Your solution alerts on too many files or links that aren’t actually malicious. This results in false positives that can waste valuable IT resources dedicated to fixing problems that don’t exist.

5. Removing malicious files and dealing with false positives is too complicated. A 2015 study by the Ponemon Institute found that companies spend an average of nearly 600 hours each week on malware containment.[3] You want a solution that delivers silent quarantines and automatic removal of malicious files, not more work for your IT team.

6. Infections come back after you’ve removed them. This means the solution isn’t doing a good job of cleaning, or isn’t updating its detection often enough.

7. It’s difficult to manage the solution across all your platforms and devices. In today’s environments, you need a security solution that’s easy to manage so the burden of protection is minimal. A product that includes remote administration lets you control your entire network of workstations, servers and smartphones from a single location.

8. Security event alerts or pop-up prompts interrupt presentations and sales demonstrations. Again, this impedes productivity. Every company and employee needs uninterrupted access to their machine, which includes a malware solution that has a "silent" or "presentation" mode that is easy to use and a good administration tool to restore regular mode when the presentation is over.

9. Getting technical support and customer service is inconvenient, or communicating with the vendor is difficult. If it’s a pain to get reliable, customer-oriented support, that, too, will impact productivity for end users and IT. It will also contribute to frustrations that could lead employees to circumvent the program, opening their device—and your network—to cyber attacks.