How to deal with the proliferation and complexity of malware?

While we welcome technological innovation and widespread access to new technologies, we often forget that the benefits of innovation are also available to cybercriminals of all kinds. Launching malware has never been easier. The speed and creativity with which it evolves and improves make life difficult for IT security departments that struggle to keep up. So, what exactly is malware and how can you deal with it efficiently?

What is malware?

Definition

Malware stands for malicious software, that is, software designed to spy on, steal, manipulate or destroy data, digital systems and even hardware. In other words, it is software that breaks through IT protections to access private, state or business data or networks without the knowledge or consent of the users of the infected system.

Malware types

1) Viruses

A virus is malware that relies on human action to activate and propagate on the host computer or network. The first computer viruses appeared in the 1980s with the emergence of the personal computer. At that time, computer networks were not yet widespread within organizations, and non-existent at home, so users shared files using removable storage media. Viruses used that media to propagate from one computer to another by relying on users who copied files and shared them with others. The emergence of computer viruses as a threat ushered in the growth of the modern information security industry in the form of antivirus companies. Signs that you might be infected with a virus included missing or corrupted files, quickly depleting hard drive space, sluggish performance, etc.


2) Worms

A worm is malware that propagates autonomously. It spreads through a network or a host system by replicating itself without human action. It behaves more or less like a virus. It is usually developed to access as many systems as possible, steal data, spy on users or even install other malware such as ransomware. Worms became a serious threat during the 1990s, when computer networks grew within organizations and connecting to the Internet became a requirement to successfully conduct business on a global scale. One of the earliest worms, called the RTM worm (after the initials of its author, Robert Tappan Morris), spread over most of the Internet in 1989. Over the next decade and a half, multiple worms appeared and propagated rapidly on the Internet, affecting users and organizations worldwide.


3) RATs

A RAT (Remote Access Trojan) is malware that allows an intruder to gain administrative control of a target computer or system. Attackers use different ways to get the malware onto target systems, usually through booby-trapped documents sent by email or programs downloaded from attacker-controlled websites. Once installed by the user, this type of malware gives the attackers further access to the systems, allowing them to install other malware or to control the compromised system as if they had physical access to it. The most famous RAT, called “Back Orifice”, was published by the “Cult of the Dead Cow” (cDc) hacker group in 1998. In the same year, Microsoft launched Windows NT 4.0, which included a legitimate remote access capability under the name Terminal Services. Since then, thousands of different RATs have appeared year after year.


4) Trojans

Trojans can look like anything and everything, from free software to Google ads and legitimate-looking applications. Trojan software doesn’t replicate by itself and is used by attackers to gain access to a targeted system, to leak data, or to spread other threats such as viruses or ransomware. The defining characteristic of a Trojan is that it pretends to have a legitimate purpose but in reality implements a malicious one. For example, you want to use a flashlight on your smartphone. You download a flashlight app from your App Store or Play Store. What do you expect from it? To light up and nothing else. But what happens if the application gives you light and in the meantime copies all your contacts and sends them to an external server? By turning on the light, you have activated the Trojan, which does something you never signed up for: getting your data stolen from your phone.


5) Ransomware

Ransomware is a type of malware that blocks users from accessing their system or files by encrypting them. The attackers then demand payment of a ransom in exchange for restoring access. Any type of organization, from private companies and critical infrastructure operators to public administrations and even individuals, can be targeted. Ransom payment is nowadays demanded in cryptocurrency so that the attackers can remain anonymous and move funds quickly and easily across borders.


The multiple purposes of malware

Security practitioners and cybercriminals use malware for various reasons:

  • Improving information security: to test the security or defense posture of an organization and to identify and fix flaws in detection or containment measures.
  • Criminality: to obtain access to systems or data as part of “traditional” criminal activities such as fraud, extortion, child pornography, etc.
  • Espionage: to obtain access to sensitive or confidential information in support of corporate or state-level espionage.
  • Hacktivism: to obtain and publish data as a means of political activism.
  • Personal disputes: to expose or cause damage to a person.

Malware has many uses, but criminals use it mainly because they see an opportunity for profit at little risk.


Malware and business: a disrupting story

Modern organizations depend more and more on gathering and processing vast amounts of data and their operations are intrinsically linked to this. So, why do organizations have to deal with so much malware? “Because that’s where the money is,” famed bank robber Willie Sutton might have said.

Being targeted by cybercriminals can cost a company money and effort. Recovering data and access to systems can take days with sometimes dramatic consequences, especially when vital services such as hospitals are targeted. Once access has been restored, it also takes time for operations to resume normally.

The impact of an IT incident is not only the cost of repair and/or ransom payment, but also the cost of business interruption and possible damage to users. Let’s take the example of an international carrier that ships containers around the world: when suddenly all the logistics systems are blocked by ransomware, hundreds of containers end up paralyzed all over the world with no way of knowing where they are or how to move them. The downtime of these containers will incur late deliveries, storage costs, possible lost or damaged goods, and most importantly, there may be long-term consequences such as loss of customer and partner trust.

Malware attacks are on the rise due to technological evolution. As organizations become increasingly connected and interconnected, and transactions increasingly move online, opportunities open up for malware to sneak into systems. And because of its rapid proliferation and diversification, malware is also becoming harder for IT departments to detect.


How to protect your systems from malware?

Malware is growing faster than the IT security teams of organizations. The problem is not that companies are unaware of the threat posed by malware; it’s that they are unable to protect themselves effectively because the problem is developing faster than they are able to react. Fortunately, there are two technological approaches that allow them to prevent cyberattacks more efficiently.


Artificial Intelligence against cyberattacks

Since humans cannot keep up with the pace, Artificial Intelligence (AI), and specifically Machine Learning, is often proposed as a solution to automatically detect malware at scale, effective even against new or previously unknown malware variants:

By training sophisticated machine learning models on large data sets that describe malicious and benign program behavior, “AI-based” systems are able to recognize even the latest generation of malware.

However, the problem with these AI-based detection systems is that the vendors of malware protection products do not clearly describe how their models were built, how they are updated and how effective they really are. Additionally, many of these solutions rely on a cloud-based component that runs on the vendor’s infrastructure. This combination of opaqueness and external dependency makes it hard for IT security departments to stay on top of malware evolution trends and provides few ways to tune the effectiveness and efficiency, and thus the cost, of the solution.

This brings two major drawbacks. The first is that it is difficult for IT security departments to build their defense infrastructure when they do not understand the extent to which their cyber security solution is protecting them. The second is the loss of control over what data is actually sent to the vendor (event logs, file hashes, files, etc.), which poses a privacy problem.


Malware analysis software

A different approach is to use a malware analysis platform to augment the capabilities and capacity of an existing IT security team. Malware analysis software is designed to detect malware and provide security analysts with the information they need to understand the behavior, origin and potential impact of a malware sample. By combining multiple tools and techniques in a scalable manner, an organization can automate the most common malware detection and analysis tasks and enforce a consistent methodology. This makes operations more efficient, so that the team can focus its scarcest resource, humans with a high level of expertise, on the most sophisticated workloads.

Solutions of this type generally rely on automation and orchestration capabilities specifically focused on malware analysis, built into a flexible platform that can be installed directly on your servers, hosted in the cloud, or used as SaaS. The key characteristic of such a system is that it does not depend on a single tool or IT provider, and that it can easily scale its analysis capacity to match any increase in workload.

A solution of this sort does not seek to replace an IT security team with opaque technology from a single provider, but rather to help the team be more efficient and able to handle a growing workload.

The benefits offered by such a solution:

  • Automation of common tasks via a UI or APIs.
  • Extensibility and flexibility to incorporate multiple tools and techniques.
  • Integration with existing systems.
  • Definition and enforcement of baseline analysis methodologies across the entire organization.
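As an added illustration of the pattern described above (example code written for this article, not QFlow’s or any vendor’s implementation), the following minimal Python orchestrator combines pluggable analyzers, enforces a baseline methodology that every sample must pass through, keeps going when one tool fails, and escalates only the unusual samples to a human analyst. The analyzer names, the entropy threshold of 7.0 and the sample bytes used in the comments are constructed for this example.

```python
import hashlib
import math
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Analyzer = Callable[[bytes], dict]  # every tool takes raw bytes and returns its findings

def hash_analyzer(data: bytes) -> dict:
    return {"sha256": hashlib.sha256(data).hexdigest()}

def filetype_analyzer(data: bytes) -> dict:
    # Magic-byte sniffing for a few formats; a real platform would plug in a dedicated tool here.
    for magic, kind in ((b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")):
        if data.startswith(magic):
            return {"type": kind}
    return {"type": "unknown"}

def entropy_analyzer(data: bytes) -> dict:
    # Shannon entropy in bits per byte; values near 8 hint at packing or encryption.
    if not data:
        return {"entropy": 0.0}
    probs = [data.count(b) / len(data) for b in set(data)]
    return {"entropy": round(-sum(p * math.log2(p) for p in probs), 3)}

@dataclass
class Orchestrator:
    analyzers: Dict[str, Analyzer] = field(default_factory=dict)
    baseline: List[str] = field(default_factory=list)  # analyzers mandatory for every sample

    def analyze(self, data: bytes) -> dict:
        results, errors = {}, {}
        for name, fn in self.analyzers.items():
            try:
                results[name] = fn(data)
            except Exception as exc:  # one broken tool must not stop the pipeline
                errors[name] = repr(exc)
        completed = all(n in results for n in self.baseline)
        # Escalate to a human analyst only when the baseline is incomplete or the
        # sample looks packed or unrecognised; everything else stays automated.
        ftype = results.get("filetype", {}).get("type", "unknown")
        entropy = results.get("entropy", {}).get("entropy", 0.0)
        triage = "escalate" if not completed or ftype == "unknown" or entropy > 7.0 else "routine"
        return {"results": results, "errors": errors, "baseline_complete": completed, "triage": triage}

def build_orchestrator() -> Orchestrator:
    # Adding a tool is one dict entry; the baseline is every registered analyzer here.
    tools = {"hash": hash_analyzer, "filetype": filetype_analyzer, "entropy": entropy_analyzer}
    return Orchestrator(analyzers=tools, baseline=list(tools))
```

Running `build_orchestrator().analyze(sample)` on a constructed sample such as `b"MZ" + b"\x00" * 100` yields a `routine` triage, while `bytes(range(256))` (entropy 8.0, unknown type) is escalated.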

IT security incidents are becoming more frequent and can significantly disrupt your business, which is why it is critical that your IT security investments are both effective and efficient. No single tool can protect you fully; combining multiple tools on a single scalable platform will increase your ability to prevent attacks regardless of their volume and nature, and ultimately allow you to operate with a better grasp of how you are managing the overall risk your organization is exposed to. With QFlow, a customizable and scalable file analysis platform, you can get the most out of your IT security investment.