6 Ways to Stop Malware in its Tracks

As a CISO or CEO of a business, it's your job to protect the company from all potential attacks – including malware. Malware is one of the most prominent security threats businesses face today, and hackers are constantly coming up with new ways to try and gain access. Fortunately, there are several steps you can take to help you spot – and stop! – malware in its tracks. In this blog post, we'll explore 6 powerful techniques that will make sure your data stays safe - even against the most determined hackers. Ready? Let's get started!

What is malware?

A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.

Malware is malicious software, which - if able to run - can cause harm in many ways, including but not limited to:

• Causing a device to become locked or unusable
• Stealing, deleting, or encrypting data
• Taking control of your devices to attack other organisations
• Obtaining credentials which allow access to your organisations systems or services that you use
• 'mining' cryptocurrency
• Using services that may cost you money (e.g. Premium rate phone calls).

‍Why should you care about Malware?

An Australian man was recently charged with creating and stir busting a Remote Access Trojan software kit. The software was either installed on victims’ machines when they opened an email or when they clicked a link in an email. Once installed the malware could control the user computer without them knowing. This gave the man access to do things like turning on webcams and capturing what they typed into their keyboard.

According to the Australian Federal Police the young man engaged with a network of individuals and sold the spyware, named Imminent Monitor (IM), to more than 14,500 individuals across 128 countries.

He sold it 201 times in Australia and of those sales 98 were paid through PayPal. Of these 98, 15% were purchased by either a) a person who had been involved in a domestic violence event (14) or b) was a registered child sex offender (1). Not great!

How to stop yourself from becoming the victim of malware?

While covering you webcam with a high-tech device called a post-it note may protect your privacy (to some extent) others ways to protect yourself include:

• Ensure you have reputable anti-malware running on your computer.
• Most operating systems come with detection tools however if your computer is not up to date with the latest operating system then your software won’t know about the latest threats it should be looking for.
• Don’t open emails or click on links in emails from people or companies you don’t know.
• A good way to know if an email is from the domain it says it is from is to check the email address.  If you are expecting an email from Kmart and you get an email from iamkmart@xyanythingotherthankmart.com.au then this is a good sign it is not legitimate.  The important part of the email to look out for is the domain after the @ symbol, not the Text before.

6 Ways to Stop Malware in its Tracks

Recommended practices for avoiding malware incidents include:

1. Not opening suspicious emails or email attachments, avoid clicking on hyperlinks, etc. from unknown or known senders, or visiting websites that are likely to contain malicious content
2.  Not clicking on suspicious web browser popup windows
3. Not opening files with file extensions that are likely to be associated with malware (e.g., .bat, .com, .exe, .pif, .vbs)
4. Not disabling malware security control mechanisms (e.g., antivirus software, content filtering software, reputation software, personal firewall)
5. Not using administrator-level accounts for regular host operations
6. Not downloading or executing applications from untrusted sources

Organisations should also implement other host hardening measures that can further reduce the possibility of malware incidents, such as the following:

• Disabling or removing unnecessary services(particularly network services), which are additional vectors that can be used to spread malware
• Eliminating unsecured file shares, which are a common way for malware to spread
• Removing or changing default usernames and passwords for OSs and applications, which could be used by malware to gain unauthorised access to hosts
• Disabling automatic execution of binaries and scripts, including AutoRun on Windows hosts
• Changing the default file associations for filetypes that are most frequently used by malware but not by users (e.g., .pif,.vbs) so that such files are not run automatically if users attempt to open them.

How do you know if you are a victim of malware?

• Are there unfamiliar processes running on your computer?  If you are using windows, you can simply check this by selecting Cntl+alt+delete on your keyboard and opening task manager then going to the processes tab.
• Are there unfamiliar applications or software running on your computer?  If you are using windows, you can check this by selecting the windows logo in the bottom left corner, then simply typing “applications” into the search bar and selecting add or remove programs. From there you can scroll down to find all applications downloaded on the device.
• If your machine is running really slowly or if you are left wondering where files that were there yesterday have now disappeared too
• Have you been the victim to multiple financial fraud transactions and you don’t know how it happened (be honest)?

Steps to take if I believe my computer is infected with malware!

Here are some steps that your organisation or network could take if it is already infected with malware to minimise the impact:

• Immediately disconnect the infected computers, laptops or tablets from all network connections, whether wired, wireless or mobile phone based.
• In a very serious case, consider whether turning off your Wi-Fi, disabling any core network connections (including switches),and disconnecting from the internet might be necessary.
• Reset credentials including passwords(especially for administrator and other system accounts) - but verify that you are also not locking yourself out of systems that are needed for recovery.
• Safely wipe the infected devices and reinstall the OS.
• Before you restore from a backup, verify that it is free from any malware. You should only restore from a backup if you are very confident that the backup and the device, you're connecting it to are clean.
• Connect devices to a clean network in order to download, install and update the OS and all other software.
• Install, update, and run antivirus software.
• Reconnect to your network.
• Monitor network traffic and run antivirus scans to identify if any infection remains.

The NCSC has jointly published an advisory: Technical Approaches to Uncovering and Remediating Malicious Activity, which provides more detailed information about remediation processes.

And if you are really keen you can read NISTs 101 page guide to Malware Incident Prevention and Handling.

Types of Malware

Malware has become the greatest external threat to most hosts, causing damage and requiring extensive recovery efforts within most organisations. The following are the classic categories of malware:

Viruses

A virus self-replicates by inserting copies of itself into host programs or data files. Viruses are often triggered through user interaction, such as opening a file or running a program. Viruses can be divided into the following two subcategories:

Compiled Viruses.      

A compiled virus is executed by an operating system. Types of compiled viruses include:

• File infector viruses - attach themselves to executable programs.
• Boot sector viruses - infect the master boot records of hard drives or the boot sectors of removable media.
• Multipartite viruses - combine the characteristics of file infector and boot sector viruses.

Interpreted Viruses.

Interpreted viruses are executed by an application. Within this subcategory:

• Macro viruses take advantage of the capabilities of applications’ macro programming language to infect application documents and document templates,
• Scripting viruses infect scripts that are understood by scripting languages processed by services on the OS.

Worms.

A worm is a self-replicating, self-contained program that usually executes itself without user intervention. Worms are divided into two categories:

Network Service Worms.

• A network service worm takes advantage of a vulnerability in a network service to propagate itself and infect other hosts.

Mass Mailing Worms.

• A mass mailing worm is similar to an email-borne virus but is self- contained, rather than infecting an existing file.

Trojan Horses.

A Trojan horse is a self-contained, nonreplicating program that, while appearing to be benign, actually has a hidden malicious purpose. Trojan horses either replace existing files with malicious versions or add new malicious files to hosts. They often deliver other attacker tools to hosts.

Malicious Mobile Code.

Malicious mobile code is software with malicious intent that is transmitted from a remote host to a local host and then executed on the local host, typically without the users explicit instruction. Popular languages for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.

Blended Attacks.

A blended attack uses multiple infection or transmission methods. For example, a blended attack could combine the propagation methods of viruses and worms.

Many, if not most, instances of malware today are blended attacks. Current malware also relies heavily on social engineering, which is a general term for attackers trying to trick people into revealing sensitive information or performing certain actions, such as downloading and executing files that appear to be benign but are actually malicious. Because so many instances of malware have a variety of malware characteristics, the classic malware categories listed above (virus, worm, etc.) are considerably less useful than they used to be for malware incident handling. Once upon a time, there used to be very different procedures for handling incidents of each malware category; however now there is largely one set of procedures and policies for handling all malware incidents, thus nullifying the primary need for having categories.

‍