Just when you have seen everything, the next week a new method comes along which evades detection. Say you wanted to break into a data centre; you could come through the front door, parachute in, or drill underground. Malware is similar regarding entry methods. The main entry methods for general and more targeted attacks are email, web, Wi-Fi, files, and physical media (CD, DVD, USB, etc). Defences need to be layered and varied, not just a handful of antimalware engines.

Patch, patch, patch
Patching is not just for the core Windows or Mac operating system but for applications and plugins under them. These days, you can automate core patching, and even so, it is a good idea to spot-check that patches are installed weekly. On top of these, ensure software, including app stores, is updated. Lastly, check plugins within browsers as they can be vulnerable as well. If you are a larger business, use software to manage updates.

Go beyond standard antimalware
Standard antimalware for consumers or business users is quite signature-focused. EDR (or MDR) or XDR goes beyond signature lookups to try to catch unknown malware or exploits. On top of this, it builds a picture of the attack and can revert to a known good state. A list of “new age” products can be found here: https://www.gartner.com/reviews/market/endpoint-protection-platforms.

Block file types
Not all attacks are advanced, and some just use old-fashioned methods, so blocking a long list of dodgy extensions will help a little. Filters should check all parts of the file name and within archives. A decent list is as follows: ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, der, docm, dotm, enc, exe, fxp, hlp, hta, inf, ins, isp, its, jar, js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, potm, ppam, ppsm, pptm, reg, scr, sct, shb, shs, sldm, vb, vbe, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xlam, xltm and xxe. This applies to web downloads and emails.
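The filter described above, as an added example that is not code from the original post: it checks every dotted part of a file name (so double extensions such as invoice.pdf.exe are caught), descends into zip archives, and holds corrupted, password-protected or deeply nested archives for inspection rather than passing them. The extension list is the one from the tip; the choice of zip as the only container type, the nesting limit and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# The extension list from the tip above. Assumption: matching is case-insensitive
# and every dotted part of the name is checked, not just the last one.
BLOCKED_EXTENSIONS = frozenset("""
ade adp app asp bas bat bhx cab ceo chm cmd com cpl crt der docm dotm enc exe
fxp hlp hta inf ins isp its jar js jse lnk mad maf mag mam mar mas mat mde mim
msc msi msp mst ole pcd pif potm ppam ppsm pptm reg scr sct shb shs sldm vb vbe
vbs vsw wmd wmz ws wsc wsf wsh xlam xltm xxe
""".split())

# Container types this filter opens (assumption: zip-based archives only).
ARCHIVE_EXTENSIONS = frozenset({"zip"})
MAX_DEPTH = 3  # stop descending into archives nested deeper than this


def name_parts(filename):
    """Lower-cased dotted parts after the base name, for any path style."""
    name = PurePosixPath(filename.replace("\\", "/")).name
    return [p.strip().lower() for p in name.split(".")[1:]]


def blocked_parts(filename):
    """Every part of the name that is a blocked extension, so
    'invoice.pdf.exe' and 'report.exe.txt' are both caught."""
    return [p for p in name_parts(filename) if p in BLOCKED_EXTENSIONS]


def is_archive(filename):
    parts = name_parts(filename)
    return bool(parts) and parts[-1] in ARCHIVE_EXTENSIONS


def scan_archive(data, prefix, depth=0):
    """Walk an archive in memory and report members to block or hold.
    Corrupted, encrypted or over-nested archives are held, not passed."""
    if depth > MAX_DEPTH:
        return [f"{prefix}: nested deeper than {MAX_DEPTH} levels, held for review"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}: corrupted archive, held for review"]
    findings = []
    with zf:
        for info in zf.infolist():
            member = f"{prefix}/{info.filename}"
            if info.flag_bits & 0x1:  # general-purpose bit 0 = member is encrypted
                findings.append(f"{member}: password-protected, held for review")
                continue
            hits = blocked_parts(info.filename)
            if hits:
                findings.append(f"{member}: blocked extension(s) {hits}")
            if is_archive(info.filename):
                findings.extend(scan_archive(zf.read(info), member, depth + 1))
    return findings


def check_file(filename, data=b""):
    """Verdict for one download or attachment: an empty list means allow."""
    findings = []
    hits = blocked_parts(filename)
    if hits:
        findings.append(f"{filename}: blocked extension(s) {hits}")
    if is_archive(filename):
        findings.extend(scan_archive(data, filename))
    return findings


def build_sample_archive():
    """Constructed sample: a clean PDF name, a renamed EXE and a nested zip
    carrying a VBScript name. Member contents are placeholders, not malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("run.vbs", "placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.pdf", "placeholder")
        z.writestr("update.Exe", "placeholder")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in check_file("attachment.zip", build_sample_archive()):
        print(finding)
```

A gateway filter also needs to look at content, not names alone (a renamed executable still starts with MZ), which is where the multiple engines and sandboxing tips below come in; the point of this block is only that a name check must cover every part of the name and every member of an archive.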

Use multiple engines
For endpoints, typically, just one is used, but for web and email gateways, it can be 2-5 engines. Check that each engine comes from a different vendor so that you get multiple opinions. Lastly, ensure the engines update hourly.

Block outbound ports
Some mass-market malware uses obscure ports to communicate outbound, either to download the payload or to talk to its controller. Some malware may simply keep trying ports until it gets through. If possible, allow only ports 80 and 443 outbound.

Turn off autorun
Smuggling in malware via USB, CD, or DVD is uncommon. That said, autorun should be turned off to reduce the chance of it running without user interaction.

Use a dedicated email security gateway
Hardware, virtual, software appliance or cloud – don’t just rely on the basic inbuilt single engine or spam detection engine.

Consider security-focused DNS
Cloudflare, Quad9, Cisco Umbrella and others, installed on the network or endpoint, can block bad websites, command-and-control (C2) servers, or payload downloads. The intelligence they provide can give you a clue about infections later on.

Disable macros
Macro malware has not gone away. Disabling it in the Office Suite, including Outlook, can help. Disabling auto download of images and inbuilt auto preview is also wise.

Use strong encryption
Strong encryption with equally strong authentication can thwart some leaks even if someone is inside your network. Encrypt critical files using hardware-based encryption, i.e. a physical token instead of a password, which can be cracked or logged.

Scan links
You scanned the contents and attachments but what about links? They can host exploits or downloads. Use an email security gateway with on-click scanning so that links are scanned each time they are opened, not just on entry.

Use web security
Antimalware on the endpoint checks endpoints, and the email security gateway checks email. Have all traffic scanned and filtered, including TLS, by a dedicated web security product/service. Block a long list of file extensions and outright block archives. These days you can use cloud services so no server is needed on-site.

Tweak all settings in email security gateways
Go through settings with a fine-tooth comb. DKIM, SPF, URIBLs, DMARC, greylisting, reverse lookups, RBLs, geo-blocking, reputation lists, file types, and URL categories can all help in your defence plan. Hold password-protected or corrupted emails for inspection.
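Of the settings listed above, SPF and DMARC are the ones most often left in a weak state (a "+all" or "~all" SPF record, or a DMARC policy of p=none that only monitors). The following is an added example, not code from the original post, that checks the text of an SPF and a DMARC record for those weak settings and shows a weak pair beside a tightened pair. The records and domains are constructed for the example; the lookup-mechanism limit of 10 is from RFC 7208.

```python
# Constructed records, not real DNS data: a weak pair beside a stronger pair.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 mx include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Mechanisms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; pct=50' into a dict with lower-cased keys."""
    tags = {}
    for token in record.split(";"):
        if "=" in token:
            key, value = token.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of weaknesses; an empty list means the record is tight."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    mechanisms = [t.lstrip("+-~?").lower() for t in terms[1:]]
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral, not rejected")
    else:
        # The qualifier in front of 'all' decides what happens to unlisted hosts.
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any host send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral, equivalent to no policy")
        elif qualifier == "~":
            findings.append("'~all' softfail: receivers may still deliver spoofed mail")
    names = [m.split(":")[0] for m in mechanisms]
    lookups = sum(1 for n in names if n in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    if "ptr" in names:
        findings.append("'ptr' is deprecated and slow; replace it with ip4/ip6 ranges")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the policy is enforcing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag: receivers treat the record as invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk rather than rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so failures stay invisible")
    return findings


if __name__ == "__main__":
    for label, record, check in [("weak SPF", WEAK_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc)]:
        print(label, "->", check(record) or "ok")
```

Run it against the TXT records you actually publish (pulled with your usual DNS tooling) and against the records of the domains you accept mail from; the second use is what tells an inbound gateway how much weight an SPF pass from a sender is worth.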

Use anti-exploit technologies
A few years back these products were standalone, and now the main vendors have integrated them into suites. They typically work without signatures and look for hidden downloads or new file processes at launch. Browsers, plugins, PDF and Office are covered.

Use whitelisting
An increase in security brings along an increase in cost and lower productivity. Whitelisting can be annoying but is very strong compared to general endpoint antimalware. Memory exploits may not be caught by this method, but the anti-exploit technologies above will help there.

Log in as a user
Log in with a user account, not an administrator or domain admin account. Why? Hand out admin access and users can install what they want or make malware infections worse. If you need to perform an admin task, log in as the admin or do ‘run as’ from within the user session, which saves you logging in and out again. This is something I learned in my first real job back in 2004 and it stuck with me.

Look into your supply chain
Just look at Target Corp, which was… targeted in 2013 via its HVAC contractor, Fazio Mechanical Services. Before selecting a partner, outsourcer, or supplier, run through supplier assurance checks.

View your logs
Email logs, web browsing, endpoint security, endpoint, cloud, firewall, and IPS logs should all feed into your SIEM. If you cannot afford a SIEM or the resources to manage it, then outsource it. With correlation, ML/AI, and an analyst, you can catch past or present infections. Think: why is a catering user account looking at credit card data?
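The catering-versus-card-data question above is a correlation rule: join an access log to the HR directory and alert when the department does not match the data set, then chain a second rule off the first. The following is an added example, not code from the original post, of that two-stage rule run over a handful of constructed file-server and proxy log lines. The log format, the directory mapping, the entitlement table and the upload threshold are all assumptions made for the example; a real SIEM would source them from its own parsers and lookup tables.

```python
import re
from datetime import datetime

# Constructed sample log lines from a file server and a web proxy, not real data.
SAMPLE_LOGS = """\
2024-05-02T10:15:02Z src=fileserver user=jsmith resource=/finance/cardholder/q1-export.csv action=read
2024-05-02T10:15:09Z src=fileserver user=apatel resource=/finance/cardholder/q1-export.csv action=read
2024-05-02T10:16:30Z src=fileserver user=jsmith resource=/finance/cardholder/q2-export.csv action=read
2024-05-02T10:17:01Z src=fileserver user=jsmith resource=/catering/menus/may.docx action=write
2024-05-02T11:02:44Z src=proxy user=jsmith dest=paste.example action=upload bytes=4800000
2024-05-02T11:05:10Z src=proxy user=apatel dest=crm.example action=upload bytes=120000
"""

# Constructed HR directory export: account -> department (assumption: the SIEM has one).
DIRECTORY = {"jsmith": "catering", "apatel": "finance"}

# Sensitive data sets and the departments entitled to them (assumption).
ENTITLEMENTS = {"/finance/cardholder/": {"finance", "payments"}}

LARGE_UPLOAD_BYTES = 1_000_000  # second-stage threshold (assumption)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """'2024-05-02T10:15:02Z k=v k=v' -> dict with a datetime under 'ts'."""
    timestamp, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return event


def correlate(lines):
    """Two-stage rule: flag sensitive reads by an unentitled department, then
    flag a large outbound upload by any account already flagged in this run."""
    alerts = []
    flagged = set()
    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        user = ev.get("user", "?")
        dept = DIRECTORY.get(user, "unknown")  # unknown accounts are never entitled
        resource = ev.get("resource", "")
        for prefix, allowed in ENTITLEMENTS.items():
            if resource.startswith(prefix) and dept not in allowed:
                flagged.add(user)
                alerts.append({
                    "rule": "unentitled-sensitive-access",
                    "ts": ev["ts"], "user": user, "dept": dept, "detail": resource,
                })
        if (ev.get("src") == "proxy" and ev.get("action") == "upload"
                and user in flagged and int(ev.get("bytes", 0)) >= LARGE_UPLOAD_BYTES):
            alerts.append({
                "rule": "large-upload-after-flag",
                "ts": ev["ts"], "user": user, "dept": dept,
                "detail": f"{ev.get('bytes')} bytes to {ev.get('dest')}",
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"{a['ts']:%H:%M:%S} {a['rule']:<28} {a['user']} ({a['dept']}) {a['detail']}")
```

The finance user reading the same export produces nothing, which is the point: the rule is about who is reading, not what is read, and it only needs the directory export that most organisations already have.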

Subscribe to threat intelligence
Wouldn’t it be great if you could pre-emptively block some attacks? You somewhat can. Certain sectors (finance and pharmaceuticals) share information about attacks. For example, if pharma firm X is hit, there is a good chance firm Y will be hit next week. If such relationships are not available, subscribe to lists of known bad hashes, file names, email addresses, email domains, domains, and IPs. Then have your defences ingest these and block access.
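Ingesting such a list is mostly normalisation: shared indicators arrive "defanged" (evil[.]example), in mixed case, and as CIDR ranges as well as single addresses, and a domain indicator should also catch its subdomains. The following is an added example, not code from the original post, that loads a constructed feed of the indicator types named above and matches it against constructed mail, DNS, firewall and EDR events. The feed format, the event field names and the sample hash (the SHA-256 of a made-up byte string) are assumptions made for the example.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample: the hash of a made-up payload, so the feed has a real-looking value.
SAMPLE_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed indicator feed in a simple type,value form. Shared lists are often
# "defanged" (evil[.]example, hxxp://), so the loader refangs before use.
FEED = f"""\
# type,value
sha256,{SAMPLE_HASH}
domain,evil-updates[.]example
domain,EXAMPLE-cdn.test
ip,198.51.100.0/24
ip,203.0.113.7
email,billing@evil-updates[.]example
filename,invoice_2024.js
"""

# Constructed events as a SIEM might normalise them from mail, DNS, firewall and EDR.
EVENTS = [
    {"src": "mail", "sender": "Billing@Evil-Updates.example", "attachment": "Invoice_2024.JS"},
    {"src": "dns", "query": "cdn.evil-updates.example."},
    {"src": "firewall", "dest_ip": "198.51.100.77"},
    {"src": "edr", "sha256": SAMPLE_HASH.upper()},
    {"src": "dns", "query": "updates.example"},
]


def refang(value):
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_feed(text):
    """Return (indicators by type, ip networks). IPs become networks so a
    single address and a CIDR range are matched the same way."""
    indicators, networks = defaultdict(set), []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(",")
        value = refang(value)
        if kind.strip().lower() == "ip":
            networks.append(ipaddress.ip_network(value, strict=False))
        else:
            indicators[kind.strip().lower()].add(value)
    return indicators, networks


def domain_listed(domain, listed):
    """True for the domain itself or any parent: cdn.evil.example hits evil.example."""
    labels = domain.lower().strip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def ip_listed(ip, networks):
    address = ipaddress.ip_address(ip)
    return any(address in net for net in networks)


def match_event(event, indicators, networks):
    """List of {'field', 'type', 'value'} hits for one normalised event."""
    hits = []

    def hit(field, kind, value):
        hits.append({"field": field, "type": kind, "value": value})

    if "sha256" in event and event["sha256"].lower() in indicators["sha256"]:
        hit("sha256", "sha256", event["sha256"].lower())
    if "sender" in event:
        sender = event["sender"].lower()
        if sender in indicators["email"]:
            hit("sender", "email", sender)
        if "@" in sender and domain_listed(sender.split("@", 1)[1], indicators["domain"]):
            hit("sender", "domain", sender.split("@", 1)[1])
    if "attachment" in event and event["attachment"].lower() in indicators["filename"]:
        hit("attachment", "filename", event["attachment"].lower())
    if "query" in event and domain_listed(event["query"], indicators["domain"]):
        hit("query", "domain", event["query"].lower().strip("."))
    if "dest_ip" in event and ip_listed(event["dest_ip"], networks):
        hit("dest_ip", "ip", event["dest_ip"])
    return hits


def scan_events(events, feed_text=FEED):
    indicators, networks = load_feed(feed_text)
    return [match_event(e, indicators, networks) for e in events]


if __name__ == "__main__":
    for event, hits in zip(EVENTS, scan_events(EVENTS)):
        print(event["src"], "->", hits or "no match")
```

The last event (updates.example) shows why matching walks up the label list rather than doing a substring search: a listed domain must catch its subdomains, but a look-alike parent must not be caught by accident.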

Take it offline, simple!
If your data is so critical, use a separate network with no Internet or links back. If it’s not online, you can’t hack it – not 100% of course.

Code stripping (Content Disarm & Reconstruction)
This has been around for years, though uptake is not great. Forget signatures and just assume everything is bad, even if it is not. Remove background code (including exploits), malicious files, links and QR codes from downloads and emails. CDR is 99.9%+ effective since it takes no prisoners and just does its job.

Use a sandbox
Sandboxing is not just for big businesses; these days, physical firewalls costing a few hundred pounds can connect to cloud sandboxes. Have files or emails which the firewall or email gateway is not sure about sent to a physical, VM, or cloud sandbox for safe detonation.

Mobile security
Malware on smartphones, mainly Android, is a concern, though less of an entry vector than Windows or macOS. Secure your phone and use antimalware as well. Of course, patch the core OS and apps as well.
© Copyright 2012-2026 DataSecurityExpert.co.uk
