Advanced Malware

Malware has changed drastically over the last few years; hence a new topic has been written and added in 2015. Just when you have seen everything, the next week a new method comes along which evades detection. Say you wanted to break into a data centre: you could come through the front door, parachute in or drill underground. Malware is similar in regard to entry methods. The main entry methods for general and more targeted attacks are email, web and physical (CD, DVD, USB etc). Defences need to be layered as well as varied, not just a few antivirus engines.

Patch patch patch
Windows has potentially got a bit more secure over the years and now flaws are mainly in third party plugins: chiefly Microsoft Silverlight, Oracle Java, Adobe Flash, Adobe PDF and still Microsoft products like Office. Updating the operating system should not be forgotten though. Use patch management software to ensure third party plugins are updated regularly and Windows inbuilt updates are applied.

Block file types
Not all attacks are advanced and some just use old-fashioned methods, so blocking a long list of dodgy extensions will help a little. Filters should check all parts of the file name and within archives. A decent list is as follows: ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, der, docm, dotm, enc, exe, fxp, hlp, hta, inf, ins, isp, its, jar, js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, potm, ppam, ppsm, pptm, reg, scr, sct, shb, shs, sldm, vb, vbe, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xlam, xltm and xxe.
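An added example (not from the original post) of the filter described above: it uses the extension list given here, checks every dot-separated part of the name rather than only the final extension, and recurses into zip archives. Encrypted archive entries cannot be inspected, so it flags them to be held, as the later advice on password-protected emails suggests; the nesting limit and the sample archive are assumptions.

```python
import io
import zipfile
from typing import List

# Extension list copied from the text above. A name is held if ANY of its
# dot-separated parts matches, so "invoice.pdf.exe" and "report.exe.txt"
# are both caught, not just the final extension.
BLOCKED_EXTENSIONS = frozenset("""
ade adp app asp bas bat bhx cab ceo chm cmd com cpl crt der docm dotm enc exe
fxp hlp hta inf ins isp its jar js jse lnk mad maf mag mam mar mas mat mde mim
msc msi msp mst ole pcd pif potm ppam ppsm pptm reg scr sct shb shs sldm vb vbe
vbs vsw wmd wmz ws wsc wsf wsh xlam xltm xxe
""".split())

def blocked_parts(filename: str) -> List[str]:
    """Return every part of the file name (after the first dot) that is a blocked extension."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = [p.strip() for p in base.split(".")[1:]]  # the stem itself is not an extension
    return [p for p in parts if p in BLOCKED_EXTENSIONS]

def scan_attachment(filename: str, data: bytes, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Return the reasons to hold this attachment; an empty list means it passes the filter."""
    reasons = [f"{filename}: blocked extension '{p}'" for p in blocked_parts(filename)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return reasons
    if depth >= max_depth:  # refuse to unpack endlessly nested archives (assumed limit)
        return reasons + [f"{filename}: archive nested deeper than {max_depth} levels"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted entry: cannot be inspected, hold for review
                reasons.append(f"{filename}/{info.filename}: password-protected, held for inspection")
                continue
            inner = scan_attachment(info.filename, zf.read(info), depth + 1, max_depth)
            reasons.extend(f"{filename}/{r}" for r in inner)
    return reasons

def build_sample_zip() -> bytes:
    """Constructed sample: an archive hiding a double-extension executable next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"MZ...")  # constructed placeholder, not a real binary
        zf.writestr("notes.txt", b"quarterly figures")
    return buf.getvalue()

if __name__ == "__main__":
    for reason in scan_attachment("mail_attachment.zip", build_sample_zip()):
        print("HOLD:", reason)
```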

Use multiple engines
Ideally five or more, using direct lookup technology that queries anti-malware vendors' threat intelligence instead of relying only on an hourly signature update. Email security gateways should contain a few, and if possible add more to whichever email server you are using as a final scanning defence.

Block outbound ports
Some mass-market malware is using obscure ports to communicate outbound, either to download the payload or to communicate with its controller. Some malware may simply keep trying until it gets through. If possible keep only 80 and 443 open outbound.

Turn off auto run
Smuggling in malware via USB, CD or DVD is fairly rare; that said, auto run should be turned off to reduce the chance of it running without interaction.

Use a dedicated email security gateway
Hardware, virtual, software appliance or cloud – don’t just rely on the basic inbuilt single engine or spam detection engine.

Consider security focused DNS
Only a few services exist; they monitor all servers, endpoints and more over all ports/protocols. They can block bad websites, CNC or payload downloads. The intelligence can give you a clue to infections later on.

Disable macros
Macro malware has made a comeback in the last year. Disabling it in the Office Suite including Outlook can help. Disabling auto download of images and inbuilt auto preview is also wise.

Use strong encryption
Strong encryption with equally strong authentication can thwart some leaks even if someone is inside your network. Encrypt critical files using hardware-based encryption, i.e. a token instead of a password, which can be cracked or logged.

Scan links
You scan the contents and attachments, but what about links? They can host exploits or downloads. Use an email security gateway with on-click scanning, so links are scanned each time they are opened, not just on entry.

Use web security
Antivirus on the endpoint: check. Email security gateway: check. Patch management: check. Now have all traffic scanned and filtered, including SSL, ideally by a dedicated web security product/service. Block a long list of file extensions and outright block archives.

Tweak all settings
Go through settings with a fine-tooth comb: DKIM, SPF, URIBLs, CBV, greylisting, reverse lookups, RBL, geo-blocking etc. All can help a little in your defence plan. Hold password-protected emails or corrupted ones for inspection.

Use anti exploit technologies
Only a handful of products exist but the ones that do are simple to use once running. They typically work without signatures and look for hidden downloads or new file processes at launch. Browsers, plugins, PDF and Office are covered.

Use whitelisting
An increase in security brings an increase in cost and lower productivity. Whitelisting can be annoying but is very strong compared to general endpoint antivirus. Memory exploits are also not caught by this method, but the anti exploit technologies above will help.

Outbreak detection
A few products have access to large feeds, or feeds are available separately. They work by combining billions of transactions and stopping or predicting mass-market outbreaks in minutes. Secure DNS can also predict domains which may be used for CNC or payload downloading.

Look into your supply chain
Target is a good example. If the target can’t be hacked directly (sorry), the smaller fish are hit instead to get in and then jump back to the target. Ensure there are no links to suppliers, or that any links are tightly controlled.

View your logs
This includes higher than normal emails, web traffic, failed account logins, botnet traffic and more. SIEM is the acronym and the product in mind. Don’t simply re-image machines; take a copy for future evidence. Why is a catering user account looking at credit card data? Ensure passwords are strong and users have access only to what they need.

Take it offline, simple!
If your data is that critical, use a separate network with no Internet or links back. If it is not online you can’t hack it – not 100% of course.

Code stripping and emulation
Again, not many products do this. They scan as usual and then emulate the file in a VM, or a custom-made environment, to see what happens. Code stripping is a simpler approach that inspects HTML, Office, WordPad and PDF files and strips out background code such as macros, leaving the rest of the document usable.

Mobile security
Similar security should be applied to mobiles such as whitelisting and antivirus or simply don’t use Android to reduce your malware percentages!