How to spot the three most common types of malware
The rapid spread of the Petya virus today from Europe to the U.S. is just the latest in a growing number of such attacks.
Indeed, according to Gartner, there were between 2 million and 3 million successful ransomware attacks in 2016 and analysts predict that this frequency will double every year through 2019.
These future attacks will inevitably leave security analysts, governments, healthcare organizations and enterprises of all sizes asking how this could have been avoided, how can we stop the proliferation of these types of attacks in the future and what are other common malware infections that organizations should watch out for?
While ransomware attacks are grabbing headlines today, three common infection vectors continue to be a source for the majority of the malware entering our networks on a regular basis. Here is what organizations should look for, and steps to take to keep malware out, for good.
Phishing and Malicious Attachments
In recent years, there has been a significant uptick in successful phishing-driven data breaches across many different industries. A simple phishing email containing a malicious attachment is really all it takes to infect an organization.
By employing the usual social engineering tactics like seemingly important or relevant subject lines, less cautious users can be duped into opening email attachments that appear as normal office documents or compressed (.zip) files. Additionally, instead of attaching malware directly to an email, another common trend is to employ obfuscated script. When executed, this will download the malicious payload onto the system, often leading to a ransomware infection.
How to Spot a Phishing Attack
Look out for:
- Attachments with .wsf, .jse, .vbs, .hta or .js extensions
- Emails that contain links to login pages
- Indicators related to Business Email Compromise (BEC)
- Signs of domain / typo squatting or mismatches in sender domain
- Spikes in traffic to / from specialty domains and less common foreign TLD’s
Malvertising and Malicious Redirects
Some of the biggest cybercrime campaigns of the past were carried out by leveraging malvertising. This includes abuse of large ad platforms and pollution of the advertising ecosystem by rogue ad and content networks. The web advertising industry has since taken note of the problem and we don’t really see Flash ads containing exploits like we used to.
A more common tactic currently used is attacker controlled intermediary domains in conjunction with HTTP redirects to ad and content networks, which then lead to a malicious site (usually an exploit kit). In other words, a lot of the advertising and content network traffic leading to exploit kits are fake and just appear to be advertising traffic.
Most of the time these ads contain no real ad content, only redirects to other hosts or ad networks. This type of redirection is less likely to be noticed as it blends right in with other advertising traffic. This can be a confusing and difficult threat to track as the noise and deception levels are high making it tough to discern between what is and is not legitimate.
What Does Malvertising Actually Look Like?
Look Out For:
- Suspicious domains & subdomains with advertising or cdn themes (i.e. fake traffic)
- HTTP Redirects to or from rogue or complacent advertising & cdn networks
- Ad traffic that results in suspicious redirects or redirects directly to IP address
- Redirects to intermediary hosts and malicious sites
- Spikes in HTTP traffic to suspicious or foreign TLD’s and specialty domains
- Traffic from shady TDS’s (Traffic Distribution Systems)
- Compromised Wordpress, Joomla & Drupal sites
Exploit Kits and Drive-By Downloads
Exploit Kits are the digital landmines of the internet, targeting vulnerable web browsers and plugins with client-side exploits that can force download and installation of malware. Simply loading a page that redirects to an exploit kit can result in infection as systems running vulnerable versions of Internet Explorer, Adobe Flash or Microsoft Silverlight are at risk of compromise. Malvertising and malicious redirects to attacker-controlled sites often result in exploit kits.
Don’t Get Rigged
While the number of active exploit kits has declined, recent updates and branches to exploit kits like Rig and Sundown have kept them at the forefront of the web infection chain. A Rig exploit kit infection chain is when a fake Google search leads to a compromised site, which has a block of malicious script injected at the very bottom. Loading the page results in a GET request to a Rig exploit kit page, which will load a malicious flash file and result in a system compromise.
Look Out For:
- Heavy use of obfuscation in HTTP response content
- Embedded iframes & redirects in HTML
- Suspicious domains and subdomains
- Domain shadowing of legitimate domains
- Redirection involving fringe & foreign TLD’s
- Flash Files that use encryption (i.e., DOSWF)
- Encrypted payloads
Stop, Collaborate and Listen
Always be sure to backup your data both in the cloud and on an external hard drive. Make sure to keep your systems up to date, patch known vulnerabilities and watch where you click and what attachments you open.
Collaboration across organizations is also a highly effective method of prevention and mitigation. Sharing information, experience or research on various types of ransomware will also help to weaken their effectiveness.
How to Keep Out Malware, For Good
Preventing the next security breach will require more than just following best practices, but keeping tabs on how malware is getting in can help you keep it out. Staying on top of infection vectors and techniques used by cyber criminals can also help prevent you from becoming victim.
Access to up to date threat intelligence on these types of threats is a great starting point for knowledge on hosting infrastructure, patterns and techniques used in campaigns. This information can then be used to block threats at various stages of the infection chain.