What Is Malware & How to Prevent or Mitigate Its Effects
In today’s interconnected world, malware, short for malicious software, is wreaking havoc, affecting not just large organizations but also medium and small-sized organizations.
What Is a Malware?
Malware, which stands for malicious software, is a code – set of instructions which are executed by a computer – that’s designed to facilitate malicious activities such as gaining unauthorized access to a network, stealing data or damaging systems operation.
A malware typically goes through the following process:
First, the computer user authorizes, such as by clicking a malicious link or malicious attachment in an email, and/or is using a vulnerable software that allows the downloading and installation of the malicious code.
Second, once a computer is infected with malware, the malware then connects with the command and control infrastructure (C2) – could be a website or cloud account controlled by a malicious actor or actors – that sends commands to infected computers.
Third, once the malware establishes connection with its C2, this allows an attacker to perform malicious activities on the infected computer, such as steal data, encrypt data to force users to pay ransom or use the compromised computer as part of a botnet – a group of computers infected by a malware and controlled by an attacker or attackers to conduct malicious activities such as distributed denial-of-service (DDoS) attacks or illicit cryptocurrency mining.
Malware Spotlight: SMB Worms
A worm is a type of malware that replicates itself and spreads to other computers without user interaction. WannaCry is an example of a worm. This worm encrypts data on the infected computer and demands from the victim ransom payment in exchange for the decryption key that purportedly could unlock the encrypted data. In just less than 24 hours on May 12, 2017, WannaCry spread to hundreds of thousands of computers in at least 150 countries.
The WannaCry worm uses EternalBlue, a cyberattack tool that enables malicious actors to install malware on any computer running Server Message Block (SMB) version 1, a communication protocol used for sharing access to files and other resources on a network. On March 14, 2017, nearly 2 months prior to the WannaCry attack on May 12, 2017, Microsoftissued a patch fixing the vulnerability exploited by EternalBlue.
Shodanreported that as of May 13, 2019, more than 2 years after the major WannaCry attack, 998,843 computers were still using the obsolete SMB version 1 protocol, opening these vulnerable computers to EternalBlue exploit. The use of this obsolete SMB version 1 protocol by close to a million computers shows that Microsoft’s March 14, 2017 patch hasn’t been applied on these computers.
In the 1st quarter of 2019, F-Secureobserved 556 million traffic to port 445 – the primary port used by SMB version 1. In the WannaCry attack, using the EternalBlue exploit, attackers look for open SMB port (TCP port 445), install the WannaCry worm on the vulnerable computer and look for other computers within the network with open SMB port and infect them. According to Microsoft, the initial infection of the WannaCry worm can be traced to the tax accounting software from a Ukrainian company.
TrickBot is another worm that spreads by leveraging the vulnerability in SMB version 1. The initial infection of this worm is via malicious emails that trick victims to download the worm from a malicious website or trick the victims into opening the worm through an attachment. It’s also distributed by other malware called “Emotet”. Initially developed to steal data, TrickBot has evolved through the years. In addition to stealing data, it’s being used to deliver another malware on the victim’s computer.
Preventive and Mitigating Measures Against Malware
Here are some of the preventive and mitigating measures in order to protect your organization’s network against malware:
Keep all software up to date with the latest patches
In the case of WannaCry and TrickBot, one of the reasons why these worms are still actively being abused by attackers is that hundreds of thousands of users still use outdated operating systems or server operating systems today. As many of today’s malware leverage on unpatched software, it’s important to keep all your organization’s software up to date.
Stop using SMB
Specific to the group of malware that exploit SMB, one of the ways of blocking this type of malware is by not using this communication protocol. As of April 2018, SMB no longer comes preinstalled in Windows. In case SMB is still needed in your organization, make sure to disable SMB version 1. Also, block TCP port 445 at the network boundary to ensure that SMB communication is limited to the internal network.
Apply the Principle of Least Privilege
The Principle of Least Privilege refers to the practice of only granting necessary and sufficient permissions to users to carry out their activities, with the minimum rights required for their tasks and for a limited time. For instance, preventing non-IT staff to install software could prevent the installation of malware as a result of clicking a malicious link or malicious attachment from a malicious email.
Practice Network Segmentation
Network segmentation refers to the practice of dividing your organization’s computer network into sub-networks. This ensures that when a subnetwork is infected with malware, the other subnetworks won’t be infected.
Navigating cybersecurity space and protecting your organization from malware and other cyber threats is an onerous task and can be overwhelming for your team. Speak with our experts today to simplify the process and free up resources.
Call (416) 920-3000 or email firstname.lastname@example.org