As long as there is software there will be vulnerabilities, and those vulnerabilities will be exploited. It’s a bold statement, and oddly enough not quite accurate: malware does not always need a software vulnerability to get in. Put simply, malware’s arrival on an endpoint is the end of a fairly long journey, and it trades hands many times along the way.
There are a lot of misconceptions about malware, so here are some of the key things we do know.
1. Malware exploits a system vulnerability or user vulnerability for access
This is perhaps the first misconception about remote access Trojan programs or Cryptolocker: they are not the exploit. They are the after-the-fact symptom of a system that has already been exploited. A remote access Trojan, and even Cryptolocker, still has to find its way onto the system, and that is usually accomplished by an exploit kit, which attacks a system vulnerability (usually Adobe Flash) and then installs the payload.
In the most basic analysis, there are three components to a malware infection: the exploit (how it gets onto the system, usually delivered through an email attachment or web link); the payload (the program installed on the system after exploitation); and, for lack of a better term, “the result” (a backdoor into the system, or a ransomware infection).
2. Malware runs code in system memory
Exploit kits such as Angler or Nuclear are designed to provide a way onto the system through remote code execution. The exploit (delivered by a website or an email attachment) “tricks” the targeted computer system into running attacker-supplied code. This can be done in a number of technical ways, but the end result is usually the same: code you never authorized ends up running on the system and installing the payload. Even with antivirus on the targeted system, criminal exploit kits are designed to bypass the majority of security programs and target an unpatched system vulnerability (Adobe Flash being the favourite target about 80% of the time).
It should also be noted that this stage can be bypassed entirely by just asking a person (nicely), in a phishing email, to run the attachment. In almost all cases exploit kits require the user to visit a malicious website or open an email attachment; sometimes a system-level protection also has to be talked past, such as clicking “Yes” to enable macros inside a document. Oops.
3. Malware modifies the registry or WMI for persistence
Malware such as a remote access Trojan, once installed on a system through exploitation, wants to remain there, and it digs in like a cyber wood tick. The art of a persistent infection (one that survives reboots) is instructing the computer to launch the remote access Trojan every time it boots up, typically through a registry autostart key or a WMI event subscription. Sometimes the remote access Trojan first checks the environment extensively to make sure it is not running on an analyst’s laboratory machine.
Many Trojans try to blend into regular system activity, frequently mimicking common Windows programs: a file carrying the name of a legitimate system process, running from a directory where no system process should live. At any rate, the remote access Trojan is the tangible piece of software designed to cause you grief. More sophisticated remote access Trojans will make sure antivirus software is disabled, or will abuse the antivirus program itself to convince it that the Trojan is a legitimate program.
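One practical way to hunt for this kind of persistence is to dump the autostart (“Run”) keys and triage each entry for the two tells described above: a system process name outside C:\Windows, and an autostart living in a user-writable directory. The script below is an added example, not code from the original article. It parses the text that `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s` and the equivalent HKCU query print, but the sample output embedded here is constructed (the user name, the “svchost” and “Updater” entries and the paths are invented), and the set of system process names and the severity rules are my own assumptions, not a standard list.

```python
import ntpath
import re
from typing import Dict, List

# Constructed stand-in for `reg query ...\Run /s` output. The entries, paths and
# user name are made up for this example; the "svchost" and "Updater" lines model
# the masquerade and user-writable-directory tells discussed in the article.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    svchost    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\update.exe -silent
"""

# Assumed list: names that legitimately exist only under C:\Windows. A binary with
# one of these names anywhere else is a classic masquerade.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "smss.exe", "wininit.exe", "explorer.exe", "taskhostw.exe", "dwm.exe",
}
USER_WRITABLE_MARKERS = ("\\appdata\\", "c:\\users\\public\\", "c:\\programdata\\")

# A value line in reg query output: indent, value name, type, data, separated by
# runs of spaces. Value names may themselves contain single spaces.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Turn reg query text into a list of {key, name, type, data} entries."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line: a key path
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append({"key": current_key, **m.groupdict()})
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from value data, lower-cased, with the common
    environment variables expanded (assumed to be the default C:\\Windows)."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:data.find('"', 1)]
    else:
        path = data.split()[0] if data.split() else data
    path = path.lower()
    for var in ("%windir%", "%systemroot%"):
        path = path.replace(var, "c:\\windows")
    return path


def triage_autoruns(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the masquerade / Temp / user-writable heuristics to each autostart."""
    findings = []
    for e in entries:
        path = image_path(e["data"])
        base = ntpath.basename(path)
        directory = ntpath.dirname(path) + "\\"
        if base in SYSTEM_PROCESS_NAMES and not directory.startswith("c:\\windows\\"):
            severity, reason = "high", "system process name outside C:\\Windows (masquerade)"
        elif "\\temp\\" in directory:
            severity, reason = "high", "autostart runs from a Temp directory"
        elif any(marker in directory for marker in USER_WRITABLE_MARKERS):
            severity, reason = "medium", "autostart in a user-writable location; verify the publisher"
        else:
            continue
        findings.append({**e, "path": path, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[{f['severity']:6}] {f['key']}\\{f['name']} -> {f['path']}  ({f['reason']})")
```

On the constructed data the script flags “svchost” (high, masquerade), “Updater” (high, Temp) and “OneDrive” (medium, AppData), and stays quiet on the two entries under C:\Windows and C:\Program Files. The OneDrive hit is the point of the medium tier: plenty of legitimate software autostarts from AppData, so that tier is a prompt to check the publisher and signature rather than a verdict. The same triage applies to the command lines of WMI `CommandLineEventConsumer` instances, which this script does not enumerate.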
4. Malware generates network traffic to a C&C node
This is perhaps the easiest way to identify remote access Trojan activity on a system. Once the exploited system is running the remote access Trojan, it has to reach out to the criminal’s command and control (C&C) servers. These servers send instructions to the target system, like “find and zip all the credit card numbers on the system and send them to me” or “run ransomware on this system”. This is where the remote access Trojan betrays itself at the network layer.
Network Intrusion Prevention Systems (NIPS) identify suspicious and hostile network traffic and block it, warning system administrators that something is wrong with the workstation because it is not doing its regular activity. If you have a threat intel feed of “bad IPs” updating your firewall or endpoints, this is the last chance. The system may be exploited through an unpatched vulnerability, the antivirus program may miss the installation of the remote access Trojan, but the network protection or NIPS may still block the IP address(es) of the C&C servers. Layered defense is important.
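Here is what that “last chance” looks like in code, as an added example that is not part of the original article. It runs outbound-connection log lines against a bad-IP feed, which is the check the article describes, and then goes one step beyond it: a remote access Trojan whose server is not yet on any feed still betrays itself by checking in on a fixed schedule, so the script also flags source/destination pairs with a suspiciously regular connection rhythm. The log lines and the indicator list are constructed for this example (the “bad” addresses are documentation ranges, not real C&C servers), and the thresholds are assumptions to tune for your own network.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed threat-intel feed. These are reserved documentation ranges used so the
# example runs offline; they are not real indicators.
BAD_INDICATORS = ["198.51.100.23", "203.0.113.0/24"]

# Constructed firewall/proxy log: timestamp, source, destination, destination port.
# Host 10.0.0.15 talks to an address on the feed once and then checks in with an
# address that is NOT on the feed every five minutes.
SAMPLE_LOG = """\
2015-10-01T09:00:00 10.0.0.15 93.184.216.34 443
2015-10-01T09:00:05 10.0.0.15 198.51.100.23 443
2015-10-01T09:01:12 10.0.0.22 203.0.113.77 80
2015-10-01T09:03:00 10.0.0.15 192.0.2.10 8080
2015-10-01T09:08:00 10.0.0.15 192.0.2.10 8080
2015-10-01T09:13:01 10.0.0.15 192.0.2.10 8080
2015-10-01T09:17:59 10.0.0.15 192.0.2.10 8080
2015-10-01T09:23:00 10.0.0.15 192.0.2.10 8080
2015-10-01T09:30:00 10.0.0.22 93.184.216.34 443
"""


def parse_log(text: str) -> List[Dict]:
    """Parse the four-column log format into events with real timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       "src": src, "dst": dst, "port": int(port)})
    return events


def match_threat_feed(events: List[Dict], indicators: List[str]) -> List[Dict]:
    """The article's check: is the destination on the bad-IP feed? Indicators may
    be single addresses or CIDR blocks."""
    nets = [ipaddress.ip_network(i, strict=False) for i in indicators]
    hits = []
    for e in events:
        dst = ipaddress.ip_address(e["dst"])
        for net in nets:
            if dst in net:
                hits.append({**e, "indicator": str(net)})
                break
    return hits


def find_beacons(events: List[Dict], min_connections: int = 5,
                 max_jitter: float = 0.2) -> List[Dict]:
    """Beyond the feed: flag (src, dst, port) tuples that connect at least
    min_connections times with near-constant spacing. Jitter is the standard
    deviation of the gaps divided by their mean; 0.2 is an assumed threshold."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"], e["port"])].append(e["ts"])
    beacons = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "connections": len(stamps),
                            "mean_interval_s": mean, "jitter": jitter})
    return beacons


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for h in match_threat_feed(events, BAD_INDICATORS):
        print(f"FEED HIT  {h['src']} -> {h['dst']}:{h['port']} matches {h['indicator']}")
    for b in find_beacons(events):
        print(f"BEACON    {b['src']} -> {b['dst']}:{b['port']} every "
              f"{b['mean_interval_s']:.0f}s ({b['connections']} connections, jitter {b['jitter']:.3f})")
```

On the sample data the feed check catches the two connections to listed addresses, and the beacon check surfaces the five-minute check-in to 192.0.2.10 that no feed knows about. Treat beacon hits as leads, not verdicts: update checkers and mail clients also poll on a timer, so the destination, the port and the process behind the connection still need a look.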
5. Malware possibly drops file(s) onto the system
As part of both the exploitation and the persistence of the exploit-and-payload cycle, there is a possibility (indeed a high probability) of file creation or the delivery of an attachment. This is where antivirus at its most basic level functions well, with both heuristic capabilities (that system activity looks wrong: stop it) and virus definitions (that file is known to be bad: quarantine it).
There is an opportunity for antivirus to prevent the exploit from occurring and the remote access Trojan from installing. The challenge for antivirus is that exploit kits can create thousands of “different”-looking email attachments, and the more sophisticated remote access Trojans can generate thousands of different versions of themselves, so a definition that matches one exact file will miss the next one. This is why keeping antivirus up to date is critical to detecting new malware iterations.
The key takeaway here is to use a layered defense to make it as difficult as possible for the bad guys to implant a remote access Trojan and mess with your computer (stealing or encrypting your data): patch and update your system and applications, keep your antivirus up to date, and use web protection or a network intrusion prevention system to block command and control traffic. Maintaining robust system and data backups will let you recover quickly if the bad guys get through all of your cyber defenses.
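To make the definitions-versus-heuristics point concrete, here is an added example (not code from the original article) with three detection layers run over constructed “samples”: an exact-hash definition, a content-pattern signature of the kind a YARA rule or generic AV definition provides, and a file-entropy heuristic. The samples are tiny stand-ins for a dropper, not real malware: a base build, a “variant” that differs only in its padding bytes the way a builder tool re-rolls copies, a “packed” build whose body is random-looking data, and a benign file. The C2 string, the hash list and the 7.0 bits-per-byte entropy threshold are assumptions for the example.

```python
import hashlib
import math
import re
from collections import Counter
from typing import Dict

# Constructed samples. HEADER/STUB imitate the start of a Windows executable;
# CONFIG is an invented plaintext C2 string of the kind a RAT family embeds.
HEADER = b"MZ\x90\x00" + b"\x00" * 60
STUB = b"This program cannot be run in DOS mode.\x00"
CONFIG = b"C2=http://c2.example.invalid/gate.php\x00"


def make_sample(padding: bytes) -> bytes:
    return HEADER + STUB + CONFIG + padding


BASE_SAMPLE = make_sample(b"\x00" * 32)            # the build the AV vendor has seen
VARIANT_SAMPLE = make_sample(bytes(range(1, 33)))  # same program, re-rolled padding
# "Packed" build: body replaced by deterministic high-entropy bytes (SHA-256 chain),
# standing in for a compressed/encrypted payload with no plaintext strings.
PACKED_SAMPLE = HEADER + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
BENIGN_SAMPLE = HEADER + STUB + b"Hello from a harmless utility.\x00" * 4

# Layer 1: exact definitions. Only the build the vendor analysed is listed.
KNOWN_BAD_SHA256 = {hashlib.sha256(BASE_SAMPLE).hexdigest()}
# Layer 2: a family signature on a stable byte pattern (what a YARA rule does).
FAMILY_PATTERN = re.compile(rb"C2=https?://[^\x00]{1,200}/gate\.php")
# Layer 3: heuristic threshold, assumed; packed/encrypted data sits near 8 bits/byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; 8.0 is indistinguishable from random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(sample: bytes) -> Dict:
    """Run the three layers and combine them into a verdict."""
    entropy = shannon_entropy(sample)
    hash_hit = hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256
    pattern_hit = FAMILY_PATTERN.search(sample) is not None
    high_entropy = entropy >= ENTROPY_THRESHOLD
    reasons = []
    if hash_hit:
        reasons.append("matches a known-bad hash")
    if pattern_hit:
        reasons.append("matches the family string signature")
    if high_entropy:
        reasons.append(f"high entropy ({entropy:.2f} bits/byte), likely packed")
    if hash_hit or pattern_hit:
        verdict = "malicious"
    elif high_entropy:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hash_hit": hash_hit, "pattern_hit": pattern_hit,
            "high_entropy": high_entropy, "entropy": entropy, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in [("base", BASE_SAMPLE), ("variant", VARIANT_SAMPLE),
                         ("packed", PACKED_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        r = scan(sample)
        print(f"{name:8} {r['verdict']:10} {'; '.join(r['reasons']) or '-'}")
```

The results line up with the article’s argument. The hash definition catches only the base build; the trivially re-rolled variant slips past it, which is exactly why definitions have to keep pace with the thousands of copies a builder can churn out. The family signature catches base and variant alike, because the string the malware needs at runtime survives the re-roll. The packed build carries no plaintext string and no known hash, and only the entropy heuristic notices it, with the usual caveat that legitimate compressed installers look the same, so heuristics produce “suspicious”, not “malicious”.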