Late last year I attended a seminar titled “Anatomy of an Attack – How Hackers Threaten your Security” by Sophos. Stay with me, it is important.
Malware (viruses, spam etc.) used to be distributed by running programs or opening Word documents; it was designed specifically to attack your systems and cause problems with your network. Sophos have now seen a change: theft of data is now the focus, and most malware attacks come from infected web pages.
“There is now more new malware per day, than there were for the whole of 2006”
“83% of malware infected web pages are on legitimate websites”
Sophos’ experience has shown that:
- Networks that use forums or blogs are getting inundated with links to fake antivirus and other malware sites.
- Very professional-looking fake antivirus sites falsely report viruses on your local machine and then recommend you install their fake antivirus to clear them, which installs the malware.
- Mac malware is now a reality, and malware sites distinguish between operating systems and attack each with appropriate malware.
- Applications are being targeted, especially the growing Web 2.0 applications, including Adobe PDF and Flash, QuickTime and Java.
- Malware distributors know that users now install updates and multimedia plug-ins regularly, so they build websites that demand these, getting the site user to install the malware.
- Hackers are targeting unpatched, insecure websites, especially the ones that are database driven.
There are a number of ways to limit the possibility of a malware attack.
- Ensure that not just the Windows operating system is kept up to date, but also the applications that are used regularly: Internet browsers, Adobe Flash, Adobe Acrobat Reader, QuickTime, Java etc. Hackers know which applications are used and which versions have vulnerabilities, and target their attacks accordingly.
- Set the workstations to operate at user level; do not have users log on with workstation administrator access rights.
- If hosting websites, ensure the server is secure and patched to block all known vulnerabilities.
- Ensure passwords are appropriate: administrator passwords should be at least 8 characters long, with a mix of alphanumeric characters and a mix of upper- and lowercase letters. (The Conficker virus spread from one computer to another over local area networks using a database of standard passwords.)
- Ensure the anti-virus client has the latest update installed.
For Sophos:
- On standalone versions of Sophos:
To update, double-click the Sophos shield in the bottom right of the task bar.
To check the update, right-click the Sophos shield and click Open Sophos Anti-Virus. The Sophos Status section is displayed on the left.
- On network installations of Sophos, check the Sophos Enterprise Console. (Ensure your network team is monitoring this.)
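The password recommendation above is easy to turn into a check. The following is an added example, not Sophos' code or anything from the seminar: it enforces the stated policy (8+ characters, letters and digits, upper- and lowercase) and, because of the Conficker point, also rejects passwords that are, or are built from, entries in a constructed list of "standard" passwords. The list and the trailing-digit heuristic are assumptions made for the example.

```python
import re

# Policy as stated in the post: administrator passwords at least 8 characters,
# with a mix of letters and digits and both upper- and lowercase letters.
MIN_LENGTH = 8

# Constructed sample of "standard" passwords; a real check would load a much
# larger list (the kind a worm like Conficker carried to spread over the LAN).
COMMON_PASSWORDS = {
    "password", "password1", "admin", "admin123", "123456", "12345678",
    "qwerty", "letmein", "welcome", "changeme",
}


def check_admin_password(password: str) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Goes slightly beyond the stated policy: "Password123!" satisfies every
    # rule above but is just a dictionary word with a suffix bolted on, so
    # strip trailing non-letters and compare the base word as well.
    lowered = password.lower()
    base = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("based on a common password")
    return problems


if __name__ == "__main__":
    for candidate in ["admin", "Password123!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_admin_password(candidate) or "ok")
```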
New malware term:
Server-side polymorphism.
New hacking techniques are emerging that make malware increasingly difficult to detect and clear; one of these is server-side polymorphism. Polymorphic malware included a polymorphic engine that allowed the malware to replicate and change, making it more difficult to identify and block. With server-side polymorphism the engine is not left on the infected system, so the engine itself can now also be altered; this lets the malware change rapidly and makes it harder to detect, so content analysis alone is not enough to clear the malware.