Malware Attack and Detection is a Cat and Mouse Game

Malware outbreaks have several characteristics:

First, the vulnerabilities being used are 0-day or n-day exploits in commonly used software. Because that software is so widely deployed, there are many potential targets, and because not everyone patches in a timely manner, there are many unpatched systems on the network. That makes it fertile ground for virus propagation. The Wannacry ransomware outbreak makes use of a Microsoft Windows vulnerability that was discovered and patched in March, but there are still a lot of systems that have not been updated to fix this issue.

In terms of attack delivery, a virus that propagates through active attacks usually spreads more quickly and causes more damage. 2016 was a banner year for ransomware, but until this most recent attack the threats had largely been contained. Ransomware used to spread through phishing and malicious emails, malicious websites, etc., and it needed an improper user action to trigger. With increasing awareness of these attacks, the affected user group was getting smaller. By contrast, the Wannacry ransomware does not need user interaction to scan and exploit systems on the network, so the outbreak and damage are more serious.

Lastly, the purposes of malware outbreaks have been changing over time. This clearly indicates that the business model of the hacking underworld is evolving. Before, the purpose of this kind of network attack was to take control of the target systems and turn them into bots. Hackers organized these systems into botnets and profited by sending spam emails and performing DDoS attacks. The effect on the owners of the systems was therefore indirect; system owners tended to remain unaware that their systems had been hacked for months or years. Today, these attacks often profit through ransomware. The users are directly affected and business operations are interrupted. This is the primary reason that these attacks are increasingly gaining attention.

There are several aspects to preventing and controlling a malware outbreak, and the responsibilities fall on different players.

As we have seen, the network is the medium through which this malware propagates. ISPs and ICPs can deploy measures on their network devices to detect and block attack and command-and-control traffic. For known vulnerabilities, detection signatures can be updated promptly to defend against attacks on unpatched systems. Honeypots can be deployed to detect an increasing frequency of attack traffic. And heuristic behavior analysis can be used to detect behaviors that often accompany malware outbreaks, such as a rising and unusually large number of failed connections to particular IP addresses or domain names.
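One way to implement the failed-connection heuristic described above, as an added example that is not part of the original article: a sliding-window count of failed connections per source host, run over constructed log lines. The log format, window length and thresholds are assumptions; a host that fails against many distinct destinations in a short window is the scanning pattern a worm produces, while occasional failures spread over hours are left alone.

```python
# Added example, not from the original article. Log format, window length and
# thresholds are assumed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log: "<timestamp> <src> -> <dst>:<port> <result>"
# 10.0.0.5 fails against six different hosts within seconds (scanning pattern);
# 10.0.0.7 has one ordinary failure; 10.0.0.8 fails once every ten minutes.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.20:445 FAIL
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.21:445 FAIL
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.22:445 OK
2017-05-12T10:00:04 10.0.0.5 -> 10.0.0.23:445 FAIL
2017-05-12T10:00:05 10.0.0.5 -> 10.0.0.24:445 FAIL
2017-05-12T10:00:06 10.0.0.5 -> 10.0.0.25:445 FAIL
2017-05-12T10:00:07 10.0.0.5 -> 10.0.0.26:445 FAIL
2017-05-12T10:00:10 10.0.0.7 -> 10.0.0.30:443 FAIL
2017-05-12T10:00:11 10.0.0.7 -> 10.0.0.30:443 OK
2017-05-12T10:05:00 10.0.0.8 -> 10.0.0.40:22 FAIL
2017-05-12T10:15:00 10.0.0.8 -> 10.0.0.41:22 FAIL
2017-05-12T10:25:00 10.0.0.8 -> 10.0.0.42:22 FAIL
2017-05-12T10:35:00 10.0.0.8 -> 10.0.0.43:22 FAIL
2017-05-12T10:45:00 10.0.0.8 -> 10.0.0.44:22 FAIL
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst_ip, port, result)."""
    ts, src, _arrow, dst, result = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(port), result

def find_scanning_hosts(lines, window_seconds=60, min_fails=5, min_dsts=3):
    """Return {src: (fail_count, distinct_dsts)} for every source whose failed
    connections inside some sliding window reach both thresholds."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # src -> [(timestamp, dst_ip), ...]
    for line in lines:
        ts, src, dst_ip, _port, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, dst_ip))
    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        start, best = 0, (0, 0)
        for end, (ts, _dst) in enumerate(fails):
            while ts - fails[start][0] > window:  # drop events older than the window
                start += 1
            in_window = fails[start:end + 1]
            best = max(best, (len(in_window), len({d for _, d in in_window})))
        if best[0] >= min_fails and best[1] >= min_dsts:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanning_hosts(SAMPLE_LOG.splitlines()))  # {'10.0.0.5': (6, 6)}
```

Widening the window to an hour also flags 10.0.0.8, which shows why the window and thresholds must be tuned to the normal failure rate of the network being watched.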

Organizations need to adopt security best practices, including:

  • Patching vulnerable systems promptly, which goes a long way in preventing network attacks.
  • Adopting layered defense through a mixture of network and endpoint security solutions, which helps catch the attack at different phases of the attack cycle.
  • Training users on security awareness to reduce unsafe use of the internet.
  • Implementing incident response procedures and policies to deal with potential breaches.

Malware attack and detection is a cat and mouse game, and technologies are evolving on both sides. Enterprises and users need to keep their prevention measures up to date to reduce and curb the damage from these attacks.