This week, the industry press is reporting a resurgence of older malware threats with new capabilities. And as usual, the press is making the threats sound like the end of the Internet as we know it. While both threats are serious, there is no need to panic.
What goes around comes around
On Monday November 3, news surfaced about BlackEnergy malware. BlackEnergy is a toolkit that has been used by criminal organizations for several years. Following successful malware trends, it is modular and updateable. This week’s news is that BlackEnergy is specifically targeting routers and Linux-based devices. Part of the problem is that routers are not protected by anti-malware or host-based security software. This is because first, routers lack storage and speed, and were never designed to run applications, so they can’t run anti-virus or security software. And second, routers aren’t set up like file servers that can archive an infected object, so there is little chance for a router to become a “cyber Typhoid Mary.”
The other threat raised this week is the WireLurker malware, which infects iOS through compromised OS X machines. Like BlackEnergy, WireLurker is modular, and it was distributed through 467 applications hosted on the Maiyadi App Store (a third-party store hosted in China). This threat can now infect non-jailbroken iOS devices simply by connecting an iPhone/iPad/iPod to a computer to sync a calendar or contacts list. This concept is very frightening to many users.
No one is immune
For many years, advocates of the Linux operating system and Apple product lines have taken pride in being immune to malware. In my opinion, this has been a false pride for many years, and is a case of those who forget history being doomed to repeat it. The simple fact is that computer viruses can be traced back to IBM mainframes (Christma EXEC), and even further if you count CoreWars as the precursor to viruses. Fred Cohen, the man who coined the name “computer virus,” performed his research on Unix machines. Since those early days, every platform and every OS has had at least one piece of malware written for it.
Keep your defenses up
Even in the trade press, hype sells. More people will click on or read a headline such as “Latest threat means the end of the Internet” than “Year-old malware has new capability.” Journalists and editors want you to read their stories, and the more sensational they sound, the more likely you are to read them.
Our defenses must never be static
So every few weeks or months, there will be a legitimate new threat that must be dealt with because it is not addressed by current policies, procedures or safeguards. The simple truth is: we are network defenders, and attackers have the luxury of time on their side. No matter what defense we put up, attackers will carefully test and analyze for weaknesses. Our defenses must never be static, nor should we overlook the basics. It’s easy to say that anti-virus is dead and has failed us, but if you remove anti-virus software from today’s environment, it could be as little as 40 minutes before those machines are infected (according to recent SANS security studies).
There are legitimate reasons why some platforms cannot leverage host-based security products. As previously discussed, routers do not have the capability to run internal security products such as firewalls and anti-virus. We must recognize this limitation when designing network defenses. If network security is “crunchy exterior and soft interior,” we have to find ways to harden and protect devices that cannot do it natively, or we need to monitor them very carefully.
“The squeaky wheel gets the grease” applies well to computer security. Management may ignore computer security until there is a big incident, a major press release, or a corporate breach. When that happens, the first thing a security analyst should do is to look for indicators of compromise (IOCs) — things like network traffic to and from an IP address, or a file or registry entry on a compromised host. Once you identify key IOCs, ask yourself if you can detect or monitor for them. Then, the next time management asks if you have seen the news, you can give them straight answers.
We label incident response management as “Prevention, Detection, and Remediation.” Everything we do should be targeted at one of those processes. Prevention includes security software such as firewalls, host intrusion prevention, and anti-malware. (I realize that prevention is also leveraging detection of the threat and remediation by deletion or “cleaning,” but that’s a topic for another time.) Remediation cannot be done until some form of detection has occurred, such as log monitoring, symptom detection or accidental discovery.
Detection is where many defenses fall down; we often overlook the simple but time-consuming task of monitoring activities. In the past, monitoring meant poring through logs from multiple machines. Today, log analysis is still important, but there are many ways to automate network traffic monitoring and analysis. While it is tempting to look at just the top ten offenders or incidents, the lower-ranked abnormalities can often be more informative.
So back to BlackEnergy and WireLurker. For both threats, anti-malware software can detect infected objects on Linux or OS X machines (if it is installed), but the monitoring of abnormal traffic will help identify compromised routers and iOS devices (if they are on Wi-Fi).
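The two monitoring ideas above (checking traffic against known IOC addresses, and surfacing the low-ranked abnormalities a top-ten view hides) as one added example; this is illustration code written for this post, not a tool from the article. The flow log lines, the host addresses (10.0.1.1 standing in for a router) and the IOC address 198.51.100.7 are all constructed placeholders; real indicators come from the vendor advisories.

```python
import re
from collections import Counter

# Constructed sample flow log: timestamp, src, dst, dst port, bytes (not real traffic).
SAMPLE_FLOWS = """\
2014-11-05T09:00:01 10.0.0.12 93.184.216.34 443 5120
2014-11-05T09:00:02 10.0.0.12 93.184.216.34 443 4096
2014-11-05T09:00:05 10.0.1.1 198.51.100.7 8080 730
2014-11-05T09:00:09 10.0.0.40 93.184.216.34 443 2048
2014-11-05T09:00:11 10.0.1.1 198.51.100.7 8080 812
2014-11-05T09:00:15 10.0.0.12 203.0.113.9 6667 96
2014-11-05T09:00:20 10.0.0.40 93.184.216.34 443 1024
""".splitlines()

# Placeholder IOC list (constructed); load the real one from your threat feed.
IOC_IPS = {"198.51.100.7"}

FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def parse_flow(line):
    """Parse one flow line into a dict, or None if the line is malformed."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}

def match_iocs(lines, ioc_ips):
    """Return (internal host, IOC address, timestamp) for flows touching a known-bad address in either direction."""
    hits = []
    for flow in filter(None, map(parse_flow, lines)):
        if flow["dst"] in ioc_ips:
            hits.append((flow["src"], flow["dst"], flow["ts"]))
        elif flow["src"] in ioc_ips:
            hits.append((flow["dst"], flow["src"], flow["ts"]))
    return hits

def rare_destinations(lines, max_flows=1):
    """(dst, port) pairs seen at most max_flows times: the low-ranked oddities a top-ten report never shows."""
    counts = Counter((f["dst"], f["port"]) for f in filter(None, map(parse_flow, lines)))
    return sorted(key for key, n in counts.items() if n <= max_flows)

if __name__ == "__main__":
    for host, ioc, ts in match_iocs(SAMPLE_FLOWS, IOC_IPS):
        print(f"IOC hit: {host} talked to {ioc} at {ts}")
    for dst, port in rare_destinations(SAMPLE_FLOWS):
        print(f"rare destination worth a look: {dst}:{port}")
```

On the sample data the router 10.0.1.1 is flagged twice for the IOC address, while the single IRC-port flow from 10.0.0.12 only shows up through the rare-destination view.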
When building corporate malware defenses, the one thing that will help you sleep better and panic less than your colleagues is the use of continuous network monitoring. Leveraging tools like network sniffers with customized rules for malware and honeypots (both physical devices and places like email mailboxes) has proved successful in the past. But today’s network monitoring devices are sophisticated and underutilized. Think outside the box, see what you can leverage for earlier detection, and the Internet will be better for it.