
How to be the cat - not the mouse - in the fight against zero-day malware

11 Oct 2016

Zero-day malware mutations can spell disaster for networks, as they can often get in completely undetected by traditional security protection. According to security company Ixia, combating zero-day attacks requires a continuous monitoring solution that tracks the originating and target IP addresses of all network traffic.

Failing to do so can lead to another case like the Locky malware threat. Locky evolved into a zero-day mutation that was detected by only 10% of all antivirus programs, which Ixia says demonstrates the nature of new attacks and the need for new defences.

“As hackers develop new attack techniques, security professionals work to strengthen defences. This game of cat and mouse creates a cycle of adaptation and change, resulting in malware capable of changing itself to avoid detection by traditional antivirus systems,” comments Scott Register, vice president, product management, Ixia.

“Zero-day mutations have different characteristics to existing malware. Antivirus systems can only protect against malware they can identify, which is why new strains, or zero-day mutations, can pass undetected and infect the network,” he says.

The Locky ransomware conducts what Ixia calls a multi-stage attack. It starts as a phishing email. If opened, document macros connect to an attacker's remote server to download ransomware. The encryption process begins, and the ransomware demands are made.

“These multi-stage attacks are especially dangerous, as they can bypass detection by virtualised sandboxes. Most sandboxes do not flag macros as malicious. Furthermore, they only inspect email-based traffic. Once a macro has been activated on the user’s PC, the malicious payload is delivered by a different route, avoiding the sandbox entirely,” Register explains.

The Locky ransomware is an example of mutated malware, which the company says can be 'near impossible' to remove from IT systems. Therefore, it's imperative that security vendors catch it before it does major damage.

Register believes that organisations need to focus on the origin of malware, not only on what type it is and how it is delivered. He says that ‘bad’ IP addresses can be easily identified.

“Rarely will a ‘bad’ IP address become trustworthy. Cyber-criminals’ potential IP addresses are scarce. Hackers must either find and compromise an individual server, or hijack a range of IP addresses via Internet routing manipulation. This is neither simple nor easy and, as a result, IP addresses are continually reused for criminal purposes. Even brand-new malware variants are invariably connected to a relatively small number of known compromised IP addresses, which comprise tens of millions out of 4.3 billion IPv4 addresses,” he says.

Once those IP addresses are identified, they can be completely blocked using a threat intelligence gateway that offers continuous monitoring and intelligence about known bad addresses.

“Even if a user falls victim to a phishing email and opens a document with macro ransomware inside, the threat intelligence gateway will stop the macro from communicating to the IP address. This nullifies the danger to the user and the wider enterprise network,” Register says.
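The origin-based check described above, as an added example that is not Ixia's code or a description of its product: a minimal gateway rule that parses constructed flow records, matches both the source and destination address against a constructed list of known-bad networks (documentation ranges standing in for a real threat-intelligence feed), and blocks the macro's outbound download regardless of how the document arrived.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a threat-intelligence feed. These are RFC 5737
# documentation ranges, not real indicators; a real gateway would refresh
# this list continuously from its intelligence source.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",      # hypothetical hosting range reused for payload delivery
    "203.0.113.77/32",   # hypothetical single compromised server
)]

# Constructed flow log: timestamp, source IP, destination IP, protocol, destination port.
SAMPLE_LOG = """\
2016-10-11T09:00:01 10.0.0.15 192.0.2.45 tcp 80
2016-10-11T09:00:02 10.0.0.15 198.51.100.10 tcp 443
2016-10-11T09:00:03 203.0.113.77 10.0.0.15 tcp 445
"""

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int

def parse_flows(text: str) -> list[Flow]:
    """Turn whitespace-separated log lines into Flow records, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, proto, dport = line.split()
            flows.append(Flow(ts, src, dst, proto, int(dport)))
    return flows

def is_bad(ip: str) -> bool:
    """True when the address falls inside any listed network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BAD_NETWORKS)

def gateway_decision(flow: Flow) -> str:
    """Check both ends of the flow: the macro's outbound fetch is stopped by
    destination reputation, and a listed source is stopped on the way in."""
    if is_bad(flow.dst):
        return "BLOCK outbound"
    if is_bad(flow.src):
        return "BLOCK inbound"
    return "ALLOW"

def evaluate(text: str) -> list[tuple[Flow, str]]:
    return [(f, gateway_decision(f)) for f in parse_flows(text)]
```

Running `evaluate(SAMPLE_LOG)` blocks the first flow (payload fetch from a listed range) and the third (inbound from a listed server) while allowing the second.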

Ixia recommends that organisations use three detection layers, covering malware identification, delivery and origin, to protect against new malware and zero-day malware mutations.
