While many cybercriminals complete data retrieval in a matter of minutes or less, others prefer a long-haul approach to harvesting protected information. The recent surge in advanced persistent threats (APTs), ransomware, and other sophisticated crime is an indicator that well-hidden viruses are definitely something to watch out for.
Three out of ten organizations believe they were hit by an APT in 2015, according to Galois research. The latest security threats are characterized by their ability to remain undetected for long periods on a company's network. In some cases, criminals have gone unnoticed for years.
IT pros need to be prepared for a new generation of malware and ransomware that are subtle, but dangerous. Join us as we review where APTs, ransomware, and other sophisticated malware can hide in your network and how to be prepared to protect your organization.
Where Malware and Ransomware May Hide
1. Critical System Files
One of the most dangerous and least conspicuous spots where highly sophisticated malware can hide is among your critical system files. Traditionally, malware files used to replace or modify existing critical system files were distinguished by a foreign signature or metadata visible in the Attribute Certificate Table (ACT) of signed files.
As noted by PCWorld, security researcher Tom Nipravsky recently showed that signatures are no longer foolproof. Cybercriminals have discovered how to perform "file steganography", hiding malware inside signed files without modifying the ACT.
While the file steganography techniques used by highly sophisticated cybercriminals bypass most traditional detection methods, they still leave traces. Technology that detects changes in file size or contents, in addition to signature changes, makes it possible to catch these malicious changes.
2. Windows Registry
Some malware modifies Windows Registry keys to establish a position among the "autoruns", ensuring the malware launches each time the OS starts. InfoWorld's Roger A. Grimes wrote in 2015 that the vast majority of malware today modifies registry keys as one way of ensuring long-term residence within a network.
Manually auditing your Windows Registry keys for abnormalities is a massive task: it would theoretically require comparing log files against tens of thousands of autorun settings. While there are some possible shortcuts, efficiently determining modifications to your registry keys is typically best achieved with a file integrity monitoring solution.
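As an added illustration of the baseline-and-compare approach behind both the signed-file and the registry sections above (example code, not from the post or from CimTrak), the Python below fingerprints files by size and full-content SHA-256, so bytes added to a signed binary show up even where the embedded signature still verifies, and diffs any two snapshots, whether of a file tree or of Run-key values. The registry snapshot is constructed for the demo: the key path is the real HKLM Run key, but the value names and data are made up.

```python
import hashlib
import os
import tempfile

def file_fingerprint(path):
    """Size plus full-content SHA-256: both change when bytes are added to a signed file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()

def snapshot_tree(root):
    snap = {}   # path relative to root -> (size, sha256)
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = file_fingerprint(full)
    return snap

def diff_snapshots(baseline, current):
    """Compare two snapshots (file fingerprints or registry values alike); sorted (item, change) pairs."""
    changes = [(i, "removed") for i in baseline.keys() - current.keys()]
    changes += [(i, "added") for i in current.keys() - baseline.keys()]
    for item in baseline.keys() & current.keys():
        old, new = baseline[item], current[item]
        if old != new:
            size_changed = isinstance(old, tuple) and old[0] != new[0]
            changes.append((item, "size changed" if size_changed else "content changed"))
    return sorted(changes)

def demo_file_changes():
    # Constructed sample: baseline three files, then append to one, rewrite another in place, delete the third.
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("a.dll", b"AAAA"), ("b.dll", b"BBBB"), ("c.dll", b"CCCC")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot_tree(root)
        with open(os.path.join(root, "a.dll"), "ab") as fh:
            fh.write(b"<appended bytes>")   # size and hash both move, as with data stuffed into a certificate table
        with open(os.path.join(root, "b.dll"), "wb") as fh:
            fh.write(b"BBBX")               # same size, different content: only the hash moves
        os.remove(os.path.join(root, "c.dll"))
        return diff_snapshots(baseline, snapshot_tree(root))

# Constructed registry sample: real HKLM Run key path, made-up value names and data.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTORUNS_BASELINE = {RUN_KEY + r"\Agent": r"C:\Program Files\Vendor\agent.exe"}
AUTORUNS_NOW = dict(AUTORUNS_BASELINE, **{RUN_KEY + r"\Updater": r"C:\Users\jdoe\AppData\Local\Temp\upd.exe"})

def autorun_changes():
    return diff_snapshots(AUTORUNS_BASELINE, AUTORUNS_NOW)   # a new Run value pointing into a Temp folder
```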
3. Temporary Folders
Operating systems contain a host of temporary folders, ranging from internet caches to application data. These files are an inherent part of the OS, allowing the system to process and compress information to support the user experience. By default, these temporary folders are writeable by all users so that internet browsing, the creation of Excel spreadsheets, and other common activities work.
Because of this inherently loose security, temporary folders are a common landing place for malware and ransomware as soon as criminals gain entry to your system via phishing, a rootkit exploit, or another method. Ransomware and malware may use temporary folders as a launchpad to execute immediately, or to establish other strongholds within a company's network through privilege escalation and other means.
4. .lnk Files
.lnk files, also known as "shortcuts", may contain a direct path to a malware- or ransomware-laden website or, more dangerously, to an executable file. Chances are, your employees have quite a few of these on their desktops to ease access to commonly visited web applications and other tools.
Both malware and ransomware can gain a foothold within a system after download via cleverly disguised .lnk files that resemble an existing shortcut or even an innocuous PDF document. Unfortunately, the average end user cannot tell the difference, since the .lnk extension is never displayed.
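To see what a shortcut actually carries beneath its icon, here is an added Python example (not code from the post) that reads the fixed header and string fields of the Shell Link format and applies two defender-side triage heuristics: a window that opens minimized and unfocused, and an executable target wearing another file's icon. `make_lnk` builds a constructed minimal shortcut rather than reading a real one, and every path used with it is made up.

```python
import struct

# Layout constants from the MS-SHLLINK specification: header size, LinkCLSID and LinkFlags bits.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
SW_SHOWMINNOACTIVE = 7
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr")

def parse_lnk(data):
    """Read the ShellLinkHeader and StringData of a .lnk, skipping the ID list and LinkInfo blocks."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:              # IDListSize (2 bytes) followed by the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize (4 bytes) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, key in STRING_FIELDS:       # each string: CountCharacters (2 bytes) + characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + count * width
    return info

def triage(info):
    """Defender heuristics: reasons a shortcut deserves a closer look, not a verdict."""
    reasons = []
    target = info.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    icon = info.get("icon_location", "").lower().rsplit("\\", 1)[-1]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimized and not activated")
    if target.endswith(EXECUTABLE_SUFFIXES) and icon and icon != target:
        reasons.append("icon borrowed from another file")
    return reasons

def make_lnk(relative_path, arguments, icon_location, show_command=1):
    """Constructed sample: a minimal Unicode .lnk carrying only StringData (no ID list, no LinkInfo)."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<II", flags, 0) + bytes(24)
    header += struct.pack("<III", 0, 0, show_command) + bytes(12)    # FileSize, IconIndex, ShowCommand, tail
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments, icon_location))
    return header + body
```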
5. Word Files
Even relatively low-grade spam filters are wise enough to flag .exe files as potentially malicious. Cybercriminals have adapted to this and are now taking advantage of Microsoft Office VBA macros to insert ransomware code within Word documents, according to KnowBe4. This particular flavor, Locky ransomware, immediately drops into temporary folders, locks the data, and issues its ransom demands.
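A gateway-side check for the macro vector just described, as an added Python example (not from the post or from KnowBe4): it lists the VBA project parts inside an OOXML document and flags a file whose extension claims it is macro-free. `build_doc` fabricates a minimal zip with the relevant part names; the vbaProject.bin bytes are a placeholder, not a real VBA project, and legacy binary .doc files (OLE, not zip) are rejected rather than parsed.

```python
import io
import zipfile

MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_FREE_SUFFIXES = (".docx", ".xlsx", ".pptx")   # OOXML types that should carry no VBA project

def office_macro_parts(data):
    """VBA project parts present in an OOXML (zip) document; [] when there are none.
    Legacy .doc/.xls files are OLE containers, not zips, and are rejected here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile as exc:
        raise ValueError("not an OOXML container") from exc
    return [part for part in MACRO_PARTS if part in names]

def macro_extension_mismatch(filename, data):
    """True when a file named as macro-free (.docx etc.) still ships a VBA project."""
    return filename.lower().endswith(MACRO_FREE_SUFFIXES) and bool(office_macro_parts(data))

def build_doc(with_macro):
    """Constructed sample: a minimal zip with the part names this check looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)   # placeholder bytes, not a real VBA project
    return buf.getvalue()
```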
Protecting Your Organization Against the Sneakiest Malware and Ransomware
Is it possible to protect your organization against the latest iterations of malware and ransomware through manual review of Windows Registry keys, education on the dangers of .lnk files, and other safeguards? Possibly, but it certainly wouldn't be the most pragmatic approach. Today's most dangerous attacks are more likely than ever to look like normal, innocent components of your company's network, even to a well-trained eye.
Today's security landscape demands smarter, more efficient solutions to monitor all aspects of your files, beyond signatures and surface appearances. With the help of CimTrak, security pros gain the ability to understand malicious changes to Windows Registry keys, critical system file contents, and other key hiding places the moment they occur. Not only can you achieve total oversight, but you can also fully remediate changes from the administrative console.
November 3, 2016