
Fighting new malware species


As a network security researcher, I get to see all sorts of malware species. Some of their creators are quite funny, leaving encrypted jokes and messages in virus bodies, for example. Others are much more aggressive, though, creating tiny yet extremely clever pieces of software that can wipe out an entire hard drive within seconds! Here's how I analyze new malware species.

The first step is to get a copy of the virus. This can be a difficult task if the malware is active in memory, but it's quite easy if I can boot the system from a clean drive. For Windows-based computers and laptops, I can use a bootable Live Linux desktop distribution, which lets me run an OS in which the virus simply can't live, because it wasn't built for Linux. The process is a bit more complex for mobile devices, especially the ones running iOS, but it's not impossible.

Once the virus is isolated, I try to figure out how it managed to infect the device. Did the user click a link that led to a shady website? Did he or she click a pop-up, install a plug-in or a so-called "malware scanner", and so on? Or did the hacker use an existing operating system vulnerability to plant the malware? Depending on the answers to these questions, I can take appropriate measures to make sure that the mistakes aren't repeated in the future.

If the malware was installed by clicking an email link, for example, I can train the users and install some custom-made tools that prevent accidental clicks from doing harm in the future, by comparing each clicked URL against the addresses stored in a local blacklist. Pop-up clicks and plug-in installs can be prevented by implementing a tight access control policy, which requires approval for all the operations that could lead to trouble.
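As an added illustration of the URL check described above (example code written here, not the author's tool), this Python snippet normalizes a clicked URL and matches its host against a local blacklist, also catching subdomains of a listed domain and URLs that hide the real host behind user-info; the blacklist entries are constructed placeholders, not real indicators.

```python
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample blacklist of known-bad hosts (hypothetical entries).
BLACKLIST = {
    "malware-example.test",
    "phish.example.net",
}


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase host of a clicked URL, or None if it is not a web URL.

    urlsplit().hostname lowercases the name, drops the port and drops any
    user-info, so "http://bank.example.org@malware-example.test/" resolves
    to the real destination host rather than the decoy in front of the '@'.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url          # schemeless links still get checked
    try:
        parts = urlsplit(url)
    except ValueError:                 # malformed IPv6 brackets, etc.
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")  # "evil.test." and "evil.test" are the same host


def is_blacklisted(url: str, blacklist: Iterable[str] = BLACKLIST) -> bool:
    """True if the URL's host, or any parent domain of it, is on the blacklist."""
    host = normalize_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Walk from the full host up to its parent domains so that
    # "login.phish.example.net" matches a "phish.example.net" entry.
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def blocked_clicks(urls: Iterable[str]) -> List[str]:
    """Filter a batch of clicked URLs (e.g. from a proxy log) down to the blocked ones."""
    return [u for u in urls if is_blacklisted(u)]
```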

Finally, if cyber criminals have managed to infect the computer by exploiting an existing operating system and/or application vulnerability, I install software which ensures that both the OS and the apps get upgraded in the background whenever new versions become available. Sometimes I discover previously unknown vulnerabilities; if this is the case, I contact the software authors to let them know about the problem, and sometimes I even take the time to help them fix it.

Now it's time to analyze the virus. I use a virtual machine, a copy of the operating system that runs in an isolated environment and can be terminated whenever I want. I study the virus's behavior, asking lots of questions like these: "what does the virus do?", "what type of files does it access?", "does it open certain URLs?", "does it make use of other applications?", "does it travel across the network?", and so on. Wireshark is one of the main applications I use for this step of the process. By using tools like these to answer those questions, I can determine the consequences of the attack.

Armed with all this information, I can clean up all the devices which have been affected by the malware. Some ransomware variants are much harder to disinfect, but not impossible. Hopefully, the companies I work with have backup copies of their important data, in case something goes wrong.