The bad guys no longer need to trick you into downloading malware onto your PC, says Jérôme Segura. They can do it without your knowledge by using exploits, which means the defences you built against attacks that depend on user error are no longer sufficient on their own.
Let’s compare exploits to visitors at your business HQ. Guests come in through the front door, often with a visitor pass confirming their registration at reception. These are guests that you openly welcome into your business.
But what if a visitor climbed in through a window that should have been locked, or slipped past reception without a visitor pass? In essence, exploits are unwanted guests that enter in ways you never intended, trying to infiltrate your business.
Businesses are familiar with malware and the disruption it causes. But investing time and money in security programs and employee training will not prevent malware on its own: it usually arrives subtly and innocuously, in ways that defeat employee awareness and traditional security products.
Software development is complex and fast-moving, so programs inevitably ship with bugs and flaws. Malicious actors use these weaknesses (also known as vulnerabilities) to deliver malware.
The code that triggers such a vulnerability is an exploit, and exploits are the number-one infection vector for malware. They can be delivered by email or, most commonly, by web pages, and they need little or no user interaction.
A common problem is that many companies depend on an internal business platform that only runs on an old version of Java or a similar runtime. Because they cannot update that software without breaking the platform, they cannot apply its security patches either.
And even when updates can be applied, they sometimes have undesirable side effects. Case in point: three times this year Microsoft has had to withdraw its monthly updates because they were causing major stability problems.
So companies (and home users) tend to wait before applying updates, to make sure those updates will not render their machines unusable, which leaves them exposed in the meantime to exploits for the very vulnerabilities the updates fix.
Contrary to popular belief, users do not have to visit the shady parts of the internet to get infected with malware. We have seen a dramatic increase in malicious advertising (malvertising) on mainstream sites such as Yahoo, YouTube and the New York Times, where a booby-trapped ad triggers an exploit that downloads banking trojans or even ransomware.
Ransomware is perhaps the worst strain of malware: it encrypts every document on a computer, or even across an entire network, and holds those files to ransom. Losing the family photos is devastating for a home user; for a business the impact can be severe and lasting.
Exploit attacks will keep increasing, because criminals know they are an easy way into a business's IT systems: human error is not part of the equation.
There are many ways to protect your business against exploits, and therefore against malware. To begin with, keep backups, preferably offsite or in the cloud, and make sure at least one copy is not reachable from the machines it protects: ransomware that can see a mapped backup drive will encrypt it along with everything else. When disaster does strike, backups are lifesavers.
You also need to apply security updates promptly to the systems that can be updated. Legacy applications that cannot be patched need to be shielded so that attackers cannot reach their known vulnerabilities: ideally they should live on their own network segment, with access limited to the users and services that genuinely need them and no direct route to the internet.
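As an added illustration of what "their own network, contained there" looks like in practice (example configuration written for this page, not the author's or Malwarebytes' code), here is an nftables ruleset for a Linux gateway that sits between a legacy segment and the rest of the company network. Every address, interface name and port number in it is an assumption chosen for the illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the article: an nftables policy for the gateway
# that fronts a dedicated segment holding an un-patchable legacy Java app.
# Every address, interface name and port below is a hypothetical assumption:
#   eth1          gateway interface facing the legacy VLAN 10.20.0.0/24
#   10.20.0.10    the legacy application server, listening on TCP 8443
#   10.10.0.0/24  the one business VLAN whose users need the application
#   10.0.0.5      the admin jump host (SSH and RDP into the segment)
#   10.0.0.2      the internal DNS and NTP server
# Traffic is dropped by default in both directions, and the segment gets no
# route to the internet at all, so if the vulnerable runtime on that host is
# exploited it can neither fetch a second-stage payload nor call home.

flush ruleset

table inet legacy_segment {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already allowed below.
        ct state established,related accept
        ct state invalid drop

        # Into the segment: only the business VLAN, only the application port.
        oifname "eth1" ip saddr 10.10.0.0/24 ip daddr 10.20.0.10 tcp dport 8443 ct state new accept

        # Into the segment: administration only from the jump host.
        oifname "eth1" ip saddr 10.0.0.5 ip daddr 10.20.0.10 tcp dport { 22, 3389 } ct state new accept

        # Out of the segment: name resolution and time from the internal server only.
        iifname "eth1" ip saddr 10.20.0.0/24 ip daddr 10.0.0.2 udp dport { 53, 123 } accept
        iifname "eth1" ip saddr 10.20.0.0/24 ip daddr 10.0.0.2 tcp dport 53 accept

        # Everything else is dropped by the chain policy. Log it first (rate
        # limited so a scan cannot flood the log): a hit on the egress rule
        # means something inside the segment tried to reach out, which for a
        # host that is never supposed to talk to the internet is a strong
        # compromise signal worth an alert.
        iifname "eth1" limit rate 10/minute log prefix "legacy-egress-drop: " level warn
        oifname "eth1" limit rate 10/minute log prefix "legacy-ingress-drop: " level warn
    }
}
```

Load it with `nft -f` and check the result with `nft list ruleset`. Note what is deliberately absent: there is no rule letting the legacy host reach the internet, so any updates it can still take have to come from an internal mirror you add explicitly, and the gateway's own management traffic (its input chain) is out of scope here. The two log lines are the detection hook: ship them to your SIEM and alert on the egress prefix.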
In addition, all internet-facing applications benefit from exploit mitigation technology. This matters because even fully patched systems can be exploited when criminals use a vulnerability for which no patch exists yet.
That scenario is called a zero-day, and unfortunately zero-days are becoming more common.
The takeaway: block exploits before they get onto your PC, rather than cleaning up the system afterwards, by which time it is too late.
About the Author
Jérôme Segura is senior security researcher at Malwarebytes, where his duties involve collecting zero-hour malware samples, analyzing web exploits and writing about online threats. He has always had a particular interest in web threats, having designed and built automated systems (honeypots) to collect malicious payloads served by drive-by downloads. He is also knowledgeable about Linux malware and has cleaned more WordPress and Joomla! websites than he can remember.