"What Is.." Series - Understanding Malware

As internet usage becomes more ubiquitous, the types of attacks are becoming increasingly sophisticated.

In the second article in this new series, Steinar Grøtterød, our Director Of Registry Operations And Compliance, answers some of the recurring questions we get about this type of DNS Abuse, which was one of the most prevalent types of attack we saw last year.

Today we take a look at Malware.

What is Malware?

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorised access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy.

Researchers tend to classify malware into one or more subtypes:

  • Computer virus: a type of computer program that, when executed, replicates itself by modifying other computer programs and inserting its own code into those programs
  • Worm: a standalone malware computer program that replicates itself in order to spread to other computers
  • Trojan horse: any malware that misleads users of its true intent
  • Ransomware: a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid
  • Spyware: software with malicious behaviour that aims to gather information about a person or organization and send it to another entity in a way that harms the user, for example by violating their privacy or endangering their device's security
  • Adware: software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process
  • Rogue software: a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer
  • Wiper: a class of malware intended to erase (wipe, hence the name) the hard drive of the computer it infects, maliciously deleting data and programs
  • Keylogger: software that records (logs) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored

Source: Wikipedia

What can we do to reduce risk?

BACKUP & RESTORE

Make regular backups of your most important files

What needs to be backed up will differ for every organization. Once a backup has been made, perform a restore from it, and repeat that restore test regularly to confirm the backup still works as expected.

Store backup offsite

Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment.

Use different backup solutions

Make multiple copies of files using different backup solutions and storage locations. You shouldn't rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.

Restore routines

Ensure that backups are only connected to known clean devices before starting recovery.

Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time, and replicated to backups before being discovered.

Backup accounts and solutions

There have been cases where attackers have destroyed copied files or disrupted recovery processes before conducting ransomware attacks. Ideally, backup accounts and solutions should be protected using Privileged Access Workstations (PAW) and hardware firewalls to enforce IP allow listing. Multi-factor Authentication (MFA) should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups. Privileged Access Management (PAM) solutions remove the need for administrators to directly access high-value backup systems.
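The backup, restore-test and scan-before-restore steps above can be exercised with a small script. The following is an added example, not code from the article or from the registry; it assumes GNU tar, coreutils sha256sum and, optionally, ClamAV's clamscan, and every path in it is hypothetical. It records a SHA-256 manifest of the source tree at backup time, then proves the backup is usable by restoring into a scratch directory, scanning it, and checking every restored file against the manifest.

```shell
#!/bin/sh
# Added example (not from the article): back up a directory, record a SHA-256
# manifest of its contents, and then prove the backup is usable by restoring it
# into a scratch directory and checking every file against the manifest.
# Assumes GNU tar and coreutils sha256sum; the malware scan uses ClamAV's
# clamscan if it is installed. All paths are hypothetical.
set -eu

abs_path() {  # absolute path of a file whose directory already exists
    printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$(basename "$1")"
}

# make_backup SRC_DIR ARCHIVE: writes ARCHIVE plus ARCHIVE.sha256, a manifest
# computed from the live source tree (not from the archive), so a later restore
# is compared against what the data looked like when the backup was taken.
make_backup() {
    src="$1"; archive="$(abs_path "$2")"
    tar -C "$src" -cf "$archive" .
    (cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort) > "$archive.sha256"
}

# scan_clean DIR: the "scan before you restore" step. Fails closed when the
# scanner reports a detection; if no scanner is installed it only warns.
scan_clean() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -r --infected --no-summary "$1" >/dev/null   # exit 1 = infected
    else
        echo "warning: clamscan not found, skipping malware scan" >&2
    fi
}

# verify_restore ARCHIVE: returns 0 only if the archive extracts, scans clean,
# and every file in the manifest is present with the recorded hash.
verify_restore() {
    archive="$(abs_path "$1")"
    scratch="$(mktemp -d)"
    ok=1
    if tar -C "$scratch" -xf "$archive" 2>/dev/null &&
       scan_clean "$scratch" &&
       (cd "$scratch" && sha256sum -c --quiet "$archive.sha256" >/dev/null 2>&1); then
        ok=0
    fi
    rm -rf "$scratch"
    return "$ok"
}

# Example run with hypothetical paths; a scheduled job would call these in turn.
# make_backup /srv/registry-data /backups/registry-$(date +%F).tar
# verify_restore /backups/registry-$(date +%F).tar && echo "restore test passed"
```

The manifest is kept beside the archive but computed independently of it, so the restore test catches a corrupted or tampered archive as well as one that simply fails to extract. In practice the manifest (and ideally the archive) should also be copied to the offline location, so that an attacker who alters the online copy cannot alter the record it is checked against.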

My domain name has been reported for malware, what should I do?

If your domain name has been reported for malware, follow the guidance given by the source of the notice (typically a Reputation Block List provider). Remove the malicious content, or close the compromised account that hosted it, before requesting delisting: a request for a domain that is still serving malware will usually be refused or quickly relisted.

The goal should be to get your domain name removed from the block list. Below, we've provided a selection of links to Reputation Block List providers and how to get your domain delisted.

Other Useful Links

And that wraps up the second article in our "What Is" series.

Next week, we expand on the Malware theme by providing ways to prevent malware from spreading and how to prepare for an incident.

We hope you found it useful, and be sure to check back soon for the next instalment!

"What Is" Series article archive: