Cybercrime

EXPERT ADVICE

Containing the Zombie Malware Outbreak

Malware has been turning computers into what security pros calls “zombies” since the turn of the century. Ever since, the security industry has struggled to keep pace with new malware variants to keep the threats in check. An approach called “containerization” adds a promising new way to control the zombie outbreak once and for all.

Just as zombies in pop culture suck the brain power from their victims, certain malware can turn your PC into its own oblivious slave. It creates a zombie-like machine running in the background without you even knowing, enabling cyberattackers to tap the power of your computer to spread spam, viruses and spyware across the globe.

Your computer could be operating as part of a botnet, sending out email spam, stealing confidential information, or furthering the spread of malware at this very moment.

Computers can become zombies in many ways, but the most common technique is through a Trojan virus installed via malicious email attachments or drive-by downloads from infected websites.

For instance, after you download and open a seemingly innocent email attachment, the Trojan runs quietly in the background and allows the attacker full access to everything on your computer. When antimalware technology isn’t used to protect against unknown threats — or if it is not continuously updated — users are at risk of a zombie takeover.

Consequently, the best new way to stem zombie infections both online and offline is with a four-layer approach.

Layer 1: Filters and Firewalls

Given that roughly 80 percent of corporate infections originate from email attachments and webpage links in emails, start with an email filter to begin setting up your preperimeter defenses.

Make sure to automate hardware and software maintenance to keep virus pattern files updated in real time. Reinforce your spam filter with a content/Web-page filter that disallows access to known infected pages. A cloud-based approach will make this automation much easier.

With your preperimeter defensive layers in place, use a properly configured firewall or unified threat management (UTM) tool at the network perimeter. Set firewall rules to deny any unsolicited traffic either inbound or outbound.

UTMs, with an antivirus gateway feature, also will help to identify any infected attachments that your antispam filter may miss. Optionally, add an intrusion detection system (IDS) or network intrusion detection system (NIDS) with deep packet inspection (DPI) and a network access control system (NACS).

Layer 2: Internal Defenses

Next focus on your internal defenses. Standard antivirus tools have a role to play in desktop defense, but they are not enough anymore. These defenses are key to preventing malware because the zombie battle is won or lost on the desktop. It is the place where the infected attachment is opened, the link to an infected Web page is clicked, and where the infected USB stick is inserted.

Your desktop’s arsenal in the zombie war should include an antivirus tool to weed out the known bad (blacklisted) files, and it should include a whitelist component to identify known good files and not inhibit their operation.

While whitelisting employs a default-deny approach to containing files, it’s not 100 percent effective either. The whitelist’s inherent limitations make it difficult to keep up with new, legitimate applications and updates.

Layer 3: Automatic Containment

This is where automatic containment comes into play. It is the third and most critical weapon in the arsenal because it isolates and contains any other files, the ones that are neither known good nor known bad. These are the zombies in disguise.

Containerization changes the default method of handling unknown files. Instead of always allowing them into an endpoint (default-allow), it automatically isolates them in a virtualized environment on your computer where they can be safely run, analyzed and classified as good or bad.

Containerization is a security mechanism for isolating a running program, such as an unknown file, in a tightly controlled environment. Like whitelisting, a container employs a default-deny strategy to restrict access of all unknown applications to important files, folders and settings.

Containing a program prevents malware from installing any botnets or other zombie utilities on your system. If the program turns out to be malicious, no harm is done. While blacklists cannot protect against these new zombie threats because they haven’t yet been identified, a container can. If an exploit downloads malicious software while in a sandbox, it will be isolated and unable to spread.

Unlike traditional whitelist solutions, a container’s default-deny approach refuses all zombie-containing files permission to install or execute outside of its virtual container, except when specifically allowed by the user, or when the file is identified to contain binaries that are known to be safe, such as signed code.

Layer 4: Data Backup

Your final layer of defense is your critical data backup system. If the zombies do get through, you can always fall back on the Nuke All button and rebuild from scratch. (But who really wants to do this?)

Preventing your computers from becoming part of the walking dead of botnets, spreading spam, malware and other havoc, requires a new four-layer approach to containment.

Combining traditional antivirus tools, whitelists and backup with new containerization techniques for unknown file security will enable users to access and work with the files as they execute within the container’s virtual environment. The result is complete protection without the loss of time, money or productivity.

Michl Bechard is director of service provider technologies at Comodo, a developer of cybersecurity solutions. Contact him at [email protected] .

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by
More in Cybercrime

E-Commerce Times Channels