A cyber Christmas carol: The ghosts of malware past, present and future


Bogdan Botezatu, senior e-threat analyst at Bitdefender, takes a look at past and present cyber threats.

Christmas has traditionally been a time of reflection as well as festivities. It offers a convenient opportunity to evaluate the events of the previous 12 months, and plan for those ahead. Perhaps this is why ‘A Christmas Carol’, the novella by Charles Dickens, has remained enduringly popular for over 150 years.

For those unfamiliar with the tale, it is focused on the character of Ebenezer Scrooge, an old miser who is visited on Christmas Eve by three ghosts: Christmas Past, Present and Yet to Come. The new perspective that Scrooge gains during these visits causes a complete change in his behaviour, and in the way he is perceived by society. Given the longstanding benefits of this period of reflection, it is something that I would urge those responsible for the cybersecurity of their business to also undertake.

From a security perspective, there is plenty that we can learn from evaluating past and current malware strains and breaches (and how they are likely to develop), that can influence our planning for the year ahead. This is because, much like ghosts, vulnerabilities in our business’ cybersecurity have a habit of coming back to haunt us if they are left unaddressed.

So, without further ado, let’s get ready for the visit of our first ghost:

‘The ghost of malware past’

The ghost of malware past is also known as Mirai. Under this alias, Mirai was responsible for some of the largest distributed denial-of-service attacks of 2016. The most infamous attack targeted DNS provider Dyn, and resulted in a large swathe of major internet platforms being taken offline for an extended period of time.

As a DDoS tool, Mirai worked by enslaving simple IoT devices through logging into them and infecting them with malware. Doing this allowed the devices to be controlled externally as part of a ‘botnet’, which could then be used to target websites and platforms. This would also cause problems for the owner of the device – not only would performance become sluggish, but it would also provide an entry point for hackers to target more sophisticated devices, such as laptops and smartphones, that were connected to the same network.

Whilst Mirai was originally discovered in 2016, its descendants continue to affect us today. So, what can we learn from previous DDoS attacks in order to protect ourselves? Significantly, Mirai works by targeting devices that still use the default factory usernames and passwords.

The first step towards protecting our IoT devices, therefore, is to make sure that default login settings are changed immediately. Ideally, IoT devices should also be connected to a separate network, in order to reduce the risk of them being exploited as an entry point to devices containing more sensitive data.

‘The ghost of malware present’

Following Mirai’s visit, it is now time for our second ghost to arrive – the ghost of malware present. This particular ghost uses a host of aliases depending upon when it has been observed and by whom, but most commonly it is known as ‘GoldenEye’ or ‘NotPetya’.

NotPetya also has roots in the past, coming from a long line of ransomware that works by encrypting data stored on endpoint devices, and charging a ransom for its safe return. However, this year’s NotPetya is a particularly nasty form of ransomware, because it is based on an exploit called EternalBlue, which is thought to have been created by the US National Security Agency.

Through using this exploit, Petya can spread particularly quickly. And often, even when a ransom has been paid, it does not return the data it has encrypted. The good news is that a patch to protect against Petya has been developed for Windows operating systems, so installing this is the first step to avoiding attacks.

However, because new strains of ransomware are constantly evolving, effective defence against them must go further. For real peace of mind, a best-in-class cybersecurity solution that recognises and blocks ransomware strains, as well as backing up encrypted copies of data to an external location, is also required.

‘The ghost of malware yet to come’

With these solutions in place, it is time for the arrival of our final ghost, known as ‘Yet to Come’ or ‘Zero Day’. Nobody is quite sure what Zero Day looks like, because it tends to turn up unannounced, and often when you least expect it, causing absolute carnage in the process. And once Zero Day has made itself at home in your software, it can be very difficult to force it to leave.

Whilst Zero Day always varies depending on the timing of its arrival, very often it leaves clues as to its suspicious nature and bad intentions when it turns up at the network threshold. As security experts, we are faced with the challenge of predicting the particular entry point that Zero Day will try to visit, and given the vast number of these, it is a task that we cannot face alone. To stop Zero Day as it continues to develop, we will need to enlist some help from machine learning and AI robots to spot malware’s many guises, and stop it compromising our business.

So, have the three ghosts left you with a new perspective on how your business can effectively approach cybersecurity? If so, your company should be in for many happy and healthy years to come.