Anatomy of a malware attack

Workstation infection: what path does a malware attack take? | Stormshield

It can arrive in computer files, emails, USB sticks & cables, and chips of all kinds... but where does the malware that infects devices come from? And where does it hide once the device is infected? How can you protect yourself? We present an educational paper examining the paths taken by malware.

 

How does malware find its way in?

Malware can use various entry points to reach its target and infect computer systems. It’s therefore a question of the exposure of the information system also called the attack surface. The size of this attack surface will open up a range of options for cybercriminals to create their own route, depending on the level of protection of the intended target.

However, some main infection vectors stand out, with messaging services or the software side of the supply chain. Phishing techniques can be more or less elaborate, and aim either to persuade the user to install malware or to steal their credentials in order to gain remote access to their workstation. This can be done in several ways, ranging from a fake website to a “keylogger” hidden behind a corrupted file. Once the credentials have been obtained, cybercriminals will use them to access the information system. Also on a software level, the main application platforms – Play Store, App Store, Google Play Store, etc. – regularly contain infected applications, many of which are unfortunately downloaded by thousands or even millions of people before being removed from the platforms. From contact database siphoning to web browser hijacking, malware in these applications can also be used to steal temporary passwords; for example, when sent by SMS. Quick tip: before downloading an application, remember to check its origin and the identity of its developer. But it’s not always that simple, and the example of the official application for the 2022 Beijing Winter Olympics – intended for athletes and their staff – raises further questions about this issue of trust. In this case, cybersecurity researchers had identified actual security gaps, such as the lack of encryption of transmitted data or the collection of personal data. At the same time, so-called supply-chain cyberattacks are also on the rise, with devastating effects; cybercriminals then directly infect applications in the hope of then infecting the software’s customers, usually via an update. In late 2020, almost 18,000 customers of the SolarWinds company were infected with the Sunburst malware in one such attack.

More complex – and above all more costly – to implement, threats can also appear at a hardware level, with physical media being used as vectors of infection. The most obvious example of this is the infected USB key used in day-to-day life, and also in more sensitive sectors such as industry, and even nowadays delivered to your home loaded with malware... And even less conventional media also exist. Although examples such as an aquarium thermometer in a casino or smart baby monitors are exceptional and seem somewhat removed from everyday business life, others are much closer to home. Fax machines, printers, computer mice, and even USB and Lightning cables, are now regularly identified as potential points of entry into workstations – and therefore into computer networks. And even if you were to physically block off the USB ports on your devices, they would still not be immune to all threats: in early 2022, a rootkit hidden in the SPI Flash chip of a computer motherboard was discovered... a sort of “anticybersecurity-by-design”.

 

When the malware has infected the machine

But identifying that a device has been infected with malware is not easy, as cybercriminals seek to fly under the radar of cybersecurity solutions. While some signs may be telling – such as a slowdown of the operating system, an unusual number of pop-ups or a sudden increase in blue screens – others are more stealthy. And these are identified via evidence of suspicious behaviour on a workstation.

Once malware has been downloaded, where does it reside on the device? First, it installs itself in the temporary user directories. Operating systems contain a multitude of temporary folders, ranging from application data to browser caches. These files, which by default can be written to by users, have an inherently low level of security, which enables malware to use them as a launchpad. The malware’s goal is then to run malicious code, whether in the form of a script or an executable. It is also possible to find traces of malware installation in the Windows registry.

 

How do you get rid of malware?

Here, the adage “prevention is better than cure” takes on its full meaning, to avoid a complete reinstall on the workstation. The best thing of all, then, is to prevent infection: before even thinking about the device, the first target is generally the user. A cybercriminal’s first window of opportunity when attacking a system is the user’s credulity, attempting to divert the user’s attention or exploiting their lack of knowledge in this area. And this concept of basic digital hygiene standards affects individuals at all levels in a company. Pop-up windows, suspicious attachments from unknown users and software installed via unofficial or “torrent” sites are all potential dangers to be avoided. Above and beyond ordinary caution, regular updates to the operating system and browsers provide a basic level of IS protection against malware.

Similarly, technical solutions exist to provide protection against malware. With regard to network data flows, intrusion detection and email filtering solutions are all good practices. They provide some ability to “clean” links and attachments. As for workstations and servers (such as behavioural protection and/or device control), physically blocking off the USB ports of computers is no longer a necessary measure to counter malware that can be transmitted by physical vectors. Endpoint protection (EPP) functions will offer an initial assurance that the most sophisticated attacks are blocked, after which the detection (EDR) functions will provide information for further analysis.

 

But even if the malware does manage to infect a computer, all is not lost. The first thing to do is to disconnect from the Internet once the malware has been spotted, in order to remove it. The next step is to make sure to delete not only the malicious file itself, but also temporary files and persistence mechanisms such as registry keys. For example, the basic antivirus software present on most Windows workstations can quarantine or remove certain malicious programs – provided that they are capable of recognising them... But in some more complex cases, it will be necessary to take measures such as a complete reinstallation of the system. ... In any case, external help will always be useful – from sources such as the cybermalveillance.gouv.fr system in France, which offers online diagnosis and assistance. It is also vitally important to change passwords and update software and operating systems in order to avoid immediate reinfection.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
To address these endpoint protection issues, our teams have developed the Stormshield Endpoint Security (SES) solution. This standalone protection system is capable of dynamically adapting its security operations according to its environment. And at the same time, it analyses access to applications and company resources in response to the location of the workstation.
Suspicious about that attachment you’re about to open in the email you’ve just received? Our Breach Fighter sandbox solution includes a freely accessible malware detection portal. This free Cloud-based sandboxing service lets you check all your files before opening them.

About the author

mm
Sébastien Viou
Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in the cyber-threats.