Wiper Worms: How To Avoid A Technology Wipeout

Malware development has reached a new threat level with the emergence of destructive ‘wiper’ worms, such as that used in the attack against Sony Pictures. Keith Bird, UK MD for Check Point, explains how firms can defend themselves

Twenty years ago Stephen Hawking, the leading physicist and author, said that computer viruses should be treated as a life form because they exploit the metabolism of the host computers they infect and become parasites.

The intervening decades have highlighted the truth in his statement, with malware infections growing exponentially. And like other forms of life, viruses have evolved. In 2013 we saw the emergence of ransomware, which criminals used to extort businesses by holding their data hostage and demanding payment for its release.

Most destructive

The next stage in that evolution has arrived with the recent attack against Sony Pictures Entertainment, which has been described as one of the most destructive yet seen against a company, taking much of the company’s network offline for a week. The attack used ‘wiper’ malware which overwrites the drives of PCs, rendering them inoperable. It’s costly to fix because each affected PC’s drive has to be replaced or rebuilt, as well as making it near-impossible to recover the overwritten data using standard forensic methods.

The scale and purpose of the attack led to the FBI issuing a flash alert, warning other organisations about the potential threat – especially as the specific malware used was not detectable by conventional antivirus software. It is this last point that is particularly critical: businesses cannot easily protect themselves against threats that their defences cannot ‘see.’

Unseen, unknown

The problem is that new, unknown malware continues to be released at a rapid pace. It’s relatively easy for criminals to make small adjustments to malware code, enabling it to bypass current antivirus signature detection, which in turn leaves businesses vulnerable. Check Point’s 2014 Security Report, which analysed millions of security events from over 10,000 organisations worldwide, found that on average, a business has new, unknown malware inadvertently downloaded to its network every 27 minutes. That’s nearly 50 unknown malware infections every day.

So what can businesses do to protect themselves against unknown, destructive malware? As a first step, it’s important that organisations implement basic security best practices recommended to protect computers from any type of infection:

Ensure anti-virus software is updated with the latest signatures
Ensure operating system and application software patches are up to date
Install a two-way firewall on every user’s PC
Educate users about social engineering techniques, especially involving unknown attachments arriving in unsolicited emails

Even if malware is able to evade detection by anti-virus software, some of its actions may be inhibited or blocked by the PC firewall or latest software or OS patches. However, these best-practice measures do not offer complete protection against new, emerging attacks. It’s all too easy for even a security-aware employee to inadvertently click on an email attachment, triggering an infection.

The sandbox trap

To defend against new, unknown exploits, a security technique called threat emulation, or sandboxing, makes it possible to identify and isolate unknown malware before it can enter the network, so that infection does not occur.

Trojan virusEmulation works by making it possible to look inside the common file types that we all use for business – emails, Word documents, PDFs, Excel spreadsheets and so on – to see if those files contain a malicious payload, as this is the most common vector for propagating new malware. The emulation engine can run either on a company’s main security gateway at the edge of the network, or in the cloud as a service. As files arrive at the gateway or cloud service via email, they are inspected in a virtualised, quarantined area known as a ‘sandbox.’ Here, the file is opened and monitored for any unusual behavior in real time, such as attempts to make abnormal registry changes or network connections. If its behavior is found to be suspicious or malicious, the file it is blocked and quarantined, preventing any possible infection and subsequent damage.

This entire process takes place transparently for the majority of files – so that even in the rare event that a file is inspected and proven ‘clean’, the intended recipient of the file will not notice any pause in email services. Information about detected file activity is then available to the IT team in a detailed threat report.

Threat emulation is a critical layer of protection for organisations against new, destructive malware strains, acting as a barrier that blocks these parasitical life-forms from attacking networks. While we will never be able to truly wipe out these malicious agents, sandboxing can certainly help to stop them wiping companies’ precious data and resources.

How much do you know about tech security? Take our quiz!