This week LucidView identified an increase in a malware type not often seen. This malware is much smarter and much more difficult for cybersecurity staff to identify and remedy.
Its effects can mirror those of a typical DDoS attack, but unlike most DDoS attacks, where the source is outside the network, in this instance the attack comes from infected hosts inside the network.
This malware is smart: it constantly changes the domain it uses to “phone home”, making it very difficult for security staff to pin down the offending IP address or domain and block or sinkhole it.
The malware uses a Domain Generation Algorithm (DGA) to generate millions of candidate domain names and issues DNS requests for them. The Command and Control server (the malware's “home”) runs the same algorithm, produces the same sequence of domains and, at random, registers a few of them. Those registered domains resolve normally, so the target's DNS servers and firewall accept the traffic and the malware can dial home, effectively putting the attacker inside the compromised network. Because both the IP address of the Command and Control server and the domain used to “phone home” can change at any time, network engineers cannot block this malware's traffic by address or name, and so cannot cut off the attacker's access to the network.
However, with the help of LucidView, there are steps that can be taken to mitigate the risk of this sophisticated malware:
- The first layer of defence provided by LucidView is visibility. Visibility is critical to spotting deviant traffic. Additionally, any interesting and persistent connection to or from the network is flagged and thus becomes available for analysis through the LucidView Portal.
- The second layer of defence is sophisticated Content Filtering. Using the LucidView Content Filter all suspicious connections are flagged and blocked in the LucidView Cloud before they can propagate and create further havoc.
- And lastly, with the visibility offered by the LucidView Solution, it is possible to identify infected hosts on the network and remove and quarantine them until such time as the malware can be removed.
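To show what “visibility” and “flagging deviant connections” mean in practice for the DGA behaviour described above, here is an added example (not LucidView's code, and not part of the original post) that profiles resolver log lines per client host. It assumes a constructed four-field log format (timestamp, client IP, queried name, response code) and flags hosts that query many distinct, random-looking registered domains with a high NXDOMAIN ratio, the signature a DGA leaves when most of its generated names are unregistered.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): timestamp, client, queried name, rcode.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-05-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-05-01T10:00:03 10.0.0.9 kq3xz9vplw7r.com NXDOMAIN
2024-05-01T10:00:03 10.0.0.9 m8tq2yvbxd1h.net NXDOMAIN
2024-05-01T10:00:04 10.0.0.9 zr7pk4wqx0cj.com NXDOMAIN
2024-05-01T10:00:04 10.0.0.9 b6vn1hgtxq8y.org NXDOMAIN
2024-05-01T10:00:05 10.0.0.9 wx92qklrz3vm.com NXDOMAIN
2024-05-01T10:00:05 10.0.0.9 d4hpzx7tqk1n.net NOERROR
2024-05-01T10:00:06 10.0.0.5 cdn.example.com NOERROR
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random-looking labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def registered_domain(name: str) -> str:
    # Simplifying assumption: the last two labels are the registrable domain (ignores e.g. co.uk).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def profile_hosts(log_text: str) -> dict:
    """Per-client counters: total queries, NXDOMAIN answers, distinct registered domains, label entropies."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": set(), "entropies": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _, client, qname, rcode = parts
        rd = registered_domain(qname)
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["domains"].add(rd)
        s["entropies"].append(shannon_entropy(rd.split(".")[0]))
    return stats

def dga_suspects(log_text: str, min_domains=5, min_nx_ratio=0.5, min_entropy=3.0) -> list:
    """Hosts whose query pattern matches DGA behaviour; candidates for quarantine and cleanup."""
    suspects = []
    for client, s in profile_hosts(log_text).items():
        nx_ratio = s["nxdomain"] / s["queries"]
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        if len(s["domains"]) >= min_domains and nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            suspects.append(client)
    return sorted(suspects)
```

Thresholds are starting points to tune against a baseline of the network's normal resolver traffic; a CDN-heavy client can show a few high-entropy names but will not combine that with a sustained NXDOMAIN ratio.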
In summary, this new sophisticated malware will not be picked up by anti-virus software, and it will behave much like a DDoS attack, although the objective could be ransomware or other malware planted for nefarious reasons. The fundamental difference between this malware and other DDoS attacks is that the attack comes from inside the network rather than from the outside. There are, thus, limited steps that can be taken to mitigate this malware.
However, a strategy based on complete visibility of all in and out connections, the flagging of any deviant connections and a robust Content Filter that blocks suspicious connections should provide security personnel with the ability to identify infected hosts and quarantine them before they can impact the entire network. These hosts can be reintroduced to the network once the malware has been removed and when they no longer pose a threat.