When many people think of cyberthreats, they think of viruses. A virus is an executable file that spreads within a machine. One virus could infect multiple files or programs, and do such things as delete data or modify sensitive information on a machine. Some viruses are harmless, but it’s never worth the risk of leaving one be.
While viruses spread between files on a computer, worms spread to other machines on a network. These can take down networks, or at least create enough bottlenecks to hamper productivity. Worms can be lethal—the 2003 SQL Slammer worm infected tens of thousands of servers in minutes. In short, if you find a worm, make sure to quarantine the file and fix it before it takes your customers’ networks down.
You may be familiar with the ancient Greek story of the Iliad, by Homer. In the story, the Greeks fight the Trojans in a long siege. At the end of the story, Odysseus creates a horse statue as a surrender gift to the Trojans. However, hidden within is a group of Greek soldiers who escape the statue at night and destroy the city from within. Trojans are named after Odysseus’s invention. They refer to files other than executables that run malicious processes. Typically, they come in the form of something positive, such as an audio file that you’ve requested or a document you downloaded. The point is that these disguised files appear benign, but have malicious intent.
Spyware captures information about a machine and transmits it to another source. Spyware can record almost anything done on a computer, from accessed files to visited websites. One form of spyware includes keyloggers, which record everything typed by the victim. This could easily lead to stolen passwords, bank account information, or health data.
Rootkits are the “root canals” of malware—you run into one and you’re going to feel a lot of pain. Rootkits attempt to modify the operating system directly and build a backdoor into the system. They’re hard to discover and, if done correctly, VERY hard to remove.
Over the past few years, we’ve seen a major rise in the number of ransomware attacks. While spyware and several other forms of malware attempt to steal data and resell it, ransomware locks the computer or data and demands a payment to release the machine. Ransomware can often be dealt with by restoring data or the system to a safer state from a backup.
Cryptomining is an activity where computers attempt to generate new cryptocurrencies like Bitcoin, Ethereum, or Monero. Generating cryptocurrency requires significant processing power, and many criminals place cryptomining malware on computers to steal processing power for the job. However, just because they only steal processing power doesn’t mean you can ignore them—they could just as easily install other more nefarious malware if they want.
Fileless malware
Fileless malware uses legitimate processes or systems within a machine to destroy it from within. These attacks typically run in memory and slip past traditional antivirus and antimalware. A fileless attack may create a new user account with admin rights to establish a foothold in the system, then delete or modify local logs to make the attack harder to detect.
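A defender's view of the foothold behaviour described above, as an added example that is not part of the original article: it correlates Windows Security events 4720 (account created), 4732 (member added to a local group) and 1102 (audit log cleared) per host. The event records are constructed and already normalized; the field names, host names and one-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs: 4720 = user account created,
# 4732 = member added to a security-enabled local group, 1102 = audit log cleared.
CREATED, GROUP_ADD, LOG_CLEARED = 4720, 4732, 1102
WINDOW = timedelta(hours=1)  # assumed correlation window

def ev(host, time, event_id, account=None, group=None):
    return {"host": host, "time": time, "id": event_id, "account": account, "group": group}

# Constructed sample events, already normalized (field names are assumptions).
SAMPLE_EVENTS = [
    ev("ws-01", "2024-05-01T10:00:00", CREATED, "svc_backup2"),
    ev("ws-01", "2024-05-01T10:02:00", GROUP_ADD, "svc_backup2", "Administrators"),
    ev("ws-01", "2024-05-01T10:05:00", LOG_CLEARED),
    ev("ws-02", "2024-05-01T09:00:00", CREATED, "jdoe"),
    ev("ws-02", "2024-05-01T09:10:00", GROUP_ADD, "jdoe", "Remote Desktop Users"),
    ev("ws-03", "2024-05-01T08:00:00", GROUP_ADD, "alice", "Administrators"),
    ev("ws-03", "2024-05-01T12:00:00", LOG_CLEARED),
]

def find_footholds(events, window=WINDOW):
    """Flag accounts created and made local admin on one host within `window`;
    mark the alert if that host's audit log is cleared within `window` afterwards."""
    created, alerts = {}, []
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort in time order
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e["account"])
        if e["id"] == CREATED:
            created[key] = t
        elif e["id"] == GROUP_ADD and e["group"] == "Administrators":
            born = created.get(key)
            if born is not None and t - born <= window:
                alerts.append({"host": e["host"], "account": e["account"],
                               "promoted_at": t, "log_cleared": False})
        elif e["id"] == LOG_CLEARED:
            for a in alerts:
                if a["host"] == e["host"] and t - a["promoted_at"] <= window:
                    a["log_cleared"] = True
    return alerts

if __name__ == "__main__":
    for alert in find_footholds(SAMPLE_EVENTS):
        print(alert)
```

In real 4732 events the added member is recorded as a SID, so a production rule has to resolve it to the account named in the 4720 event before correlating.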
Malware: betcha’ don’t have just one!
Understanding the basic attack types can help. But the most successful attacks combine multiple types into a sophisticated attack. Let’s say a hacker is determined to turn a profit off one of your customers (or just ruin their lives). The hacker sends an email containing a malicious file. The user downloads it, and the file both establishes a foothold on the machine and installs a keylogger, stealing personal financial data. The attacker sits on the customer’s systems and gathers passwords or sensitive company data. One day, after stealing enough data, they decide to download ransomware to your machines. They may have been silent for a while, but now, they’ve disrupted business operations. You could attempt to remove the ransomware infection or reinstall from a backup, but if you don’t catch the other parts of the attack, they can just do it again.
This is an extreme example, but many successful attacks use multiple methods to breach their victims. It’s no longer as simple as quarantining a virus and removing the infected file.
What to do about it
Ultimately, you need multiple layers of security to prevent issues from taking hold. However, one essential tool in your arsenal needs to be endpoint protection like SolarWinds® Endpoint Detection and Response (EDR), powered by SentinelOne. EDR is built to help detect, respond to, and remediate malicious activity on the endpoint, whether malware-based or not. If it detects ransomware, it can spring into action and even roll back the system to a safe state on your behalf. Make sure your customers are covered—get a free demo of SolarWinds EDR, available in SolarWinds RMM, today.
Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.