Q&A: Zombie malware is the next big cybersecurity risk

By Tim Sandle     Dec 17, 2019 in Technology
There are various forms of malware attack, and the latest to be concerned about is so-called ‘zombie malware’, a type of malware that turns a computer into a remotely controlled ‘slave’ so that attacks can be launched from it.
Zombie malware attacks are compromising large numbers of users and leaving IT security and operations teams at odds as everyone scrambles for a cure. The answer may seem simple: stop the affected software from running. But IT teams use that same software to maintain the machines in their care.
The actual answer? Prevention. Sumir Karayi, CEO of 1E, an endpoint management platform, tells Digital Journal about eliminating the risk of zombie malware attacks and the power of real-time IT when breaches occur.
Digital Journal: How serious are cyberattacks becoming?
Sumir Karayi: Cyberattacks are a serious threat to businesses, costing some $45 billion in losses worldwide last year, not to mention the damage caused by having trade secrets, IP and PII data stolen. This is compounded by the fact that producing malware is ridiculously cheap—anywhere from a few hundred dollars to just $1,000 for ransomware. This low barrier to entry amplifies the threat, allowing malware to proliferate quickly and easily.
With those numbers, it’s easy to see why almost 60% of companies have experienced some form of cyberattack. Small businesses are especially vulnerable, because many don’t have the resources to invest in sophisticated protection.
DJ: What is a zombie malware attack and how does it differ from other forms of cyberattack?
Karayi: Zombie malware is a variation that turns a compromised computer into a “slave” device, using it to perform malicious tasks remotely. For example, a hacker might infect a machine with a malicious zombie script that causes it to distribute additional malware to other machines both inside and outside the network.
LOLBAS are one particular type of variant that can wreak tremendous havoc. These Living Off the Land Binaries and Scripts can take control of “good” software, such as PowerShell, Command Prompt, or Remote Desktop Protocol (RDP) to perform malicious tasks. Nodersok/Divergent is one recent example that used a multi-stage process that leveraged PowerShell to disable Windows Defender and Windows Update and elevate the malware’s permissions to SYSTEM level. Once in, the hackers could use this privilege and access to perform insidious tasks or deploy secondary malware. This obviously had disastrous consequences for thousands of machines around the world.
There are two serious problems with LOLBAS and Zombie variants that make them so dangerous:
They commandeer otherwise beneficial tools that are critical for IT admin and maintenance. IT relies on tools like PowerShell, Command Prompt and RDP to perform necessary tasks and customizations. This creates a massive attack surface because these are so widely used. Hackers know this, and therein lies their advantage: they can count on these tools being readily available for hijacking.
They can sit quietly on a machine to do things slowly and methodically without detection. Zombie malware is a bit like a cold or flu virus compared to something like Ebola. Where Ebola is extremely virulent and lethal, its victims are quickly quarantined and isolated to halt propagation. This is what happened with WannaCry or NotPetya—it was so obvious and destructive, companies were able to stop it relatively quickly. But the common cold or influenza are less aggressive up front, people walk around infected with them and they are easily spread to far more people as a result. This stealth is exactly how Zombie and LOLBAS are able to propagate.
DJ: Where are these attacks originating from?
Karayi: The biggest culprits are cybercriminals, which operate with the same structures and business models as legitimate companies. They write malware, offer it for sale on the dark web and can do it with such speed and scale that they become prolific and highly profitable.
There are nation-state actors as well, in the form of government funded cyber espionage from places like China, North Korea and Russia. But these are mostly highly targeted operations aimed at specific political or economic targets.
DJ: What can businesses do to protect themselves?
Karayi: The obvious answer is to disable PowerShell, Command Prompt and RDP to eliminate that threat surface. However, this blanket approach isn’t feasible because it renders IT unable to do their jobs.
It takes a two-pronged approach. First, IT must assess what types of admin tools are running on each machine. PowerShell is the primary LOLBAS of choice, but JavaScript and RDP are also prime targets. Do these need to be running at all times? Absolutely not; they’re only necessary when official IT business needs to be conducted on the machine. Otherwise, they should be disabled.
However, that’s not very practical when you’re managing thousands or tens of thousands of machines. This calls for the second prong: you need a real-time solution, one that can automatically enable a particular admin tool, run the intended script, and then immediately disable the tool to put the machine back into a protected state.
DJ: Are there specialist services that can help?
Karayi: Most conventional antivirus tools are completely ineffective against LOLBAS and zombie malware because they operate based on signatures—they are trained to recognize known malware based on its unique signature. However, PowerShell, RDP, etc. are legitimate tools, so they would never be detected by A/V because they contain no malicious signature.
The only solution that can help is one that can automate enabling/disabling of these tools. 1E’s Tachyon endpoint management solution is uniquely capable of performing this service. IT admins can queue up a script to run on one or multiple machines, and Tachyon can automatically enable PowerShell, run the script and disable PowerShell. This keeps the window of opportunity extremely tight for hackers to infiltrate.
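The two-pronged approach Karayi describes above (first inventory which admin tools are live on a machine, then open a tool only for the duration of a sanctioned task and close it again) can be illustrated with the following added example. It is not 1E or Tachyon code; it uses RDP as the tool, assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later with the NetSecurity and DISM modules available, and the `Start-Sleep` task is a placeholder for a real job.

```powershell
# Added example (not 1E/Tachyon code). Assumes an elevated PowerShell session
# on Windows 10 / Server 2016+; the registry key below is the standard RDP switch.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-AdminToolInventory {
    # First prong: record which remotely abusable admin tools are live on this host.
    [pscustomobject]@{
        RdpEnabled      = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
        RdpFirewallOpen = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True')
        PowerShellV2    = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State
        ExecutionPolicy = Get-ExecutionPolicy -Scope LocalMachine
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
    }
}

function Invoke-WithTemporaryRdp {
    # Second prong: enable the tool only for one sanctioned task, then put the
    # machine back into its protected state even if the task throws.
    param([Parameter(Mandatory)][scriptblock]$Task)
    $previous = (Get-ItemProperty -Path $RdpKey -Name fDenyTSConnections).fDenyTSConnections
    try {
        Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value 0
        Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
        Write-Verbose "RDP enabled at $(Get-Date -Format o)"
        & $Task
    }
    finally {
        # Restore exactly the prior state; 1 means "deny connections".
        Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value $previous
        if ($previous -ne 0) { Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' }
        Write-Verbose "RDP state restored ($previous) at $(Get-Date -Format o)"
    }
}

# Usage: inventory before, run the sanctioned job with RDP open, inventory after.
Get-AdminToolInventory
Invoke-WithTemporaryRdp -Task { Start-Sleep -Seconds 5 } -Verbose   # placeholder task
Get-AdminToolInventory
```

The before/after inventory objects are what a management platform would compare to confirm the host left the protected state only for the length of the task.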
DJ: How about the general public, can they do anything to avoid this form of malware?
Karayi: First, you should know that individuals are not typically the target of malware—businesses are much more lucrative targets—and, because they’re almost always connected to the internet, personal users get updates and patches directly. That means they’re typically much better protected than corporations, who have to test patches before they can be deployed, and many are woefully behind in getting that done.
The single biggest thing the general public can do is to let their machines do the work: enable the automatic updates and patching for OS and anti-malware software that are pushed out by manufacturers. Even though conventional anti-malware can’t protect against zombie malware and LOLBAS attacks, this approach can do two things:
It ensures your machine is up to date with the latest OS patches and anti-malware updates, which means you have the manufacturer’s most current protection available and this lowers your threat surface.
It allows the OS and A/V manufacturers to examine your machine’s behavioral data and incorporate this analysis into their protection. When they can learn what normal behavior looks like, they can discern this from abnormal/potentially malicious behavior. This allows their tools to get smarter and able to stop more attacks before they do serious damage.