Law enforcement and the information security industry often work together to disrupt and stop the latest malware. The malware is typically detected, sandboxed, reverse engineered and ultimately stopped by triggering a kill switch (if one exists), by seizing the servers used for its command and control (C&C), or both. Once the C&C domains are under the defenders' control, traffic from infected computers can be sinkholed instead of reaching the operators.
Yet some older malware families continue to impact business today, often exploiting old vulnerabilities and spreading via phishing emails, infected USB drives, suspect email attachments and compromised web pages. For example, in a recent Check Point report, the Conficker worm and the Zeus Trojan, both over five years old, featured among the top ten most common malware globally.
Why does old malware continue to prevail? Experts believe it comes down to irregular patching, weak and out-of-date AV and legacy systems that can’t be protected or upgraded. (MRI scanners and proprietary hospital equipment are prime examples.)
Often these older malware families are repackaged, repurposed and then made available for sale on the dark web. “Core components of older malware are still in use today. Malware authors salvage sections of code and make use of them in 'modern' or recently launched campaigns,” said Richard De Vere, director at The Antisocial Engineer. “It's more a case of if it works then don't change it.”
What do CISOs think?
“All of this makes it hard for CISOs and their SOC teams,” explains Christian Toon, CISO at legal firm Pinsent Masons. “The speed with which old types change to avoid traditional signature-based detection is challenging, and normally quicker than enterprises react.”
This comes down to patch management and AV, but also “situational awareness.” The malware evolution, he says, is “beyond the realms of traditional IT folk,” who are under-resourced and too time pressured to truly mitigate these threats. “Less mature organizations just don't have capacity to deal with the history or understand the malware ecosystem. They just fix the immediate problem and move on.”
Geordie Stewart, principal consultant at Risk Intelligence and a consulting CISO, adds, “Historical malware remains a big problem for many organizations. Many are still carrying far too much security debt with high-risk, out-of-support operating systems which are perpetually ‘about to be upgraded’. The upgrade date often keeps moving back due to complexity. It can be difficult to discover all the dependencies which need to be addressed before a system can be retired or migrated.”
“The way that we often run projects can make this worse,” Stewart continues. “Typically, the organization sets up projects which are scoped around an application. It’s then difficult to understand the extent of integrations at a platform level, since the knowledge exists in the organization as the sum of all the application projects. We’re much better off implementing security controls for the legacy systems we have and taking all talk of imminent replacement with a large pinch of salt. This means segmenting high risk devices into limited network connectivity, avoiding the use of internet access from these systems and using white-listing if possible to control the code that can run on them.”
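The controls Stewart lists (limited connectivity for high-risk devices, no internet access from them, and an allow-list for the code they run) can be expressed as data and checked before they are pushed to a firewall or endpoint agent. The following is an added example written for this article, not code from the article, from Stewart or from any product. It models a hypothetical legacy VLAN (10.40.0.0/24) whose devices may reach only an internal PACS server, an internal patch server and an internal resolver; every address, port, VLAN and binary in it is constructed for illustration. It evaluates flows against the policy first-match, lints the policy for any accept rule that would grant egress outside private address space, and applies a default-deny, hash-keyed execution check.

```python
"""Policy checks for a segmented legacy-device network (added example, constructed data)."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 space: anything outside it counts as "the internet" for the egress lint.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp" or "udp"
    dport: Optional[int]  # None matches any destination port
    action: str          # "accept" or "drop"


# Constructed policy for a hypothetical legacy VLAN: only the integrations the
# devices actually need, then an explicit drop of everything else.
LEGACY_POLICY: List[Rule] = [
    Rule("10.40.0.0/24", "10.0.50.10/32", "tcp", 104, "accept"),   # DICOM to internal PACS
    Rule("10.40.0.0/24", "10.0.50.20/32", "tcp", 8530, "accept"),  # internal patch server
    Rule("10.40.0.0/24", "10.0.50.30/32", "udp", 53, "accept"),    # internal resolver only
    Rule("10.40.0.0/24", "0.0.0.0/0", "tcp", None, "drop"),
    Rule("10.40.0.0/24", "0.0.0.0/0", "udp", None, "drop"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation of a flow; anything no rule matches is dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and proto == r.proto and (r.dport is None or r.dport == dport)):
            return r.action
    return "drop"


def internet_egress_rules(policy: List[Rule]) -> List[Rule]:
    """Return accept rules whose destination is not wholly inside private space.

    A clean legacy-segment policy returns an empty list; any rule returned here
    gives the devices a path to the internet and should be removed or narrowed.
    """
    offenders = []
    for r in policy:
        if r.action != "accept":
            continue
        dst = ipaddress.ip_network(r.dst)
        if not any(dst.subnet_of(p) for p in PRIVATE_NETS):
            offenders.append(r)
    return offenders


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the one binary approved to run on the device. In
# practice the allow-list is built from a known-good image of the system.
APPROVED_BINARY = b"MZ\x90\x00 constructed approved scanner control software"
ALLOWED_HASHES = {sha256_hex(APPROVED_BINARY)}


def may_execute(image: bytes) -> bool:
    """Default-deny execution control keyed on file content, not on path or name."""
    return sha256_hex(image) in ALLOWED_HASHES


if __name__ == "__main__":
    print(evaluate(LEGACY_POLICY, "10.40.0.7", "10.0.50.10", "tcp", 104))  # accept
    print(evaluate(LEGACY_POLICY, "10.40.0.7", "8.8.8.8", "udp", 53))      # drop
    print(internet_egress_rules(LEGACY_POLICY))                             # []
    print(may_execute(APPROVED_BINARY), may_execute(b"unknown dropper"))    # True False
```

The egress lint is the check worth running on every change: a single "accept to 0.0.0.0/0 on 443" added for convenience gives a device whose OS can no longer be patched a route to a C&C server, and the lint catches it before the rule reaches the firewall.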