8/17/2017
10:00 AM
Marta Janus
Commentary

Kill Switches, Vaccines & Everything in Between

The language can be a bit fuzzy at times, but there are real differences between the various ways of disabling malware.

The concept of malware kill switches hit the mainstream in May, when a now-controversial figure in the cybersecurity community managed to halt the spread of WannaCry by registering a domain contained in the ransomware's propagation payload. However, there is still some confusion about what warrants the term "kill switch" and what doesn't. When talking about self-disabling mechanisms in malware, it's important to first distinguish between actual kill switches and so-called "vaccines."

What Constitutes a True Kill Switch?
A kill switch is designed to stop malware from spreading, remove malware and traces of malicious activity from the system, or shut down the command and control infrastructure. These kill switches might be implemented for many reasons. Most often, they serve as a quick way out for attackers in case things go wrong. In the case of something like an eavesdropping campaign, the attackers may use a kill switch to cease their activities and cover their tracks once they've obtained the information they need. These kill switches are fully intentional and provide a level of protection that benefits the attackers, even if there is a possibility of "white hat" researchers using these mechanisms to disrupt malicious campaigns.

A kill switch might also be intentionally implemented during the testing phase of highly spreadable malware. If the attackers were to spot a premature outbreak, they could stop it before it became broadly noticed while continuing to work on developing the malware. Embedding kill switches inside the malware body is not a common practice and usually occurs in more sophisticated examples.

Vaccines are quite different from kill switches in both implementation and purpose. A vaccine is a technique that prevents a particular malware family from infecting a particular system. It might involve creating a file in a specific location with a specific name and attributes, or creating specific registry keys, values, or system mutexes (programming objects used to share resources between multiple programs). Most malware families check for symptoms of a prior infection (such as files, registry entries, and mutexes) before installing, and will not install themselves on a machine that already appears to be infected with the same malware. If the potential victim knows the specific symptoms of a given infection in advance, they can take measures to "vaccinate" the machine.

We've seen examples of both kill switches and vaccines in recent ransomware attacks. The initial WannaCry samples were equipped with a built-in kill-switch mechanism, while the Petya malware merely checked for its own presence before infecting the system (which is a form of vaccine).

Don't Rely on Discovering a Magic Bullet
Companies should never rely on the existence of a malware-embedded kill switch in case of an outbreak. They should instead take steps to prevent the infection in the first place. Vaccines can be effective against a particular strain of malware but are totally unreliable in the case of polymorphic viruses or frequently updated malware. Moreover, it's physically impossible to apply vaccines for all existing malware to a single machine.
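The self-check that vaccines exploit, and the reason they fail against an updated variant, as an added illustration that is not part of the article. The marker names and the file-based check are constructed stand-ins for the mutex, registry, or file artifacts a real family would look for.

```python
"""
Constructed model of an "infection symptom" check and a vaccine against it.
Marker names below are placeholders, not indicators from any real family.
"""
import os
import tempfile

# Placeholder artifact names; a real value comes from analysing a sample.
MARKER_V1 = "example_family_v1.marker"
MARKER_V2 = "example_family_v2.marker"  # a later build that changed its marker


def already_infected(marker_dir: str, marker: str) -> bool:
    """Presence check of the kind the article attributes to Petya:
    the installer looks for its own artifact before doing anything."""
    return os.path.exists(os.path.join(marker_dir, marker))


def simulated_install(marker_dir: str, marker: str) -> bool:
    """Model of an installer's self-check. Returns True if it would proceed,
    False if it bails out because the marker is already present. The only
    side effect is touching the marker file."""
    if already_infected(marker_dir, marker):
        return False
    open(os.path.join(marker_dir, marker), "a").close()
    return True


def vaccinate(marker_dir: str, marker: str) -> str:
    """Defender-side vaccine: pre-create the artifact so the check fails.
    A real vaccine may also need the exact attributes the sample tests."""
    path = os.path.join(marker_dir, marker)
    open(path, "a").close()
    return path


def demo() -> dict:
    """Runs the scenario in a throwaway directory and reports the outcome.
    The vaccine blocks the variant it targets but not the updated one."""
    with tempfile.TemporaryDirectory() as d:
        vaccinate(d, MARKER_V1)
        v1_proceeds = simulated_install(d, MARKER_V1)  # stopped by the vaccine
        v2_proceeds = simulated_install(d, MARKER_V2)  # different marker: not stopped
        return {"v1_blocked": not v1_proceeds, "v2_blocked": not v2_proceeds}


if __name__ == "__main__":
    print(demo())
```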

To significantly mitigate the risk of an outbreak, businesses should protect their computers using a sophisticated malware-protection platform, available from a number of vendors, and keep all their systems and software fully up to date. Malware commonly uses vulnerabilities in outdated software as an initial infection vector, so businesses can prevent a great percentage of attacks by applying all updates as soon as they are released. A reliable anti-malware solution should be able to detect and remove threats that can bypass a fully updated system.

The Human Factor
Many businesses tend to treat security as an unnecessary burden until the moment they experience severe inconvenience or loss due to malware. Ignorance, lack of diligence, and human error are major vulnerabilities that greatly increase the odds of a devastating malware attack.

Mitigating risk related to human error requires a few simple steps. If implemented daily, these steps could prevent a great portion of security breaches:

  1. Regularly update the operating system and all running software.
  2. Keep regular backups of all sensitive files.
  3. Use anti-malware solutions, firewalls, content scanning, etc.
  4. Be vigilant when dealing with emails and online content (for example, don't open attachments from unknown senders or click on any link sent via Instant Messenger).
  5. Invest in comprehensive security measures and recovery plans, as well as education for employees on the basic cybersecurity do's and don'ts.

Basic best practices are the best defense against cyberattacks, even if some attacks remain unavoidable for the time being. WannaCry and Petya, which were both based on the patched EternalRocks exploit, proved that even previously disclosed vulnerabilities can cause significant damage. By getting smart about common misconceptions and sticking to the information security basics, businesses can make significant progress toward reducing risk.

Marta Janus is a Senior Principal Threat Researcher at Cylance Inc. Marta is an experienced malware researcher and reverse engineer with more than eight years of experience in the anti-malware industry. Prior to Cylance, she was a senior security researcher for Kaspersky Lab.
Comments
REISEN1955, 8/17/2017 | 10:47:38 AM
Backups are 1/2 of the puzzle
As an independent consultant, I had off-site systems dedicated to evening backups of my various accounts, a single Dell computer dedicated to account and performing remote night backup of server to station. This saved one 501C3 account that got destroyed by CryptoLocker in 2014. I recovered and restored 98% of server-workstation data in 3 hours. The other half of my argument is that backups are great AND when you NEED THEM at 2am, they will often FAIL or be applied wrong because, well, I am not thinking square at 2am either. TEST TEST and test them to make SURE you have (a) reliable comprehensive backups that (b) WORK when you need them to. Otherwise, your best efforts are doomed to fail at a crucial time. "People never plan to fail - but they often fail to plan." - George S. Patton