To Catch Malware, You Have to Speak Its Language. Here’s How
A robber sneaks into your house at night, able to slip past your alarm system, looking for valuables to steal. He spots your shiny new MacBook Pro and calls his accomplice who is sitting outside in the getaway car to let him know what he found.
Little do the robbers know that you heard them come in and are ready to protect your belongings from theft. You jump out of the closet and tie up the robber. Before calling 911, though, you want to know what else the robbers had planned. So you call back the accomplice, mimicking the robber’s voice, and he tells you he wants to steal jewelry, too.
With this intel, you then call 911 with all the information about the robber and their plans. Now, a robber is off the streets, nothing was stolen, and you have valuable information about their intentions so that you can improve your security in the future. Nice work.
In this analogy, you are malware protection, the robber is malware, and the accomplice is what we call a "command and control" (C2) server.
Analogy aside, malware is a real and dangerous threat, and without the right layers of defenses, it can easily rob you of your data or hold your systems hostage. As a defender, you need not only to detect it but also to know how to respond. A critical step in doing this is being able to communicate with it, so you understand what is going on and can plan your response.
How? With a malware solution like Strongarm that knows how to speak malware. This approach is unlike the other defenses out there: block-and-drop, antivirus, firewalls, and the like.
In this post, we’ll explain how Strongarm “speaks malware” and why this approach is so effective.
How Strongarm Speaks Malware
As you may know, Strongarm works by monitoring DNS lookups for domain names that have been associated with malware. For example, if badsite.biz is caught hosting malware, it gets added to a blacklist, which is simply a list of domain names associated with malware.
There are many of these lists out there on the internet, and our security experts continually comb them, adding new entries to our blackhole daily, and often hourly. That way, we know what to be on the lookout for. Why do we do it this way? Attackers rely on DNS for resilience: a domain name lets them move their command and control server between IP addresses without losing contact with the machines they have infected. When they break in, they want to stay in, and we use that dependence on DNS against them.
So what do we do with this list of bad domains?
First, Strongarm keeps its ears open for communication on your network to any of the known-bad domains. When a lookup of this kind is discovered, it is a strong sign that a device on your network is infected and that someone is trying to steal something from you. Strongarm then identifies the specific device making the request and the specific server the malware is trying to reach, and the fun begins.
Now, Strongarm's proprietary blackhole impersonates the bad server to interrogate the malware. Instead of simply refusing the connection, it answers the malware in the protocol the malware expects. This communication channel holds the malware "hostage" and allows Strongarm to better assess the level and nature of infiltration that malware has achieved on your network. (All while keeping your systems and data safe from harm, because the malware is talking to us rather than to the attacker.)
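The steps above (a blacklist of bad domains, watching DNS lookups for them, answering those lookups with an impersonating server rather than dropping them, and recording which device asked) can be shown in a few dozen lines. The following is an added example written for this post; it is not Strongarm's code, and the blocklist entries, the sinkhole address 10.0.0.250, and the BIND-style query-log lines are all constructed for illustration.

```python
"""Minimal DNS sinkhole decision logic (illustrative example, not Strongarm code).

Given DNS query-log lines, it (1) matches queried names against a blocklist of
known-bad domains, (2) decides whether to forward the query or answer it with a
sinkhole address, and (3) records which client asked, so the infected device is
identified rather than silently dropped.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional, Set

# Constructed blocklist for the example. These are placeholder names, not real
# indicators; a real deployment loads thousands of entries from threat feeds.
BLOCKLIST: Set[str] = {"badsite.biz", "c2.evil-example.net"}

# Assumed address of the impersonating server. Answering with it instead of
# NXDOMAIN makes the malware's next step (connecting to its C2) land on a
# server we control, which is where the interrogation happens.
SINKHOLE_IP = "10.0.0.250"


class Alert(NamedTuple):
    client_ip: str   # the device that asked for the bad name
    qname: str       # name as queried, normalized
    matched: str     # blocklist entry that covered it


class Decision(NamedTuple):
    action: str              # "forward" or "sinkhole"
    answer: Optional[str]    # A record to return when sinkholing
    alert: Optional[Alert]


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'C2.Evil.NET.' equals 'c2.evil.net'."""
    return name.rstrip(".").lower()


def blocklist_match(name: str, blocklist: Set[str] = BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry covering `name`, or None.

    Matching is on label boundaries: listing badsite.biz also covers
    cdn.badsite.biz (attackers rotate subdomains under a domain they own)
    but not notbadsite.biz, which a naive endswith() check would flag.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def handle_query(client_ip: str, qname: str, blocklist: Set[str] = BLOCKLIST) -> Decision:
    """Decide how the sinkhole resolver answers one query from one client."""
    matched = blocklist_match(qname, blocklist)
    if matched is None:
        return Decision("forward", None, None)
    return Decision("sinkhole", SINKHOLE_IP, Alert(client_ip, normalize(qname), matched))


# BIND-style query log record (constructed sample lines below), e.g.
#   client 192.168.1.23#51234 (cdn.badsite.biz): query: cdn.badsite.biz IN A + (192.168.1.1)
LOG_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]*\): query: (?P<name>\S+) IN (?P<type>\S+)"
)


def process_query_log(lines: Iterable[str], blocklist: Set[str] = BLOCKLIST) -> List[Alert]:
    """Run every parseable query record through handle_query and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a query record (e.g. a zone-reload message); skip it
        decision = handle_query(m.group("ip"), m.group("name"), blocklist)
        if decision.alert is not None:
            alerts.append(decision.alert)
    return alerts


def infected_hosts(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count sinkholed lookups per client: the triage list a responder starts from."""
    return dict(Counter(a.client_ip for a in alerts))


# Constructed sample log; timestamps, hosts and names are all made up.
SAMPLE_LOG = [
    "10-Mar-2017 09:12:00.000 general: info: zone example.org/IN: loaded serial 42",
    "10-Mar-2017 09:12:01.123 queries: info: client 192.168.1.23#51234 (cdn.badsite.biz): query: cdn.badsite.biz IN A + (192.168.1.1)",
    "10-Mar-2017 09:12:03.456 queries: info: client 192.168.1.40#40211 (www.example.org): query: www.example.org IN A + (192.168.1.1)",
    "10-Mar-2017 09:12:05.789 queries: info: client 192.168.1.23#51240 (badsite.biz): query: badsite.biz IN A + (192.168.1.1)",
    "10-Mar-2017 09:12:09.000 queries: info: client 192.168.1.77#33001 (c2.evil-example.net): query: C2.Evil-Example.NET. IN A + (192.168.1.1)",
    "10-Mar-2017 09:12:10.000 queries: info: client 192.168.1.40#40212 (notbadsite.biz): query: notbadsite.biz IN A + (192.168.1.1)",
]

if __name__ == "__main__":
    found = process_query_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.client_ip} asked for {a.qname} (listed as {a.matched}); answered {SINKHOLE_IP}")
    print("hosts to investigate:", infected_hosts(found))
```

Two points in the example matter in practice. The blocklist match works on label boundaries, so an entry for badsite.biz catches cdn.badsite.biz without also flagging notbadsite.biz. And the sinkhole returns an address it controls rather than NXDOMAIN: a plain block leaves the malware to retry elsewhere, while a sinkhole answer brings the malware's next connection to the impersonating server, and the alert records exactly which client to go and clean up.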
In many cases, once the malware is talking, Strongarm can actually eradicate the infection by using the malware's own communications against it. Many forms of malware contain a "kill switch" or "suicide pill" so that their creators can delete them remotely, either to avoid detection or to protect their own systems. Because Strongarm can "speak malware," it can invoke these kill switches to defend your systems, too. If there is no kill switch, we can guide you through removing the infection manually.
Why Speaking Malware Works
As you can probably tell, this does much more than the traditional block-and-drop approach. At the simplest level, block-and-drop does not automatically tell you which device was compromised. Strongarm provides that information, which saves valuable analyst time and accelerates the time to resolution. In addition, blocking and dropping often does not stop an attack from persisting: the malware is still on the machine, and it can come back via a different channel or with an entirely new tactic without you ever knowing.
Other security defenses such as antivirus and firewall technologies are not effective in stopping many kinds of malware, in part because they are unable to see it. Malware can be encrypted or packed to evade signature-based antivirus, and it can arrive via email or on a USB stick, bypassing the network perimeter a firewall guards. Whatever the delivery route, though, the malware still has to reach its command and control server to be useful to the attacker, and that is the moment Strongarm watches for.
The Strongarm Difference
One thing malware does when its mission is to steal from you is communicate back to a command and control site, and Strongarm is designed not to miss this. Because no other solution communicates directly with malware, no other solution can identify and protect against the range of malware that Strongarm can.
We have written protocols to speak to more than ten malware families, including Zeus, Poison Ivy, PlugX, Gh0st, and Locky. With tens of thousands of new malicious domains going live every week to serve these families, businesses cannot afford to be without a solution built to detect and communicate with all of them.
Strongarm is free for the first 30 days. Sign up today to see why speaking malware is the most effective tactic against today’s online threats.