Ask the Expert: Roel Schouwenberg Explains the State of Malware Threats

The cyber threat landscape is constantly evolving and keeping up with those changes is an intense project. Kaspersky Lab has a team of research experts who are relentless in sniffing out the threats before they get to you. Roel Schouwenberg, senior anti-virus researcher, Kaspersky Lab, Americas, is part of Kaspersky’s Global Research and Analysis Team, where on a daily basis he is monitoring the state of malware and the threats that exist. We sent along your malware and cyberthreat questions to Roel to have him answer.

If a piece of malware can be identified by antivirus or through the signature, then why does a creator need to use the “signature?” How does the antivirus actually classify the signature as threatening or not? What is actually being manipulated by malware?

A signature is something which will uniquely describe a piece of malware, malware family, or type of malicious action. Signatures come in many shapes. Perhaps the detection is made on the code which is responsible for using a specific algorithm. The signature can also be created to detect certain behavior on the system. Most of today’s signatures are smart. We can detect tens of thousands of different malicious files using just one smart signature.

We, either the automation system or a human analyst, simply choose how to detect a given file. If a particular piece of malware does particular things to complicate analysis, then creating a signature based on that code or behavior may be a very good way of detecting such malicious files. That means the malware author will have to move on to a new trick to try and evade detection. It’s an endless cat and mouse game.

We use both a smart denylist and an allowlist. By having a huge and ever expanding database, we can speed up scanning, prevent false positives and be more suspicious of files we don’t know.
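The three mechanisms in the answer above (an allowlist checked first, an exact-hash denylist, and a "smart" pattern signature that covers many variants of one family) can be shown in a few lines. This is an added illustration, not Kaspersky Lab code or a description of their engine; the sample "files", the family name `Hypothetical.Family.A` and the shared code fragment are all constructed byte strings, not real malware.

```python
import hashlib
import re

# Constructed sample "files" (hypothetical byte strings, not real malware).
# variant_a/b/c share a code fragment but differ in one embedded constant and a
# string, so each has a different hash; only a pattern signature catches all three.
FAMILY_CODE = b"\x55\x8b\xec\x83\xec\x10"  # constructed fragment shared by the family

SAMPLES = {
    "calc.exe":      b"MZ" + b"\x00" * 16 + b"legit-calculator",
    "variant_a.exe": b"MZ" + FAMILY_CODE + b"\xb8\x01\x00\x00\x00" + b"srv-a.example",
    "variant_b.exe": b"MZ" + FAMILY_CODE + b"\xb8\x02\x00\x00\x00" + b"srv-b.example",
    "variant_c.exe": b"MZ" + FAMILY_CODE + b"\xb8\x03\x00\x00\x00" + b"srv-c.example",
    "unknown.exe":   b"MZ" + b"\x00" * 4 + b"never-seen-before",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist: hashes of files known to be good. Checked first, so these files skip
# pattern scanning entirely (faster, and no chance of a false positive on them).
ALLOWLIST = {sha256(SAMPLES["calc.exe"])}

# Exact-hash denylist: one specific known-bad file. Brittle: a one-byte change evades it.
DENYLIST = {sha256(SAMPLES["variant_a.exe"])}

# "Smart" signature: the shared fragment followed by `mov eax, imm32` where the
# immediate is a wildcard byte. One rule matches every variant of the family.
FAMILY_SIGNATURES = {
    "Hypothetical.Family.A": re.compile(
        re.escape(FAMILY_CODE) + rb"\xb8.\x00\x00\x00", re.DOTALL
    ),
}


def classify(data: bytes) -> str:
    """Verdict for one file: allowlist, then exact hash, then family signatures."""
    h = sha256(data)
    if h in ALLOWLIST:
        return "clean"
    if h in DENYLIST:
        return "malware:exact-hash"
    for name, sig in FAMILY_SIGNATURES.items():
        if sig.search(data):
            return f"malware:{name}"
    # Neither known good nor known bad: treat with more suspicion (e.g. sandbox it).
    return "unknown"


def scan_all(samples=SAMPLES) -> dict:
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:15s} {verdict}")
```

Flipping the last byte of `variant_a.exe` changes its hash, so the denylist entry no longer fires, but the family signature still does; that is the difference between a hash and a "smart" signature that the answer describes.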

How do you find malware?

With up to 200,000 new malware samples per day it’s all about automation. We have different types of crawlers which browse the internet looking for new malware. These systems visit websites to see if they’re infected and capture the exploits and malware. We also have various types of honey pots, such as for email and network traffic. When processing malware that’s been discovered we often find URLs leading to more malware, which then automatically get processed. The anti-malware industry also shares the malware it finds, so we get samples from other vendors as well. Last but not least are manual submissions from ‘anti-malware enthusiasts’, professionals and customers.

How can I better protect myself from DDoS attacks?

The DDoS problem is a difficult one. There’s no easy fix. DDoS attacks differ greatly in type and magnitude. If an attacker is trying to flood your service with network traffic, then most often you’ll have to work with – or move to – a service provider which has experience with DDoS mitigation. For other types of scenario, IDS/IPS should be able to do a lot of the heavy lifting.

Is having open ports a vulnerability?

Programs are responsible for opening ports. This means the core question is if you can trust the program which opened the port. If the port is opened by malware then that constitutes a vulnerability. Such an open port will generally be used as a backdoor into the system. When a legitimate program opens up a port it becomes a question of what type of program it is and if it (potentially) needs a port that’s open to the internet. Most often the answer to that question is no, which is why it’s important to run a firewall, ideally together with a router that supports NAT.
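The answer's two questions, which program opened the port and whether it needs to face the network, are exactly what a periodic host audit should ask. The following added example (not from the interview or from Kaspersky Lab) parses the output of `ss -tlnp` on Linux, separates loopback-only binds from ports reachable on all interfaces, and flags any exposed listener whose (program, port) pair is not on a policy list. The `ss` output and the policy set `EXPECTED_EXPOSED` are constructed for the example; the process name `svchelper` is hypothetical.

```python
import re

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1204,fd=6))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=977,fd=8))
LISTEN  0       128     0.0.0.0:9999        0.0.0.0:*          users:(("svchelper",pid=3391,fd=4))
"""

# Hypothetical policy: the only (program, port) pairs we have decided may face the network.
EXPECTED_EXPOSED = {("sshd", 22), ("nginx", 80)}

# One LISTEN line: address:port of the local socket, then the owning process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<prog>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(text: str) -> list:
    """Return one dict per listening socket that has process information."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line, or no process info (run ss as root to see it)
        listeners.append({
            "addr": m["addr"],
            "port": int(m["port"]),
            "program": m["prog"],
            "pid": int(m["pid"]),
        })
    return listeners


def is_exposed(addr: str) -> bool:
    """True if the bind address is reachable from other hosts, not just loopback."""
    return addr not in LOOPBACK and not addr.startswith("127.")


def audit(text: str, expected=EXPECTED_EXPOSED) -> list:
    """Listeners that face the network but are not on the expected list."""
    return [
        l for l in parse_listeners(text)
        if is_exposed(l["addr"]) and (l["program"], l["port"]) not in expected
    ]


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        print(f"review: {f['program']} (pid {f['pid']}) listens on {f['addr']}:{f['port']}")
```

On the sample, `postgres` is not reported because it is bound to loopback only, `sshd` and `nginx` are expected, and the unlisted `svchelper` on 0.0.0.0:9999 is the one listener a human should go and identify. The flagged entry carries the PID, so the next step is to look at that process rather than the port number in isolation.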

What can consumers do to maximize protection against Trojan Horses disguised in PDF files and other attachments?

The most effective method is to simply uninstall any PDF reader. Using the latest version of Adobe Reader and Microsoft Office is paramount. They come with sandboxes which are extremely hard to break. Running the latest version of Windows, which comes with more and improved exploitation mitigations helps as well. Some people recommend using less popular programs as a way of avoiding exploits for more popular office readers. This approach can work for ‘mass malware’ type of attacks. However, it won’t be effective when it comes to targeted attacks.
