A preventative, layered approach to head off sophisticated malware threats
It attacked early in the morning without warning, provocation or even a whiff of foreshadowing. Unnoticed, it stealthily wormed through Beefmaster.com’s network searching for and eventually gaining access to FTP credentials. It then modified countless files, redirecting the site’s visitors’ to malicious Web servers. Incredibly, it was able to hole up for 14 hours undetected while infecting hundreds of visitors’ computers with malware.
It was the equivalent of a cat burglar breaking into your home, putting up a sign in your front yard for “Free Muffins” and then stealing the wallet of everyone who came by. It goes by the name Gumblar, but it might as well go by Sauron, Skeletor or Lucifer. It’s pure evil, but it’s also a new highly-sophisticated security threat.
Within minutes of attacking Beefmaster.com, an avant garde art gallery site, Gumblar had stolen the Webmaster’s FTP credentials and started modifying every HTML file, php script and Javascript file on the server, eventually adding a 1,131-byte block of highly-obfuscated code to 1,675 files. The malicious code then redirected all site visitors to another Web server that began the process of running a series of exploits against vulnerable Internet-capable applications in an attempt to push malware to the computers of its victims.
Most troubling is that Gumblar just didn’t steal information and download malware. It also stole login credentials for FTP servers, allowing the burglar to slink off into the night to live and fight another day.
This was a highly-coordinated, highly-sophisticated attack. Gumblar likely infected the network when someone visited a seemingly-innocent Web site from a computer that also had access to Beefmaster.com’s FTP credentials. From there, it wormed its way undetected into the corporate network.
As malware like Gumblar continues to evolve and grow more disruptive, IT security professionals are realizing that even the most robust endpoint security strategy isn’t enough to protect computers from malicious attacks. As more data is created, accessed, stored and archived on the Web and cloud technologies and social media increase in use as viable business tools, an extra layer of protection is needed at the perimeter of the IT environment. As we’ve seen with Beefmaster.com, this is where the tight controls of the corporate network security strategy meets the Wild West “anything goes” rules of Web-based computing.
Traditional malware protection isn’t enough
Endpoint security can be robust. Anti-virus and anti-malware software does a reasonably good job of identifying and cleaning up infected systems. However, any dentist can tell you that a preventative approach is best. Identifying and avoiding potential risks to systems is a much more effective information security strategy. Otherwise, as we saw with the Gumblar attack on Beefmaster.com, waiting to sound the alarm until a malicious threat hits the end point could be too late.
Instead, corporate IT organizations should invest in proactive, preventative information security technologies like Web filtering and vulnerability assessment solutions. Acting as a line of first defense out on the edge of the network, these technologies analyze all Web traffic and determine the risk of infection. If necessary, the content in question is blocked, preventing the risky behavior before it happens.
Emergency response organizations that rely on Web-based diagnostic applications or colleges that cater to a population with varying degrees of Internet security sense can scan, analyze and filter the Web activity of users, ensuring that a simple mistake or ill-advised decision does not jeopardize the entire system.
Along a similar vein, Beefmaster.com could have barred users from visiting the malicious Web site where the Gumblar attack originated. The use of Web filtering and vulnerability assessment software could have prevented the organization from having to shut down the Web site for four days to cleanse the network of the virus. In addition, the hundreds of users who were subsequently infected could have been insulated from the attack.
A new information security approach
After hearing horror stories like that of Beefmaster.com, IT professionals are beginning to understand that endpoint security isn’t enough to protect their networks from malware. As these threats grow more sophisticated, so should your information security strategy. Most important, it is critical that organizations implement a proactive and preventative approach that doesn’t impact the performance of systems or the productivity of end users.
1. Layered approach: A complete and layered information security solution protects the entire IT environment from the end point to the perimeter. Malware is designed to probe network defenses in search of a chink in your armor. Don’t give them a way in. Make sure your entire network is protected with a security software-as-a-service (SaaS) solution.
2. Proactive strategy: Shift your focus from remediation to risk assessment and prevention. Fighting fires is costly, inefficient and disruptive. Instead of using your resources to clean and rebuild infected computers, free your team to focus on more strategic IT projects.
3. Web-based service: Implementing a security SaaS takes processing burden off end points and servers and puts your network protection in the hands of seasoned professionals. Traditional security software solutions sap bandwidth, hijack memory and require constant updating and monitoring. Shifting security to the Web provides cost-efficient and robust malware protection without impacting user productivity.
Lessons learned
Beefmaster.com learned the hard way that increasingly-sophisticated malware threats are changing the rules of war when it comes to protecting your digital assets. Traditional information security solutions are not enough. Instead, IT organizations are advised to implement a more efficient, preventative and layered approach and think about putting their protection in the hands of the security experts.