Beware Of Exploits, Intercept Them


Sunil Sharma VP India  SAARC Sophos

As India is stepping into the digital landscape with full throttle, cybercrimes are increasing at an equally high rate. In 2015 alone, 8045 cases were registered under the IT Act of which 5102 rogues were arrested. Cyber crooks are leaving no stone unturned to take advantage of the vulnerable state of individuals and businesses operating in the digital world.

Most cyberattacks involve criminals’ exploiting some sort of security weakness. That weakness could be a poorly chosen password, a user who falls for a fake login link, or an ignorant user opening an infected attachment. However, in the field of computer security, the word exploit has a specific meaning: an exploit is a way of abusing a software bug to bypass one or more security protections that are in place. 

Software bugs that can be exploited in this way are known as vulnerabilities, for obvious reasons, and can take many forms. For example, a home router might have a password page with a secret “backdoor code” that a crook can use to login, even if the official password is something unique. Many software bugs cause errors that are annoying but can be detected and handled safely by the operating system. A vulnerability, however, is a bug that can be orchestrated or controlled so that it does something unauthorized and insecure as the program crashes, before the operating system can intervene and protect the system.

When attackers exploit a vulnerability of this sort, they usually do so by tricking one of the applications, such as the browser or word processor, into running a small program or program fragment that was sent in from outside. By using what’s called a Remote Code Execution exploit, an attacker can bypass any security popups or “Are you sure” dialogs, preventing the user from stopping it. Zero day exploits are where the hackers take advantage of a vulnerability which is not yet public knowledge and for which no patch is currently available. As exploits take advantage of often-unknown weaknesses in legitimate software it is often hard to avoid them, even when following best security practices.

Traditional anti-viruses are focused on stopping the malware that uses the exploits rather than the exploits themselves. While there are millions of different pieces of malware in existence, hackers only use top 10 different techniques to exploit software vulnerabilities. With next-gen malware there is a need for next-gen anti-exploit tools to combat such attacks. Today’s malware have come a long way from “The Rabbit” or “Animal” that were written to crash computers and could spread only if permissions existed. Threats today have become more coordinated and unlike traditional anti-viruses, next-gen anti-exploit tools need to be more intuitive, that can help detect, prevent and remediate even the most persistent of attacks.  

While social engineering is the primary method used to trick users into opening emails or clicking on malicious attachments, cyber criminals are looking at exploiting vulnerabilities in software as companies still struggle to keep up with patching their loopholes. 

With signature less, next-gen, anti-exploit and anti-malware tools, a massive number of malware samples can be blocked in one go, even before they enter the system. IT generalists and Infosec professionals can even block exploits that happen over the wire (drive by attacks), or prevent, detect and remediate vulnerabilities that have never been seen before (zero day vulnerabilities).

Incidentally there are exploit kits that are available to attackers which are pre-packaged toolkit of malicious web pages or software that crooks can buy, license or lease for the purpose of distributing malware. In other words, if an attacker has some shiny new malware – ransomware, perhaps, or a Trojan, or a password stealer – one can use an exploit kit to deliver that malware to unsuspecting victims. It’s not illegal to sell exploits, but it is lucrative.

However, following security best practices against exploits would be the right thing to do to protect your network. Here are some tips that you can follow to stay secure:

1. Patch early, patch often - If the holes are already closed that an exploit kit is programmed to try, all its alternatives will fail and the exploit kit will be useless.  Generally, once a vulnerability has been patched its effectiveness as an attack vector should be short lived, because as more users update their software, fewer remain susceptible to the exploit. However, this all depends on how quickly and effectively organizations patch the vulnerabilities

2. Keep the security software up to date - A good anti-virus can block document attacks at many points, including getting rid of dangerous email attachments before they are opened, filtering out booby-trapped web sites and blocking booby-trapped files 

3. Using a stripped-down document viewer - Microsoft’s own Word Viewer for example, is usually much less vulnerable than Word itself. Also, it doesn’t support macros, another Word-based malware trick commonly used by ransomware.

4. Removing unused browser plugins - If one doesn’t need Java (or Silverlight, or Flash) in the browser, uninstall the plugin. An exploit kit can’t attack a browser component that isn’t there.

Remember, beware of exploits and Intercept them!