Zero cost steps to manage ZeroAccess malware uptick

I’ve seen a seven-fold increase in HTTP drive-by attacks this month, particularly ZeroAccess and Blackhole variants. If you’re battling the uptick of HTTP drive-by attacks and the modern malware they deliver, take the following zero cost steps before you invest in more technology:

  • Patch your endpoints. I know… it’s easier said than done, especially if you have legacy apps that rely on older versions of Java.  The bottom line is that malicious code exploits weaknesses in software, and the situation isn’t going to get any better.  Cyber thugs have found a lucrative model in attacking the endpoint, so expect this trend to continue.  Now before you say, “Hey, what about zero days!?!” Yes, I hear you.  You can’t patch those, so consider the following additional steps.
  • Dedicate a browser to secure surfing.  I currently use two browsers — Internet Explorer and Firefox.  My IE browser has Java enabled.  I use this browser to access fewer than 10 sites that are strictly business related or rely on legacy Java.  My other browser is Firefox, with Java not enabled.  I also use a variety of security plug-ins.  NoScript is my favorite: no plug-ins or scripts run by default, so it’s perfect for Internet research or checking out sites I am not familiar with.
  • Up the sensitivity of your AV solution. There are at least 40 antivirus products on the market, so this is very generic advice.  It’s possible there’s some extra firepower you can squeeze out of your AV product.  Many organizations are concerned that AV is too intrusive or slows down their systems, so they dial back the sensitivity, but that’s a somewhat antiquated notion given the average horsepower of today’s desktops.  (Personally, I think it’s more intrusive to have the help desk take away your system while it’s wiped due to an infection.) If your AV product supports it, make sure it’s allowed to automatically block malicious websites when mischief is detected.  One more note on AV… if you’re still doing a full scan once a week, then understand that you’re giving cyber criminals several days to do their worst before your scheduled scan detects the malware.  A shorter interval between scans means faster detection, especially if the “on access” scanner fails to block the malware.
  • Review your reputation filters.  Check and tweak the paranoia level of your malware gateway.  If you feel like you’ll be swamped with too many requests to unblock sites, consider the time it takes to create an exception for a blocked site versus completely rebuilding a compromised system.  A note about web reputation:  a site that’s been hacked/seeded won’t develop a bad rap until it’s detected by the companies that maintain reputation lists. This means there’s a window of time where an infected site still has an acceptable reputation, so the gateway will grant access.  It’ll be up to your endpoint protection solution to step in and manage the malware. Reputation lists aren’t perfect, but they are effective once the site is picked up and placed on the naughty list.
  • Block Internet ads. Cyber criminals have a great level of success distributing malware through ad banners.  There’s no need to hack the websites users visit with this tactic — you simply create weaponized ads and wait for them to stream across an unsuspecting user’s web session.  The solution is to block advertising.  Yes, this makes websites look unattractive, but it also keeps malware from slipping through.  I’d rather see webpages with missing ad banners than inundate the help desk with re-image requests. The executives I’ve spoken with understand that the productivity of end users and the integrity of sensitive data outweigh the aesthetic appeal of websites.
  • Stop surfing as admin.  When you get hit with an HTTP drive-by (or any malware for that matter), the malicious code will piggyback on your current permissions.  If you’re logged in as a superuser like administrator… well, you’ve given the malware full control of your system.  What to do?  Stop logging in as an administrator.  There’s no reason to surf the web while logged in as an admin.  In fact, I’ve not logged in to my system as an administrator for over 5 years.  If I need to run a program as an admin, I elevate my privileges.
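As an added example (not from the original post), here is a PowerShell audit that checks a Windows endpoint against three of the steps above: whether the current session has admin rights, whether Java is installed, and how old the last full AV scan is. It assumes Windows Defender for the scan-age check (other AV products expose this differently); the function names Test-RunningAsAdmin, Get-InstalledJava and Get-DefenderScanAgeDays are chosen here, not taken from any tool.

```powershell
# Added example: audit one endpoint against the zero-cost checklist.
# Assumes Windows Defender (Get-MpComputerStatus) for the scan-age check.

function Test-RunningAsAdmin {
    # True when the current token holds the local Administrators role,
    # i.e. a drive-by would run with full control of the box.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstalledJava {
    # Installed products are listed under the Uninstall keys (64- and 32-bit views).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion
}

function Get-DefenderScanAgeDays {
    # Days since the last completed full scan; $null if one has never finished.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $last   = $status.FullScanEndTime
    if (-not $last) { return $null }
    return [math]::Round(((Get-Date) - $last).TotalDays, 1)
}

$findings = @()

if (Test-RunningAsAdmin) {
    $findings += 'Session has administrator rights; malware would inherit them.'
}

$java = Get-InstalledJava
if ($java) {
    $javaList = ($java | ForEach-Object { '{0} {1}' -f $_.DisplayName, $_.DisplayVersion }) -join ', '
    $findings += "Java installed (restrict it to the dedicated legacy browser): $javaList"
}

try {
    $age = Get-DefenderScanAgeDays
    if ($null -eq $age)  { $findings += 'No completed full AV scan on record.' }
    elseif ($age -gt 7)  { $findings += "Last full AV scan was $age days ago; shorten the interval." }
} catch {
    $findings += 'Windows Defender status unavailable; check your AV product manually.'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No findings.' }
```

Run it from an ordinary (non-elevated) user session; a warning on the first check means the account you browse with is exactly the one the post says not to use.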
This is not a complete list.  I’d love to hear some other zero cost (or even low cost) solutions you’re using to manage HTTP drive-by attacks, so submit a comment.