Significant security threats emerged in 2014. Closing out this eventful year with a bang is Destover, aka Wiper. As far as security threats go, Wiper is significant. Significant enough that the FBI quietly sent a memo to businesses and government agencies advising vigilance against Wiper-based attacks. In this post I'll provide five clear steps every organization can take to harden its defenses against Wiper.
First, a little background on the Wiper malware. Paraphrasing the poet Robert Frost, Wiper walks the road less traveled. Most modern malware tries to avoid detection for as long as possible so it can keep stealing or spying. Wiper's goal, on the other hand, is nothing short of completely erasing an infected system, and its name derives from that destructive nature. That difference matters for defenders: by the time a wiper is detected on a host, the damage on that host may already be done, so prevention, backups and early detection of the preparatory changes count for more than after-the-fact cleanup. With that in mind, here are five steps to help keep you from becoming Wiper's next victim.
Step 1: Update malware protection
Malware protection is somewhat like a flu shot. Each year a new shot is developed against that year's predominant virus strains. Malware protection updates similarly provide protection against the latest known malware threats. Configure client anti-malware systems to update signatures at least daily. Servers deserve more stringent protection, so have them update hourly. Firewalls with embedded IPS or other malware protection should update every 15 minutes if possible. Keep in mind that signatures only cover variants a vendor has already seen; a repackaged sample may slip past them, which is why the remaining steps matter just as much.
Step 2: Educate users
Informed users are the best defense against most attacks. Users are on the "front lines," barging their way daily through email and web browsing. Teach them to identify odd attachments, phishing attempts, URL anomalies, and other attack vectors, and give them a simple way to report what they see. Encourage them to "ask first, click second." Diligent, educated users may prevent malware from ever getting a foothold inside an organization. Distracted, uneducated users, on the other hand, may expedite an infection.
Step 3: Back up regularly
The difference between a major event and a minor annoyance is a strong disaster recovery strategy. A good DR plan, well implemented, reduces an attack's impact: recovery time and data loss are minimized. Business continuity plans ensure operations continue regardless of which systems are lost. Against a wiper in particular, two details decide whether backups are worth anything: at least one copy must be offline or otherwise unreachable from the credentials an attacker would hold after compromising the network, and restores must actually be tested, not assumed to work. Data de-duplication and virtual desktop infrastructure offer modern technologies for enhancing DR strategies. Take advantage of these technologies when practical to augment current systems.
Step 4: Patch OSes and software
Operating system updates don't just add features and functionality. In fact, most OS updates are security related, not feature related. These patches close vulnerabilities identified since an OS's release. Likewise, updates to software such as Office, Adobe Acrobat, and Java are key in preventing attackers from leveraging these applications for initial access. Microsoft and Adobe both release patches monthly for their products. Test and deploy these updates quickly. Being attacked is bad. Being attacked through an exploit that was patched, but you never deployed, is much, much worse.
Step 5: Monitor for changes
While performing its nasty deeds, Wiper changes a system before it starts destroying it. Monitoring for those changes can significantly enhance detection efforts and buy the time needed to isolate a host. Products like Netwrix Auditor ease the administrative burden associated with change monitoring. Properly configured, these products keep an eye out for changes, alerting admins when they're spotted. Things to be on the lookout for include:
- Creation and startup of a service named brmgmtsvc, displayed as "Backup and Restore Management"
- Creation of a file share pointing at C:\Windows, or wherever the %SystemRoot% environment variable points
- A file named igfxtrayex.exe being created or modified
- Activation of a web server on port 80 on machines where no web server should be running
- Network traffic destined for 18.104.22.168, 22.214.171.124, or 126.96.36.199
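As an added example, not part of the original post and not taken from the FBI memo, the PowerShell script below checks a single Windows host for the five indicators listed above. The indicator values (the service name, the share path, the file name, port 80, and the three addresses exactly as they appear in the list) come from the post; the search locations, the event ID used for service installs, and the output format are my own assumptions. It needs Windows 8 / Server 2012 or later for Get-SmbShare and Get-NetTCPConnection and should be run from an elevated prompt.

```powershell
# Added example: sweep one Windows host for the Wiper indicators listed in this post.
# Not code from the original article or from the FBI memo; run elevated.
# Assumptions: Windows 8 / Server 2012+ cmdlets, System log event 7045 for
# service installs, and a few common drop directories for the file search.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Service brmgmtsvc ("Backup and Restore Management"): present now, or
#    installed at some point according to the System event log (ID 7045).
$svc = Get-Service -Name 'brmgmtsvc' -ErrorAction SilentlyContinue
if ($svc) { $Findings.Add("Service brmgmtsvc present (status: $($svc.Status))") }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'brmgmtsvc|Backup and Restore Management' } |
    ForEach-Object { $Findings.Add("Service install event at $($_.TimeCreated) for brmgmtsvc") }

# 2. Any SMB share whose path is %SystemRoot% (normally C:\Windows).
$sysRoot = $env:SystemRoot.TrimEnd('\')
Get-SmbShare -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path.TrimEnd('\') -ieq $sysRoot) } |
    ForEach-Object { $Findings.Add("Share '$($_.Name)' exposes $($_.Path)") }

# 3. igfxtrayex.exe under the usual drop locations (assumed list).
$searchRoots = @($env:SystemRoot, $env:ProgramData, $env:TEMP) | Where-Object { $_ }
Get-ChildItem -Path $searchRoots -Filter 'igfxtrayex.exe' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("File $($_.FullName) (last modified $($_.LastWriteTime))") }

# 4. A TCP/80 listener on a host that should not be serving web content.
#    Adjust or skip this check on legitimate web servers.
Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("TCP/80 listener owned by PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 5. Connections to the addresses listed in the post (copied as written there).
$badHosts = @('18.104.22.168', '22.214.171.124', '126.96.36.199')
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $badHosts -contains $_.RemoteAddress } |
    ForEach-Object { $Findings.Add("Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($_.State))") }

if ($Findings.Count -eq 0) {
    Write-Output "No Wiper indicators found on $env:COMPUTERNAME"
} else {
    Write-Output "Wiper indicators found on $($env:COMPUTERNAME):"
    $Findings | ForEach-Object { Write-Output "  - $_" }
    exit 1   # non-zero so a scheduler or management tool can flag the host
}
```

A hit on any one check is a reason to pull the host off the network first and investigate second, since the point of these indicators is that they show up before the wiping starts. The script is a point-in-time check; a change-monitoring product or a scheduled task that runs it hourly and forwards the non-zero exit status turns it into continuous detection.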
There's no doubt Wiper is a nasty piece of malware. Its recent use in the attack against Sony Pictures Entertainment cost them significantly. Lost files, leaked movies, and cancelled press tours and movie premieres were all direct outcomes of the Wiper-based attack. Taking the few simple steps outlined above will enhance your systems' protection against Wiper. Don't be surprised when Wiper shows up on your network; be prepared!