Reinforce antivirus to hunt down bad apps and intruders


Wonder how viruses got started?


Here is a bit of history about viruses and why antiviruses were created: In 1986 the first virus created was called Brian. It would overwrite the boot sector.

In 1988 the first worm virus called The Morris was created. Its purpose was to determine the size of the internet. It used security holes in Sendmail, Unix applications, and weak passwords to spread. It spread so fast it interfered with the normal operation of computers. In just 15 hours it had infected almost all of the internet at the time around 15,000 computers.

In 1991 Michelangelo was released. It would lay dormant until every 6th of March then it would overwrite the first 100 sectors on the storage device and prevent the computer from booting. This is where Antivirus was created for commercial use.

In 1998 CIH was released. It infected 60 million computers and overwrote key system files. In 1999 Melissa was released. This introduced the world to its first Macro virus distributed by email. By the year 2000 it was not a question of if you got infected; But how and by what.

The first antivirus looked for vulnerabilities in the code. They called them signatures. Once identified the signature was added to a list known as the signature list. This list is now used to scan all files when files are found to contain any of these signatures it is quarantined for observation. The file is backtracked and if found to come from a questionable area it is killed or kept in quarantine until further action is decided. It is believed to be neutralized once quarantined; however, with experience, these viruses remain active. No matter, this is how normal antivirus software operates.

When computers were slow this approach was effective but, as viruses increased in speed it worked less and less. Another issue is the antivirus was out-facing. So once the attacker gets past it, the antivirus was very slow to catch them inside the system.

Today’s computer viruses are more advanced and move so fast the old way doesn’t catch them. This is how crypto and ransomware were born.

Files come in looking like a normal application, allowing it to clear anti-virus. Then a trigger goes off, like a bomb. The first thing it does is overtake the antivirus. Since the antivirus reports directly to the operating system, it very quickly overtakes the operating system without resistance. It then poisons or converts all the files. Anywhere the infected machine has rights becomes infected too. All this in less than a second. Attackers also use pop-ups to spread viruses across machines and networks simply by user approval which happens very easily.

Blue Sky combats this with Endpoint Detection and Response (EDR) and Managed Detection Response (MDR). The next generation of antivirus goes beyond signatures and looks at how files behave. It learns behavior and does not require signature updates. It waits for files to try to initiate a crypto event. When an event is detected, it freezes the system and takes it off the network. The machine can then be rolled back before the incident and the infected files removed.

It’s like a computer’s shield. MDR has a hosted Security Operation Center (SOC) or in other words REAL humans at a desk inspecting a system/network for issues. The MDR is looking for programs that send signals to the attacker’s machine to get instructions (phone home) or for people to try to attach to equipment or machines to gain access to them. The program gets past the antivirus by looking normal. Then a trigger or timer activates and receives instructions from the attacker on how and when the virus will attack.

MDR kills the program when it sees the signal going somewhere it shouldn’t be going. In a computer, other programs also send signals to receive instructions however are properly registered so when they phone home the MDR follows them to verify it’s going where it’s supposed to.

Another tactic attackers often use is a program that will make a window to get onto a machine. Once on the machine, they slowly poke around gathering info. Trying to see where else they can go. This is called lateral movement. An MDR kills the program, the window, and the attacker on the system.

On average an attacker can sit on a machine for over 100 days to 4 years without being detected. Because of this the Endpoint Detection and Response (EDR) and Managed Detection Response (MDR) are mandatory tools to employ in your environment to help protect your company from being attacked.