Free file sharing services such as LimeWire, FrostWire and uTorrent are, in most forms, illegal (note: there are legal sources; however, this post focuses on file sharing of pirated content). The cost of music, software and other applications keeps rising to accommodate lost revenue caused by piracy spread through file sharing. As prices go up to make up the lost revenue, more people join file sharing networks. It’s a vicious cycle. There is, however, a more important reason besides ethics, law and cost not to be involved with file sharing services. Like my mother used to say … “nothing is free in this world”. Most of the pirated goods from file sharing that you believe are free actually come at a very high price to your system and privacy.
[Image: Nuclear RAT rootkit]
There are many malicious applications used by hackers to gain access to a system. The worst form is a rootkit. Rootkits gain full control of a system without the victim’s knowledge and are typically very hard to detect and remove. Many popular rootkits include covert-channel communication tools to hide phone-home attempts from modern security tools. The example pictured above is Nuclear RAT (a Remote Access Tool found at nuclearwintercrew.com). The image shows the RAT server GUI that manages connections from the rootkits placed on victim systems. Spy options include viewing the victim’s screen, logging keystrokes, controlling the mouse, opening a remote shell and so on (see images). There are also options to hide the RAT, such as Melt Server (which deletes the executable after install) and Stealth Shell Folders, so you won’t see it running. Once installed, an attacker owns your system.
If you search the Internet for anti-malware/anti-virus or attend security conferences, you will find billions of vendors. Which solution is best? There are endpoint and server solutions, network appliances and embedded upgrades for existing applications. What separates the gazillion anti-whatever solutions, apart from price? Many claim faster reaction time, but what does “X faster than Y” mean when most attacks do their damage in milliseconds? It’s best to step away from the vendors and understand the DATA you are protecting before considering a solution.
If data on endpoints is the primary focus, consider applications that protect 24/7 regardless of network connectivity. Signature-based technology is a commodity and shouldn’t make up your whole strategy. The basic principle of signatures is defending against documented attacks, which will not catch zero-day threats. Behavior-based technology improves on this, but it must be customized to enforce corporate policies and must have visibility into all threat vectors to be impactful. Locking down services (such as disabling wireless when physically connected) and leveraging patch management solutions dramatically reduces how much you need to rely on anti-virus/malware services. There are alternatives to endpoint anti-virus/malware solutions, such as proxy-based technology: a proxy acts as a middleman between the data and the endpoints, separating infected machines from the inside network.
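To make the signature-versus-behavior point concrete, here is an added example (not code from the original post or from any vendor) in Python. It runs a signature check and a behavior check over constructed endpoint telemetry: a byte-identical known sample is caught by its hash, a repacked copy that differs by one byte slips past the signature but trips behavior rules (persistence path written, keystroke hook plus outbound connection, and the self-deleting "melt" behavior described above for the RAT). The hashes, file paths and process records are all constructed, and the indicator set and threshold are assumptions chosen for illustration.

```python
"""Signature vs behavior detection over constructed endpoint telemetry.

Added example, not from the original post. Sample payloads, paths and
process events are constructed; the behavior indicators are assumptions.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed "known bad" signature database: the SHA-256 of one sample image.
KNOWN_BAD_PAYLOAD = b"rat-sample-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest()}

# Constructed persistence locations a behavior engine would watch for writes.
PERSISTENCE_PATHS = ("\\Start Menu\\Programs\\Startup\\", "\\CurrentVersion\\Run\\")
BEHAVIOUR_THRESHOLD = 2  # assumption: two independent indicators = alert


@dataclass
class ProcessEvents:
    """Telemetry an endpoint agent might collect for one process (constructed)."""
    name: str
    image_bytes: bytes
    files_written: list = field(default_factory=list)
    outbound_connections: int = 0
    deleted_own_image: bool = False   # the "melt" behavior: binary removes itself
    hooked_keyboard: bool = False     # keystroke logging


def signature_match(p: ProcessEvents) -> bool:
    """Signature detection: flags only byte-identical, already documented samples."""
    return hashlib.sha256(p.image_bytes).hexdigest() in SIGNATURES


def behaviour_score(p: ProcessEvents) -> int:
    """Behavior detection: count independent RAT-like indicators, not file bytes."""
    score = 0
    if any(any(s in f for s in PERSISTENCE_PATHS) for f in p.files_written):
        score += 1  # installs persistence
    if p.outbound_connections > 0 and p.hooked_keyboard:
        score += 1  # captures keystrokes and talks to the network
    if p.deleted_own_image:
        score += 1  # anti-forensics: deletes its own executable after install
    return score


def classify(p: ProcessEvents) -> str:
    """Return which layer caught the process, or 'clean' if neither did."""
    if signature_match(p):
        return "signature"
    if behaviour_score(p) >= BEHAVIOUR_THRESHOLD:
        return "behaviour"
    return "clean"


# Constructed samples.
KNOWN_SAMPLE = ProcessEvents("svchost32.exe", KNOWN_BAD_PAYLOAD)
REPACKED_SAMPLE = ProcessEvents(
    "svchost32.exe",
    KNOWN_BAD_PAYLOAD + b"x",  # one byte differs, so the hash signature misses it
    files_written=["C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows"
                   "\\Start Menu\\Programs\\Startup\\upd.exe"],
    outbound_connections=3,
    deleted_own_image=True,
    hooked_keyboard=True,
)
UPDATER = ProcessEvents("vendor_update.exe", b"legit", outbound_connections=1)

if __name__ == "__main__":
    for sample in (KNOWN_SAMPLE, REPACKED_SAMPLE, UPDATER):
        print(f"{sample.name:18} -> {classify(sample)}")
```

The signature layer is cheap and exact but only as good as what has already been documented; the behavior layer catches the repacked copy because it looks at what the process does, which is also why it needs tuning (an updater that merely makes a network connection scores zero here) to fit the policies of the environment it runs in.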
Anti-malware/virus vendors are targeting appliance solutions at the commercial market. There are Intrusion Detection/Prevention Systems (IDS/IPS) with anti-malware/virus functions, as well as malware appliances that sit on the wire, passively or inline, and scan for threats. These solutions can only affect the traffic they touch, and if inline they typically add delay. Email and web security appliances usually include native anti-malware or partner with anti-virus/malware vendors as part of their suite. It’s key that these work together, as users could use one to bypass the other (i.e. avoid corporate email security by using web email such as Gmail). FireEye took an interesting approach by developing a solution that executes suspicious code/objects in a virtual environment and identifies their intent before releasing them to the real network. Cisco IronPort offers a layer 4 traffic scanner in its web security appliance that scans SPAN ports for malware/bot phone-home activity from compromised devices. The list of anti-malware/virus appliance solutions goes on, so consider where sensitive data sits and how that data moves before dropping appliance technology on the network.
The most important thing to realize is that the threats are real. Attackers don’t want to be known and will utilize multiple attack vectors to access your data. Best practice for choosing security solutions is to focus on the likelihood of being compromised versus the impact to your business of the data being lost. Building security into the data handling process, rather than after the fact or around where the data sits, will save you tons of money. Including your agency’s policies in security planning is a must, and education is key to success. Users are the weakest link, so choosing solutions that are transparent to them will be the most successful. Detection is critical; this is typically a monitoring solution utilizing Security Information and Event Monitoring (SIEM) technology. Tuning out false positives and developing workflows for handling incidents will determine how successful you are at protecting what matters most … the DATA. Anti-virus/malware is only one of many attack vectors, so look past the vendors and understand your data before you drop the money on a solution.