Malware Mousetrap – how to catch a hi-tech hacker

Technology is a beautiful thing. Every day, we’re celebrating a new innovative product and rejoicing as  technology becomes more and more accessible to people all over the world. We often forget, however, that with this progress comes even greater risks and, despite advances in antivirus software, launching a malware attack has never been easier.

[easy-tweet tweet=”Launching a malware attack has never been easier.” hashtags=”tech, cloud, malware, hacking”]

You don’t have to look far to see that malware creation is on the rise and there are new types of malware created every single day that slides under the radar of traditional antivirus programs. From adware and spyware to zombie computers and ransomware – it seems that no device is safe, and in order to protect our data, we need a lot more vigilance than simply installing an antivirus solution.

At OVH, we have been working to put the brakes on the proliferation of malware and ransomware, with the latter being especially popular over the past three years. These malicious programs infect computers and servers, encrypting their data and ransoming it from their owners, or sending it to third parties through an array of complex methods, comparable to that of offshore financing.

To catch the authors of these programs, hosting providers must get clued up and start using clever approaches, often combining computer science, reverse engineering, and some good old-fashioned police work. Here are a couple of our tried and tested methods:

Bait with cheese: malware traps and spam nets

Based on the principle of a mousetrap – baiting undesirable rodents with a piece of cheese – hosting providers can intentionally place easily hackable machines on their networks. These machines record all activity and can help gain a better understanding of how users’ servers are compromised and what purpose they serve afterward. Here at OVH, we have created and released on the web (forums, mailing-lists…) thousands of valid email addresses – and even entire domains – so that they are available to spammers. All we need to do is raise our nets on a regular basis – we analyse the emails received and those containing interesting attachments are stored, grouped and dissected. This allows us to recognise current campaigns and identify those involving servers present on OVH infrastructures.

[easy-tweet tweet=”Hosting providers can intentionally place easily hackable machines on their networks to act as ‘bait'” hashtags=”tech, cloud, malware”]

Follow the breadcrumbs: reverse-engineering

Any good hosting provider will do everything it can to stop the propagation of malicious software and the theft and sale of data through machines which are under its authority. However, there are some cases where servers distributing certain ransomware are permitted to continue to operate temporarily in order to collect evidence.

Tracking cyber-criminals is necessary, but it’s a lengthy process. Just like Hansel and Gretel, these malicious actors leave a long trail that can be traced back to the source. ISPs need to intervene and make the most of the evidence provided as quickly as possible before the URLs sent are already no longer valid, the servers involved have been returned and for the most part the malware campaign over.

One thing we do is reverse-engineer the malware that we’ve captured in our traps or that which have been sent to us by other security researchers. The goal is to adopt a proactive approach, capturing weak signals to identify new operating methods and pull the carpet from under the cybercriminals’ feet. If we can detect malware before it can be used, it can be very offputting to them.There have been numerous occasions where we managed to understand how the hacked servers were configured to do harm and were, therefore, able to cut them off before they were even used. After that, we never saw this strain of malware return to us again.

Food for thought: educate users

Finally, on the education front, there is work to be done. Often the cause of infection or invasion is down to human error – or at least a lack of vigilance. When it comes to PCs, e-mail still proves to be the biggest point of contamination. Whether through malicious banner ads (malvertising) or the exploitation of software vulnerabilities (exploit kits). Regarding the servers, there are two types of offending administrators: those who leave the key in the door – i.e using very simple passwords, and those who leave the windows open – i.e forgetting to update the programs they use to the latest versions. Hackers are people like everyone else, they are concerned about efficiency, and with more people looking for security vulnerabilities, there are more to be found.

[easy-tweet tweet=”Often the cause of infection or invasion is down to human error” hashtags=”security, cloud, tech, malware”]

So there you have it, a few mousetraps hosting providers can set in order to identify hackers and protect both their and their customer’s data. As technology continues to advance, malware is becoming more and more of a threat, proving more dangerous than the widely feared DDoS (Distributed Denial of Service). ISPs have to start taking a proactive approach to ensure these perpetrators don’t nibble holes in their infrastructure and get away with the cheese.

Frank Denis, Security Expert, OVH

Cloud Industry Forum presents TWF! Fanny Bouton


Related articles

Securing Kubernetes in Multi-Cloud

If you want to secure Kubernetes, you have to...

How database replication keeps enterprises agile

There is a pervasive challenge confronting businesses across all...

Ethical, Compliant, Innovative AI Deployment Strategies in Cloud

Recently, government entities have been discussing AI regulation and...

Start Bridging the Cloud Skill Gap Today

In today's rapidly evolving digital landscape, cloud computing has...

How Data Fabric Helps Address Multi-Cloud Sprawl

The abundance of data facilitates good decision-making, but too...

Subscribe to our Newsletter