As part of my job, I manage an incident response team that was engaged by a significant organization in Georgia whose network was infected by the QBOT (a.k.a. QAKBOT) malware. The customer had been infected for over a year, several teams before ours had failed to solve the problem, and they continued to get reinfected by the malware when they thought they had eradicated it. Over time it had spread to more than 1,000 computers in their ecosystem stealing user credentials along the way. Malware is a real problem for businesses and consumers, but how many people really understand what it is? I was recently asked this same basic question and realized that even my answer as a security subject matter expert was not as clear as it could have been. So, I thought it was time to put together this article to answer not only what malware is, but what it does, how to eradicate it and what are the best practices to remain secure.

To begin with, malware is a generic industry term that refers to malicious software designed to do harm to computer systems. Many people use the terms malware and computer virus interchangeably but technically that would be incorrect. The three most common categories malware falls into are viruses, worms and trojans. Ransomware, a specific type of malware, can result from any of these three malware categories’ but typically is the result of a trojan. A computer virus is a malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code. Computer viruses typically need a human to execute them for a computer system to get infected. A computer worm is a malicious software whose primary function is to infect other computers while remaining active on infected systems. A computer worm is a self-replicating malware that duplicates itself (without human interaction) to spread to uninfected computers and it does not need to attach itself to another program in order to cause damage. Lastly, a trojan is malicious software that looks legitimate but can take control of your computer. A trojan is designed to damage, disrupt, steal, or in general inflict some other harmful action on your data or network, much like other types of malware. The QBOT malware I referenced earlier is somewhat unique in that it is defined as both a trojan and a worm. It is self-replicating, spreading to other computers on its own, steals user credentials and in this case disrupted the customer’s active directory environment on their network.

Malware can infect your computer in a number of ways. The most common ones are the opening of an infected email attachment, connecting to an infected data source (e.g. thumb drive, network drive, etc.) and going to an infected website. According to Google, they identify and blacklist thousands of unsafe websites every week, which contain some sort of malicious software dangerous to their visitors (Google Transparency Report). It is estimated that nearly three-quarters of all websites have at least one vulnerability. Infected websites can have automatic malware downloads referred to as “drive-by-downloads”, exploit kits that search your computer for unpatched vulnerabilities, JavaScript infections that download malicious software your browser then executes, URL injections commonly embedded inside of compromised WordPress blog sites or browser hijacks that constantly redirect you to other pages, collect personal information, or act as gateways to rootkits. This issue has even impacted well known and reputable websites due to their advertiser’s and included 3rd party content that became compromised without their knowledge. The truly dangerous stuff and luckily less common today either happens before you receive your device somewhere in the supply chain or infects your machine at a level prior to your operating system loading. Some of the newest malware are known to infect your computer’s BIOS or mobile device’s bootloader.

Once infected, the malware is likely to spread through email, file sharing or your network to other workstations, servers, mobile devices or less protected devices like copiers and printers. Imagine everything you copy or print becoming available for sale on the internet. If connected to a network it can take advantage of existing file-transport or information-transport capabilities on the system itself, allowing it to travel unaided. If it can’t find the mode of transport it wants, advanced malware is able to download additional post-exploitation modules to gain access to additional tools of the trade. Don’t be surprised if you see malware utilizing older protocols like NetBIOS, which for today’s operating systems is only used for file or printer sharing on a local area network. Once the new device is infected it doesn’t always require human intervention to activate or launch the malware, many times simply exploiting a vulnerability on the target system. When on a file share, like a network drive, malware will typically infect files (e.g. MS Word or Excel) which it knows a human will eventually launch, activating hidden macros it has infected them with to perform its malicious intent.

To eradicate malware from your environment most incident response teams will implement a multi-step process but all of them should include some type of detection, analysis, containment, mitigation and lessons-learned to be applied after the incident. Our customer in Georgia failed to eliminate their malware issues prior to our involvement, by failing to properly perform two of these steps. They were unable to properly detect the QBOT malware due a lack of internal monitoring capabilities and its self-mutating nature rendering their signature-based tools completely ineffective. They also failed to contain the outbreak allowing it to reinfect systems immediately following their cleaning. There are no shortcuts. Each step in your incident response team’s playbook will be important. Even basic things like changing access credentials and patching software are critical steps in your remediation plan.

If our customer in Georgia had properly segmented their network, it would have eliminated the propagation of exploits to a single segment and the malware’s ability to laterally move around the network. Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer communications) creates serious vulnerabilities, and can allow malware to easily spread to multiple systems. If malware can establish an effective “beach head” within your network, and then spread to create backdoors to maintain persistence, it will be difficult for defenders to contain and eradicate it. Monitoring for this lateral network traffic and external communications with command and control servers can identify a large majority of malware infections on a network.

Best practices to avoid getting infected by malware and reducing the impact if you do become infected include development of pre-establish security policies & procedures, companywide staff training, constant backups, consistent software vulnerability patching, use of a behavioral-based endpoint protection platform (EPP), proper network segmentation, encryption of data, effective monitoring of network traffic and security alerts, implementation of least-privilege based access rights for users, accounts, and computing processes and finally network edge-based protections (e.g. UTM, NGF, DNS, etc.) to block access to malicious sites and exfiltration of data. If you are not utilizing any of these best practice items I highly recommend contacting a qualified vendor to help. The risk is real and after the Target breach in 2013, it is widely recognized that all levels of management can now be held accountable for cybersecurity breaches.