Malware Defense Part 1: Identify the Attack

This is part of the THiNC.technology blog series. THiNC.technology is located in East Lansing, MI and develops custom software including mobile apps and websites. Today’s topic specifically covers the malicious attack types most commonly found.

So how many of us have had THIS problem? You wake up one morning and try to load your website and...

...it’s been hacked!

And if you’re like most of us, you have no idea how it happened. All you can think about is what horrible things they may be doing on your website. Is your information secure? Are they infecting your users with malware? Did they steal anything? Did they hold your information and content for ransom?

Well over the years of fixing hacks and thwarting dastardly ne’er-do-wells, we have come up with some signs for identifying what type of attack you are facing. Then, in part two of this series, we’ll address your possible action steps: Tracking them down and stopping them.

First of all, let’s acknowledge the elephant in the room. You’ve been hacked. It’s probably no solace to you now, but it happens all the time and it’s nothing personal (usually). There is no software written by one person that can’t be hacked by another. If they want to get in badly enough, they’ll most likely find a way. Most of the time the hackers are lazy: they usually have a “modus operandi” (method of operation), and they leave some tell-tale signs.

There are many different kinds of hacks

There is an army of hackers trying to exploit your website and all your developer’s hard work. They’ll try to inject scripts into your website (to get it to redirect, download malware to infect more machines, etc.). They’ll try to “listen” to the information being provided by your website (key loggers and sniffers to get transaction information, usernames, passwords, etc.). They’ll even try to take your website down by flooding it with requests (DDoS, or Distributed Denial of Service attacks), and they will try to hold your content for ransom (ransomware).

Script Injections

Each of the different types of hacks comes with signs we look for to identify and defeat them. This is not an exhaustive list, nor is it prudent to publish all of the tricks we use to defeat hackers. The vast majority of hackers use code injection scripts to do their bidding. The hacker will usually first write a program to search known websites for specific vulnerabilities. For example, let’s say they find out that the login script of an old plugin for an older WordPress website has a vulnerability. They’ll write the script to identify the sites running that technology. Then, once they have that list, they’ll turn on another program (script) that attempts to force entry, or to force the site to save their content into your database. The next user who accesses that content will be exposed to it.

These are usually multi-functional malicious attacks with several components. In the last year to 18 months, we’ve seen an increasing level of sophistication with these hacks. Some even check their infected files for changes (anticipating that you will delete or change content, or change permissions to thwart them) and then revert the files back to their infected version.

Hackers don’t build things; they strive to tear things down. Hackers are lazy. They want to find the lowest common denominator to attack, and they prefer it if they can automate it. That’s why it’s important to keep your site up to date, and the plugins updated. (We’ll talk about updating in another post.) Most of the time we see an SQL injection or “script attack” where they place code to change the intent of the page. For example, you may open a comment and find that it has redirected you from the page you intended to one selling Viagra. Or, if they don’t redirect you, they’ll at least post content with links in the hope that no one deletes their entry. Injections are usually lower on the panic scale and usually aren’t hard to track down and delete. And these are almost always automated, so the hacker fires the script and forgets about it.
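As an added example (not THiNC’s own tooling), here is a small scanner that looks through exported comments or posts for the signs of an injection described above: injected script tags, forced redirects, and link spam. The sample entries are constructed, and the patterns and the link-spam threshold are assumptions you would tune for your own site.

```python
"""Flag stored-content injections in exported comments/posts (added example)."""
import re

# Signs of an injected entry, as described in the post (constructed patterns).
SIGNS = {
    "script_tag": re.compile(r"<script\b", re.I),
    "remote_iframe": re.compile(r"<iframe\b[^>]*\bsrc\s*=", re.I),
    "meta_redirect": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I),
    "js_redirect": re.compile(r"(?:window\.)?location(?:\.href)?\s*=", re.I),
    "obfuscated_js": re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.I),
}
LINK_RE = re.compile(r"<a\b[^>]*\bhref\s*=", re.I)
MAX_LINKS = 3  # assumption: more links than this in one comment is link spam


def scan_entry(entry):
    """Return the list of injection signs found in one entry's body."""
    body = entry["body"]
    reasons = [name for name, rx in SIGNS.items() if rx.search(body)]
    if len(LINK_RE.findall(body)) > MAX_LINKS:
        reasons.append("link_spam")
    return reasons


def scan_entries(entries):
    """Map entry id -> reasons, for every entry that looks injected."""
    flagged = {}
    for entry in entries:
        reasons = scan_entry(entry)
        if reasons:
            flagged[entry["id"]] = reasons
    return flagged


# Constructed sample export; entries 3, 4 and 5 are the injected ones.
SAMPLE = [
    {"id": 1, "body": "Great article, thanks for the <b>tips</b>!"},
    {"id": 2, "body": 'See <a href="https://example.com/docs">the docs</a>.'},
    {"id": 3, "body": '<script src="http://malicious.example/x.js"></script>'},
    {"id": 4, "body": '<meta http-equiv="refresh" content="0;url=http://spam.example">'},
    {"id": 5, "body": " ".join('<a href="http://pills.example/%d">buy</a>' % i for i in range(6))},
]

if __name__ == "__main__":
    for cid, reasons in scan_entries(SAMPLE).items():
        print(f"comment {cid}: {', '.join(reasons)}")
```

Run it over a database export of `wp_comments` or `wp_posts` bodies instead of `SAMPLE` to get a short list of entries to review and delete.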

Loggers & Sniffers

Key-loggers and sniffers are much more devious. In our experience these are usually associated with a live person who has accessed your website. It could be that someone in your organization clicked link-bait, after which the hacker installed a malicious script to spy on you. It could be that someone with a weak password allowed the attacker to sneak in. These are usually the most damaging types of web attacks, in that they can harvest the information you store in your database. That means personal data, credit cards, financial status, and even health history.

In our experience, this is usually done by an organized group and not just a lone-wolf actor. Getting a website to publish a script selling a hacker’s illegal pharmaceuticals is far less effort than getting a program to install on a machine. The program also has to be transmittable via the browser, and then log and transmit whatever is typed on the user’s computer or into the website (front and back end).

Key loggers track what you type into the website, and sniffers try to intercept data as it’s transmitted, looking for clues to hacks and operational deficiencies they can exploit. Both are pretty nasty and can obviously do a lot of damage.

If they can get in, they can take full control of the website and can even record everything you type or do (even offline). This is usually what has happened when you hear of a hack in a news report, typically about stolen credit card information or identities.

DOS Attacks

Denial of Service attacks have many versions and tactics. This type of attack doesn’t try to force its way in; instead it tries to tie up the server with so many requests for the web page that the whole thing crashes. These attacks are dedicated to bringing your site down. They send dummy traffic that overloads your server and makes it unavailable. Sometimes this is easy to stop once it starts, since it may come from one place and target one specific function. Sometimes they’ll use a Distributed Denial of Service attack, which sends traffic to your site from random places, making the source very hard to single out. By the time you’ve blocked one IP address, they’ll be on to another.

These take websites down until they can recover from the load and reject the malicious requests. You have probably heard about this in the news when a “site was taken down.” Anonymous likes to do this, as do terrorist groups. Some foreign actors/states will operate using this type of attack. DDoS attacks happen to everyone, and every day there will be some type of attempt on a major website.
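As an added example (not THiNC’s own tooling), here is a quick way to tell the two cases above apart from an access log: count requests per client IP and see whether the load is concentrated on one address (easy to block) or spread across many (the distributed case). The log lines are constructed in the common log format, and the `threshold` and `top_share` cut-offs are assumptions to tune for your own traffic.

```python
"""Tell a single-source flood from a distributed one (added example)."""
import re
from collections import Counter

# Common log format: client IP, identity, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')


def requests_per_ip(lines):
    """Count requests by client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def classify_flood(counts, threshold=20, top_share=0.5):
    """'normal' below the request threshold; otherwise 'single-source' when one
    IP sends at least top_share of the traffic, else 'distributed'."""
    total = sum(counts.values())
    if total < threshold:
        return "normal"
    _top_ip, top_count = counts.most_common(1)[0]
    return "single-source" if top_count / total >= top_share else "distributed"


# Constructed samples (RFC 5737 documentation addresses, not real hosts):
# one address hammering the login page, plus a little normal traffic ...
SINGLE = ['203.0.113.7 - - [10/Oct/2016:13:55:%02d -0400] "POST /wp-login.php HTTP/1.1" 200 512'
          % (i % 60) for i in range(40)]
SINGLE += ['198.51.100.%d - - [10/Oct/2016:13:55:10 -0400] "GET / HTTP/1.1" 200 2048'
           % i for i in range(1, 6)]
# ... versus the same volume spread over forty different addresses.
DISTRIBUTED = ['192.0.2.%d - - [10/Oct/2016:14:01:00 -0400] "GET /?s=%d HTTP/1.1" 200 2048'
               % (i, i) for i in range(1, 41)]

if __name__ == "__main__":
    for name, lines in (("single", SINGLE), ("distributed", DISTRIBUTED)):
        counts = requests_per_ip(lines)
        print(name, classify_flood(counts), counts.most_common(3))
```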

Ransomware

This type of software is a new one, and as such has gotten quite a bit of publicity lately. What happens with ransomware is that someone gets access to your files, then changes all the permissions on the files, or downloads them and deletes them from your server. After that they send you a message ransoming your content for money.

This has been all over the news as of late: a hospital in Kansas was attacked with one of these malicious hacks, and a public utility in Michigan was crippled by another attack, this one in my own backyard. They usually get access by tricking an employee into clicking a fake link that is actually an installation link, or by guessing passwords. Police departments have been victims of ransomware themselves; it knows no bounds.

And even if you comply and send the money, they may hit you up for more. That has been a trend lately: hackers taking the money and not releasing the site. If they have your site, there is little you can do. (We’ll discuss what to do in the next blog.)

Identifying the type of attack is important for determining the best course of action. Not all malware is the same, even though some kinds are very similar. At THiNC.technology we handle emergency support requests on a daily basis from our clients and from others who are infected. No two are ever the same, but we have come up with several steps to track down the code on a website, and we’ll share those with you in the next blog.