Blog :: Security Operations

Protecting Yourself from Hidden Malware

malware as trap

Much advice about avoiding malware revolves around only clicking links from trusted sources. Unfortunately, it gets harder all the time to determine who and what is a trusted source. Malware is more insidious than ever. Below, I’ve found some recent instances where malware was tricky to spot, and even nearly impossible to prevent.


I came across this tweet from Lukas Stefanko the other day:

Pictured are two apps from the Google Play store, both called Instagram. Both use the very well-known Instagram logo, the same screenshots, and the same description. Even the star ratings are similar.

Luckily, however, there are some easy tells. The official Instagram app has over 50,000,000 downloads and an “Editor’s Choice” status. But these elements are small and out of the way. It’s likely that many people will be satisfied by seeing the large logo and description screenshots, then proceeding to download the bad app.

Turning your friends against you

Do you trust emails from people you know well? You may have to rethink that mindset.

Ransomware is already infuriating to deal with, but a recent form of it is particularly nasty. Dubbed PopcornTime, it offers victims a choice: pay the ransom, or choose to send the ransomware to friends. If the victim doesn’t mind dissolving a couple of friendships, they can get their files decrypted for free if they infect at least two friends who pay the ransom.

Start examining links and files received from your friends more carefully. Even better, maintain regular backups so that you don’t have to make the choice between paying a ransom and spreading this ransomware.

It's hard not to let hidden malware trap you

Hidden malware from legitimate organizations

Earlier this month, it was revealed that hackers had breached Equifax, one of the major credit bureaus, and stolen the personal information of half the US population.

Equifax set up a website for users to check whether they were one of the victims of the breach. Notably, this website had a different domain—“equifaxsecurity2017”—than Equifax’s main website.

Unfortunately, when Equifax tweeted several times about the verification website, it accidentally switched around the words that made up the domain name. Thankfully, this website wasn’t malicious. Full-stack developer Nick Sweeting had set it up to expose the vulnerabilities that existed in Equifax’s response page. He said, “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on].”

This shows that you shouldn’t assume a link is safe, even if an official and/or trusted organization provides it. If it’s not a domain you’re very familiar with, be wary.

Infection without clicking

The risks above all require some sort of user interaction. But Armis Labs recently revealed a new attack vector endangering major mobile, desktop, and IOT operating systems—anything that has Bluetooth enabled. They dubbed the new vector “BlueBorne,” as it spreads through the air and attacks via Bluetooth.

BlueBorne does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Furthermore, the attack can bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Even air gapped networks are vulnerable to this threat.

Most concerning is that the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

The defense against hidden malware

These threats clearly indicate that it’s becoming harder and harder to determine trusted sources, and even that you may be infected without doing anything wrong. Now it’s crucial to expect an infection.

What you can do to protect yourself and your network is know how to detect insidious malware and respond to it. We prefer to gain full visibility into networks with network traffic analytics; you can read more about it in our blog about Network Incident Response with NetFlow and Metadata.