Contain the next malware outbreak and learn how endpoint vaccination works magic in your incident response.

In May of 2017, thousands of people across the world logged onto their computers to see the now infamous WannaCry ransomware popup screen demanding payment in Bitcoin. The infection ran rampant across the globe, eventually affecting over 200,000 systems.

Many malware developers continuously create new evasive attack methods to minimize the chances of being caught. By having the malicious program leave infection markers on already infected endpoints, attackers ensure they don’t infect the same system twice, minimizing the risk of operational issues and detection.

In fact, malware is often designed to avoid re-infecting the same endpoint twice for a number of reasons, including performance issues, inconsistent functionality, system stability issues, and version tracking. This characteristic gives defenders an opportunity to employ the principle of malware endpoint vaccination, which can effectively contain many types of malware outbreaks.

An infection marker acts as a sort of digital flag, such as a particular process name, registry key, or mutex that the malware leaves on the endpoint to signal its presence. If the malware detects its marker on the host, it will assume that it’s already active on the machine and won’t attempt to re-infect the system.

The good news is that more and more malware families, including the high-profile outbreaks such as WannaCry and NotPetya, are using infection markers to mark victims’ systems and avoid double-infections.

How Does Malware Vaccination Work?

Malware vaccination is a technique that exploits the characteristics of infection markers to contain malware outbreaks.

The idea behind vaccination is simple. By simulating infection markers across endpoints, enterprises can deceive the malware into believing that the endpoint is already infected, resulting in the malicious program automatically terminating its execution.

Until recently, the implementation of malware vaccination mechanisms was complicated and often impractical. Actually generating infection markers clutters the endpoints, interferes with user experience, impacts system performance, and conflicts with security tools. The key to making vaccination practical in a real-world enterprise setting lies in simulating infection markers, as opposed to actually generating them. Simulating these markers has the same deterrent effect on malware as real markers, but because it’s only a simulation, it doesn’t consume system resources.

Spora is another example of a malware family that can be controlled by vaccination. Variants of Spora and similar malware families create a dynamic mutex which can change between systems. Spora’s mutex is comprised of the letter “m” concatenated with the volume serial number. This mutex was used across all Spora variants, meaning vaccinating endpoints against the first “generation” of Spora immunized the endpoint against all its successors.

Thinking Beyond IOCs

Enterprise defenders are now accustomed to obtaining or generating indicators of compromise (IOCs) to look for infected systems and adversarial activity within the organization. While such an approach is an essential part of incident response, it is still a reactive approach to security. The concept of malware vaccination suggests that a subset of IOCs could be used as a preventative measure, allowing enterprises to avoid infections and stopping the corresponding malware variants from spreading across the enterprise.

To employ vaccines, the organization needs to obtain the infection marker data, which is sometimes available from the same threat intelligence sources that provide IOC data. Infection markers’ information is also often shared within the cyber security community.

When responding to a localized malware incident, infection markers can be distilled from malware sandbox environments and manual analysis, requiring inputs from the internal incident response (IR) teams. To facilitate this process, Minerva developed an open-source tool called Mystique that automatically extracts mutex infection markers.

Getting Vaccinated Today

Minerva Labs’ Anti-Evasion Platform offers a practical way of distributing vaccines without inconveniencing users, slowing down systems, or damaging legitimate applications.

The strength of this approach relies on its unique ability to simulate, rather than actually generate, the infection markers. It enables enterprises to prevent infections even when the attack has successfully evaded the organization’s existing security solutions.

Malware vaccination can play a powerful role in stopping the spread of malware outbreaks to help incident response teams gain control over the attack and clean malware infested networks. Read more about the real-life use of Minerva Labs and how it helped the incident response team at Cybersecurity Services firm BlueVoyant, contain and clean up an infection that made its way onto 1,400 endpoints 60-70% faster than previous methods used.