Posted on November 4, 2021 at 5:24 PM
Recent reports reveal that more researchers are scanning the internet to discover vulnerable servers and software. Marc-Etienne Léveillé, senior malware researcher at ESET, explained how the company built its own scanning capability to support the analysis of infected servers and vulnerable software. He was speaking at the SecTor security conference held in Toronto.
According to Léveillé, ESET analyzed the Kobalos malware late last year and found something unusual: a two-step scan could identify compromised systems, and the company set about notifying the organizations that had been affected.
Although internet scanning programs are common, Léveillé pointed out that threat actors can just as easily survey the entire internet for vulnerable networks. This gives attackers more opportunities to decide where to launch their next attacks.
“We are frequently faced with a single malware sample that we don’t have a lot of context around,” he noted, adding that ESET does not know which industries the actors have targeted so far. To make matters worse, the lack of telemetry from non-Windows systems leaves hackers more room to exploit servers online unnoticed.
More Organizations Scan The Web For Malware
Several universities and organizations routinely scan the internet to detect vulnerable or misconfigured software.
Many companies use Shodan, a device search engine, to look for open ports and exposed vulnerable services on the public internet. Other tools include Censys, a startup spun out of the University of Michigan, and Rapid7’s Project Sonar. These tools are used to build a map of the rapidly changing Internet of Things (IoT).
Apart from the University of Michigan, creator of the ZMap tool, other institutions have their own tooling. The University of Pennsylvania and the University of Chicago are among the institutions that scan the internet for research purposes.
But, according to Léveillé, these public services are not flexible enough for the specific needs of malware analysis.
He said ESET had previously relied on Shodan and Censys, but built its own scanner so it would no longer have to ask them each time it wanted to run a new scan. Because internet scanning is something ESET does regularly, the company wanted to be independent.
ESET Provides A More Focused Malware Scanning System
Léveillé added that ESET’s system lets the firm run scans with tailor-made modules that locate malware speaking nonstandard protocols.
Since last year, ESET has used this scanning system to comb the internet for malware. Its researchers have used it to identify particular malware families, including Kobalos, a backdoor affecting Linux servers, earlier this year. ESET also published a detailed report on a malware campaign involving multiple backdoors for Microsoft’s Internet Information Services (IIS).
Léveillé stressed that ESET’s scanning is narrowly focused. Other organizations use their internet scanners to find misconfigurations, open ports, and particular devices. ESET does not scan on a fixed schedule; instead, the team scans and fingerprints for malware command-and-control servers and attributes the IP addresses it finds to a particular threat group. Because the target is so specific, the whole process is much easier to automate, and Léveillé noted that each scan enriches the firm’s existing dataset for future work.
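To make the idea of a tailor-made probe module concrete, here is an added example of the approach (this is not ESET’s scanner, and nothing here describes Kobalos or any real implant). The protocol is entirely constructed for illustration: a hypothetical backdoor that answers a 4-byte client hello with a fixed magic value, a version byte and a 16-byte session token. A probe module pairs the bytes to send with a matcher that turns the reply into a verdict; generic services that echo, reject or close the connection fingerprint as nothing, which is exactly the property that keeps a C2 scan from drowning in false positives. The module names, constants and the local listener are all assumptions made for the example.

```python
"""Minimal probe-module scanner for fingerprinting a custom C2 protocol.

Added example, not ESET's scanner. The 'protocol' below is entirely
constructed for illustration: a hypothetical backdoor that, on receiving
a 4-byte client hello, replies with a fixed magic value, a version byte
and a 16-byte session token. Real fingerprints come from reverse
engineering the actual implant.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Callable, Optional

# --- constructed protocol constants (hypothetical, for the example only) ---
CLIENT_HELLO = b"\x13\x37\x00\x01"   # what the fake implant's real client would send
SERVER_MAGIC = b"\xca\xfe\xba\xbe"   # fixed prefix the fake implant always answers with
EXPECTED_VERSIONS = {0x01, 0x02}     # versions we have samples for


@dataclass
class ProbeModule:
    """One tailor-made probe: what to send and how to recognise the answer."""
    name: str
    request: bytes
    matcher: Callable[[bytes], Optional[str]]   # returns a verdict or None


def match_fake_c2(response: bytes) -> Optional[str]:
    """Fingerprint the constructed C2 handshake.

    Layout (constructed): 4-byte magic | 1-byte version | 16-byte token.
    """
    if len(response) < 21 or response[:4] != SERVER_MAGIC:
        return None
    version = response[4]
    if version not in EXPECTED_VERSIONS:
        return f"fake-c2 (magic matched, unknown version {version:#x})"
    return f"fake-c2 v{version}"


FAKE_C2_MODULE = ProbeModule("fake-c2", CLIENT_HELLO, match_fake_c2)


def probe(host: str, port: int, module: ProbeModule, timeout: float = 3.0) -> Optional[str]:
    """Send the module's request and classify what comes back.

    Returns the matcher's verdict, or None for timeouts, refusals and
    responses that do not fingerprint. A generic service that echoes or
    closes the connection also yields None, which is what we want.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(module.request)
            chunks = []
            while len(b"".join(chunks)) < 64:   # cap the read; we only need the header
                chunk = s.recv(64)
                if not chunk:
                    break
                chunks.append(chunk)
    except (OSError, socket.timeout):
        return None
    return module.matcher(b"".join(chunks))


def serve_fake_c2(version: int = 0x01) -> int:
    """Start a local listener that behaves like the constructed implant.

    Used only so the example runs offline; returns the bound port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(4) == CLIENT_HELLO:
                conn.sendall(SERVER_MAGIC + bytes([version]) + b"\x00" * 16)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_fake_c2()
    print(probe("127.0.0.1", port, FAKE_C2_MODULE))   # fake-c2 v1
```

The design point is that the matcher requires both the magic prefix and a sane length before it says anything, and it distinguishes a known implant version from an unknown one rather than collapsing both into a bare "match"; that second verdict is how a scan surfaces new variants worth pulling samples for. Sending probes to hosts you do not own or have written authorization to test is a legal matter, not a technical one, so keep modules like this pointed at your own infrastructure or a scan program you are authorized to run.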
More Organizations Launch Surveys For Malware
ESET and other organizations have stepped up their efforts to scan the internet for malware and vulnerable servers.
According to a recent analysis by Palo Alto Networks, some organizations now take only minutes after a vulnerability disclosure to scan their own systems and find out whether they are exposed. That shows how far these organizations have come in securing their systems.
But while defenders scan to protect their systems, threat actors scan to find out which systems they can exploit, and they have become better and faster at it over the years. As a result, ESET says organizations need a stricter security regimen to make sure their servers are harder to compromise.
The security firm noted that vulnerabilities cannot always be avoided, but defensive measures should be in place to keep threat actors from getting inside the system once one exists.
“In the past five years, attackers have perfected techniques that scale at speed,” Léveillé noted. He added that organizations should understand that scanning is usually the first step threat actors take when attacking internet-facing devices. Organizations should therefore scan their own exposure more frequently, to find bugs before threat actors do.