1 Introduction
In the second decade of the 2000s, malware remains a key threat to standalone computers, businesses, government agencies, and all networked computing environments.
Malware today is more diverse than ever. Historically, the starting point was file-based malware, which was often delivered piggyback when software was sold or exchanged on floppy disks. Comparable threat scenarios still exist today with removable storage media such as USB sticks or portable hard disks. With the widespread adoption of e-mail, whose original conceptual security weaknesses have in many cases still not been overcome, e-mail has become the most important vector for the spread of computer viruses.
Network worms are specialized programs that spread malware over networks without users having to open files or e-mail attachments. This software, created by malicious actors, traverses networks from one host to the next by compromising services that accept connections on well-known, published and inadequately protected network ports (TCP or UDP).
But the end user also remains at the center of a multitude of malware attacks. Unfortunately, it is still the case that careless and overly trusting users can be induced to interact with malware and thereby easily infect their workstations or entire networks. This can happen, for example, by placing malware on high-traffic websites, by sending links to fake websites that look legitimate, by compromising frequently used applications, by packing malicious executables into otherwise harmless-looking data, by using macros in Office documents, and so on.
In recent years, the ransomware phenomenon has gained importance as a result. Ransomware is a special subspecies of malware that encrypts user files and instructs the user to anonymously pay the malware author a ransom, usually in Bitcoin, for the decryption keys. This type of attack is frequently delivered through Office documents with malicious macros. (Beyond technical solutions, the best advice for end users and companies here can only be not to pay the ransom: the authors do not always provide the decryption keys, and future bad behavior should not be encouraged by compensating the programmers for their fraudulent efforts. Isolated, regular backups are once again a central protective measure here.)
More recently still, we have seen yet another phase in the development of malware. The perpetrators innovate by using the tried and tested distribution technology of worms, or even the update mechanism of legitimate software, to deliver ransomware. With the Petya/NotPetya attack, we have seen a type of malware that mimics ransomware but whose goal is to irretrievably destroy data.
The goals of attackers thus range from individual spying and industrial espionage to blackmail, hacktivism and pure vandalism. Accordingly, the circle of potential attackers is also large and includes not only hacktivists, fraudsters and industrial spies, but also actors supported by government sponsors with hostile intentions.
Individuals and businesses today have a growing choice of anti-malware software for endpoints. The earliest antivirus programs were built by vendors collecting virus samples and creating signature files that could detect a defined set of virus patterns. This approach is still relevant today, and customers of such solutions usually receive signature file updates several times a day.
Malware has become much more sophisticated and often uses polymorphic techniques to change its appearance, so signature-based scanning alone is today only of limited effectiveness as a malware defense. In the endpoint security market, most vendors have added new detection capabilities to help prevent malware infections more efficiently and effectively.
An interesting and still innovative approach is the one implemented in the product line presented in this Executive View document. Based on virtualization technology, temporary virtual hardware environments are created whose goal is to isolate and analyze endpoint threats such as viruses, malware, ransomware and adware without releasing them into the user's real runtime environment. Processes are identified on the basis of rules and intelligent decision-making mechanisms, or when deviations from normal or expected behavior patterns are detected; in these cases the processes are started transparently in an isolated runtime environment.
To achieve this, specialized virtual machines are created, for example for running a browser or an instance of Microsoft Word or Excel, each of which is given its own rudimentary, one-time operating system environment. The virtualization layer has no connection to the user's actual session and system environment, but the user can interact with the isolated environment as if in a test tube. Furthermore, this environment can transmit valuable analysis results to the client and management components for later stages.