Whilst legacy anti-virus or anti-malware solutions may be effective against known threats, they certainly do not provide adequate protection against undisclosed attacks or zero-day exploits – amongst today’s most persistent and devastating attacks. For that you require a more proactive approach to threat detection and sanitization.
Here’s one recent example of how Votiro Secure File Gateway’s patented Content Disarm and Reconstruction (CDR) technology prevented an attack using Valyria, a particularly destructive trojan.
Setting the scene
Email attachments, in the form of documents, spreadsheets, PDFs and image files, are a common vehicle for malicious code. While some are easy to spot, attackers are becoming increasingly sophisticated in their hacking and phishing attempts.
In this particular instance, attackers disguised their identity by using a hacked email account, so the email appeared to be coming from a legitimate source. The email itself included a copy of the company logo in what was a convincing looking signature.
Timeline of events
Because the email was sent from a hacked account it bypassed the usual reputation checks carried out by the organisation’s protected email gateway. Records also show that the McAfee and Sophos tools in place were up to date.
The email included a password-protected ZIP file that contained a malicious Word document. The unwitting recipient typed in the password to access the file, triggering the phishing attempt. This all sounds very familiar, but this is also where things change. Instead of opening the infected Word document and exposing the business to the trojan attack, the document was sanitized by Votiro and the user received a harmless document.
A proactive approach
So, what was different? Votiro Secure File Gateway leverages advanced content disarm and reconstruction (CDR) technology to proactively sanitize incoming files. Its patented solution adopts a zero-tolerance approach to file content, scanning and removing anything that shouldn’t be there, returning a harmless file with 100% of the original file type functionality intact.
The key difference is that Votiro doesn’t rely upon the threat being previously disclosed to provide protection. In this instance, the malware attempt was launched just 2.5 hours after it was created. The malware was first identified by traditional anti-virus tools 6 days after the initial attack.
The Valyrian Trojan
Valyria malware (named after the indestructible Valyrian steel in Game of Thrones) contains a range of functionality that makes it particularly devastating for anyone unfortunate enough to fall victim to it. Valyria attacks are usually distributed via fake Windows updates, malicious third-party applications or weaponized attachments sent via email or social media.
Valyria is a persistent type of attack. It remains concealed within a user’s system, writing itself to the Windows start-up folder via an installer. When Windows starts, programs in the start-up folder are automatically launched, meaning the malware executes and performs its malicious activities every time the computer is turned on.
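Because the persistence described above lands in the Windows Startup folders, here is an added PowerShell check (written for this page, not Votiro's code or anything from the original post) that inventories both the per-user and all-users Startup folders, resolves shortcuts to their real targets and reports creation time and Authenticode status, so a recently added unsigned entry stands out. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with the WScript.Shell COM object available.

```powershell
# Inventory both Startup folders used for login-time persistence.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup')        # current user: ...\Start Menu\Programs\Startup
    [Environment]::GetFolderPath('CommonStartup')  # all users:    ProgramData\...\Startup
)
$shell = New-Object -ComObject WScript.Shell

$entries = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # -Force includes hidden files, a common way to keep an entry out of sight
    foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
        $target = $item.FullName
        # Resolve .lnk shortcuts so the signature check runs on the real binary, not the link
        if ($item.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($item.FullName).TargetPath
        }
        $status = if ($target -and (Test-Path -LiteralPath $target)) {
            (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
        } else { 'TargetMissing' }
        [pscustomobject]@{
            Folder    = $folder
            Item      = $item.Name
            Target    = $target
            Created   = $item.CreationTime
            Signature = $status
            # Flag anything added in the last 7 days that is not validly signed
            Suspect   = ($item.CreationTime -gt (Get-Date).AddDays(-7)) -and ($status -ne 'Valid')
        }
    }
}

$entries | Sort-Object Created -Descending | Format-Table -AutoSize
```

The `Suspect` column is a triage hint only: a missing target or an unsigned script can be legitimate, so confirm each flagged entry against the user's known software before acting on it.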