Malware is software designed to damage or take control of a computer, server, client, or network. Types of malware include viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wipers, and scareware.
After a device is infected with malware, it often communicates with a command and control (C&C) service on the internet. This service allows the malware to register the infected device and receive instructions from the malware's operators. These instructions could cause the device to delete or encrypt its data stores, participate in distributed denial-of-service (DDoS) attacks, or perform a range of other malicious actions.
Because of malware's potential for significant damage, malware findings have high impact on your scorecard rating.
Remediating Malware Issues
One challenge with remediating malware issues on your scorecard is that the information most useful for locating the infected host, such as the destination IP it contacted, is not always available. We typically avoid exposing destination IP data to prevent compromise of our scanning, sinkhole, and honeypot infrastructure.
Because our findings are based on externally facing, public information gathered non-intrusively, they are meant to raise a flag and spark an internal investigation rather than pinpoint a specific host.
To understand how SecurityScorecard collects malware signals, you may find it helpful to learn about our scanning process.
Investigative actions that can help you remediate malware issues include the following:
- Look for outbound communication on unlikely ports. Port use varies between networks, but connections to ports in the 4000 range are typically abnormal and could point to malicious activity. Treat an unusual port on its own as a lead to correlate with other evidence, not as proof of infection.
- Look for communication from a public IP in your digital footprint to a sinkhole. An infected host behind NAT will show the sinkhole address as its destination in your firewall, proxy, or flow logs.
- Research the particular malware family to understand how it propagates and what specific assets it is likely to target.
- Identify the computers in your digital footprint that connected to the domain named in the finding.
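The investigative steps above amount to correlating a finding against your own outbound connection logs. The script below is an added example, not code from the SecurityScorecard article: it parses a constructed, simplified connection log, flags connections to the domain named in a finding, to a sinkhole range, and to ports in the 4000 range, and ranks internal hosts by how many indicators they match. The domain, the sinkhole range, the internal network range, and the log format are all hypothetical placeholders you would replace with the values from your finding and your own log source.

```python
"""Triage a malware finding against outbound connection logs.

Added example, not part of the SecurityScorecard article. The log format,
the sinkhole range, the infected domain, and every address below are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample log: one outbound connection per line, space-separated:
# timestamp src_ip dst_ip dst_port dns_name ("-" when no name was resolved)
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.4.17 93.184.216.34 443 www.example.com
2024-05-01T10:00:05Z 10.0.4.17 198.51.100.23 4081 -
2024-05-01T10:00:09Z 10.0.7.2 203.0.113.45 443 bad-updates.example.net
2024-05-01T10:01:12Z 10.0.4.17 203.0.113.45 80 bad-updates.example.net
2024-05-01T10:01:40Z 10.0.9.9 198.51.100.23 443 -
2024-05-01T10:02:03Z 10.0.2.8 192.0.2.77 4040 -
2024-05-01T10:02:55Z 10.0.2.8 8.8.8.8 53 -
"""

# Hypothetical inputs a responder fills in from the finding and from threat
# intelligence; none of these values are real indicators.
INFECTED_DOMAINS = {"bad-updates.example.net"}   # domain named in the finding
SINKHOLE_NETS = [ip_network("198.51.100.0/24")]  # known sinkhole range (assumed)
INTERNAL_NETS = [ip_network("10.0.0.0/8")]       # your internal address space
ODD_PORT_RANGE = range(4000, 5000)               # the "4000 range" from the article


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    name: str


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, name = parts
        conns.append(Conn(ts, src, dst, int(dport), name))
    return conns


def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def triage(conns):
    """Return {internal_host: {indicator: [Conn, ...]}} for suspicious outbound connections."""
    hits = defaultdict(lambda: defaultdict(list))
    for c in conns:
        # Only outbound traffic from our own footprint is of interest.
        if not in_any(c.src, INTERNAL_NETS) or in_any(c.dst, INTERNAL_NETS):
            continue
        if c.name in INFECTED_DOMAINS:
            hits[c.src]["infected_domain"].append(c)
        if in_any(c.dst, SINKHOLE_NETS):
            hits[c.src]["sinkhole"].append(c)
        if c.dport in ODD_PORT_RANGE:
            hits[c.src]["odd_port"].append(c)
    return {host: dict(ind) for host, ind in hits.items()}


def rank_hosts(hits):
    """Hosts matching the strongest or most indicators first.

    An odd destination port alone is weak evidence, so it is weighted low;
    a sinkhole or the finding's own domain is weighted high.
    """
    weight = {"infected_domain": 3, "sinkhole": 3, "odd_port": 1}
    scored = {host: sum(weight[i] for i in ind) for host, ind in hits.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for host, score in rank_hosts(result):
        print(f"{host} score={score} indicators={sorted(result[host])}")
```

Run against the constructed sample, 10.0.4.17 surfaces first because it matched all three indicators, while 10.0.2.8 (a single connection to port 4040) sits at the bottom as a lead to verify rather than a confirmed infection. In a real investigation you would feed the same logic with proxy, firewall, or flow logs covering the time window of the finding and with the domain and malware family it names.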
Refuting Malware Findings
You can refute malware findings under the following circumstances (see Issue Resolution Process):
- If the findings come from a guest network, open a refute to resolve them and leave a note describing your compensating controls. The guest network must be completely segregated from your production network. In the "Resolution" dropdown, select "I have a compensating control" and provide that evidence.
- If you conducted an internal scan, remediated the issue, and can no longer reproduce the finding, select "I have fixed this".
- If you think the finding is not legitimate and you cannot reproduce it, select "I cannot reproduce this issue and I think it's incorrect".
- If the asset related to the finding is not owned by your organization, select "This is not my IP or domain". In this case it may be more efficient to apply to have the asset or range of assets removed from your digital footprint as per the IP Attribution Process (Digital Footprint Mapping).