Businesses and home users alike are doing their best to stay safe in an ever-shifting world of online threats. Malware comes in all shapes and sizes, ranging from relatively benign potentially unwanted programs to data-wiping ransomware. However, there is a growing trend of malware being delivered not as an executable file but inside a document that carries the payload. Researchers with Barracuda Networks recently published a report stating that nearly 50% of all new malicious detections over the past 12 months were document files. The year-over-year increase is even more evident in the numbers for the latest three-month period - 59% for 2019 against just 41% in 2018. This amounts to a nearly 50% increase, and it is definitely something to look out for.
The payload delivered through a malicious document can be anything, from Trojans and viruses to ransomware. The malicious document itself can also be anything - an image file, an office document or a PDF invoice. Once opened, the document usually downloads the real payload from a remote site and executes it. Social engineering and spam campaigns work hand in hand to deliver the harmful payload to as many systems as possible. What can be done to counter this? The report suggests a number of approaches, all equally important.
Blacklisting IPs: Bad actors running large-scale spam campaigns often reuse the same ranges of IP addresses to launch multiple attacks, so blacklisting can work well in preventing future attacks originating from the same source. Obviously, this is mostly applicable at a larger, company-scale level and is something network admins should handle.
Implementing an anti-phishing / spam detection system: It is no secret that the majority of ransomware infections over the last couple of years happened due to human error, with employees opening the wrong file on their work computer. Having a reliable, well-designed automated system that sifts through incoming emails and scans for phishing clues can help cut down on the number of malicious emails that reach employees' mailboxes in the first place.
Anti-malware suite that has both static and dynamic analysis capabilities: Having a fully-featured anti-malware suite installed on individual computers is also a significant factor in keeping a network safe from document-based malware. Static analysis inspects the document's contents without opening it, while dynamic analysis observes what the document does when it is opened in a sandbox. A reliable anti-malware suite should be able to pinpoint and block any malicious document that runs code trying to either download or run an executable. Functionality such as heuristic analysis and obfuscation detection is also a great help in stopping a malicious document from running bad code on a system.
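The following is an added example of the static side of that analysis; it is not code from the Barracuda report or from any anti-malware product. It treats an Office Open XML document (.docx/.docm and friends) as the ZIP archive it is and looks for three indicators that a document is set up to run code or fetch something from a remote site: a VBA macro container part, relationship entries whose target is external (for example an HTTP URL), and embedded OLE objects. The sample documents are constructed in memory, the "VBA" part is a placeholder byte string rather than real macro code, and the checks are heuristic signals for triage, not a verdict; a real deployment would pair them with a full parser such as oletools and with sandbox detonation.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List, Optional

# Part names that indicate a VBA macro project is stored in the document.
MACRO_PART_NAMES = ("vbaproject.bin", "vbadata.xml")

# Relationship elements in *.rels parts; no capture groups, so findall()
# returns each whole <Relationship .../> tag.
REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Findings:
    """Static indicators collected from one document."""
    has_macros: bool = False
    external_targets: List[str] = field(default_factory=list)
    embedded_objects: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.has_macros or bool(self.external_targets) or bool(self.embedded_objects)


def scan_ooxml(data: bytes) -> Findings:
    """Inspect an OOXML document's ZIP members without rendering the document."""
    found = Findings()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            if low.rsplit("/", 1)[-1] in MACRO_PART_NAMES:
                found.has_macros = True
            if "/embeddings/" in low:
                found.embedded_objects.append(name)
            if low.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", "replace")
                for rel in REL_RE.findall(xml):
                    attrs = dict(ATTR_RE.findall(rel))
                    # TargetMode="External" marks a link outside the package,
                    # which is how remote templates and OLE links are expressed.
                    if attrs.get("TargetMode", "").lower() == "external":
                        found.external_targets.append(attrs.get("Target", ""))
    return found


def build_sample_docx(with_macro: bool, external_url: Optional[str]) -> bytes:
    """Construct a minimal, deliberately incomplete OOXML package for testing (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = ["<Relationships>"]
        if external_url:
            rels.append(
                '<Relationship Id="rId9" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                f'Target="{external_url}" TargetMode="External"/>'
            )
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_macro:
            # Placeholder bytes standing in for a real VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-not-real-vba")
    return buf.getvalue()


if __name__ == "__main__":
    benign = scan_ooxml(build_sample_docx(False, None))
    risky = scan_ooxml(build_sample_docx(True, "http://example.invalid/stage2"))
    print("benign suspicious:", benign.suspicious)
    print("risky suspicious:", risky.suspicious, risky)
```

A mail gateway or endpoint agent would run a check like this on every attachment before it reaches a mailbox and either quarantine the file or hand it to a sandbox when any indicator fires; the benign sample above produces no findings, while the constructed risky sample is flagged for both the macro part and the external target.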
Advanced firewall features: Certain firewalls have capabilities that go beyond those of the default Windows firewall. With a more advanced firewall, network administrators gain an additional layer of detection and protection, where the firewall itself can analyze a file before it lets it through.