Top 9 Malware Variants Targeting the Education Sector

Why Schools Are Targeted

When industries think of cyber targets, often times the education sector is not included.  Why?  Well, it is believed they do not carry the financial weight of bigger targets like enterprises or the healthcare industry.  Although, school systems do still hold a plethora of critical data that can be easily exploited.  Infecting an educational institution may also be easier than executing an attack on another industry.  For example, often times schools lack updated software and have a minimal IT budget.  Pair this with the increased technological role within the classroom, and student who do everything they can to bypass the school’s safe guards, you have a potential gold mine for hackers.

Top 9 Malware Variants Targeting School Systems

CSO Online recently reported the top nine malware threats that are targeting the education sector.  These nine threats are listed below:

1. Zero-Access Botnet: This variant infects devices by exploiting a Windows operating system vulnerability.  It will often lay dormant, or spread throughout interconnected devices.
2. Andromeda Botnet: A malware variant that often spreads other malware such as Zeus trojans, Tropig or Fareit.  This typically injects itself into machines by HTTP websites.
3. Mirai Botnet: The Mirai code was made public, before the creators were found — therefore it is likely different versions of the Mirai botnet will continue to spread.
4. W32/MS04028.fam!: This specific variant is used to exploit Windows XP operating systems.  Since educational institutions often run on outdated operating systems, including XP, which hasn’t been issued Windows updates in years, the vulnerability continues to exist.
5. W32/StartPage.NIK!tr: This malware arrives as a CAB.file, which requires execution to install the malware – like the previous four.
6. Riskware/BitCoinMiner93EA: This particular variant finds infected devices and attempts to steal any bitcoins within the digital wallets on the device.
7. Functions.Definitions.Remote.Code.Execution: Beyond using an executable, an attacker could also use this variant to exploit web servers using Bash shell scripts to execute malicious coding into the device.
8. Tomcat.Arbitrary.JSP.file.Upload: The malware variant exploits a vulnerability in Java.  If executed, the entire system could be compromised.
9. Struts.2.Jakarta.Multipart.Parser.Code.Execution: Used to exploit the Apache Struts vulnerability, the hacker can then execute malicious software.

This is Avoidable

Something one should note is, every single one of these is avoidable.  First, by ensuring programs and operating systems are updated.  Second, IT professionals need to implement a security solution that uses application whitelisting technology and malicious script blocking.

Even if the vulnerability exists, the hackers have to run an executable to install the malware.  This executable would be blocked with the use of the default-deny approach.  Lastly, some malicious events are triggered through scripts, no an executable.  Therefore, by using a security solution that too includes malicious script blocking – you will be fully protected.

But, we’ve all heard it — whitelisting is too much work.  It certainly can be if it is not managed properly.  However, PC Matic Pro offers an automated, global whitelist.  This whitelist is managed by the PC Matic Pro malware research team, minimizing any back-end work for IT professionals.  Also, over the last 12 months, PC Matic Pro has integrated a malicious script block to prevent scripting attack from executing on servers, as well as endpoints.

Cyber threats continue to evolve, shouldn’t your security solution do the same?