The Malware Servers risk vector is an indication that a system is engaging in malicious activity, such as phishing, fraud, or scams. A company’s network is hosting malware that is meant to lure visitors to a website or send a file that injects malicious code or viruses.
The Malware Servers risk vector is part of the Compromised Systems risk category. Understanding how this affects your rating is key to prioritizing your remediation:
- Weighting: This vector is weighted evenly with other Compromised Systems risk vectors, which account for 27% of your Bitsight Security Rating.
- Lifetime: Findings remain active for 180 days from the last observed date.
- Point Recovery: As a finding ages without a new observation, its negative impact on your score gradually decreases.
- Rescan Policy: Because these findings rely on external observation data, user-requested rescans are not available. The finding will automatically update when our sensors no longer detect the activity.
What is Malware?
Malware is short for “malicious software.” It refers to programs designed to damage, disable, or exploit computers and systems. It can take the form of executable code, scripts, active content, and other software.
Each type has different methods and goals, but all are harmful to your systems.
How Bitsight observes Malware Server activity
Malware server activity is observed by:
- Monitoring the traffic going to and from known malicious servers.
- Working with data sources that perform content analysis to locate malicious code.
What criteria are considered when classifying observations as Malware Server events?
Bitsight uses lists of restricted IP addresses and known malicious file hashes.
Safe-browsing lists and lists of restricted IP addresses are used publicly by security organizations to identify network endpoints that are distributing files. Brand monitoring services continuously observe new domains and online activity on behalf of their clients and report such activity to search engines.
Once a file hash becomes known, it can be traced to a specific malware family.
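The two criteria above, a restricted IP list and a known-bad file hash list, are easy to picture as a matching pass over outbound web-proxy logs. The following is an added example written for this page, not Bitsight's own code or data: the blocklists, hash-to-family mapping, and proxy log lines are all constructed here (the hashes are SHA-256 digests of harmless sample strings, not real malware), and the 180-day lifetime is the only value taken from the article.

```python
import hashlib
import ipaddress
from datetime import datetime, timedelta

# From the article: a finding stays active for 180 days after its last observation.
FINDING_LIFETIME_DAYS = 180

# Constructed restricted IP list (documentation ranges only, not Bitsight's actual data).
RESTRICTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hash -> malware family mapping; digests of harmless sample strings.
SAMPLE_A = sha256_hex(b"constructed-sample-A")
SAMPLE_B = sha256_hex(b"constructed-sample-B")
BENIGN = sha256_hex(b"constructed-benign-file")
KNOWN_BAD_HASHES = {
    SAMPLE_A: "FakeAV-Sample",
    SAMPLE_B: "DriveBy-Sample",
}

# Constructed proxy log: timestamp, client IP, destination IP, method, URL, SHA-256 of the served file (or "-").
SAMPLE_LOG = "\n".join([
    f"2024-05-01T10:00:00Z 10.0.0.5 203.0.113.40 GET http://cdn.example.invalid/update.exe {SAMPLE_A}",
    f"2024-05-01T10:05:00Z 10.0.0.9 192.0.2.10 GET http://news.example.invalid/index.html -",
    f"2024-05-01T10:07:00Z 10.0.0.9 198.51.100.7 GET http://login.example.invalid/ -",
    f"2024-05-01T10:09:00Z 10.0.0.12 192.0.2.22 GET http://files.example.invalid/setup.exe {SAMPLE_B}",
    f"2024-05-01T10:11:00Z 10.0.0.12 192.0.2.22 GET http://files.example.invalid/readme.txt {BENIGN}",
])


def parse_timestamp(value: str) -> datetime:
    # Log timestamps are UTC with a trailing "Z", which fromisoformat() needs as "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line: str) -> dict:
    ts, src, dst, method, url, digest = line.split()
    return {
        "ts": parse_timestamp(ts),
        "src": src,
        "dst": ipaddress.ip_address(dst),
        "url": url,
        "sha256": None if digest == "-" else digest,
    }


def classify(event: dict) -> list:
    """Return the reasons (if any) this event matches the Malware Server criteria."""
    reasons = []
    if any(event["dst"] in net for net in RESTRICTED_NETWORKS):
        reasons.append(f"destination {event['dst']} is on the restricted IP list")
    family = KNOWN_BAD_HASHES.get(event["sha256"]) if event["sha256"] else None
    if family:
        reasons.append(f"served file hash matches malware family {family}")
    return reasons


def find_malware_server_events(log_text: str) -> list:
    """Scan proxy log lines and return one finding per line that matches either criterion."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            findings.append({
                "dst": str(event["dst"]),
                "url": event["url"],
                "last_seen": event["ts"],
                "reasons": reasons,
            })
    return findings


def active_findings(findings: list, now_iso: str) -> list:
    """Keep only findings observed within the 180-day lifetime relative to now_iso."""
    now = parse_timestamp(now_iso)
    lifetime = timedelta(days=FINDING_LIFETIME_DAYS)
    return [f for f in findings if now - f["last_seen"] < lifetime]


if __name__ == "__main__":
    for finding in find_malware_server_events(SAMPLE_LOG):
        print(finding["dst"], finding["url"], "; ".join(finding["reasons"]))
```

Three of the five constructed lines match: the first on both criteria (restricted destination and a known-bad hash), the third on the destination alone, and the fourth on the hash alone, which is why a single IP or hash list on its own would miss a share of what the combined criteria catch. The lifetime filter shows why a finding with no new observation drops out after 180 days even though nothing was changed on the network.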
Malware servers can host different types of exploits, including:
- Drive-by Downloads: These often hide in popup windows or dialog boxes, to be downloaded without the user’s consent.
- Fake Antivirus Software: The malware pretends to detect threats on the machine, and claims that it can only be removed by buying the software. The threats are often fake and intended only to scare the user into purchasing the software, which does not actually protect the user’s device.
- Phishing Websites: Trick the user into giving up information by presenting themselves as a trusted service. For example, a phishing site might have a URL that is similar to a legitimate banking website. It then prompts the user for their account information and credentials.