Are you tired of the never-ending malware infections? Would you like to get rid of the nightmare of the long hours spent troubleshooting? Do you still seem to get repeatedly infected regardless of how often you make malware removals? It’s enough of the reactive protection!
The old way
What would usually happen when a server became infected? People had to buy special security tools, which had really high prices to find malware. If it succeeded, the sysadmins had to spend plenty of hours (or in worse cases several days) to remove the malware. The other option was to pay for someone to do the system cleaning instead of you, but again it also required money. Malware removal can even cost 180 USD for only one domain.
Ok, yes the malware was removed but what guarantees that it won’t happen again? If someone could upload an infected file why would she/he not try it again? Only removing the malware will not fix the problem itself because it means there is a weak point in your system. So it’ll only take a little time for this point to be found by other hackers too.
So, what came next to avoid further infections? Finding the backdoor and the attacker’s IP, then blocking it. Our web hosting company had a well-working procedure for doing this, but it still required time from our sysadmins. Eventually, we had enough of it, so we thought a big and developed a breakthrough feature.
The BitNinja way
We wanted to have a more comprehensive and automated tool, so we made it. The BitNinja Defense Robot is the only one real-time malware root cause analysis solution on the market. This module identifies backdoors and attacking IPs at each malware upload attempts. It doesn’t require any manual intervention. Instead, the Defense Robot will auto-greylist the attack source and set up customized WAF patterns, so the hacker won’t have the opportunity to upload a malware again.
We brought a brand-new concept to the market with our Defense Robot, which will not only harden your defense shield, but it also saves you time and money.
Automatized best practices
Let’s see how the Defense Robot grants you powerful security by the co-operation of 4 active protection modules.
1. Malware Detection
If the Malware Detection module is enabled on your servers, it’ll monitor the file changes. If there is a malware upload attempt, the file will be quarantined, and the module will alert the Defense Robot.
2. Log Analysis (a.k.a SenseLog)
Here is the step when the Defense Robot identifies the date of the attack and the source IP helped by our SenseLog module.
- Time window: The Defense Robot will check the log lines related to the malware upload within the configured time window, which is 30 seconds before the malware is changed. We use the ctime to identify the time of the malware upload, as it can not be modified despite the mtime.
- Loglines related to any private IP addresses will be ignored.
- If a malware upload occurs on HTTP, it’ll be a POST request, so GET requests can be ignored at this step.
- The log lines will be read from the end, which provides a quicker process. As the malware upload is a fresh action at the point of the examination, it’ll be within some of the latest logs. What’s more, if the Defense Robot would try to locate the appropriate logline from the beginning, it would take a lot of time if there is no log rotation.
After these filtering procedures, there should be only 1 logline, which contains the attacker’s public IP and the path where the malware was uploaded. What will happen with this piece of information?
3. IP Reputation
The malicious IP address will be automatically added to the global greylist, so it won’t be able to connect your servers as well as all the other BitNinja protected servers.
After the log filtration, we will also know the path of the malware upload attempt, so we can automatically honeypotify the abused domain/URI. It means that another malware upload cannot happen in the same path. It’s an upcoming feature which will be implemented soon.
(Another option that’s also coming soon: control panel/FTP user password will be changed automatically, then the hackers won’t be able to access your servers via that account.)
Check out our documentation site, if you need more technical details.
Detailed event correlation info
The Defense Robot will create BL_BN_LOG incident type, what you can find in the Dashboard. Simply go to the Network Attacks menu and list this kind of attack:
Search for those logs, which contain the DefenseRobot ID line. Here is an example:
There will also be a new folder created at: /var/log/bitninja/correlations/YYYY/MM/DD/hh_mm_uniqid
In this folder, you’ll find all the details such as:
- IP address
- affected domain
- affected user
- uploaded malware
- collected logs
Coming soon: The correlation information will be available under the Infected files menu. So you’ll also be able to access all the necessary information on the Dashboard.
Enjoy the real-time, automated malware root cause analysis
After we carefully tested the Defense Robot on our servers, we offered a selected closed group the chance to join us and be a part of the testing stage. Over the past few weeks we received extremely great results, so now we have made this feature available for everyone who uses the BitNinja Pro.
From the 1.27.3 agent version, the Defense Robot is enabled by default, so you no longer have to deal with investigating and blocking the source of the malware infection anymore; this module will do it automatically rather than you having to do it manually.
Let’s take your server security to a new level and enjoy this unique, innovative protection system with BitNinja Pro.