Things website owners should know about malware. (And a few notes on those weird names.)

By Mike Turner | August 23, 2019

Hackers have devised any number of ways to get their digital destroyers to find cracks in websites. Below we take an illuminating overview of malware, including a few observations on those weird names.

Viruses and malware are here to stay.

We recently notified our website hosting customers that we were installing crucial updates on their servers to prevent the scourge of three malware threats: ZombieLoad, Meltdown, and Spectre. We didn’t send the notification just so we could feel like heroes (though we are not above that). We did it to keep everybody aware that vicious digital attack dogs are always roaming the web, and even companies wise enough to hire us for hosting and maintenance should never forget that the threat is a permanent feature of the Internet.

Why are malware names so often stupid?

Let’s pause here to note the downright silliness of those sc – a – a – a – ry names. Mydoom. Storm Worm. CryptoLocker. You can picture a posse of punks in their basement lair, jumping off their musty sofa for a round of high fives after coming up with these ridiculous monikers. They’re like the goth guy in high school who thinks the tattoo of a dagger running down his nose is just disturbing enough to attract girls, who are rumored to find bad guys irresistible. (Among other mistakes, he got mixed up about the distinction between “goth” and “carny.”)

The common image of hackers is a little hackneyed.

It’s fun to imagine the stereotype hacker dudes in their hoodies—especially if you imagine them getting arrested and thrown in jail. Alas, it turns out that a lot of the picture I painted above is a fallacious cliché. A) Not all hackers have hoodies, musty sofas or tattoos; B) girls generally avoid bad guys; and C) virus names originate in a variety of ways, not all of which involve losers seeking revenge on the jocks who beat them up in high school.

Names of malware have many authors.

Indeed, it is sometimes the good guys who come up with malware names. The theory is that when Team White Hat wants to warn decent, non-vandal citizens that a new scourge has been unleashed on the world, giving it a clever name that sounds like a movie title will help spread the word. (Thanks, wearers of white hats!)

Some malware names have colorful backstories.

The saboteur who devised the Melissa virus named it after his favorite stripper. We hope she was impressed. On the other hand, some names are pretty pedestrian: the Samy worm was given that name by its creator—a guy named, um, Samy. When digital despoiler Chen Ing-Hau christened his work, he could think of nothing more imaginative than his initials, CIH. Some names, though, are a version of digital poetry. Some system administrator who knows what CVE-2014-0160 means—(not making that up)—actually had enough romance in his soul to name a bug Heartbleed. The glitch so named allowed secure information to leak from the deepest recesses of the system—to bleed from the heart. Awww.

There’s nothing colorful about the damage viruses do.

It’s ugly. We wish people didn’t do this horrible thing, but if wishes were horses we’d all have very high oat expenses. You can’t make viruses go away—all you can do is be vigilant. That includes, of course, ongoing updates of your website core and plugins, as well as hosting with a reputable hosting company. (Please don’t get us started about the folly of hosting your own site in-house.)

Complacency is a hacker’s best friend.

Security magazine reports there is an attack on the Web every 39 seconds. Whether a virus succeeds in its evil plot depends a lot on what its targets do to protect themselves. Sucuri’s 2018 Hacked Report reveals that the leading causes of website infections are poorly configured plugins, modules and extensions inside the more common CMS (Content Management System) platforms; abused access control credentials (including poor password control and management); and a lack of knowledge around security best practices. Attending to these potential weak spots might sound like a headache, but it’s a headache that could save your business from destruction. That’s much better than a regular headache, which really doesn’t have an upside.

563 simple steps to stop hackers. Wait—it’s just four steps. Even better.

Four relatively simple actions you can take will create enough of a barrier that most hackers will move on to some poor schmuck who didn’t bother.

  • Keep your site’s CMS and plugins updated. For clients using our OverSite™ service, it’s not unusual for even a small site to receive 6-10 updates in a month.
  • Implement urgent updates right away. CMS platforms like WordPress will issue high-priority updates as necessary to block new threats. Those updates should be installed immediately.
  • Add a WAF (Web Application Firewall) to your site. It’s an extra layer of security.
  • Please, don’t be stupid about passwords and access. Using a password like MyCompanyName123 that’s easy to remember is like hanging a sign on your front lawn saying “There’s cash under my mattress and the door is unlocked.” Closely manage website access and keep it updated. (That employee that left to go work for a competitor – did you delete their access credentials?)
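The fourth step above can be turned into two routine checks. The script below is an added example, not something from the original post: it rejects passwords that are just a company term plus decoration (the MyCompanyName123 pattern) and flags CMS logins that belong to nobody on the current staff roster. The company terms, users, dates and the 90-day idle limit are all constructed assumptions.

```python
import re
from datetime import date

# Common character substitutions, undone before comparing.
LEET = str.maketrans("0134578@$!", "oieastbasi")
EDGE_DECORATION = re.compile(r"^[\d\W_]+|[\d\W_]+$")

def is_org_derived(password, org_terms, max_extra_letters=3):
    """True if the password is an organisation term plus light decoration."""
    trimmed = EDGE_DECORATION.sub("", password.lower())   # drop "123", "!2019"
    core = re.sub(r"[^a-z]", "", trimmed.translate(LEET))  # "acm3" -> "acme"
    for term in org_terms:
        t = re.sub(r"[^a-z]", "", term.lower())
        if t and t in core and len(core) - len(t) <= max_extra_letters:
            return True
    return False

def stale_accounts(users, current_staff, today, max_idle_days=90):
    """Flag logins for people off the roster, then long-idle logins."""
    staff = {e.lower() for e in current_staff}
    findings = []
    for u in users:
        if u["email"].lower() not in staff:
            findings.append((u["login"], "not on current staff roster"))
        elif (today - u["last_login"]).days > max_idle_days:
            findings.append((u["login"], f"no login for over {max_idle_days} days"))
    return findings

# Constructed sample data (hypothetical company, users and dates).
ORG_TERMS = ["MyCompanyName", "Acme Widgets"]
SAMPLE_STAFF = ["alice@example.com", "carol@example.com"]
SAMPLE_USERS = [
    {"login": "alice", "email": "alice@example.com", "last_login": date(2019, 8, 20)},
    {"login": "bob", "email": "bob@example.com", "last_login": date(2019, 3, 1)},
    {"login": "carol", "email": "Carol@example.com", "last_login": date(2019, 1, 15)},
]

if __name__ == "__main__":
    for pw in ["MyCompanyName123", "Acm3Widgets!2019", "tundra-violin-acme-giraffe-42"]:
        print(pw, "->", "reject" if is_org_derived(pw, ORG_TERMS) else "ok")
    for login, reason in stale_accounts(SAMPLE_USERS, SAMPLE_STAFF, date(2019, 8, 23)):
        print(login, "->", reason)
```

The password check belongs wherever passwords are set or changed; the roster check is worth running on a schedule and whenever someone leaves.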

There are other steps you can take to shield your site from attacks.

They are greater than four but less than 563. You could reduce the number to a simple “one” by just turning the problem over to a team of digital marketers who will stay on top of everything full time. By the way, we are a team of digital marketers. Just putting that out there.