Will running one rarely used program stop future attacks? In the case of the SolarWinds attack it does, and it may stop future compromises too.
It makes sense that malware uses strategies to infect networks and hide inside them undetected. Here is some fascinating insight into that self-preservation: the malware behind the SolarWinds attack looks for specific security-related software, including a free program named Wireshark, before installing itself. If Wireshark is running on the Windows machine, the malware installation terminates itself.
Should you run Wireshark on your computers 24×7? Ordinarily, IT professionals remove Wireshark in case attackers installed it. Paradoxically, keeping Wireshark running will stop the initial activation of the SolarWinds attack. Wireshark is not the only choice. Open this Microsoft article and use Ctrl-F to search for the word Wireshark to see the other security-related tools that will horrify some malware: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
But after SUNBURST installs itself, it is too late: it does not look for security-related tools after installation.
This message is not a recommendation to run these applications, nor is it intended to dissuade you. If organizations start adopting this strategy to thwart cautious attacks, it will be interesting to see how malware responds.
Forward this article to your friends so they receive this insight into how bad actors strive to avoid detection, and discuss implementing this unconventional approach to stopping malware installations.