What is Malware?
Malware is a term used to describe the numerous types of malicious software created to attack computer systems. Many cybersecurity incidents involve some form of malware attack. There are many ways that criminals can use software to attack servers, network equipment, endpoints, software-defined services, and cloud-based systems. Any software designed to bypass security protections, steal data, generate financial gain for its operator, or simply cause damage and disruption is usually categorized as malware. Examples of malware include viruses, ransomware, and spyware. Many others are outlined below.
The creation of malware of various types has become a shadow industry in its own right. Many cybercriminal groups create malware for sale to others on the dark web. In the ransomware market these are known as ransomware as a service (RaaS) offerings: people without the skills to develop the software themselves use them to attack businesses for profit, and the malware creators take a cut. The attack on the USA Colonial Pipeline system was a ransomware as a service attack.
We should note that no operating systems are immune to malware attacks. Microsoft Windows, Apple macOS (Mac), Android, iOS, and Linux have all had malware that targeted them at some point. Assume that all systems you use need protection from malware threats.
Reasons for Malware Attacks
The reasons for malware attacks are varied. Financial gain for cybercriminals is a primary driver for a lot of attack activity. This happens either by directly stealing money, obtaining credit card information to use or sell to the highest bidder on the dark web, or by using compromised IT systems to run software to generate value for the attackers (see cryptojacking in the section below).
Data theft is another reason for malware-based cyberattacks. Data of all types has a value to someone, especially sensitive information or personally identifiable information (PII). In addition to the direct sale of information like credit card details, cybercriminals can also sell other data on the dark web. Intellectual property data about scientific research, industrial processes, and upcoming product releases will be valuable to someone. Data exfiltration from compromised systems is also often the first step in the ransomware attack chain. The cybercriminals copy an organization's data before triggering the encryption step in a ransomware attack. They can then use this data to blackmail the attacked company or sell it on the dark web to get additional income.
Nation-state, or state-backed, cybercriminal groups are increasingly common. They use malware to attack and disrupt foreign governments and critical national infrastructure. These attacks often target major operational technology infrastructure and systems such as power distribution networks. They also frequently attack major corporations within the targeted countries, often under the guise of ordinary cybercriminal activity to give their nation-state backers deniability. The 2017 NotPetya malware attack, which initially targeted Ukrainian power systems but quickly spread globally, falls into this category. State-backed malware is also often used to target overseas dissidents, blogs, and news organizations that provide a different narrative from the one the government would like people to believe.
Some malware attacks are carried out purely for malicious purposes. Certain cybercriminals take satisfaction in bypassing security systems and causing damage and mayhem to the functionality of systems without ever trying to get a financial return.
Political and social activists also use malware to breach systems of organizations they think are causing harm for some reason. However, even if the motives behind their actions may seem justified to them, they are still engaging in malware attacks. And their activities can have unintended side effects on other people and IT systems.
What Types of Malware Exist?
The list below covers the common types of malware (in alphabetical order), with known examples of each where the original table gave them.
Adware - Adware infects end-user devices and uses web browser history data to display deceptive advertisements and pop-ups. Often the adware simulates clicks on the ads to fool advertisers and extract payments for the attackers. In other cases, the ads try to trick the user into visiting dangerous websites that have other malware attacks ready. Examples: Fireball, Appearch, DollarRevenue, Gator, DeskAd.
Botnets - Botnets are groups of computers (and increasingly other endpoints such as IoT devices) that are taken over by cybercriminals for use in concerted attacks, often denial-of-service attacks. Botnet malware is the 'client' that infects PCs and other systems to conscript them into the wider botnet. Examples: Mirai attack (2016), GitHub attack (2018), 3ve (2018).
Browser hijackers - Browser hijack malware interferes with browser settings to redirect users to sites that benefit attackers. Examples: Babylon Toolbar, Conduit Search, CoolWebSearch, OneWebSearch, Snap.do, and Sweet Page.
Cryptojacking - Cryptojacking involves malware that uses the CPU of an infected IT system to 'mine' for cryptocurrencies like Bitcoin. Some types install on the infected clients, and others use web browser scripts that run when users visit web pages.
Fileless malware - Fileless malware uses infected legitimate software installs to deploy into the memory of running systems. It then operates in memory and doesn't write anything to disk, making it difficult to detect with traditional anti-malware and anti-virus software. Examples: SQL Slammer, Stuxnet, UIWIX.
Keyloggers - Keyloggers record all keystrokes on an infected device. This captures everything a user types, including potentially personally identifiable and sensitive data.
Malvertising - Malvertising uses legitimate ads or ad networks that have been compromised to show ads that deliver malware to users who click on them. Examples: Angler Exploit Kit, RoughTed, KS Clean.
Phishing - Phishing attacks target people to steal login and other confidential information by tricking them into clicking malicious links in emails, messaging apps, or on the web. Phishing attacks are designed to look like authentic messages from trusted brands, organizations, or individuals so that the recipients think they are getting a genuine request for information. Examples: Hillary Clinton campaign emails, JP Morgan Chase 2014 breach, North Korean Sony Pictures breach 2014, BenefitMall 2018.
RAM scrapers - RAM scraper malware copies data sitting in RAM. It is often used to infect and steal data from Point-of-Sale (POS) terminals and capture unencrypted financial information.
Ransomware - Ransomware is a form of malware that encrypts data on infected IT systems. It demands that a ransom is paid, usually to an anonymous address using Bitcoin or another cryptocurrency, in exchange for the code needed to decrypt the infected system.
Rootkits - A rootkit is a collection of system-level software that gives attackers control over the targeted system.
Scareware - Scareware is malware that pretends to have taken over a computer and asks the user for information or payment. It is a sort of pseudo-ransomware. Examples: PC Protector, MacDefender, Spyware Protect 2019.
Spyware - Spyware spies on personal data on an infected device. Spyware can steal a lot of information that is useful and valuable to cybercriminals. Examples: CoolWebSearch, Zango, HuntBar.
Trojans - Also known as a Trojan horse, this type of malware tricks users by hiding the dangerous content within another seemingly useful program. Many trojans aim to install backdoors on systems that give the attackers full access in the future when they need it. Examples: Storm Worm, Zeus (Zbot), Magic Lantern.
Viruses - Probably the most well-known malware type (before the advent of ransomware!), viruses are programs that inject themselves into other programs and replicate by copying from one infected device to others. Viruses need humans to execute their code (often by opening an infected email or program that carries the virus payload). Examples: Melissa, Shamoon, Klez, Concept, Anna Kournikova (and thousands of others!).
Worms - Like viruses, worms replicate across the network. Unlike viruses, they don't need a human to run an infected file: worms are self-contained, carry all the code they need to run and copy themselves, and self-replicate by exploiting vulnerabilities in network protocols and their implementations to move from machine to machine. Examples: Morris Worm, Storm Worm, SQL Slammer, Mydoom, Sasser, Blaster, Mylife.
Zero-day - A zero-day isn't a specific type of malware; it is a vulnerability used by cybercriminals to compromise systems. No software is bug free, and some bugs cause security vulnerabilities that attackers can exploit. A zero-day is a discovered vulnerability that has not yet been fixed by the software maker and that is actively being used by cybercriminals to attack systems. Examples: Stuxnet, Dridex MS Word Trojan.
Mobile malware - Mobile malware is a collective term for multiple malware types that target mobile devices. As the world has gone mobile, cybercriminals have followed and developed malware to target mobile device users. Android, and to a lesser extent iOS, are vulnerable to mobile malware. Example: Triada (Android trojan).
Many attacks now use a combination of malware methods in a practice known as hybrid (or sometimes exotic) attacks. The ultimate aim of the attackers is either to steal data, install potentially unwanted programs (PUPs) on systems, or just create disruption.
Protecting Against Malware Attacks
Given that there are multiple types of malware and a wide range (and ever-increasing number) of attack methods in use, malware protection needs to be both broad and deep. Adopting a defense-in-depth strategy is the best approach. Even with this, it is best to assume that an attack will succeed and your network and systems will be compromised. Deploying anti-malware and anti-virus tools to all devices that can run them will reduce the risk from attacks, as long as they are kept up to date so they can detect new malware and know how to remove the infections.
Here are some measures that will lower the risk from malware attacks in particular, and from other potential cyberattack methods more generally.
Have Documented Policies and Procedures - A crucial part of any strategy used to counter the risk of malware is having an easy-to-understand set of policies and procedures. They should tell everyone what to do in the event of an incident.
Implement Proactive Defense Measures - Cyberattacks rarely happen without the planning stage leaving telltale markers. Discussions about organizations soon to be attacked, auctions of user account information, and the setting up of dummy domains for phishing attacks all occur on the dark web. Monitoring the web and dark web for signs of imminent attack is an ongoing and specialized activity, and many organizations don't have the skill base or the resources to allocate staff to it. IntSights provides threat intelligence services that give warnings about imminent attacks.
Provide Ongoing Awareness Training - Most successful malware infections occur due to phishing attacks, other social engineering methods, or security vulnerabilities. Ongoing security awareness training for staff is vital so they know how to spot suspicious emails, messages, or websites. Users should also be trained not to click on links that offer free downloads. In addition, the training should make end-users aware of social media information leakage and potential information phishing outside of conventional work channels. Cybercriminals often target employees via their social media accounts to get information to aid later phishing and spear-phishing attacks. This awareness training should be frequent, short, easily digestible, and trackable to ensure everyone takes it on board.
Use Password Management Tools - Enforce unique passwords on all systems that a user accesses. Users should not be allowed to use the same password for multiple systems. Passwords should also be strong and hard to guess or brute force.
Use Multi-Factor Authentication - Implementing multi-factor authentication for all systems that support additional authentication safeguards is a crucial best practice. Requiring some other information besides a username and password protects systems if login details are exposed to cybercriminals. Additional tokens, specific device requirements, and biometrics all provide ways to implement multi-factor authentication when logging into IT systems.
Use Protected Access Management - The authentication methods listed above are a core part of Identity and Access Management (IAM). When combined with role-based permissions, IAM grants the authorization to access components of an application or IT system. This is the basis of the core access management that most organizations have traditionally used via Active Directory or a similar directory service. A best practice for protecting critical systems is to take IAM to the next level and implement Protected Access Management (PAM). A PAM implementation adds further policies and procedures to restrict access to designated systems. PAM also requires a management workflow to authorize anyone to use a logon, so no single person can grant access. All PAM login and password combinations are one-time use only, and each login request has to start the workflow from scratch.
Use Secure Firewalls - The border between internal networks and the Internet needs to be secured and protected with good firewalls and intrusion protection systems. Modern firewalls can detect known attack methods and any suspicious activity that might indicate an emerging malware attack. Web Application Firewalls (WAFs) should also be deployed between back-end application servers and border firewalls.
Implement Network Deception Technologies - Deception technologies implement dummy systems that fool any cyber attackers who breach the network into thinking they have access to production systems. In reality, the dummy systems are intended as honeypot traps to allow security teams to monitor the attacker's malware activities and gather data without exposing the production systems.
Encrypt Data - All data at rest on servers or devices, and in transit over the network, should be encrypted. Use AES-256 as a minimum for data at rest, and TLS 1.3 (or later if available) for websites and transfers over the Internet.
Do Frequent Backups - In addition to encrypting data, organizations should frequently back it up. These backups should also be encrypted and stored in a location not connected to the network. If a ransomware attack is successful and prevents access to data, you don't want this malware to infect the backups. If required, organizations can use these clean backups to restore systems. This is now a key component of business continuity and disaster recovery planning. Clean, timely backups are the ultimate safety net to recover systems after a successful malware attack.
Install Anti-Malware Software - Preventing malware infections is better than cleaning up afterward. Modern anti-malware and anti-virus protection software that protects in real-time against malware and computer viruses should be installed on all systems that can run it. Today’s anti-malware and anti-virus software can also remove malware and other malicious code discovered on an infected computer hard drive.
Use Endpoint Protection - End users are frequent targets for cybercriminals. All end-user devices that are capable of running it should have endpoint security protection software deployed.
Keep IT Systems Up to Date - All IT systems need to be kept up to date with the latest security patches and other operating system updates. The same applies to anti-malware and other security software. These need to be configured to get the latest security updates and definitions every day (or multiple times a day if appropriate).
Secure All WiFi - All WiFi networks should use the maximum security available, and WiFi networks should not advertise their network names for devices to discover. If access is needed for customers or other third-party users, restricted guest networks should be configured. WiFi security also applies to users working from home. Their WiFi should be secured, or they should be using hardened mobile 4G/5G access points if their home WiFi can't be secured to an appropriate level.
Use a Mobile Device Management Solution - A lot of business activity now happens on smartphones and tablets. Plus, many people use laptops for their work. All mobile devices (including laptops) should be enrolled and managed in a mobile device management (MDM) solution. MDM systems are often part of more comprehensive IT Security Information and Event Management (SIEM) solutions.