What is malware? A comprehensive explanation by Digimagg

Discover a thorough explanation of malware by Digimagg. Understand the intricacies of this digital threat and how to protect yourself.

Mar 18, 2024 - 14:33
Mar 19, 2024 - 13:47

What is malware?

Malware, short for malicious software, is any software code or computer program written with harmful intent, whether to damage computer systems or to compromise the security of their users. Ransomware, Trojan horses, and spyware are common examples.

Nearly all modern cyberattacks involve some form of malware. These harmful programs vary widely, from highly destructive ransomware to merely bothersome adware, depending on the cybercriminals' objectives.

Cybercriminals create and employ malware to:

1. Hold devices, data, or entire enterprise networks for ransom.
2. Illegally access sensitive data or digital assets.
3. Steal valuable information like login credentials, credit card numbers, or intellectual property.
4. Disrupt critical systems relied upon by businesses and government agencies.

With billions of malware attacks occurring annually, infections can happen on any device or operating system, including Windows, Mac, iOS, and Android systems. Notably, malware attacks are increasingly targeting businesses rather than individual users, as hackers recognize the potential for greater profits by targeting organizations. Businesses often possess significant amounts of personal data, making them lucrative targets for extortion or data theft, with stolen information being exploited for identity theft or sold on the dark web.

Varieties of malware

Cybercrime represents a significant industry, projected to be the world’s third-largest economy by 2025, trailing only the US and China, with an estimated cost of 10.5 trillion USD. Within this industry, hackers continuously innovate, developing new strains of malware with advanced features. These malware strains often evolve into new variants over time to bypass security measures. Since the 1980s, over 1 billion different malware strains and variants have emerged, posing a challenge for cybersecurity professionals to combat. Hackers frequently share their malware through open-source code or by selling it to other criminals. Malware-as-a-service arrangements, particularly among ransomware developers, allow even individuals with minimal technical expertise to engage in cybercrime. Despite the dynamic nature of the landscape, malware strains can generally be categorized into several common types.

Computer viruses

While often used interchangeably, "malware" and "computer virus" hold distinct meanings: a virus is one specific type of malicious software. Essentially, a virus is malicious code that attaches itself to legitimate software in order to cause harm and propagate itself.

Viruses cannot run on their own; instead, they embed segments of their code within other executable programs. When the host program is launched, the virus code runs with it. Typically, viruses are crafted to erase crucial data, disrupt regular operations, and copy themselves into other programs on the compromised system.

Many of the initial malware threats consisted of viruses. For instance, Elk Cloner, possibly one of the earliest malware instances disseminated through public devices, represented a virus targeting Apple computers.

Cryptojackers

A cryptojacker refers to a type of malware that seizes control of a device to mine cryptocurrency, such as bitcoin, clandestinely. In essence, cryptojackers establish cryptomining botnets.

Cryptocurrency mining is a highly resource-intensive and costly endeavor. Cybercriminals reap profits, while users of compromised computers endure performance degradation and system crashes. Frequently, cryptojackers aim at enterprise cloud infrastructure, enabling them to amass more resources for cryptomining compared to targeting individual computers.

Fileless malware

Fileless malware denotes a type of assault exploiting vulnerabilities in legitimate software applications, such as web browsers and word processors, to inject malicious code directly into a computer's memory. As this code operates in memory, it does not leave any traces on the hard drive, often eluding detection due to its use of genuine software.

Many fileless malware attacks leverage PowerShell, an integral command-line interface and scripting tool within the Microsoft Windows operating system. Utilizing PowerShell scripts, hackers can alter configurations, pilfer passwords, or inflict other forms of damage.

Another prevalent avenue for fileless attacks involves malicious macros. Applications like Microsoft Word and Excel enable users to define macros, comprising sets of commands automating tasks like text formatting or calculations. Hackers embed malevolent scripts within these macros; upon opening the file, these scripts execute automatically.

Botnets

A botnet comprises a network of internet-connected devices infected with malware and controlled by a hacker. These devices can encompass PCs, mobile devices, Internet of Things (IoT) devices, and various others. Often, victims remain unaware that their devices are part of a botnet. Hackers frequently utilize botnets to execute DDoS (Distributed Denial of Service) attacks, inundating a target network with excessive traffic to impede its functionality or induce a complete shutdown.

Mirai, among the most notorious botnets, instigated a significant attack in 2016 against the Domain Name System provider Dyn. This assault led to the disruption of popular websites such as Twitter and Reddit for millions of users across the United States and Europe.

Other forms of malware

Remote access malware

Hackers employ remote access malware to infiltrate computers, servers, or other devices by establishing or exploiting backdoors. According to the X-Force Threat Intelligence Index, the most prevalent objective for hackers is implanting backdoors, constituting 21% of attacks.

Backdoors offer cybercriminals extensive capabilities. They can pilfer data or credentials, assume control of a device, or deploy even more perilous malware like ransomware. Some hackers develop remote access malware to create backdoors, which they then vend to other hackers, fetching several thousand US dollars each.

Certain remote access malware, such as Back Orifice or CrossRAT, is deliberately designed for malicious purposes. Hackers may also manipulate or misuse legitimate software to gain remote access to a device. For example, cybercriminals use stolen credentials for Microsoft Remote Desktop Protocol (RDP) as a ready-made backdoor.

Ransomware

Ransomware encrypts a victim's devices or data, demanding a ransom payment, typically in cryptocurrency, for decryption. According to IBM's X-Force Threat Intelligence Index, ransomware ranks as the second most prevalent cyberattack type, comprising 17% of attacks.

Basic ransomware attacks render assets inaccessible until the ransom is paid, but cybercriminals may employ additional tactics to intensify pressure on victims.

In a double extortion scheme, cybercriminals pilfer data and threaten to disclose it if the ransom is unpaid. In a triple extortion scenario, hackers encrypt the victim's data, exfiltrate it, and threaten to disrupt systems through a distributed denial-of-service (DDoS) attack.

Ransom demands vary from tens of thousands to millions of US dollars. As per a report, the average ransom payment amounts to USD 812,360. Even in cases where victims refuse to pay, ransomware proves costly. According to IBM's Cost of a Data Breach report, the average ransomware attack incurs a cost of USD 4.54 million, exclusive of the ransom itself.

Scareware

Scareware employs intimidation tactics to coerce users into downloading malware or divulging sensitive information to fraudsters. Typically manifesting as sudden pop-up messages with urgent alerts, scareware often falsely accuses users of unlawful activities or notifies them of purported virus infections. The pop-up instructs users to remit a "fine" or install counterfeit security software, which, in reality, constitutes actual malware.

Worms

Worms are malicious programs that propagate among apps and devices autonomously, requiring no human intervention, unlike viruses, which only run when a user launches the infected program. While certain worms do nothing but spread, many others have far greater consequences. For instance, the WannaCry ransomware, responsible for an estimated USD 4 billion in damages, was a worm that amplified its impact by spreading on its own across interconnected devices.

Trojan

Trojan horses masquerade as legitimate software or embed themselves within useful programs to deceive users into installing them. A remote access Trojan, or "RAT," establishes a concealed backdoor on the compromised device. Another variant, known as a "dropper," installs additional malware after gaining access. Ryuk, a highly destructive ransomware strain, used the Emotet Trojan to infect devices.

Rootkits

Rootkits represent malware bundles enabling hackers to attain privileged, administrator-level access to a computer's operating system or other resources. With elevated permissions, hackers can execute a multitude of actions, such as adding and deleting users or altering application configurations. Rootkits are commonly employed to conceal malicious processes or disable security software.

Adware

Adware inundates devices with unwanted pop-up advertisements. Frequently bundled with free software without user consent, adware is unwittingly installed alongside the intended program. While most adware merely proves an annoyance, some variants pilfer personal data, redirect web browsers to malicious sites, or facilitate the download of additional malware if users interact with the pop-ups.

Spyware

Spyware clandestinely lodges itself on an infected computer, surreptitiously harvesting sensitive data and transmitting it to attackers. A prevalent variant, known as a keylogger, records all keystrokes made by a user, enabling hackers to harvest usernames, passwords, financial details, and other confidential information.

Malware attack vectors

A malware assault consists of two main elements: the malware payload and the attack vector. The payload refers to the malicious code that hackers aim to implant, while the attack vector pertains to the method employed to convey the payload to its target.

Here are some of the most prevalent malware vectors:

Counterfeit software and file downloads

Numerous forms of malware, such as Trojans and adware, masquerade as legitimate software or free copies of media content. Ironically, they often pose as free antivirus programs or apps promising device enhancement. While torrenting networks notorious for sharing pirated media are favored playgrounds for cybercriminals, hidden malware can infiltrate legitimate marketplaces as well. For instance, the Goldoson malware infected millions of devices by concealing itself in apps available via the Google Play store.

Social engineering schemes

Social engineering assaults manipulate individuals psychologically, coaxing them into undertaking unauthorized actions such as downloading malware. Phishing attacks, employing deceitful emails or text messages to dupe users, are prevalent. According to the X-Force Threat Intelligence Index, phishing contributes to 41% of malware infections.

Phishing correspondence often mimics trusted brands or individuals, exploiting powerful emotions like fear ("We've detected nine viruses on your phone!"), greed ("You have an outstanding payment awaiting you!"), or urgency ("Time is running out to claim your complimentary gift!"). These tactics prompt users to take the desired action, typically opening a malicious email attachment or visiting a corrupt website that installs malware on their device.

System vulnerabilities

Cybercriminals continually seek out unpatched flaws in software, devices, and networks to inject malware into the target's software or firmware. IoT devices, frequently deployed with minimal or no security measures, represent a particularly fertile ground for cybercriminals to sow malware.

Supply chain assaults

In the event of a vendor's network compromise, malware may infiltrate the networks of companies utilizing the vendor's products and services. For instance, cybercriminals exploited a vulnerability in Kaseya's VSA platform to disseminate ransomware to customers under the guise of a legitimate software update.

User devices

Within corporate networks, users' personal devices serve as prime vectors for malware. Users' smartphones and laptops may become infected during personal usage, especially when connected to unsecured networks lacking the company's security solutions. When users bring these devices into the workplace, malware can spread to the corporate network.

Malvertising and drive-by downloads

Malvertising involves hackers inserting malicious ads into authentic ad networks or hijacking legitimate ads to dispense malicious code. For instance, the Bumblebee malware propagated through a deceptive Google ad posing as Cisco AnyConnect. Users seeking the genuine product would encounter the ad in their search results, clicking it unwittingly and downloading malware.

A related tactic, "drive-by downloads," initiates the download automatically when users visit a corrupt website, eliminating the need for user interaction.

Removable media

Employing a tactic known as "baiting," hackers may leave infected USB drives adorned with enticing labels in public locales like coworking spaces or cafes. Intrigued by these drives, unsuspecting users may connect them to their devices, inadvertently infecting their systems with malware. Recent research indicates that 37% of recognized cyberthreats are tailored to exploit removable media.

Detecting malware

Some malware infections, such as ransomware, may make their presence known, but the majority strive to operate covertly while causing disruption. Nonetheless, malware infections often leave behind indicators that cybersecurity teams can leverage for identification. These indicators encompass:

Altered configurations: Some strains of malware modify device configurations or deactivate security solutions to evade detection. IT and security teams may notice changes such as modifications to firewall rules or the elevation of account privileges.

Performance degradation: Malware applications utilize the resources of the infected computer, consuming storage space and disrupting legitimate processes. The IT support team may observe an increase in user complaints regarding sluggish performance, system crashes, or inundation with pop-up notifications.

Unusual network behavior: IT and security personnel may detect anomalous patterns, such as processes consuming more bandwidth than usual, devices communicating with unfamiliar servers, or user accounts accessing resources they typically don't use.

Security event alerts: For organizations equipped with threat detection solutions, the initial indication of a malware infection is likely to be a security event alert. Solutions like intrusion detection systems (IDS), security information and event management (SIEM) platforms, and antivirus software can flag potential malware activity for the incident response team to investigate.
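The network indicators listed above can be checked mechanically against a baseline. The following script is an added example, not code from the original article: it runs over a constructed outbound flow log and flags devices talking to servers outside the known corporate set, users touching resources they do not normally use, and processes sending far more data than their usual volume. The server list, the per-user baselines and the bandwidth threshold are assumptions chosen for the sample.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed outbound flow records for this example (not real telemetry).
FLOW_LOG = """\
ts,host,user,process,dst,bytes_out
2024-03-18T09:00:00,ws-12,alice,outlook.exe,mail.corp.example,18000
2024-03-18T09:05:00,ws-12,alice,svchost.exe,wsus.corp.example,5000
2024-03-18T09:10:00,ws-12,alice,chrome.exe,intranet.corp.example,42000
2024-03-18T09:15:00,ws-12,alice,svchost.exe,wsus.corp.example,6000
2024-03-18T09:20:00,ws-12,alice,svchost.exe,203.0.113.77,9400000
2024-03-18T09:25:00,ws-07,bob,sqlplus.exe,hr-db.corp.example,12000
2024-03-18T09:30:00,ws-07,bob,outlook.exe,mail.corp.example,15000
"""

# Assumed baselines; in practice these come from the asset inventory and
# from observing normal traffic over a learning period.
CORPORATE_SERVERS = {"mail.corp.example", "intranet.corp.example",
                     "wsus.corp.example", "hr-db.corp.example"}
USUAL_RESOURCES = {
    "alice": {"mail.corp.example", "intranet.corp.example", "wsus.corp.example"},
    "bob": {"mail.corp.example", "intranet.corp.example"},
}
BANDWIDTH_FACTOR = 10  # flag flows this many times above the process median


def parse_flows(text):
    """Parse the CSV flow log into dicts with integer byte counts."""
    flows = list(csv.DictReader(io.StringIO(text)))
    for f in flows:
        f["bytes_out"] = int(f["bytes_out"])
    return flows


def find_indicators(flows):
    """Return (reason, flow) pairs for the three network indicators."""
    per_process = defaultdict(list)
    for f in flows:
        per_process[f["process"]].append(f["bytes_out"])
    median_bytes = {p: statistics.median(v) for p, v in per_process.items()}

    hits = []
    for f in flows:
        if f["dst"] not in CORPORATE_SERVERS:
            hits.append(("device talking to unfamiliar server", f))
        elif f["dst"] not in USUAL_RESOURCES.get(f["user"], set()):
            hits.append(("user accessing resource not normally used", f))
        if f["bytes_out"] > BANDWIDTH_FACTOR * median_bytes[f["process"]]:
            hits.append(("process bandwidth far above its median", f))
    return hits


def triage(text=FLOW_LOG):
    """Parse, detect, and return compact tuples for the analyst queue."""
    return [(reason, f["ts"], f["host"], f["process"], f["dst"])
            for reason, f in find_indicators(parse_flows(text))]


if __name__ == "__main__":
    for hit in triage():
        print(*hit, sep=" | ")
```

Only the svchost.exe flow to the external address and bob's connection to the HR database are reported; the routine mail, intranet and update traffic passes silently.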

Protecting against and removing malware

Malware assaults are unavoidable, yet organizations can bolster their defenses by taking several measures:

Incident response plans: Developing comprehensive incident response plans tailored to various malware types enables cybersecurity teams to swiftly contain and eradicate malware infections when they occur.

Security policies: Implementing robust password requirements, multi-factor authentication, and VPN usage for accessing sensitive assets over unsecured Wi-Fi can hinder hackers' access to user accounts. Enforcing regular patch management, vulnerability assessments, and penetration testing schedules aids in detecting and mitigating software and device vulnerabilities before cybercriminals exploit them. Policies governing BYOD (bring your own device) management and shadow IT prevention can stop users from inadvertently introducing malware onto the corporate network.

Backup protocols: Maintaining current backups of critical data and system images, ideally stored on disconnected hard drives or other offline devices, facilitates recovery from malware attacks.

Security awareness training: Educating users on identifying social engineering attacks, malicious websites, and counterfeit apps can curb malware infections stemming from user actions like downloading fake software or falling for phishing scams. Such training also empowers users to recognize malware threats and report them promptly.

Zero trust network architecture: Adopting a zero trust approach to network security ensures users are continually verified rather than trusted, implementing principles like least privilege, network microsegmentation, and continuous adaptive authentication. These measures restrict unauthorized access to sensitive data or assets by users or devices, limiting the lateral spread of malware within the network.

Malware and cybersecurity technologies

In addition to the manual approaches discussed earlier, cybersecurity teams can leverage security solutions to automate various aspects of malware detection, removal, and prevention. These tools include:

Antivirus software: Also known as "anti-malware" software, antivirus programs scan systems to identify signs of infections. Many antivirus tools not only alert users to potential threats but also automatically isolate and eliminate malware upon detection.

Endpoint detection and response (EDR) platforms: EDR platforms monitor endpoint devices, such as smartphones, laptops, and servers, for signs of suspicious activity and can automatically respond to identified malware threats.

Attack surface management (ASM) tools: ASM tools continually discover, analyze, remediate, and monitor all assets within an organization's network. ASM can assist cybersecurity teams in identifying unauthorized shadow IT applications and devices that may harbor malware.

Unified endpoint management (UEM) solutions: UEM software oversees, manages, and secures all end-user devices within an organization, including desktops, laptops, and mobile devices. Many organizations rely on UEM solutions to ensure that employees' BYOD devices do not introduce malware into the corporate network.

Firewalls: Firewalls serve to block malicious traffic from accessing the network, acting as a barrier against potential threats. In instances where malware infiltrates a network device, firewalls can help thwart outbound communications to attackers, such as preventing a keylogger from transmitting captured keystrokes.

Security orchestration, automation, and response (SOAR) platforms: SOAR platforms integrate and coordinate different security tools, enabling the creation of semi- or fully automated response playbooks for addressing malware in real-time.

Security information and event management (SIEM) platforms: SIEM platforms collect data from various internal security tools, consolidate it into a central log, and highlight anomalies. By centralizing alerts from multiple sources, SIEMs facilitate the detection of subtle indications of malware.

Extended detection and response (XDR) platforms: XDR platforms unify security tools and operations across all layers of security—covering users, endpoints, email, applications, networks, cloud workloads, and data. XDR solutions automate complex processes related to malware prevention, detection, investigation, and response, including proactive threat hunting.