What is Malware? Defending Against Digital Threats and Intrusions
Malware, or “malicious software,” is a program designed to cause harm to the computers that it infects and to their users. Malware can be designed to achieve various purposes — including data theft, sabotage, or remote access — and is used to help achieve the attacker’s goals in various cyberattack campaigns. As a result, anti-malware defenses are an essential component of a corporate cybersecurity strategy.
Types of Malware
Malware causes a range of problems, including data theft and loss, denial of service (DoS), and similar threats. The following list is some of the most common and significant types of malware that companies may face.
Computer viruses are malware that can spread itself between computers. Once a user opens or runs an infected file, the malware might infect other files, send spam emails, or take other actions to expand its foothold and infect other systems.
Worms are a form of malware defined by the ability to spread without human interaction. Often, this is accomplished by scanning for and exploiting vulnerabilities. For example, WannaCry was a famous ransomware worm that exploited vulnerabilities in Windows SMB servers to install and execute itself on computers.
Ransomware is malware designed to threaten an organization’s files or systems, enabling the attackers to extort a ransom. Originally, ransomware did so by encrypting files and demanding payment for the decryption key. However, ransomware operators are increasingly shifting to stealing data and demanding a ransom to not leak it.
Trojans are malware designed to look like a legitimate and desirable file. For example, trojan malware may appear to be a free version of office software or a cracked version of a game. The goal of a trojan is to trick the victim into installing and running the program themselves, which installs the malware on their computer.
Spyware is malware designed to collect and exfiltrate personal information about the victim to the attacker. Once installed, the spyware may attempt to collect passwords, payment card details, personally identifiable information (PII), and similar data from a computer by reading files or monitoring keyboard input. It then transmits the stolen data to the attacker for resale or use in other attacks.
Adware is a type of software that uses advertising to earn money. While some legitimate software uses advertising in this way, the term adware is commonly used to refer to software that serves unwanted and potentially malicious ads. These ads could point users to phishing pages or be designed to earn money from advertisers for attackers.
Rootkits are malware designed to hide the presence of other malware on the system. Rootkits can operate in user or kernel mode and scrub signs of the infection. For example, rootkits can hide the presence of malware files in a folder or conceal the malware in a list of currently running processes.
Keyloggers are designed to collect sensitive information by monitoring keystrokes on the computer. By listening for keystrokes, the malware can identify passwords, payment card information, and other sensitive data that is typed into the computer. This stolen data can either be transmitted to the attacker over the network or — in the case of a physical keylogger — may be stored for later retrieval.
Botnets are collections of compromised computers used to perform large-scale automated attacks such as Distributed Denial of Service (DDoS) attacks, spam email and phishing attacks, credential theft, and more. Botnet malware is used to infect and add computers to the larger network of compromised devices. Once running on a device, the malware listens for commands from the botnet operator and executes the indicated attacks.
Remote Access Trojans (RATs)
Remote access trojans (RATs) are a specific type of trojan malware designed to grant an attacker access to an infected computer. Like other trojans, RATs masquerade as legitimate files so that the victim installs them on the target device. Then, they connect to the attacker’s command and control (C2) infrastructure, which allows the attacker to send commands and remotely control the infected device.
Cryptojackers make money for an attacker by mining cryptocurrency. The Proof of Work (PoW) consensus algorithm used by some blockchains requires significant computational power to perform cryptographic operations and find blocks. Cryptojacking malware infects a computer and uses its computational resources for the block mining process while the proceeds of block creation go to the attacker.
Wipers are destructive malware used for sabotage or disruption. Wipers can delete files or encrypt them — like ransomware — and destroy the decryption key. One example of wiper malware is Industroyer, which was used to attack the Ukrainian power grid and created blackouts in Kyiv on multiple occasions.
Many antiviruses and other endpoint security solutions identify malware by scanning each file in the filesystem for known signatures or malicious content. Fileless malware attempts to evade these defenses by living only in memory and never storing any data on disk. Often, this malware is designed to “live off the land” by abusing built-in features and management tools of the computers it infects.
Traditional antiviruses often identify malware based on signatures, such as the hash of the malicious file. Polymorphic malware is designed to change its shape and signature with every infection, which also causes its hash to evolve. These changes don’t affect the functionality of the malware but make it more difficult to detect, block, and remove.
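The contrast between hash signatures and content signatures described above, as an added example that is not part of the original article: two constructed byte strings stand in for two variants of the same polymorphic family, a SHA-256 denylist catches only the variant it was built from, while a YARA-style hex pattern (with `??` as a single-byte wildcard, an assumed convention here) over the invariant core matches both.

```python
import hashlib
import re

# Constructed samples, not real malware: both carry the invariant marker
# "CFG:" <2 variable bytes> "|END", but the surrounding bytes differ, which
# is enough to change the file hash on every "infection".
SAMPLE_A = b"\x00" * 4 + b"CFG:\x01\x02|END" + b"A" * 6
SAMPLE_B = b"\x11" * 4 + b"CFG:\x07\x09|END" + b"B" * 6
BENIGN = b"just a text file with no marker"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hash-based signature: only the exact bytes seen before are known.
DENYLIST = {sha256_hex(SAMPLE_A)}


def hash_match(data: bytes, denylist: set) -> bool:
    return sha256_hex(data) in denylist


def compile_hex_pattern(pattern: str) -> "re.Pattern[bytes]":
    """Turn a YARA-style hex string such as '{ 43 46 ?? 3A }' into a bytes regex.
    Each token is one byte in hex; '??' matches any single byte."""
    tokens = pattern.strip().strip("{}").split()
    regex = b"".join(
        b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in tokens
    )
    return re.compile(regex, re.DOTALL)


# Content-based signature: "CFG:" ?? ?? "|END" survives the byte changes.
SIGNATURES = {"demo_family_marker": "{ 43 46 47 3A ?? ?? 7C 45 4E 44 }"}


def pattern_match(data: bytes, pattern: str) -> bool:
    return compile_hex_pattern(pattern).search(data) is not None


def scan(data: bytes, denylist: set = DENYLIST, signatures: dict = SIGNATURES) -> dict:
    """Report which detection method fires for one sample."""
    return {
        "hash": hash_match(data, denylist),
        "pattern": [name for name, pat in signatures.items() if pattern_match(data, pat)],
    }


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)):
        print(label, scan(sample))
```

Running the block shows the hash detector firing only on sample A while the pattern signature fires on both A and B and stays silent on the benign file.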
Common Vectors of Malware Infection
Cybercriminals use a variety of different techniques to deliver malware to a target. These range from social engineering to exploiting vulnerabilities in target systems.
Phishing emails are one of the most common methods for delivering malware to a target computer. They can accomplish this goal in a few different ways, including:
- Malicious Links: Links embedded in the text of the email may point to phishing sites. These sites can serve malware as trojans or attempt to infect a computer by exploiting vulnerabilities in the user’s browser.
- Infected Attachments: Malware may also be attached to an email with the email’s text designed to convince the recipient to open and run the malicious file. One common vector is Microsoft Office macros which, if enabled, allow code to run within a Word, Excel, or PowerPoint document.
- Social Engineering: Phishing emails can also use social engineering to achieve their goals. For example, a seemingly legitimate email may convince a user to search for a particular term on the Internet, leading them to a phishing site.
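One defensive check a mail gateway can apply to the Infected Attachments vector above, as an added example that is not part of the original article: modern Office files are ZIP containers, and a macro-enabled document carries a `vbaProject.bin` part (under `word/`, `xl/` or `ppt/`) or declares the `vnd.ms-office.vbaProject` content type, so an attachment can be flagged before a user ever sees the "Enable Content" prompt. The sample documents are constructed in memory; they are minimal containers, not real Word files.

```python
import io
import zipfile

# OOXML parts that hold VBA macro code for Word, Excel and PowerPoint
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Legacy binary Office formats (.doc/.xls/.ppt) are OLE2/CFB files with this magic
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by whether they can carry VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Legacy formats can hold macros anywhere in the OLE tree; quarantine for
        # deeper parsing rather than guessing from the container alone.
        return "legacy-ole-needs-deeper-inspection"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return "not-office"  # a ZIP, but not an OOXML package
            if any(part in names for part in VBA_PARTS):
                return "macro-enabled"
            if b"vnd.ms-office.vbaProject" in zf.read("[Content_Types].xml"):
                return "macro-enabled"  # declared macro part under a non-standard path
    except zipfile.BadZipFile:
        return "corrupt-zip"
    return "office-no-macros"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped container for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    print("plain docx:", classify_attachment(build_docx(False)))
    print("macro docx:", classify_attachment(build_docx(True)))
```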
Cybercriminals can direct users to malicious websites via various means. Phishing emails can contain links pointing to these sites. Cybercriminals can also use search engine optimization (SEO) or paid advertising to cause their pages to rank highly on search results.
These phishing sites can use different means to deliver malware to the user as well. For example, social engineering can trick users into downloading and running trojans. Alternatively, the attacker can attempt to exploit vulnerabilities in the user’s browser to automatically download and run the malware.
While email is the best-known medium for phishing, cybercriminals also use a range of collaboration solutions. Tools like Slack, Zoom, and other Software as a Service (SaaS) tools that offer file storage or the ability to share links have also become vectors for distributing malware.
The rise of remote work and SaaS applications has resulted in many corporate systems and applications being accessible from outside the traditional network perimeter. If an attacker gains access to a user’s credentials — via phishing, a data breach, or other means — they can directly access corporate systems and plant the malware themselves.
Exploitation of unpatched vulnerabilities is a common infection vector used by worms. These types of malware are designed to scan for and exploit vulnerabilities that enable remote code execution (RCE), which allows them to upload and execute themselves on a device.
Smishing attacks are phishing messages delivered by text messages on mobile devices rather than email or other messaging platforms. These messages usually contain links to phishing sites or malicious apps and take advantage of link-shortening services — which conceal the targets of links — and the fact that many people are constantly using their mobile devices.
Software bundling is a common method for distributing potentially unwanted programs (PUPs). When downloading a legitimate, desirable program, a user will also get browser toolbars and other unwanted programs. These can include malware that uses the legitimate program to trick its way onto a computer.
Malvertising is advertising turned to malicious purposes. This could be used to direct users to phishing sites or to push malware. In some cases, clicking on an advertisement may allow malicious code to run in the user’s browser.
Removable media such as USB drives can be used to infect a computer with malware when the device is plugged into it. If the target computer has Autorun enabled, a USB drive can be configured to automatically run the malware when it is plugged in. Another common tactic is to include a malicious file with an enticing name on the drive in an attempt to trick the target into opening the file and infecting their computer with malware.
The Impact of Malware
Malware comes in many different forms, and each of these types has different goals. As a result, a malware infection can have various impacts on an organization and its users.
Data Theft and Privacy Breaches
Data theft is a common goal of cyberattacks using malware. For example, infostealers, keyloggers, and ransomware are three types of malware that include an information-stealing component. Once data has been stolen and exfiltrated, the attacker can sell it on the Dark Web or use it in later attacks.
Malware infections can cause financial losses for a company in different ways. Ransomware demands payment to decrypt data or keep it private. Data-stealing malware could cause a loss of sales or competitive advantage if the data is leaked or the breach harms brand reputation.
Disruption of Operations
Some types of malware — such as ransomware and wipers — are designed to cause disruption to an organization’s operations by encrypting or deleting valuable data. However, any malware infection can cause disruptions to an organization’s operations as resources directed to incident response are taken away from other initiatives.
Reputational damage is also a potential negative impact of a malware infection. When an incident becomes public, the organization may lose customers due to the perception that the company failed to adequately protect their data. Additionally, malware infections could negatively impact partner and supplier relationships if an organization is unable to fulfill its contractual duties.
Defending Against Malware
Malware infections pose a significant risk to an organization, its customers, and its employees. Companies can take various steps to help protect themselves and their users from malware attacks.
Antivirus and Anti-malware Software
Antivirus and anti-malware software are designed to identify, contain, and remediate malware infections on a system. By deploying these solutions, keeping them up-to-date, and performing regular scans, an organization increases the probability that it will be able to identify and block a malware infection before it causes damage to the organization.
Keeping Software and Systems Updated
Worms and other types of malware gain access to an organization’s systems by exploiting unpatched vulnerabilities. Regularly applying updates and patches can help prevent malware infections and limit the damage that a successful infection can do to the organization and its systems.
Safe Browsing Practices
Malicious websites are a common method of distributing malware, and cybercriminals use various methods to trick users into visiting these sites, downloading malware, or clicking on malicious ads. Training employees to embrace safe browsing practices and deploying web security solutions can help prevent users from visiting malicious sites and block malware from being installed on users’ devices.
Educating Users about Phishing
Phishing attacks are a form of social engineering, which targets the human rather than software. Trickery, coercion, and other forms of psychological manipulation are key to the success of these attacks. By training users on the risks of phishing and best practices for managing suspected phishing emails, an organization can dramatically reduce its phishing risk.
Regular Data Backups
Some forms of malware — including ransomware and wipers — are designed to destroy or deny users access to their data. By performing regular data backups, an organization can ensure that it can recover any lost data without the need to pay a demanded ransom.
Network Security Measures
Most malware infections occur over the network, and malware uses the network to communicate with its operator, exfiltrate data, and download additional malicious code. Network security solutions can help an organization detect, block, or remediate a malware infection.
Best Practices for Preventing Malware Attacks
Malware needs to reach and run on a computer to achieve its goals. Below, we take a look at some best practices for preventing an intrusion into an organization’s network and systems.
Firewalls are a key component of an organization’s network security architecture. By controlling the types of traffic that enter and leave the network, firewalls can help block malware infections or prevent exfiltration of an organization’s sensitive data. Configuring firewalls to minimize external access to corporate resources and the types of traffic that can cross the network boundary helps to reduce an organization’s exposure to malware attacks.
Malware communicates over the network at multiple stages of its attack lifecycle. Network monitoring can help to identify the initial delivery of malware to the target system, command and control traffic between the malware and its operator, and attempted data exfiltration by the malware. This information can help to prevent, remediate, or determine the scope of a malware infection.
Access Control and Authentication
Malware commonly exploits compromised accounts to gain initial access to an organization’s systems or move laterally through the network. Implementing strong access control and authentication — including zero-trust network access (ZTNA) and multi-factor authentication (MFA) — can make it more difficult for malware to gain the access and privileges required to achieve its goals.
Incident Response Plan
Every organization will eventually suffer a malware infection, and a fast, accurate response is essential to minimizing the impact of the security incident. To ensure a smooth response, an organization should have an incident response plan and team in place in advance to reduce the risk of delays or mistakes.
Cato Protection Against Malware
Cato offers a range of network-level defenses against malware attacks. Secure Access Service Edge (SASE) converges network security functions like NGFW, IPS, NGAM, etc. to provide advanced threat protection, zero-trust network access (ZTNA), and other key cybersecurity functions. Learn more about how Cato SASE Cloud can help your organization protect itself against malware and other critical cybersecurity threats.