Malware is a piece of bad news wrapped up in software. That’s the long and short of it. Malicious software coded with the intent of causing harm to a user, a system, or a network is nothing new, but what’s scary is its continuing evolution into new and invisible forms of threats.
To combat cyber threats in an enterprise, you need a solid foundation of important topics like what malware is, how it spreads, and all its different types that lurk out there in the wild.
This brief guide covers all the basics you need to know about malware.
What is Malware and its Types?
Malware can simply be defined as malicious code. It is software that is developed with malicious intent, or whose effect is malicious. It can cripple or disrupt a system’s operation, give attackers access to confidential and sensitive information, and spy on personal and private computers.
Cybercriminals specifically program malware to be stealthy so that it can stay on the target system for extended periods of time without the consent or knowledge of the user. Malicious software usually disguises itself as clean programs.
But while the effects of such malicious software often are harmful for users, they are devastating for companies. If spread through a network, malware can cause widespread damage and disruption, necessitating extensive recovery efforts within organizations.
The spectrum of malware is wide — and getting wider by the minute.
History of Malware
As you can imagine, the history of malware goes a long way. The term malware may have been introduced by Yisrael Radai in 1990, but these types of threats had been in existence decades before, referred to as computer viruses. Many of these early infectious programs were written as experiments or pranks, but today, hackers use malware to steal personal, financial or business information. Worse yet, government agencies are in on the act too, in order to gain access to secrets.
Barely a day goes by now without hearing about increasingly complex malware leaving a trail of destruction in its wake.
Let’s take a look at the scary things you can encounter, both online and offline, from spyware, adware, viruses to worms, Trojans and various other types of threats.
Before we move onto the crucial details, here is a quick look at some of the common terms and abbreviations that you will see when discussing malware.
Ways of Spread
Drive-by download: The unintended download of computer software from the Internet. It either refers to the download that happens without the knowledge of a user, or the download that a person authorizes but without the understanding of the consequences.
Homogeneity: A setup where all the systems are running the same operating system and are connected to the same network. This increases the chances that a worm on one computer will spread easily to the others on that network.
Vulnerability: A security defect in software that can be exploited by malware. It could be a design flaw, programming error, or some other kind of inherent weakness in a software implementation, application or operating system.
Backdoor: An opening or break left in software, hardware, network or system security by design, usually for debugging purposes.
Types of Malware Attacks
0-Day: A zero-day vulnerability is an undisclosed flaw that hackers can exploit. It’s called 0-day because it is not publicly reported or announced before becoming active.
Exploit: A threat made real via a successful attack on an existing vulnerability. Also refers to software that is developed to target the loopholes on a particular device.
Privilege escalation: A situation where an attacker gains access beyond what they were granted, reaching restricted data or functions that sit at a higher security level.
Evasion: The techniques malware authors design to avoid detection and analysis of their malware by security systems and software.
Blended threat: A malware package that combines the characteristics of multiple types of malware like Trojans, worms or viruses, seeking to exploit more than one system vulnerability.
Other Important Terms
Botnet: A number of Internet connected devices that are running one or more bots. Botnets are used to perform distributed denial of service attacks, send spam, and steal data.
Containment: The process of stopping the spread of malware, and preventing further damage to hosts.
Endpoint: In the sense of endpoint security, an approach to protecting computer networks that are remotely bridged to client devices. Devices that are not in compliance can thereby be provisioned with limited access.
Payload: The part of the malware program that actually does the damage.
Privilege: In computing, privilege means the access to modify a system.
Signature: Signs that are specific to either a certain type of behavior or a specific item of malware.
Threat: In computing security, a computer or network is deemed under threat when it harbors persistent software vulnerabilities, thereby increasing the possibility or certainty of a malicious attack.
Track: Evidence of an intrusion into a system or a network. Advanced malware can clean folders, clear event logs, and hide network traffic to cover their tracks.
Zombie: A computer connected to the Internet that has been compromised by a hacker, computer virus or Trojan horse. It can be used to perform malicious tasks.
Different Types of Malware
Running into a word that starts with mal is a literal sign that something is bad. In general, most experts view the term malware as a contraction of two words — malicious software. The word has bad connotations by deliberate construction, but the actual picture of what malware is and does is a little less clear cut.
That’s because there is a whole range of malicious software that you can encounter on your computing journey, with new types and categories of threats emerging, as the world moves toward a digital future.
So much so that viruses are now just the tip of the iceberg.
Recent studies say that the majority of the malicious software out there in the wild today is Trojans and worms, with viruses having declined in numbers. A 2011 study had Trojan horses amount to 69.99% of all malware tracked, while viruses only made up 16.82%. This is a number that has clearly gone up.
A more recent study in 2017 found that malware aimed at mobile devices like smartphones and tablets is increasing at an alarming rate, and even coming pre-installed on devices.
But what are the various types of malware, and how exactly are they classified?
Let’s see how attackers install and deploy these types of threats, as well as a few infamous and destructive examples of these types of malware.
1. Viruses
Viruses have been around since the dawn of time — speaking in computer terms, that is. In fact, computing luminary John von Neumann did the first academic work on the theory of self-replicating computer programs all the way back in 1949. The first programs that can be classified as viruses were detected in the 70s.
The primary characteristic that a piece of software must possess to qualify as a virus is an urge to reproduce that is programmed into it. This mechanism means that this type of malware will distribute copies of itself, using any means to spread. Another characteristic common to viruses is that they are covert, making it hard to detect their presence on a system without dedicated security programs called antivirus software.
Essentially, they arrive uninvited, hide in secrecy and usually work in obscurity.
And that is what makes them so deadly.
They hide within computer files, and the computer must run that file (execute that code, in other words) for a virus to do its dirty work. At its core, a virus is nothing but contagious code that attaches itself to other software and usually requires human interaction to propagate. This is how viruses are further classified: by whether they reside in binary executables, in data files, or in the boot sector of a hard drive of a particular system.
1a. System or boot infectors
A virus can infect a system as a resident virus by installing itself as part of the operating system, so that it remains in RAM from the time a computer is booted up to when it is shut down. These types of viruses are very rare these days, what with the advent of the Internet and the security procedures built into modern operating systems like Windows 10.
2a. File infectors
Many viruses sneak into ordinary executable files like .EXE and .COM in order to up their chances of being run by a user. Any file type that Windows can call for execution is susceptible, including batch and script files like .BAT, .JS, .VB, and even screensaver files with the .SCR extension.
3a. Macro viruses
These types of viruses run inside specific applications that allow macro programs in order to extend the capabilities of a given piece of software. Viruses that targeted Microsoft Office were widespread a few years back, though the threat of macro viruses has also declined in recent times, as unsigned macros are automatically disabled in Office and are not allowed to run.
Many users install antivirus software that can detect and eliminate known viruses, and also prevent infections when the computer attempts to download or run executable files that are downloaded from the Internet, distributed as email attachments, or carried on USB flash drives. Because cybercriminals continue to create new viruses, the antivirus software needs to be regularly updated in order to recognize the latest threats.
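To make the "known viruses" and "regularly updated" points concrete, here is a small signature-based scanner. It is an added example written for this guide, not the code of any antivirus product, and its signature database is constructed for the demonstration: the only real entry is the EICAR test string, a harmless industry-standard file that every engine detects on purpose. The "Example-Dropper" family name, its byte pattern, and the sample files are all invented here. The example shows the two signature kinds a vendor typically ships: an exact file hash, which is cheap but misses a sample the moment one byte changes, and a byte pattern, which survives small edits, which is why both exist and why the database must keep growing as new samples appear.

```python
"""Minimal signature-based scanner (illustrative, not a real AV engine)."""
import hashlib
import re

# EICAR test string: a standard, harmless file that antivirus engines detect
# by design. Kept as a raw bytes literal so the backslash survives as-is.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Exact-match signatures: SHA-256 of whole files known to be malicious.
# Constructed for this example; a real database holds millions of entries.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}

# Pattern signatures: byte regexes that identify a family regardless of the
# rest of the file. "Example-Dropper" and its marker bytes are invented.
PATTERN_SIGNATURES = {
    "EICAR-Test-File": re.compile(rb"\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$"),
    "Example-Dropper": re.compile(rb"DROP_MARKER_[0-9A-F]{4}.{0,16}RUN_MARKER"),
}


def scan_bytes(data: bytes) -> dict:
    """Return the hash match (if any) and every pattern family that fires."""
    digest = hashlib.sha256(data).hexdigest()
    hits = [name for name, pat in PATTERN_SIGNATURES.items() if pat.search(data)]
    return {"hash_hit": HASH_SIGNATURES.get(digest), "pattern_hits": hits}


def verdict(data: bytes) -> str:
    """Collapse the scan result into a single label, exact match first."""
    result = scan_bytes(data)
    if result["hash_hit"]:
        return f"KNOWN: {result['hash_hit']}"
    if result["pattern_hits"]:
        return "SUSPECT: " + ", ".join(sorted(result["pattern_hits"]))
    return "CLEAN"


def scan_files(files: dict) -> dict:
    """Scan a mapping of file name -> contents and return name -> verdict."""
    return {name: verdict(data) for name, data in files.items()}


# Constructed in-memory sample "files"; nothing is written to disk.
SAMPLES = {
    "readme.txt": b"Quarterly report attached, see spreadsheet.\n",
    "eicar.com": EICAR,
    # Same test file with the last byte changed: the hash signature misses,
    # the pattern signature still fires. This is why hash-only lists age fast.
    "eicar_variant.com": EICAR[:-1] + b"#",
    # Fake PE-like blob carrying the invented dropper marker bytes.
    "installer.exe": b"MZ\x90\x00" + b"\x00" * 32 + b"DROP_MARKER_1A2B payload RUN_MARKER",
}

if __name__ == "__main__":
    for name, label in scan_files(SAMPLES).items():
        print(f"{name:20s} {label}")
```

Run as a script to see one verdict per sample; the variant file is the interesting row, because it is flagged only by the pattern signature. A real engine adds emulation, heuristics and behavioural rules on top of this, precisely because attackers can rewrite a sample until no stored signature matches.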
And although their threat may have diminished in recent years, and other forms of malware may have taken the spotlight, viruses have been the cause of widespread destruction, as they replicate and perform activities like accessing sensitive information, stealing data, and most of all, consuming system resources like CPU and disk space, crippling the systems, often rendering them useless.
Some infamous examples of viruses over the years are the Concept virus, the Chernobyl virus (also known as CIH), the Anna Kournikova virus, Brain and RavMonE.exe.
2. Worms
The second of the two types of infectious malware. A worm is standalone software that replicates without targeting and infecting specific files that are already present on a computer. Think of worms as small programs that replicate themselves on a computer and destroy the files and data on it. They usually target the operating system files, and work until the drive they are in becomes empty.
Basically, whereas viruses add themselves inside existing files, worms carry themselves in their own containers.
Worms usually show up via email and instant messages, and often confine their activities to what they can accomplish inside the application that moves them. They use a computer network to spread, relying on security failures on the target computer in order to access it and delete data.
Many worms that have been created are designed only to spread, and do not attempt to change the systems that they pass through. But even these can have unintended effects and cause major disruptions by increasing network traffic.
Examples include Melissa, Morris, Mydoom, Sasser, Blaster, and Mylife.
3. Trojan Horses
A Trojan is a malicious program that misrepresents itself to appear useful. Trojans are spread in the guise of routine software that persuades a victim to install it on their PC. The term is derived from the Ancient Greek story of the wooden horse that was used to invade the city of Troy by stealth — Trojan horses are just as deadly on computers.
The payload can be anything, but is usually a form of a backdoor that allows attackers unauthorized access to the affected computer. Trojans also give cybercriminals access to the personal information of a user like IP addresses, passwords and banking details. They are often used to install keyloggers that can easily capture account names and passwords, or credit card data, and disclose it to cybercriminals. Most ransomware attacks are also usually carried out using a Trojan horse, by housing the harmful code inside an apparently harmless piece of data.
Trojans are now considered to be the most dangerous of all malware, particularly the ones that are designed to steal the financial information of a user. Some insidious types of Trojans actually claim to remove the viruses in the system, but instead introduce viruses.
Notable examples also include Trojan horses developed by governments and government agencies like the FBI, NSA, and GCHQ. Names like Magic Lantern, FinFisher, WARRIOR PRIDE, Netbus, Beast, Blackhole exploit kit, Gh0st RAT, Tiny Banker Trojan, Clickbot.A, and Zeus have been the cause of horror. Shedun, an Android malware discovered in 2015, is one of the many that target mobile devices.
4. Rootkits
A rootkit is a collection of software specifically designed to let information-gathering malware into your system while hiding its presence. Rootkits work in the background so that a user may not notice anything suspicious, and from there they permit several types of malware to get into the system.
Rootkits work like a back door for malware to enter and wreak havoc, and are now being used extensively by hackers to infect systems. A rootkit installation can either be automatic, or an attacker can install it once they have obtained administrator privileges.
Root access in other words.
Detecting a rootkit is difficult, as this type of malware is often able to subvert the software that locates it. Removing a rootkit is equally complicated, or in some cases practically impossible — more so in cases where the rootkit resides inside the kernel of an operating system. Reinstalling the OS is often the only solution to completely get rid of such an advanced rootkit.
The first malicious rootkit to gain notoriety on Windows was NTRootkit in 1999, but the most widely known is the Sony BMG copy protection rootkit scandal that rocked the company in the year 2005. Its discovery and media attention exposed users to even more serious vulnerabilities.
5. Ransomware
The most devastating type of malicious software, by some counts. Definitely one of the most advanced and constantly on the rise these days. Ransomware blocks access to the data of a victim, threatening to either publish it or delete it until a ransom is paid. Worse yet, there is no guarantee that paying a ransom will return access to the data, or prevent it from deletion.
This type of malware basically infects the system from the inside, locking the computer and making it useless. Simpler ransomware may lock a system in a way that is difficult for most people to reverse, while the more advanced variety of ransomware encrypts the files of a victim, rendering them inaccessible, and demands a ransom payment to decrypt the files.
Ransomware attacks initially gained popularity in Russia, but these types of scams have now grown in popularity internationally. They are typically carried out using a Trojan that comes with a payload that is disguised as a legitimate file.
Although this manner of digital extortion has been in play since the late 80s, it returned to prominence in late 2013 with the advent of digital currency that is used to collect ransom money. Many security vendors classify ransomware as the most dangerous cyber threat — its detection and removal is a complicated process. And though it is widespread on PC platforms, ransomware that targets mobile operating systems has also seen a rise.
Major ransomware like Reveton, CryptoLocker, CryptoWall, and more recently, the 2017 WannaCry attack, have caused no small amount of destruction. Fusob, one of the most widely used mobile ransomware families, has employed scare tactics to extort people into paying a ransom.
6. Keyloggers
Software that records all the information that is typed using a keyboard. Keyloggers usually are not capable of recording information that is entered using virtual keyboards and other input devices, but physical keyboards are at risk with this type of malware.
Keyloggers store the gathered information and send it to the attacker, who can then extract sensitive information like usernames and passwords as well as credit card details.
7. Grayware
Grayware is a recently coined term that came into use around 2004. It is used to describe unwanted applications and files that, though not classified as malware, can worsen the performance of computers and lead to security risks. At the minimum, these programs behave in an annoying or undesirable manner, and at worst, they monitor a system and phone home with information.
Grayware alludes to both adware and spyware. Almost all commercially available antivirus software can detect these potentially unwanted programs, and offer separate modules to detect, quarantine and remove malware that displays advertisements.
8. Adware
Although ad-supported software is now much more common, and known as adware in some circles, the word has been linked to malware for quite some time. While adware can refer to any program that is supported by advertising, malicious adware usually shows ads in the form of popups and windows that cannot be closed.
It is perhaps the most lucrative and least harmful malware, designed with the specific purpose of displaying ads on your computer. Adware usage is on the rise on mobile in particular, with some Chinese firms bundling in adware by default in certain low-cost Android smartphones.
9. Spyware
Spyware, as the name gives away, is software that constantly spies on you. Its main purpose is to keep track of your Internet activities in order to send adware. Spyware is also used to gather information about an organization without its knowledge, and send that information to another entity, without the consent of the victim.