Malware, or malicious software, is any program or file that harms a computer or its user. Common types of malware include computer viruses, ransomware, worms, trojan horses and spyware. These malicious programs can steal, encrypt or delete sensitive data, alter or hijack key computing functions and monitor the victim's computer activity.
Cybercriminals use a variety of physical and virtual means to infect devices and networks with malware. For example, WannaCry, a well-known ransomware attack, spread by exploiting a known vulnerability. Phishing is another common malware delivery method, in which emails disguised as legitimate messages contain malicious links or attachments that deliver executable malware to unsuspecting users.
Sophisticated malware attacks use a command-and-control server to allow attackers to communicate with the infected computer system, steal sensitive information from the hard drive or gain remote access to the device.
Emerging strains of malware include evasion and obfuscation techniques designed to fool users, security administrators and anti-malware products. Evasion techniques range from simple tactics, such as hiding the source IP address, to polymorphic malware, which changes its own code to avoid signature-based detection tools. Another example is fileless malware, which exists only in a system's RAM to avoid being detected.
Different types of malware have unique traits and characteristics; we'll cover 22 in this post.
Table of contents
- What are computer viruses?
- What is a computer worm?
- What is a trojan horse?
- What are rootkits?
- What is ransomware?
- What is a keylogger?
- What is grayware?
- What is fileless malware?
- What is adware?
- What is malvertising?
- What is spyware?
- What are bots and botnets?
- What is a backdoor?
- What is a browser hijacker?
- What is crimeware?
- What are malicious mobile apps?
- What is a RAM scraper?
- What is rogue security software?
- What is cryptojacking?
- What is hybrid malware?
- What is social engineering and phishing?
- What are bugs?
- How does malware spread?
- How to find and remove malware
- How UpGuard can help prevent malware
1. What are computer viruses?
A virus is a type of malware that, when executed, self-replicates by modifying other computer programs and inserting its own code. When this replication succeeds, the affected areas are said to be infected.
Virus writers use social engineering and exploit vulnerabilities to infect systems and spread the virus. The Microsoft Windows and Mac operating systems are the targets of the vast majority of viruses, which often use complex anti-detection strategies to evade antivirus software.
Viruses are created to make a profit (e.g. ransomware), send a message, provide personal amusement, demonstrate that vulnerabilities exist, carry out sabotage or denial of service, or simply to explore cybersecurity issues, artificial life and evolutionary algorithms.
Computer viruses cause billions of dollars' worth of economic damage by causing system failure, wasting resources, corrupting data, increasing maintenance costs, logging keystrokes and stealing personal information (e.g. credit card numbers).
2. What is a computer worm?
A computer worm is a self-replicating malware program whose primary purpose is to infect other computers by duplicating itself while remaining active on the systems it has already infected.
Worms often use computer networks to spread, relying on vulnerabilities or security failures on the target computer to gain access. Worms almost always cause at least some harm to a network, even if only by consuming bandwidth. This differs from viruses, which almost always corrupt or modify files on the victim's computer.
While many worms are designed only to spread and not to change the systems they pass through, even payload-free worms can cause major disruptions. The Morris worm and Mydoom caused major disruptions by increasing network traffic despite carrying no destructive payload.
3. What is a trojan horse?
A trojan horse, or trojan, is any malware that misleads users about its true intent by pretending to be a legitimate program. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.
Trojans are generally spread with social engineering such as phishing.
For example, a user may be tricked into executing an email attachment disguised to appear genuine (e.g. an Excel spreadsheet). Once the executable file is opened, the trojan is installed.
While the payload of a trojan can be anything, most act as a backdoor giving the attacker unauthorized access to the infected computer. Trojans can give access to personal information such as internet activity, banking login credentials, passwords or personally identifiable information (PII). Ransomware attacks are also carried out using trojans.
Unlike computer viruses and worms, trojans do not generally attempt to inject malicious code into other files or propagate themselves.
4. What are rootkits?
A rootkit is a collection of malware designed to give unauthorized access to a computer or an area of its software, and it often masks its own existence or the existence of other software.
Rootkit installation can be automated, or an attacker can install it after obtaining administrator access.
Rootkit detection is difficult because it can subvert the antivirus program intended to find it. Detection methods include using trusted operating systems, behavioural methods, signature scanning, difference scanning and memory dump analysis.
Rootkit removal can be complicated or practically impossible, especially when rootkits reside in the kernel. Firmware rootkits may require hardware replacement or specialized equipment.
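One of the detection methods named above, difference scanning (also called cross-view detection), is shown below as an added example; it is not UpGuard's code. It compares two independent views of the process table on Linux: the numeric entries of /proc, which is the path `ps` and most user-space tools use and the path a rootkit typically filters, against a brute-force probe of every possible PID with kill(pid, 0), which exercises a different kernel code path and delivers no signal. A PID that answers the probe but is missing from the listing is a candidate hidden process. The PID range defaults to an assumed 32768 when /proc/sys/kernel/pid_max cannot be read.

```python
"""Difference scanning for hidden processes (added illustration, Linux only).

Two views of the process table are collected through different kernel paths
and compared; anything alive in one view but absent from the other is a
candidate for a process that a rootkit is hiding.
"""
import os

PID_MAX_ASSUMED = 32768  # assumption used only if /proc/sys/kernel/pid_max is unreadable


def hidden_pids(probe_view, listing_view):
    """Pure comparison step: PIDs alive per the probe but absent from the listing."""
    return sorted(set(probe_view) - set(listing_view))


def read_pid_max(default=PID_MAX_ASSUMED):
    """Upper bound for the brute-force probe."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return default


def listing_view():
    """View 1: numeric entries of /proc (what ps, top and most tools rely on)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(pid_max=None):
    """View 2: ask the kernel about every PID directly; kill(pid, 0) sends no signal."""
    alive = set()
    for pid in range(1, (pid_max or read_pid_max()) + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue      # no such process
        except PermissionError:
            pass          # exists, but owned by another user: still alive
        alive.add(pid)
    return alive


def is_thread(pid):
    """Linux thread IDs also answer kill(); exclude them by checking their Tgid."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        return False      # unreadable: keep it as a candidate rather than drop it
    return False


def scan():
    """Collect both views, diff them, and drop thread IDs from the candidates."""
    candidates = hidden_pids(probe_view(), listing_view())
    return [pid for pid in candidates if not is_thread(pid)]


if __name__ == "__main__":
    print("candidate hidden PIDs:", scan())
```

Processes that start or exit between the two collections produce one-off false positives, so a real tool repeats the scan and reports only PIDs hidden in every run; on hosts with a large pid_max the probe takes a few seconds. A rootkit that hooks the kill() path as well would defeat this particular pair of views, which is why the text lists several methods rather than one.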
5. What is Ransomware?
Ransomware is a form of malware designed to deny access to a computer system or data until a ransom is paid. Ransomware spreads through phishing emails, malvertising, visiting infected websites or by exploiting vulnerabilities.
Ransom payment amounts range from a few hundred to hundreds of thousands of dollars, payable in cryptocurrencies like Bitcoin.
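Because ransomware denies access by rewriting many files with encrypted content in a short time, one host-side check a defender can run is to watch for a burst of rewrites whose new contents have the high byte entropy typical of ciphertext. The example below is added here and is not UpGuard's code; the file contents, entropy threshold, window and the write events are all constructed for illustration.

```python
"""Entropy-burst detection for ransomware activity (added illustration).

shannon_entropy() scores file contents in bits per byte (ciphertext and
compressed data sit near 8.0, office documents and text well below), and
first_burst() reports the moment enough distinct files have been rewritten
with high-entropy content inside a sliding window.
"""
import hashlib
import math
from collections import deque


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def first_burst(events, window_s=60, min_files=5, threshold=7.5):
    """events: (timestamp_s, path, entropy) for each file write.

    Returns the timestamp at which min_files distinct files have been written
    with entropy >= threshold within the last window_s seconds, else None.
    """
    recent = deque()  # (ts, path) of high-entropy writes still inside the window
    for ts, path, ent in sorted(events):
        if ent < threshold:
            continue
        recent.append((ts, path))
        while ts - recent[0][0] > window_s:
            recent.popleft()
        if len({p for _, p in recent}) >= min_files:
            return ts
    return None


# Constructed samples: a plain-text document and a deterministic stand-in for
# ciphertext (SHA-256 output is statistically close to uniform random bytes).
PLAINTEXT_SAMPLE = (b"Quarterly report: revenue grew 4% year over year; "
                    b"see the attached tables for detail.\n") * 60
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest()
                           for i in range(256))

PLAIN_ENTROPY = shannon_entropy(PLAINTEXT_SAMPLE)
CIPHER_ENTROPY = shannon_entropy(CIPHERTEXT_LIKE)

# Constructed write log: ten share files rewritten with ciphertext-like content
# every five seconds, plus one ordinary text edit in between.
SAMPLE_EVENTS = [(t, f"/srv/share/doc{i}.docx", CIPHER_ENTROPY)
                 for i, t in enumerate(range(0, 50, 5))]
SAMPLE_EVENTS.append((3, "/srv/share/notes.txt", PLAIN_ENTROPY))

if __name__ == "__main__":
    print(f"plain text entropy:      {PLAIN_ENTROPY:.2f} bits/byte")
    print(f"ciphertext-like entropy: {CIPHER_ENTROPY:.2f} bits/byte")
    print("burst detected at t =", first_burst(SAMPLE_EVENTS))
```

Legitimate activity such as a backup job or archiving already-compressed files also produces high-entropy writes, so in practice the rule is scoped to user document paths and paired with extension changes or ransom-note filenames before it triggers an isolation response.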
6. What is a keylogger?
Keyloggers, also called keystroke loggers or system monitors, are a type of malware used to monitor and record each keystroke typed on a specific computer's keyboard. Keyloggers are also available for smartphones.
Keyloggers store gathered information and send it to the attacker who can then extract sensitive information like login credentials and credit card details.
7. What is grayware?
The term grayware was coined in September 2004 and describes unwanted applications or files that aren't malware but degrade the computer's performance and can introduce cybersecurity risk.
At a minimum, grayware behaves in an annoying or undesirable manner; at worst, it monitors the system and phones home with information.
Grayware includes adware and spyware. The good news is that most antivirus software can detect potentially unwanted programs and offer to delete them.
Adware and spyware are generally easy to remove because they are not as nefarious as other types of malware.
The bigger concern is the mechanism the grayware used to gain access to the computer, be it social engineering, unpatched software or other vulnerabilities. Other forms of malware, such as ransomware, can use the same method to gain access.
Treat the presence of adware as a warning that the device or user has a weakness that should be corrected.
8. What is fileless malware?
Fileless malware is a type of malware that uses legitimate programs to infect a computer. Unlike other malware infections, it does not rely on files and leaves no footprint on disk, making it challenging for anti-malware software to detect and remove. It exists exclusively as a memory-based artifact, i.e. in RAM.
Fileless malware emerged in 2017 as a mainstream cyber threat but has been around for a while. Frodo, Number of the Beast and the Dark Avenger were all early fileless malware attacks. More recently, the Democratic National Committee breach and the Equifax breach involved fileless malware attacks.
Fileless malware does not write any part of its activity to the computer's hard drive, making it resistant to existing anti-malware and forensic strategies that rely on file-based whitelisting, signature detection, hardware verification, pattern analysis or time-stamping.
It leaves very little evidence that digital forensics investigators can use to identify illegitimate activity. That said, because it is designed to work in memory, it generally only exists until the system is rebooted.
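Since fileless malware has no backing file for a file-based scanner to examine, one memory-side check a responder can run on Linux is to ask the kernel what each running process was executed from: /proc/<pid>/exe links to a path that no longer exists (marked "(deleted)") or to an anonymous memfd object when the code runs from RAM only. The example below is added here and is not UpGuard's code; the sample readlink results are constructed.

```python
"""Find running processes with no executable on disk (added illustration).

memory_only() is the pure decision step over a {pid: readlink target} map;
collect_exe_links() gathers the real map from /proc on a Linux host.
"""
import os

# Constructed sample of /proc/<pid>/exe readlink results.
SAMPLE_EXE_LINKS = {
    101: "/usr/bin/bash",
    202: "/tmp/.cache (deleted)",        # binary removed after launch
    303: "/memfd:stage2 (deleted)",      # code that only ever lived in RAM
    404: "/usr/lib/systemd/systemd",
}


def memory_only(exe_links):
    """Return PIDs whose executable is gone from disk or never existed there."""
    suspicious = []
    for pid, target in sorted(exe_links.items()):
        if target.endswith(" (deleted)") or target.startswith("/memfd:"):
            suspicious.append(pid)
    return suspicious


def collect_exe_links():
    """Read the exe symlink of every process we are allowed to inspect."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # kernel threads have no exe; other users' processes need root
    return links


if __name__ == "__main__":
    for pid in memory_only(collect_exe_links()):
        print(f"pid {pid}: executable not present on disk")
```

A "(deleted)" target is also what you see for a long-running service whose package was upgraded underneath it, so the result is a lead to confirm (for example by dumping the process memory before the reboot that would erase it), not a verdict.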
9. What is adware?
Adware is a type of grayware designed to put advertisements on your screen, often in a web browser or popup.
Typically it disguises itself as legitimate software or piggybacks on another program to trick you into installing it on your computer, tablet or smartphone.
Adware is one of the most profitable and least harmful forms of malware and is becoming increasingly popular on mobile devices. Adware generates revenue by automatically displaying advertisements to the user of the software.
10. What is malvertising?
Malvertising, a portmanteau of malicious advertising, is the use of advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate advertising networks and webpages.
Advertising is an effective way to spread malware because significant effort goes into making ads attractive to users in order to sell or advertise a product.
Malvertising also benefits from the reputation of the sites it is placed on, such as high-profile and reputable news websites.
11. What is spyware?
Spyware is malware that gathers information about a person or organization, sometimes without their knowledge, and sends the information to the attacker without the victim's consent.
Spyware usually aims to track and sell your internet usage data, capture your credit card or bank account information or steal personally identifiable information (PII).
Some types of spyware can install additional software and change the settings on your device. Spyware is usually simple to remove because it is not as nefarious as other types of malware.
12. What are bots and botnets?
A bot is a computer that is infected with malware that allows it to be remotely controlled by an attacker.
The bot (or zombie computer) can then be used to launch more cyber attacks or become part of a botnet (a collection of bots).
Botnets are a popular method for distributed denial of service (DDoS) attacks, spreading ransomware, keylogging and spreading other types of malware.
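Both the command-and-control servers mentioned in the introduction and the botnets described here depend on the infected machine checking in with the attacker, usually on a timer. That regularity is something a defender can look for in connection logs without knowing anything about the malware itself. The example below is added here and is not UpGuard's code: it groups outbound connections per (source, destination) pair and flags pairs whose gaps between connections are nearly constant. The log lines, host names and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed.

```python
"""Beaconing detection over constructed connection logs (added illustration).

A compromised host checking in with a command-and-control server produces
outbound connections to one destination at near-constant intervals.  The
detector measures the regularity of those intervals (standard deviation of
the gaps divided by their mean) for each source/destination pair.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch seconds> <source host> <destination>".
SAMPLE_LOG = """\
1700000000 ws-17 203.0.113.10:443
1700000060 ws-17 203.0.113.10:443
1700000121 ws-17 203.0.113.10:443
1700000180 ws-17 203.0.113.10:443
1700000241 ws-17 203.0.113.10:443
1700000300 ws-17 203.0.113.10:443
1700000005 ws-17 198.51.100.5:443
1700000012 ws-17 198.51.100.5:443
1700000130 ws-17 198.51.100.5:443
1700000131 ws-17 198.51.100.5:443
1700000290 ws-17 198.51.100.5:443
"""


def parse_flows(text):
    """Turn the log text into (timestamp, source, destination) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows.append((int(ts), src, dst))
    return flows


def beacon_candidates(flows, min_connections=5, max_jitter=0.1):
    """Return {(src, dst): (mean_gap_s, jitter)} for pairs seen at least
    min_connections times whose gap jitter (pstdev / mean) is <= max_jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings[pair] = (round(avg, 1), round(jitter, 3))
    return findings


if __name__ == "__main__":
    for (src, dst), (gap, jitter) in beacon_candidates(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: roughly every {gap}s (jitter {jitter})")
```

In the sample, the connections to 203.0.113.10 recur every 60 seconds give or take one and are flagged, while the irregular traffic to 198.51.100.5 is not. Real check-ins often add deliberate random delay, so production detectors widen max_jitter and look at longer histories; update services and monitoring agents also beacon, so known destinations are whitelisted before alerting.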
13. What is a backdoor?
A backdoor is a covert method of bypassing normal authentication or encryption in a computer, product, embedded device (e.g. a router) or other computer component.
Backdoors are commonly used to obtain remote access to a computer or gain access to encrypted files.
From there, a backdoor can be used to access, corrupt, delete or transfer sensitive data.
Backdoors can take the form of a hidden part of a program (a trojan horse), a separate program, or code in firmware and operating systems.
Further, backdoors may be covertly created or widely known. Many backdoors have legitimate use cases, such as a manufacturer needing a way to reset user passwords.
14. What is a browser hijacker?
A browser hijacker or hijackware changes the behavior of a web browser by sending the user to a new page, changing their home page, installing unwanted toolbars, displaying unwanted ads or directing users to a different website.
15. What is crimeware?
Crimeware is a class of malware designed to automate cybercrime.
It is designed to perpetrate identity theft through social engineering or stealth to access the victim's financial and retail accounts to steal funds or make unauthorized transactions. Alternatively, it may steal confidential or sensitive information as part of corporate espionage.
16. What are malicious mobile apps?
Not all apps available through the App Store and Google Play are legitimate. That said, the App Store is generally safer due to better prescreening of third-party apps.
Malicious apps can steal user information, attempt to extort users, gain access to corporate networks, force users to view unwanted ads or install a backdoor on the device.
17. What is a RAM scraper?
A RAM scraper is a type of malware that harvests data temporarily stored in memory (RAM). This type of malware often targets point-of-sale (POS) systems like cash registers because they can hold unencrypted credit card numbers for a brief period before encrypting them and passing them to the back-end.
18. What is rogue security software?
Rogue security software tricks users into thinking their system has a security problem, such as a virus, and entices them to pay to have it removed. In reality, the fake security software is the malware that needs to be removed.
19. What is cryptojacking?
Cryptojacking is a type of malware that uses a victim's computing power to mine cryptocurrency.
20. What is hybrid malware?
Today most malware is a combination of existing malware types, often trojan horses, worms, viruses and ransomware.
For example, a malware program may appear to be a trojan, but once executed it may act as a worm and try to attack other victims on the network.
21. What is social engineering and phishing?
While social engineering and phishing aren't malware per se, they are popular delivery mechanisms for malware attacks. For example, a phisher may be trying to get a user to log into a phishing website but may also attach an infected attachment to the email to increase their chances of success.
22. What are bugs?
Like social engineering and phishing, bugs aren't malware, but they can open up vulnerabilities for malware to exploit. A prime example is the EternalBlue vulnerability in Windows operating systems that led to the spread of the WannaCry ransomware cryptoworm.
How does malware spread?
There are six common ways that malware spreads:
- Vulnerabilities: A security defect in software allows malware to exploit it to gain unauthorized access to the computer, hardware or network
- Backdoors: An intended or unintended opening in software, hardware, networks or system security
- Drive-by downloads: Unintended download of software with or without knowledge of the end user
- Homogeneity: If all systems are running the same operating system and connected to the same network, the risk of a successful worm spreading to other computers is increased
- Privilege escalation: A situation where an attacker gets escalated access to a computer or network and then uses it to mount an attack
- Blended threats: Malware packages that combine characteristics from multiple types of malware making them harder to detect and stop because they can exploit different vulnerabilities
How to find and remove malware
The increasing sophistication of malware attacks means finding and removing them can be harder than ever.
Many malware programs start out as a trojan horse or worm and then add the victim's computer to a botnet, letting the attacker into the victim's computer and network.
If you're lucky, you can see the malware executables in your active processes, but the rise of fileless malware is making this more difficult.
Unfortunately, finding and removing malware is becoming more difficult because you may never know the extent of the infection. Often you're better off backing up any data and reimaging the computer.
Prevention is key. Keep your systems patched, continuously monitor for vulnerabilities and educate your staff on the dangers of executing attachments and programs from suspicious emails. And remember, third-party risk and fourth-party risk exist.
You need to make sure your third-party risk management framework and vendor risk management program forces your vendors to keep their systems secure and free of malware like you do. Customers don't care whether it was you or your vendors who caused a data breach or data leak. Don't join our list of the biggest data breaches.
How UpGuard can help prevent malware
UpGuard BreachSight's typosquatting module can reduce the cyber risks related to typosquatting and vulnerabilities, along with preventing breaches, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
We can also help you continuously monitor, rate and send security questionnaires to your vendors to control third-party risk and improve your security posture, as well as automatically create an inventory, enforce policies, and detect unexpected changes to your IT infrastructure.