What Is Malware?

Malware is a common cyber-attack and an umbrella term for various malicious programs delivered and installed on end-user systems and servers. These attacks are designed to cause harm to a computer, server, or computer network, and are used by cybercriminals to obtain data for financial gain.

Most computer historians say that the first virus was created in 1970. The Creeper Worm self-replicated and copied itself across ARPANET (an early version of the internet). When activated, it displayed the message, “I’m the creeper, catch me if you can!”

The term “virus” wasn’t coined until 1986, when Ph.D. student Fred Cohen described a computer virus as a program that can infect other programs and create an evolved version of itself. Most early viruses destroyed files or infected boot sectors. Today’s malware is much more sinister and designed to steal data, spy on businesses, create a denial-of-service condition, or lock files to extort money from victims.

Types of malware programs fall into commonly referred to categories such as:

• Ransomware: Encrypts files that cannot be recovered unless the victim pays a ransom. Ransomware attacks are all too common these days.
• Adware: Display ads (sometimes malicious ads) to users as they work on their computers or browse the web.
• Fileless malware: Instead of using an executable file to infect computer systems, fileless malware uses Microsoft Office macros, WMI (Windows Management Instrumentation) scripts, PowerShell scripts, and other management tools.
• Viruses: A virus infects a computer and performs a variety of payloads. It may corrupt files, destroy operating systems, delete or move files, or deliver a payload at a specific date.
• Worms: A worm is a self-replicating virus, but instead of affecting local files, a worm spreads to other systems and exhausts resources.
• Trojans: A Trojan is named after the Greek war strategy of using a Trojan horse to enter the city of Troy. The malware masquerades as a harmless program, but it runs in the background stealing data, allowing remote control of the system, or waiting for a command from an attacker to deliver a payload.
• Bots: Infected computers can become a part of a botnet used to launch a distributed denial-of-service by sending extensive traffic to a specific host.
• Spyware: Malware that installs, collects data silently, and sends it to an attacker that continuously “spies” on users and their activities. Spyware aims to gather as much important data as possible before detection.
• Backdoors: Remote users can access a system and possibly move laterally. Trojans deliver backdoor payloads during installation.
• Banking Trojans: View or steal banking credentials to access accounts. Typically, they manipulate web browsers to trick users into entering their personal banking information.
• Keyloggers: Capture keystrokes as users type in URLs, credentials, and personal information and send it to an attacker.
• RAT: “Remote access tools” enable attackers to access and control the targeted device remotely.
• Downloaders: Download other malware to install locally. The type of malware depends on the attacker’s motives.
• POS: Compromise a point-of-sale (PoS) device to steal credit card numbers, debit card and PINs, transaction history, and contact information.

More sophisticated types of malware contain several of the above types to deliver a combination of payloads, mainly to ensure attack success. Most malware are developed with evasion features to avoid detection from antivirus programs.

Identifying malware evasion techniques is critical because, when successful, they decrease security tool effectiveness. Proofpoint provides a comprehensive malware protection suite with a subset of these malware attack techniques included below:

• Code obfuscation: Use encoding to hide code syntax from detection.
• Code compression: Use compression formats like gzip, zip, rar, etc., to hide code from antivirus and detection in email messages.
• Code encryption: Apply any number of encryption techniques to hide code syntax.
• Steganography: Hide code or programs in images.
• Domain or IP range avoidance: Identify domains or IPs owned by security companies and deactivate malware in those locations.
• User action detection: Look for actions like right or left clicks, mouse moves, and more.
• Time delays: Lie dormant for a period of time, then activate.
• Recent file detection: Look for past actions like opening and closing files from multiple applications.
• Device fingerprinting: Only execute on specific system configurations.

Attackers can employ one or more of the evasion techniques to give their malware a better chance of avoiding detection and only deploy on human-run systems.

Cyber-attackers use malware for a variety of malicious intentions. In most cases, its purpose is to steal critical information or resources for monetary gain. For instance, hackers use malware as a tool to compromise computer networks or specific devices to steal or compromise sensitive data, like credit card information or confidential login credentials. But in some scenarios, malware is merely intended to cause havoc and sabotage its victims’ computer systems to disrupt a system’s operability.

Since the pandemic lockdowns, malware authors have increased their attacks to exploit poor cybersecurity practices. AV-TEST researchers detect over 450,000 new malicious programs every day. In 2021, AV-TEST registered over 1.3 billion malware applications compared to a little over 182 million malware applications in 2013. The number of malware applications is projected to double in 2022 compared to 2021. In fact, according to the Ponemon Cost of Phishing Study, costs due to the inability to contain malware have almost doubled, going from $3.1 million to $5.3 million.

Google provides a malware crawler to the general public to find malicious websites and block them from being indexed. These safe search efforts detect that 7% of websites host malware or are infected with malware. In just the first half of 2020, 20 million IoT malware attacks were detected, and that number continues to climb. Symantec estimates that three out of four infected IoT devices are routers.

Unfortunately, many organizations are ill-equipped to effectively prevent and handle catastrophic cyber-attacks related to malware. A 2022 ISACA State of Cybersecurity report found that 69% of cybersecurity professionals believe their organization’s team is sorely understaffed. That could intensify the strain on existing staff and further exacerbate risks from devastating malware attacks.

These cyber threats are showing no signs of slowing down. As malware attacks continue to increase in volume and sophistication, reports by Cybersecurity Ventures estimate global cyber crime costs to grow by 15% year-over-year for the next five years, reaching upwards of $10.5 trillion in damages by 2025. Largely fueled by ransomware-related attacks, these trends indicate the greatest transfer of wealth in history. Fueling the malware momentum are alarming data and trends, including:

Examples of malware attacks date back several decades to the early days of the first personal computers. The first PC-based malware attack, “Brain,” was released in 1986 and infected the original 5.2" floppy disks of IBM Personal Computers. This early computer virus catapulted a deleterious trend in emerging malware attacks that would become increasingly sophisticated over time.

Other notable examples of historic malware attacks include:

• The 1999 Melissa virus was an email-based malware attack that used an infected Word attachment to deceive victims. Melissa was one of the earliest forms of malware to use social engineering and caused damages of $80 million.
• The ILOVEYOU worm of the early 2000s was another socially-engineered email attack disguised as a love letter. Infecting over 45 million people, the ILOVEYOU worm racked up $15 million in financial damages.
• The 2018 Emotet Trojan was deemed “the most threatening and devastating malware attack” by the US Department of Homeland Security, stealing sensitive financial information of governmental organizations through the spread of spam and phishing. Remediation of Emotet malware attacks cost roughly $1 million per incident across numerous cases.
• The WannaCry attacks of 2017 were one of the most sophisticated and costly of its time, duplicating itself without any suspicious file modification. By infecting over 230,000 computers in less than a day, WannaCry was responsible for $4 billion in ransomware losses.
• The CovidLock ransomware attacks of 2020 were a testament to one of the most active eras among hackers as they exploited the COVID-19 pandemic. Disguised as offering information about the disease, the CovidLock ransomware installed infected files that encrypted all data on devices and denied access to users. A $100 ransom payment was required to recover each infected device.

Hacking is a business, and malware is one tool hackers use to steal data or control devices. Cybercriminals use specific malware to perform certain functions. For example, ransomware helps extort money from businesses, while Mirai is used to control IoT devices in a distributed denial-of-service (DDoS) attack.

Why attackers use malware:

• Trick users into entering personally identifiable information (PII).
• Steal financial data such as credit card numbers or bank accounts.
• Give attackers remote access and control to devices.
• Use computer resources to mine Bitcoin or other cryptocurrencies.

A good antivirus stops malware from infecting a computer, so malware authors develop several strategies to bypass cybersecurity installed on the network. A user can become a victim of malware from numerous vectors.

How to be a victim of malware:

• You download an installer that installs a legitimate program, but the installer also contains malware.
• You browse a website with a vulnerable browser (e.g., Internet Explorer 6), and the website contains a malicious installer.
• You open a phishing email and open a malicious script used to download and install malware.
• You download an installer from an unofficial vendor and install malware instead of a legitimate application.
• You click a web page ad that convinces you to download malware.

Even though malware runs silently in the background, the resources it uses, and its payload display are telltale signs your computer is infected. While some infection detection may require an experienced user, you can still recognize specific signs to investigate further.

Here are a few signs that you might have malware:

• Slow computer: Some malware, like cryptojackers, require extensive CPU and memory to execute. Your computer will run unusually slowly even after a reboot.
• Constant pop-ups: Adware embeds into the operating system, so your browser constantly displays ads. After you close an ad, another one pops up.
• Blue screen of death (BSOD): Windows crashes to a blue screen and displays an error, but this issue should rarely happen. Constant BSOD issues could mean the computer has malware.
• Excess disk storage or loss: Malware might delete data, releasing large amounts of storage space or adding several gigabytes of data onto storage.
• Unknown internet activity: Your router shows excessive activity even when you’re not using your internet connection.
• Change in browser settings: Malware will change browser home pages or search engine settings to redirect you to spam websites or sites containing malicious programs.
• Antivirus is disabled: To deliver its payload, some malware disables antivirus that remains disabled even after being enabled.

Most desktop computers already have antivirus either from a third party or provided by the operating system. Smartphones and tablets don’t have the same type of default protection, making them perfect targets for attackers. Installing malware on a smartphone is an increasingly popular strategy for attackers. Apple and Android include security with their operating systems, but it’s not enough to entirely stop all malware.

Although extremely rare, iPhones can be infected with malware. It’s typically the result of manually “jailbreaking” an iPhone and disabling its built-in protections, thereby leaving iOS vulnerable to unapproved app installs. However, iPhone malware is highly unlikely, mainly because most owners can only download apps vetted and approved by Apple’s App Store to ensure user safety.

Yes, Android devices are far more vulnerable to malware attacks. Downloading apps from unofficial, third-party app stores is one of the main risks Android users encounter, as some apps may conceal malicious software until downloaded and installed. Once downloaded, these apps can infect the device with malware, resulting in many symptoms like quickly drained batteries, increased data usage, and random pop-ups.

Smartphones carry more private data than computers due to their popularity. Users take their phones with them everywhere, so they contain financial information, travel locations, GPS tracking, shopping history, browsing history, and so much more that could be useful to an attacker. Users are more likely to install applications on their smartphones, thinking it’s safer than installing software on a desktop. All these factors make smartphones bigger targets than desktops for some threats.

Threats take advantage of a smartphone’s constant connection to either Wi-Fi or cellular data, making the internet always available. As malware runs in the background, it can silently upload stolen data and credentials to an attacker-controlled server regardless of the smartphone owner’s location.

Individuals and corporations must take the necessary steps to protect desktops and mobile devices. That means running antivirus software on computers and mobile devices to significantly reduce the risk of malware threats.

More ways to prevent malware from affecting devices:

• Include multifactor authentication (MFA) such as biometrics (e.g., fingerprints or face recognition) or text message PINs.
• Employ strong password complexity and length rules to force users to create effective passwords.
• Force users to change their passwords every 30-45 days to reduce the window of opportunity for an attacker to use a compromised account.
• Use administrator accounts only when necessary, and avoid running third-party software using administrator privileges.
• Update operating systems and software with the latest patches as soon as vendors release them.
• Install intrusion detection systems, firewalls, and communication encryption protocols to prevent data eavesdropping.
• Use email security to block suspicious messages or messages determined to be phishing.
• Monitor a corporate network for any suspicious traffic.
• Train employees to identify malicious emails and avoid installing software from unofficial sources.

If you think your computer has malware, you must take steps to remove it. For enterprise workstations, malware removal can be done remotely with business antivirus tools. More sophisticated forms of removal might be necessary for malware that evades antivirus.

The first step in removal is updating the machine’s antivirus software and running a scan on the entire system. Ensure your antivirus is enabled before beginning a scan because some malware disables antivirus. Scanning a computer can take several minutes, so it’s best to leave it running overnight if you need it for work.

After the antivirus completes the scan, it produces a report on its findings. Most antivirus software quarantines suspicious files and asks you what to do with quarantined files. After the scan, reboot the computer. The antivirus software should have a setting that tells it to scan the computer periodically every week. Scanning your computer at a set schedule ensures that malware is not installed unknowingly again.

At worst, you might be forced to re-image or reset a computer to factory settings. If you have a complete backup of your operating system and files, you can re-image it. Re-imaging installs everything, including files, so that you can recover from your last storage point. If you don’t have this type of backup, you can reset the PC to factory settings. Remember that you lose all files and software this way, and the computer is returned to the state when you first purchased it.

It’s important to ensure that malware is completely removed. If you do not completely remove malware from an environment, it could be coded to re-infect a newly scanned and cleaned computer. To stop malware from re-infecting a computer, always have monitoring and data protection running across all network resources. Intrusion detection systems actively monitor the network for suspicious traffic patterns and alert administrators of potential threats to prevent cybersecurity incidents from becoming data breaches.

Malware has been seen attacking organizations in nearly every vertical. While some criminals use malware to attack an organization directly, we’ve seen malware attacks attempt to sidestep the normal delivery via email. Malware attacks can cause significant damage to organizations and their employees.

In addition to sabotaging computer systems and compromising critical data, malware attacks can:

• Exfiltrate sensitive data, such as email addresses, passwords, and other business assets
• Lock up organizations’ networks and PCs, making them inoperable.
• Cause operational issues like disrupted productivity and catastrophic data loss.
• Replicate and spread throughout devices connected within the network.
• Encrypt information that can be opened by a key known only by the attacker (ransomware).
• Compromise the confidentiality, integrity, or availability of the organization’s data and assets.

Companies that rely on exchanging external documents are a good target for attackers. As every organization depends on people, criminals have directed their malware attacks toward the company’s HR function. By directly uploading or sending resumes through recruiting job sites, attackers deliver resumes directly to HR employees while avoiding the secure email gateway, a key detection mechanism.

Proofpoint employs several anti-malware strategies and infrastructure tools that stop threats before they can install and infect an entire environment. We take a multi-layer approach to cybersecurity and protecting your network.

A few strategies Proofpoint uses in its enterprise security:

• Email protection and quarantines of malware attachments and phishing.
• Targeted Attack Protection (TAP) detects and blocks ransomware, malicious email attachments and documents, and URLs.
• Information protection and easy management of sensitive content.
• Encryption of communications.
• Threat Response Auto Pull (TRAP) of potential malware sent in email or hosted on a malicious website.
• Threat intelligence: using dynamic threat analysis of collected data from various sources.