Malware is an umbrella term for malicious software delivered to and installed on end-user systems and servers, and the attacks that deliver it are among the most common. Malware is designed to harm a computer, server, or network, or to give its operator a foothold there, and criminals use it to steal data, extort victims, or make money in other ways.
History of Malware
Most computer historians date the first self-replicating program to 1971. Creeper, written by Bob Thomas at BBN, copied itself between machines on ARPANET (a precursor of the internet) and displayed the message, “I’m the creeper, catch me if you can!” It carried no harmful payload, and a second program, Reaper, was written to remove it.
The term “computer virus” was formally defined by Fred Cohen, then a Ph.D. student, in his 1983 experiments and 1984 paper (the word itself was suggested by his adviser, Leonard Adleman): a program that can infect other programs by modifying them to include a possibly evolved copy of itself. Most early viruses destroyed files or infected boot sectors. Today’s malware is far more purposeful: it steals data, spies on businesses, creates denial-of-service conditions, or encrypts files to extort money from victims.
Types of Malware
Malware is commonly grouped into categories such as:
- Ransomware: Encrypts files and demands payment, usually in cryptocurrency, for the decryption key; many crews now also exfiltrate data first and threaten to leak it. Ransomware attacks are all too common these days.
- Adware: Displays ads (sometimes malicious ads that lead to further malware) while users work on their computers or browse the web.
- Fileless malware: Instead of dropping an executable on disk, runs in memory using tools already present on the system, such as Microsoft Office macros, WMI (Windows Management Instrumentation), PowerShell, and other administrative tools, leaving little for file-based scanners to find.
- Viruses: Attach themselves to other programs or files and spread when those files are run or copied. Payloads vary: corrupting files, damaging the operating system, deleting or moving data, or triggering on a specific date.
- Worms: Self-replicating programs that spread to other systems on their own, typically by exploiting network services, without needing a host file or any user action. Their scanning traffic and copies can exhaust network and host resources.
- Trojans: Named after the Greek strategy of using a wooden horse to enter the city of Troy. The malware masquerades as a harmless program, but in the background it steals data, allows remote control of the system, or waits for an attacker’s command to deliver a payload.
- Bots: Infected computers join a botnet that its operator can direct to launch distributed denial-of-service (DDoS) attacks by flooding a target with traffic, or to send spam and relay other attacks.
- Spyware: Installs silently, collects data about users and their activities, and sends it to an attacker. The goal is to gather as much valuable data as possible before detection.
- Backdoors: Give remote users covert access to a system, from which they may move laterally. Trojans often install a backdoor as their payload.
- Banking trojans: View or steal banking credentials to access accounts. Typically they manipulate the web browser, for example by injecting extra fields into a bank’s login page, to trick users into entering personal banking information.
- Keyloggers: Capture keystrokes as users type URLs, credentials, and personal information, and send them to an attacker.
- RATs: Remote access trojans (also called remote access tools) give attackers remote access to and control of the targeted device.
- Downloaders: Fetch and install other malware. What arrives next depends on the attacker’s motives.
- POS malware: Compromises a point-of-sale (PoS) device to steal credit and debit card numbers, PINs, transaction history, and contact information.
More sophisticated malware combines several of the above to deliver a combination of payloads, mainly to improve the odds that the attack succeeds. Most malware is built with evasion features to avoid detection by antivirus programs.
Malware Evasion Techniques
Identifying malware evasion techniques is critical because, when they succeed, they reduce the effectiveness of security tools. Proofpoint’s malware protection is built to account for them; a subset of the techniques seen in attacks is listed below:
- Code obfuscation: Encode or rewrite the code (renamed identifiers, encoded strings, junk instructions) so that its syntax no longer matches detection signatures.
- Code compression: Pack the code or wrap it in archive formats like gzip, zip, rar, and so on, often password-protected, to hide it from antivirus and from scanning of email messages.
- Code encryption: Encrypt the payload with any number of schemes and decrypt it only at run time, so that scanners see only the loader.
- Steganography: Hide code or programs inside images or other media files.
- Domain or IP range avoidance: Check for domains or IP ranges owned by security companies or cloud sandboxes and stay inactive there.
- User action detection: Look for signs of a real user, such as mouse clicks, mouse movement, and scrolling, before running; automated sandboxes often produce none.
- Time delays: Lie dormant for a period of time, then activate, outlasting the few minutes a sandbox typically allows a sample.
- Recent file detection: Look for a history of normal use, such as recently opened documents from several applications; a freshly provisioned analysis machine has none.
- Device fingerprinting: Execute only on specific system configurations (CPU count, memory, installed software, locale), refusing to run on anything that looks like an analysis environment or falls outside the intended targets.
Attackers combine one or more of these techniques to give their malware a better chance of evading detection and of running only on systems used by real people.
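The techniques above are what an attachment scanner has to see through. The following Python script is an added example, not Proofpoint’s code, showing how a static triage pass handles three of them: it unpacks ZIP attachments member by member (flagging password-protected members, which it cannot read), undoes single-byte XOR encoding by brute force so that a known signature reappears, and uses byte entropy to flag payloads that are packed or encrypted with something stronger. The signature strings, file names and archive contents are constructed stand-ins, not real samples.

```python
"""Static triage of a mail attachment for the evasion tricks listed above.

Added example (not Proofpoint code). The signature strings, file names and
archive contents are all constructed here so the script runs offline.
"""
import io
import math
import zipfile
from collections import Counter

SIGNATURES = [b"CreateRemoteThread", b"powershell -enc "]  # constructed stand-ins
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd", ".dll", ".lnk"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".iso", ".img"}
HIGH_ENTROPY = 7.2  # bits per byte; packed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Plain text scores roughly 4-5 bits/byte, compressed or encrypted data 7.5-8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def signature_hits(data: bytes) -> list:
    return [s.decode() for s in SIGNATURES if s in data]


def recover_xor_key(data: bytes):
    """Undo a single-byte XOR 'crypter' by brute force: report the first key
    under which a known signature reappears, together with the matches."""
    for key in range(1, 256):
        hits = signature_hits(xor_bytes(data, key))
        if hits:
            return key, hits
    return None, []


def extensions(name: str) -> list:
    """Every extension of the base name, so 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def triage_file(name: str, data: bytes) -> list:
    """Findings for one file: an attachment itself or a member of an archive."""
    findings = []
    exts = extensions(name)
    if exts and exts[-1] in EXEC_EXT:
        findings.append(f"{name}: executable content ({exts[-1]})")
        if len(exts) > 1:
            findings.append(f"{name}: double extension disguises the file type")
    if exts and exts[-1] in ARCHIVE_EXT:
        findings.append(f"{name}: nested archive")
    hits = signature_hits(data)
    if hits:
        findings.append(f"{name}: signature match {hits}")
    else:
        key, hits = recover_xor_key(data)
        if key is not None:
            findings.append(f"{name}: signature match {hits} after XOR with key 0x{key:02x}")
    if not hits and len(data) >= 64 and shannon_entropy(data) > HIGH_ENTROPY:
        findings.append(f"{name}: high entropy, likely packed or encrypted")
    return findings


def triage_attachment(name: str, data: bytes) -> list:
    """Walk ZIP attachments member by member. A member whose general-purpose
    flag bit 0 is set is password-protected and cannot be inspected at all."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return triage_file(name, data)
    findings = [f"{name}: archive attachment"]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:
                findings.append(f"{member}: password-protected member, cannot inspect")
                continue
            findings.extend(triage_file(member, zf.read(info)))
    return findings


def make_zip(members: dict, encrypted: bool = False) -> bytes:
    """Build a constructed ZIP in memory. zipfile cannot write encrypted entries,
    so the 'encrypted' flag bit is patched into every local and central header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    out = bytearray(buf.getvalue())
    if encrypted:
        for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = out.find(sig)
            while i != -1:
                out[i + offset] |= 0x01
                i = out.find(sig, i + 4)
    return bytes(out)


def build_samples() -> dict:
    """Constructed attachments standing in for captured mail."""
    packed = bytes((i * 131 + 7) % 256 for i in range(512))  # each byte value twice: 8.0 bits
    return {
        "notes.txt": b"Quarterly numbers attached, see sheet two. " * 4,
        "invoice.pdf.exe": b"MZ\x90\x00 stub ... CreateRemoteThread ... payload",
        "update.bin": xor_bytes(b"stage two: powershell -enc SQBFAFgA -w hidden", 0x5A),
        "payload.zip": make_zip({"setup.exe": packed, "inner.zip": b"nested"}),
        "docs.zip": make_zip({"invoice.js": b"eval(unescape('%75'))"}, encrypted=True),
    }


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, triage_attachment(name, data) or ["clean"])
```

Running the script prints the findings for each constructed attachment. The XOR step is the trivial end of de-obfuscation; real crypters need emulation or detonation, which is why the entropy heuristic and the archive checks matter: they fire even when the payload cannot be decoded, and a password-protected member is itself a reason to hold the message.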
Since the pandemic lockdowns, malware authors have stepped up attacks that exploit poor cybersecurity practices. AV-TEST researchers register over 450,000 new malicious programs every day. In 2021, AV-TEST registered over 1.3 billion malware samples, compared with a little over 182 million in 2013, and the count was projected to double again in 2022.
Google’s Safe Browsing crawler finds malicious websites and warns users before they visit them; this effort has found that around 7% of websites host malware or are infected with it. Twenty million IoT malware attacks were detected in just the first half of 2020, and that number continues to climb. Symantec estimates that three out of four infected IoT devices are routers.
Why Is Malware Used?
Hacking is a business, and malware is one of the tools attackers use to steal data or control devices. Criminals pick the malware that fits the job: ransomware extorts money from businesses, while Mirai hijacks IoT devices to build a botnet for distributed denial-of-service (DDoS) attacks.
Why attackers use malware:
- Trick users into entering personally identifiable information (PII).
- Steal financial data such as credit card numbers or bank accounts.
- Give attackers remote access and control to devices.
- Use the computer’s resources to mine cryptocurrency (cryptojacking).
How Do You Get Malware?
A good antivirus stops much malware from ever installing, so malware authors develop strategies to get past the security controls on the network and the endpoint. A user can become a victim of malware through numerous vectors.
Common ways to become a victim of malware:
- You download an installer for a legitimate program, but the installer also carries malware (a trojanized or bundled installer).
- You browse a website with a vulnerable browser or plug-in (Internet Explorer 6 is the classic example), and the site exploits the vulnerability to install malware without any click (a drive-by download).
- You open a phishing email and run its malicious attachment or script, which downloads and installs malware.
- You download an installer from an unofficial source and get malware instead of, or alongside, the legitimate application.
- You click a web page ad (malvertising) that convinces you to download malware.
How Can I Tell If I Have Malware?
Even when malware runs silently in the background, the resources it consumes and the effects of its payload are telltale signs of an infection. Confirming some infections requires an experienced user, but you can investigate further after noticing certain signs.
A few signs that you might have malware:
- Slow computer: Some malware, like cryptojackers, consumes large amounts of CPU and memory. The computer runs unusually slowly even after a reboot.
- Constant pop-ups: Adware embedded in the operating system or browser constantly displays ads. Close one and another appears.
- Blue screen of death (BSOD): Windows crashes to a blue screen and displays an error. This should happen rarely; frequent BSODs can indicate malware, although failing hardware or a bad driver is the more common cause.
- Unexplained disk usage or loss: Malware might delete data, freeing large amounts of storage space, or write gigabytes of data (staged files, logs, downloaded tools) onto storage.
- Unknown internet activity: The router or a network monitor shows heavy traffic even when you are not using the internet connection.
- Changed browser settings: Malware changes the browser home page or search engine to redirect you to spam websites or sites hosting malicious programs.
- Antivirus is disabled: Some malware disables antivirus to deliver its payload, and the antivirus turns off again shortly after you re-enable it.
Can Phones Get Malware?
Most desktop computers run antivirus, either from a third party or built into the operating system. Smartphones and tablets rely instead on app sandboxing and app-store review, which does not stop malicious apps that pass review or are sideloaded, so they are attractive targets. Installing malware on a smartphone is an increasingly popular strategy for attackers. iOS and Android ship with security controls, but they are not enough to stop all malware.
Smartphones often hold more private data than computers because they go everywhere with their owners: financial information, travel locations, GPS history, shopping history, browsing history, and much more that could be useful to an attacker. Users are also more willing to install apps on their phones, assuming it is safer than installing software on a desktop. All these factors make smartphones bigger targets than desktops for some threats.
Threats take advantage of a smartphone’s constant connection to either Wi-Fi or cellular data, which keeps the internet always available. As the malware runs in the background, it can silently upload stolen data and credentials to an attacker-controlled server regardless of where the owner is.
Individuals and corporations must take steps to protect both desktops and mobile devices. Running anti-malware software on computers and mobile devices significantly reduces the risk.
More ways to prevent malware from affecting devices:
- Require multifactor authentication (MFA). Authenticator apps, hardware security keys, or biometrics (e.g., fingerprint or face recognition) are stronger than text-message PINs, which can be intercepted or redirected by SIM swapping.
- Enforce password length rules (length matters more than complexity) and screen new passwords against lists of known-breached passwords.
- Change passwords when there is evidence of compromise, and revoke active sessions at that point, rather than on a fixed 30-45-day schedule, which NIST SP 800-63B advises against because it pushes users toward predictable variations.
- Use administrator accounts only when necessary, and do not run third-party software with administrator privileges.
- Update operating systems and software with the latest patches as soon as vendors release them.
- Deploy intrusion detection systems, firewalls, and encrypted communication protocols (such as TLS) to prevent eavesdropping on data in transit.
- Use email security to block suspicious messages or messages determined to be phishing.
- Monitor a corporate network for any suspicious traffic.
- Train employees to identify malicious emails and avoid installing software from unofficial sources.
How to Remove Malware
If you think a computer has malware, take steps to remove it. On enterprise workstations, removal can often be done remotely with business antivirus or EDR tools. Malware that evades antivirus requires more thorough measures.
The first step is to update the antivirus software on the machine and run a scan of the entire system. Confirm the antivirus is actually enabled before starting, because some malware disables it, and disconnect the machine from the network so the malware cannot spread or download further stages while you work. A full scan can take hours, so if you need the computer for work, leave it running overnight.
When the scan completes, the antivirus reports its findings. Most products quarantine suspicious files and ask what to do with them. Reboot the computer after the scan, and enable the setting that scans the system on a weekly schedule. Scheduled scans do not prevent reinfection, but they catch malware that arrived unnoticed.
At worst, you may have to re-image the computer or reset it to factory settings. If you have a complete backup taken before the infection, you can re-image from it and recover files from that point; a backup taken after the infection may restore the malware along with the data. Without such a backup, reset the PC to factory settings. Remember that you lose all files and software this way, and the computer is returned to the state it was in when you first purchased it.
Make sure the malware is completely removed. If any component survives, whether on the cleaned machine (a scheduled task, a startup entry, a second implant) or on another host in the environment, it can re-infect a newly scanned and cleaned computer. To stop re-infection, keep monitoring and data protection running across all network resources. Intrusion detection systems watch the network for suspicious traffic patterns and alert administrators to potential threats, so that incidents can be stopped before they become a data breach.
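One way to watch for the re-infection described above, as an added example that is not part of the original article: take a SHA-256 baseline of the locations malware uses to persist (startup folders, scheduled-task directories, web roots) immediately after cleanup, then diff the live state against it on a schedule. The folder layout, file contents and baseline path below are constructed in a temporary directory so the script runs anywhere.

```python
"""File-integrity baseline to catch re-infection after a clean-up.

Added example, not code from the original article. The 'Startup' folder,
its files and the baseline location are all constructed in a temp directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Record the known-good state right after cleanup. Keep this file somewhere
    the monitored host cannot write to; malware that can edit the baseline wins."""
    baseline_file.write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))


def compare_to_baseline(root: Path, baseline_file: Path) -> dict:
    """Files added, removed, or modified since the baseline was taken."""
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current.keys() & baseline.keys()
                           if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: an autostart folder is baselined after cleanup; later a
    dropper reappears, a legitimate script is tampered with and a file goes missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Startup"
        (root / "tools").mkdir(parents=True)
        (root / "tools" / "backup.cmd").write_text("@echo off\nrobocopy D:\\data E:\\bak /MIR\n")
        (root / "readme.txt").write_text("nothing to see here\n")
        baseline = Path(tmp) / "baseline.json"  # outside the monitored tree
        save_baseline(root, baseline)

        # Re-infection: a dropper is written back, a trusted script is altered, a file is gone.
        (root / "update.vbs").write_text('CreateObject("WScript.Shell").Run "stage2"\n')
        (root / "tools" / "backup.cmd").write_text("@echo off\nstart /b hidden.exe\n")
        (root / "readme.txt").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for change, paths in demo().items():
        print(f"{change}: {paths or '-'}")
```

The baseline must live somewhere the monitored host cannot modify (a read-only share or a separate log host); otherwise malware that survived the cleanup can simply rewrite it. Registry Run keys and scheduled tasks are not files in this sense and need a separate export, but the diff logic is the same.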
Malware attacks within organizations
Malware has been seen attacking organizations in nearly every vertical. While some criminals use malware to attack an organization directly, we have also seen attacks that sidestep the normal delivery route of email.
Companies that depend on exchanging documents with outside parties have proven to be good targets. Because every organization depends on people, criminals have targeted the HR function: by uploading resumes directly or submitting them through recruiting job sites, attackers deliver malicious resumes straight to employees while bypassing a key detection mechanism, the secure email gateway.
How Proofpoint Can Help
Proofpoint employs several anti-malware strategies and infrastructure tools that stop threats before they can install and spread across an environment. We take a multi-layer approach to cybersecurity and to protecting your network.
A few strategies Proofpoint uses in its enterprise security:
- Encryption of communications.
- Threat Response Auto Pull (TRAP), which removes potential malware from delivered email, including messages that link to a malicious website.
- Threat intelligence: using dynamic threat analysis of collected data from various sources.