Malware (malicious software) is a term used to describe any program or code that is created with the intent to do harm to a computer, network, or server. Common types of malware include viruses, ransomware, keyloggers, trojans, worms and spyware.
Malware works in different ways, but most start by ensuring a means of persistent access to a system so adversaries can slip into the network any time they like. Once inside, the malware takes control of the system with the purpose of communicating back to its original sender. The information it communicates may be sensitive data, intellectual property, captured keystrokes, images from a device’s camera, etc.
Signs You Have a Malware Infection
Simply relying on your own senses is not enough of a defense against malware, but there are a few common signs that may indicate you’ve been infected:
- You receive a ransom demand
- You click on a link and are sent to an unexpected website, your home page has changed, and/or you are getting pop-ups that won’t close
- Your computer is running slow, system is crashing, and/or browser is not responding
- You receive a lot of bounced emails that you didn’t send
- Command windows open on their own
- Your mobile device battery is draining rapidly
- Everything seems fine. Again, many malware attacks are silent, including spyware and bot malware. You should be scanning your systems regularly and applying modern endpoint protection to all of your assets.
Types of Malware
In the years since the Morris Worm debuted, adversaries have applied a great deal of creativity to the concept of malware, coming up with new types of attacks as enterprise technology has evolved. The most common types of malware today are:
In a ransomware attack, an adversary encrypts a victim’s data and offers to provide a decryption key in exchange for a payment. The decryption key may or may not work, if the adversaries deliver it at all. Ransomware attacks are usually launched through malicious links delivered via phishing emails, but unpatched vulnerabilities and policy misconfigurations are used as well. Ransomware is one of the most common types of malware attacks today. Just over half of businesses globally reported ransomware attacks in 2020, and 73 percent resulted in the encryption of a targeted organization’s data.
Fileless malware uses tools native to Windows systems to execute attacks against the owners of those systems. Traditional malware requires the installation of a malicious program, and these installed programs can be detected and blocked by antivirus solutions. But fileless malware doesn’t install any programs – it exists only in the memory of the system, leaving no evidence that can be analyzed by security teams or signatures that traditional antivirus solutions can block.
Spyware secretly collects information about a targeted individual or organization. It is used by malicious actors as various as jealous spouses, criminal organizations, and nation-states. Spyware has been around a long time and rarely makes headlines, but bad actors have not stopped using it. To the contrary, businesses experienced a 142 percent increase in attacks between 2017 and 2018.
Adware is a type of spyware that watches a user’s online activity in order to determine which ads to show them. While adware is not inherently malicious, it has an impact on the performance of a user’s device and degrades the user experience.
A trojan is malware that appears to be legitimate software. Trojans may be disguised as native operating system programs or they may appear to be harmless files like free downloads of consumer tools or games. Trojans are installed through social engineering techniques such as phishing or bait websites. Once a trojan gains access to a system, it may commence its destructive activity, wait for instructions from its operator, download additional malware, interfere with security controls, or incorporate the targeted system into a bot network.
A worm is a self-contained program that replicates itself and spreads the copies to other computers. A worm may infect its target through a software vulnerability or it may be delivered via phishing or smishing. Once a worm is embedded, it can modify and delete files, inject more malicious software, or simply replicate in place until the targeted system runs out of resources.
Unlike worms, which are self-contained, viruses need to infect another program in order to operate. There are numerous types of viruses and they behave in different ways, but they all propagate by infecting other programs and then execute a payload. The payload can be any of a multitude of nefarious actions, including keylogging to capture banking credentials, hijacking the computer into a botnet, or encrypting data as part of a ransomware attack.
A rootkit is a software package that contains all the tools its operators need to acquire remote access and administrator-level control of a targeted computer. Rootkits are typically injected through the use of a trojan. This type of malware is designed to evade traditional antivirus solutions.
Keyloggers record a user’s keystrokes and send the records back to their operators. There are legitimate reasons to use keyloggers, such as IT troubleshooting or law enforcement surveillance, but criminals use keyloggers to acquire financial or personal information, such as credit card numbers and passwords. Keyloggers can reach their targets through infected websites, apps, or USB drives, or through phishing emails. They also may be delivered as part of a malware bundle that is meant to be used as part of a larger attack, or they may be sold on the dark web as part of a broader malware kit that includes ransomware, botnet, cryptomining, and other tools that help bad actors launch many types of attacks.
A bot is part of a botnet, which is a network of infected computers that are slaves to the bot operator’s commands. Botnets are used to infect other computers, collect volumes of personal or business information, and conduct distributed denial-of-service (DDoS), cryptomining, spam, and other attacks. Bots are delivered through phishing emails and poisoned apps.
Mobile malware is any type of malware designed to target mobile devices. Mobile malware is delivered through malicious downloads, operating system vulnerabilities, phishing, smishing, and the use of insecure WiFi.
Cryptocurrency is mined by using computers to solve cryptographic equations. This activity eats up resources, both computing and electrical. Cryptojacking is when an unauthorized person installs malware on a victim’s computer and uses it to run cryptomining programs. Cryptojacking software may be delivered through phishing emails or it may only run in-browser, meaning it only runs while a victim is on the attacker’s web page.
An exploit is a piece of software or data that opportunistically uses a weakness or bug in an operating system or app to provide access to unauthorized actors. The exploit may be used to install more malware or steal data. The type of exploit most commonly making headlines is the zero-day exploit, which is an exploit for which there is no known defense.
A Brief History of Malware
The idea of self-reproducing software goes back to 1949, when a mathematician named John von Neumann theorized that “computing machines” could use elements in their environments to modify themselves.
About 20 years later, that idea was put to the test when Bob Thomas, an engineer at BBN Technologies, wrote a program that infected DARPA computers and caused them to display the message, “I’m the creeper: catch me if you can.”
Another 10 years passed before malware made a real impact on the world. In 1988, a college student named Robert Morris wrote a program that became known as the “Morris Worm.” Although its author stated that his intent was to test internet security flaws, the worm spread with such rapidity and was so hard to stop that it ultimately caused between $100K and $10M in damages. Morris was tried and convicted under the Computer Fraud and Abuse Act and sentenced to a fine, probation, and 400 hours of community service.
At the turn of the century, malware not only became more prevalent but continued to evolve as well. The growing worldwide web offered new and lucrative opportunities to monetize malware. Malicious toolkits, email worms, phishing schemes and other methods of delivery spread online at a rampant pace.
Since 2010, malware has gone through yet another evolution. The targets of malware attacks have also expanded beyond just individual consumers and their desktops to organizations and Internet of Things (IoT) devices. In recent years, nation-state and eCrime actors have focused on more sophisticated, large-scale attacks – what we now refer to as Big Game Hunting.
The history of malware shows that malicious software is unlikely to stagnate in the future. Adversaries will continue to modify their tactics to evade prevention solutions that lag behind the times – making next-generation technologies more important than ever.
Detecting and Removing Malware
Because malware is varied and always evolving, the only way to prevent it is to take a multi-pronged approach driven by constant innovation. Traditional Antivirus (AV) is simply no longer effective. Organizations need to get ahead of their adversaries by stopping malware before it infects their systems.
Why Traditional AV Doesn’t Stop Malware
Traditional AV compares suspected threats to a list of known threats by looking for Indicators of Compromise (IOCs), which are small pieces of code that are like digital fingerprints. This approach no longer works because no matter how promptly antivirus vendors update their signature databases, they can’t keep up with the pace at which new malware is emerging.
That leaves organizations in the weak position of always being a step behind their adversaries, only able to react to attacks and never able to proactively prevent them.
Malware Protection Needs a Next-Gen Solution
The Falcon platform uses a unique and integrated combination of methods to prevent and detect known malware, unknown malware, and fileless malware (which looks like a trusted program). These methods include machine learning, exploit blocking, behavioral analysis, and blacklisting.
Falcon uses machine learning to block malware without using signatures. Instead, it relies on mathematical algorithms to analyze files and can protect the host even when it is not connected to the internet.
But malware does not always come in the form of a file that can be analyzed by machine learning. Some types of malware may be deployed directly into memory through the use of exploit kits. To defend against these, Falcon provides an exploit blocking function that adds another layer of protection.
What about fileless malware that doesn’t use an exploit kit, such as certain types of ransomware? To protect systems against these threats, Falcon uses IOAs, which look across both legitimate and suspicious activities to detect stealthy chains of events that indicate malware infection attempts. Most IOAs can prevent non-malware attacks as well.
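To make the contrast between signature matching (described under “Why Traditional AV Doesn’t Stop Malware”) and IOA-style behavioral detection concrete, here is an added example in Python; it is not part of the original article and is not Falcon code. The signature database, the process names, the telemetry lines and the three-stage detection chain are all constructed for illustration and are not real Falcon rules.

```python
# Added example (not from the original article or the Falcon product).
# Left side: hash-based signature matching, which only recognizes a file whose
# fingerprint is already in the blocklist. Right side: an IOA-style detector that
# flags a chain of events on a host regardless of which binary produced them.
import hashlib
from collections import defaultdict

# Constructed "signature database": SHA-256 of one known-bad sample's bytes.
KNOWN_BAD_BYTES = b"constructed stand-in for a known malware file"
SIGNATURES = {hashlib.sha256(KNOWN_BAD_BYTES).hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """Traditional AV check: hit only if this exact fingerprint is already known."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES

# Constructed endpoint telemetry, in time order: (host, parent, child, event_kind).
EVENTS = [
    ("ws1", "explorer.exe",   "winword.exe",    "process_start"),
    ("ws1", "winword.exe",    "powershell.exe", "process_start"),
    ("ws1", "powershell.exe", "powershell.exe", "net_connect"),
    ("ws1", "powershell.exe", "vssadmin.exe",   "process_start"),
    ("ws2", "explorer.exe",   "chrome.exe",     "process_start"),
    ("ws2", "chrome.exe",     "chrome.exe",     "net_connect"),
]

# Illustrative IOA: an Office application spawns a shell, the shell reaches the
# network, then the shell starts a backup-management tool. No file hash is involved,
# so a never-seen or in-memory-only payload is caught by its behavior alone.
OFFICE_APPS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
BACKUP_TOOLS = {"vssadmin.exe"}

def ioa_detect(events):
    """Return the hosts on which the full three-stage chain completes."""
    stage = defaultdict(int)   # per-host progress through the chain (0..3)
    hits = []
    for host, parent, child, kind in events:
        s = stage[host]
        if s == 0 and kind == "process_start" and parent in OFFICE_APPS and child in SHELLS:
            stage[host] = 1
        elif s == 1 and kind == "net_connect" and parent in SHELLS:
            stage[host] = 2
        elif s == 2 and kind == "process_start" and parent in SHELLS and child in BACKUP_TOOLS:
            stage[host] = 3
            hits.append(host)
    return hits
```

Appending a single byte to the known sample defeats the signature check, while the behavioral chain on ws1 is flagged without any file being hashed at all.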
Falcon also allows organizations to blacklist applications, automatically preventing them from running anywhere in the organization.
These powerful methods work together in Falcon to produce an integrated approach that effectively protects against most malware and breaches. Take a tour of the Falcon Platform or experience it yourself today with a free trial.