Malware poses a significant threat to enterprises, and it is crucial for security departments to actively monitor networks to detect and contain malware before it can cause extensive damage. Prevention plays a key role in defending against malware attacks, but in order to prevent an attack, it is essential to have a clear understanding of what malware is and the different types that exist.
Malware, short for malicious software, is an umbrella term that covers several subcategories. Attackers use malware to infect and harm devices and networks. Let’s take a closer look at some of the most common types of malware:
1. Viruses: These are computer programs that infect devices and replicate themselves across systems. Viruses require human intervention to spread. Once users download the malicious code onto their devices, typically through malicious advertisements or phishing emails, the virus can quickly spread throughout their systems. Viruses can modify computer functions and applications, copy, delete, and exfiltrate data, encrypt data for ransomware attacks, and carry out distributed denial-of-service (DDoS) attacks. The Zeus virus, first discovered in 2006, is still being used by threat actors today. It is used to create botnets and steal victims’ financial data.
2. Worms: Worms are self-replicating malware that infect other computers without human intervention. They exploit security vulnerabilities or use malicious links or files to enter devices. Once inside, worms search for other networked devices to attack. Worms are often disguised as legitimate work files, making them difficult to detect. One well-known worm is WannaCry, a form of ransomware that took advantage of the EternalBlue vulnerability in outdated versions of Windows’ Server Message Block protocol. WannaCry quickly spread to 150 countries and infected nearly 5 million devices.
3. Ransomware: Ransomware is a specific type of malware that locks or encrypts files or devices and demands a ransom from victims in exchange for access. Ransomware attacks have become increasingly prevalent and sophisticated in recent years. There are different types of ransomware, including locker ransomware, crypto ransomware, extortionware, double extortion ransomware, and triple extortion ransomware. Ransomware as a service (RaaS) is also a growing trend, where individuals can rent ransomware for their malicious activities. Some well-known ransomware variants include REvil, WannaCry, and DarkSide, the strain that was responsible for the Colonial Pipeline attack.
4. Bots: Bots are self-replicating malware that create a network of infected devices called a botnet. Once a device is infected, it can be controlled by the attacker to perform automated tasks. Botnets are often utilized in DDoS attacks, keylogging, and phishing campaigns. Mirai is a classic example of a botnet that launched a massive DDoS attack in 2016 and continues to target IoT and other devices today. Research has also shown an increase in botnet activity during the COVID-19 pandemic, as infected consumer devices used by employees working from home became a gateway for the malware to spread to corporate systems.
5. Trojan horses: Trojan horses are malicious software that appear legitimate to users. They rely on social engineering techniques to gain access to devices. Once inside, Trojans install a payload, typically malicious code, to facilitate the exploit. Trojans provide attackers with backdoor access to a device, enabling them to perform various actions such as keylogging, installing viruses or worms, and stealing data. Remote access Trojans (RATs) allow attackers to take control of an infected device and use it to infect other devices, creating a botnet. Emotet is an example of a Trojan horse that was first discovered in 2014 and continues to be a persistent threat, helping threat actors steal victims’ financial information.
6. Keyloggers: Keyloggers are surveillance malware that monitor keystroke patterns. Threat actors use keyloggers to obtain victims’ usernames, passwords, and other sensitive data. Keyloggers can be implemented as either hardware or software. Hardware keyloggers need to be manually installed into keyboards, and the attacker must physically retrieve the device after the victim has used it. Software keyloggers, on the other hand, can be downloaded by victims unknowingly through malicious links or attachments. They record keystrokes and upload the data to the attacker. The Agent Tesla keylogger, which emerged in 2014, is widely deployed and continues to be a significant threat. It not only logs keystrokes but also takes screenshots of victims’ devices.
7. Rootkits: Rootkits are malicious software that allow threat actors to remotely access and control a device. They facilitate the spread of other types of malware like ransomware, viruses, and keyloggers. Rootkits are often difficult to detect because once they are inside a device, they can deactivate antimalware and antivirus software. Rootkits typically enter devices through phishing emails and malicious attachments. NTRootkit, which appeared in 1999, was the first rootkit, and Hacker Defender, released in 2003, became one of the most widely deployed rootkits in the 2000s.
8. Spyware: Spyware is malware that is installed on a device without the user’s knowledge and steals the user’s data for advertising or other external use. It can track credentials, obtain bank details, and gather other sensitive information. Spyware infects devices through malicious apps, links, websites, and email attachments. Mobile device spyware is particularly damaging because it tracks a user’s location and has access to the device’s camera and microphone. Adware, keyloggers, Trojans, and mobile spyware fall under the category of spyware. Pegasus, a mobile spyware that targets iOS and Android devices, was first discovered in 2016 and has been linked to Israeli technology vendor NSO Group. It was also associated with the assassination of Saudi journalist Jamal Khashoggi in 2018.
9. Fileless malware: Fileless malware differs from traditional malware in that it does not write code to the victim’s hard drive. Instead, it abuses legitimate tools such as PowerShell, Microsoft Office macros, and Windows Management Instrumentation (WMI) to infect systems. Because fileless malware resides in memory, it is difficult to detect with traditional file- and signature-based tools such as antivirus and antimalware products. Examples of fileless malware include Frodo, Emotet, and Sorebrect.
10. Cryptojacking: Cryptomining is a process that requires significant processing power to validate transactions within a blockchain. Malicious actors engage in cryptojacking by using the resources of an infected device, including electricity and computing power, to conduct mining operations. This can result in performance degradation and financial losses for the device owner.
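Because fileless malware (item 9 above) leaves no file for a signature scanner to inspect, defenders look instead at process behaviour. The following Python snippet is an added illustration, not code from the original article: it applies a few parent/child and command-line heuristics (Office or WMI spawning a script host, an encoded or hidden-window PowerShell launch) to constructed process-creation records. The record layout, sample paths and rule names are assumptions made for this example.

```python
import base64
import re

# Constructed process-creation records (parent image, image, command line).
# These are invented samples for illustration, not real telemetry.
ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": PS,
     "cmdline": "powershell.exe -NoProfile -w hidden -enc " + ENC},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": PS,
     "cmdline": 'powershell.exe -nop -c "Get-Process"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)\s-e(?:ncodedcommand|ncoded|nc|n|c)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)\s-w[indowstyle]*\s+hidden")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (UTF-16LE base64), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(ev):
    """Apply behavioural rules to one event; return (rule names, decoded script)."""
    parent, image = basename(ev["parent"]), basename(ev["image"])
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office_app_spawned_script_host")  # macro delivery vector
    if parent == "wmiprvse.exe" and image in SCRIPT_HOSTS:
        findings.append("wmi_spawned_script_host")         # WMI delivery vector
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        findings.append("powershell_encoded_command")      # decoded text goes to the analyst
    if HIDDEN_FLAG.search(ev["cmdline"]):
        findings.append("powershell_hidden_window")
    return findings, decoded
```

Running `analyze_event` over each record flags only the Office-spawned encoded launch and the WMI-spawned shell, while the plain script run from Explorer stays clean.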
As malware attacks continue to evolve and become more sophisticated, it is crucial for enterprises to stay informed about the various types of malware and take proactive measures to protect their systems and data. This includes deploying advanced protection technologies, regularly updating software and operating systems, educating employees about cybersecurity best practices, and implementing robust backup and disaster recovery strategies. By staying vigilant and proactive, organizations can reduce their vulnerability to malware and minimize the potential damage caused by malicious attacks.
