What is malware?
Any software designed with malicious intent is malware. It’s a broad category that includes ransomware, spyware, computer viruses, and more. Malware is intentionally created to harm computer systems, making malware attacks distinct from cyberattacks that exploit vulnerabilities in legitimate software.
The vast majority of modern cyberattacks involve malware to some degree. Intentionally malicious software takes many forms, from highly disruptive ransomware to adware that is merely annoying.
Cybercriminals develop malware for the same reasons legitimate developers create applications. Malware automates difficult and time-intensive tasks while expanding the scalability of cybercrime operations.
Often, the success of a cyberattack comes down to the complexity and quality of the malware responsible. Cybercrime organizations with sophisticated development processes, specialist expertise, and financial resources can create highly effective malware — and many do.
Key characteristics of malware attacks:
Cybersecurity experts define different types of malware according to three broad categories. These categories answer basic questions about the malware itself:
- Objective. What is the malware designed to do? How does it pursue those goals? What kind of IT infrastructure must be in place for the malware to work?
- Delivery. How is the malware delivered to the target? What security vulnerabilities must be exploited for successful delivery?
- Concealment. How does the malware avoid detection? What do the victim’s internal monitoring systems see when they analyze the malware?
Understanding malware objectives
All malware is designed with a specific goal in mind. Since malware creators don’t always broadcast their intentions, threat intelligence teams must conduct investigations to find out what those objectives are.
- In some cases, this is easy. Most ransomware variants have a simple goal — disrupt the victim’s business operations so the attacker can extort them for money.
- In other cases, identifying malware objectives is very difficult. In 2010, Stuxnet perplexed researchers by spreading aggressively around the world. It took six months of reverse engineering to figure out that the malware was designed to target Iranian nuclear energy infrastructure.
While the number of potential malware objectives is practically infinite, most malware is designed to achieve one of three things:
- Exfiltrating information. This includes stealing login credentials, payment information, or other sensitive data. Data exfiltration allows cybercriminals to conduct fraud and identity theft or leverage sensitive information towards further attacks.
- Disrupting operations. Many malware variants are designed to corrupt or destroy mission-critical IT assets and infrastructure. The main goal is preventing the victim from being able to operate normally and forcing them to spend time and money resolving the issue.
- Extorting victims for money. Some malware focuses on demanding money from victims directly. It may include a data exfiltration or operationally disruptive component. It may also be an empty threat — some malware simply displays messages threatening to leak information or disrupt operations despite not having the capability to carry out the attack.
Malware delivery
In order to work, malware needs to be installed and active on the victim’s system. That means that before launching a malware attack, hackers must deliver the malicious software onto the victim’s network.
These delivery methods require some form of initial access. Cybercriminals typically use one of the following methods to gain initial access to the victim’s network:
- Phishing. Phishing messages use fraud to trick users into running malicious software or giving up sensitive data to hackers.
- Social engineering. This is when hackers psychologically manipulate users into violating security policies and granting access to sensitive assets.
- System vulnerabilities. Cybercriminals may introduce malware by exploiting technical vulnerabilities in applications, devices, and networks.
- Removable media. Physical storage media like USB drives can be an effective way of delivering malicious payloads.
- Spoofed websites and drive-by downloads. Fake websites may trick users into downloading trojans posing as legitimate applications. Drive-by downloads start automatically when users visit the malicious website — no interaction required.
- Supply chain attacks. Supply chain attacks allow hackers to leverage third-party connections to spread malware between networks and companies.
Malware concealment
Cybercriminals know that cybersecurity experts are constantly coming up with new solutions for detecting malware. They deploy a variety of concealment techniques to keep malware from being detected by antivirus and antimalware software.
Some of the concealment methods hackers use include:
- Obfuscation. This practice involves concealing malicious code in a large volume of clean, non-harmful code. This makes it much harder for analysts to manually pick out the malicious payload.
- Payload encryption. When malware developers encrypt the malicious payload, they make it much harder for antivirus software to reliably detect the payload. This is because most antivirus software works by looking for threat signatures in the code itself.
- Metamorphic malware. This type of malware alters some of its major characteristics every time it propagates to a new device or application. From the perspective of a commercial antivirus solution, it looks like a brand new, unknown type of software.
- Rootkits and bootkits. These tools allow malware to embed itself deep in the target device, concealing itself in the system’s core processes or firmware.
11 Types of malware
Millions of malware variants exist, and no two are exactly alike. Information security experts group malware types together according to their shared characteristics, leading to 11 broad categories of malware:
- Trojan horse. This is malware that pretends to be a legitimate file or application. Some trojans pose as documents for popular productivity apps, while others are compromised versions of the entire application itself.
- Virus. This kind of malware propagates itself through other systems and files using code injection. This allows the virus to spread to other files and applications, or even parts of the operating system.
- Worm. Unlike viruses and trojans, worms can automatically propagate to other systems and networks. This type of malware actively seeks out new targets to infect, sometimes without any interaction from the user at all.
- Ransomware. This type of malware encrypts data, rendering it unusable without the appropriate decryption key. Cybercriminals then extort the victim for money in return for the key.
- Adware. These malware variants display unwanted ads and track user behaviors. Not all adware is malicious, but many variants engage in harmful and unscrupulous activities.
- Spyware. This type of malware steals sensitive data and shares it with cybercriminals. This data might include the victim’s internet activity, login credentials, passwords, or Personally Identifiable Information (PII), putting them at risk of identity theft.
- Rootkits. Since rootkits embed themselves at a very low level in the infected device, they can manipulate a wide range of system functions. For example, they may build backdoors that give hackers privileged access to the network.
- Keyloggers. These are technically a kind of spyware. Keyloggers collect data on user keystrokes, allowing them to capture passwords, chat history, and much more.
- Fileless malware. Hackers can use configuration and automation tools like PowerShell to conduct cyberattacks without having to drop an external malicious payload into the network. Fileless attacks modify assets native to the operating system directly.
- Cryptojacking. Cryptojacking malware uses the device’s computing resources to mine cryptocurrency. This generates profits for hackers and makes the victim’s device work less efficiently.
- Remote access malware. Hackers may use malware to gain remote access to victims’ devices. This allows them to expand their attack using the infected device as if they were physically present. Some hackers specialize in deploying remote access malware and selling access to other cybercriminals on the Dark Web.
Note that real-world cyberattacks may involve using malware that fits into more than one category. For example, Ryuk uses Emotet and TrickBot trojans to launch ransomware attacks.
How to mitigate malware risks
Most cybersecurity tools and techniques are broadly separated into two categories:
- Prevention focuses on keeping malware outside the network entirely. It includes a variety of policies and technologies designed to keep attackers away from sensitive IT infrastructure.
- Detection and response is all about identifying malware threats and taking steps to neutralize them. It includes tools, technologies, and services designed to minimize malware risks.
Prevention-based malware risk mitigation strategies often include:
- Robust authentication policies. Strong passwords and multi-factor authentication can prevent attackers from compromising devices and applications entirely. This makes it much harder for hackers to drop malicious payloads onto network assets.
- Security awareness training. Every role in the modern enterprise is also a cybersecurity role. Employees who understand security risks are much less vulnerable to phishing, social engineering, and other psychological tactics.
- Secure, dedicated backups. Organizations with secure backups are highly resistant to ransomware and similar attacks that corrupt or encrypt network assets. Backups provide business continuity even when IT infrastructure has been compromised.
- Zero Trust network architecture. Segmenting the network according to the principle of least privilege makes it harder for malware infections to spread.
Malware detection and response strategies often include:
- Security Information and Event Management (SIEM). These platforms collect log data and trigger alerts when they detect unusual activity. This allows analysts to investigate the activity and determine whether a malware attack is taking place.
- User and Entity Behavior Analytics (UEBA). This technology establishes a behavioral baseline that corresponds to normal network activity. It triggers alerts when malware disrupts that baseline or causes network assets to deviate from their normal activity, prompting analysts to investigate.
- Network Detection and Response (NDR). Many forms of malware have a visible impact on network performance and traffic flow. NDR solutions can detect these changes while granting visibility into parts of the network that other tools often overlook.
- Endpoint Detection and Response (EDR). Malware typically enters the network by compromising an endpoint device. EDR solutions — and the more sophisticated XDR solutions — incorporate antivirus software into a comprehensive solution for securing endpoint devices against malware threats.
- Well-documented incident response plans. Highly organized, well-documented playbooks for responding to malware attacks dramatically reduce the risks associated with data breaches.
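The SIEM and UEBA items above both come down to the same mechanism: learn what normal looks like from historical logs, then alert when today's activity deviates from it. The following Python script is an added example written for this page (it is not Lumifi's code or any product's detection logic). It builds a per-user baseline of daily file-access counts from constructed log lines in an assumed `timestamp user=... event=... path=...` format, then flags a user whose count on a later day exceeds both a statistical threshold and a fixed minimum delta. The threshold parameters (`sigma=3.0`, `min_delta=5`) are illustrative assumptions, not vendor defaults.

```python
"""UEBA-style baseline-and-deviation detection over constructed log lines.

Added example for illustration; the log format, user names and thresholds
are assumptions made for this script, not taken from any real product.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log format: "<ISO timestamp> user=<name> event=<type> <key>=<value>..."
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) event=(?P<event>\S+)"
)

# Baseline window and constructed per-day counts (five "normal" days).
BASELINE_DAYS = [f"2024-03-0{d}" for d in range(1, 6)]
DETECTION_DAY = "2024-03-06"
NORMAL_COUNTS = {"alice": [2, 3, 2, 4, 2], "bob": [4, 5, 4, 5, 4]}


def constructed_logs():
    """Build a synthetic log: normal days, then a burst of reads by alice."""
    lines = []
    for idx, day in enumerate(BASELINE_DAYS):
        lines.append(f"{day}T08:55:00 user=alice event=login_success src=10.0.0.5")
        for user, counts in NORMAL_COUNTS.items():
            for i in range(counts[idx]):
                lines.append(f"{day}T09:{i:02d}:00 user={user} event=file_read path=/share/doc{i}")
    # Detection day: alice reads 60 files at 02:xx (constructed anomaly), bob is normal.
    for i in range(60):
        lines.append(f"{DETECTION_DAY}T02:{i:02d}:00 user=alice event=file_read path=/share/hr/doc{i}")
    for i in range(5):
        lines.append(f"{DETECTION_DAY}T09:{i:02d}:00 user=bob event=file_read path=/share/eng/spec{i}")
    return lines


def count_events(lines, event):
    """Return {user: {day: count}} for lines whose event field equals `event`."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("event") != event:
            continue
        counts[m.group("user")][m.group("day")] += 1
    return counts


def build_baseline(counts, baseline_days):
    """Per-user (mean, population stdev) of daily counts over the baseline window.

    Days on which a user generated no events count as zero, so a quiet user
    gets a low baseline rather than being ignored.
    """
    baseline = {}
    for user, per_day in counts.items():
        series = [per_day.get(day, 0) for day in baseline_days]
        baseline[user] = (mean(series), pstdev(series))
    return baseline


def detect_anomalies(counts, baseline, day, sigma=3.0, min_delta=5):
    """Flag users whose count on `day` exceeds the learned baseline.

    The threshold is max(mean + sigma*stdev, mean + min_delta): the second
    term stops near-constant baselines (stdev close to 0) from alerting on a
    change of one or two events. Users unseen in the baseline get (0, 0).
    """
    alerts = []
    for user, per_day in counts.items():
        observed = per_day.get(day, 0)
        mu, sd = baseline.get(user, (0.0, 0.0))
        threshold = max(mu + sigma * sd, mu + min_delta)
        if observed > threshold:
            alerts.append({"user": user, "day": day, "observed": observed,
                           "threshold": round(threshold, 2)})
    return alerts


def run_example():
    """Full pipeline on the constructed log; returns the detection-day alerts."""
    counts = count_events(constructed_logs(), "file_read")
    baseline = build_baseline(counts, BASELINE_DAYS)
    return detect_anomalies(counts, baseline, DETECTION_DAY)


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALERT user={alert['user']} day={alert['day']} "
              f"observed={alert['observed']} threshold={alert['threshold']}")
```

Running the script prints a single alert for `alice` on 2024-03-06 (60 file reads against a threshold of 7.6), while `bob`'s five reads stay under his threshold. In a real SIEM or UEBA deployment the baseline would be computed over weeks rather than five days, would be keyed by entity (host, service account) as well as user, and the alert would carry the raw events so an analyst can confirm whether the burst is malware staging data for exfiltration or a legitimate batch job.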
Don’t leave your organization exposed to malware risks
Malware attacks can be incredibly disruptive when left unchecked. Organizations that are unprepared to address these threats run the risk of being exploited by opportunistic cybercriminals.
Meeting the security needs of a modern enterprise is no easy task, though. Security leaders need to balance limited resources between crafting good policies, building resilience into their processes, and achieving operational security excellence.
Managed detection and response vendors like Lumifi let security leaders deploy solutions that meet strict requirements without compromising on quality. We implement custom SIEM configurations, conduct proactive threat hunting, and perform incident response using AI-enriched insights from our proprietary ShieldVision™ SOC automation service. Talk to a specialist to find out how we can help your organization develop its defenses against sophisticated malware threats.