Malware Attacks: Definition and Best Practices
Let’s jump in and learn:
What is a Malware Attack?
A malware attack is when malicious software is used to infect a system to cause damage or for theft. Malware, also known as malicious software, has many variants created to damage, exploit, or disable computers, laptops, mobile devices, Internet of Things (IoT) devices, and networks.
Intent and approaches for malware attacks can vary. Typical malware objectives, common malware delivery methods, types of malware attacks, and more are covered below. Since the first malware was discovered, individuals and organizations have been under attack with hundreds of thousands of malware variants.
The First Malware Attack to Be Discovered
The Creeper virus (also referred to as the Creeper worm) was discovered on March 16, 1971.
It is not known who created the first self-replicating program in the world, but it is clear that the first worm in the world (Creeper) was created by BBN engineer Robert (Bob) H. Thomas in Cambridge, Massachusetts. The Creeper was an experimental self-replicating program that was not destined to cause damage, but designed to demonstrate a mobile application.
The Creeper was written in PDP-10 assembly and ran on the Tenex operating system (Tenex is the OS that saw the first email programs, SNDMSG and READMAIL, in addition to the use of the "@" symbol that appears in our email addresses even today), and used the ARPANET (predecessor of the current Internet) to infect DEC PDP-10 computers that were running Tenex. The Creeper caused infected systems to display the message "I'M THE CREEPER: CATCH ME IF YOU CAN.”
The Creeper would start to print a file, but then stop, find another Tenex system, open a connection, pick itself up and transfer to the other machine (along with its external state, files, etc.), and then start running on the new machine, displaying the message. The program rarely, if ever, actually replicated itself; instead, it jumped from one system to another, attempting to remove itself from previous systems as it propagated forward.
The Creeper did not install multiple instances of itself on several targets. It just moved around a network.
It is uncertain how much damage (if any) that the Creeper caused. Most sources say the worm was little more than an annoyance. Some sources claim that the Creeper replicated so many times that it crowded out other programs, but the extent of the damage is unknown.
The Creeper revealed the key problem with such worm programs—it is difficult to control the worm.
Malware is created and propagated by a wide range of people. Malware attacks are unleashed by a variety of vandals, blackmailers, and other criminals who seek to cause disruption, get attention, make a statement, or steal money. Individuals, organizations, and even governments have been known to perpetrate malware attacks.
Typical Malware Objectives
Though malware objectives vary in scope and goal, propagators of a malware attack usually have one or more of the following motivations:
- Make or steal money
- Commit espionage, targeting secret or sensitive information
- Create disruption
- Bypass access controls
- Harm computers, devices, or networks
- Activism, also known as hacktivism
- Gray market “business,” such as:
- Distributing unrequested advertisements and promotions
- Offering fake software utilities
- Enticing users into accessing chargeable content online
Common Malware Delivery Methods
Since its inception in the early 1970s, a number of malware vectors have been identified. Common malware delivery methods include the following.
Users are tricked into clicking a file attachment, such as a PDF, ZIP, document, spreadsheet, or other email attachment that includes the malware. Depending on the value of the payload, the people behind the attack may conduct extensive research on their targets to make the email look more legitimate by including specific details related to the users.
Once opened, the malware is on the system and ready for action. However, malware activation is not always the same. In some cases, the malware attack begins immediately. Other malware attacks may lie in wait for days, weeks, or even months.
Malware attacks often start with a malicious URL, which is a link created with the purpose of drawing users into a malware attack. Once the link is clicked, all types of malware could be downloaded and begin to compromise systems and networks.
Malicious URLs show up in emails, on websites, and even in social media posts and ads. In the case of emails, messages are often worded with a sense of urgency or intrigue to entice users to click.
Remote Desktop Tools
A number of remote desktop tools allow users to connect to another computer over a network connection. While these tools are helpful, remote desktop tools are a popular attack vector for malware, because of their open ports.
Malware attacks can include a port-scan phase where the Internet is trolled for computers with exposed ports. Once an exposed port is identified, the attacker attempts to get into the targeted system by exploiting security vulnerabilities or using brute force attacks.
Once inside, the malware attack ensues and often includes a step to disable antivirus software or leave a backdoor open for future malware attacks.
Malicious Advertising (Malvertising)
Malvertising uses malicious online advertisements to spread malware and launch malware attacks. Perpetrators buy ad space on legitimate online advertising networks and post ads infected with malware.
Because so many ads are submitted to ad networks, it is challenging to identify malicious ads. In addition, most ads rotate, which makes it hard to pin down the malvertisement even when the page has been flagged.
Ads are creatively produced to look legitimate and entice users to click. Once the user clicks, the malware scans the system for information about its software, operating system, browser details, and more to identify a vulnerability that can be exploited.
Drive-by Download Attack
Viruses can be hidden in the HTML of compromised websites, so when a user visits the site, the malware is automatically downloaded when the page is loaded. The fact that a download happens without the user’s knowledge makes this a particularly menacing malware attack vector.
Drive-by downloads are made possible by hosting the malicious content on the attacker’s site or exploiting vulnerabilities to inject malware into legitimate websites.
Self-propagating malware can move from computer to computer or network to network, propagating itself. Older strains of malware were only able to infect the single system where it was installed. More advanced malware variants are able to spread across an entire organization.
Free and Pirated Software
Rarely does anyone get something for nothing, so it is not surprising that free or pirated software often comes with adware or hidden malware. Even if it does not contain malware, this software is vulnerable because unlicensed software does not receive patches to address vulnerabilities that can be exploited in malware attacks.
USB drives and external hard drives are common vectors for malware attacks. These devices are commonly infected with malware which loads onto users’ systems when they are connected.
Other Malware Delivery Methods
- Operating system and application vulnerabilities provide security loopholes and backdoors for malware attacks.
- Social engineering is used to launch malware attacks as users can be enticed into clicking malicious URLs or downloading infected files.
- Connected smart devices and IoT devices serve as vectors for malware attacks.
Types of Malware Attacks
There are many types of malware attacks with multiplying variants on each. Below is an overview of the most common types of malware attacks.
Adware is ostensibly benign, but is still malware and does have a dark side.
The basic functions of adware programs are displaying online advertisements, redirecting search requests to advertising websites, and collecting information about users. Adware can also change internet browser settings, default browser and search settings, and the home page.
Adware takes advantage of browser vulnerabilities to infect systems. One danger of adware is that a user profile can be created from the data collected and used for targeted malware attacks.
Bots and Botnets
A bot, or robot, is a malicious version of a program designed to automate tasks. A benign bot would be used for legitimate purposes, such as indexing search engines and searching for information to provide real-time updates. In the context of malware attacks, bots deliver spam for phishing attempts and turn computers into zombies.
The bot infiltrates a computer and then automatically receives and executes instructions given from a centralized command and control server. Bots have similar traits as other malware. Like worms, they can self-replicate and can replicate based on users’ actions, like viruses and Trojans.
Used in large numbers, bots can take over an entire network, turning it into a botnet that can be used to launch large-scale attacks. The most common botnet malware attack is a distributed denial of service (DDoS) attack, which can render systems, networks, or an entire domain unavailable.
One of the most common types of malware, the computer virus, is a piece of code that inserts itself into an application. The virus executes when the application is run, so it relies on an unsuspecting user or an automated process to start its work.
Once the virus executes, the malware attack begins with the virus spreading across computers and networks.
Viruses can also be used to steal information or money, create botnets, and launch other malware.
Fileless malware is injected into a running process, taking advantage of tools that are built into the operating system to carry out attacks. Because there is not an executable file, there is no signature for antivirus software to detect. Fileless malware attacks are also referred to as living-off-the-land attacks.
A keystroke logger, or keylogger, is a type of spyware that monitors user activity by recording every keystroke entry made on a computer. Like bots, keyloggers have legitimate uses, such as monitoring employee activity and keeping track of children’s online behavior. Keyloggers are also used for malware attacks and capturing sensitive information, such as usernames, passwords, answers to security questions, and account numbers.
A more advanced type of software used for malware attacks is metamorphic malware. Metamorphic malware is capable of changing its code and signature patterns with each iteration, which means that each newly propagated version of itself no longer matches the previous one. In essence, the malware becomes a completely different piece of software.
While metamorphic malware is more difficult to develop, it has proven to be an effective way for cybercriminals to disguise their malicious code to avoid detection from antimalware and antivirus programs and hide identifiable signatures.
Malware attacks have been honed to take advantage of the unique vulnerabilities in mobile devices. Smartphones, tablets, and IoT devices are equally or more susceptible to the malware attacks that are perpetrated on computers and networks.
Unlike metamorphic malware, which completely changes itself, polymorphic software alters its appearance and does so rapidly—as frequently as every 15-20 seconds. By altering its appearance, polymorphic malware can evade detection by antivirus and antimalware programs. This attribute is associated with many types of malware attacks.
Also known as scareware, ransomware is used for malware attacks designed for extortion. Ransomware attacks use encryption to lock down networks and prevent access to data until a ransom is paid. There is no way to decrypt data without the encryption key, so ransomware has been a lucrative malware attack type for cybercriminals.
Remote Administration Tools (RATs)
Remote administration tools give attackers total control over systems. Legitimate tools have been repurposed for malware attacks; remote administration tools are difficult to detect. Remote administration tools usually do not appear in lists of running programs or tasks, and are often mistaken for legitimate programs.
A rootkit is a set of malicious attack software tools that gives an unauthorized user remote control of a victim’s computer with full administrative privileges. Rootkits are usually injected into applications, kernels, hypervisors, or firmware.
Once installed, rootkits can be used to execute files and change system configurations as well as conceal other malware. While a rootkit cannot self-propagate or replicate, it is difficult to detect and remove.
Spyware is designed to monitor and capture information about online activities. Unlike adware, spyware can also capture sensitive information.
While not all spyware is malicious, it does invade privacy and captures data that can be used to support other malware attacks. Spyware spreads by exploiting software vulnerabilities, injecting itself into legitimate software, or via Trojans.
A Trojan is a malware program that enters systems in disguise and tricks users into installing it. Once installed, the Trojan gives unauthorized access to the affected system, allowing cybercriminals to introduce additional malware and launch malware attacks.
Like viruses, worms are infectious and able to replicate themselves. An important difference is that, unlike a virus, worms do not require users’ actions to activate. Worms can self-propagate and move to other systems as soon as the breach occurs.
Usually taking advantage of operating system vulnerabilities, worms can quickly spread across networks. Worms can be programmed to delete files, encrypt data, steal information, install backdoors, and create botnets.
Worm vs. Virus vs. Trojan
|Tunnels into systems then moves through networks||Attaches to legitimate programs and runs when the affected program is executed||Disguises as a legitimate program, enticing users to download it|
|Self-replicates||Self-replicates||Cannot replicate itself|
|Can be controlled remotely||Cannot be controlled remotely||Can be controlled remotely|
|Fast spread rate compared to viruses and Trojans||Moderate spread rate compared to worms and Trojans||Slow spread rate compared to worms and viruses|
Malware Attack Techniques
There are a finite number of techniques employed by attackers when crafting malware attacks. And, though there are many different types of malware attacks, they follow a common pattern.
Malware attacks also include a number of tactics to evade detection:
- Wrappers to hide malware
- Variations, such as those created by polymorphic and metamorphic malware
- Packers to bypass prevention measures
- Limiting a malware attack to a specific machine or configuration
Five Malware Attack Techniques
- 1. Establish objectives and assess targets.
The end goal drives the decision about what type of malware attack to use.
- 2. Determine the best exploit to employ.
Vulnerabilities are identified to find the optimal point of entry.
- 3. Enter the system.
Malware is delivered onto the system.
- 4. Execute the malware attack.
With the malware in place, the attack starts.
- 5. Malware replication and propagation.
The malware replicates itself and moves laterally to exploit other systems.
Best Practices for Preventing Malware Attacks
- Keep frontline defenses up to date.
- Create application, system, and appliance security policies.
- Use strong usernames and passwords.
- Enable two-factor authentication.
- Regularly install patches and immediately patch critical vulnerabilities.
- Document backup / restore plans and policies.
- Educate users about cybersecurity and malware attack defensive protocols.
- Train users on who and what to trust.
- Teach users how not to fall for phishing or other social engineering tactics.
- Explain the remediation steps in the event of a malware attack.
- Partition networks.
- Remove unnecessary browser plugins.
- Use security tools.
- Employ security analytics.
- Monitor network traffic for anomalies.
- Use advanced analytics to see across networks.
- Develop and use prevention and remediation programs and processes.
- Deploy a zero-trust security framework to enforce least-privilege protocols.
- Be wary of email.
- Only open attachments from trusted senders.
- Look at the sender’s address to confirm that it is legitimate.
- If an attachment includes macros, do not open it.
- Use email filtering to block malicious attack software.
Employees are a critical line of defense against malware attacks. Training raises awareness about how habits and behaviors can impact overall security. Employee training about malware attacks also provides guidance on best practices for being part of the overall security posture.
When preparing employee training around malware attacks, consider these important points to ensure the efficacy of training:
- Include malware-specific topics in cybersecurity training.
- Make cybersecurity training mandatory for all employees.
- Require regular cybersecurity refresher training and include the latest malware trends.
- Focus training on how employees can be part of the solution, as defenders against malware attacks.
Topics that should be part of employee training include:
- Email scams
What they are and how they work, with a focus on phishing and spear phishing
- Malicious URLs
What they do and how to identify them
What types of malware exist, how to avoid it, and what to do if employees accidentally engage with malware
- Password security
What password protocols exist and instructions for how to adhere to them
- Removable media
The dangers of removable media and how to safely share sensitive files
- Social networking dangers
Explain what dangers exist and how to avoid scams
- Physical security
What to keep in mind, from what information is accessible on desks and laptops to policies regarding open doors and unknown visitors
How to Detect a Malware Attack
Malware attacks, while often stealthy, may generate signs of their presence. Clues that can indicate a malware attack include:
- Computers slowing down
- System resource usage appearing abnormally high
- A computer’s fan running at full speed
- A proliferation of annoying pop-up ads
- Unanticipated loss of disk space
- An increase in a system’s internet activity
- Changes to browser settings
- Antivirus / anti-malware that stops working
- Loss of access to files
- A higher volume of network activity
- Abnormal behavior across systems
Examples of Malware Attacks
Adware Used for Malware Attacks
Usually bundled with free software that overwhelms browsers with ads.
Starts discreetly, but ultimately takes full control of the target browser.
Developed in the Netherlands, it was one of the first big adware programs to spread worldwide. It was instrumental in a number of large-scale botnet attacks.
Chinese malware that infects target browsers and turns them into zombies.
Removed ads from sites and replaced them with their ads from the network.
Botnet Used for Malware Attacks
- EarthLink Spammer
Created to send phishing emails.
Attacks IoT devices and exploits unpatched, legacy vulnerabilities.
Uses command and control servers around the world and sends hundreds of spam messages.
Infects digital smart devices and turns them into botnets.
Computer Viruses Used for Malware Attacks
Used an enticing email message to get users to open an attached infected document, which granted the virus access, then emailed the same message and attachment to all email contacts.
- Code Red
Replicated itself, taking over computer resources, then opened targeted machines for remote access.
Manipulated vulnerabilities to slow down systems, then caused crashes and made it difficult to power down.
Fileless Malware Used for Attacks
Referred to as an information stealer that is capable of running undetected, it takes sensitive information from an affected user (e.g., account credentials, keystrokes, data) and sends it to the attacker.
- Olympic Vision
Gains access to business email accounts, then steals information, including the computer name, Windows product keys, keystrokes, network information, clipboard text, and data saved in browsers, exfiltrating it and taking screenshots. It also gains access to messaging clients, FTP clients, and email clients.
- SQL Slammer
Exploited vulnerabilities in SQL servers.
Took advantage of the same vulnerability as WannaCry, but it was fileless malware.
Spyware Used for Malware Attacks
- CoolWebSearch (CWS)
Installs via malicious HTML applications, then hijacks Web searches, the home page, and other settings.
Targeted business and government leaders who used hotel Wi-Fi networks.
- Internet Optimizer
Hijacks error pages and redirects users to their webpage.
Monitors requested webpages and data entered into forms, then sends related pop-up ads.
Ransomware Used for Malware Attacks
For more on ransomware, see the Ultimate Guide to Ransomware.
Rootkit Software Used for Malware Attacks
Infects systems when users download a fake VPN app, then acts like a human to trick behavioral analysis software.
A kernel-mode rootkit that downloaded malware in the background and made affected systems part of its botnet.
Monitors network traffic, captures screenshots and audio from computers, and logs keyboard activity.
Trojans Used for Malware Attacks
Considered to be the world’s most dangerous malware until it was stopped in 2021, it acted as a door opener for computer systems around the globe, then sold that access to cybercriminals.
This is a slang term for malware that is used by governmental entities to surreptitiously extract information from targeted systems.
A rooting Trojan that gains access to sensitive areas in the operating system and installs spam apps.
Also known as Zbot, Zeus is malware software that targets devices’ operating systems and can grant access to third parties.
Worms Used for Malware Attacks
Reset account lockout settings and blocked antivirus software, then locked users out and used ransomware to extort payments.
With its “LOVE-LETTER-FOR-YOU” attachment and “ILOVEYOU” subject line arriving in an email from a friend, ILOVEYOU became the first global computer virus pandemic, and it remains one of the farthest-reaching worms ever. Once activated, ILOVEYOU generated millions of messages that crippled mail systems and overwrote millions of files on computers across the world.
Regarded as one of the fastest-spreading and most destructive computer viruses of all time. At one point, the MyDoom worm generated up to a quarter of all emails sent worldwide. MyDoom scraped email addresses from infected computers, spread to the contacts, then began sending a new version of itself as a malicious attachment. .
Unlike any other virus or worm that came before, Stuxnet wreaked havoc and destroyed the equipment the computers it controlled, rather than sticking with the computer or jumping around networks to other computers.
Take Precautions Against Malware Attacks
The many objectives, methods, techniques, and types of malware attacks generate fear in most organizations; the financial costs, lost productivity, and other problems that are created are quite staggering. Businesses should stay informed and be vigilant against malware attacks, with recovery plans ready to execute if an attack does occur.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 3rd August, 2021