Illustration of security badge with 1 and 0's and webpapges behind
Jump to section

What is malware?

Copy URL

Malware is malicious software, including any software that acts against the interest of the user. Malware can affect not only the infected computer or device but potentially any other device the infected device can communicate with.

Malware spans everything from the simplest computer worms and trojans to the most complex computer viruses. Malware, viruses, and malicious code are relatives but not the same, so only one kind of antivirus software or anti-malware software may not prevent all threats. It can exist on desktop computers, laptops, and mobile devices—and depending on which operating system a device uses (Windows, Android, iOS, or Apple MacOS) malware can attack and present differently. No device is always immune, and most devices—whether they are professional or personal—can benefit from malware protection.

Effective IT security can reduce your organization’s exposure to malware attacks. Common cybersecurity practices include patch management to close vulnerabilities on your systems and access control to limit the harm from malware. Additionally, frequent backups of your data isolated from your main production systems will allow you to quickly and safely recover from a malware infection.

Imagine you work in an average office. You come in one morning, set down your coffee and turn on your computer. Then everything starts to go wrong.

Instead of your desktop, you see a blood-red screen with a padlock and a countdown clock. "Your files have been encrypted," it says. "If you don’t pay in 7 days, you won’t be able to recover your files." You look around. One by one, your coworkers are discovering the same message on all of their computers. Every computer.

This scenario played out in workplaces around the world in May 2017, as the WannaCry malware attacked businesses, government offices, and even critical public services such as hospitals.

Not all malware announces itself in a dramatic fashion. You might be running malicious programs you don’t even know are there, but which slow down your system or violate your privacy. Cybercriminals often design these programs to evade detection and only perform noticeable activities under precise conditions.

You might not be able to stop malware, but you can lower the odds of it disrupting your operations by staying informed and maintaining sensible security practices.

To better understand what malware can do and how to reduce your risks, it’s helpful to break the common types of malware into categories. These types of malware can infiltrate anything from an Android mobile device to an Apple laptop, if you are not careful.

Malware needs a way to spread, as well as code to achieve its intended goal. You can think of this as a delivery system and a payload. Below is a basic summary of that structure, and more detailed explanations follow.

Delivery systems

Trojan horse: Tricks a user into installing it

Worm: Copies itself

May be combined with:

Exploit: Uses a software vulnerability to gain access to a system and sensitive data

Phishing: Tricks a user into providing information that can be used to gain access

Rootkit or bootkit: Gains administrative access to evade detection and obtain more control


Adware: Displays unwanted advertising

Botnet: Places a device under outside control

Cryptocurrency miner: Uses compute power for cryptocurrency work

Ransomware: Demands money

Spyware: Secretly gathers data through a keylogger or other means

Other damage: Data destruction, vandalism, sabotage

Trojan horses

Trojan horses, commonly called trojans, are executable files which propagate through social engineering. By making itself look like something else, a trojan persuades unwitting users to open it and thus launch the executable file. One common strategy is for an attacker to convince a user to open a file or web link that installs malware. For example, trojans like scareware can persuade the user to think that a particular program will help protect their computer, when in fact the program does the opposite. 

In other instances, a user might install an application that seems beneficial—like a nifty browser toolbar or a fun emoji keyboard—but that also contains malware. Another trojan technique involves writing auto-installing malware onto a USB memory stick (or a USB drive), and giving the memory stick to an unsuspecting user. Remote access trojans (RAT) malware allows cybercriminals to control your device remotely after infiltrating.


Worms wriggle into places they aren’t wanted. The first experimental computer worms, which simply made copies of themselves, came about in the 1970s. More damaging self-replicating worms appeared in the 1980s and became the first widely known computer viruses, spreading from PC to PC via infected files on floppy disks and corrupting files they had access to. As the internet became widespread, malware developers and hackers designed worms to copy themselves across networks, making them an early threat to internet-connected organizations and users.


An exploit is a vulnerability in software that could be unlawfully used to make the software do something outside of what it was designed to do. A piece of malware might use an exploit to enter a system or to move from one part of a system to another. Many exploits rely on known vulnerabilities (also referred to as CVEs), counting on the fact that not all users keep their systems up to date with security patches. Less commonly, a zero day exploit takes advantage of a critical vulnerability that hasn't been fixed by a software maintainer.


Phishing is a form of social engineering in which an attacker tries to trick someone into handing over sensitive information or personal data through a fraudulent request, such as a spoof email or a scam offer. As a strategy to obtain passwords and login credentials or perpetrate identity theft, phishing attacks are sometimes a precursor to a malware attack.

Rootkits and bootkits

A rootkit is a set of software tools designed to gain full control over a system and then cover its tracks. Rootkits effectively replace a system’s normal administrative controls. A bootkit is an advanced kind of rootkit that infects a system at the kernel level, so it has even more control and is even harder to detect.

Adware and spyware

Adware clutters your device with unwanted advertising, such as pop-ups in your web browser. Its close cousin spyware gathers your information and transmits it somewhere else. Spyware can range from trackers that monitor your internet activity to sophisticated espionage tools. Spyware can include keystroke loggers, or keyloggers, which record whatever a user types. In addition to violating your privacy, spyware and adware can slow your system and clog your network. While computers running Windows have traditionally been the favored target for malware, macOS users are just as susceptible to pop-up ads and potentially unwanted programs (PUPs) disguised as legitimate software.


Botnet malware turns the control of a device over to an outside party, making the device part of a large network of infected devices. Botnets are commonly used to conduct distributed denial of service (DDoS) attacks, send spam, or mine cryptocurrency. Any unsecured device on a network could be vulnerable to an infection. Botnets typically have means to grow their network of devices and are complex enough to conduct multiple malicious activities simultaneously or in sequence. For example, the Mirai malware attack of 2016 used internet-connected cameras and home routers to form a massive DDoS botnet.


Ransomware is malware that demands payment for something. Many common kinds of ransomware encrypt files on a user’s system and demand a ransom in Bitcoin in exchange for a decryption key. Ransomware became prominent in the mid-2000s. Since then, ransomware attacks continue to be one of the most serious and widespread computer security threats. 


Smishing or SMS phishing is a relatively young form of malware in which scammers send links to malware through SMS text messages, hoping to get users to click on links to download malware disguised as an app. Smishers may pretend to be a financial institution, government agency, or customer support to attempt to fool a user into handing over passwords, credit cards, or other personal data.  

Other damage

Sometimes the malware developer’s or operator’s goal is to destroy data or break something. Long before ransomware was a problem, one of the first malware programs to gain mass media attention was the Michelangelo virus in 1992. It attempted to overwrite an infected PC’s disk drive on a specific date, March 6. Years later, in 2000, the ILOVEYOU virus spread from user to user in the form of a Visual Basic script sent as an email attachment. When executed, it erased various files and emailed a copy of itself to everyone in the user’s address book.

Those viruses seem quaint by the standards of modern malware. Consider the example of Stuxnet. In 2010, the security community discovered a puzzling and highly sophisticated worm designed to tamper with a specific kind of industrial equipment. Many security experts now believe Stuxnet was engineered by the United States and Israeli governments to sabotage Iran’s nuclear weapons program. (No government officially claimed responsibility.) If so, it’s an example of an emerging kind of malware: A state-sponsored cyberattack.

The best way to defend against malware is to not get infected in the first place. While antivirus or anti-malware software can help, there are other security solutions you can implement today to improve your resilience.

Adopt a zero trust security architecture

For decades, enterprises were designed with a trusted or internal network separated from the external world by a perimeter of firewalls and other security defenses. Individuals or endpoints within the perimeter, or connected via remote methods such as VPN, got a higher level of trust than those outside the perimeter. This led to a “crunchy outside” but a “chewy center” which was easily traversed by bad actors once accessed. To manage vulnerabilities, enterprises are adopting more granular Zero Trust Network Access (ZTNA), which segments access and limits user permissions to specific applications and services.

Brief: Zero trust: 10 ways Red Hat OpenShift simplifies the journey

Reducing your attack surface

Minimize the systems, applications, and ports that are exposed to the internet.

User education

Users should learn to be suspicious of links and attachments in emails, even ones that look authentic. This education could also explain how insider threats can lead to malware attacks.


The earlier you detect a malware infection, the sooner you can remediate the infected system. Keep in mind that some malware is designed to hide. Antivirus or anti-malware tools require regular updates to their detection signatures in order to monitor for new variants, and it's a good practice to have multiple malware detection methods in place.

Patch management

Since software maintainers make it a practice to patch security holes as soon as possible, running current security software (and keeping your entire system up-to-date) reduces your risk of a malware infection. Effective patch management means ensuring that all your systems across your organization get timely security patches. Check for updates frequently and apply them to protect against known exploits.

Keep reading about patch management and automation

Access control

Administrative control should be limited to trusted applications and users who really need it. That way if malware attacks your computer, it will have a harder time infecting the core functions of your system. Review your administrative controls on a regular basis. Where possible, require multi-factor authentication to secure access.

Data backup and encryption

Proper data security can make an enormous difference during a malware attack. If the worst case scenario happens and malware enters your system, you’ll be able to fail over to a clean backup made before the infection. In simple terms, this means keeping backup data isolated, so malware can’t damage or erase it. It's also good practice to keep data encrypted, so any data the malware exfiltrates is effectively useless. In practice, this can require a combination of strategies that will vary depending on the size and complexity of your organization. For large organizations, a software-defined storage solution in a hybrid cloud environment offers a wide amount of flexibility in backup and encryption options.

All computer systems have vulnerabilities and malware developers are persistent in finding and exploiting them. This makes malware security a subject that never stops evolving.

Red Hat’s technology guide for IT security has more information about how to establish security policy, process, and procedures.

Keep reading


What is DevSecOps?

If you want to take full advantage of the agility and responsiveness of DevOps, IT security must play a role in the full life cycle of your apps.


What is different about cloud security

High-level security concerns impact both traditional IT and cloud systems. Find out what's different.


What is SOAR?

SOAR refers to 3 key software capabilities that security teams use: case and workflow management, task automation, and a centralized means of accessing, querying, and sharing threat intelligence.

More about security


A security framework that manages user identities and helps keep communications private.

An enterprise-ready, Kubernetes-native container security solution that enables you to more securely build, deploy, and run cloud-native applications.

A set of technologies to help software development teams enhance security with automatic, integrated checks that catch vulnerabilities early in the software supply chain.

A single console, with built-in security policies, for controlling Kubernetes clusters and applications.