Malware is malicious software, including any software that acts against the interest of the user. Malware can affect not only the infected computer or device but potentially any other device the infected device can communicate with.
Malware ranges from simple self-copying programs to sophisticated, multi-stage tools that combine several techniques. The labels worm, Trojan and virus describe how a program spreads, not how advanced it is.
Effective IT security can reduce your organization’s exposure to malware attacks. Common cybersecurity practices include patch management to close vulnerabilities on your systems and access control to limit the harm from malware. Additionally, frequent backups of your data isolated from your main production systems will allow you to quickly and safely recover from a malware infection.
Imagine you work in an average office. You come in one morning, set down your coffee and turn on your computer. Then everything starts to go wrong.
Instead of your desktop, you see a blood-red screen with a padlock and a countdown clock. "Your files have been encrypted," it says. "If you don’t pay in 7 days, you won’t be able to recover your files." You look around. One by one, your coworkers are discovering the same message on all of their computers. Every computer.
This scenario played out in workplaces around the world in May 2017, as the WannaCry malware attacked businesses, government offices, and even critical public services such as hospitals.
Not all malware announces itself in dramatic fashion. You might be running malware you don’t even know is there, but which is slowing down your system or violating your privacy. Some programs are designed to evade detection and only perform noticeable activities under precise conditions.
You might not be able to stop malware, but you can lower the odds of it disrupting your operations by staying informed and maintaining sensible security practices.
To better understand what malware can do and how to reduce your risks, it’s helpful to break it into categories. These categories can overlap and malware developers and operators often rely on a combination of techniques.
Malware needs a way to spread, as well as code to achieve its intended goal. You can think of this as a delivery system and a payload.
Delivery system (how it spreads):
Trojan horse: Tricks a user into installing it
Worm: Copies itself to other systems on its own
May be combined with:
Exploit: Uses a software vulnerability to gain access to a system
Phishing: Tricks a user into providing information that can be used to gain access
Rootkit or bootkit: Hides the malware and keeps privileged control once it is in
Payload (what it does once there):
Adware: Displays unwanted advertising
Botnet: Places a device under outside control
Cryptocurrency miner: Uses compute power for cryptocurrency work
Ransomware: Encrypts or withholds data and demands money
Spyware: Secretly gathers data through a keylogger or other means
Other damage: Data destruction, vandalism, sabotage
Trojan horses, commonly just called Trojans, propagate through social engineering. By making itself look like something else, a Trojan persuades unwitting users to install it. One common strategy is for an attacker to convince a user to open a file or web link that installs malware. In other instances, a user might install an application that seems beneficial, like a nifty browser toolbar or a fun emoji keyboard, but that also contains malware. Another Trojan technique is to place malware on a USB memory stick, relying on autorun settings or simple curiosity to get it executed, and leave the stick where an unsuspecting user will pick it up.
Worms wriggle into places they aren't wanted. The first experimental computer worms, which simply made copies of themselves on other machines of a network, appeared in the 1970s. In the 1980s self-replicating malware became widely known, mostly in the form of viruses: unlike worms, a virus attaches itself to a program or a disk's boot sector and travels only when that host is copied, which is how the first PC viruses spread from machine to machine on floppy disks and corrupted the files they could reach. The Morris worm of 1988 showed the other model at scale by spreading across the early internet without any user action. As internet access became widespread, malware developers designed worms to copy themselves across networks the same way, making them an early threat to internet-connected organizations and users.
An exploit is code or a technique that uses a vulnerability in software to make that software do something it was not designed to do, such as run attacker-supplied code. A piece of malware might use an exploit to enter a system or to move from one part of a system or network to another. Many exploits target known vulnerabilities, which are catalogued with CVE identifiers, counting on the fact that not all users apply security patches promptly. Less commonly, a zero-day exploit takes advantage of a vulnerability for which the software maintainer has not yet released a fix, so patching alone cannot stop it.
Phishing is a form of social engineering in which an attacker tries to trick someone into handing over sensitive information through a fraudulent request, such as a spoofed email or a fake login page. As a strategy to obtain passwords and login credentials, phishing attacks are often a precursor to a malware attack.
Rootkits and bootkits
A rootkit is a set of software tools designed to keep privileged control over a system while hiding its presence. It does this by hooking or replacing the parts of the operating system that administrators and security tools rely on (system binaries, kernel modules, system call tables), so that its files, processes and network connections are simply not reported. A bootkit is a rootkit that infects the boot process (the master boot record, the volume boot record or the UEFI boot loader), so it runs before the operating system loads, can tamper with the kernel as it starts, and can survive a reinstall of the operating system if the boot components are not rewritten. Protections such as UEFI Secure Boot, which verifies the signatures of boot components before running them, exist specifically to counter bootkits.
Adware and spyware
Adware clutters your device with unwanted advertising. Its close cousin spyware gathers your information and transmits it somewhere else. Spyware can range from trackers that monitor your internet activity to sophisticated espionage tools. Spyware can include keystroke loggers, or keyloggers, which record whatever a user types. In addition to violating your privacy, spyware and adware can slow your system and clog your network.
Botnet malware turns control of a device over to an outside party, making the device part of a large network of infected devices. Botnets are commonly used to conduct distributed denial of service (DDoS) attacks, send spam, or mine cryptocurrency. Any unsecured device on a network could be vulnerable to infection. Botnets typically have means to grow their network of devices and are complex enough to conduct multiple malicious activities simultaneously or in sequence. For example, the Mirai malware of 2016 logged in to internet-connected cameras and home routers that still used factory-default passwords and used them to form a massive DDoS botnet.
Ransomware is malware that demands payment for something. Many common kinds of ransomware encrypt files on a user's system and demand a ransom, typically in cryptocurrency, in exchange for a decryption key. Many operators now also copy data out before encrypting it and threaten to publish it, so a good backup alone does not end the incident. Ransomware became prominent in the mid-2000s and continues to be one of the most serious and widespread computer security threats.
Sometimes the malware developer's or operator's goal is to destroy data or break something. Long before ransomware was a problem, one of the first malware programs to gain mass media attention was the Michelangelo virus in 1992. It attempted to overwrite the first sectors of an infected PC's hard disk on a specific date, March 6. Years later, in 2000, the ILOVEYOU virus spread from user to user in the form of a Visual Basic script sent as an email attachment. When executed, it overwrote various files with copies of itself and emailed itself to everyone in the user's Outlook address book.
Those viruses seem quaint by the standards of modern malware. Consider the example of Stuxnet. In 2010, the security community discovered a puzzling and highly sophisticated worm that spread through Windows systems using several previously unknown vulnerabilities, but whose real target was a specific kind of industrial equipment: it reprogrammed Siemens programmable logic controllers to damage the centrifuges they drove while reporting normal readings to operators. Many security experts now believe Stuxnet was engineered by the United States and Israeli governments to sabotage Iran's uranium enrichment program. (No government officially claimed responsibility.) If so, it's an example of a kind of malware that has since become common: the state-sponsored cyberattack.
The best way to defend against malware is to not get infected in the first place. While antivirus or anti-malware software can help, there are many other steps you can take today to improve your resilience.
Reducing your attack surface
Minimize the number of systems, applications, and ports that are exposed to the internet, remove or disable software that isn't needed, and periodically check what is actually listening on each host against what you expect.
Users should learn to be suspicious of links and attachments in emails, even ones that look authentic.
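The listener audit described above, as an added example that is not part of the original article: it parses output in the format of the Linux `ss -tlnp` command, classifies each listening socket as loopback-only or reachable from other hosts, and flags reachable ports that are not on an expected list. The sample output, the process names and PIDs, and the expected-port list are constructed for the demo.

```python
"""Added example (not from the original article): find services listening
beyond localhost that are not on the list of ports the host is meant to expose.

The input below is CONSTRUCTED to look like `ss -tlnp` output on Linux.
Piping real output in (ss -tlnp | python3 audit_listeners.py) is an
assumption about how you would wire this into a check."""
import re
import sys

# Constructed sample in `ss -tlnp` layout; processes and pids are hypothetical.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1001,fd=5))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1200,fd=6))
LISTEN  0       4096    0.0.0.0:6379         0.0.0.0:*          users:(("redis-server",pid=1300,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     [::1]:631            [::]:*             users:(("cupsd",pid=700,fd=8))
"""

# Ports this host is meant to expose (an assumption for the example).
EXPECTED_EXPOSED_PORTS = {22, 80}

WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}          # bound on every interface
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")        # reachable only locally

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def split_addr_port(local):
    """'[::]:22' -> ('[::]', 22); '0.0.0.0:22' -> ('0.0.0.0', 22)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def parse_listeners(text):
    """One dict per LISTEN line: port, host, scope and owning process name."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        host, port = split_addr_port(fields[3])
        if host in WILDCARDS:
            scope = "all-interfaces"
        elif host.startswith(LOOPBACK_PREFIXES):
            scope = "loopback"
        else:
            scope = "specific-interface"
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"
        listeners.append({"port": port, "host": host, "scope": scope, "process": proc})
    return listeners


def unexpected_exposure(listeners, expected_ports=EXPECTED_EXPOSED_PORTS):
    """(port, process) pairs reachable from other hosts but not expected.
    Loopback-only services are not exposure and are left out."""
    return sorted(
        {(l["port"], l["process"]) for l in listeners
         if l["scope"] != "loopback" and l["port"] not in expected_ports}
    )


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for port, proc in unexpected_exposure(parse_listeners(text)):
        print(f"UNEXPECTED: port {port} ({proc}) is reachable from other hosts")
```

On the constructed sample the only finding is the Redis instance on 6379 bound to all interfaces; the PostgreSQL and CUPS listeners are ignored because they are loopback-only, and both sshd sockets (IPv4 and IPv6) are accepted because port 22 is expected. Binding a service to 127.0.0.1 is the cheapest way to remove it from the internet-facing attack surface without stopping it.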
The earlier you detect a malware infection, the sooner you can remediate the infected system. Keep in mind that some malware is designed to hide. Antivirus or anti-malware tools require regular updates to their detection signatures, and because signature matching misses anything new or modified, it is good practice to combine it with other detection methods, such as behavioral monitoring, file-integrity checks and network monitoring.
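Two of those complementary methods side by side, as an added example that is not part of the original article: a hash "signature" lookup, which catches only files already known to be bad, and a Shannon-entropy heuristic, which catches text files that have suddenly become near-random, the typical symptom of ransomware encryption. The known-bad hash list, the sample files and the entropy threshold are constructed for the demo; a real deployment would feed hashes from a threat-intelligence source.

```python
"""Added example (not from the original article): run a signature check and an
entropy heuristic over a directory tree. Everything below is constructed for
the demo; nothing here is a real malware sample or a real threat feed."""
import hashlib
import math
import os
import tempfile

# Hypothetical "signature": the SHA-256 of a constructed, harmless byte string.
FAKE_MALWARE_CONTENT = b"MZ\x90\x00 constructed-sample-body-for-the-demo"
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_MALWARE_CONTENT).hexdigest()}

# Extensions whose content is normally low-entropy text. Near-random content
# under these names usually means the file has been encrypted in place.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; the maximum is 8.0, plain text is ~4-5


def shannon_entropy(data):
    """Bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_hashes=KNOWN_BAD_SHA256):
    """Return {relative_path: [reasons]} for every file that trips a check."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            reasons = []
            if sha256_file(path) in bad_hashes:          # signature method
                reasons.append("known-bad-hash")
            ext = os.path.splitext(name)[1].lower()
            if ext in TEXT_EXTENSIONS:                    # heuristic method
                with open(path, "rb") as f:
                    head = f.read(65536)
                # tiny files give unreliable entropy, so require some data
                if len(head) >= 256 and shannon_entropy(head) > ENTROPY_THRESHOLD:
                    reasons.append("high-entropy-text-file")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree():
    """Constructed directory: a benign text file, a file matching the fake
    signature, and a .csv whose content looks encrypted. Returns its path."""
    root = tempfile.mkdtemp(prefix="malscan-")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"Quarterly report draft.\n" * 40)
    with open(os.path.join(root, "update.exe"), "wb") as f:
        f.write(FAKE_MALWARE_CONTENT)
    with open(os.path.join(root, "invoices.csv"), "wb") as f:
        f.write(os.urandom(4096))      # stands in for a ransomware-encrypted file
    return root


if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(path, reasons)
```

The point of running both is in what each one misses: a single byte changed in the fake sample defeats the hash lookup entirely, while the entropy check would never notice a malicious executable (executables are expected to be dense) but spots encrypted documents regardless of which ransomware family produced them. Neither replaces an up-to-date scanner; they are the kind of cheap, independent signal worth adding next to one.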
Since software maintainers patch security holes as soon as possible, running current software reduces your risk of a malware infection. Effective patch management means ensuring that all systems across your organization get timely security patches, with internet-facing systems and vulnerabilities known to be exploited treated first. Check for updates frequently and apply them to protect against known exploits.
Administrative control should be limited to the users and applications that genuinely need it, and everyday work should be done from unprivileged accounts. Malware runs with the privileges of the user or process that launched it, so if it lands in an unprivileged account it has a harder time installing itself persistently, disabling security tools, or spreading to other systems. Review who and what has administrative rights on a regular basis.
Data backup and encryption
Proper data security can make an enormous difference during a malware attack. If the worst happens and malware enters your systems, you will be able to restore from a clean backup made before the infection. In simple terms, this means keeping backup data isolated from production, offline or on write-once storage that compromised systems cannot reach with ordinary credentials, so malware cannot encrypt, damage or erase it; it also means testing restores regularly, since a backup that has never been restored is only a hope. Keeping data encrypted at rest also limits the damage if media or a backup copy is stolen. Note the limit of that protection: malware running as a logged-in user reads data exactly as that user does, so encryption at rest does not stop exfiltration by an active infection, and ransomware can re-encrypt data that was already encrypted. In practice this requires a combination of strategies that will vary with the size and complexity of your organization. For large organizations, a software-defined storage solution in a hybrid cloud environment offers a wide range of backup and encryption options.
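One way to know a backup is still the clean copy you made, as an added example that is not part of the original article: record a manifest of every file's SHA-256 at backup time and authenticate the manifest with an HMAC key. The design assumption is that the key is kept off the backup host (offline, or in a secrets store the backup job cannot write to); if malware on that host can read the key it can simply re-sign a tampered manifest. The file names, contents and the simulated tampering are constructed for the demo.

```python
"""Added example (not from the original article): an HMAC-authenticated backup
manifest. Before restoring, the manifest's tag is checked first; only then is
each file compared against it, so a backup copy that ransomware reached is
detected rather than restored. Sample data is constructed."""
import hashlib
import hmac
import json
import os
import tempfile


def build_manifest(root):
    """{relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(p, root).replace(os.sep, "/")] = digest
    return manifest


def canonical(manifest):
    """Stable byte encoding so the same manifest always gives the same tag."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_backup(root, manifest, tag, key):
    """Return (tag_ok, report). If tag_ok is False the manifest itself is not
    trustworthy and the report must not drive a restore decision."""
    tag_ok = hmac.compare_digest(sign_manifest(manifest, key), tag)
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }
    return tag_ok, report


def demo():
    """Constructed scenario: clean backup, then tampering, then a forged manifest.
    Returns the three verification results in that order."""
    key = os.urandom(32)   # assumption: in real use this lives off the backup host
    root = tempfile.mkdtemp(prefix="backup-")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "plan.txt"), "w") as f:
        f.write("project plan")
    with open(os.path.join(root, "db.sql"), "w") as f:
        f.write("CREATE TABLE t (id int);")
    manifest = build_manifest(root)
    tag = sign_manifest(manifest, key)

    clean = verify_backup(root, manifest, tag, key)

    # Simulate ransomware reaching the backup copy: encrypt one file,
    # drop a ransom note, delete another file.
    with open(os.path.join(root, "db.sql"), "wb") as f:
        f.write(os.urandom(64))
    with open(os.path.join(root, "README_RESTORE.txt"), "w") as f:
        f.write("pay to decrypt")
    os.remove(os.path.join(root, "docs", "plan.txt"))
    tampered = verify_backup(root, manifest, tag, key)

    # Simulate malware rewriting the manifest to match the damaged tree
    # without knowing the key: files now "match", but the tag does not.
    forged = verify_backup(root, build_manifest(root), tag, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, (ok, report) in zip(("clean", "tampered", "forged"), demo()):
        print(label, "tag_ok=%s" % ok, report)
```

The order of checks matters: verifying the tag before trusting the manifest is what makes the forged case fail, because an attacker who can rewrite both the files and the manifest still cannot produce a valid tag without the key. Signing the manifest with a private key held offline would give the same property with a public verifier; HMAC is used here only to keep the example self-contained.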
All computer systems have vulnerabilities and malware developers are persistent in finding and exploiting them. This makes malware security a subject that never stops evolving.
Red Hat’s technology guide for IT security has more information about how to establish security policy, process, and procedures.