0

Exploring Malware: Types, Distribution Methods, and Defense Strategies

Cyberattack
Howard Poston
Nov 23, 2023
Exploring Malware: Types, Distribution Methods, and Defense Strategies

Malware is a portmanteau of malicious software. Malware can be designed to achieve various purposes, such as stealing data, sabotaging operations, or providing unauthorized access to computer systems.

Cybersecurity is a major concern for many businesses, and a significant portion of cyberattacks rely on malware. For example, ransomware is one of the most expensive and damaging cybersecurity threats that companies face, and infostealer malware contributes to expensive data breaches.

This article explores the malware threat. This includes highlighting the various types of malware, how they infect and spread through an organization’s IT environments, and how to prevent and remediate malware infections.

What is Malware?

Malware is software specifically designed for malicious intent. Malware has many different potential uses, and many cybercriminal groups specialize in developing custom malware that is used in their attacks or made available to other groups via affiliate models.

Intent is the main differentiator between malware and other types of software, and the lines can often be blurred. In some cases, software that was developed for legitimate purposes — such as penetration testing or IT administration — can be used to support cyberattacks. On the other hand, some forms of malware are billed by their creators as legitimate software. For example, some forms of spyware are advertised as parental monitoring tools rather than software developed with malicious intent.

Malware attacks can have significant impacts and carry heavy costs. For example, the 2017 NotPetya wiper attack generated an estimated $10 billion in losses by bringing down corporate and government systems around the world.

Types of Malware

Malware is an umbrella term that is used to describe a wide variety of malicious software. The various types of malware can be classified based on their intent or their method of spreading themselves. Some examples of common types of malware include:

  • Spyware: Spyware malware like DarkHotel is designed to collect information about the users of infected machines. Spyware may collect user credentials, personally identifiable information (PII), intellectual property (IP), or other data that could be useful in a cybercriminal’s future attacks or could be sold on the dark web.
  • Adware: Adware malware like Fireball is software that generates revenue by presenting ads to users. While adware can be legitimate, the term is often used to describe malware that is installed on users’ machines without their consent and that serves unwanted advertisements via pop-ups and banner ads. Adware can also have more malicious purposes, engaging in malvertising or directing users to phishing pages.
  • Botnet: Botnet malware is group of computers that are controlled by an attacker and used to perform automated attacks such as credential stuffing or Distributed Denial of Service (DDoS) attacks. Often, botnets are created by infecting computers with malware (such as Zeus) that listens for the botnet operator’s instructions and uses the infected computer’s resources to participate in the attack.
  • Keyloggers: Keyloggers like Olympic Vision are malware that monitor and record a user’s keystrokes as they type on a computer. This type of malware is designed to steal sensitive data, such as passwords or credit card numbers, that a user will type into a computer.
  • Rootkits: Rootkits are malware designed to conceal the presence of malware on an infected system. Rootkits, such as ZeroAcess, mess with the lists of running processes, files in directories, and network communications to hide evidence of malware on an infected system.
  • Trojan Horses: Trojans like Emotet are malware that pretend to be legitimate software to gain access to a computer. For example, software pretending to be a cracked version of a game or office software may actually include malicious functionality.
  • Remote Access Trojans (RATs): RATs are a type of trojan designed to grant an attacker control over an infected machine. Once it is running on a computer, the RAT will open a communications channel to the attacker, enabling them to run various commands on the target system.
  • Ransomware: Ransomware — like Ryuk — has emerged as one of the main cybersecurity threats to organizations and is designed to make money by threatening an organization’s data. In the past, ransomware encrypted data and demanded a ransom for the decryption key, but ransomware groups are increasingly moving to attacks where they steal data and demand a ransom not to sell or leak that data.
  • Cryptojackers:Cryptojackers are malware that uses an infected computer’s resources to mine cryptocurrency for an attacker. Coinhive and other cryptojackers consume the organization’s resources and generate profit for the attacker.
  • Wipers: Wipers are designed to erase data or render a system unusable. For example, wipers like HermeticWiper could erase key parts of the Operating System, making it unbootable.
  • Fileless Malware: Fileless malware is defined by the fact that it only resides in memory, never writing a file to disk. Often, fileless malware like Astaroth uses built-in functionality on an infected computer to achieve its goal by “living off the land”.
  • Worms: Worms are malware with the ability to spread themselves independently throughout a network. For example, WannaCry spread by using the EternalBlue exploit to compromise vulnerable SMB services and install copies of itself on other computers.
  • Viruses: Viruses — such as the Cascade Virus — also spread by self-replication but can’t do so independently. They need someone to execute the malware by running a malicious application or opening an infected file.

While these are clear-cut categories, a particular malware variant might include multiple functions and fall into several categories. For example, WannaCry is an example of a ransomware worm because it has ransomware functionality and spreads itself independently by exploiting vulnerabilities.

How Malware Spreads

Cybercriminals use various means to install malware on target computers. Some of the most common malware infection vectors include the following:

  • Phishing Attacks: Phishing is one of the most common methods for propagating malware. Malware may be included in malicious attachments or on websites indicated by malicious links. When the user opens the attachment or link, their computer may be infected by malware.
  • Social Media: In addition to email, cybercriminals can use other platforms to spread malware. For example, social media platforms are another common vector for attackers looking to distribute malicious files.
  • Malicious Websites: Malware can spread via malicious websites or ones that are infected by malicious ads. After users are directed to these sites by a malicious link o QR code, they may automatically download malware to users’ devices or offer downloads that are actually trojan malware.
  • Vulnerability Exploitation: Some malware — such as WannaCry and many botnet malware variants — spread by exploiting vulnerabilities in target systems. For example, botnet malware often targets Internet of Things (IoT) devices, which frequently have poor security and lack the defenses of traditional computer systems.>
  • Account Takeover: The rise of remote work provided cybercriminals with opportunities to spread malware by taking advantage of remote work infrastructure. Attackers use compromised passwords or credential stuffing attacks to remotely access and plant malware on corporate systems via VPNs, RDP, or other remote access solutions.
  • Removable Media: Infected USBs and external hard drives are a common tactic for distributing malware via social engineering. If a user plugs an infected drive into their device, it may be executed via Autorun (if enabled) or be contained in an infected file with an enticing name.
  • Supply Chain Attacks: In a supply chain attack, the attacker takes advantage of trust relationships that an organization has with other organizations. For example, an attacker may exploit an organization’s managed service provider (MSP) and use their access to a company’s systems to spread malware. Alternatively, they could embed malware in trusted software that users will install on their devices.

The infection vectors used to spread malware often depend on the type of malware and the group behind the attack. For example, ransomware is often spread byvulnerability exploitation, account takeover, and phishing attacks.

Detecting and Removing Malware

Rapid detection and remediation are essential to minimizing the cost and impact of a malware infection. The first step toward managing a malware infection is identifying the presence of malware on corporate systems. Some means of doing so include:

  • Endpoint Scanning: Antivirus and other endpoint security solutions can identify common types of malware. Running scans regularly or when a malware infection is suspected can help to identify the infection.
  • Threat Hunting: Threat hunting is the practice of proactively searching for a malware infection. For example, a threat hunter might search for indicators of compromise (IoCs), such as the presence of a file on a computer or communications to a known malicious URL.
  • Network Monitoring: Malware typically infects systems over the network and communicates with its operator. Monitoring network traffic for anomalies or connections to known-bad URLs can help to identify a malware infection.
  • Behavioral Analytics: Malware is designed to perform malicious actions on an infected computer or network. Behavioral analytics can identify anomalous or malicious behaviors that could point to a malware infection.
  • Detection Services: If a file is believed to be malware, a detection service can help to identify it. Services such as VirusTotal or Hybrid Analysis allow files to be uploaded or searched and provide in-depth information about the potential malware.

As soon as a malware infection is discovered, it’s best practice to quarantine it from the network. This helps to prevent the malware from infecting other systems or stealing sensitive data.

After containing the outbreak, an organization can begin remediation efforts. Some methods of removing malware from an infected computer include:

  • Antivirus Remediation: Antivirus programs often have the ability to quarantine and remediate malware infections. If the tool identifies the infection, it may be able to remediate it.
  • Safe Mode: Safe Mode limits the programs that are permitted to run on a computer. Booting into Safe Mode may allow the malware to be removed without interference from the malicious program.
  • System Restore: Restoring an infected computer to a past, known-good configuration can also help to remove malware infections. This can use an operating system’s built-in restore functionality or saved backups.
  • Factory Reset: A factory reset can provide high confidence that a malware infection has been remediated. However, it can result in the loss of files and data if they are not backed up elsewhere.

Often, the best remediation mechanism depends on the malware and the desired level of assurance that the malware is truly gone. For example, deleting malicious files might overlook something, enabling the system to be reinfected. On the other hand, factory resets provide a higher level of assurance but risk data loss.

Protection Against Malware

The best way to manage a malware infection is to prevent the infection from occurring in the first place. Some steps to help protect against malware and mitigate its effects include:

  • Endpoint Security: Endpoint security solutions such as antivirus and antimalware can identify and block malware from being installed on a computer. Often, if the malware manages to gain access, these tools can also help with removing it.
  • Strong Authentication: Cybercriminals can spread malware through compromised accounts, and user credentials are a common target of infostealers. Implementing strong account security, including multi-factor authentication (MFA), can make these attacks less successful and limit the utility of stolen credentials.
  • Email Scanning: Phishing is a favorite malware infection vector. Email scanning solutions can identify and block messages containing malicious links or infected attachments.
  • Patch Management: Some forms of malware spread by exploiting vulnerable systems. Regularly installing updates and patches can help to close any potential security gaps before they can be exploited by an attacker.
  • Network Segmentation: Network segmentation breaks a network into discrete, isolated segments. This makes it more difficult for a malware infection to spread or gain access to critical data and systems.
  • Zero Trust Security: The zero trust security model states that a user or application should only have the access needed for its job. Implementing zero trust makes it harder for malware to gain the access needed to achieve its objectives.

Conclusion

Malware is a key component of many cyberattacks. Ransomware, infostealers, and other malware have the potential to perform expensive, devastating attacks against organizations.

Protecting against malware attacks requires a defense-in-depth mindset. Employee education and security training can help to detect and prevent malware attacks, but it’s not enough on its own. Companies should alsohave solutions in place to manage the impact of a successful infection.

For example, employee credentials play a key role in many malware attacks. Compromised credentials are used to distribute malware by abusing employee’s access and permissions. Infostealers and keyloggers target credentials to provide access to corporate and online accounts.

Kelvin Zero’s Multi-Pass protects against malware attacks by replacing passwords with enterprise-grade, phishing resistant passwordless MFA. Book a demo today to learn more about Multi-Pass and how Kelvin Zero can help your organization integrate trust throughout all of its operations.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.