What is malware?
Malware is malicious software designed to infiltrate and compromise computer systems, networks, and devices. Attackers use it to gain access to devices, steal sensitive information, encrypt files for financial gain, or cause other harm to a user or a company. Malicious software can be distributed through various channels, such as email attachments, infected websites, fraudulent links, security vulnerabilities, or social engineering techniques.
The most common types of malware
There are 12 prevalent types of malware, each different in nature and mode of action. Hybrids that combine several of these types are behind some of the most devastating hacking campaigns. Let’s closely examine how each type of malware works and how it affects internet users.
1. Virus
A virus is a piece of malicious code that inserts itself into computer systems, self-replicates, and spreads to other systems and devices. Viruses usually run only when triggered, for instance, when the victim opens a malicious file they’ve downloaded. Once launched, a computer virus may encrypt, corrupt, or steal your data, or serve as the first step of a more elaborate malware attack.
Typically, viruses need the victim to let them onto the device. To achieve this, cybercriminals use various social engineering techniques to trick users into downloading viruses through email attachments, network shares, infected websites, or removable media (e.g., USB drives).
One real-life example of a virus is the ILOVEYOU cyberattack that emerged in May 2000. The virus was distributed through an email attachment purporting to be a love letter. Once opened, the virus overwrote files on the infected computer and sent copies of itself to other unsuspecting users in the victim’s Microsoft Outlook address book.
2. Worm
A worm is self-replicating malware that searches for vulnerable points in an operating system to get into a network. Worms typically consume devices’ memory or disk space and are designed to disrupt networks and exhaust bandwidth. Sometimes they also steal sensitive data or are used to launch more elaborate cyberattacks.
Unlike viruses, worms don’t need human interaction or a host program to spread. Worms usually enter computer systems through software vulnerabilities or backdoors built into software. They can also spread through flash drives, email, or message attachments.
In 2008, a computer worm called Conficker exploited a vulnerability in Microsoft Windows operating systems and quickly spread across millions of computers worldwide. The worm targeted systems that hadn’t applied the security update and also spread through network shares and removable media. Once a system was infected, Conficker enrolled it in a network of compromised computers under the control of threat actors.
3. Adware
Adware is advertising-supported software that displays unwanted or malicious advertisements on a user’s device. It tracks the user’s online activity and collects data to serve targeted advertising. Adware can degrade your device’s performance and may lead to the download of other types of malware.
Adware is often installed alongside the software the user actually wanted, without their knowledge. It is built to put advertisements on the victim’s screen, usually inside a web browser or as a popup.
In 2017, a large-scale adware campaign called Fireball emerged, which spread by piggybacking on legitimate software. The adware hijacked the browser, modified its settings, redirected search queries, and tracked user activity to deliver targeted advertisements. Reports suggested that the Fireball campaign infected over 250 million computers globally.
4. Trojan
A trojan is malware disguised as harmless, legitimate software, an application, or a game, tempting users to download it. Once a trojan infiltrates the system, it gives the attacker unauthorized control over the device or spreads further malware without the user’s knowledge. This can include stealing sensitive information, modifying files, taking control of the system, or creating backdoors for remote access.
Trojans are typically distributed through social engineering techniques like email phishing, fake software updates, or compromised websites. This malware can’t spread by itself and only runs when a person executes it.
Emotet was a sophisticated trojan campaign that emerged in 2014. It spread mainly through authentic-looking emails containing infected attachments or malicious links. Emotet stole large amounts of sensitive information and served as a delivery platform for other malware, including ransomware and banking trojans.
5. Ransomware
Ransomware is a time-sensitive cyberattack in which an attacker encrypts the user’s files or devices and holds them for ransom until a set deadline. Even if the victim pays the ransom, they have no guarantee that their files or devices will be decrypted.
Ransomware attacks can begin in various ways: through malicious files, exploit kits, compromised websites, or malware-infected downloads and links. Attackers also tend to tailor their messages to the targeted victims. Once installed, ransomware opens a backdoor through which the attacker reaches the victim’s device and encrypts the data on it.
The WannaCry ransomware attack that took place in 2017 targeted thousands of computers in over 150 countries. It spread rapidly through a Windows SMB vulnerability, encrypting files and demanding ransom payments in Bitcoin.
6. Spyware
Spyware is software that secretly monitors and collects information about a user’s activities, usually without their knowledge or consent. It is designed to gather sensitive data, such as passwords, browsing habits, personal information, or financial details, and transmit it to a remote attacker.
Spyware can be disguised as legitimate software or delivered through malicious email attachments or infected websites. This type of malware is often the first stage of a data breach, letting the attacker explore the system before going further.
One example of spyware is a long-running cyberattack campaign called Darkhotel, which focuses on high-profile business travelers. The campaign takes its name from its delivery method: it tracks travelers’ plans and infects their devices with spyware over the hotel’s Wi-Fi. Darkhotel typically aims to steal sensitive data from senior government officials.
7. Bots and botnets
A bot is a malicious software application designed to build a network of infected devices (a botnet) under the control of an attacker. Once a device is infected with a bot, it becomes part of the botnet, allowing the attacker to command and control the compromised devices remotely.
Botnets are used to launch broad, remotely controlled cyberattacks from the infected machines, steal sensitive information, or run large-scale spam campaigns. Bots typically spread through social engineering or by exploiting software vulnerabilities, scanning the internet for further devices whose security they can breach.
The Mirai botnet, which emerged in 2016, targeted Internet of Things (IoT) devices, such as routers, cameras, and digital video recorders (DVRs). Once infected, these devices became part of the Mirai botnet and were later used to launch massive distributed denial-of-service (DDoS) attacks.
8. Rootkit
A rootkit is malware that gives an attacker unauthorized access to a computer system with administrative privileges. Rootkits are usually the first step in a data breach and are used to hide and spread other malware infections. They can also steal sensitive information, modify files, capture keystrokes, or intercept network traffic.
Rootkits are designed to maintain a long-term presence on an infected system and stay hidden from both the user and security software. They can automatically reinstall or reactivate themselves after the system has been restarted or security measures have been applied. Rootkits usually spread through phishing attacks, unsolicited malicious downloads, or compromised shared files.
An example of a sophisticated rootkit attack is Zacinlo, which emerged in 2018. The goal of this rootkit was to perform click fraud: It hijacked web browsers, injected fraudulent ads into web pages, and attracted user clicks for those ads to generate revenue for threat actors.
9. Fileless malware
Fileless malware runs entirely in the computer’s memory without leaving traces on the file system. It is often used in targeted attacks to gain long-term access to a computer system. Because it is evasive and able to bypass traditional security measures, it is an attractive choice for sophisticated cyberattacks.
Fileless malware abuses legitimate programs already present on the device, making changes to files, applications, protocols, or software. Because all of these elements are part of the operating system, antivirus software struggles to tell fileless malware apart from normal activity.
A real-life example of a fileless cyberattack is Astaroth. This malware, discovered in 2018, persisted on infected computer systems by modifying the Windows Registry and creating scheduled tasks. It communicated with its command-and-control servers to receive updates, download additional payloads, and steal data.
10. Keylogger
A keylogger is malicious software or a hardware device that records the keystrokes typed on a computer keyboard. Keyloggers are designed to capture and log sensitive information, such as usernames, passwords, credit card details, and other confidential data that users enter.
Keyloggers are often difficult to detect: They can run in the background, bypass antivirus software, and capture keystrokes without the user’s knowledge.
A keylogging attack called Zeus, or Zbot, emerged in 2007 and targeted numerous financial institutions worldwide. Zeus was distributed through phishing emails and exploit kits, and once installed, it deployed a keylogger component on the victim’s device to capture sensitive information.
11. Malvertising
Malvertising, a blend of “malicious” and “advertising,” is the distribution of malicious content through online advertisements. Malvertising can deliver various types of malware, such as viruses, ransomware, spyware, or adware.
Malvertising typically uses legitimate, reputable websites to deliver harmful payloads. A single unwary click on an ad can trigger an automatic malware download that runs on the victim’s device without their knowledge.
The Kyle and Stan malvertising campaign that occurred in 2016 affected a number of major websites. Its malicious advertisements exploited vulnerabilities in users’ browsers or plugins and delivered various types of malware, including ransomware and banking trojans. The malware aimed to steal sensitive information, encrypt files for ransom, and gain unauthorized access to the victim’s device.
12. Logic bomb
A logic bomb is malicious code planted in advance that stays dormant until a specific condition is met or the victim triggers it. Logic bombs are often delivered together with computer viruses or worms and can sabotage systems, extort victims for financial gain, or cause system-wide disruption.
Sophisticated logic bomb attacks can be planted inside approved software or network infrastructure, making them harder to detect. They are usually set off by either a positive trigger (something happens, e.g., a particular file is opened) or a negative trigger (something fails to happen, e.g., no one deactivates the bomb in time).
One famous logic bomb attack was carried out by a San Francisco city employee who planted a logic bomb in the city’s network infrastructure in 2008. The logic bomb was meant to sabotage the city’s computer network the next time it shut down for maintenance.
What is hybrid malware?
Hybrid malware is malicious software that blends features from different types of malware to boost its capabilities and evade detection. It can be a combination of two or more malware types, such as viruses, worms, trojans, or ransomware.
This type of malware can use various techniques to dynamically alter its code or structure, making it hard for security solutions to detect. For instance, a trojan can behave like a worm or virus once it has entered the system. As with other types of cyberattacks, hybrid attacks may spread through software vulnerabilities, social engineering techniques, infected websites, or compromised network devices.
How to protect yourself from malware
The best way to prevent your device from being exposed to malware attacks is to use software security tools and stay aware of online threats.
Here are some easy but effective ways to keep yourself safe from online threats:
- Multi-factor authentication (MFA). MFA strengthens your login process with an additional step that you must complete before accessing your account. Usually, it’s a code: a time-based one-time password (TOTP) that is valid only for a short period of time. Because the code changes every time you log in, a captured code is useless for future authentication attempts.
- Antivirus. Consider installing reliable antivirus software: It will monitor, detect, and stop many types of malware before they can breach your data or paralyze your network. It is also beneficial to use additional malware protection solutions to boost your safety online and help to deal with more case-specific online threats.
- Be aware of social engineering schemes. Healthy suspicion is the key to noticing the signs of malware and staying safe online. Avoid answering messages, clicking links, or downloading files from unsolicited or suspicious-looking email addresses, and always use spam filters. If an advertisement seems too good to be true, it probably is, so never click links that aggressively push you to do so.