Malware, short for “malicious software,” is used by cybercriminals to disrupt, damage, or exploit an endpoint or network. Cybercrime was estimated to inflict more than $6 trillion in damages globally in 2021 – with the stakes this high, it’s no surprise that cybercriminals continue to introduce new and increasingly innovative malware variants.
To make matters more complex, as a result of the global pandemic, Stanford University estimates that 50% of employees now work from home at least part of the time, vastly expanding the attack surface and eroding the protections offered by a corporate network. It’s therefore critical for security professionals to understand the various types of malware and how they work, and to develop a holistic approach to building, maintaining, and evolving their cyber defenses.
For more on ensuring your network security, check out our guide, Malware Protection: Everything IT Pros Need to Know.
At Byos, we think about 10 primary types of malware. Increasingly, cybercriminals use these in combination with each other. We’ve also noted a few examples of sub-variants. The list below covers the significant categories of malware that all cybersecurity professionals should know.
Viruses are code inserted in an application, program, or system. Like their biological namesake, viruses require a host (in this case, a device) to live, and they can lie dormant until triggered to attack. Typically, the trigger is a user opening a downloaded email attachment; once triggered, viruses can infect an endpoint, proliferate throughout the system, and change how it works. They can also seize applications, send infected files to contact lists, steal data, and launch DDoS attacks.
Despite non-security professionals and members of the media often erroneously using the term “virus” to refer to any malware, viruses are actually less common today, making up less than 10% of all malware.
Worms behave much like viruses, infecting, multiplying, and spreading through networked endpoints. But unlike viruses, a worm can copy itself without any human interaction, and it’s not host-dependent, meaning it does not need to attach itself to a software program to cause damage. This makes worms particularly problematic and destructive.
Worms can be transmitted by email attachments or DMs, installed from removable media, or delivered via software vulnerabilities. Once opened, these files could provide a link to a malicious website or automatically download the computer worm. What makes worms so effective, and dangerous, is that once installed, they work in the background to infect the machine and can spread to an entire network without detection. Worms can be used to delete or modify files, install backdoors for hackers, launch DDoS attacks, and launch ransomware attacks.
As the name indicates, ransomware is a type of malware that uses encryption to hold data for ransom. The attacker will return control to the rightful users only if their demands are met. To add pressure, cybercriminals often threaten to destroy or release the data. Ransomware is responsible for the majority of all data breaches involving malware, double the number of attacks from 2019.
The rise in ransomware also sheds light on another trend. Although the total number of malware attacks decreased 43% in 2020 to 5.6 billion, the increased focus by cybercriminals on ransomware is leading to incidents becoming more costly. Verizon’s 2021 Data Breach Investigations Report finds that the median breach cost is $21,659, but that most organizations can expect their costs to rise as high as $650,000.
A recent event that brought ransomware to the attention of not only cyber security professionals but the general public as well was the extortion of the Colonial Pipeline Company in May of 2021. This incident illustrated the risk of ransomware not only to corporations but also to all consumers, as the impact of Colonial halting fuel supplies caused a ripple effect at gas stations across the country, with fuel shortages, price increases, and panic buying commonplace. Colonial reportedly paid a ransom of $4.4 million in Bitcoin.
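Because ransomware, as described above, works by encrypting user data, one signal defenders look for on an endpoint is a burst of writes whose content is near-random (high Shannon entropy) to files that have suddenly acquired an extra extension. The following is an added example, not code from Byos or from this article: it scores constructed file-write events by entropy, checks whether the filename carries an appended extension, and raises an alert only when several such writes land inside a short time window. The sample events, the thresholds, and the helper names are all assumptions chosen for illustration.

```python
import math
import random

# Thresholds are assumptions for this example; tune them against real telemetry.
HIGH_ENTROPY_BITS = 7.5      # bits per byte; compressed/encrypted data sits near 8.0
WINDOW_SECONDS = 60.0        # how close together the writes must be
MIN_FILES_IN_WINDOW = 3      # how many suspicious writes trigger an alert
DOC_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".jpg", ".txt"}

_rng = random.Random(1234)   # fixed seed so the constructed sample is reproducible


def random_blob(n: int) -> bytes:
    """Pseudo-random bytes standing in for encrypted file content (constructed)."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


# Constructed sample of file-write events: (timestamp seconds, path, bytes written).
# Four document files are rewritten with random content and a ".locked" suffix within
# two seconds; one JPEG is high-entropy but untouched; one text file is a normal save.
SAMPLE_WRITES = [
    (100.0, "C:/Users/alice/Documents/q1-report.docx.locked", random_blob(4096)),
    (100.4, "C:/Users/alice/Documents/budget.xlsx.locked", random_blob(4096)),
    (100.9, "C:/Users/alice/Pictures/family.jpg.locked", random_blob(4096)),
    (101.3, "C:/Users/alice/Documents/notes.txt.locked", random_blob(4096)),
    (150.0, "C:/Users/alice/Pictures/vacation.jpg", random_blob(4096)),
    (300.0, "C:/Users/alice/Documents/todo.txt", b"buy milk\ncall bob\n" * 20),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def has_appended_extension(path: str) -> bool:
    """True for names like 'report.docx.locked': a known document extension
    followed by an extra, unknown one."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return ("." + parts[-2]) in DOC_EXTENSIONS and ("." + parts[-1]) not in DOC_EXTENSIONS


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_files=MIN_FILES_IN_WINDOW, threshold=HIGH_ENTROPY_BITS):
    """Return a list of (window_start, [paths]) alerts. A single high-entropy write is
    normal (images, archives); many of them to renamed documents in one window is not."""
    hits = sorted(
        (ts, path) for ts, path, data in events
        if shannon_entropy(data) >= threshold and has_appended_extension(path)
    )
    alerts = []
    i = 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        if j - i >= min_files:
            alerts.append((hits[i][0], [p for _, p in hits[i:j]]))
            i = j          # consume the whole window
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for start, paths in detect_mass_encryption(SAMPLE_WRITES):
        print(f"possible mass encryption starting at t={start}: {len(paths)} files")
        for p in paths:
            print("   ", p)
```

Neither signal is conclusive alone: a photo library produces high-entropy writes all day, and a backup tool may legitimately add suffixes. Requiring both, plus a burst within a short window, is what keeps the false-positive rate workable; in production the same logic would be fed by a file-system audit source rather than an in-memory list.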
Spyware is a form of malware that can surreptitiously steal data and monitor user activity, such as specific keystrokes. It can also take over computer cameras and microphones. The data gathered using spyware could be valuable in and of itself or could help break into the system, as spyware often targets login and password information. It can also be used to steal credit card information, account PINs, banking details, email addresses, and a host of PII.
Many regard adware as less threatening than other types of malware, but it can be extremely frustrating and also dangerous. As the name indicates, adware is a form of malware that involves advertising. Once adware infects a computer, it displays unwanted advertisements, sometimes in the form of pop-up ads, that track users’ browsing activity. In addition to these ads collecting personal data to sell to third parties or leverage for identity theft, the advertising sites themselves might also be used to download additional malware to the device.
Like its namesake, a trojan is a type of malware designed to trick the user into believing it is something they want, such as a non-threatening application, file, or update. Once downloaded, the trojan goes to work to take control of the device and can steal data or inflict other harm on the user’s computer or network. Unsuspecting users typically open the gates for a trojan attack by clicking on what looks like a safe or familiar email attachment, website download, or direct message. These attacks can have severe implications, including theft of data, unauthorized access to networks, launching of spyware, and launching of DDoS attacks.
In addition to best practices like microsegmentation to safeguard against attack, it is important for security professionals to continually evangelize safe practices by employees to help them safeguard themselves – and the enterprise – from trojan attacks.
Rogueware is similar to a trojan in that it relies on tricking the user. In fact, rogueware takes advantage of users’ fear of malware to do so: it alerts the user to the presence of malware when none actually exists, luring the user to click on the notice. Once in place, the culprits demand payment for the fake removal of the non-existent malware, and the “removal” process itself is used to download real malware to the device. Rogueware is sometimes known as “scareware.”
A rootkit is a form of malicious software that is designed to remain hidden by modifying the host’s operating system. Its name refers to the fact that it is a kit of software tools that gains “root access” – or administrator access – over the target. It then uses that power to conceal itself. As you can imagine, malware that gives thieves remote control of a victim’s computer with full administrative privileges for an extended period of time can be particularly problematic and dangerous. Rootkits can be used in combination with other malware types, concealing their presence as well.
As the term suggests, fileless malware requires no files to be written to disk. Instead, it operates from a target device’s memory. This makes it more difficult to detect because there are no files to scan. Instead of installing files, fileless malware makes changes to files that are native to the operating system. Because the operating system recognizes the edited native files as legitimate, a fileless attack is very difficult for antivirus software to detect.
A botnet refers to a number of internet-connected devices, each under the control of an attacker. Ranging in size from a few thousand compromised computers to huge networks with hundreds of thousands of systems under the control of a single “botnet master,” botnets are capable of leveraging their combined computing power to inflict enormous damage. Using “command and control” servers with which the bots communicate for instructions, botmasters can launch DDoS attacks, steal PII and credentials at scale, and spy on people or organizations. In addition, due to their power and scale, botnets are often rented out to those who seek to deploy them for their own criminal activity.
One of the most notorious botnet examples was the Mirai Botnet of 2016. A massive DDoS attack, Mirai is a fascinating example of how a planned attack can morph from one intent to unimagined consequences. In this case, Mirai, which sought to extort Minecraft gamers, shut down the entire internet for much of the US.
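The command-and-control check-ins described above give defenders something to look for: a compromised host tends to contact the same server at a nearly fixed interval, which stands out against the irregular timing of human-driven traffic. The following is an added example, not code from Byos or from this article: it groups constructed firewall log lines by source and destination, measures how regular the gaps between connections are (standard deviation divided by mean), and reports pairs that check in often and on a steady schedule. The log format, the 198.51.100.0/24 documentation addresses, and the thresholds are assumptions for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed firewall log: "<epoch seconds> <source ip> <destination ip:port> <action>".
# 10.0.0.5 contacts 198.51.100.7:443 roughly every 300 s (a beacon with small jitter);
# 10.0.0.9 browses 198.51.100.20:443 at irregular intervals; 10.0.0.11 appears twice.
SAMPLE_LOG = """\
1700000000 10.0.0.5 198.51.100.7:443 allow
1700000000 10.0.0.9 198.51.100.20:443 allow
1700000015 10.0.0.9 198.51.100.20:443 allow
1700000301 10.0.0.5 198.51.100.7:443 allow
1700000435 10.0.0.9 198.51.100.20:443 allow
1700000468 10.0.0.9 198.51.100.20:443 allow
1700000600 10.0.0.5 198.51.100.7:443 allow
1700000700 10.0.0.11 198.51.100.30:80 allow
1700000902 10.0.0.5 198.51.100.7:443 allow
1700001199 10.0.0.5 198.51.100.7:443 allow
1700001418 10.0.0.9 198.51.100.20:443 allow
1700001423 10.0.0.9 198.51.100.20:443 allow
1700001501 10.0.0.5 198.51.100.7:443 allow
1700001683 10.0.0.9 198.51.100.20:443 allow
1700001763 10.0.0.9 198.51.100.20:443 allow
1700001800 10.0.0.5 198.51.100.7:443 allow
1700001900 10.0.0.11 198.51.100.30:80 allow
1700002098 10.0.0.5 198.51.100.7:443 allow
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+:\d+)\s+(\w+)$")


def parse_line(line: str):
    """Return (timestamp, src, dst) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)


def find_beacons(lines, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    cv is the coefficient of variation of the gaps (population stdev / mean); a
    value near 0 means the host calls out on a fixed timer. Pairs with fewer than
    min_connections events are ignored because their timing is not yet meaningful.
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            seen[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 4),
            })
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections, "
              f"every ~{f['mean_interval_s']}s (cv={f['cv']})")
```

Real malware adds jitter to its check-in timer precisely to blunt this kind of check, so in practice the interval test is combined with other signals such as destination reputation, payload size consistency, and off-hours activity; legitimate software (update checkers, monitoring agents) also beacons, so the output is a triage list rather than a verdict.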
A Holistic Approach to Cyber Defense
The networks of cybercriminals who create malware are constantly ideating and testing new attack methods, making it crucial for security professionals to adopt a holistic approach to building, maintaining, and evolving their cyber defenses.
While it is extremely difficult to prevent all malware attacks given the size and complexity of today's networks, one effective defense is preventing malware from moving laterally post-compromise. Having technologies in place that can protect against and mitigate the spread of unwanted attackers through the network helps reduce the potential damage. One such way is by making your network invisible using edge microsegmentation. Ready to learn more? Get in touch with us.