Easy Read Time: 6 Minutes

The term malware is a contraction of malicious software. It corresponds to any intrusive software produced by cybercriminals (often referred to as “hackers”) to steal data and cause damage or loss to computers and information networks. When it comes to security terms, people tend to be a bit sloppy. However, it’s crucial to learn the malware classifications, and learning how different forms of malware propagate is critical to containing and eliminating them.

It comes in a bewildering range of ways, each with its own delivery method (attack vector). About 350,000 new malicious programs (malware) and potentially unwanted applications are registered by the AV-TEST Institute every day. Furthermore, because of the low footprint and lack of files to search, cybercriminals have gradually turned to lifeless malware as an efficient alternative method of attack, making it much more difficult for traditional antivirus (AV) to detect. Viruses, worms, Trojan horses, spyware, adware, and ransomware are all examples of modern malware.

When you hang out with geeks, this article will help you get your malware terms right.

Viruses

Any malware software reported in the news is referred to as a computer virus by the majority of the media and frequent end-users. Fortunately, the majority of malware applications aren’t viruses. When a victim’s file is executed, a computer virus modifies other valid host files (or pointers to them) in such a manner that the virus is also executed. Simple computer viruses are scarce nowadays, accounting for less than 10% of all malware. That’s a positive sign, as viruses are the only malware that can “infect” other files. Since the malware must be executed from the legitimate application, they are particularly difficult to clean up. This has always been complicated, and it is nearly impossible today. The virus will remain dormant once downloaded until the file is opened and used. Viruses are created to impact negatively on a computer’s ability to function. Viruses may thus cause major operating complications and data loss.

Virus Example: ILOVEYOU

The ILOVEYOU virus, as romantic as it is, is not the sort of Valentine’s Day present you’d like to get. The virus spread via email, posing as a love note from one of the victim’s contacts. The virus was concealed in the “LOVE-LETTER-FOR-YOU.TXT.vbs” attachment. The worm began overwriting random files on the user’s PC after the user triggered a Visual Basic script (a programming language that helps programmers to edit code). The virus even made backups of itself and transmitted them to everyone in the user’s address book. About ten million Windows PCs were infected with this virus. The Pentagon, the British Government, and the CIA all had to close down their mail systems due to the unexpected rush triggered by the virus.

Worms

Worms have been existing for much longer than computer viruses, dating back to the days of mainframe computers. In the late 1990s, email made them popular, and for nearly a decade, computer security professionals were infected by malicious worms that arrived as message attachments. When one person opens a wormed email, the entire organization is infected in a matter of minutes. The self-replicating aspect of the computer worm is its defining feature. The worm’s place in computer security history was assured by several worms, including SQL Slammer and MS Blaster. The capacity of an efficient worm to spread without end-user interference is what makes it so dangerous. Viruses, on the other hand, need an end-user to at least turn it off before they can attempt to infect other files and users. Worms take advantage of other files and systems to carry out their dirty work. The SQL Slammer worm, for example, exploited a (patched) vulnerability in Microsoft SQL to cause buffer overflows on nearly every unpatched SQL server connected to the internet in under ten minutes, a speed record that stands today.

Worm example: Stuxnet

Stuxnet was most likely created by the US and Israeli intelligence agencies with the intention of delaying Iran’s nuclear program. A flash drive was used to bring it into Iran’s environment. Stuxnet’s developers never expected it to escape its target’s network because the atmosphere was air-gapped, but it did. Stuxnet spread rapidly after it was released into the wild, but it caused little harm since its primary objective was to disrupt the uranium enrichment process’s industrial controllers.

Trojans

Hackers’ preferred weapon of choice has been changed from computer worms to Trojan malware programs. Trojan horses appear to be legitimate programs, but they contain malicious software. They’ve been around for a long time, much longer than computer viruses, but they’ve infected more machines than any other form of malware. To do its job, a Trojan must be executed by its victim. Trojans are normally distributed via email or when users visit infected websites. The most common Trojan is a fake antivirus program that appears on your screen and says you’re infected, then instructs you to run a program to clean your computer. The Trojan takes hold after the user swallows the bait.

Cybercriminals have become particularly involved in remote access Trojans (RATs). RATs allow an attacker to take remote control of a victim’s computer, with the intention of spreading laterally and infecting an entire network. This form of Trojan is built to remain undetected. Threat actors aren’t even required to write their own scripts. In underground marketplaces, there are hundreds of ready-to-use RATs. Trojans are difficult to protect against for two reasons: they’re simple to write (cybercriminals actively manufacture and distribute Trojan-building kits), and they propagate by deceiving end-users, which a patch, firewall, or other conventional protection can’t avoid.

Trojan Example: Emotet:

Emotet is a complex banking Trojan that was first discovered in 2014. Emotet is difficult to tackle since it evades signature-based identification, is persistent, and incorporates spreader modules that assist in its spread. Emotet has cost state, provincial, federal, and territorial governments up to $1 million per incident to remediate, according to a US Department of Homeland Security alert.

Ransomware

Malware that encrypts the data and keeps it hostage in exchange for a cryptocurrency payment has been a big part of the malware ecosystem for a few years, and it’s still increasing. Companies, hospitals, police forces, and even whole towns have been crippled by ransomware. The majority of ransomware programs are Trojans, which means they must be distributed by some kind of social engineering. Most search for and encrypt users’ files within minutes of being executed, but others are still taking a “wait-and-see” method. The malware administrator will work out how much ransom the victim can pay by monitoring the user for a few hours before beginning the encryption routine.

Ransomware, like any other form of ransomware, can be avoided, but it can be difficult to undo the damage if you don’t have a good, validated backup. According to some reports, about a fifth of the victims pay the ransom, and about a third of those do not get their files back. In any case, unlocking the encrypted files, if at all necessary, requires the use of specialized equipment, decryption keys, and more than mere luck. The best advice is to provide a nice, offline backup of all critical files.

Ransomware Example: Robinhood

The city of Baltimore was compromised with Robinhood ransomware, which crippled all city functions for weeks, including tax collection, property exchanges, and government email. So far, the attack has cost the city more than $18 million, with costs expected to rise. In 2018, the same ransomware was used against the city of Atlanta, resulting in a $17 million loss.

Fileless Malware

Fileless malware is more of a description of how it exploits and survives than it is a separate type of malware. Malware that uses the file system to travel and exploit new devices is known as traditional malware. Fileless malware, which now accounts for more than half of all malware and is still growing, is malware that does not use files or the file system directly. Instead, they use memory-only vulnerabilities or other “non-file” OS objects like registry keys, APIs, and scheduled tasks to spread.

Fileless malware Example: Astaroth

Astaroth was a fileless malware campaign that used links to a .LNK shortcut file to scam users. A WMIC tool, as well as a range of other legal Windows applications, were released when users downloaded the file. These tools downloaded additional code that was only executed in memory, leaving no proof that vulnerability scanners could detect. The intruder then ran a Trojan that took passwords and uploaded them to a remote server after downloading and running it.

Adware:

If you’re fortunate, adware is the only malware you’ve experienced. Adware seeks to expose the infected end-user to unwanted, potentially malicious ads. A popular adware program can cause a user’s browser searches to be redirected to similar web pages with additional product promotions.

Adware Example:

In 2017, adware known as Fireball infected 250 million computers and smartphones, modifying default search engines and monitoring web activity. The malware, on the other hand, had the potential to be more than a nuisance. It was capable of remotely running code and uploading malicious files in three-quarters of the instances.

Spyware

Spyware is most widely used for those who want to track their loved ones’ computer activities. Of course, criminals may use spyware to record victims’ keystrokes to obtain access to passwords or intellectual property in targeted attacks. Adware and spyware applications are normally the simplest to remove, due to the fact that their motives aren’t quite as nefarious as other forms of malware. You’re done when you’ve found the malicious executable and blocked it from being executed. The method it uses to trick the computer or user, whether it was social engineering, unpatched applications, or a dozen other root exploit triggers, is a much bigger concern than the actual adware or spyware. This is because, while the purposes of spyware and adware applications are not as malicious as, say, a backdoor remote access trojan, they both employ the same tactics to obtain access. The appearance of an adware/spyware application should be taken as an indication that the system or customer has a bug that needs to be fixed before real badness appears.

Spyware Example DarkHotel:

DarkHotel, which used hotel WIFI to attack business and government officials, used a range of malware to gain access to the networks of specific powerful people. After gaining access, the attackers mounted keyloggers to capture the passwords and other confidential information of their victims.

References:

https://www.crowdstrike.com/cybersecurity-101/malware/types-of-malware/

https://www.csoonline.com/article/2615925/security-your-quick-guide-to-malware-types.html

https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html#~how-malware-works

https://comtact.co.uk/blog/what-are-the-different-types-of-malware/