Malware, short for “malicious software,” is software (or script or code) designed to disrupt computer operation, gather sensitive information, or gain unauthorized access to computer systems and mobile devices.
Malware is the tool of choice for our cyber adversaries because it's easy to use and readily available. Malware-as-a-service is a booming business that has really lowered the bar to entry into the cybercrime field. Criminals can create their own malware by acquiring malware toolkits, such as Zeus, SpyEye, and Poison Ivy, and customizing the malware produced by those toolkits to meet their individual needs. Most toolkits offer user-friendly interfaces – and even customer service support – that make it simple for unskilled attackers to create customized, high-capability malware.
Malware is difficult to detect. It's pretty common for an organization to be unaware of an infection for days, weeks, or even months. This is because malware can be designed to evade traditional antivirus solutions, intrusion prevention systems, firewalls, and other network security solutions. This is one of the reasons why we are seeing an increase in advanced threat detection techniques being employed by organizations, including cyber threat hunting. As a threat hunter it's important to be aware of the threats you're facing, so let's take a look at seven types of malware you should be aware of.
Types of Malware
Malware categorization is based on infection and propagation characteristics. Hackers can also combine malware characteristics to create a hybrid malware. For example, the WannaCry attack of 2017 was ransomware, but also had a worm component, which enabled it to spread as quickly as it did.
Upon execution, a virus replicates itself by modifying other computer programs and inserting its own code. Generally, viruses are destructive. They spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.
A worm is a piece of malicious code that is self-replicating. It duplicates itself to spread from one computer to another by exploiting known vulnerabilities. Worms often use parts of operating systems that are automatic and invisible to the user, so they can be difficult to detect unless their uncontrolled replication consumes system resources, slowing or halting other tasks (TechTarget). USB drives are a common vector for computer worms.
A Trojan is malicious code that masquerades as a legitimate, benign application. A typical activity attributed to Trojans is to open connections to a command and control server (known as a C&C). Once the connection is made, the machine is said to be “owned.” The attacker takes control of the infected machine. In fact, cybercriminals will tell you that once they have successfully installed a Trojan on a target machine, they actually have more control over that machine than the very person seated in front of and interacting with it. Once “owned,” access to the infected device may be sold to other criminals. Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction, such as opening an email attachment or downloading and running a file from the Internet. (Security Program and Policies: Principles and Practices (2nd Edition))
Bots (also known as robots) are snippets of code designed to automate tasks and respond to instruction. Bots can self-replicate (like worms) or replicate via user action (like Trojans). A malicious bot is installed in a system without the user's permission or knowledge. The bot connects back to a central server or command center. An entire network of compromised devices is known as a botnet. One of the most common uses of a botnet is to launch distributed denial of service (DDoS) attacks. A DDoS attack is an attempt to make a machine or network resource unavailable for its intended use. In general terms, DDoS attacks consume computer resources to obstruct the communication channel. (Security Program and Policies: Principles and Practices (2nd Edition))
If your computer is infected with ransomware, you are not able to access data until you pay a ransom to the attacker. After the ransom is paid the data will usually be released, but not always. These attacks are opportunistic in nature and computers are typically infected by a user clicking on a malicious email attachment or visiting an infected website. However, ransomware continues to evolve. Attacks surged in 2017 with the appearance of two new self-propagating threats in the form of WannaCry and Petya.
A rootkit is a set of software tools, typically malicious, that gives an unauthorized user privileged access to a computer. It allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner's usage (Veracode). Rootkits cannot self-propagate or replicate; they must be installed on a device. Because of where they operate (in the lower layers of the operating system's application layer, in the operating system kernel, or in the device's basic input/output system (BIOS), with privileged access permissions), they are very difficult to detect and even more difficult to remove.
Spyware is just what it sounds like... it's spying software. It's a general term used to describe software that, without a user's consent or knowledge, tracks activity and collects data. For criminal organizations, spyware is a useful tool to collect financial information such as online banking accounts and passwords, or credit card information. Advertisers use it to figure out your online habits and serve you more relevant ads. Governments use it to collect as much information as possible on you (AVG). While not all spyware is malicious, it's controversial because it can violate the end user's privacy and has the potential to be abused.
This post was updated March 19, 2018.
The Sage Advice Guide to Cyber Threat Hunting
As cyberattacks continue to soar, it's time to get proactive when protecting your network. You can’t simply sit back and wait for an automated alert to let you know you’ve been breached. You need to actively seek out potentially malicious behavior on your network. That’s why we’re seeing a shift to a more proactive approach... Cyber Threat Hunting. Learn how to defend your network. Go to the Sage Advice Guide to Cyber Threat Hunting to learn more!