What is malware and how can organizations defend against it? Malware, short for “malicious software,” is a large and growing part of the cybercrime industry. McAfee Labs Global Threat Intelligence identified more than 41 million new malware samples—a slight 5% decrease over the previous quarter. Total malware samples have grown 34% over the past four quarters to more than 774 million samples.
Cybercriminals distribute malware in several ways:
- They infect a popular website, which then passes on the malware to visitors.
- They attach malware to emails disguised as a legitimate file.
- They insert malicious code into trusted applications and tools, such as programming utilities or software updates.
A malware attack typically falls into one of five categories based on what the attacker hopes to achieve:
Spyware and adware
Adware collects information on a user's browsing habits and pushes pop-up ads to the user. Pornware is a type of adware that downloads pornographic images and advertisements to a computer and may auto-dial pornographic talk services. Spyware also collects information—sometimes the user's web browsing history, but also more sensitive data, such as passwords and account numbers. In some cases, the spyware may seek out confidential content, such as customer lists or financial reports. Spyware and adware often masquerade as legitimate applications, including malware protection programs.
Botnet malware creates networks of hijacked computers that can be remotely controlled. Called botnets, these networks may consist of hundreds or thousands of computers—all conducting one of the following malicious activities:
- Emailing spam
- Mining cryptocurrencies (see cryptojacking below)
- Launching distributed denial-of-service (DDoS) attacks to disrupt or disable an organization's network
- Distributing malware to create more botnets
Ransomware gained prominence in 2016 when a wave of ransomware exploits encrypted computers around the globe and held them hostage for payment in bitcoin or other cryptocurrencies. One of the most notorious was the May 2017 WannaCry/WannaCryptor ransomware that impacted major organizations around the world, including the U.K. National Health Service (NHS). The attackers demanded $300 in bitcoin for each computer’s decryption key, although they did not always deliver the key. The ransomware shut down NHS hospitals and affected hundreds of thousands of organizations and individuals who lost valuable data. In 2018, ransomware attacks have declined as attackers refocus their efforts on cryptojacking malware.
Cryptojacking or cryptomining malware
Cryptojacking or cryptomining malware involves hijacking a computer or computer network to mine cryptocurrencies. The Cyber Threat Alliance's cryptomining subcommittee measured an increase in mining malware attacks of 459% in 2018. The surge in bitcoin value in late 2017 (to more than $19,000 per coin) fed the growth of cyberjacking malware. The infected computers mine Monero cryptocurrency and send it to the attacker's account.
Mining programs use large amounts of processing power, bandwidth, and energy. Victims pay the price—in reduced processing power for their legitimate uses and increased electricity costs. Excessive data crunching can also damage the victim's hardware. Malware attacks may also steal or alter data or plant other malware for future use.
Some cryptojackers also steal victims' own cybercurrency. The HaoBao campaign, which McAfee Labs identified in early 2018, delivers its payload through a Dropbox link to a falsified job advertisement. Once on the computer, the malware searches for bitcoin activity, and if found, redirects the funds into the criminal’s wallet.
Fileless malware operates only in the memory of the computer and leaves no files for antivirus software to locate. Operation RogueRobin, discovered in July 2018, is an example of a fileless malware attack. RogueRobin starts with a phishing email containing malicious Microsoft Excel Web Query files. These files force the computer to run PowerShell scripts, which in turn provide the attacker with a backdoor to the victim's system. Although the malware disappears if the computer is powered off, the backdoor remains.
By using trusted technologies such as PowerShell, Excel, or Windows Management Instrumentation, fileless malware hackers can evade traditional security software.
Because some applications are designed to run continuously, a fileless malware script might run for days, weeks, or longer. A financial services company discovered fileless malware that ran on its domain controllers and collected the credentials of system administrators and others with access to deeper parts of the system.
Best practices for malware protection
Below are the primary strategies that individuals and organizations can implement for better malware protection:
Back up data frequently
If a file or database is corrupted, it may be restored from a recent backup. Hence, maintain multiple backups over a period of time. Also, test backups regularly to ensure they function properly.
Disable administrative tools and browser plug-ins that are not needed.
Install and update malware detection software
Advanced malware detection programs and services employ multiple methods for detecting and responding to malware, including:
- Sandboxing or activating a suspected virus in a quarantined environment
- Conducting reputation filtering (e.g., filtering by the reputation of the sending IP address)
- Using signature-based filtering to identify malware by comparing it to characteristics of known malware
- Employing behavior-based analytics software, which uses artificial intelligence and machine learning to profile normal user behavior and detect abnormal use of applications
Learn about malware threats
The most significant factor in preventing any kind of malware infection is the users themselves. Users need to be aware of the risks of downloading and installing unauthorized applications, inserting USB thumb drives into their computers, or browsing untrusted websites.
User training on safe internet and social media practices is recommended. Users benefit from regular informational updates on the latest malware threats, as well as reminders on security practices. IT employees can improve their security skills by attending a McAfee webcast, reading McAfee blogs, or reviewing McAfee Threat Center reports.