Short for “malicious software,” malware is computed code that is designed to harm or exploit any programmable device, server, or network. The malicious intent of malware can take many forms, including denial of access, destruction or theft of data, monetary theft, hijacking computer resources, spreading misinformation, propagation of malware, and many other harmful actions. The motivation for cybercriminals to spread malware could be for money, spying or theft of secrets, or damage to a competitor or adversary.
With millions of programmable devices now connected via the internet, malware is a large and growing part of the cybercrime industry. McAfee Labs Global Threat Intelligence identified more than 41 million new malware samples—a slight 5% decrease over the previous quarter—in September 2018. Total malware samples have grown 34% over the past four quarters to more than 774 million samples. Take a look at our malware infographic covering this Global Threat Intelligence report in more detail
Cybercriminals distribute malware in several ways:
- They infect a popular website, which then passes on the malware to visitors.
- They attach malware to emails disguised as a legitimate file.
- They insert malicious code into trusted applications and tools, such as programming utilities or software updates.
The five categories of malware attacks
A malware attack typically falls into one of five categories based on what the attacker hopes to achieve:
Spyware and adware
Adware collects information on a user's browsing habits and pushes pop-up ads to the user. Pornware is a type of adware that downloads pornographic images and advertisements to a computer and may auto-dial pornographic talk services. Spyware also collects information—sometimes the user's web browsing history, but also more sensitive data, such as passwords and account numbers. In some cases, the spyware may seek out confidential content, such as customer lists or financial reports. Spyware and adware often masquerade as legitimate applications, including malware protection programs.
Botnet malware creates networks of hijacked computers that can be remotely controlled. Called botnets, these networks may consist of hundreds or thousands of computers—all conducting one of the following malicious activities:
- Emailing spam
- Mining cryptocurrencies (see cryptojacking below)
- Launching distributed denial-of-service (DDoS) attacks to disrupt or disable an organization's network
- Distributing malware to create more botnets
Ransomware gained prominence in 2016 when a wave of ransomware exploits encrypted computers around the globe and held them hostage for payment in bitcoin or other cryptocurrencies. One of the most notorious was the May 2017 WannaCry/WannaCryptor ransomware that impacted major organizations around the world, including the U.K. National Health Service (NHS). The attackers demanded $300 in bitcoin for each computer’s decryption key, although they did not always deliver the key. The ransomware shut down NHS hospitals and affected hundreds of thousands of organizations and individuals who lost valuable data. In 2018, ransomware attacks have declined as attackers refocus their efforts on cryptojacking malware.
Cryptojacking or cryptomining malware
Cryptojacking or cryptomining malware involves hijacking a computer or computer network to mine cryptocurrencies. Mining programs use large amounts of processing power, bandwidth, and energy. Victims pay the price in reduced processing power for their legitimate uses and increased electricity costs. Excessive data crunching can also damage the victim's hardware. Malware attacks may also steal or alter data or plant other malware for future use. Some cryptojackers also steal victims' own cybercurrency.
The Cyber Threat Alliance's cryptomining subcommittee measured an increase in mining malware attacks of 459% in 2018. The surge in bitcoin value in late 2017 (to more than $19,000 per coin) fed the growth of cyberjacking malware. The infected computers mine Monero cryptocurrency and send it to the attacker's account.
View the infographic >
Fileless malware operates only in the memory of the computer and leaves no files for antivirus software to locate. Operation RogueRobin, discovered in July 2018, is an example of a fileless malware attack. RogueRobin starts with a phishing email containing malicious Microsoft Excel Web Query files. These files force the computer to run PowerShell scripts, which in turn provide the attacker with a backdoor to the victim's system. Although the malware disappears if the computer is powered off, the backdoor remains.
By using trusted technologies such as PowerShell, Excel, or Windows Management Instrumentation, fileless malware hackers can evade traditional security software.
Because some applications are designed to run continuously, a fileless malware script might run for days, weeks, or longer. A financial services company discovered fileless malware that ran on its domain controllers and collected the credentials of system administrators and others with access to deeper parts of the system.
Best practices for malware protection
Below are the primary strategies that individuals and organizations can implement for better malware protection:
- Back up data frequently. If a file or database is corrupted, it may be restored from a recent backup. Hence, maintain multiple backups over a period of time. Also, test backups regularly to ensure they function properly.
- Disable macros. Disable administrative tools and browser plug-ins that are not needed.
- Install and update malware detection software. Advanced malware detection programs and services employ multiple methods for detecting and responding to malware, including:
- Sandboxing or activating a suspected virus in a quarantined environment
- Conducting reputation filtering (e.g., filtering by the reputation of the sending IP address)
- Using signature-based filtering to identify malware by comparing it to characteristics of known malware
- Employing behavior-based analytics software, which uses artificial intelligence and machine learning to profile normal user behavior and detect abnormal use of applications
- Learn about malware threats. The most significant factor in preventing any kind of malware infection is the users themselves. Users need to be aware of the risks of downloading and installing unauthorized applications, inserting USB thumb drives into their computers, or browsing untrusted websites.
User training on safe internet and social media practices is recommended. Users benefit from regular informational updates on the latest malware threats, as well as reminders on security practices. IT employees can improve their security skills by attending a McAfee webcast, reading McAfee blogs, or reviewing McAfee Threat Center reports.