The 7 types of malware businesses must protect against
The introduction of government initiatives, such as the cyber essentials scheme and GDPR, has led to an increase in cybersecurity awareness amongst businesses, causing the nature of cyber attacks to change in the last few years. While the types of malware-based attacks have seen a decrease, malware still represents a significant proportion of attacks on businesses.
The UK Government’s latest Cyber Security Breaches Survey 2020, identifies a fall in attacks from viruses or other malware (from 33% in 2017 to 16% in 2020). However, when also taking into account ransomware, the results are more startling. 24% of businesses are still experiencing attacks from different types of viruses, malware and ransomware.
The focus for businesses has shifted from malware to phishing type attacks – primarily due to the potential level of disruption phishing attacks have on organisations. However, the threat from various types of malware attacks remains considerable.
In this article, we identify the 7 different types of malware, describing what malware is, impact malware has on businesses and what steps companies should take to protect against malware.
In this article, we explain:
What is malware?
Malware (Malicious software) is a “catch-all” term for a code or program which is hostile and harmful to computer systems.
Malware can have different forms and functions. Viruses, worms, trojans, rootkits, spyware, adware, ransomware and botware are all types of malware.
All malware is, by design, intended to be intrusive. Malware seeks to infect, damage and immobilise computers, computer systems, computer networks, tablets, mobiles and laptops. With the sole aim of extorting money from the target organisation.
Consequently, malware will seek to infiltrate and disrupt the target, by stealing, encrypting, deleting and hijacking severely hampering core functions to achieve its aim forcefully.
How does malware affect businesses?
According to the UK Government’s Cyber Security Breaches Survey 2020, 24% of businesses experienced an attack from viruses, spyware, malware or ransomware.
The anonymity offered by the internet, coupled with its cross-border nature, provide cybercriminals with the perfect cover from which to launch attacks against organisations.
In particular, small and medium businesses and not-for-profit organisations, are lucrative targets for malware, with over 60% of attacks targeted towards companies with less than 1,000 employees (Varonis, 2018).
A well-executed malware attack could cripple your day-to-day operations. Such an attack could result in a complete breakdown of your computer network or the loss of critical data, leading to lost sales, custom and future business.
Some of the high profile malware attacks seen over the last few years are:
CovidLock, 2020 – Ransomware: The recent Coronavirus (COVID-19) pandemic has been greatly exploited by cybercriminals. The CovidLock ransomeware uses malicious files to infect victims with the promise of providing more details about Coronavirus. Once installed, Android device data is encrypted by CovidLock, denying data access to the victim. CovidLock victims must pay USD100 per device to be granted access to their data.
LockerGoga, 2019 – Ransomware: LockerGoga infected large corporations, like Altran Technologies and Norsk Hydro. LockerGoga ransomware attacks include credential theft, malicious emails, and phishing scams. LockerGoga completely blocks system access. It is estimated that LockerGoga caused millions of dollars in damage in advanced and targeted attacks.
Emotet, 2018 – Trojan: This trojan, became famous after the US Department of Homeland Security labelled Emotet as a leading destructive type of malware. Emotet received widespread attention due to its targeting of financial data theft, such as cryptocurrencies and bank logins. Emotet’s spread via malicious emails in the form of spam and phishing campaigns.
WannaCry, 2017 – Ransomware: One of the worst ransomware attacks in recent history. WannaCry, caused infections via phishing emails, and impacted the UK’s national health service (NHS), exploiting a vulnerability in Windows XP. Estimate indicated that more than 200,000 people worldwide have been reached by WannaCry, including public sector bodies (hospitals, universities) and large enterprises (FedEx, Renault). Losses due to WannaCry are estimated to exceed USD4 billion.
Petya, 2016 – Ransomware: Petya blocks the machine’s entire operating system. To release the operating system, a ransom has to be paid by the victim. It is estimated that USD 10 billion in losses have been incurred by its victims since Petya and its more new and destructive variations was released. Victims of Petya have included banks, airports and oil and shipping companies from across the globe.
How can businesses protect against malware?
Most types of malware infections will go unnoticed, clandestinely impacting your systems in the following ways:
- Steals sensitive information and confidential data
- Allows unauthorised access to system resources, such as CPU and memory
- Slows applications and web browsers
- Interferes with network connections and resources
- Results in frequent freezing or crashing of systems
Consequently, businesses must take the necessary precautions to detect and prevent malware infections. The lack of antivirus software and firewalls will freely let malware infiltrate your systems and stay concealed until it has caused extensive damage.
The primary sources of malware infection
Systems are most likely to become infected by malware from the following sources:
Internet: A large proportion of malware is distributed via the internet. For example, you may visit a website which contains malicious code or inadvertently download a malicious disguised as an ordinary application. A significant majority of malware is also concealed in files downloadable via peer-to-peer networks (torrents).
Email: Different types of malware can also be hidden in the body of an email or the attachments. The opening of such emails or attachments will execute the malware to infiltrate your computer. Users could also receive phishing and spam emails which entices them to a website containing malicious code.
Software vulnerabilities: Software vulnerabilities can be exploited to allow cybercriminals to gain remote access to your data, as well as network resources and sources of confidential information. This may be perpetrated by enticing users with a fake patch or update.
External storage drives: External drives and network folders could harbour malware. If users inadvertently execute a malicious application on an external drive, the malware could propagate a virus to all computers or systems, wiping or encrypting the crucial data.
New users: Another user, particularly new users, not familiar with the organisation’s cybersecurity policy, may inadvertently cause systems to become infected without realisation. Cybercriminals are known to use social engineering to lure users into installing and running malware.
10 Tips to avoiding malware infiltrations
As with most malicious activities, avoidance is best. Keeping your systems healthy, by way of robust antivirus and firewalls, and implementing best practices, most organisations can avoid or minimise the impact of any malware infiltration.
Here are some tips businesses can employ to protect against malware:
- Pay attention to domain names that end with obscure letters, for example, domain names ending in .com, .org, .edu, .co.uk, to name a few, are, in general trustworthy. Cybercriminals can set up spoof websites using uncommon TLDs, containing malicious code.
- Ensure the operating systems, browsers, and plugins are always up to date with the latest manufacturers patches and updates.
- Instruct users to not click on pop-up ads while browsing a website. Users should refrain from clicking on unverified links in unsolicited emails, texts and WhatsApp messages. Downloading software from peer-to-peer file transfer networks or untrustworthy websites should also be avoided. Train users to avoid executing executable files and avoid enabling macros on Office files.
- For mobile devices, only download apps from Google Play Store or Apple’s App Store. Be wary and check the ratings and reviews first. It is best to avoid apps which have low ratings and downloads. Android devices have a function to switch off downloads from third-party sources.
- To prevent malicious apps from threatening their computer networks, organisations should develop strong mobile security policies and deploy a mobile security solution to enforce those policies.
- Business can invest in a good antivirus/anti-malware program with layered protection. This will scan and detect malware, such as adware and spyware while maintaining a proactive real-time defence to block threats such as ransomware. Any security program should also provide remediation to rectify any system changes from the malware it cleans. Hence, returning systems to the last known normal state.
- Large networks can be segmented into smaller subnetworks – smaller targets are harder to attack. This will help to contain any breaches to a limited number of endpoints instead of your entire network.
- Backup all your data, including all endpoints and network shares. This will allow you to wipe an infected system and restore from a backup.
- Businesses should educate employees on how to create strong passwords and should implement multi-factor authentication (MFA) where possible. Organisations should also limit account privileges by granting users the minimum access level required to complete their jobs.
- Remove and get rid of old software which is past its expiration date. Updates for old software are rarely available, allowing malware to be developed to exploit security loopholes. Cybercriminals actively seek outdated and obsolete software to target.
Malware continues to grow and evolve, with a new type of malware attack available every other year. Businesses should pay attention to early signs of malware infection. An indicator could be a slow device which is relatively new. The application of best practice, along with antivirus/anti-malware software, will keep your organisation safe from malware infections.
How to remove malware from business systems
There are three simple steps organisations need to take if they suspect a malware infection, or if they simply want to be cautious:
Step 1. Firstly, invest in a legitimate antivirus/anti-malware program. But before paying for a pricey antivirus subscription, check out these 9 free malware scanning and removal tools.
Step 2: Once downloaded, install the application and run a scan. Anti-malware applications are intended to seek and eliminate any malware on your device.
Step 3: Once the device has been cleaned and any malware eliminated, it is a good idea to change your passwords. Make sure you change all passwords. Not only for the PC or mobile device, but also email, social media accounts, e-commerce sites, and online banking.
Note: Apple iPhone does not allow scans of its system. The only choice is to wipe the phone with a factory reset, then restore it from a backup.
The 7 different types of malware
Here we provide definitions for the different types of malware threats.
Adware aims to force unwelcomed advertisements onto the user’s screen. The purpose of this is to compel users to watch an ad which will, as a result, earn cybercriminals money.
If users have been led to a different page to that which they clicked on, the likely cause is adware. In most cases, users will finally reach the page that they intended to visit. However, the injection of a random advertisement in your page code, can slow down browsers and make browsing the internet cumbersome.
Adware also works by altering application settings on the local computer. For example, certain types of adware will hijack your internet web browser and add unwanted search engines, toolbars, and even change the default home page on the New tab page.
Ransomware has risen to prominence in the last few years due to some high profile cases. In a ransomware attack, initially, no target data is damaged or lost. Instead, it is encrypted, effectively locking the user out of using that data, with the cypher key only being provided once a ransom has been paid. Ransomware can spread very fast and is typically instigated and propagated via trojans or worms.
The rise in prominence of ransomware correlates with the increasing popularity of cryptocurrencies, such as Bitcoin, which offer a degree of pseudo-anonymity to hackers. This makes it difficult for law enforcement officials to trace the perpetrators even once the money has been transferred to the bank account.
The WannaCry ransomware in 2017 received extensive media attention. In the UK, the malware severely impacted the national health service (NHS), leading to an acute increase in awareness in ransomware.
Ransomware is nothing more than a digital protection racket. With companies receiving a demand for a ransom and warnings that if not paid, their data will be lost forever. Unfortunately, most companies do not take any chance and pay the ransom.
A rootkit is a type of malware which has aims to gain privileged access, while remaining undetected. Not all rootkits are malware. However, those with malicious intent take privileges such as admin rights, gain full and unfettered access to the system. A rootkit can be used to install other malware, changing the names of the malware to hide its real intent, appearing as an innocent application to the user.
Rootkits spread via injection. Injection methods vary but can include piggybacking, whereby the rootkit is bundled with genuine software, such as an application plugin. Other injection methods include blended threat, whereby the rootkit takes advantage of vulnerabilities on the system, or via infected mobile apps.
Rootkits can reside at different levels in a system, i.e. Level 0 to level 3. Level 3 represents the applications level for the system, while level 0 is the at the kernel level. Rootkit infections can escalate in severity with a level 0 infection the hardest to remove. Not all antivirus solutions have full access to level 1 and lower.
Rootkits are very powerful. A more sophisticated type of rootkit malware is Ghostware which simply hides its existence, altering parts of the system to make them appear healthy, thereby rendering the malware invisible to the computer user.
As the name suggests, the purpose of spyware is to spy on your activities to report and steal data. Spyware will clandestinely collect and share potentially sensitive information with the cybercriminal, who will either use it or sell the data to whoever finds that information valuable.
Spyware infects systems via conventional means of malware including websites, email and ads. Spyware relies on an active internet connection since one of the critical functions of spyware is to send information back to the cybercriminal.
There are four types of spyware, namely, keyloggers, password stealers, infostealers and mobile spyware. You may sometimes see adware identified as the fifth type of spyware.
Keyloggers: Also known as system monitors. Keyloggers record keystrokes entered on the keyboard. This data is then sent back periodically to the creator, who can reassemble the information to obtain sensitive and confidential data.
Password stealers: This type of malware steals passwords entered on computers, including login details. Password stealers can steal passwords for email, banking and social media accounts.
Infostealers: Used by third parties to collect sensitive information entered on an infected system. This confidential information could include usernames, passwords, browser history, log files and emails. Infostealers typically infect a system via web browser vulnerabilities.
Mobile spyware: This targets mobile phones. This type of spyware is attached to SMS and MMS messages, infecting phones when they receive the message without any user interaction. The spyware will then use the mobile’s camera and microphone to snoop on the user, monitoring mobile’s web browser search history, and phone calls.
This type of malware tricks users by posing as legitimate software. Once the trojan is downloaded, opened and executed on a computer, the trojan is activated and will have access to the system. Trojans typically infect systems via two general methods — either by hiding within a piece of software or through phishing.
Trojans can be attached to software downloads. A popular choice is to hide a trojan within freeware and shareware games. In phishing, the trojan is installed via a downloaded file from an email that has portrayed itself to be a trusted source. Trojans are now often delivered in Microsoft Office and PDF files to avoid suspicious executable files from unknown or random sources.
Different types of trojans exist and can be broadly categorised as follows:
Backdoor Trojans: This type of trojan, once executed, creates vulnerabilities in the infected system’s security which allows other attacks to be perpetrated.
Downloader Trojans: Downloader trojans act as a delivery mechanism to download malicious code, typically from the cybercriminal’s website, with the aim to gain control of the target system.
Rootkit Trojans: These trojans aim to install a rootkit which can be used by other attackers to gain access to your system.
Exploit Trojans: This type of trojan target specific vulnerabilities within the target system and contains code which exploits this opportunity.
Viruses are one of the most commonly known types of malware. Viruses hide within application code and replicate until it has achieved its programmed task. When not reproducing, viruses will modify legitimate programs in a compromised system to insert its code.
A classic mainstay of malware, viruses have been around for a long time, being delivered to target systems via infected floppy disks and spreading via the circulation of these infected disks. With the prevalent use of the internet, the delivery mechanism has advanced to emails, files and websites.
A virus is activated by a user using a regular application which has been unwittingly infected. When the application is started, the virus code is executed.
There are 4 distinct phases in a virus attack, namely, dormant phase; propagation phase; triggering phase and execution phase.
Dormant Phase: Not all viruses exhibit this phase; however, during the dormant phase, the virus is idle while residing in the infected system. In this phase, the virus requires interaction from the user to activate and trigger its malicious activity.
Propagation Phase: The propagation phase is when the virus reproduces and attempts further system infection. During reproduction, the virus clones itself to infect different programs and different parts of a system. Clones may not be identical to the original virus and are likely to change over time to avoid detection from antivirus software. However, each of these clones can replicate in the same way, meaning a system can become overwhelmed with an infection in a very short time.
Triggering Phase: Once activated, the virus enters the triggering phase and executes the task(s) that it was intended to perform. This phase can be caused by running an application, or in some cases by a system event, for example, a system reboot. Once triggered, the virus intends to deliver a payload to the broadest number of systems as possible.
Execution phase: Viruses aim to deliver a malicious payload onto the compromised system. This payload could be minor, such as causing a pop-up to appear, or widely damaging, deleting files and folders.
The easiest way to prevent your system from viruses is by installing an antivirus program into your system. Many modern operating systems now come with a bundled antivirus system.
Worms, while similar to viruses, have a fundamental difference. Worms do not require user interaction (activation) to perform its programmed task, such as deleting files and stealing data. Worms commonly attack vulnerabilities that exist in operating systems.
Since worms act independent of the actions of third parties, they do not have an easily identifiable lifecycle. Once a system becomes infected, worms will replicate, identifying other computers on the network, and execute its programmed task. Worms exist in several different forms, each having their own mechanism of infiltrating a system:
Bot worms: Bot worms are a type of malware worm which infects systems intending to turn the victim computer into a bot or zombie. The infected machine is then used with other compromised systems to form botnets (robot network). Cybercriminals use botnets to launch large-scale, coordinated attacks, such as denial-of-service attacks (DoS). A DoS using multiple computers globally is known as a distributed-denial-of-service attack (DDoS); essentially, many infected computers working in unison. Users of the computer system in a botnet may not even realise that their computer system is taking part in DDoS attack. In a similar vein, a bot worm can be used for Cryptojacking – infecting and using unwitting systems to mine for cryptocurrency.
Email worms: Email worms initiate infection either by the way an infected email attachment which infiltrates the target system upon download or via a malicious link which will infect the target system when clicked. A well-known instance of an email worm is the ILOVEYOU worm, which in 2000, had infected millions of systems.
Internet-based worms: An internet-based worm is not picked up via web browsing; instead, it is spread when infected systems scan the internet for vulnerable machines that can be infected. Taking advantage of systems that have not received security and operating system updates, the worm identifies the vulnerabilities that have been fixed recently. From here, the worm locates a computer that has not yet had these updates installed.
File-sharing (P2P) network worms: File-sharing networks have a glaring security weakness – you rarely know what you are downloading. This type of worm relies on users to be enticed to download an infected file, such as the latest movie or application, onto the system. Once downloaded, the worm will execute the malicious actions it is programmed to do and self-replicate.
Chat room and instant message worms: Similar to the email worm, this worm will use the contact list to send out messages containing malicious links. Typically, these links will direct the user to a malicious website laden with malicious worms, or it may simply download the worm itself.
Different types of malware threats have been around for a while. However, their level of sophistication has grown on an almost daily basis. New malware threats may surface in the next few years, but the forms mentioned above are the ones that currently exist.