Malware is a program or file that intentionally damages or grants unauthorized access to a computer system. In other cases malware is used to destroy or steal sensitive data. Malware can infect devices, operating systems, and networks. Depending on the type and purpose of the malware, infection can have different levels of impact on users, endpoints, and organizations.
Some malware is only a nuisance, while other malware can lead to catastrophic data breaches. It is widely understood that malware detection and anti-malware protection is an essential component of any cybersecurity strategy for organizations of any size.
Here are some of the key types of malware attacks.
A virus is a software program that is added to an application or operating system without the user’s knowledge. It can be used to steal data, run unwanted activities on the user’s device, and cause damage to the device and its applications and data. A virus is a general term often used to describe other types of malware (see below).
Ransomware is software that uses encryption to disable access to a victim’s data until the ransom is paid. In some cases, in addition to encrypting the data, ransomware also sends it to attackers, allowing them to extort the organization. Even if the organization chooses to pay the ransom, there is no guarantee that attackers will provide the required decryption key or that it will properly restore the data.
Fileless malware does not initially install anything, but instead changes files specific to the operating system, such as PowerShell and Windows Management Instrumentation (WMI). Traditional antivirus software cannot detect fileless attacks because the operating system recognizes the edited file as legitimate.
Fileless attacks are stealthy and have a much higher success rate than traditional malware. However, next-generation antivirus (NGAV) technology uses advanced techniques to detect and block fileless malware.
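Because fileless attacks leave no new binary to scan, defenders typically look at process-creation telemetry instead: which parent launched a script host such as PowerShell or WMI, and with what command line. The script below is an added, self-contained illustration written for this page, not Cynet's or any vendor's detection code. It scores constructed process-creation records (the `ProcessEvent` fields are an assumed schema, not a real sensor format) against a handful of weighted indicators and raises an alert when the combined score crosses a threshold, so that a single weak indicator on its own stays below the line.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class ProcessEvent:
    """Constructed stand-in for one process-creation record from an endpoint sensor."""
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    pid: int
    score: int
    rules: List[str]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _is_powershell(e: ProcessEvent) -> bool:
    return _base(e.image) in {"powershell.exe", "pwsh.exe"}


# Parents that rarely have a legitimate reason to launch a script host.
OFFICE_OR_SCRIPT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wmic.exe"}

# (rule name, weight, predicate). Weights are illustrative, not tuned values.
RULES: List[Tuple[str, int, Callable[[ProcessEvent], bool]]] = [
    ("powershell_encoded_command", 3,
     lambda e: _is_powershell(e)
     and bool(re.search(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\b", e.command_line))),
    ("powershell_hidden_window", 2,
     lambda e: _is_powershell(e)
     and bool(re.search(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b", e.command_line))),
    ("powershell_policy_bypass", 2,
     lambda e: _is_powershell(e)
     and bool(re.search(r"(?i)(^|\s)-e(p|x|xec|xecutionpolicy)\s+bypass\b", e.command_line))),
    ("wmi_process_create", 3,
     lambda e: _base(e.image) == "wmic.exe"
     and "process call create" in e.command_line.lower()),
    ("script_host_from_office_or_script_parent", 3,
     lambda e: _base(e.parent_image) in OFFICE_OR_SCRIPT_PARENTS
     and _base(e.image) in SCRIPT_HOSTS),
]

ALERT_THRESHOLD = 3


def score_event(e: ProcessEvent) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that fires for one event."""
    hits = [name for name, _, pred in RULES if pred(e)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def detect(events: List[ProcessEvent]) -> List[Alert]:
    """Return an Alert for each event whose score reaches the threshold."""
    alerts = []
    for e in events:
        score, hits = score_event(e)
        if score >= ALERT_THRESHOLD:
            alerts.append(Alert(e.pid, score, hits))
    return alerts


# Constructed sample telemetry. The base64 blob is a harmless placeholder
# (UTF-16LE "Get-Date"); the rule only looks at the switch, not the payload.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
    ProcessEvent(101, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -ep bypass -enc RwBlAHQALQBEAGEAdABlAA=="),
    ProcessEvent(102, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 'wmic.exe process call create "notepad.exe"'),
    ProcessEvent(103, r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid={a.pid} score={a.score} rules={a.rules}")
```

Event 103 (a scheduled inventory script run with an execution-policy override) scores 2 and stays below the threshold, while the Office-spawned, hidden, encoded PowerShell in event 101 scores 10; in a real deployment the weights and the parent list would be tuned against the environment's own baseline of legitimate administration activity.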
Spyware collects information about a user’s activities without their consent. This may include passwords, payment information, messages, and documents. Spyware was originally prevalent on desktop computers but now affects mobile devices as well. On a mobile device, spyware is much more dangerous because attackers can use it to track a victim’s physical movements and activities.
Bot malware, which is commonly implemented as worms, trojans, or rootkits, is self-replicating malware that attempts to spread to a large number of devices. The malware compromises infected devices, establishes communication with a command and control (C&C) server, and starts performing automated actions under the attacker’s control.
Using bot malware, attackers herd devices into a botnet—a large network of compromised devices under their control. Botnets are frequently used in DDoS attacks. Botnet malware can also launch keyloggers, send phishing emails, or be used by attackers to mine cryptocurrency on victim devices.
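A bot that checks in with its command and control server does so on a schedule, and that regularity is something network defenders can look for in ordinary connection logs. The following is an added example written for this page (not Cynet's code): it groups constructed outbound connection records by source host, destination and port, measures the intervals between successive connections, and flags a pair as a likely beacon when there are enough connections and the intervals are nearly constant (low coefficient of variation). The record format and the thresholds are assumptions; the IP addresses come from the documentation ranges.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed connection log: (epoch seconds, source host, destination IP, destination port).
Connection = Tuple[int, str, str, int]

MIN_CONNECTIONS = 8     # fewer than this is too little to call a rhythm
MAX_CV = 0.2            # coefficient of variation (stdev / mean) of the intervals


def find_beacons(connections: List[Connection],
                 min_connections: int = MIN_CONNECTIONS,
                 max_cv: float = MAX_CV) -> List[Dict]:
    """Return one finding per (src, dst, port) whose connection intervals are nearly periodic."""
    by_pair: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ts, src, dst, port in connections:
        by_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "port": port,
                             "count": len(times), "mean_interval": mean, "cv": cv})
    return findings


# Constructed sample: host-a reaches 203.0.113.10 about every 60 s with a little
# jitter; host-b reaches 198.51.100.20 the same number of times but at random moments.
BASE = 1_700_000_000
SAMPLE_CONNECTIONS: List[Connection] = (
    [(BASE + t, "host-a", "203.0.113.10", 443) for t in (0, 60, 121, 180, 241, 300, 361, 420, 481, 540)]
    + [(BASE + t, "host-b", "198.51.100.20", 443) for t in (0, 15, 200, 230, 900, 905, 1500, 1510, 2400)]
)

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONNECTIONS):
        print(f"{f['src']} -> {f['dst']}:{f['port']} every ~{f['mean_interval']:.0f}s "
              f"(n={f['count']}, cv={f['cv']:.3f})")
```

Real C&C traffic often adds random jitter or sleeps between check-ins, so the interval threshold should be set from the environment's own traffic, and findings need to be cross-checked against known update, telemetry and monitoring agents that also poll on fixed schedules.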
Adware tracks browsing activity and displays unwanted ads to the user. Adware is similar to spyware, but it typically does not capture keystrokes or otherwise compromise the device.
Adware can be an annoyance to users and can slow down a user’s device. This type of malware invades the user’s privacy—data captured by adware is used to explicitly or covertly analyze an individual’s online activity, including purchases, travel, and private communications. This information may be shared or sold to advertisers without the user’s consent.
A more severe danger is that adware can show malvertising—advertisements that lead to malicious sites or trick the user into performing unwanted actions.
Trojan horses are malicious software that users install themselves, believing it to be legitimate software. Trojan horses rely on social engineering techniques to infiltrate a victim’s device. Once deployed on a device, a Trojan horse deploys its payload—malware designed to facilitate exploitation of the device. Trojan horses provide attackers with backdoor access to devices, run keyloggers, install viruses or worms, and steal data.
A rootkit is software that allows a malicious attacker to take remote control of a victim’s computer with full administrator privileges. Rootkits can be injected into applications, kernels, hypervisors, or firmware. Rootkits spread through phishing, malicious attachments, malicious downloads, and corrupted shared drives. Rootkits can also be used to hide other malware such as keyloggers.
Worms are malware designed to spread rapidly across networks. They can infect devices in a variety of ways, including operating system vulnerabilities, other software vulnerabilities, software-embedded backdoors, and infected flash drives. Once the worm is deployed, a malicious attacker can launch a DDoS attack, steal sensitive data, or launch a ransomware attack.
Malware uses a variety of methods to spread from an initial attack vector to other computer systems. Here are common ways malware is delivered to victim devices:
Here are some key best practices you can use to protect your organization against malware.
Learn about these and other best practices in our detailed guide to malware prevention.
Users are a weak link in most organizations’ cybersecurity strategy. It is critical to educate users on a regular basis about best practices to avoid malware, such as:
Practice exercises, such as intentional phishing campaigns, can help refresh guidelines and illustrate the severity of the threat to users.
Controlling access to systems on your organization’s network is an important preventive measure against malware. Deploying proven security technologies such as firewalls, intrusion prevention/detection systems (IPS/IDS), web application firewall (WAF), and VPN-only remote access can minimize the organization’s attack surface.
It is important to regularly scan web applications, networks, and other critical systems for vulnerabilities, misconfigurations, and existing malware infections.
In a modern IT environment, vulnerability scans can generate thousands of results and it is not possible to remediate all of them. However, organizations should carefully prioritize vulnerabilities and invest efforts in remediating the most important ones.
Vulnerabilities that cannot be remediated—for example, those affecting legacy systems that cannot be easily updated—must be mitigated using appropriate security controls or by isolating vulnerable systems from the network.
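Prioritizing among thousands of scan results means combining the severity score with what the scanner cannot know on its own: how important the affected asset is, whether it is reachable from the internet, whether a public exploit exists, and whether a fix is even available. The script below is an added example written for this page (not a scanner's or vendor's own logic) that applies such a scheme to constructed findings: it computes an illustrative risk score, orders the patchable findings for remediation, and sets aside those with no available fix for compensating controls or isolation, as the paragraph above recommends. The field names and the weighting factors are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    """Constructed stand-in for one vulnerability-scanner result (assumed fields)."""
    asset: str
    cve: str               # placeholder identifiers below, not real CVE numbers
    cvss: float            # base severity, 0.0 to 10.0
    exploit_public: bool   # a working public exploit is known
    internet_exposed: bool
    criticality: int       # business value of the asset: 1 (low) to 3 (critical)
    patch_available: bool


# Illustrative multipliers; a real program would derive these from its own risk model.
EXPLOIT_FACTOR = 1.5
EXPOSURE_FACTOR = 1.25


def risk_score(f: Finding) -> float:
    """Severity weighted by asset value, exploitability and exposure."""
    score = f.cvss * f.criticality
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    if f.internet_exposed:
        score *= EXPOSURE_FACTOR
    return score


def plan(findings: List[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into an ordered remediation queue and a mitigate-or-isolate list."""
    remediate = sorted((f for f in findings if f.patch_available), key=risk_score, reverse=True)
    mitigate = sorted((f for f in findings if not f.patch_available), key=risk_score, reverse=True)
    return remediate, mitigate


# Constructed sample findings (CVE ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("legacy-erp", "CVE-0000-0001", 9.8, True, False, 3, False),
    Finding("web-portal", "CVE-0000-0002", 7.5, True, True, 3, True),
    Finding("dev-box", "CVE-0000-0003", 9.1, False, False, 1, True),
    Finding("hr-db", "CVE-0000-0004", 6.5, False, False, 3, True),
    Finding("kiosk", "CVE-0000-0005", 5.3, True, True, 1, True),
]

if __name__ == "__main__":
    remediate, mitigate = plan(SAMPLE_FINDINGS)
    print("Remediate, in order:")
    for f in remediate:
        print(f"  {f.asset:12} {f.cve} cvss={f.cvss} risk={risk_score(f):.1f}")
    print("No patch available; apply compensating controls or isolate:")
    for f in mitigate:
        print(f"  {f.asset:12} {f.cve} cvss={f.cvss} risk={risk_score(f):.1f}")
```

Note how the ordering diverges from raw CVSS: the 9.1 on an isolated, low-value development machine ranks below a 6.5 on a critical database, and the unpatchable legacy ERP system lands in the mitigation list despite carrying the highest score of all.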
If your organization is covered by compliance standards or regulations, it may be required to perform security audits by internal teams and external auditors. Even if this is not the case, conduct your own security audits to discover vulnerabilities that can lead to a malware infection. Another important measure is conducting regular penetration testing to discover gaps in existing security defenses and understand how to remediate them.
Regular backups, saved in a secure location that cannot be accessed and infected by malware, can help your organization recover from many types of disasters, including malware and ransomware attacks. The key is to take regular backups and verify that they are working and can be used to recover operational systems. Conduct regular testing to ensure your backups are working properly and you are able to restore systems within a required timeframe.
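"Verify that backups are working" is easy to say and easy to skip. The added example below (written for this page, not any backup product's code) shows the minimum mechanics: copy a directory tree into a backup location, record a SHA-256 manifest of every file, refuse to restore unless every file still matches the manifest, and demonstrate that a backup file overwritten after the fact (the kind of damage ransomware does when it can reach the backup share) is caught before the restore. It runs entirely inside a temporary directory with constructed files; the function and file names are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup: Path) -> Dict[str, str]:
    """Copy every file under source into backup and return a path -> SHA-256 manifest."""
    manifest: Dict[str, str] = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = _sha256(dest)
    # Written beside the data here for simplicity; in practice keep a copy of the
    # manifest somewhere the backup host cannot write to, so it cannot be altered
    # together with the files it describes.
    (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path, manifest: Dict[str, str]) -> List[str]:
    """Return the relative paths that are missing or no longer match the manifest."""
    problems = []
    for rel, digest in manifest.items():
        p = backup / rel
        if not p.is_file() or _sha256(p) != digest:
            problems.append(rel)
    return problems


def restore(backup: Path, manifest: Dict[str, str], target: Path) -> List[str]:
    """Restore into target only if verification passes; return the problems found (empty on success)."""
    problems = verify_backup(backup, manifest)
    if problems:
        return problems
    for rel in manifest:
        dest = target / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup / rel, dest)
    return []


def demo() -> Tuple[List[str], bool, List[str]]:
    """Back up constructed files, restore them, then tamper with the backup and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, bak, rst = root / "data", root / "backup", root / "restore"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("quarterly plan (constructed sample)\n")
        (src / "db.sqlite").write_bytes(b"\x00\x01\x02 constructed database bytes")

        manifest = create_backup(src, bak)
        clean = verify_backup(bak, manifest)                  # expected: []
        restore(bak, manifest, rst)
        restored_ok = _sha256(rst / "docs" / "plan.txt") == manifest["docs/plan.txt"]

        # Simulate the backup copy being overwritten after it was taken.
        (bak / "docs" / "plan.txt").write_bytes(b"ENCRYPTED-PLACEHOLDER")
        tampered = verify_backup(bak, manifest)               # expected: ["docs/plan.txt"]
        return clean, restored_ok, tampered


if __name__ == "__main__":
    print(demo())
```

A restore drill of this kind belongs on a schedule, with the time taken recorded against the recovery objective the paragraph mentions; the integrity check is only useful if the manifest itself lives somewhere an infected host cannot rewrite it.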
Endpoint security is a method of protecting endpoint devices, such as desktops, laptops, and mobile devices, from exploitation by attackers and from malicious activity.
Endpoint protection includes technologies such as legacy antivirus (legacy AV) and next-generation antivirus (NGAV) that focus on identifying and blocking or isolating threats. Other endpoint protection capabilities include:
In addition, advanced endpoint protection solutions include Endpoint Detection and Response (EDR). EDR helps detect threats that bypass AV, NGAV, or other defensive layers. EDR provides the visibility security teams need to detect breaches on endpoints, investigate them, and take immediate action to mitigate malware and other threats. EDR solutions can also take action automatically, for example by isolating the endpoint from the network.
eXtended Detection and Response (XDR) was developed as an alternative to security solutions that are limited to a single silo in the security environment (such as endpoints or the network). It is an evolution of solutions such as endpoint detection and response (EDR) and network traffic analysis (NTA).
XDR solutions rely on a variety of analytics to detect threats such as malware. The techniques they use include:
When suspicious events are detected, XDR can provide tools to help security teams determine the severity of a threat and respond accordingly. This can help identify even the most sophisticated malware attacks and respond before they spread throughout the environment and cause damage.
The Cynet 360 Advanced Threat Detection and Response platform provides protection against threats including zero-day attacks, advanced persistent threats (APT), advanced malware, and trojans that can evade traditional signature-based security measures.
Block exploit-like behavior
Cynet monitors endpoint memory to discover behavioral patterns that are typical of exploits, such as an unusual process handle request. These patterns are common to the vast majority of exploits, whether known or new, so this provides effective protection even against zero-day exploits.
Block exploit-derived malware
Cynet employs multi-layered malware protection that includes ML-based static analysis, sandboxing, and process behavior monitoring, complemented by fuzzy hashing and threat intelligence. This ensures that even if a successful zero-day exploit establishes a connection with the attacker and downloads additional malware, Cynet will prevent this malware from running so no harm can be done.
Uncover hidden threats
Cynet uses an adversary-centric methodology to accurately detect threats throughout the attack chain. Cynet thinks like an adversary, detecting behaviors and indicators across endpoints, files, users, and networks. This provides a holistic account of how an attack operates, irrespective of where the attack may try to penetrate.
Accurate and precise
Cynet uses a powerful correlation engine and delivers its attack findings with near-zero false positives and without excessive noise. This simplifies the response for security teams so they can react to important incidents.
You can carry out automatic or manual remediation, so your security teams have a highly effective yet straightforward way to detect, disrupt, and respond to advanced threats before they have a chance to do damage.
Learn more about Cynet’s Next-Generation Antivirus (NGAV) Solution.