The most common types of malware infections are caused by keyloggers, rootkits, viruses, trojans, worms, logic bombs, ransomware / crypto-malware, spyware & adware, and bots/botnets. Malware attacks can easily be prevented by using anti-malware software, providing security awareness training, implementing security policies, installing spam & anti-malware filters, using multi-factor authentication, performing routine vulnerability assessments, and changing default operating system policies.
You should know that no system is “hacker-proof” or 100% vulnerability free. If a threat actor has enough people, resources, and time to launch multiple attacks, they will probably eventually find a way in.
What Is Malware (Malicious Software)?
Malicious software, also known as malware, is designed to harm people, mobile devices, operating systems or data.
Systems that have been infected with malware will show symptoms like sending emails without user action, running slower, starting unknown processes, or rebooting randomly.
Exploitation of vulnerabilities by malware continues to rise every year; in 2018 it reached an all-time high of 812.67 million infected devices.
How Does Malware Infect Computers Or Networks?
There are several methods threat actors utilise to gain access and deploy a malware attack onto a network or system, including social engineering and exploiting software vulnerabilities.
Malware programs often gain access via various types of social engineering attacks like smishing, vishing, or phishing. 92% of malware is, in fact, delivered via email.
In this type of attack, threat actors try to obtain sensitive information by deceiving people into providing access over the phone, downloading attachments, or clicking links.
Once a malicious payload is delivered successfully, a breach has been established.
One of the simplest ways threat actors can break into systems or networks is by using several exploits that are known to be successful, such as Kerberoasting.
This is known as the “trial and error” method, but it does require a high degree of technical skill.
What this means for your business is that even if you patch systems daily, scan the network every week, and develop the best policies, you will never be 100% free of vulnerabilities.
There is simply no way to quickly determine whether the security measures implemented will be adequate unless the system is appropriately stress-tested.
Penetration testing is done to validate any known vulnerabilities identified and evaluate the effectiveness of security tools, controls and procedures.
Common Malware Types
Some of the most common types of malware include:
• Keyloggers
• Viruses
• Trojans
• Worms
• Logic Bombs
• Crypto-Malware / Ransomware
• Spyware & Adware
• Bots / Botnets
• Rootkits
Keyloggers
Keyboard capturing or keylogging logs keystrokes and sends these to a threat actor. Users usually are not aware that their actions are being tracked.
Although it does happen that employers sometimes use keyloggers to keep track of employee activity, they’re primarily used to steal sensitive data or passwords.
Keyloggers can be installed by a Trojan or discreetly physically connected to a peripheral device such as a keyboard.
Viruses
Computer viruses are the type of malware most often used in malware attacks. For a virus to infect a system, a user needs to copy it to a host or click (open) it there.
Most viruses are self-replicating without the user being aware of what’s happening. Viruses can spread from one system to another via instant messaging, email, removable media (USB), network connections, and website downloads.
Some file types are more straightforward to infect with a virus than others: .exe, .doc/.docx, .xls/.xlsx, .zip, and .html. Viruses typically stay dormant until they have infected a network or numerous devices before delivering their payload.
Trojans
Trojan horse malware camouflages itself as legitimate software and hides on a computer until activated.
When Trojans go active, they allow threat actors to gain backdoor access to the system, steal sensitive data, and spy on you.
Trojans are generally downloaded through instant messages, website downloads, and email attachments.
Social engineering methods often scam users into loading and executing Trojans on their system. Unlike computer worms and viruses, Trojans don’t self-replicate.
Worms
Worms can self-replicate and spread segments and complete copies of themselves via instant messages, email attachments, and network connections.
Worms are fileless malware as they don’t need a host program to propagate, self-replicate, and run, unlike computer viruses.
Worms are typically used against databases, web, and email servers.
Once installed, worms spread quickly over computer networks and the internet.
Logic Bombs
This type of malware will only activate when triggered, such as on the 20th logon of an account or on a specific date and time.
Worms and viruses often use logic bombs to deliver malicious code (their payload) when a specific condition is met or at a pre-defined time.
Logic bombs cause damage in various ways ranging from making hard drives unreadable to changing bytes of data.
Although antivirus software can typically only detect the most common types of logic bombs when they execute, logic bombs can lie dormant on a system for weeks, months, or years before they run.
Crypto-Malware / Ransomware Attacks
Ransomware attacks gain access and then lock users out of their systems or deny access to data until the system owner pays a ransom.
Crypto-Malware encrypts files and demands payment within a specific period. Payment must often be made with a digital currency such as Bitcoin.
Spyware & Adware
Spyware and adware are both unwelcome software.
Spyware is designed to collect users’ personal identification information, browsing history, and habits.
Attackers then steal your personal identity, capture your bank account information, or sell the data to advertisers or data firms.
Spyware is often downloaded from file-sharing sites or in a software bundle.
Adware serves advertisements on a screen within a web browser.
It is usually installed when downloading a program in the background without the user’s permission or knowledge.
Although harmless, the adware can be very annoying for users.
Botnets
Short for roBOT NETwork, a botnet is a group of bots that attack any type of computer system linked to a network whose security has been compromised.
Botnets usually are controlled remotely.
The Mirai botnet gained control of internet of things (IoT) devices such as DVRs, home printers, and smart appliances by using the default username and password combinations the devices were shipped with.
The threat actors used a distributed denial of service (DDoS) attack by sending vast volumes of data to a website hosting company. This resulted in many popular websites going offline.
Rootkits
Rootkits are programs that infiltrate a system via a back door and allow the threat actor to exert command and control over the computer without the user being aware.
This type of access can result in total control over the infiltrated system.
The controller can then spy on the owner’s usage, log files, remotely change system configurations, and execute files.
Although rootkits are typically delivered through Trojan horse attacks, they are becoming more prevalent in trusted applications.
Although some antivirus software can detect rootkits, they are notoriously difficult to remove from systems, and in most cases, the rootkit has to be removed and the compromised system rebuilt.
Preventing Malware Attacks
Although it’s virtually impossible to be totally protected from cyber-attacks, numerous measures can be taken to prevent or mitigate malware attacks. These include:
● Implement Security Awareness Training
● Develop Security Policies
● Install Anti-Malware & Spam Filters
● Use App-Based Multi-Factor Authentication
● Change Default Operating System Policies
● Perform Routine Vulnerability Assessments
Security Policies
Security policies provide employees with a road map of what to do (and what not to do), when to do it, and who gets access to information and systems.
Policies are also required by laws, regulations, or compliance frameworks.
Below are some examples of security policies that could help to prevent malware attacks:
● Server Malware Protection
This policy outlines which server systems must have anti-spyware and/or antivirus applications.
● Social Engineering Awareness
Provides guidelines for awareness around social engineering threats and defines procedures for dealing with social engineering threats.
● Removable Media
This policy aims to minimise the risk of the company’s exposure or loss of sensitive information. It also reduces the risk of being infected by malware on computers used by the company.
● Software Installation
This policy outlines the requirements for installing software on a company’s computing and mobile devices to minimise the risk of exposing sensitive information contained within the company’s systems, loss of program functionality, the legal exposure of running unlicensed software, and the risk of introducing malware.
Security Awareness Training
Security awareness training is an investment in the overall cyber security of an organisation. Presenting this type of training can save vast amounts of money that could be lost to cyber-attacks.
Many compliance audits and frameworks (SOC 2, ISO 27001, HIPAA, CMMC, HITRUST, etc.) also require regular security awareness training for employees.
Awareness training involves training users, developing a baseline, reporting results and setting up phishing campaigns.
● Training Users
Interactive videos, modules, posters, games, and newsletters are used to educate users on social engineering attacks. This training is often automated and uses scheduled email reminders.
● Baseline Testing
Provides a baseline to assess the probability of users falling for phishing attacks.
● Reporting Results
The ROI is demonstrated by graphs and stats for phishing activities and training.
● Phishing Campaigns
Perform fully automated simulated phishing attacks across the organisation.
One way of delivering security awareness training is to include it in an orientation module for new hires and make it mandatory before providing access to critical systems.
The training should be repeated at least annually, and employees trained to identify attacks and respond appropriately, reporting them to the incident response team so it can take proactive action.
It’s all about making employees aware of what is seen as unsafe behaviour and how to protect themselves and the company.
Using App-Based Multi-Factor Authentication
Microsoft estimates that 99.9% of automated malware attacks against Windows systems can be prevented when multi-factor authentication (MFA) is used.
Although this may sound like an impressive number, the key here is “automated.” As with most things in security, MFA provides only a single layer of defence.
Sophisticated malware attacks use numerous other methods besides automated attacks to break into a network.
It should also be noted that SMS-based MFA can easily be bypassed, as the passcodes are sent in plain text. Threat actors can therefore capture the passcode, gain unauthorised access to an account, and then forward the code on to the phone without the user noticing.
Therefore, it is recommended that app-based MFA or hardware MFA such as a YubiKey be used.
Spam & Anti-Malware Filters and Antivirus Software
Malware and socially engineered attacks are primarily delivered via emails.
Although employees should always have anti-malware and antivirus software installed on their workstations, installing them on mail servers is highly recommended as part of a defence-in-depth approach.
Setting up spam filters is always a balancing act. On the one hand, network administrators want to block all malicious traffic, but on the other hand, filters that are too aggressive will block legitimate traffic, which will lead to end-users complaining.
A baseline for the network can generally be established within about 2 to 3 weeks of use, after which adjustments can be made.
Anti-malware and spam filtering capabilities are provided by software tools such as Mimecast.
Users are given a summary of the emails their accounts have received, and they can then allow, confirm, or block an entire domain or an individual email.
Changing Default Policies on Operating Systems
Although default settings provided with operating systems are suitable security precautions, they can be improved significantly.
Microsoft, for example, recommends reducing the maximum password age to 42 days from the default 90 days and that the password history be changed from 10 to 24 passwords.
At the end of the day, it’s the network administrator’s responsibility to ensure that the devices, workstations, and domains are set up to adhere to security policies within the company.
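One way to check whether a Windows machine still runs the default password policy described above is to parse the output of `net accounts` and compare it with the recommended values. This is an added example, not code from the original article; the thresholds are parameters and the sample output at the bottom is constructed for illustration.

```powershell
# Added example, not from the original article: audit the account policy that
# "net accounts" reports against the values cited above (maximum password age
# 42 days, password history 24). The sample output at the bottom is constructed.
function Get-AccountPolicyFindings {
    param(
        [Parameter(Mandatory)][string[]]$NetAccountsOutput,
        [int]$MaxPasswordAgeDays = 42,
        [int]$MinPasswordHistory = 24
    )

    # Turn "Label (unit):   value" lines into a lookup table.
    $policy = @{}
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^(?<key>[^:]+?):\s+(?<value>\S.*)$') {
            $policy[$Matches['key'].Trim()] = $Matches['value'].Trim()
        }
    }

    $findings = @()

    # "Unlimited" means passwords never expire, which is weaker than any cap.
    $age = $policy['Maximum password age (days)']
    if ($age -eq 'Unlimited' -or [int]$age -gt $MaxPasswordAgeDays) {
        $findings += "Maximum password age is '$age'; recommended <= $MaxPasswordAgeDays days."
    }

    # "None" means no history is kept, so an old password can be reused at once.
    $historyRaw = $policy['Length of password history maintained']
    $history = if ($historyRaw -eq 'None') { 0 } else { [int]$historyRaw }
    if ($history -lt $MinPasswordHistory) {
        $findings += "Password history is $history; recommended >= $MinPasswordHistory."
    }

    return $findings
}

# Constructed sample mirroring the default values the article mentions.
$sample = @(
    'Maximum password age (days):                          90',
    'Length of password history maintained:                10',
    'Computer role:                                        WORKSTATION'
)
Get-AccountPolicyFindings -NetAccountsOutput $sample

# Live check from an elevated prompt (add /domain to query the domain policy):
# Get-AccountPolicyFindings -NetAccountsOutput (net accounts)
```

The sample run reports both deviations; on a hardened host the function returns nothing.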
Routine Vulnerability Assessments
Performing network vulnerability scans regularly helps identify common misconfigurations, lack of security controls, and known vulnerabilities.
Scanners such as Nessus can map a network, analyse protocols, and scan ports, thereby providing network administrators with detailed information about what services are running on which hosts.
Most scanners present the information gathered in a dashboard that lists each vulnerability found and its severity.
Apart from providing raw scan results, many vulnerability scanning services include assessment reports containing a remediation plan to improve systems at risk.
Many companies also use a patch management program. The primary purpose of patch management is to continuously identify, prioritise, remediate, and report security vulnerabilities in a system.