What is Malware?
Malware is short for malicious software and refers to any program or file designed to damage, exploit data, or compromise systems from any programmable device or network. Malware includes viruses, worms, trojans and ransomware. Its current relevance in cybersecurity is that it constantly lurks around endpoints, its primary target, aiming to destroy or gain access to confidential information from individuals and organizations. The following diagram explains the attack process that malware fo…
How a Usual Malware Attack Works
Brief History of Malware
In 1971, the first known malware was Creeper, which was distributed through ARPANET (the precursor to the Internet) and displayed the message “I’m the creeper, catch me if you can!” In 1982, a 15-year-old boy named Rich Skrenta developed Elk Cloner, the first recognized computer virus, which targeted home computers (Apple II). It corrupted disks containing a copy of DOS (Disk Operating System) by overwriting reserved tracks regardless of their content. Each time an infected disk was started, the virus showed a poem onscreen that, indeed, was no fun at all for victims.
During the 1980s and 1990s, the first worms and trojans (trojan horses) appeared. Brain, created by the Alvi brothers in Pakistan, infected devices via floppy disks. The Morris Worm was created to exploit vulnerabilities in UNIX systems, which led to the need for the first CERT (Computer Emergency Response Team). By the late 1980s, AIDS Trojan encrypted the victim’s computer, demanding a ransom to decrypt it.
In the early 2000s, malware evolved into more creative forms: ILOVEYOU, a worm that spread via email, overwriting files and self-propagating; SQL Slammer, a worm that exploited vulnerabilities in Microsoft SQL Server, infecting thousands of systems within minutes; Stuxnet, highly sophisticated malware targeting Iranian nuclear facilities, with the potential to spark cyber warfare.
In 2013, CryptoLocker became the first major ransomware outbreak, encrypting files and demanding payment in Bitcoin. In 2017, WannaCry became a global attack, infecting hundreds of thousands of computers in 150 countries and demanding ransom payments in Bitcoin. The first fileless malware appeared in 2014: Poweliks (2014) inserted malicious scripts into the Windows registry; Duqu 2.0 (2015) was a sophisticated cyber espionage tool for lateral movement and data retrieval; PowerSniff (2016) hid within seemingly innocent Word documents to execute malicious code in PowerShell memory.
More recent malware includes Emotet (2018-2020), initially a banking trojan that evolved into a distribution platform for other malware, including ransomware; and Conti ransomware (2021), a highly profitable ransomware operation that extorted victims for millions of dollars.
As you may see, malware has become more sophisticated and stealthy, targeting both individuals and businesses from any endpoint (laptops, PCs, tablets, smartphones, Internet of Things devices, etc.) connected to networks or enterprise systems. This is why knowledge, tools, and proper anti-malware strategies are essential to implement cybersecurity effectively in computing networks and operating systems, ensuring constant protection at the right time.
Most Common Types of Malware
The exact number of companies and individuals exposed to a cyber threat is uncertain. However, to give an idea, according to the X-Force Threat Intelligence Index report by IBM Security, 59% of attacks in 2021 used a double extortion strategy. The Global Cybersecurity Outlook 2022 report by the World Economic Forum states that 39% of organizations were affected by a third-party cyber incident in the past two years. Some of the most common types of malware include:
- Viruses, Worms and Trojans: These types of malware are malicious programs created to damage, disrupt, or gain access to computer systems without the user’s permission. Viruses and trojans use a host file or program to spread, while worms can replicate and propagate themselves. Once the malware is introduced, files are corrupted, system functionality is disrupted, or data is stolen. They are often difficult to detect, allowing them to operate for an extended period without the user realizing their presence.
- Spyware, ransomware and adware: These types of malware aim to compromise the privacy and security of endpoints. Their primary objective is to infiltrate a system without the user’s knowledge. They often cause performance issues, data leaks, or data loss. They spread through emails, malicious websites, internet downloads, and attachments. They also use techniques to avoid detection by antivirus or anti-malware software.
- Other Advanced Types of Malware:
- Rootkits: This type of malware gains complete control of the system. Its name highlights its high danger level: root, system administrator, or superuser are interchangeable terms. A rootkit attack seeks to enter through an email or other method to gain remote control over the system at the root level.
- Keyloggers: This type of malware is known as a keystroke logger, allowing it to capture confidential information, such as passwords and personal data. It is one of the most commonly used malware for cyber espionage today.
- Cryptojacking: Also known as crypto hijacking, this malware hijacks an electronic device to gain access to endpoint resources and exploit them for cryptocurrency mining. Crypto hijacking is widely used for mining Bitcoin and Ethereum due to their high market value.
- Fileless malware: This type of malware operates without files, making it virtually invisible and running directly in a computer’s memory instead of the hard drive. This feature increases its ability to evade antivirus software, which typically relies on file-based whitelisting, signature detection, hardware verification, pattern analysis, timestamp sealing, etc. It also leaves little evidence, making it difficult for digital forensic investigators to identify any illicit activity.
Methods of Malware Attacks
Now that you are familiar with the most common types of malware, it is important to understand the primary attack methods to develop the best strategy to detect and block any malicious software.
Common Infection Vectors
A cyberattack vector is the pathway (or set of nodes) that malware uses to discover and exploit vulnerable endpoints in a network, such as:
- Social Engineering to impersonate a legitimate identity and gain access to sensitive data (phishing), or create anxiety and panic in users (scareware) to manipulate them into purchasing unwanted products or software.
- Insecure or unprotected networks, such as accessing unsecured public Wi-Fi networks, allowing attackers to intercept sensitive data and send malware to connected devices.
- Vulnerabilities in outdated software and operating systems, when patches and updates are not applied, creating opportunities for malware installation.
Endpoint Attacks
In our IT Topic: What is an Endpoint? we highlight the importance of protecting devices that users rely on to access and share data within enterprise systems. These endpoints are vulnerable points that cybercriminals exploit to carry out malware attacks.
For example, if an Internet of Things (IoT) device is not properly configured in terms of security, it can become the entry point for spreading a worm that infects the rest of the organization’s users. In extreme cases, it can compromise the entire company’s operations. That is why you and your team must become familiar with modern attack techniques.
Modern Attack Techniques
- Supply Chain Attacks. These occur when malicious code is added to cybersecurity providers’ software; when software developers and suppliers are attacked to gain access to source code or updates; or when malicious code is digitally signed using a provider’s private keys.
- Use of Infected USB Devices. Many viruses can hide within executable files (.exe) stored on an infected USB drive. Additionally, malware can exploit the autorun.inf file to execute automatically.
- Unauthorized Downloads (Drive-By Downloads). This happens when attackers inject malicious elements into websites. Cybercriminals also purchase advertisements on legitimate websites to insert malware. Their creativity extends to using pop-up windows that appear to be from legitimate software, but in reality, they contain malware.
Malware Detection and Analysis
To combat malware, there are strategies and tools available for detecting and analyzing it, including:
How to Identify Signs of Infection
- System slowdown: When a device or system runs slower than usual because malware is consuming its resources.
- Unusual increase in network traffic: A spike in network activity or data usage, as malware communicates with its command and control server.
- Device changes: Unexpected device restarts, unwanted redirections, or unauthorized installation of programs.
- Pop-up windows: Requests to download software, execute specific instructions, or error messages appearing suddenly.
- Encrypted and locked files: Data is held hostage until a ransom is paid.
Detection Tools and Processes
There are antivirus and anti-malware software designed to prevent, detect, and remove malware. Malware firewalls act as a barrier between a trusted and an untrusted network, monitoring and controlling incoming and outgoing network traffic based on security policies.
Additionally, Security Information and Event Management (SIEM) is a real-time process for identifying, monitoring, logging, and analyzing security events or incidents in an IT environment. SIEM provides a centralized and comprehensive view of an IT infrastructure’s security landscape.
To understand how a SIEM system detects suspicious patterns in endpoint logs, consider this example: the SIEM collects logs from multiple sources, such as the devices that users connect to a corporate network. These logs are normalized into structured data, making analysis easier. The SIEM can then correlate events from different sources to identify patterns and relationships, using dashboards and visualization tools. These patterns may indicate a cyber threat, such as unauthorized access, unusual data transfers, or activity outside working hours. Once an anomalous pattern is detected, the SIEM triggers alerts and notifications so the security team can investigate and respond promptly.
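The pipeline described above, as an added example that is not part of the original article or of Pandora FMS’s SIEM: two constructed raw log formats are normalized into one schema, correlated per host, and checked for two of the patterns the text names (activity outside working hours and an unusual data transfer). The log lines, asset inventory, field names and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real telemetry): an endpoint auth log and a
# firewall log, each in its own raw format, as a SIEM would receive them.
ENDPOINT_LOG = """\
2024-03-04T02:13:07 host=laptop-17 user=jdoe event=login result=success
2024-03-04T09:41:22 host=laptop-03 user=asmith event=login result=success"""
FIREWALL_LOG = """\
Mar  4 02:16:01 fw01 src=10.0.5.17 dst=203.0.113.9 dport=443 bytes_out=734003200
Mar  4 09:42:10 fw01 src=10.0.5.3 dst=198.51.100.4 dport=443 bytes_out=20480"""
# Assumed asset inventory: maps firewall source IPs back to endpoint names.
ASSETS = {"10.0.5.17": "laptop-17", "10.0.5.3": "laptop-03"}

WORK_HOURS = range(8, 19)           # 08:00-18:59 (assumed working hours)
BIG_TRANSFER = 100 * 1024 * 1024    # bytes; assumed threshold
WINDOW = timedelta(minutes=30)      # correlation window (assumed)
KV = re.compile(r"(\w+)=(\S+)")

def normalize(endpoint_log, firewall_log, year=2024):
    """Turn both raw formats into one schema: ts, host, source, fields."""
    events = []
    for line in endpoint_log.splitlines():            # ISO timestamp + key=value
        ts_str, rest = line.split(" ", 1)
        f = dict(KV.findall(rest))
        events.append({"ts": datetime.fromisoformat(ts_str), "host": f["host"],
                       "source": "endpoint", "fields": f})
    for line in firewall_log.splitlines():            # syslog-style timestamp
        m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)", line)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        f = dict(KV.findall(m.group(2)))
        events.append({"ts": ts, "host": ASSETS.get(f["src"], f["src"]),
                       "source": "firewall", "fields": f})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Group events per host, apply the rules, return (host, severity, msg)."""
    alerts, by_host = [], defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        logins = [e for e in evs if e["source"] == "endpoint"
                  and e["fields"].get("event") == "login"
                  and e["fields"].get("result") == "success"]
        big = [e for e in evs if e["source"] == "firewall"
               and int(e["fields"].get("bytes_out", 0)) > BIG_TRANSFER]
        for lg in logins:
            if lg["ts"].hour not in WORK_HOURS:
                alerts.append((host, "medium", "login outside working hours"))
                for b in big:  # both sources combined: off-hours login, then upload
                    if timedelta(0) <= b["ts"] - lg["ts"] <= WINDOW:
                        alerts.append((host, "high", "off-hours login followed by large outbound transfer"))
        for b in big:
            alerts.append((host, "medium", "unusual outbound data transfer"))
    return alerts

def run():
    """Full pipeline on the constructed logs; the alert list is what a SIEM would show."""
    return correlate(normalize(ENDPOINT_LOG, FIREWALL_LOG))
```

Only laptop-17 produces alerts here: the 02:13 login is outside working hours and is followed three minutes later by a 700 MB upload, which the correlation step escalates to high severity.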
Malware Forensic Analysis
Malware forensic analysis involves examining malware to understand its behavior, origin, and impact on infected devices and systems. This analysis is crucial for identifying how malware entered a system, how it spread, and which security vulnerabilities were exploited.
Some techniques used to investigate the infection source and minimize future damage include log analysis (using SIEM to review event logs and system records to identify anomalies); network traffic analysis (monitoring unusual or unknown communications within a network); file analysis (examining suspicious files using static and dynamic analysis techniques); and reverse engineering (disassembling and analyzing the malware’s code to understand its functions and objectives).
Additionally, automated analysis and Artificial Intelligence (AI) can be leveraged to scan systems and files automatically, detecting malware more efficiently.
Malware Prevention and Protection
It is always better to prevent a malware attack, by adopting best practices and protection tools, than to regret its consequences.
Essential Best Practices
- Regularly update software and operating systems. Cybercriminals are always looking for vulnerabilities, which can often be mitigated through timely updates.
- Implement strong passwords (long, complex, and difficult to guess or crack) and ensure they are regularly changed. Multi-factor authentication (MFA) is recommended so that users provide two or more forms of identification, such as a password, a device (mobile phone), and biometric identity (fingerprint or facial recognition). Users should also be able to block suspicious access immediately.
- Regularly back up critical data to restore it in case it becomes compromised by malware. This also helps reduce downtime and productivity losses.
Important Note: These best practices not only help protect against malware but also aid in disaster prevention, human error mitigation, and infrastructure failure management.
Other Protection Tools
- Advanced Firewalls and Antivirus Software. There are Stateful Inspection Firewalls, which monitor the state of active connections and make decisions based on traffic context. Application Firewalls filter traffic within applications and their specific functionalities. Packet-Filtering Firewalls review data packets exchanged between computers, allowing blocking based on IP addresses, ports, and predefined protocols. Firewalls with IDS/IPS (Intrusion Detection and Prevention Systems) use traffic analysis to identify patterns and detect malicious activities, in addition to blocking threats in real-time. Advanced antivirus software performs real-time scans against malware (malware scanner) and advanced threats. They also integrate VPN functionality and smart scanning to analyze system and device configurations. Some already incorporate Artificial Intelligence (AI) to accelerate malware analysis and response in a more automated and efficient manner.
- Sandboxing: This technique consists of running programs or applications in a controlled, isolated virtual environment. It is primarily used for safe testing of suspicious files.
Endpoint Prevention
Since endpoints are constantly under threat, as an IT strategist, you must implement security policies focused on protecting these devices, which serve as access points to enterprise systems and networks. A Zero Trust (ZT) cybersecurity strategy focuses on data security, assuming that no device, end-user, web service, or network connection can be trusted, even if the access request comes from within the enterprise network perimeter.
Additionally, it is recommended to use an endpoint monitoring and management solution to collect telemetry data (processes, network activities, changes, etc.) and monitor remote device usage. The collected data helps identify suspicious or malicious activities, leveraging Endpoint Detection and Response (EDR) solutions, which use advanced technologies to log behaviors and detect Indicators of Compromise (IOC) in real-time.
If an endpoint is infected, the first step is to isolate the compromised device by disconnecting it from the local network and the internet to prevent further malware spread. The malware should then be analyzed in a controlled environment (sandboxing) to understand its behavior. Once the malware is analyzed, it must be removed using antivirus or anti-malware tools.
How to Remove Malware
According to Helpransomware, 79% of malware has spread among company employees. If you have already been a victim of malware or want to prevent it, we recommend the following:
Step-by-Step Process
- Ensure constant updates of antivirus and/or anti-malware software.
- Perform a deep system scan using antivirus software to detect and remove any threats.
- If anti-malware software detects a suspicious file, you can quarantine it instead of deleting it immediately. Analyzing its behavior helps identify vulnerabilities and security improvements. If the file is confirmed as malicious, the anti-malware program can remove it. Be aware of false positives, as some quarantined files may be harmless and can be restored if necessary.
Preventing Reinfections
It is not just about removing the malware. Once it has been eliminated, locate clean backup copies and ensure they have not been compromised. It is also recommended to format the infected system’s hard drive and reinstall the operating system to guarantee that no traces of malware remain. After this, you can restore system files and then the user’s files. Additionally, install updates and patches, and reconfigure security measures (multi-factor authentication, antivirus software, etc.) to prevent vulnerabilities that could lead to reinfection.
Finally, implement continuous real-time monitoring to block malicious software and detect suspicious activities.
Relationship Between Malware and Endpoints
Endpoints are devices that exist at the end of a network or system connection (hence their name), including desktop or laptop computers, smartphones, tablets, and Internet of Things (IoT) devices. Each endpoint serves as a link to enterprise networks and systems. Endpoints are a primary target for cybercriminals, who exploit even the smallest vulnerabilities. This is due to their nature:
- Ubiquity: Whether in large or small businesses, or for individual users, endpoints are widely used, especially with the increased mobility in most organizations.
- Diversity: Each device has a unique combination of applications and services, requiring specific security management to protect them when accessing enterprise systems and networks.
- Exploitability: Cybercriminals have the time and resources to find and exploit vulnerabilities.
- Lack of Control: Human error is the hardest security risk to manage.
A single email or visit to a compromised website can be the entry point for malware. For example, if a user clicks on an ad from a smartphone, thinking it is harmless but infected with ransomware, it could lead to file encryption, making important files inaccessible unless a ransom is paid. If you do not want this to happen to your users, implement comprehensive endpoint protection.
Endpoint Protection
We recommend implementing a SIEM solution to identify, monitor, log, and analyze security events or incidents within an IT environment in real time, providing a comprehensive and centralized view of what is happening in the IT infrastructure. Take advantage of SIEM’s capability to store, aggregate, and visually analyze data (through dashboards) to make well-informed decisions. The reason is that SIEM can also perform event correlation, providing additional context on common patterns. Additionally, SIEM can activate alert protocols for users through notifications displayed on the dashboard, email alerts, or automated text messages.
Also, implement strict security policies, such as a Zero Trust strategy, complex passwords with frequent changes, and multi-factor authentication (MFA). Additionally, we recommend relying on IT system monitoring to gain visibility into infrastructure status and services, as well as on the role of the Network Operations Center (NOC) for network monitoring and control, which can help identify factors affecting connectivity performance (one of the symptoms of malware presence). The goal is to find solutions to counteract malware and even take preventive actions to mitigate cyber threats before they escalate.
Conclusion
The analysis and reference frameworks from NIST (National Institute of Standards and Technology) on malware profiling practices highlight the significant impact on IT security for any organization. This includes risks such as intellectual property theft, exposure of sensitive user data (such as credit card information or personal identification details), leaked information for monetization, and potential business operation disruptions.
Endpoints should not be the weak point in an organization’s security. Instead, they must become the first line of defense against malware. IT strategists and their teams must implement well-defined processes to prevent, confront, and eliminate malware. To achieve this, it is essential to have real-time and continuous endpoint monitoring tools, as well as robust SIEM solutions that leverage data collected from agents and firewalls, allowing security teams to take action based on customized rules using existing decoders.
We invite you to explore Pandora FMS’s SIEM solution, designed to detect, correlate, and respond to threats in real time across your entire infrastructure. Click here to discover how monitoring insights can help manage security events effectively.