Diving Deeper: Malware

In 1971, Creeper, perhaps the earliest documented occurrence of malware, was created in an experiment designed to test how a program might move between computers. Fast forward to 2018, and the seeds planted in that experiment decades ago have grown into something far more dangerous – countless malware variants infecting personal and enterprise networks, raking in hundreds of millions of dollars for cybercriminals around the world.

This blog, the latest installment of our Diving Deeper series, will look at the history of malware, the different attack types, and how businesses and individuals can protect against it.

A brief history of malware attacks

Early malware was primitive, often spreading entirely offline via floppy disks carried from computer to computer by human hands. Following the design of Creeper, malware evolved throughout the 1970s, 80s and 90s from self-replicating programs bogging down systems (Wabbit, 1974) to the first known mass-email virus (Melissa Virus, 1999).

[Figures: Ping Pong Virus, 1988; Q Walker Virus, 1992]

As the Internet continued to develop and people grew increasingly connected between 2000 and 2010, malware creators found a faster and more efficient way of spreading their wares via worms like the Anna Kournikova Virus, SQL Slammer, Conficker, and ILOVEYOU, which propagate without human intervention.

These types of malware were far more destructive, crippling tens of thousands or even millions of systems and causing business operations to grind to a halt in a matter of days, hours or even, as in the case of SQL Slammer, minutes.

While malware authors have a long history of disrupting business operations and costing organizations untold millions of dollars, it was only within the last decade or so that a clear incentive for their efforts emerged beyond simply wreaking havoc. In today’s landscape, motives have shifted. There are now many ways by which individuals, organizations or even entire countries stand to profit from cybersecurity deficiencies.

Different types of malware

If before the malware family mainly consisted of viruses and worms, today, you have an entire tribe made up of a wider variety of malicious software.

  • Adware – These typically accompany free applications and annoy you with adverts. While not inherently malicious, the more dubious ones will try to convince users they need to purchase software or services to resolve or guard against a non-existent problem.
  • Trojans – Named after the Trojan Horse of Greek literature, trojans masquerade as innocent-looking files that contain a malicious payload, like a keylogger, virus, or ransomware.
  • Rootkit – Used to conceal indications of suspicious system activity associated with compromise and reduce the probability of detection/removal.
  • Spyware – Stealthy malware that surreptitiously gathers sensitive information (browsing history, usernames and passwords, or even screen/video captures) and then transmits it back to a command-and-control (C&C) server.
  • Virus – One of the oldest types of malware out there, viruses can self-replicate in infected systems.
  • Worm – This malware can automatically propagate through networks and can infect large swaths of connected systems in very short periods of time.
  • Bot – Usually part of a larger network, a bot client infects machines (servers, desktops, laptops, mobile devices, or even IoT devices) and turns them into ‘zombies’ that obey a controller’s bidding, e.g. launch a DDoS attack or a spam campaign.
  • Ransomware – Highly prolific in recent years, this type of malware will encrypt important user and/or system files, rendering them useless until a ransom is paid, and users receive the key to unlock their data.

High profile malware attacks in recent years

The reason most people have become more familiar with ransomware than any other type of malware is because it’s been responsible for most of the high-profile attacks we’ve seen in recent years.

  • Locky – Before ransomware like WannaCry and Petya, there was Locky. It first gained notoriety in 2016, at the height of its outbreak. Victims were charged a ransom payment of between 0.5 and 1 bitcoin.
  • WannaCry – Easily the most notorious ransomware in history, WannaCry managed to lock 200,000 computers in 150 countries. It had its biggest impact in Ukraine, Russia, India, Taiwan, and the UK (where it ensnared several NHS hospitals).
  • NotPetya – Before the world could fully recover from the WannaCry attack, another cryptoworm (ransomware with worm-like attributes) once again brought businesses to their knees. NotPetya swept through Europe as well as the U.S., using the same vulnerability exploited by WannaCry and leaving $10 billion worth of damages in its wake. There is evidence to suggest that it was developed and deployed by a nation-state actor.

Not all high-profile malware attacks can be attributed to ransomware though. In 2016 (yes, that year was one for the books in malware attacks), Mirai grabbed the spotlight by launching record-setting DDoS attacks against IoT devices.

Why malware isn’t going away anytime soon

Malware has been around for decades and we’re not expecting it to go away anytime soon.

First, the use of malicious software is now an integral piece of most cyberattacks. For example: there are those, like the Laziok trojan, that are used for reconnaissance. Others, like keyloggers, are essential to penetration activities. Others still, like those used to infect PoS (Point-of-Sale) systems, may be used to achieve direct financial gain.

Secondly, not only are they enabling the threat actors who use them to earn millions of dollars, they’re also giving the merchants who sell them in the Dark Web (either as a product or service) good business. Nefarious services like DDoS-for-hire depend heavily on the bots that infect thousands or millions of machines or devices.

Many cybercrime syndicates lack the resources to write their own malware or employ highly skilled ‘hackers’; these organizations can instead purchase or rent malicious software (along with its corresponding administrative interface, reporting tools, and plugins) to launch their cyberattack campaigns, in turn minimizing the technical overhead required.

How to recognize and mitigate a malware attack

Before you can stop, contain, and ultimately eliminate a malware threat, you must first be able to detect it. The difficulty of detecting a malware infection varies depending on the malware’s ability to conceal itself.

The most common types of malware, whose signatures have already been added to antivirus databases, can be easily detected. There are, however, those, like zero-day threats, that are almost impossible to detect. And then, of course, there are also those types of malware, like ransomware for instance, that really want to make their presence known.

If a malware’s signature has already been added to an antivirus’ database and you happen to have the related antivirus installed on your system, then you will know (from a virus scan report) if your system gets infected with it. But what if a malware isn’t known?

We recommend implementing an antivirus or security solution that has sandboxing or heuristic-based scanning capabilities. These solutions will be able to detect malware threats based on their behavior.

Malware activities tend to cause undesirable effects on your system and can be noticeable if you have someone (or a security solution) monitoring your system for anomalies. For instance, certain types of malware tend to consume a lot of memory, CPU, or network bandwidth. Other types tend to communicate with a C&C server at regular intervals. Security solutions that carry out sandboxing or heuristic-based scanning will look for suspicious behaviors like these to determine if a threat exists.
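To make the contrast between signature-based and behavior-based detection concrete, here is an added example (not code from the original post or from any product it mentions) of a toy endpoint detector. It does two things the text describes: a hash lookup against a known-bad signature list, and two heuristics over process and connection telemetry, one for sustained CPU/memory consumption and one for connections to the same destination at near-constant intervals, which is how a C&C beacon looks on the wire. The signature entry, the process names, the IP addresses (from the documentation-only 203.0.113.0/24 and 198.51.100.0/24 ranges) and all telemetry rows are constructed for the example; the thresholds are illustrative assumptions, not values from any product.

```python
"""Toy endpoint detector: signature lookup plus behavioral heuristics (constructed example)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed "signature database": SHA-256 of a known-bad sample -> label.
# A real antivirus database holds millions of these; this one holds a made-up entry.
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(b"constructed-malicious-sample").hexdigest(): "Example.Dropper (constructed)",
}


@dataclass
class ProcessSample:
    ts: int          # seconds since boot (constructed timeline)
    pid: int
    name: str
    cpu_pct: float   # CPU use over the sampling window
    rss_mb: float    # resident memory in MB


@dataclass
class NetConn:
    ts: int
    pid: int
    dst: str
    dst_port: int
    bytes_out: int


def signature_match(file_bytes: bytes) -> Optional[str]:
    """Signature-based detection: works only if the hash is already in the database."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(file_bytes).hexdigest())


def resource_outliers(samples: List[ProcessSample],
                      cpu_threshold: float = 80.0,
                      rss_threshold: float = 1024.0) -> Dict[int, dict]:
    """Heuristic 1: processes whose average CPU or peak memory exceeds the (assumed) thresholds."""
    by_pid: Dict[int, List[ProcessSample]] = defaultdict(list)
    for s in samples:
        by_pid[s.pid].append(s)
    flagged = {}
    for pid, rows in by_pid.items():
        avg_cpu = mean(r.cpu_pct for r in rows)
        max_rss = max(r.rss_mb for r in rows)
        if avg_cpu >= cpu_threshold or max_rss >= rss_threshold:
            flagged[pid] = {"name": rows[0].name, "avg_cpu": avg_cpu, "max_rss": max_rss}
    return flagged


def beacon_candidates(conns: List[NetConn],
                      min_connections: int = 5,
                      max_jitter: float = 0.1) -> Dict[Tuple[int, str, int], dict]:
    """Heuristic 2: (pid, dst, port) tuples contacted at near-constant intervals.

    Jitter is the standard deviation of the inter-connection gaps divided by their mean;
    a scripted beacon has very low jitter, interactive user traffic does not.
    """
    groups: Dict[Tuple[int, str, int], List[int]] = defaultdict(list)
    for c in conns:
        groups[(c.pid, c.dst, c.dst_port)].append(c.ts)
    flagged = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        jitter = pstdev(gaps) / avg_gap
        if jitter <= max_jitter:
            flagged[key] = {"interval_s": avg_gap, "jitter": jitter, "count": len(times)}
    return flagged


# Constructed telemetry: pid 4242 ("updater.exe", made up) pegs the CPU and phones home
# every 60 seconds; pid 1001 ("explorer.exe") is idle and browses irregularly.
PROCESS_SAMPLES = [
    ProcessSample(0, 4242, "updater.exe", 95.0, 310.0),
    ProcessSample(60, 4242, "updater.exe", 97.0, 325.0),
    ProcessSample(120, 4242, "updater.exe", 96.0, 340.0),
    ProcessSample(0, 1001, "explorer.exe", 3.0, 150.0),
    ProcessSample(60, 1001, "explorer.exe", 2.0, 150.0),
    ProcessSample(120, 1001, "explorer.exe", 4.0, 151.0),
]
NET_CONNS = (
    [NetConn(t, 4242, "203.0.113.7", 443, 512) for t in range(0, 360, 60)]
    + [NetConn(t, 1001, "198.51.100.20", 443, 4096) for t in (5, 17, 90, 91, 200, 260)]
)


def run_detections() -> dict:
    """Apply all three checks to the constructed data and return one report."""
    return {
        "signature": signature_match(b"constructed-malicious-sample"),
        "resource_outliers": resource_outliers(PROCESS_SAMPLES),
        "beacons": beacon_candidates(NET_CONNS),
    }


if __name__ == "__main__":
    for section, result in run_detections().items():
        print(section, "->", result)
```

Run stand-alone, the report names the constructed sample by its hash, flags only pid 4242 for CPU use, and flags only the 60-second cadence to 203.0.113.7 as beacon-like; the irregular browsing from pid 1001 passes both heuristics. The point the article makes is visible in the code: `signature_match` is useless against anything not already in the list, while the two heuristics need no prior knowledge of the sample but trade that for threshold tuning and the possibility of false positives (a legitimate updater also polls on a schedule), which is why the text pairs behavioral tooling with policy and trained people rather than relying on either alone.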

Despite these capabilities, a lot of the threats out there are pretty good at evading detection. For this reason, you shouldn’t be totally dependent on antivirus/anti-malware solutions. To truly mitigate the threat of a malware attack, you need to augment these solutions with a sound cybersecurity policy and proper employee training/education.

Things to consider:

  • Prevent malware infections (e.g. being mindful when downloading email attachments; applying patches to web browsers and other endpoint applications; avoiding shady websites)
  • Contain malware infections (e.g. reporting suspicious behavior or confirmed infections to IT or cyber security staff)
  • Support damage control initiatives (e.g. cooperating with digital forensic investigators)

Malware attacks usually take advantage of human ignorance of, or outright disregard for, cyber security to enter an organization. So, it’s very important to gain your employees’ full cooperation in your malware risk mitigation initiatives.

The world of cybercrime has come a long way since 1971’s Creeper malware. In fact, a 2017 survey found that as many as 49% of businesses worldwide reported being attacked by viruses and malware. Additionally, the Black Market is filled with malware or malware services for sale.

Every day, cybercriminals are launching these types of attacks on unsuspecting victims and waiting for the cash to flow in. It’s necessary for companies and individuals to do their due diligence (and then some) in protecting their environments against one of the most prolific and reliable attack types: malware.
