Last Updated on April 1, 2022
Everybody has heard of malware and knows its most popular forms like ransomware, viruses, worms, spyware, bots, and rootkits. But for many of us malware is still “just a word.” Knowing a little more about how malware is designed to spread helps to spot and stop it.
Simple on paper
We hear over and over about “staying safe from malware.” But it’s easier said than done; otherwise, there wouldn’t be a huge and ever-growing malware problem.
The basic malware prevention mantra that every user knows is:
- Don’t download sketchy files
- Don’t open sketchy emails
- Don’t navigate to sketchy links
But these simple instructions are less effective against sophisticated, determined, and well-funded attackers, whose convincing bait plays to all our weaknesses and fallibilities. All it takes is one click to spread trouble if the proper controls (e.g., network segmentation) aren’t in place. Spam filters, antivirus, firewalls, and other security controls intended to block malware directly are useful but imperfect, and some malicious content still gets through.
When malware is installed on endpoints, servers, or other systems, it can cause harm in multiple ways. These include crippling system performance by using CPU time for crypto-mining, exfiltrating personal data and other sensitive data, erasing or encrypting data to hold it for ransom, and (usually in the case of IoT devices like smart lightbulbs or IP security cameras) hijacking and controlling device operations.
Low odds, high profits
Malware is constantly changing as new forms and designs emerge, and the rate of growth and change is overwhelming: 560,000 new malware samples are detected daily, according to DataProt. Global attack frequencies are on the order of billions of attacks per year, with four companies succumbing to ransomware every minute of every day.
Why is so much malware lurking in the shadows? Because a successful attack can bring even a large enterprise to its knees. Hackers are happy to play a low-odds game with potential financial windfalls on the table. Sooner or later, they’re going to win.
How malware spreads depends on how it is delivered. The most popular malware delivery method by far is through targeted emails, aka phishing.
Most of us routinely find phishing emails in our inbox. Some are sloppy and easy to spot, but the best of these look very convincing. Either way, their links and/or attachments carry a malware payload.
Once a user clicks a malicious link or opens a malicious attachment (e.g., one containing a malicious Microsoft Office macro), the malware has its foot in the door. Now it can compromise network security if it can move beyond the infected system and/or communicate with its command-and-control software.
Other top malware delivery methods
Another prevalent malware delivery gambit is the “fake software update site.” Using browser pop-ups or new browser windows/tabs, hackers announce that you need to update your outdated software and direct you to malicious or compromised sites. A related and highly successful attack is to compromise legitimate websites with infected code that entices victims to download files or disclose personal data.
If you click a bad link, malware is delivered to your endpoint (PC, tablet, etc.). If it can run there, it will attempt to spread via whatever networks it can access. Often no user interaction is needed for the malware to activate.
Worms and other malware also routinely spread over the “sneakernet,” in the form of infected removable drives like USB flash drives and portable hard drives. Practicing good “drive hygiene” and scanning any filesystem before downloading files are helpful practices, but accidents inevitably happen.
Malware can also be secretly bundled with other “legit” software that you download—with the SolarWinds attack being the prime example to date. Files shared over peer-to-peer networks can also contain malware payloads.
Spreading to other devices
Once malware is running on a user’s system or out on your network, how does it spread to other devices? Some of the top actions that malicious code executes include:
- Encrypting or blocking access to data and then holding the data for ransom
- Replicating across a file system, including shared drives, searching for valuable data
- Installing code that captures keystrokes, takes over a built-in camera, or otherwise attempts to steal login credentials and/or account data
- Assaulting a user with malicious ads
- Hijacking system resources on the sly, often to mine cryptocurrency or launch distributed denial of service (DDoS) attacks
- Gaining control of a device to render it inoperable or use it as a base to access other assets
When malware is active on your network, it seeks vulnerabilities that will allow it to spread to other devices. Exploiting well-known and longstanding software vulnerabilities that should have been patched is a very common vector for many of the above attacks.
“Traditional” ransomware and other malware types focus on crippling as many individual systems as possible. More sophisticated types target shared network drives accessible via infected endpoints—even in the cloud—and jump from there to infect more shared resources as well as individual endpoints.
Once shared resources are compromised, many more systems are vulnerable. If unchecked, the malware’s impact on data and productivity could be severe, even threatening business viability.
Wherever and however it spreads, malware threatens the confidentiality, integrity and availability of your company’s sensitive information, including everything from human resource data to intellectual property. Contrary to popular belief, malware infections can be very stealthy and hard to spot, enabling hackers to dwell on networks for months or years.
User education and anti-malware controls block many malware attacks, but inevitably some attacks succeed. The best defense is to architect your IT environment leveraging zero trust principles so that malicious code has no room to maneuver and no way to “phone home” back to hackers.
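As an added example (not code from the original post) of the “no way to phone home” control described above: this Python snippet checks constructed outbound-connection log lines against a hypothetical egress allowlist and flags the destinations a workstation should never be talking to, including raw IP addresses that bypass DNS and repeated contacts with the same unexpected host.

```python
import re
from collections import Counter

# Constructed sample egress log lines (not from the original article):
# timestamp source_host destination bytes_out
SAMPLE_LOG = """\
2022-04-01T09:00:01 ws-042 updates.example-vendor.com 1204
2022-04-01T09:00:31 ws-042 updates.example-vendor.com 1198
2022-04-01T09:01:02 ws-042 198.51.100.23 512
2022-04-01T09:02:02 ws-042 198.51.100.23 512
2022-04-01T09:03:02 ws-042 198.51.100.23 512
2022-04-01T09:05:00 ws-017 mail.example-corp.com 8820
2022-04-01T09:06:10 ws-017 cdn.unknown-host.example 3301
"""

# Hypothetical egress allowlist: only these domains (and their subdomains)
# are expected to receive outbound traffic from workstations.
EGRESS_ALLOWLIST = {"example-vendor.com", "example-corp.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_allowlisted(dest: str, allowlist=EGRESS_ALLOWLIST) -> bool:
    """True if dest is an allowlisted domain or a subdomain of one."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in allowlist)


def find_egress_violations(log_text: str, allowlist=EGRESS_ALLOWLIST):
    """Return (violations, repeat_counts).

    violations: (source, destination, reason) for every line whose destination
    is not allowlisted; raw IP destinations get their own reason.
    repeat_counts: occurrences of each offending (source, destination) pair,
    a crude hint that a host keeps contacting the same unexpected place.
    """
    violations = []
    pairs = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, src, dest, _bytes = m.groups()
        if is_allowlisted(dest, allowlist):
            continue
        reason = "raw IP destination" if IPV4_RE.match(dest) else "domain not allowlisted"
        violations.append((src, dest, reason))
        pairs[(src, dest)] += 1
    return violations, dict(pairs)
```

Each flagged pair is a candidate for blocking at the egress firewall or proxy and for follow-up on the source host.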
To connect with a network security expert about practical approaches to protect your sensitive data from exfiltration, loss or corruption following ransomware and other malware strikes that relentlessly assault your business, contact Pivot Point Security.