What is Malware?
Malware is a catch-all phrase for any malicious software designed to exploit or harm any network, service, or programmable device. Cybercriminals typically use malware to extract healthcare records, financial data, passwords, personal emails, and other sensitive information they can leverage for financial gain.
Malware, a portmanteau of malicious and software, is the collective term for a variety of software-based attacks with malicious intent, including ransomware, viruses, and spyware. Typically delivered in the form of a file or link over email or text that requires user action to execute, malware is usually code developed by cyberattackers, designed to gain unauthorized access to a network or to cause extensive damage to data and systems.
How Does Malware Work?
Cybercriminals use malware, which includes all types of malicious software, for many reasons, such as:
- Identity theft
- Theft of consumer credit card data and other financial information
- Cryptocurrency mining
- Denial-of-service attacks (DDoS attacks)
Malware is intentionally intrusive for devices, networks, and systems as the means of achieving its goal, which is most often making money from victims (espionage and sabotage are the other common motives). Malware makes the entire device or system “sick,” because it deliberately interferes with normal functioning.
How does malware spread?
Most malware follows a similar pattern: the victim downloads or runs it without realising what it is, infecting the system or device. The exceptions are worms and exploits, which can spread with no user action at all.
What does malware do?
Every different variety of malware causes problems in its own way, although most rely on some kind of user action. Some deliver malicious code via a link or executable file over email, social media, SMS, or instant messaging.
Accidentally performing some action that downloads the malware, such as visiting a malicious website or clicking a link in an email, causes most malware infections. Hackers in some cases spread malware through free software download bundles, peer-to-peer file sharing services, and text messages.
Common Malware Attacks
There are many types of malware. Here are some of the most common:
Among the most common types of malware, a virus is malware that attaches to another program and, when that program is executed—typically inadvertently—replicates itself by modifying and infecting other programs. Like a biological virus, it needs a host: as a virus in the body injects its genetic material into a host cell’s DNA, a computer virus attaches its malicious code to clean code within an executable file and waits for that file to be run. Viruses can spread widely and rapidly, corrupting files and locking users out of their devices.
Worms are malware named for the way they weave or worm their way through a network to infect systems. Unlike viruses, worms need no host program and no user action: starting from a single infected machine, they exploit network-reachable vulnerabilities to copy themselves to machine after machine and can infect entire networks of devices rapidly.
Spyware, predictably, is malware designed to observe or spy on a user’s activities without their knowledge or permission. This kind of malware hides in the victim’s computer in the background, secretly collecting information such as passwords, credit card details, and other sensitive information, and reports it to the author of the spyware.
Named for the Greek myth with the hidden soldiers in the giant wooden horse waiting to deliver a massive attack, trojans or trojan horses are a type of malware disguised as or hidden inside legitimate software. One of the most dangerous types of malware, trojans breach security discreetly in the guise of a useful product or tool. Once in place on the system, they create backdoors and gain unauthorized access, stealing sensitive information or installing ransomware, viruses, or other threats.
Ransomware is malware that locks users out of their systems or encrypts their files, then demands a ransom payment, usually in hard-to-trace cryptocurrency, for the decryption key. (Scareware, which frightens users with fake warnings into paying for bogus software, is a related but distinct category.) Cybercriminals have used ransomware to target some of the world’s biggest organizations, and once it has executed the only reliable recovery is from offline backups.
Adware is malicious software designed to push unwanted advertisements with pop-up windows or blinking ads on the user’s screen, typically within a web browser. Many adware programs are built to piggyback on another program to trick users into installing it onto mobile devices, tablets, or a PC. Others are disguised as legitimate programs themselves, which trick users into installing them in exchange for free services.
Fileless malware abuses legitimate, already-installed programs and scripting engines (the operating system’s own shell, scheduler, or administration tools) instead of dropping its own executable on disk. That leaves far fewer artifacts for file-based scanners to find: there is no new binary to hash, and the malicious activity runs inside trusted processes. Common fileless techniques include launching scripts directly from memory, persisting in registry keys or scheduled tasks, and using exploits, sometimes zero-days, to gain the initial foothold, all through the system’s own trusted services and files.
Attackers use these techniques to create hidden folders, files, and scripts, connect out to their own infrastructure, compromise further systems, and stealthily control servers while leaving very little on-disk evidence.
A rootkit is malware designed to hide its own presence, and that of other malware, from the operating system, the user, and security software, typically by modifying the kernel, the boot process, or core system libraries. It is usually installed after an attacker has already obtained administrator (root) privileges, and it is often bundled with a remote access tool (RAT) so that the attacker keeps that access.
Modern rootkits pose major security risks because they typically accompany other malware such as viruses, worms, and trojans. They are difficult or impossible to detect with tools running on the compromised system itself, since the rootkit can tamper with what those tools see; reliable detection usually requires a specialized scanner or booting from trusted media. And it is hard to remove malware you cannot detect.
Once installed, a rootkit loads with the operating system at every boot and restores the attacker’s administrator access. With that access the attacker can capture traffic, track all activity on the device, hijack computer resources, install programs without user consent, or enlist the computer in a botnet.
A keylogger is malware that records and typically stores all user keystrokes on the keyboard, including sensitive information such as passwords, usernames, and credit card numbers, and sends it to the attacker.
Cryptomining, also called cryptojacking, cryptocurrency mining, drive-by mining, and simply crypto malware, is a type of malware, typically installed by a trojan, that enables the attacker to use your computer to mine cryptocurrency. Basically, a malicious crypto miner steals your system’s resources to make money and sends the collected Bitcoin or other cryptocurrency to their account.
Wiper malware has just one goal: erasing or destroying all data on the targeted network or computer. The motive may be cleaning up after data theft, or plain sabotage. A well-known example is NotPetya (2017), which posed as the Petya ransomware: it displayed a ransom note, but its encryption could not be reversed even by its authors, so victims who paid got nothing back and the data was irrecoverably destroyed.
An exploit is code that takes advantage of a specific vulnerability or bug to make a system do something its designers did not intend, typically to run attacker-supplied code or gain higher privileges. Exploits are often delivered through malvertising, the practice of injecting malicious content into advertising on legitimate sites. The victim need not click anything: simply loading the page lets the exploit attempt a drive-by download and, if it succeeds, install malware on the computer.
A botnet is not itself a type of malware but a network of malware-infected computers working together under an attacker’s control. Each infected machine is a “bot” that receives commands from the attacker’s command-and-control infrastructure. Because these machines form a network, they offer a substantial amount of collective bandwidth and processing power, which the attacker can use to send spam, mount DDoS attacks, inject fraudulent ads into browsers, and steal data.
Malware vs Virus
Malware and viruses are not the same thing. All computer viruses are malware, but not all malware is a virus. Viruses are one kind of malware, and although many people use the words interchangeably, the terms are technically distinct.
Malware is malicious software or code of any kind. Computer viruses are pieces of malicious code that spread across computers and networks the way a contagious disease spreads between hosts.
Malware vs Spyware
Are malware and spyware the same thing? The distinction is the same as for malware vs virus: all spyware is malware, but not all malware is spyware.
Malware is malicious software or code of any kind. Spyware is the specific kind that lets a cybercriminal observe the victim and collect sensitive information without their knowledge; the many other kinds of malware do other things.
Malware Protection Benefits
Effective malware protection offers several benefits. It ensures any newly downloaded files or programs are free of malware. It scans the system periodically to detect malware and defeat any malware infections that it may have missed initially. And to ensure this is a seamless process, it updates regularly to detect and cope with new threats.
The best malware protection tools also look for behaviour that characterizes malware, such as code that hides inside other programs or tampers with security settings, and warn users about it even when the malware has never been seen before. Robust anti-phishing protection is also essential, because phishing is the most common way malware is delivered.
Malware protection must be scalable and user-friendly. Even the most robust malware protection cannot protect sensitive information or anything else if it doesn’t get used.
Malware Check: Signs of Malware
There are several signs of a malware infection to be aware of:
- Slow computer. Malware’s intrusive nature tends to reduce the speed and responsiveness of the victim’s system.
- Intrusive ads. Unexpected, intrusive pop-up ads, particularly those associated with adware, are a common sign of infection, and clicking them often leads to further malware.
- Frozen or crashed system. The system crashes, freezes, or repeatedly shows the Windows “blue screen of death” fatal error screen.
- Missing disk space. Unexplained loss of disk space may be taken up by files the malware has staged or hidden.
- Unexplained system or browser activity. Any unexplained increase in internet traffic, abnormally high usage of CPU, memory, or disk, or unwanted browser behaviour can come from malware using system resources or taking over the browser. New extensions, toolbars, or plugins you did not install are another signal.
- Antivirus product failures. Malware can disable your antivirus product or block its updates, leaving the system unprotected.
- Ransom demand. The obvious one: a ransomware note demanding money for your files.
Who Is At Risk for Malware?
Anyone who is online, connected via email or to the internet in any way, is exposed to malware infection. Malware can reach a system via compromised websites, downloaded files, clicked links, new software, new toolbars, malspam (spam email carrying a malicious attachment or link), or anything else you download.
It is best to download only from trusted sources, but malware can arrive even when installing something from a credible source. Installers that bundle extra software, including some app-store downloads, often lead to installing unexpected or unwanted software, known as potentially unwanted programs (PUPs).
On phones, the two most common smartphone operating systems are Apple iOS and Google Android. Android is more popular among both consumers and malware authors, with Android phones making up the large majority of smartphone sales worldwide. On both platforms, mobile malware works much like computer malware; the main differences are that apps are sandboxed and that most infections arrive through malicious or sideloaded apps rather than file attachments.
Malware, Phone and OTP Authentication, and Strong Authentication
Malware designers rely on deception to steal information such as usernames and passwords, to gain access to systems, and ultimately to steal money. They have become far more sophisticated, often relying on phishing and social engineering tactics to deliver their malicious packages and tempt users into downloading dangerous code.
Anti-malware packages and dedicated removal tools can help once a malware attack has already happened. But removal is only necessary when prevention has failed.
Most anti-malware advice is preventive: keep antivirus software updated, avoid the wrong kinds of sites and downloads, and recover quickly when there is a breach. All of that depends on users being vigilant. Stronger authentication attacks the problem from a different direction: if a credential cannot be phished, the most common lure used to deliver malware stops working, and the system no longer depends on the user noticing the fake.
Sadly, not all types of authentication are up to the task of resisting modern phishing attacks, the same attacks that deliver much of today’s malware. This is largely because most of the “secret” information that platforms ask users to know and confirm is not actually secret unless users are extremely careful all of the time. Basic forms of credential strengthening such as two-step verification (2SV) and two-factor authentication (2FA) can give a false sense of security; only strong, phishing-resistant authentication actually prevents credential phishing.
There are various commonly used 2SV/2FA and MFA methods, each with its strengths and weaknesses as it relates to malware and phishing. Let’s quickly review them:
Knowledge-based authentication (KBA) questions. These questions, such as, “What was your high school mascot,” can also be made dynamic by services and businesses you use regularly like a bank. For example, “when did you last leave the state you live in?” However, these typically amount to no more than a second form of something you know, a password, and are often publicly available information or easily gleaned from social media sites, so are vulnerable to attack.
One-time password (OTP) or notification via phone call or SMS text. OTP via SMS is widely available, and there is no secret seed on the phone for hackers to steal. However, phone networks and numbers are vulnerable to number-porting fraud (SIM swapping), SS7 interception, and pretexting/vishing, and these weaknesses have been exploited by governments, private companies, and criminal gangs. The code itself is also something the user types, so a phishing page can collect it and relay it to the real site.
OTP via email. An email account is remotely accessible, so an OTP sent to it is only as safe as that account, and the code is just as phishable as an SMS code.
OTP tokens and apps. The app or token holds a secret seed that is combined with the current time or a counter to produce a code; without the seed the code cannot be predicted. The user cannot be phished for the seed, because they never see it. However, the code itself is still typed by the user, so a phishing site can collect it and relay it to the real site within its validity window, and a compromised smartphone can leak both the seed and the codes.
Push notification OTP codes. Implemented properly, an OTP delivered by push notification is difficult for hackers to intercept, but as with all OTP implementations, phishing is a weakness because people will type the code into a fake page or read it out to a caller.
Push notification-based apps. These apps show the user real-time context (for example, “you’re logging into your bank in New Jersey”) and let them approve or deny the login with a button on a trusted device instead of entering a code. Attackers still defeat this by timing their prompt to coincide with the victim entering a password on a phishing page, by logging in from a network and location that make the context look plausible, or simply by sending prompts until a tired user approves one.
Biometrics. Biometric credentials cannot be changed if they become publicly known. Systems that send biometric data to a central server for validation also differ sharply, in both privacy and exposure to scalable remote attacks, from device-local biometrics that only unlock a key held on the device.
Certificates/TLS mutual authentication. Though not practical for widespread consumer use, certificate-based authentication relies on public/private key cryptography and, when deployed with smart cards in enterprise environments, helps prevent both man-in-the-middle attacks and phishing.
FIDO universal 2nd factor (U2F) authenticators. These use public/private key technology to: preserve privacy by creating a unique key per registration and site; handle sensitive private keys in dedicated secure hardware; bind credential use solely to the site where the credential was created; and require user interaction to authenticate. Because the browser, not the user, supplies the site’s origin and the key is bound to it, authentication succeeds only on the genuine site; the user does not need to confirm or even notice anything about the site they are visiting.
Minimize Risks with Strong Authentication
Multi-factor authentication (MFA) is one of the best options for establishing trust with users, but unfortunately, as described above, not all MFA is created equal. Each system is only as strong as its combined factors.
Actual strong authentication must:
- Not rely solely on shared secrets/symmetric keys at any point. This includes passwords, codes, and recovery questions.
- Robustly repel credential phishing and impersonation. Wary users are always welcome, but strong authentication assumes that phishing attempts are inevitable and that some will get past the user.
- Be scalable and easy to use. In a modern world there is no meaningful strong authentication if it cannot be deployed online for everyday users.
By design, strong authentication makes credential phishing fail, and with it the most common lure used to deliver malware.
Does Yubico Offer Malware Protection?
Many anti-malware packages and removal tools focus on helping users who have already suffered a malware attack. But removal is only necessary when malware protection has failed in the first place.
The standard preventive advice remains the baseline protection against malware, whether bots, browser hijackers, ransomware, or other malicious software: install and maintain a quality, updated antivirus program, stay away from suspicious websites, be careful about which email attachments you open, and recover quickly when there is a breach.
But wouldn’t it be nicer not to depend on such a high level of personal vigilance while keeping tight security? After all, the attacker only needs to succeed once and can keep trying.
Yubico’s YubiKey is built on a foundation of strong authentication. Its resistance to phishing contributes to malware protection because the authentication itself fails on a phishing site, before any credentials change hands and before the victim is drawn further into the attack.
Typically, a phishing victim clicks a link, lands on a sign-in page that is actually the attacker’s, and enters their password and code there. They then download malware or hand over personal information, and may never know they were phished.
A registered YubiKey “talks” to your browser and device. If you click a phishing link and are prompted to authenticate with your YubiKey, the browser reports the real origin of the page you are on, and the key’s signature is bound to the site where it was registered. An assertion produced on a phishing site, even one with a valid TLS certificate, therefore does not validate at the genuine service; the login simply fails, and the user does not have to spot the fake.