Viruses
Malicious software, or malware, is used by cyber criminals, hacktivists and nation states to disrupt computer
operations, steal personal or professional data, bypass access controls and otherwise cause harm to the host
system.
1. Viruses
A computer virus infects devices and replicates itself across systems. Viruses require human intervention to
propagate. Once users download the malicious code onto their devices -- often delivered via malicious
advertisements or phishing emails -- the virus spreads throughout their systems. Viruses can modify computer
functions and applications; copy, delete and exfiltrate data; encrypt data to perform ransomware attacks; and carry
out DDoS attacks.
The Zeus virus, first detected in 2006, is still used by threat actors today. Attackers use it to create botnets and as a
banking Trojan to steal victims' financial data. Zeus's creators released the malware's source code in 2011, enabling
threat actors to create updated and more threatening versions of the original virus.
2. Worms
A computer worm self-replicates and infects other computers without human intervention. This malware inserts
itself in devices via security vulnerabilities or malicious links or files. Once inside, worms look for networked devices
to attack. Worms often go unnoticed by users, usually disguised as legitimate work files.
WannaCry, also a form of ransomware, is one of the most well-known worms. The malware took advantage of the
EternalBlue vulnerability in outdated versions of Windows' Server Message Block protocol. In its first year, the
worm spread to 150 countries. The next year, it infected nearly 5 million devices.
3. Ransomware
Ransomware locks or encrypts files or devices and forces victims to pay a ransom in exchange for reentry. While
ransomware and malware are often used synonymously, ransomware is a specific form of malware.
Common types of ransomware include the following:
• Locker ransomware completely locks users out of their devices.
• Crypto ransomware encrypts all or some files on a device.
• Extortionware involves attackers stealing data and threatening to publish it unless a ransom is paid.
• Double extortion ransomware encrypts and exports users' files. This way, attackers can potentially receive
payments from the ransom and/or the selling of the stolen data.
• Triple extortion ransomware adds a third layer to a double extortion attack, for example, a DDoS attack, to
demand a potential third payment.
Ransomware as a service, also known as RaaS, enables affiliates or customers to rent ransomware. In this
subscription model, the ransomware developer receives a percentage of each ransom paid.
Well-known ransomware variants include REvil, WannaCry and DarkSide, the strain used in the Colonial Pipeline
attack.
Data backups were long the go-to defense against ransomware. With a proper backup, victims could restore their
files from a known-good version. With the rise of extortionware, however, organizations must follow other
measures to protect their assets from ransomware, such as deploying advanced protection technologies and
antimalware.
4. Bots
A bot is self-replicating malware that spreads itself to other devices, creating a network of bots, or a botnet. Once
infected, devices perform automated tasks commanded by the attacker. Botnets are often used in DDoS attacks.
They can also conduct keylogging and send phishing emails.
Mirai is a classic example of a botnet. This malware, which launched a massive DDoS attack in 2016, continues to
target IoT and other devices today. Research also shows botnets flourished during the COVID-19 pandemic.
Infected consumer devices -- common targets of Mirai and other botnets -- that employees use for work, or that
share a home network with the company-owned devices of employees working from home, enable the malware to
spread to corporate systems.
5. Trojan horses
A Trojan horse is malicious software that appears legitimate to users. Trojans rely on social engineering techniques
to invade devices. Once inside a device, the Trojan's payload -- malicious code -- is installed to facilitate the exploit.
Trojans give attackers backdoor access to a device, perform keylogging, install viruses or worms, and steal data.
Remote access Trojans (RATs) enable attackers to take control of an infected device. Once inside, attackers can use
the infected device to infect other devices with the RAT and create a botnet.
An example of a Trojan is Emotet, first discovered in 2014. Despite a global takedown at the beginning of 2021,
attackers have rebuilt Emotet and it continues to help threat actors steal victims' financial information.
6. Keyloggers
A keylogger is surveillance malware that monitors keystroke patterns. Threat actors use keyloggers to
obtain victims' usernames and passwords and other sensitive data.
Keyloggers can be hardware or software. Hardware keyloggers are manually installed into keyboards. After a victim
uses the keyboard, the attacker must physically retrieve the device. Software keyloggers, on the other hand, do not
require physical access. They are often downloaded by victims via malicious links or attachments. Software
keyloggers record keystrokes and upload the data to the attacker.
The Agent Tesla keylogger first emerged in 2014. The spyware RAT still plagues users, with its latest
versions not only logging keystrokes, but also taking screenshots of victims' devices.
Password managers help prevent keylogger attacks because users don't need to physically fill in their usernames
and passwords, thus preventing a keylogger from recording them.
7. Rootkits
A rootkit is malicious software that enables threat actors to remotely access and control a device. Rootkits
facilitate the spread of other types of malware, including ransomware, viruses and keyloggers.
Rootkits often go undetected, because once inside a device, they can deactivate antimalware and antivirus
software. Rootkits typically enter devices and systems through phishing emails and malicious attachments.
To detect rootkit attacks, cybersecurity teams should analyze network behavior. Set alerts, for example, if a user
who routinely logs on at the same time and in the same location every day suddenly logs on at a different time or
location.
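The alerting rule described above, as an added example that is not part of the original article: it builds a per-user baseline of logon hours and locations from historical events, then flags new events whose hour or location falls outside that baseline. The log lines, their field layout and the one-hour tolerance are constructed for this example.

```python
"""Baseline-and-alert check for unusual logon time or location.

Added example (not from the original article): a per-user baseline is built
from historical logon events, and each new event is compared against it.
The log lines and their "timestamp user location" layout are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample history: "timestamp user location" per line.
HISTORY = """\
2024-03-04T08:02:11 alice HQ-Office
2024-03-05T08:05:40 alice HQ-Office
2024-03-06T07:58:03 alice HQ-Office
2024-03-07T08:10:27 alice HQ-Office
2024-03-04T09:31:00 bob Remote-VPN
2024-03-05T09:28:45 bob Remote-VPN
2024-03-06T09:35:12 bob Remote-VPN
"""

# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2024-03-08T08:01:19 alice HQ-Office
2024-03-08T02:47:55 alice HQ-Office
2024-03-08T09:30:02 bob Branch-East
2024-03-08T09:29:10 carol Remote-VPN
"""

HOUR_TOLERANCE = 1  # assumed: drift (in hours) from a usual logon hour still counted as normal


def parse_events(text):
    """Parse 'timestamp user location' lines into (user, datetime, location) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, location = line.split()
        events.append((user, datetime.fromisoformat(ts), location))
    return events


def build_baseline(history_text):
    """Per user: the set of logon hours and locations seen in the history."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set()})
    for user, when, location in parse_events(history_text):
        baseline[user]["hours"].add(when.hour)
        baseline[user]["locations"].add(location)
    return baseline


def hour_is_usual(hour, usual_hours, tolerance=HOUR_TOLERANCE):
    """True if hour is within tolerance of any hour in the user's baseline."""
    return any(abs(hour - h) <= tolerance for h in usual_hours)


def evaluate(history_text, new_text):
    """Return a list of (user, timestamp, reasons) for events that deviate.

    A user with no history at all is reported too: an unknown account
    logging on deserves a look rather than a silent pass.
    """
    baseline = build_baseline(history_text)
    alerts = []
    for user, when, location in parse_events(new_text):
        reasons = []
        if user not in baseline:
            reasons.append("no baseline for user")
        else:
            if not hour_is_usual(when.hour, baseline[user]["hours"]):
                reasons.append(f"unusual hour {when.hour:02d}")
            if location not in baseline[user]["locations"]:
                reasons.append(f"unusual location {location}")
        if reasons:
            alerts.append((user, when.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in evaluate(HISTORY, NEW_EVENTS):
        print(f"ALERT {ts} {user}: {'; '.join(reasons)}")
```

Running the block reports three of the four new events: alice's 02:47 logon (unusual hour), bob's logon from Branch-East (unusual location) and carol's logon (no baseline at all). A production version would draw the baseline from weeks of authentication logs and tune the tolerance per environment, but the shape of the rule is the same.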
The first rootkit, NTRootkit, appeared in 1999. Hacker Defender, one of the most widely deployed rootkits of the
2000s, was released in 2003.
8. Spyware
Spyware is malware that downloads onto a device without the user's knowledge. It steals users' data to
sell to advertisers and external users. Spyware can track credentials and obtain bank details and other sensitive
data. It infects devices through malicious apps, links, websites and email attachments. Mobile device spyware,
which can spread via Short Message Service and Multimedia Messaging Service, is particularly damaging because it
tracks a user's location and has access to the device's camera and microphone. Adware, keyloggers, Trojans and
mobile spyware are all forms of spyware.
Pegasus is a mobile spyware that targets iOS and Android devices. It was first discovered in 2016, at which time it
was linked to Israeli technology vendor NSO Group. Apple filed a lawsuit against the vendor in November 2021 for
attacking Apple customers and products. Pegasus was also linked to the assassination of Saudi journalist Jamal
Khashoggi in 2018.
9. Fileless malware
Fileless malware, unlike traditional malware, does not involve attackers installing code on victims' hard drives.
Rather, it uses living-off-the-land techniques to take advantage of legitimate and presumably safe tools -- including
PowerShell, Microsoft macros and WMI -- to infect a victim's systems. Fileless malware resides in computer
memory. Without an executable, it can evade file- and signature-based detection tools, such as antivirus and
antimalware.
Note that fileless malware might indeed use files, but the attack leaves none behind once it completes, making
attribution difficult.
Frodo, Emotet and Sorebrect are examples of fileless malware.
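To make the evasion concrete, here is an added example (not code from the original article) contrasting the two detection approaches the section describes. A file-based check passes every event, because the binary being launched is the legitimate PowerShell or WMI executable; a rule over process-creation telemetry that weighs how those tools are invoked still raises an alert. The event records, the "known-good" hash table, the indicator list and its weights are all constructed for this example.

```python
"""Behaviour-based check for living-off-the-land process launches.

Added example (not from the original article): shows why a file-based check
passes a fileless attack (the launched binary is the legitimate PowerShell
executable) and how a rule over process-creation telemetry can still flag
it. The event records, the known-good hash table and the indicator weights
are constructed for this example.
"""
import hashlib
import re

# Constructed stand-ins for the executables on disk; in real telemetry the
# hash comes from the EDR/Sysmon event rather than being computed here.
BINARIES = {
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe": b"powershell-binary-stand-in",
    r"C:\Windows\System32\wbem\WMIC.exe": b"wmic-binary-stand-in",
}
KNOWN_GOOD_HASHES = {hashlib.sha256(data).hexdigest() for data in BINARIES.values()}

# Indicators an analyst might weight on a PowerShell/WMI command line.
# Constructed weights; real rules are tuned against the environment's baseline.
INDICATORS = [
    (re.compile(r"-(enc|encodedcommand)\b", re.I), 3, "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-nop(rofile)?\b", re.I), 1, "profile skipped"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), 3, "dynamic evaluation"),
    (re.compile(r"downloadstring|invoke-webrequest", re.I), 3, "remote content fetch"),
    (re.compile(r"\bprocess\s+call\s+create\b", re.I), 3, "wmi process creation"),
]
ALERT_THRESHOLD = 4  # assumed cut-off; tune to the environment

# Constructed process-creation events: (image path, parent image, command line).
# The encoded payload is base64 of a run of "A"s and the IEX argument is a
# placeholder, so neither command line does anything.
EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\explorer.exe",
     "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQQ=="),
    (r"C:\Windows\System32\wbem\WMIC.exe",
     r"C:\Windows\System32\cmd.exe",
     "wmic process call create \"powershell -w hidden IEX (placeholder)\""),
]

# An Office application spawning a shell is itself a signal (macro abuse).
OFFICE_PARENTS = re.compile(r"(winword|excel|powerpnt|outlook)\.exe$", re.I)


def file_check(image_path):
    """Signature-style check: is the launched binary a known-good file?"""
    digest = hashlib.sha256(BINARIES[image_path]).hexdigest()
    return digest in KNOWN_GOOD_HASHES


def score_command_line(parent_image, command_line):
    """Sum the weights of matching indicators; an Office parent adds weight."""
    score, hits = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(command_line):
            score += weight
            hits.append(label)
    if OFFICE_PARENTS.search(parent_image):
        score += 3
        hits.append("office parent")
    return score, hits


def evaluate(events=EVENTS):
    """Per event: (file check passed, behaviour score, hit labels, alert?)."""
    results = []
    for image, parent, cmd in events:
        score, hits = score_command_line(parent, cmd)
        results.append((file_check(image), score, hits, score >= ALERT_THRESHOLD))
    return results


if __name__ == "__main__":
    for (_, _, cmd), (clean, score, hits, alert) in zip(EVENTS, evaluate()):
        print(f"file-check={'pass' if clean else 'FAIL'} score={score} "
              f"alert={alert} hits={hits} :: {cmd}")
```

All three launches pass the file check, since the executables are genuine Windows binaries. The behavioural score separates them: the admin inventory script scores 1 and stays quiet, while the Word-spawned hidden encoded PowerShell and the WMI-launched hidden shell cross the threshold. This is the telemetry (process parent, command line, in-memory behaviour) that defenders rely on precisely because fileless malware leaves no file to hash.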
10. Cryptojacking
Cryptomining -- the process of verifying transactions within a blockchain -- is highly profitable but requires
immense processing power. Miners are rewarded for each blockchain transaction they validate. Malicious
cryptomining, known as cryptojacking, enables threat actors to use an infected device's resources -- including
electricity and computing power -- to conduct verification. This can lead to performance degradation of the
infected device and loss of money due to stolen resources.
Coinhive, Vivin, XMRig, Lucifer, WannaMine and RubyMiner are examples of cryptomining malware.
12. Adware
Adware is software that displays or downloads unwanted advertisements, typically in the form of banners or pop-
ups. It collects web browser history and cookies to target users with specific advertisements.
Threat actors use vulnerabilities to infect OSes and place malicious adware within preexisting applications. Users
might also download applications already corrupted with adware. Alternately, adware can be included in a software
bundle when downloading a legitimate application or come pre-installed on a device, also known as bloatware.
Fireball, Gator, DollarRevenue and OpenSUpdater are examples of adware.