What types of malware are there and how do I protect myself from them?

Malware – short for malicious software – is the generic term for harmful programs that infect computers, networks or mobile devices and can cause damage in various ways. Malware comes in a wide variety of forms. The best-known variants include viruses, worms and Trojans. Spyware and ransomware also belong to the genre of malicious software. In order for users to be able to protect themselves against malware, the various forms and their mechanisms of action must be known. This article will tell you what types of malicious software there are and how you can protect yourself from them.

How do I get infected with malware?

In order for malware to do anything on a computer, network or mobile device, the malicious program must first find its way there. Cybercriminals are constantly developing new strategies to get malicious code onto their victims’ systems. One widespread method is to send malware via e-mail. It can be hidden in the attachment of a mail that appears unsuspicious at first glance, often in a compressed archive or disguised as a Word document. Malware is also very often distributed via a link, which can likewise be sent by e-mail or via messenger services such as WhatsApp, Signal or Telegram. If the recipient clicks on the link, downloads the software and starts the installation, the computer is compromised. Another method that is extremely popular among cybercriminals is distributing malware via fake software: malicious programs frequently hide in illegal downloads of games, movies or high-priced software.

The methods mentioned above all have one thing in common: they require the recipient’s active “cooperation”, by opening attachments, clicking on links or downloading offers from the Internet. However, a computer or smartphone can also become infected with malware without any action on the part of the user. By exploiting vulnerabilities in publicly accessible systems, such as e-mail servers reachable from the Internet, or vulnerabilities in browsers, cybercriminals gain access to connected computers and can install malware without the user noticing.

How does malware work?

Malware programs usually have a multi-stage structure. Often, the first stage is carried out by a so-called “dropper”, which then executes the malicious “payload”. The dropper hides, for example, in Office documents or behind links in e-mails, and its only task is either to download and execute the next stage of the infection (the payload) or, if the payload is already embedded in the dropper, to decode and execute it.

In order for the attackers to know that an infection has been successful, they set up so-called command and control servers. The infiltrated malware connects to these servers – thus enabling the attackers to transmit commands to or interact with the infected systems.

Malware is designed to stay active for as long as possible. To survive a reboot, for example, it often establishes so-called “persistence” on the system.
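The connection to a command and control server described above is one of the most useful detection points for defenders, because a timer-driven check-in looks different from human browsing: the intervals between connections are almost constant. The following is an added example, not code from the original article or from SECUINFRA, that scores proxy log flows by the regularity of their connection intervals. The log format (timestamp, source, destination:port, bytes), the sample lines and the thresholds are constructed assumptions for the demonstration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not real traffic): "<timestamp> <source> <destination:port> <bytes>".
# 203.0.113.10 is contacted once a minute with almost no jitter; 198.51.100.20 is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:00:07 10.0.0.5 198.51.100.20:443 4096
2024-03-01T10:01:00 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:02:01 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:02:33 10.0.0.5 198.51.100.20:443 12000
2024-03-01T10:03:00 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:03:59 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:05:00 10.0.0.5 203.0.113.10:443 512
2024-03-01T10:05:10 10.0.0.5 198.51.100.20:443 800
2024-03-01T10:09:45 10.0.0.5 198.51.100.20:443 30000
"""


def parse_proxy_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole analysis
        ts, src, dst, _size = parts
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return flows whose inter-connection intervals are suspiciously regular.

    cv = standard deviation / mean of the intervals. Human-driven traffic is bursty
    (cv well above 1); a timer-driven check-in clusters near 0.
    """
    findings = []
    for (src, dst), times in parse_proxy_log(text).items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue
        cv = statistics.stdev(intervals) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "connections": len(times),
                             "mean_interval_s": mean, "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{f['src']} -> {f['dst']}: {f['connections']} connections every "
              f"~{f['mean_interval_s']:.0f}s (cv={f['cv']})")
```

On the sample the once-a-minute flow to 203.0.113.10 is reported with a cv of about 0.017, while the browsing flow is ignored. Real malware frequently randomises its check-in interval, so `max_cv` and `min_connections` need tuning against a baseline of the organisation's own traffic, and a hit is a lead for an analyst rather than proof of infection.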

The different forms of malware

Malware comes in many different forms. Keyloggers, ransomware, backdoors, bots and cryptominers: there is no limit to the creativity of cybercriminals. In the following, we describe the types of malware that are particularly relevant in cyberattacks.

What is a dropper?

Droppers are not active malware per se – but they often represent the first stage of an infection. This is because droppers have precisely one task: to load or decode further malware. Droppers are particularly often found in “malicious” email attachments, hidden as macros that are automatically executed when opened.
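Because macro droppers arrive in Office attachments, a mail gateway or triage script can at least establish whether a document carries VBA code at all before it reaches a user. The following is an added example, not code from the original article or from SECUINFRA, that inspects an Office Open XML package (docx/docm/xlsm/pptm are zip files) for the two independent signs of embedded macros: a `vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type in `[Content_Types].xml`. The sample documents are constructed in memory for the demonstration and are not real Word files.

```python
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def office_macro_indicators(data: bytes) -> dict:
    """Look inside an Office Open XML package for embedded VBA.

    Two independent signals are returned: a vbaProject.bin part in the zip and the
    VBA content type declared in [Content_Types].xml. Either one means macros exist,
    whatever the file extension claims.
    """
    result = {"is_ooxml": False, "vba_parts": [], "declares_vba_type": False}
    if not data.startswith(b"PK"):
        return result  # legacy OLE2 formats (.doc/.xls) need a different parser
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["is_ooxml"] = "[Content_Types].xml" in names
            result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if result["is_ooxml"]:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                result["declares_vba_type"] = VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass  # damaged or not a zip at all: report no indicators rather than crash
    return result


def is_macro_document(data: bytes) -> bool:
    r = office_macro_indicators(data)
    return bool(r["vba_parts"]) or r["declares_vba_type"]


def build_sample_document(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for the demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE stream that holds compiled VBA.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder for the OLE stream")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_document(False)), ("macro", build_sample_document(True))):
        verdict = "quarantine / sandbox" if is_macro_document(doc) else "no macros"
        print(f"{label}: {office_macro_indicators(doc)} -> {verdict}")
```

The check answers only the question "does this file contain macros", which is enough for a policy such as "no macro-enabled documents from external senders". Whether the macro is malicious still needs sandbox detonation or static analysis of the VBA itself, and the older binary `.doc`/`.xls` formats are outside the scope of this parser.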

What is ransomware or a wiper?

Ransomware is capable of encrypting certain files on a computer system. Once ransomware has been successfully executed on a system, users have no way to access the data without the corresponding cryptographic key. Attackers use the encryption to extort a ransom from their victims. After payment, mostly in Bitcoin, the user is supposed to receive the key needed to decrypt the data. Whether this actually happens, however, is entirely in the hands of the attackers. In many cases, the ransom is gone and the data still remains inaccessible.

Wipers can be considered a special “subform” of ransomware. Wipers also encrypt files – but without the at least theoretical possibility of decrypting the data again. Many wipers also simply delete the files from the hard drive completely. Thus, wipers are to be understood as an extremely aggressive attack weapon that pursues purely destructive purposes. In the current Russia/Ukraine conflict, several attacks with wipers have been reported.
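Both ransomware and wipers leave a characteristic trace on the file system: readable documents are replaced by ciphertext-like bytes, or truncated and overwritten with zeros, many files at once. The following is an added example, not code from the original article or from SECUINFRA, that compares two snapshots of a file share and classifies every change by Shannon entropy, raising an alert when a large share of the files became unreadable in one change window. The snapshots, the entropy threshold and the alert ratio are constructed assumptions for the demonstration.

```python
import math
from collections import Counter

HIGH_ENTROPY = 7.2  # bits per byte; well-encrypted or compressed data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_change(before: bytes, after: bytes) -> str:
    """Describe what happened to one file between two snapshots."""
    if after == before:
        return "unchanged"
    if not after.strip(b"\x00"):
        return "wiped"  # emptied or overwritten with zeros
    if shannon_entropy(after) >= HIGH_ENTROPY and shannon_entropy(before) < HIGH_ENTROPY:
        return "encrypted"  # readable content replaced by ciphertext-like bytes
    return "modified"


def triage_snapshots(before: dict, after: dict, alert_ratio: float = 0.3):
    """Classify every file and alert when too many became unreadable at once."""
    verdicts = {}
    for path, old in before.items():
        verdicts[path] = "deleted" if path not in after else classify_change(old, after[path])
    damaged = sum(v in ("encrypted", "wiped", "deleted") for v in verdicts.values())
    alert = bool(verdicts) and damaged / len(verdicts) >= alert_ratio
    return verdicts, alert


# Constructed snapshots of a small share before and after a suspicious change window.
BEFORE = {
    "report.docx": b"Quarterly report on revenue and costs. " * 50,
    "notes.txt":   b"meeting notes: follow up with finance\n" * 30,
    "readme.md":   b"# Share\nInternal documents only.\n",
    "config.ini":  b"[server]\nhost=intranet\nport=8080\n",
}
AFTER = {
    "report.docx": bytes(range(256)) * 16,          # stand-in for ciphertext: maximal entropy
    "notes.txt":   b"\x00" * len(BEFORE["notes.txt"]),  # overwritten with zeros, as a wiper would
    "readme.md":   BEFORE["readme.md"],
    "config.ini":  b"[server]\nhost=intranet\nport=8443\n",  # an ordinary edit
}

if __name__ == "__main__":
    verdicts, alert = triage_snapshots(BEFORE, AFTER)
    for path, verdict in verdicts.items():
        print(f"{path:12} {verdict}")
    print("ALERT: mass encryption/wiping detected" if alert else "no alert")
```

Files that are already high-entropy before the incident (archives, images, videos) fall through to "modified", so a production check should combine entropy with renamed extensions, burst write rates and canary files rather than rely on entropy alone.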

What is a keylogger or spyware?

Keyloggers and spyware always aim to gather as much information as possible about the infected system and send it back to the attacker. For example, some spyware variants are able to collect certain files and, unnoticed by the user, send them to the attacker via existing network connections. Keyloggers, on the other hand, specialize in recording keystrokes. This enables hackers to tap into access data or “read” confidential information in real time.

What is a RAT/backdoor?

A Remote Access Trojan (RAT) is a malware program that opens a backdoor for administrative control on a target system. Once installed, a backdoor provides an attacker with the ability to connect to the infected system at any time and thus execute commands on the system. Backdoors are often used when attacks are not completely automated. Backdoors literally keep a “back door” open for the attacker to continue executing an ongoing attack at any time.

How do botnets work?

When a system is infected with botnet malware, IoT devices being a common example, the attacker can send commands to the infected device. Because many such devices are controlled from one point, the attacker can command all of them at once. Often these bots are used to carry out DDoS (Distributed Denial of Service) attacks, in which a very large number of requests is sent to a target such as a web server in order to overwhelm it.
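The defining property of a botnet-driven DDoS attack is that the load is spread across many addresses, so a per-client rate limit sees nothing unusual while the server still drowns. The following is an added example, not code from the original article or from SECUINFRA, that counts requests in a sliding window over web server access logs both per client and in total; the total is the figure that still moves when the flood is distributed. The log lines are constructed in combined-log style for the demonstration, and the window and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format style line: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), request, int(status)


def detect_floods(lines, window_s=10, per_ip_threshold=20):
    """Sliding-window request counting.

    Returns (offenders, total_peak): offenders maps each client that exceeded
    per_ip_threshold requests within window_s seconds to its peak count; total_peak
    is the highest request count seen in any window across all clients, which is
    the number to watch when a botnet spreads the load over many addresses.
    """
    records = [r for r in (parse_line(line) for line in lines) if r]
    records.sort(key=lambda r: r[1])  # log lines are not guaranteed to be in time order
    per_ip = defaultdict(deque)
    overall = deque()
    offenders, total_peak = {}, 0
    for ip, t, _request, _status in records:
        for dq in (per_ip[ip], overall):
            dq.append(t)
            while (t - dq[0]).total_seconds() > window_s:
                dq.popleft()  # drop requests that fell out of the window
        if len(per_ip[ip]) >= per_ip_threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(per_ip[ip]))
        total_peak = max(total_peak, len(overall))
    return offenders, total_peak


def _fmt(ip, t, request, status, size):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{request}" {status} {size}'


def build_sample_log():
    """Constructed access-log sample: one address hammering the server, one normal visitor."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(5):
        for _ in range(10):  # 10 requests per second for 5 seconds
            lines.append(_fmt("198.51.100.7", base + timedelta(seconds=sec), "GET / HTTP/1.1", 200, 512))
    for k in range(8):  # one page every 9 seconds
        lines.append(_fmt("192.0.2.33", base + timedelta(seconds=-30 + 9 * k),
                          f"GET /page{k} HTTP/1.1", 200, 2048))
    return lines


if __name__ == "__main__":
    offenders, peak = detect_floods(build_sample_log())
    print("per-client offenders:", offenders)
    print("peak requests in any 10 s window:", peak)
```

On the sample the single noisy client is reported with a peak of 50 requests, and the overall peak is 52 because the normal visitor's requests fall into the same window. Against a real botnet the per-client table may stay empty while `total_peak` climbs, which is why the aggregate figure belongs on the dashboard alongside per-client limits.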

How are cryptominers used?

The “mining” of cryptocurrencies is immensely resource-intensive and requires both a lot of energy and a lot of computing power. Cybercriminals are aware of this too, and have created a special form of malware for it: cryptominers. A cryptominer abuses the CPU/GPU of an infected system in order to mine cryptocurrencies with the computing power thus gained.

What are rootkits used for?

In principle, rootkits are just collections of various software tools that interact closely with the operating system. Cybercriminals use rootkits to hide running processes on compromised systems or to hide the attacker’s logins. Rootkits can also open new backdoors, load additional malware and hide the attacker’s traces on the system.


How do I protect my company from malware?

The variety of malware we have seen shows that hackers are creative and leave no stone unturned to compromise networks, gain access to corporate data and extort ransom. Given the plethora of daily threats, an organization’s cybersecurity team must be able to respond immediately and efficiently to existing threat situations. SIEM systems deliver critical value to an organization’s information security: they comprehensively collect security-related data, aggregate it in a centralized repository and automatically detect anomalies and rule violations based on predefined use cases. This gives IT security teams a decisive advantage, because a SIEM can significantly reduce the time required to identify an acute threat (mean time to detect). Particularly in the case of critical attacks on the IT infrastructure, that time advantage can be decisive.


SECUINFRA Falcon Team • Author

Digital Forensics & Incident Response experts

In addition to the activities that are the responsibility of customer orders, the Falcon team takes care of the operation, further development and research of various projects and topics in the DF/IR area.
