What is malware
Malware refers to malicious software perpetrators dispatch to infect individual computers or an entire organization’s network. It exploits target system vulnerabilities, such as a bug in legitimate software (e.g., a browser or web application plugin) that can be hijacked.
A malware infiltration can be disastrous—consequences include data theft, extortion or the crippling of network systems.
Common malware types
There are numerous malware types, each having their own application area and focus. Seven of the most common variations are as follows:
Ransomware – Once installed, this malware encrypts files on a computer and/or across an extended network. A popup display informs the user that unless a ransom is paid, their files will remain encrypted.
Ransomware usually arrives as an email attachment or is unwittingly downloaded from a malicious website.
A new business model called ransomware as a service (RaaS) has recently appeared. Using it, amateur hackers (a.k.a., “script kiddies”) license existing malware to execute a RaaS assault. In the event of success, a percentage of the ransom goes to the malware author.
Worms – These were originally designed to infect a computer, clone itself, and then infect additional computers via another medium, such as email.
Perpetrators use worms to create botnets from a large numbers of compromised connected devices (e.g., mobile phones or PCs). Such devices are known as “zombies” because their owners are oblivious to the infection and that their systems are used as part of a much larger attack, such as a distributed denial of service (DDoS).
Worm examples include:
- NgrBot – This worm propagates through chat messengers and social networking sites. Perpetrators use social engineering to encourage downloading of the malware that, once installed, turns the user’s machine into a zombie participating in a massive botnet. It also stops infected systems from being updated and can steal login credentials and other sensitive information.
- ILOVEYOU – This has been deployed using a social engineering attack that encouraged people, through the enticement of a possible love interest, to open an email attachment containing the worm. A Visual Basic script is run that then overwrites various file types. The worm has infected an estimated 45 million computers.
Trojan – A Trojan appears legitimate but carries a dangerous payload. While it doesn’t replicate itself as do worms, it typically comes packaged with additional malware types—including backdoors, rootkits, ransomware and spyware.
The banking industry is a favorite target of Trojan attacks. For instance, the Tiny Banker Trojan (Tinba) malware, which is executed via the Rig exploit kit. Installation is achieved by first locating a software vulnerability on the target computer. It then overlays a spoofed screen requesting personal information, including credit card details, whenever the system user visits a bank site (see below).
Rootkits – These are a prepared, customizable software. They grant access to sensitive parts of an application, enable the execution of files and can even change system configurations.
Typically deployed through a social engineering attack (e.g., phishing)—resulting in the theft of a user’s login credentials—its installation gains access to a network. The rootkit can then subvert any anti-malware software that might otherwise be able to detect it, giving the perpetrator free reign to install additional malware.
Examples of rootkits include Flame, used in cyberespionage attacks to steal screenshots, record keystrokes and monitor network traffic. It was most notably used to disrupt Iranian oil refinery production in 2012.
Backdoors – A backdoor negates normal authentication required to access a system, such as via a webserver or database. Often its installation is part of a targeted assault; after researching a victim, social engineering is used to steal login credentials and gain access to an application.
Backdoors avoid detection and are used to set up a control center. This lets the perpetrator remotely update malware and initiate system commands.
Backdoors are used for many malicious activities, including data theft, denial of service assaults and infection of your visitors’ computers. It’s also an initial step when executing an advanced persistent threat (APT) assaults.
Backdoors have recently been found in a number of Internet of Things (IoT) devices, such as security Wi-Fi cameras used by organizations. Once an IoT device has been hacked and turned into a backdoor, it effectively provides a gateway into that network.
Adware – One of the earliest malware types, adware originated in the days of freeware. The software was free, but included popup ads that appeared whenever you used it. While annoying, it wasn’t malicious.
Today your system can be infected from visiting a compromised website where its malware-laden adware, using a browser vulnerability, installs itself.
Spyware – This malware variant gathers personal data and sends it to a third-party without your knowledge or consent.
A highly malicious spyware type is a keylogger. Once installed, it tracks keyboard entries and sends the data, including login credentials, to the perpetrator.
Malware detection and removal
Imperva has a number services that prevent malware installation while weeding out existing infections on web application servers.
- Web Application Firewall (WAF) –Deployed at the edge of your network, Imperva cloud PCI DSS compliant service uses signature, behavioral and reputational analysis to block all malware injection attacks on your websites and web applications. Imperva cloud WAF is offered as a managed service and maintained by a dedicated security team.
- Backdoor Protect – A service that intercepts communication attempts with backdoor shells on your web server. By tracing these requests, the service is able to pinpoint the most highly obfuscated malware, even if it was installed on your web server long before you onboarded Imperva cloud security services.
- Login Protect – A flexible two-factor authentication (2FA) solution that requires zero integration and can be instantly deployed on any Imperva cloud-protected URL address. The service prevents perpetrators from using stolen login credentials to obtain network access and install rootkits and backdoors on your web servers.