About the author
Alexander Vukcevic is the Director of Protection Labs & QA at Avira.
Malware – the combination of two words – malicious and software - is the term often used to describing a wide range of potentially dangerous and invasive code. The main malware categories include Trojans, viruses, worms, and ransomware. There are malware examples targeting all of the major operating systems including those from Apple, Android, and Windows – even Linux.
The problem with viruses
There is a lot more to malware than viruses. Computer viruses are a specific type of malware which have two specific characteristics. First, a computer virus can execute or run itself. It does this by attaching itself to other programs or by hiding in the computer code which is run automatically when certain types of files or programs are opened. Second, a virus can replicate itself. This is often done within a targeted program or app within the device, followed by the virus spreading to other devices via emails, USB memory devices, or a vulnerable network.
While these technical distinctions are important for analysts, they aren’t for the consumer. The important point for consumers is to realize that a narrowly defined computer virus is just the tip of the iceberg -- there are many more risks and vulnerabilities out there than just that.
Trends in malware
Malware has been around almost as long as the IT era. While there is no universal agreement over what was the first malware, two early examples are the Brain and the Morris Worm. The Brain was launched in 1986 by two Pakistani brothers. It was a self-replicating virus on a large floppy that promoted their computer repair services shop. The Morris worm, launched in 1988, was one of the first computer worms. It also resulted in the first felony conviction under the Computer Fraud and Abuse Act.
The four basic stages of malware
Impress/annoy – The earliest malware was designed by to either impress or annoy – or both. It was largely a platform for early hackers to show off their technical prowess and confound the rest of the world.
Damage – Malware soon moved into the damaging mode with some earlier malware types bricking up infected devices or deleting files. While impressive – and highly irritating – it was limited.
Steal – The profit motive soon showed up as hackers realized they could make substantial amounts by extracting data from infected devices and then misusing it. This discovery moved malware from simply being IT geeks showing off into a lucrative business. Monetization types have run the gamut from credit card fraud, bank fraud, identity theft, to ransomware.
Track – The age of smartphones – with always online individuals – have pulled in the trackers. Tracking can be legal, exist in a grey area, or be flatly illegal – depending on how trackers are added to the device and whether the individual agreed to this. Intrusive trackers sniffing out user activities have been linked to malicious advertising campaigns and streaming of dubious ads to infected devices.
Malware creation and distribution trends
Malware began as cyber-boasting, often as a lone wolf-individual showed off his – or her – special skill set. Then it became a gang of thieves, focused on a particular technical angle such as hacking SQL databases and Point of Sales devices.
Malware as a service – As malware grew into a bigger business, it split into various roles and specializations. In particular, there were the actual malware code developers, those marketing lists of stolen credentials, and the individuals testing out various marketing strategies and delivery mechanisms. From a security analyst perspective, we often see the same development of distribution, marketing campaigns, even A/B testing for malware such as Dridex and Locky that we would see for completely legal online products.
Malware as a government service – State actors have had an outsized position in the development and deployment of malware. Stuxnet malware was allegedly developed and deployed by the USA/Israel to knock Iran’s plutonium-producing equipment out of action. Subsequently, elements of this code have been integrated into other purely malware packages.
North Korea is believed to have had a major influence in the damaging of Sony studio files and ransomware deployment. Russia-connected entities were behind the Petya and NotPetya ransomware. Some of the major industrial hacks such as that of the Marriott have come from China-connected organizations. The leak of NSA zero-day exploits into the wild have resulted in several waves of malware and ransomware attacks.
Trends in malware detection
Malware has existed almost as long as the modern computer – but its destructive power has increased exponentially since the days of the I LOVE YOU virus back int the dark ages of the year 2000. Incidentally, this malware is still circulating on the internet. While the ability of malware to upset our online lives has grown, so also have the different techniques for detecting malware and keeping it off your device.
Signature-based detection – An early staple of antivirus programs was signature detection where a unique code pattern or hash of a known malicious file is known and recorded. Once this signature is discovered again, the file containing it can be flagged by the antivirus.
As malware became more sophisticated, malware authors began using new techniques, like polymorphism, to change their pattern each time their creation spread from one system to the next. As such, this minimized the effectiveness of a simple signature detection. Researchers then supplemented this with heuristic detection that judges the code based on its behavior. When anything starts acting out of the ordinary, it sets off alarm bells.
Cloud-based detection – Cloud based detections shift the identification work from the individual device to the cloud. This frees up computer space for more productive tasks and enables security firms to keep their detection methodologies more hidden from the cyber-criminals. By adding AI-enhanced machine learning into the mix, security firms are able to sort and sift through potential malware much faster and more in-depth than in the past, saving their manual ID work for new and emerging threats.
Protection from malware
There are three primary elements to protect your device from malware.
a. Antivirus – Have a reputable, security app that has been through a battery of independent tests on your device. This is a basic starting point for malware security. In addition, a good security app will also have a history of testing results so look at a couple test results if you can.
b. Updates – Malware loves finding a device that runs outdated software. Stay ahead of these threats by having an updater installed. This takes the responsibility for finding and installing the latest updates for the many apps on your devices.
c. You – As the device user and owner, you are the most important layer of security. Look before you click on suspicious email attachments. Is the sender address correct? Are the links in the encrypted HTTPS? Does it feel correct? It’s ok to be suspicious – it could save your device from malware.
Alexander Vukcevic is the Director of Protection Labs & QA at Avira.
Gloss