How Malware Infections Happen
From time to time, we will issue newsletters that focus on unpacking a given element of information security. In this briefing, we explore the topic of Malware.
Malware has been at the core of many of our previous briefings, be it because of ransomware, malware miners or advanced persistent threats. In this briefing, we will take a look at the different kinds of malware attacks users may face and what countermeasures work against them.
Common vs Targeted
The first critical distinction we have to make is between common malware and targeted malware.
Common malware doesn't have a specific target. It tries to infect as many machines as possible to have as much of an impact as possible. Whether by stealing money, encrypting files, mining cryptocurrencies or simply causing havoc, common malware tries to spread to and abuse as many computers as it can before antivirus software vendors become aware of it and start protecting their customers. This process usually takes anywhere between a few days and a few weeks.
Targeted malware is created to attack - as its name implies - a specific target. This is usually a specific company or organization but can also be a specific individual that has become the focus of attackers. Targeted malware is generally not designed to spread to as many machines as possible. Instead, its creators purposefully limit the spread to make detection by antivirus vendors trickier and thus extend the lifetime of their creation. It can take months or years until targeted malware is discovered.
Users commonly get infected by malware through one of two channels.
Vulnerable software that hasn't been updated properly or for which no patches are available. Malware may abuse these vulnerabilities to infect a large number of systems automatically and with very little or no user interaction. An example of this type of malware was the WannaCry worm, which targeted Windows XP systems after their support ended. Keeping all software up to date and avoiding shady websites can help mitigate the risk of being infected.
Manual downloads and executions. Malware can spread itself by email or through file sharing services. Once users find, download and execute the file, the malware takes over their machine. In some cases, it then uses the new machine to spread even further - for example by sending itself to all of a user’s email contacts. Being careful with email attachments and files downloaded from the internet is the best line of defense against this attack vector. Illegal files such as cracked software or cheat programs for popular games are especially likely to contain malware in a private context. In a corporate context, emails or links to file shares that unexpectedly contain executables or suspicious documents are likely avenues for infection.
Antivirus software is very effective against malware that it knows. Unfortunately, it is virtually useless against malware that it doesn't know. While advanced technologies to discern the maliciousness of unknown executables have been around for decades, their effectiveness is somewhat limited in practice.
For this reason, antivirus software is significantly better at protecting against common malware - which is spread widely and discovered quickly - than it is against targeted malware, which in extreme cases may only ever be used against one target. In the most general terms, this means that antivirus software is a reasonable line of defense for regular individuals - who are very unlikely to ever be explicitly targeted by attackers - but not a sufficient line of defense for people of interest or large organizations.
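To make the known-versus-unknown point concrete, here is a small added example (not part of this briefing) of how a signature-based scanner behaves. All sample "files", signature names and patterns are constructed for the illustration; the scanner only flags what its database already describes, so a family it has never seen passes through untouched.

```python
import hashlib
import re
from typing import Optional

# Constructed sample "files" (not real malware): a sample the vendor has
# already analysed, a later build of the same family with one string changed,
# a family the vendor has never seen, and a benign program.
KNOWN_SAMPLE = b"MZ\x90\x00demo-payload-build1\x00c2=example.invalid\x00"
LATER_BUILD = b"MZ\x90\x00demo-payload-build2\x00c2=example.invalid\x00"
UNKNOWN_FAMILY = b"MZ\x90\x00something-else-entirely\x00"
BENIGN_FILE = b"MZ\x90\x00hello-world\x00"

# Signature database as it looks once the vendor has seen KNOWN_SAMPLE.
# Detection names and the pattern are constructed for this example.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Trojan.A"}
PATTERN_SIGNATURES = {"Demo.Trojan.gen": re.compile(rb"demo-payload-build\d+")}


def scan_by_hash(data: bytes) -> Optional[str]:
    """Exact-match detection: flags only files whose hash the vendor has seen."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_by_pattern(data: bytes) -> Optional[str]:
    """Byte-pattern detection: also catches variants that keep the signed bytes."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(data: bytes) -> Optional[str]:
    """What a simple engine does: cheap hash lookup first, then byte patterns."""
    return scan_by_hash(data) or scan_by_pattern(data)


if __name__ == "__main__":
    samples = [("known sample", KNOWN_SAMPLE), ("later build", LATER_BUILD),
               ("unknown family", UNKNOWN_FAMILY), ("benign", BENIGN_FILE)]
    for label, blob in samples:
        print(f"{label:15} hash={scan_by_hash(blob)} pattern={scan_by_pattern(blob)}")
```

The later build is missed by the hash lookup but caught by the pattern, while the never-seen family is missed by both, which is exactly the gap that targeted malware exploits and that patching and cautious user behaviour have to cover.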
While no defense against malware is perfect, effective protection consists of two elements: technological and human.
On the technological side, keeping all software up to date and installing antivirus software can help protect against some kinds of malware.
On the human side, avoiding shady downloads and being suspicious of all files - even those supposedly sent by acquaintances - greatly decreases the risk of infection.
Organizations should additionally implement strict reporting policies to make sure that any malware infection can be effectively counteracted once it is discovered.