Introduction
Malware, or malicious software, is a growing threat faced by internet users worldwide. Malware includes viruses, worms, Trojan horses, ransomware, and other malicious programs designed to infiltrate computers without the owner’s informed consent. The purpose of malware varies from data theft and espionage to disrupting systems and holding data for ransom. As technology advances, so do the techniques used by malware authors to evade detection and harm victims. Understanding malware through technical analysis and research is crucial to developing effective defenses and educating the public. This paper aims to provide an in-depth overview of current malware threats based on technical white papers and research. Key aspects covered include prevalent malware types, infection vectors, evasion techniques, and recommendations for improved security.
Common Types of Malware
Viruses: A computer virus is a type of malicious software that replicates itself to spread to other computers. When an infected file is opened, the virus executes and copies its code into other files, spreading throughout the computer or a network. Famous historic viruses include Creeper, Elk Cloner and Brain.
Worms: A computer worm is a standalone malware program that replicates itself to spread to other computers. Unlike viruses, worms do not require human actions to propagate and spread automatically from system to system through network connections. Notable worms include Morris Worm, Code Red, and Blaster.
Trojans: A Trojan, short for Trojan horse, is a destructive program that misleads users about its true intent. Trojans often disguise themselves as regular software applications to trick users into installing them. Once installed, they carry out malicious actions such as hijacking web traffic, installing additional malware or stealing sensitive information from the infected system. Examples are keyloggers, backdoors and infostealers.
Ransomware: Ransomware is a growing threat that locks users out of computer systems or data and demands a ransom payment to restore access. Attackers use phishing emails or exploit software vulnerabilities to install ransomware, which then uses public key encryption to deny users access to their data and threatens deletion unless a ransom is paid. Notable ransomware families are WannaCry, REvil and BitPaymer.
Adware: Adware refers to software designed to display unwanted advertisements on an infected system. While some forms can be intrusive, other variants utilize far more deceptive techniques to infect users and generate ad revenue. Prevalent adware includes CometCursor, PopCash and Cydoor.
Infection Vectors
Malware authors employ various techniques to distribute their threats and gain access to new victims. The most common infection vectors today include:
Email Attachments and Links: Malicious emails containing infected attachments or links are one of the oldest yet most effective malware distribution methods. Phishing lures users into opening attachments harboring viruses or clicking links that load malware onto their machines.
Drive-by Downloads: Drive-by downloads target users by exploiting software vulnerabilities on websites to silently download and execute malware without the user’s knowledge or permission. Visiting compromised or malicious sites leads to infection.
Software Vulnerabilities: Attackers actively scan for and target unpatched software bugs/flaws. Successful exploitation of vulnerabilities in widely used programs enables remote code execution of malware payloads.
Third-party Software: Freely available software applications from untrusted sources pose risks. Besides vulnerabilities, such software may harbor trojans or download additional malware during or after installation.
File Sharing Networks: P2P networks allow downloading unverified files from unknown users, some of which may harbor viruses, trojans or backdoors. Torrent sites in particular remain a thriving underground distribution network.
Mobile Apps: As more activities shift to mobile, threats now actively target users via infected or malicious apps available on official/third-party app stores or via SMS/social engineering.
Evasion Techniques
Malware authors employ various techniques to avoid detection by antivirus software and security solutions:
Packing & Encryption: Encrypting malicious payloads or packing/compressing programs makes static analysis difficult. These techniques hide program behavior from signature-based detection until the payload is unpacked at run time.
Polymorphism: This technique allows malware to change its internal code structure and external signatures each time it replicates, evolving new variants undetectable by signatures of previous forms.
Anti-Virtualization: Detecting if running in a virtual/sandboxed environment enables malware to alter its behavior or remain inactive to fool analysis.
Domain Generation Algorithms: Algorithmically generated domain names within malware communication prevent blacklisting of specific C&C servers, since the malware and its operators can both compute the next set of rendezvous domains. This keeps the command and exfiltration channel available even when individual domains are taken down.
Blended Threats: Combining benign and malicious functionality confounds analysis by blending in with legitimate programs. For example, trojans can pose as video players to encrypt/steal files.
Sandbox Evasion: Elaborate checks allow malware to detect analysis sandbox environments and alter execution accordingly to evade dynamic behavioral analysis.
Code Obfuscation: Static packers and obfuscators scramble program syntax and semantics to obstruct reverse engineering efforts. Variable renaming, instruction substitution and similar transformations are used to obscure logic and functionality.
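As an added defender-side illustration of the Domain Generation Algorithms item above (this is example code written for this overview, not code from the paper), the following Python heuristic scores the second-level label of each queried name by entropy, consonant ratio, length and digit content, and flags likely algorithmically generated domains in a few constructed DNS query log lines. The log format (timestamp, client IP, queried name) and the scoring thresholds are assumptions, not a standard.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real traffic): "<timestamp> <client> <queried name>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com
2024-01-01T10:00:03Z 10.0.0.7 xk3jq9vztp2lm.com
2024-01-01T10:00:04Z 10.0.0.7 qwpzjfhtbvxk.net
2024-01-01T10:00:05Z 10.0.0.9 cdn.wikipedia.org
"""

def shannon_entropy(s):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(fqdn):
    """Second-level label (assumes a single-label public suffix such as .com)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label):
    """Count how many DGA-typical traits the label shows (0..4). Thresholds are assumed."""
    if not label:
        return 0
    vowels = sum(ch in "aeiou" for ch in label)
    consonant_ratio = 1 - vowels / len(label)
    digits = sum(ch.isdigit() for ch in label)
    score = 0
    score += shannon_entropy(label) > 3.0      # many distinct characters
    score += consonant_ratio > 0.75            # unpronounceable
    score += len(label) >= 12                  # long random label
    score += digits > 0                        # mixed letters and digits
    return int(score)

def flag_dga_candidates(log_text, threshold=2):
    """Return (client, name, score) for queries whose label meets the threshold."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                            # skip malformed lines
        _ts, client, name = fields
        score = dga_score(registrable_label(name))
        if score >= threshold:
            flagged.append((client, name, score))
    return flagged
```

Heuristics like this raise alerts for triage, not verdicts: short brand names with few vowels can score one point, and a DGA that concatenates dictionary words will score low, so the output is best correlated with NXDOMAIN bursts from the same client.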
Recommendations
To effectively defend against modern malware, a multi-layered approach encompassing both technical and user awareness-based defenses is needed:
Keep software updated and patched to eliminate vulnerabilities exploitable by malware. Use firewalls, security software and deploy employee security awareness training.
Exercise caution regarding emails, links and files from untrusted sources. Verify authenticity before opening attachments or visiting links.
Use robust security software incorporating multiple detection techniques like signatures, behavior analysis, machine learning. Cloud-based solutions ensure up-to-date protection.
Isolate potentially infected systems using network segmentation. Limit spread within the internal network in case of a breach until the affected systems are disinfected.
Regular data backups ensure recovery even if data is ransomed. Enable account, firewall and software logs for timely auditing and incident response.
Carefully vet any downloaded software from third-party sources. Consider using application white-listing on endpoints for tight control.
Technology alone cannot solve the problem. Raising user awareness regarding secure online behavior and how to identify social engineering is equally critical.
Conclusion
As malware distribution methodologies grow sophisticated through constant technical evolution, so too must our defenses through diligent research and awareness of emerging threats. While complete eradication may not be feasible, a balanced, vigilant approach combining people and technology-based security best positions organizations against the dynamic landscape of cyber threats. Understanding malware through open research also crowdsources solutions building resilience across connected communities.
