How do machines become infected with malware?
Fraudulent emails, SMS messages, fake websites, and shared resources — such as storage drives or files — can all be used as avenues for malware deployment.
One of the most common avenues for attack is phishing or spam emails that may appear to be from your bank, tax offices, or well-known brands such as Amazon, PayPal, or Facebook.
Fraudsters will often use social engineering tactics to lure victims into clicking suspicious links or falling for these fake emails by trying to generate fear, panic, or greed. For example, they may contain:
- Threats from a tax office demanding payment on pain of criminal prosecution
- Fake Amazon delivery notices or PayPal alerts about a transaction you never made
- Promises that you have won a prize, money from the lottery, or free cryptocurrency
- Threats to let all of your contacts know what adult websites you have been visiting
- Get rich quick schemes
In the business world, business email compromise (BEC) lures are tailored to the recipient’s role, typically HR matters, unpaid invoices, and requests for quotes.
If a target falls for a phishing email — which may be sent during a “spray and pray” mass spam campaign or through a tailored, spear-phishing exercise — they may be asked to click a link to a compromised or malicious website containing a payload, or alternatively, the email may contain a malicious attachment such as a Microsoft Word document, in which macros will fetch malware.
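The advice later on this page is to visit the organization’s domain directly rather than clicking through. The script below, added here as an example and not code from the original article, shows what that check looks like when automated: it pulls every link out of an HTML email body and flags the usual phishing tells, namely visible text that shows one URL while the href points elsewhere, raw IP hosts, punycode (IDN) hosts, and a trusted brand named in the host or link text while the link actually resolves to another domain. The brand allowlist and the sample message are constructed for illustration.

```python
"""Flag deceptive links in an HTML email body.

Added example, not code from the original article. The allowlist and the
sample message are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of brands the recipient actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com", "facebook.com"}

# Constructed sample message body; not a real phishing email.
SAMPLE_EMAIL = """
<p>Your PayPal account has been limited. Confirm within 24 hours.</p>
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>
<a href="http://xn--pypal-4ve.com/login">PayPal login</a>
<a href="http://198.51.100.23/track">Track your Amazon delivery</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude on purpose: production code
    should consult the public suffix list so co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(href, text):
    """Return the reasons a link looks deceptive (empty list if none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    actual = registrable_domain(host)

    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address as host")
    except ValueError:
        pass

    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host")

    # Visible text shows a URL whose domain differs from the real target.
    shown = re.search(r"https?://\S+", text)
    if shown:
        shown_domain = registrable_domain(urlparse(shown.group()).hostname or "")
        if shown_domain != actual:
            reasons.append(f"visible URL {shown_domain} != actual {actual}")

    # A trusted brand is named in the host or text, but the link lands elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if actual != trusted and (brand in host.lower() or brand in text.lower()):
            reasons.append(f"mentions {brand} but resolves to {actual}")
            break
    return reasons


def scan_email(html):
    """Map every href in the message to its list of warning reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyze_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href, reasons)
```

Only the genuine paypal.com help link comes back clean; the other three each trip at least one rule. The registrable-domain helper is deliberately naive and is the first thing to replace with a public-suffix-list lookup in real tooling.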
Other common infection vectors include:
- Malvertising via internet pop-ups: While technology vendors are clamping down on the older methods to deploy malware — such as pop-ups that claim your PC has been infected with malware — malvertising, the use of fake and malicious ads to drive malware, is still common. Victims may be asked to visit a website and download a file, such as a fake browser plugin or AV solution, that actually executes malware instead.
- Malicious, compromised websites: Malvertising, when served by third-party ad networks, can turn a legitimate domain into a springboard for malware distribution. In the same way, websites that have been compromised — such as through a back-end vulnerability in a content management system (CMS) — may serve visitors malicious packages or may reroute them to other domains owned by attackers.
- Malicious software updates: Cyberattackers are constantly evolving their tactics and techniques for infecting systems, and one of the more recent approaches is the supply-chain attack. Threat actors compromise a central entity, such as a company that develops popular software, and tamper with the updates it pushes automatically to users, so that the trusted update channel itself delivers the malware. The SolarWinds incident is a recent example of how much havoc this kind of cyberattack can cause. This vector is more commonly used to break into company networks than to target individual consumers.
- Software bundles: Some software may come bundled with malware or unwanted software, such as adware or spyware.
- Shared resources: There are malware variants in the wild that contain wormable functionality, allowing the programs to spread through shared resources including individual files, external storage, and USB drives.
Common online threats and malware to watch out for
The threats that can land on your PC are extensive, ranging from destructive malware to spyware that covertly monitors your activities, adware that constantly serves you adverts during browser sessions, and Potentially Unwanted Programs (PUP), also known as junk or nuisanceware. PUPs may serve ads, slow your PC, or download additional software without your explicit consent.
Malware is a blanket term for different kinds of malicious software, as explained below:
- Virus: A computer virus attaches itself to a legitimate file or program, modifies it, and self-propagates through devices and emails. Viruses may steal data, damage systems, and maintain persistence on an infected machine by executing every time the compromised application runs. They may also be polymorphic, changing their code on each infection to evade AV programs.
- Worm: Many malware variants now contain “worm” capabilities as part of a wider toolset. However, worms may also be standalone programs that spread through system networks or via email as malicious attachments. A worm is able to propagate once it lands on a vulnerable system and may also be designed to steal data, corrupt files, or degrade PC performance.
- Trojan: A Trojan, or Trojan horse, is a malware variant that is often disguised as a legitimate program. Once installed on a victim’s system, Trojans may establish a backdoor for persistent access, perform surveillance, download and execute additional malware, and steal information. Many Trojans today are focused on the theft of financial data.
- Ransomware: Ransomware has become one of the most potentially damaging types of malware to land on both consumer and enterprise systems. This malware variant encrypts the files on an infected system, prevents users from accessing their files and services, and throws up a ransom note demanding payment in cryptocurrency in return for a decryption key. Some of the worst ransomware incidents impacting businesses to date are the global WannaCry attack, the outbreak at Ireland’s health service, and the closure of Colonial Pipeline’s operations across the United States.
- Spyware: Spyware, also known in its worst forms as stalkerware, is unethical, privacy-invading software that spies on device users, collecting data including — but not limited to — browser activities and logs, email records, contact lists, social media activity, images, video, and VoIP logs. When installed on a mobile device, GPS data, location, and SMS/MMS messages may also be monitored.
- Adware: Legitimate adware may be installed with consent — for example, in return for a copy of otherwise paid-for software. However, abusive variants of adware unscrupulously push adverts to a user’s system in order for its operators to be paid.
- Rootkits: Rootkit malware can operate at the application, hypervisor, firmware, or kernel level of a system. These bundles of tools may be used to hide the activity of other malware payloads, operate with high privileges, and can often be very difficult to detect. A recent example of rootkit use has been described by Kaspersky under Operation Tunnelsnake.
- Botnets: Botnet malware recruits PCs, mobile devices, and Internet of Things (IoT) devices into a network of bots under a single operator, who can push further payloads to them and force them to take part in distributed denial-of-service (DDoS) attacks, send spam, and more.
- Hybrid: Today’s malware strains cannot always be cleanly categorized, and they may include modules for different purposes, such as ransomware functionality, backdoors, spyware functions, or the ability to perform fileless attacks.
- Cryptocurrency miners: Mining software such as XMRig is not inherently malicious, but cybercriminals deploy it on vulnerable servers and PCs in order to covertly mine for coins with stolen computing resources. These coins are then sent to a wallet controlled by the attacker.
What are the symptoms of a malware infection?
There are a number of changes to your device’s typical behavior that can indicate the existence of malware. These include:
- Poor performance: One of the first indicators that something isn’t quite right on your PC is a change in typical performance levels, such as high CPU load, freezes, crashes, and lags during browser sessions. If processing speed or performance suddenly changes, this may be an indicator of a malware infection. On a handset, similar symptoms may occur, such as plummeting battery life, extra heat generation, lags, and crashes. However, you cannot rely on CPU or resource usage alone as a sign that you are infected. Some malware, including cryptocurrency miner strains, will boot out competing malware and throttle its own resource usage to avoid causing performance problems, and therefore to avoid detection.
- Pop-up windows and browser redirection: If you experience unexpected advert bombardment or browser redirection, this may be a sign your sessions are being manipulated.
- PC and device changes: If you find programs suddenly appearing and executing that you are not familiar with, changes to a browser’s home page or search engine, or settings tweaks that you did not make, this could also be an indicator of infection.
- Loss of storage space: If your hard drives are filling up without any known reason, this could mean you have been compromised. This symptom is more common with adware and nuisanceware programs.
- Reports of unusual communication: If friends, colleagues, or associates ask you about emails or messages you have allegedly sent that appear to be suspicious, this could indicate that either your device is compromised or an account belonging to you has been hijacked.
- Locked screens: A typical sign of ransomware, in particular, is the inability to access your system beyond the home screen, on which a ransom note demanding payment will be loaded. In these cases, it is likely that your files have been encrypted and cannot be recovered without a decryptor or a backup.
- Disabled security software: If your existing antivirus software or firewall has been disabled without warning, this is a common indicator of malware infection.
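The locked-screen symptom is the last stage; by then the encryption has already run. The script below, added here as an example and not code from the original article, looks for the footprint ransomware leaves on disk before or after that point: ransom-note files (recognised by known names or extortion wording), document files whose bytes are near-random and carry an extra extension such as report.docx.locked, and other high-entropy files, which are normally legitimate compressed formats like JPEG or ZIP and are reported only for context. The note names, extension list and the sample directory are constructed for illustration and are not a catalogue of real families.

```python
"""Look for the on-disk footprint of ransomware.

Added example, not code from the original article. The indicators and the
sample tree are constructed for illustration.
"""
import math
import os
import tempfile
from collections import Counter

# Assumed, illustrative indicators. Real families use many other names.
RANSOM_NOTE_NAMES = {"how_to_decrypt.txt", "decrypt_instructions.html", "restore_my_files.txt"}
RANSOM_PHRASES = ("your files", "encrypted", "bitcoin", "decrypt")
DOCUMENT_EXTS = {"txt", "doc", "docx", "xls", "xlsx", "pdf", "jpg", "png"}
HIGH_ENTROPY = 7.5  # bits per byte; encrypted or compressed data approaches 8.0


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_like_ransom_note(name, data):
    """Known note filename, or at least three extortion phrases in the text."""
    if name.lower() in RANSOM_NOTE_NAMES:
        return True
    text = data[:4096].decode("utf-8", errors="ignore").lower()
    return sum(phrase in text for phrase in RANSOM_PHRASES) >= 3


def scan_directory(root):
    """Return relative paths grouped by indicator type, plus a file count."""
    findings = {"ransom_notes": [], "encrypted_candidates": [], "high_entropy_other": [], "total": 0}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings["total"] += 1
            with open(path, "rb") as fh:
                data = fh.read(65536)  # first 64 KiB is enough for an entropy estimate
            if looks_like_ransom_note(name, data):
                findings["ransom_notes"].append(rel)
                continue
            if shannon_entropy(data) < HIGH_ENTROPY:
                continue
            labels = name.lower().split(".")
            # report.docx.locked: a document extension with an extra suffix appended
            if len(labels) >= 3 and labels[-2] in DOCUMENT_EXTS:
                findings["encrypted_candidates"].append(rel)
            else:
                findings["high_entropy_other"].append(rel)
    return findings


def verdict(findings):
    if findings["ransom_notes"] and findings["encrypted_candidates"]:
        return "likely ransomware activity"
    if findings["encrypted_candidates"]:
        return "possible ransomware activity"
    return "no ransomware indicators"


def build_sample_tree():
    """Constructed sample directory; not data from any real incident."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    os.mkdir(os.path.join(root, "finance"))

    def put(rel, data):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

    plaintext = b"Quarterly sales figures, region north: 1234\n" * 200
    pseudo_ciphertext = bytes(range(256)) * 32  # every byte value equally likely: entropy 8.0
    put("notes.txt", plaintext)                           # untouched document
    put("holiday.jpg", pseudo_ciphertext)                 # stands in for a compressed image
    put("finance/report.docx.locked", pseudo_ciphertext)  # renamed and encrypted
    put("finance/budget.xlsx.locked", pseudo_ciphertext)
    put("finance/HOW_TO_DECRYPT.txt", b"Your files are encrypted. Send 0.5 Bitcoin to decrypt.\n")
    return root


if __name__ == "__main__":
    result = scan_directory(build_sample_tree())
    for key in ("ransom_notes", "encrypted_candidates", "high_entropy_other"):
        print(f"{key}: {result[key]}")
    print(verdict(result))
```

Entropy alone is a weak signal, which is why the script only calls a file an encryption candidate when high entropy coincides with a document extension that has had a suffix appended; a folder of photos or ZIP archives would otherwise light up the detector.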
What else can I do to protect my computer and mobile device?
No AV product is a catch-all security solution. It should be treated as one important layer in protecting your devices, working alongside general awareness, caution, and other security controls.
- Stay wary: If an email looks suspicious, trust your gut. If you receive a message from what appears to be a trusted source containing a link, for example, visit the organization’s domain directly rather than clicking through.
- Website downloads: Downloading files from dubious websites, such as crack, warez, or pirate domains, is usually asking for trouble.
- Third-party apps: It is generally recommended to only download apps from sources that have their own security mechanisms in place, such as Google Play or the Apple App Store.
- Firewalls: You should keep your operating system’s firewall software enabled at all times.
- Wi-Fi: Public, unsecured Wi-Fi hotspots should be avoided, as they may be honeypots or allow threat actors to monitor your activity and potentially redirect you to malicious websites. Instead, stick to networks you trust or use mobile connectivity.
- Backups: Make sure you back up valuable content on your devices frequently, and keep at least one copy offline or otherwise disconnected, since ransomware will also encrypt any backup it can reach. Backups won’t prevent an infection, but they let you recover should the worst happen.