Malware—short for "malicious software"—is any software code or computer program intentionally written to harm a computer system or its users. Almost every modern cyberattack involves some type of malware. These malicious programs can take many forms, ranging from highly damaging and costly ransomware to merely annoying adware, depending on what cybercriminals aim to do.
Cybercriminals develop and use malware to:
There are billions of malware attacks every year (link resides outside ibm.com), and malware infections can happen on any device or operating system. Windows, Mac, iOS, and Android systems can all fall victim.
Increasingly, malware attacks target businesses rather than individual users, as hackers have learned it's more lucrative to go after organizations. Companies can be extorted for larger sums of money, and they often hold significant amounts of personal data that can be used for identity theft or sold on the dark web.
Cybercrime is a massive industry. According to one estimate (link resides outside ibm.com), it would be the world’s third-largest economy behind the US and China, projected to cost 10.5 trillion USD by 2025.
Within this industry, hackers constantly develop new strains of malware with new features and functionality. These individual malware strains spawn new variants over time to better evade security software. It is estimated (link resides outside ibm.com) that more than 1 billion different malware strains and variants have been created since the 1980s, making it difficult for cybersecurity professionals to keep up.
Hackers often share their malware by making the code open-source or selling it to other criminals. Malware-as-a-service arrangements are prevalent among ransomware developers, so that even criminals with little technical expertise can reap the rewards of cybercrime.
While the landscape is always shifting, malware strains can be categorized into a few common types.
The terms "malware" and "computer virus" are often used as synonyms, but a virus is technically a particular kind of malware. Specifically, a virus is malicious code that hijacks legitimate software to do damage and spread copies of itself.
Viruses can't act on their own. Instead, they hide snippets of their code in other executable programs. When a user starts the program, the virus begins running, too. Viruses are usually designed to delete important data, disrupt normal operations, and spread copies of themselves to other programs on the infected computer.
Most of the earliest malware threats were viruses. Elk Cloner, perhaps the first malware to spread through public devices, was a virus that targeted Apple computers.
Ransomware locks up a victim's devices or data and demands a ransom payment, usually in the form of cryptocurrency, to unlock them. According to IBM's X-Force Threat Intelligence Index, ransomware is the second most common type of cyberattack, accounting for 17% of attacks.
The most basic ransomware attacks render assets unusable until the ransom is paid, but cybercriminals may use additional tactics to increase the pressure on victims.
In a double extortion attack, cybercriminals steal data and threaten to leak it if they're not paid. In a triple extortion attack, hackers encrypt the victim's data, steal it, and threaten to take systems offline through a distributed denial-of-service (DDoS) attack.
Ransom demands can range from tens of thousands to millions of US dollars. According to one report (link resides outside ibm.com), the average ransom payment is USD 812,360. Even if victims don't pay, ransomware is costly. IBM's Cost of a Data Breach report found the average ransomware attack costs USD 4.54 million, not including the ransom itself.
Hackers use remote access malware to gain access to computers, servers, or other devices by creating or exploiting backdoors. According to the X-Force Threat Intelligence Index, planting backdoors is the most common objective for hackers, accounting for 21% of attacks.
Backdoors allow cybercriminals to do a lot. They can steal data or credentials, take control of a device, or install even more dangerous malware like ransomware. Some hackers use remote access malware to create backdoors they can sell to other hackers, which can fetch several thousand US dollars each.
Some remote access malware, like Back Orifice or CrossRAT, is intentionally crafted for malicious purposes. Hackers can also modify or misuse legitimate software to remotely access a device. In particular, cybercriminals have been known to use stolen credentials for Microsoft remote desktop protocol (RDP) as backdoors.
A botnet is a network of internet-connected, malware-infected devices under a hacker's control. Botnets can include PCs, mobile devices, Internet of Things (IoT) devices, and more. Victims often don't notice when their devices are part of a botnet. Hackers often use botnets to launch DDoS attacks, which bombard a target network with so much traffic that it slows to a crawl or shuts down completely.
Mirai, one of the most well-known botnets, was responsible for a massive 2016 attack against the Domain Name System provider Dyn, which took down popular websites like Twitter and Reddit for millions of users in the US and Europe (link resides outside ibm.com).
A cryptojacker is malware that takes control of a device and uses it to mine cryptocurrency, like bitcoin, without the owner's knowledge. Essentially, cryptojackers create cryptomining botnets.
Mining cryptocurrency is an extremely compute-intensive and expensive task. Cybercriminals profit while users of infected computers experience performance slowdowns and crashes. Cryptojackers often target enterprise cloud infrastructure, allowing them to marshal more resources for cryptomining than targeting individual computers.
Fileless malware is a kind of attack that uses vulnerabilities in legitimate software programs like web browsers and word processors to inject malicious code directly into a computer's memory. Since the code executes in memory, it leaves no traces on the hard drive. Because it uses legitimate software, it often evades detection.
Many fileless malware attacks use PowerShell, a command line interface and scripting tool built into Microsoft Windows operating systems. Hackers can execute PowerShell scripts to change configurations, steal passwords, or do other damage.
Malicious macros are another common vector for fileless attacks. Apps like Microsoft Word and Excel allow users to define macros, sets of commands that automate simple tasks like formatting text or performing calculations. Hackers can store malicious scripts in these macros; when a user opens the file, those scripts automatically execute.
Worms are self-replicating malicious programs that can spread between apps and devices without human interaction. (Compare to a virus, which can only spread if a user runs a compromised program.) While some worms do nothing more than spread, many have more severe consequences. For example, the WannaCry ransomware, which caused an estimated USD 4 billion in damages, was a worm that maximized its impact by automatically spreading between connected devices.
Trojan horses disguise themselves as useful programs or hide within legitimate software to trick users into installing them. A remote access Trojan or "RAT" creates a secret backdoor on the infected device. Another type of Trojan, called a "dropper," installs additional malware once it has a foothold. Ryuk, one of the most devastating recent ransomware strains, used the Emotet Trojan to infect devices.
Rootkits are malware packages that allow hackers to gain privileged, administrator-level access to a computer's operating system or other assets. Hackers can then use these elevated permissions to do virtually anything they want, like adding and removing users or reconfiguring apps. Hackers often use rootkits to hide malicious processes or disable security software that might catch them.
Scareware frightens users into downloading malware or passing sensitive information to a fraudster. Scareware often appears as a sudden pop-up with an urgent message, usually warning the user that they've broken the law or their device has a virus. The pop-up directs the user to pay a "fine" or download fake security software that turns out to be actual malware.
Spyware hides on an infected computer, secretly gathering sensitive information and transmitting it back to an attacker. One common type of spyware, called a keylogger, records all of a user's keystrokes, allowing hackers to harvest usernames, passwords, bank account and credit card numbers, Social Security numbers, and other sensitive data.
Adware spams a device with unwanted pop-up ads. Adware is often included with free software, unbeknownst to the user. When the user installs the program, they unwittingly install the adware, too. Most adware is little more than an annoyance, but some harvest personal data, redirect web browsers to malicious websites, or even download more malware onto the user's device if they click one of the pop-ups.
A malware attack has two components: the malware payload and the attack vector. The payload is the malicious code the hackers want to plant, and the attack vector is how the payload is delivered to the target.
Some of the most common malware vectors include:
Social engineering attacks psychologically manipulate people into doing things they shouldn't do—like downloading malware. Phishing attacks, which use fraudulent emails or text messages to trick users, are particularly common. According to the X-Force Threat Intelligence Index, phishing is a factor in 41% of malware infections.
Phishing emails and messages are often crafted to look like they come from a trusted brand or individual. They typically try to evoke strong emotions like fear ("We've found nine viruses on your phone!"), greed ("You have an unclaimed payment waiting for you!"), or urgency ("You're running out of time to claim your free gift!") to get users to take the desired action. Usually, the action is opening a malicious email attachment or visiting a malicious website that loads malware onto their device.
Cybercriminals are constantly searching for unpatched vulnerabilities in software, devices, and networks that allow them to inject malware into the target's software or firmware. IoT devices—many of which are sold and deployed with minimal or no security—are an especially fertile field for cybercriminals sowing malware.
Using a tactic called "baiting," hackers may place infected USB drives adorned with attention-grabbing labels in public places like coworking spaces or coffee shops. Enticed by these drives, unsuspecting users may plug them into their devices to see what they contain—and the malware infects their system. One recent study found that 37% of known cyberthreats are designed to exploit removable media (link resides outside ibm.com).
Many forms of malware, like Trojans and adware, disguise themselves as useful software or free copies of movies and music. Ironically, they often masquerade as free antivirus programs or apps that will improve device performance. While torrenting networks where users share pirated media are notorious playgrounds for cybercriminals, hidden malware can also make its way into legitimate marketplaces. Recently, the Goldoson malware (link resides outside ibm.com) was able to infect millions of devices by hiding in apps available through the Google Play store.
Malvertising is when hackers place malicious ads in legitimate ad networks or hijack legitimate ads to deliver malicious code. For example, the Bumblebee malware (link resides outside ibm.com) spread through a malicious Google ad posing as Cisco AnyConnect. Users searching for the real thing would see the ad in their search results, click it, and unwittingly download malware. A related technique called "drive-by downloads" makes it so that users don't even have to click anything: As soon as they visit a malicious website, the download automatically starts.
In corporate networks, users' personal devices can be prime malware vectors. Users' smartphones and laptops can be infected during their personal time, when they are connecting to unsecured networks without the benefit of the company's security solutions. When users bring those devices to work, the malware can spread to the corporate network.
If a vendor's network is compromised, malware can spread to the networks of companies using that vendor's products and services. For example, cybercriminals took advantage of a flaw in Kaseya's VSA platform (link resides outside ibm.com) to spread ransomware to customers under the guise of a legitimate software update.
Some malware infections, like ransomware, announce themselves. Most, however, try to stay out of sight as they wreak havoc. Still, malware infections often leave behind signs that cybersecurity teams can use to identify them. These include:
Performance declines: Malware programs use the infected computer's resources to run, often eating up storage space and disrupting legitimate processes. The IT support team may notice an influx of tickets from users whose devices are slowing down, crashing, or flooded with pop-ups.
New and unexpected network activity: IT and security staff may notice strange patterns, such as processes using more bandwidth than normal, devices communicating with unknown servers, or user accounts accessing assets they don't usually use.
Changed configurations: Some malware strains alter device configurations or disable security solutions to avoid detection. IT and security teams may notice that, for example, firewall rules have changed or an account's privileges have been elevated.
Security event alerts: For organizations with threat detection solutions in place, the first sign of a malware infection is likely to be a security event alert. Solutions like intrusion detection systems (IDS), security information and event management (SIEM) platforms, and antivirus software can flag potential malware activity for the incident response team to review.
Malware attacks are inevitable, but there are steps organizations can take to strengthen their defenses. These include:
Security awareness training: Many malware infections result from users downloading fake software or falling for phishing scams. Security awareness training can help users spot social engineering attacks, malicious websites, and fake apps. Security awareness training can also educate users on what to do and who to contact if they suspect a malware threat.
Security policies: Requiring strong passwords, multi-factor authentication, and VPNs when accessing sensitive assets over unsecured wifi can help limit hackers' access to users' accounts. Instituting a regular schedule for patch management, vulnerability assessments, and penetration testing can also help catch software and device vulnerabilities before cybercriminals exploit them. Policies for managing BYOD devices and preventing shadow IT can help prevent users from unknowingly bringing malware onto the corporate network.
Backups: Maintaining updated backups of sensitive data and system images, ideally on hard drives or other devices that can be disconnected from the network, can make it easier to recover from malware attacks.
Zero trust network architecture: Zero trust is an approach to network security in which users are never trusted and always verified. In particular, zero trust implements the principle of least privilege, network microsegmentation, and continuous adaptive authentication to ensure that no user or device can access sensitive data or assets they shouldn't. If malware gets onto the network, these controls can limit its lateral movement.
Incident response plans: Creating incident response plans for different types of malware ahead of time can help cybersecurity teams eradicate malware infections more quickly.
In addition to the manual tactics outlined above, cybersecurity teams can use security solutions to automate aspects of malware removal, detection, and prevention. Common tools include:
Antivirus software: Also called "anti-malware" software, antivirus programs scan systems for signs of infections. In addition to alerting users, many antivirus programs can automatically isolate and remove malware upon detection.
Firewalls: Firewalls can block some malicious traffic from reaching the network in the first place. If malware does make it onto a network device, firewalls can help thwart outgoing communications to hackers, like a keylogger sending keystrokes back to the attacker.
Security information and event management (SIEM) platforms: SIEMs collect information from internal security tools, aggregate it in a central log, and flag anomalies. Because SIEMs centralize alerts from multiple sources, they can make it easier to spot subtle signs of malware.
Security orchestration, automation, and response (SOAR) platforms: SOARs integrate and coordinate disparate security tools, enabling security teams to create semi- or fully automated playbooks for responding to malware in real-time.
Endpoint detection and response (EDR) platforms: EDRs monitor endpoint devices, like smartphones, laptops, and servers, for signs of suspicious activity, and they can automatically respond to detected malware.
Extended detection and response (XDR) platforms: XDRs integrate security tools and operations across all security layers—users, endpoints, email, applications, networks, cloud workloads, and data. XDRs can help automate complex malware prevention, detection, investigation, and response processes, including proactive threat hunting.
Attack surface management (ASM) tools: ASM tools continuously discover, analyze, remediate, and monitor all assets in an organization's network. ASM can be useful in helping cybersecurity teams catch unauthorized shadow IT apps and devices that may carry malware.
Unified endpoint management (UEM): UEM software monitors, manages, and secures all of an organization's end-user devices, including desktops, laptops, and mobile devices. Many organizations use UEM solutions to help ensure employees' BYOD devices don't bring malware into the corporate network.
Outsmart attacks with a connected, modernized security suite. The QRadar portfolio is embedded with enterprise-grade AI and offers integrated products for endpoint security, log management, SIEM and SOAR—all with a common user interface, shared insights and connected workflows.
Proactive threat hunting, continuous monitoring and a deep investigation of threats are just a few of the priorities facing an already busy IT department. Having a trusted incident response team on standby can reduce your response time, minimize the impact of a cyberattack, and help you recover faster.
To prevent and combat modern ransomware threats, IBM uses insight from 800 TB of threat activity data, information on more than 17 million spam and phishing attacks and reputation data on nearly 1 million malicious IP addresses from a network of 270 million endpoints.
Cyberattacks are unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.
Ransomware holds victims' devices and data hostage until a ransom is paid. Learn how ransomware works, why it has proliferated in recent years, and how organizations defend against it.
Zero trust is a framework that assumes a complex network’s security is always at risk to external and internal threats. It helps organize and strategize a thorough approach to counter those threats.
Each year, IBM Security X-Force—our in-house team of cybersecurity experts and remediators—mines billions of data points to expose today’s most urgent security statistics and trends.
Cybersecurity threats are becoming more advanced and more persistent, and demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM makes it easy to remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others simply miss.