Malware is the general name for software that has been written to intentionally cause harm.
One of the best known forms of malware are viruses and worms, which can spread automatically between computers, but there are many other forms, including ransomware and spyware.
Malware can be used for “persistence” - once an attacker breaches an organisation, they can use malware as a back door that they can access later at any time.
The nature of malware has evolved over time as computers became more and more connected and online commerce has grown.
This brief history of cyber-threats points out that early malware was designed more to show off technical skills, or was created out of curiosity.
However, once internet commerce became widespread, malware could be used to trick people into spending money, and more recently ransomware has become lucrative, where the malware locks up a company’s computer systems or data, and a payment is demanded to unlock it.
Today malware is used for several purposes.
A common form of malware is to gain control over a very large number of personal computers in order to later carry out a “Distributed Denial of Service” (DDoS) attack.
The malware is installed on innocent people’s computers using a virus, or even tricks like phishing; the malware sits dormant on the computer until it is activated (along with thousands or millions of other computers) to send requests to the victim’s site.
Since these computers are likely to be trusted, it is hard for the victim to block them without blocking legitimate customers, and so the targeted site either slows down or has to be shut down.
A DDoS attack is like sending someone a million letters - a single letter they are hoping to get will be lost, or else they have to commit huge resources to sorting out good mail from bad.
Ransomware typically works by finding a flaw in the security of a system, and capturing the victim’s data.
Bear in mind that this might be sensitive information, such as medical records held by a hospital, or financial records held by a finance organisation.
Without the data, the organisation can’t function, and if the data is published, the organisation could be ruined for not keeping their clients’ information private.
Ransomware became particularly feasible with the rise of cryptocurrency, which enables payments of a ransom to be untraceable.
A high profile ransomware attack in New Zealand was on the New Zealand stock exchange (NZX) in August 2020, where trading was disrupted for five days.
There are several defenses against malware.
Because malware is often designed to exploit weaknesses in a system, software developers and computer vendors will quickly update their software to block those weaknesses, and send out updates.
This can all happen in a matter of hours, so keeping systems as updated as possible can help keep ahead of attackers.
Also, malware is often delivered through the internet, so firewalls can try to block data transfers that look like they contain malware.
And importantly, since malware may try to block access to data, having the data backed up means that if an attack is successful, the system can still be restored from a backup.
This last defence doesn’t work if an attacker is going to reveal sensitive information, but it is useful if they do something like encrypting a company’s information.
For this reason, an important part of security is testing that backups are working.
Many organisations have been caught out because backups may have been running regularly, but no-one ever checked that the data could be recovered from the backups being made!
Another attack vector is to convince a user to install malware themselves!
This is sometimes done through phishing emails, or by unsolicited phone calls, where the user is told there’s a fault on their computer and they need to grant the caller access, who then installs the malware under the pretence that it is a fix to the system.
Preventing this line of attack involves making sure there is good public awareness of the issue.
Exercises to investigate examples of malware attacks
Exercise
Read up on details about an attack that was started with malware.
What could have been done to prevent the attack?
What were the weaknesses that were exploited?
What are some important lessons learned from the breach?
Are aspects of the attack kept secret by the victim, and if so, why?
Here are some examples, but see if you can find your own.