In general, malware ranges from a simple annoyance like pop-up advertising to serious damage like stolen passwords and data or infection of other machines on your network. Malware accounts for at least 40% of all data breaches worldwide; the other 60% result from direct hacking. That hacking is not limited to multinational corporations: small businesses and home users are attacked as well, often precisely because they are easier targets.
Malware is as old as software itself, and although new variants appear constantly, they generally fall into a few broad categories. The most well-known type, the virus, is a harmful program designed to infect legitimate software. Once a person installs and runs the infected program, the virus activates and copies itself into other programs on the computer before taking further action, such as deleting critical operating system files. Worms are stand-alone programs that spread across a network on their own; unlike a virus, a worm does not need to attach itself to an existing program. The newest threat is data-encrypting malware, better known as ransomware: it encrypts the files on the computer and demands payment for the key, while leaving the computer itself usable so the victim can pay. In some cases, FIT has been successful in restoring encrypted data from Windows' Volume Shadow Copies (browsed with a tool such as ShadowExplorer); be aware that current ransomware commonly deletes the shadow copies before it starts encrypting, so an offline backup is the only reliable way back. Any malware can cause severe damage by exploiting, deleting or altering files and databases, which is why running a standalone anti-malware program alongside your antivirus program is a good idea.
Another common type of malware is the Trojan horse. As in the Greek myth, Trojans present themselves as harmless "gifts" in order to persuade victims to install them. They are socially engineered to trick or scare you into believing they are genuine. The easiest way to install a Trojan by accident is to click a link or open an attachment in unsolicited email. Emails claiming to come from a bank, a long-lost friend, PayPal, Facebook, FedEx, UPS or the FBI are the most common way computers get infected. Even if you think an email may be genuine, the safe course is to delete it and contact the company or person directly, by phone or by typing the company's web address yourself into a fresh browser window rather than following the link. Other Trojans are bundled with free software, games, pirated music or videos, free registry cleaners and similar utilities. Trojans often include a backdoor that allows unauthorized remote access to your computer; once a backdoor has been opened on a computer or server, we say it "has been hacked." Unlike viruses, Trojans do not normally inject themselves into other files or applications. It should also be noted that viruses are no longer the primary conduit of infections; Trojans arriving by email and bundled downloads are.
The last common type of malware is adware and spyware. Though not technically viruses, these programs invade your privacy, may contain malicious code and are at the very least a nuisance. Adware is financially motivated malware that usually shows up as unwanted advertisements. As you surf the web, ads you would not normally see are displayed in your browser; each click on one earns the adware operator a few cents from the advertiser, and that is how your computer is hijacked for profit. Some adware will also forcibly install software on computers with unpatched vulnerabilities. The most common adware (and some Trojans) install themselves through a fake Adobe Flash Player update that looks real because it is copied from the legitimate Adobe website. On closer inspection, the address shown in the browser makes it obvious that the page is not hosted on adobe.com. The important thing to remember is that legitimate updates come from the application itself or from the operating system's update mechanism; a "you must update now" prompt that appears out of nowhere while you are browsing is coming from the web page, not from the program. If you have any doubt, save any document you are working on, close the browser, restart the computer, then open the program the supposed update was for and let it update itself automatically, or perform a manual update from within the program if auto-update has been turned off. Then check your computer with Malwarebytes, the anti-malware program FIT considers the best available for Macs and PCs, to see if it is infected. FIT installs Malwarebytes Premium on every computer it services.
This is a sample of malware attempting to convince a Windows user to update Adobe Flash Player.
Note that the address bar does not show adobe.com as the site serving the page.
Mac users are also vulnerable to fake Adobe Flash Player updates. Though it is useful to know what a fake installer looks like, the simplest solution for both Windows and Mac users was to close any window claiming to be an update and go to Adobe's own Flash test page to check and update the player. Adobe ended support for Flash Player at the end of 2020 and current browsers no longer run it, so today any prompt to install or update Flash Player is fraudulent: close it.
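The two checks described above (does a link in an email really go where its text claims, and is an "update" page actually hosted on the vendor's domain) come down to looking at the host part of the URL, not the text around it. The following is an added example, not FIT's code or any vendor tool: it shows how to do both checks correctly, including the common trick of putting the real domain name at the front of a longer, unrelated hostname. The sample email and every address in it are constructed for the example (reserved documentation domains and addresses), not real sites.

```python
"""Check where a link really goes before trusting it (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


def hostname(url: str) -> str:
    """Return the lower-cased host part of a URL, or '' if it has none."""
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").rstrip(".").lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is domain itself or a subdomain of it.

    'adobe.com' and 'get.adobe.com' belong to adobe.com;
    'adobe.com.update-flash.example' and 'adobe-com.example' do not.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def url_belongs_to(url: str, domain: str) -> bool:
    """The check to apply to a download or 'update' page: is it on the vendor's domain?"""
    return host_belongs_to(hostname(url), domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# A hostname-looking token in the visible link text, e.g. "www.paypal.com/login".
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def mismatched_links(html: str) -> list:
    """Return (text, href) for anchors whose visible text names a domain that
    the href does not actually go to: the classic phishing trick."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue  # "Click here" style text makes no claim we can check
        claimed = match.group(1).lower()
        # Compare on the registrable part: 'www.paypal.com' claims paypal.com.
        claimed_domain = ".".join(claimed.split(".")[-2:])
        if not url_belongs_to(href, claimed_domain):
            flagged.append((text, href))
    return flagged


# Constructed sample email: one disguised link, one honest link, one that makes no claim.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify at
<a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/login</a>
or <a href="https://www.paypal.com/">www.paypal.com</a>.
Track your parcel: <a href="http://198.51.100.7/track">Click here</a></p>
"""

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_EMAIL):
        print("link text says %r but goes to %r" % (text, href))
    for url in ("https://get.adobe.com/flashplayer/",
                "http://adobe.com.flash-update.example/player",
                "https://evil.example/adobe.com/"):
        print(url, "-> on adobe.com:", url_belongs_to(url, "adobe.com"))
```

The important detail is that `host_belongs_to` compares whole labels from the right: `adobe.com.flash-update.example` ends in `.example`, not in `.adobe.com`, so it fails even though "adobe.com" appears in it, and a path like `/adobe.com/` on another host never counts. The same rule is what you apply by eye when a page tells you to "update Flash Player": look at the host in the address bar, and ignore everything after the first `/`.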
Spyware is a type of malware that surreptitiously gathers information and transmits it to interested parties. The information gathered includes the websites visited, browser and system details and the IP address. Spyware has no infection mechanism of its own and is usually dropped by a Trojan. Once dropped, it installs itself on the victim's computer and begins collecting information silently to avoid detection.
Zombies, bots and botnets are how "black hat" hackers, or cybercriminals, really monetize all the malware described above. If an unprotected computer or server becomes infected and is not correctly cleaned, a rootkit can be left behind; this is why FIT recommends running a standalone anti-malware program alongside an antivirus program. A rootkit hides itself, and the malware it protects, from the operating system's own tools, which makes it difficult to identify: a computer can still harbor a rootkit after a reputable antivirus program has reported it clean. Often the only clue is the behavior of the computer's TCP and UDP connections to the Internet while no web browser or email program is open; connections that no legitimate program should be making are the sign of rootkit or bot activity. Malwarebytes, Sophos, Kaspersky and other antivirus makers provide tools to discover rootkits, but the black hats test their new rootkits against these same products to make sure they go undetected before releasing them.
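To make the "look at the connections with no browser open" advice concrete, here is an added example (not FIT's procedure or a vendor tool) that triages the table printed by `netstat -ano` on Windows against a baseline of which programs are expected to be online and on which ports. The netstat text, the PID-to-process map (what `tasklist` would give you) and the baseline itself are all constructed for the example; the remote addresses are reserved documentation ranges and `winupdt.exe` is a made-up lookalike name standing in for a bot.

```python
"""Triage network connections for signs of bot activity (added example)."""
from collections import namedtuple

Conn = namedtuple("Conn", "proto local remote state pid")


def parse_netstat(text):
    """Parse the table printed by `netstat -ano`; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            conns.append(Conn(*parts))
        elif len(parts) == 4 and parts[0] == "UDP":  # UDP rows have no State column
            conns.append(Conn(parts[0], parts[1], parts[2], "", parts[3]))
    return conns


def split_addr(addr):
    """'203.0.113.5:443' -> ('203.0.113.5', 443); '*:*' -> ('*', -1)."""
    host, _, port = addr.rpartition(":")
    return host, int(port) if port.isdigit() else -1


# Baseline: programs expected to talk to the Internet on a quiet desktop and the
# remote ports each may use. Constructed for the example; a real baseline comes
# from observing the machine while it is known to be clean.
BASELINE = {
    "svchost.exe": {80, 443},        # Windows Update, time sync
    "chrome.exe": {80, 443},
    "outlook.exe": {443, 587, 993},
}
SPAM_PORT = 25  # a desktop has no business sending raw SMTP to the Internet

LOOPBACK = ("127.0.0.1", "[::1]", "0.0.0.0")


def triage(netstat_text, pid_map):
    """Return (reason, process, remote) for every live connection outside the baseline."""
    findings = []
    for c in parse_netstat(netstat_text):
        if c.state not in ("ESTABLISHED", "SYN_SENT"):
            continue  # listening and closing sockets are not judged here
        rhost, rport = split_addr(c.remote)
        if rhost in LOOPBACK:
            continue  # local-only traffic
        proc = pid_map.get(c.pid, "<unknown pid %s>" % c.pid)
        if rport == SPAM_PORT:
            findings.append(("outbound SMTP (spam bot?)", proc, c.remote))
        elif proc not in BASELINE:
            findings.append(("unexpected process online", proc, c.remote))
        elif rport not in BASELINE[proc]:
            findings.append(("unusual port for process", proc, c.remote))
    return findings


# Constructed sample: what netstat -ano might print with no browser open.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    192.0.2.10:49710       203.0.113.5:443        ESTABLISHED     1204
  TCP    192.0.2.10:49711       203.0.113.9:443        ESTABLISHED     4412
  TCP    192.0.2.10:49720       198.51.100.22:25       ESTABLISHED     3016
  TCP    192.0.2.10:49721       198.51.100.40:8443     ESTABLISHED     3016
  TCP    127.0.0.1:49722        127.0.0.1:49723        ESTABLISHED     4412
  UDP    0.0.0.0:5353           *:*                                    2200
"""
# Constructed PID -> process map, as `tasklist` would report it.
SAMPLE_PIDS = {"908": "svchost.exe", "1204": "svchost.exe", "4412": "outlook.exe",
               "3016": "winupdt.exe", "2200": "svchost.exe"}

if __name__ == "__main__":
    for reason, proc, remote in triage(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print("%-28s %-14s -> %s" % (reason, proc, remote))
```

Two caveats a practitioner should keep in mind. First, this is a triage heuristic, not proof: a flagged connection means "find out which program owns PID 3016 and why it talks SMTP", not "infected". Second, a kernel-level rootkit can hide its sockets from `netstat` itself (the page's point about rootkits applies to the tool you are using to look for them), so the more trustworthy view is from outside the machine, such as the connection log on your router or firewall, which the rootkit cannot edit.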
A "bot", short for internet robot, is a software application or script that performs tasks on command, such as sending spam email; bots are very good at repetitive tasks. There are good bots that do useful things like indexing websites, and there are malicious bots that let cybercriminals take complete remote control of infected computers. Those infected computers are called "zombies" and are usually part of a botnet.
Taking over one computer is useful, but the real value to a cybercriminal comes from infecting huge numbers of computers and networking them (a botnet) so they can all be controlled at once and perform large-scale malicious acts. As of March 2016 there were 5,699,236 computers worldwide (out of over 3 billion internet users) infected with bots and under the control of black hat hackers. These computer owners unwittingly put everyone at risk, and most would be shocked to learn that the spam we all receive is sent by millions of computers just like (and including) theirs. The owners can still use their computers, because the bot is shielded by a rootkit, and they are probably unaware that anything is wrong beyond the computer seeming slow at times. A rootkit can even hide files and folders from the operating system's own tools, so a hard drive that appears nearly empty could in fact be packed with files stolen through corporate espionage or millions of email addresses used for spam. Cybercriminals store petabytes of stolen information on compromised computers; it costs them nothing and shifts the risk onto the victim.
In fact, one botnet, Rustock, was disabled in March 2011 through collaboration between industry and law enforcement. It had approximately 1 million infected computers networked together and was capable of sending up to 30 billion spam emails a day. It was so large that when it was taken down, global spam volumes dropped by about 30% almost overnight. See a current global spam map from Sophos here.
Cybercriminals make money from their botnets in several ways. They may use the botnets themselves to send spam, sell illegal "medication," launch phishing attacks or run other scams to trick consumers out of their hard-earned money. They may also collect information from the bot-infected machines and use it to steal identities, make credit card purchases or open loan accounts in the victim's name. They may use their botnets for distributed denial-of-service (DDoS) attacks that flood a legitimate service, company or network with a crushing volume of traffic; that volume may severely slow the service's or network's ability to respond, or overwhelm the company's website entirely and take it offline. Revenue from DoS or DDoS attacks comes through extortion (pay, or have your site taken down) or through payments from groups interested in damaging a company or network, including "hacktivists" (hackers with political agendas) as well as foreign military and intelligence organizations. Cybercriminals may also lease their botnets to other criminals who want to do the same.
It can take only hours for an unprotected computer connected directly to the Internet (not behind a firewalled router) to be infected with malicious software, which underscores the need for every computer to have up-to-date applications and security software.
Here is a short list of nine of the worst worldwide botnets and the damage they caused:
In the last year nearly 84 billion pieces of spam have been sent by bots: