We hear about computer viruses and other types of malware all the time, be it in the news or from a friend or colleague who has been affected. Unfortunately, many of us also have first-hand experience with various types of malware. In fact, with 10 billion malware attacks detected in 2018, it’s very likely that you or someone you know has dealt with malware recently.
While there are methods to protect against, detect, and remove many forms of malware, some attacks are more stubborn. The key is knowing what to look out for and having a plan in place to deal with an attack.
In this post, we provide an encyclopedia of common computer viruses and other malware, as well as some other common terms related to malware attacks. At the end of the post, you’ll find advice on how to prevent malware attacks and tips for detection and removal.
Encyclopedia of common types of malware
Short for advertising supported software, this unwanted software bombards you with advertisements. Adware typically targets web browsers and earns money for its developers by presenting you with ads. It can represent a privacy risk as some adware can track your browsing history to help serve you targeted advertising, and your profile may be sold to third parties.
This password-stealing spyware is openly sold as software for monitoring your own computer. Licenses are bought in exchange for Bitcoin. Although the proprietors claim that it should not be used on computers without authorized access, they give tips on how to deploy the product while evading antivirus software.
A botnet associated with dozens of different malware families, Andromeda reportedly infected more than one million systems each month at its peak. The botnet was taken down by authorities in December 2017, but in late 2018, its impact was still being felt.
A banking Trojan targeting Android systems, Anubis is often delivered via malicious apps from within the Google Play Store. Once it’s executed, the malware requests permission for access to the device. If given, it can simulate button clicks and steal user data. It’s also capable of sending SMS spam, recording sound, taking screenshots, tracking location, and keylogging. An attack may even involve a ransomware component.
A backdoor is a method of bypassing regular authentication to gain access to a system. It is used by hackers to gain remote access to a computer or network.
Baldr is a stealer, similar to a banking Trojan, but with a slight twist. A stealer will enter a system, collect data, and leave right away. It looks for information such as browser history, passwords, cookies, and files that contain valuable data.
A cryptominer that targets enterprises, mainly in China. Beapy uses leaked US National Security Agency (NSA) hacking tools to spread through networks via malicious emails. It uses a file-based cryptojacking technique that is fast and efficient and can generate up to $750,000 per month.
A group of devices that are collectively controlled by malware and used to carry out some malicious activities. Device users may be completely unaware that malware has found its way onto their system and that their device is being used in such a manner.
A type of malware that makes modifications to a browser’s settings without permission from the user. It is typically used to inject advertisements and may replace specific pages, such as the homepage, error page, or search engine.
Thought to have gone away in 2017, this Windows-targeting Remote Access Trojan (RAT) surfaced again in 2019. It can steal credentials, log keystrokes, capture screenshots, and clean out cookies from browsers.
Cerber is a ransomware that gained prominence in 2016, but its variants continued to pop up in 2017. It encrypted Windows files and was typically spread via an email (both the attachment and a link within the email could execute the malware) or exploit kit. Some criminals got creative and spread Cerber ransomware via a US government site and a police surveillance system.
A type of malware that intercepts the contents of the victim’s clipboard. This takes advantage of the fact that we now have very long strings of characters to deal with, such as cryptocurrency wallet addresses and randomly-generated passwords.
A now-defunct coinminer that could be used by cybercriminals to siphon a victim’s computer-processing power for mining Monero.
Conficker (aka Downadup)
A worm that targets a Windows vulnerability and spreads fast. Conficker was originally discovered in 2007 and has one of the highest infection rates in the history of malware. Unsecured machines can still be infected with the worm, which can spread through corrupted removable devices such as USB sticks. Microsoft is still offering a bounty of $250,000 for information that leads to the capture of Conficker’s creators.
No, this isn’t a coinminer but it may have something to do with cryptocurrency. The aptly named CookieMiner targets Mac computers and is designed to steal browser cookies along with other information. It specifically targets cookies related to cryptocurrency wallet service providers and exchanges in an attempt to steal cryptocurrencies from people who frequent those sites. To help its cause, it also steals credit card information, login credentials, and text messages.
An early form of ransomware (initially detected in 2013) on which many subsequent ransomware attacks have been based. CryptoLocker was spread via email and encrypted Windows files.
In early 2019, this was cited as the top threat in the cryptominer market since Coinhive ceased operations.
A subset of malware that involves the mining of cryptocurrencies. Miners typically steal a host computer’s processing power, which is required for cryptomining.
A class of Trojans that alter DNS settings in order to redirect the victim’s web traffic without their knowledge.
A cyber espionage campaign designed to steal login credentials for email and other platforms. Those behind DNSpionage (suspected Iranian hackers) targeted entities within the private and government sectors in Lebanon and the UAE.
This banking Trojan, which first sprang up in 2012 and enabled attackers to target Facebook, Twitter, and Skype users, was thought to have been eliminated. However, an overhauled version resurfaced in 2018 that steals users’ credentials as they log in to online banking accounts.
A Trojan targeting the Windows platform, Dorvku collects system information along with sensitive information from browsers. It can create a remote connection such that its controller can perform various actions on the host device.
A drive-by download refers to the downloading of malware onto a device without any direct action from the user. Whereas most malware requires the user to click an ad, attachment, or link, for example, a drive-by download can be initiated simply by the user visiting a specific website.
A Trojan that attacks Windows systems and enables hackers to access sensitive data, install malware, and more. A May 2019 report from the Department of Homeland Security (DHS) identified this malware as being used in international espionage by North Korean hackers.
A modular banking Trojan that typically serves as a downloader for other banking Trojans. It also has worm-like features enabling it to spread rapidly across networks. Emotet has proven costly to the US government, with each incident costing up to $1 million.
The most common type of ransomware, encrypting ransomware will encrypt files and demand a ransom be paid in return for the decryption key. If paid, the criminal may or may not hand over instructions for obtaining the key.
These are automated programs that bundle multiple exploits. Each exploit is designed to take advantage of a specific known vulnerability in a popular software such as Adobe Flash or Internet Explorer. When a vulnerability is exploited, a malware payload can be dropped. Kits are used to spread a variety of malware types.
Fileless malware (aka non-malware or invisible malware)
A class of malware that loads directly onto a Windows system by hijacking built-in tools. It’s not stored in a file and doesn’t reside on the victim’s machine. Fileless malware is difficult to detect by antivirus software because there’s no digital signature to look out for.
This malware hijacks browsers in order to manipulate a user’s web traffic. It can use this to generate ad revenue. Fireball can also run code on a victim’s computer so can download any type of malware. By mid-2017, it had affected more than 250 million computers across the globe.
A remote access Trojan distributed by the cybercriminal group TA505 via phishing campaigns. The group mainly targets organizations in the retail and financial sectors.
This data-stealing, form-grabbing malware has been around since 2016. FormBook is typically delivered via malicious email attachments. The perpetrators behind this malware have mainly targeted the US and South Korea, with a particular focus on companies in the aerospace and defense contractor sectors, as well as manufacturing.
One of the most prolific botnets in history, this affects Windows machines. At the end of 2017, along with Necurs (see below), Gamut was responsible for the vast majority of all email spam.
A ransomware holding a large portion of the ransomware market in 2019. GandCrab targets Windows machines and spreads via email, popups, and exploit kits, and includes custom notes. Ransoms range from $600 to $700,000 and are usually demanded in Dash instead of Bitcoin.
A family of malware (mostly Trojans and some adware) that target Windows systems.
An exploit kit targeting Windows systems that distributes Trojans, coinminers, and ransomware.
This is a type of adware that showed up in Android apps in the Google Play Store. It performed an ad-clicking function that resulted in a profit for its creators. Apps containing the Guerilla malware were detected and removed from the Google Play Store in 2018.
A Trojan that opens a backdoor allowing a hacker to perform actions on the victim’s Windows computer. The hacker may be able to read and write to files and the registry, take screenshots, and create processes.
An adware and spyware that targets Android systems. Hiddad takes legitimate apps and repackages them before releasing them to a third-party store. This malware mainly displays ads, but it can also obtain sensitive data by accessing security information within the operating system.
An Android malware that mines Monero, HiddenMiner hides itself well on the device and continues to mine until resources are exhausted. It can lead to overheating and failure of the device.
A backdoor Trojan used by North Korean hackers. The Hoplight malware collects information about the infected device and sends it to a remote server. The remote connection also affords hackers the ability to send commands and carry out certain actions on the host device. In April 2019, the US government issued a security alert warning about Hoplight, which attributed the malware to North Korea’s primary government-backed hacking group, referred to as Hidden Cobra, Guardians of Peace, or the Lazarus Group.
Hybrids (aka exotic forms or blended threats)
These are some of the terms you may come across describing malware that combines two or more traditional types of malware. For example, a piece of malware may present itself as a harmless piece of software, classing it as a Trojan, but also spread like a worm, making it a Trojan worm.
This data-locking Trojan is the newest iteration of the Globe Imposter malware. It targets Windows PCs and is likely spread through fake updates, spam emails, and infected software. It encrypts files, adding the extension .IGAMI to the filename, and then drops a ransom note which uses strong social engineering tactics.
A new version of the DNSpionage malware discovered in 2019. Karkoff “improves” upon DNSpionage by allowing the authors to monitor and select targets.
A type of spyware that logs keystrokes. These have legitimate uses, such as for employers monitoring employees, but are often used maliciously to steal information.
A botnet that as of April 2018 was the largest in the world. Having the ability to evade detection by antivirus software, the Kraken botnet reportedly sent 9 billion spam messages per day.
A ransomware that surfaced in 2018 and was downloaded from the site of the legitimate anti-spyware vendor superantispyware.com. It checks the language and location of the Windows system before executing.
This banking Trojan was developed in 2014 and was able to perform tasks such as keylogging and form-grabbing (to steal online banking login credentials). It was developed such that it could be easily injected and was difficult to detect, bypassing antivirus software. An interesting fact about Kronos is that it was developed and distributed by Marcus Hutchins, the malware researcher who became an “accidental hero” in 2017 when he halted the spread of the WannaCry ransomware.
A spyware that can monitor, block, or modify emails. LightNeuron can also act as a backdoor enabling hackers to execute code remotely.
This banking Trojan targets Brazilian PC users. Although it hasn’t been found outside of Brazil yet, it’s still very new, having only been discovered in April 2019. LoadPCBanker primarily functions as spyware, more specifically a clipper, monitoring the clipboard of the infected device for passwords, credit card numbers, and other valuable information.
A Trojan that can covertly steal information. Because many email providers now effectively block many malicious emails, Lokibot creators attempt to bypass these detection systems by hiding the malware inside a .PNG file.
A tool utilized by hackers for exploiting Android vulnerabilities. Lotoor allows hackers to gain root privileges on a compromised mobile device.
An exploit kit that attacks Internet Explorer vulnerabilities. Magnitude versions usually target select Asian countries, for example, Magnitude EK targets South Korea.
The general term used to describe malicious software. Any file or program that can cause harm to a computer user is considered malware. There are many different types of malware such as Trojans, worms, spyware, ransomware, viruses, and more.
Online advertisements used to spread malware. These may be present on legitimate sites, often without the knowledge of the site owner.
A malware that infects devices such that they become part of a botnet. Mirai scans for Internet of Things (IoT) devices that use ARC processors. If the default username and password haven’t been changed, the device can become infected. Using its army of devices (or bots), the botnet can be employed to carry out DDoS attacks. One such attack on Dyn was believed to have involved 100,000 devices.
A remote access Trojan that targets Windows systems and surfaced around 2013. It disables the operation of an antivirus program and generates false alerts or error messages, prompting the user to install an updated version of application software or an antivirus program. In the background, the malware drops payloads and can spy on and threaten the user. The cybercriminal can eventually use the system as part of a botnet.
A botnet that uses Windows machines and has a new hiding technique enabling it to evade detection. Necurs has been used for various payloads, including cryptominers, banking Trojans, DDoS tools, and ransomware.
A Trojan worm that targets Windows machines and spreads easily from computer to computer by itself. NotPetya is infamous for causing massive damage costs to companies across the globe, estimated at $1.2 billion in total, including $300 million for the Danish company Maersk.
A Windows-targeting exploit kit which functioned via an “exploit-as-a-service” model. Nuclear hasn’t been around for a while, but at one point, the team behind it was reportedly earning around $100,000 per month by renting the kit to criminals.
A type of virus that can destroy original program code by overwriting data in the computer system’s memory. Overwrite viruses are considered more harmful than many others because they can cause permanent damage to a system.
Panda (aka Zeus Panda or Panda Banker)
A spin-off of the Zeus banking Trojan that also targets cryptocurrency and social media, among other industries.
A polymorphic virus—one that can create slightly different versions of itself to evade detection. Parite is a file infector worm that can infect all executable files on shared and local network drives of a Windows system.
Qbot (aka Qakbot)
This password-stealing malware was first detected a decade ago but resurfaced in 2019 attacking thousands of Windows systems. Qbot is periodically reconfigured by its controllers such that it is very difficult to detect.
A banking Trojan that steals credentials and personal data, among other information. At one point in 2018, Ramnit infected over 100,000 Windows machines in just two months.
A Trojan that installs malicious browser extensions or infects extensions that are already installed. First discovered in 2018, Razy can carry out its functions in Chrome, Firefox, and Yandex. The process is different within each browser, but the main functionality is to steal cryptocurrency. Razy does this through a combination of techniques, including replacing wallet addresses with that of the perpetrator, spoofing QR code images that point to wallets, modifying cryptocurrency exchange web pages, and spoofing search results.
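The clipper entry above and Razy both rely on the same trick: the address the user copies is not the address that gets pasted. One way a defender can catch that, shown here as an added example that is not code from the original article or from any product, is to compare every clipboard write against the user's own last copy action. The monitoring agent that records the events, the process names, and the wallet addresses are all assumptions constructed for the example; the address regexes are deliberately loose shape checks, not checksum validation.

```python
"""Clipper (clipboard-hijack) detection over a constructed event trace.

Added example; not code from the original article or from any product.
It assumes a hypothetical monitoring agent that records two kinds of
events: the user's own copy actions ("user_copy") and every change to the
clipboard contents ("clipboard_changed"), with the process responsible.
A clipper swaps one wallet address for another between the user's copy
and their paste, so the detector flags a clipboard change that was not a
user copy and replaces one address-shaped string with a different one.
"""
import re
from dataclasses import dataclass

# Loose address shapes, for illustration only (not exhaustive, no checksum):
# legacy/P2SH Bitcoin (base58), bech32 Bitcoin, and 0x-prefixed Ethereum.
ADDRESS_PATTERNS = [
    re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    re.compile(r"^bc1[a-z0-9]{25,62}$"),
    re.compile(r"^0x[0-9a-fA-F]{40}$"),
]


def looks_like_wallet_address(text: str) -> bool:
    """True if the text has the shape of a cryptocurrency address."""
    return any(p.match(text.strip()) for p in ADDRESS_PATTERNS)


@dataclass
class ClipboardEvent:
    t: float       # seconds since monitoring started
    source: str    # "user_copy" or "clipboard_changed"
    text: str      # clipboard contents after the event
    process: str   # process responsible for the change


def find_clipper_swaps(events, window_s: float = 5.0):
    """Return (time, original, replacement, process) for each suspicious swap.

    A swap is suspicious when the clipboard changed shortly after the user
    copied an address, the user did not copy again, and the new contents
    are a different address-shaped string.
    """
    alerts = []
    last_copy = None
    for ev in events:
        if ev.source == "user_copy":
            last_copy = ev
            continue
        # The clipboard write that carries out the user's own copy has the
        # same text as the copy event and is not a swap.
        if last_copy is None or ev.text == last_copy.text:
            continue
        if (ev.t - last_copy.t <= window_s
                and looks_like_wallet_address(last_copy.text)
                and looks_like_wallet_address(ev.text)):
            alerts.append((ev.t, last_copy.text, ev.text, ev.process))
    return alerts


# Constructed trace: the addresses and process names are made up.
USER_ADDR = "1UserWa11etConstructedAAAAAAAAAAAA"
ATTACKER_ADDR = "1AttackerWa11etConstructedBBBBBBBB"

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "user_copy", "meeting notes", "editor"),
    ClipboardEvent(0.0, "clipboard_changed", "meeting notes", "editor"),
    ClipboardEvent(30.0, "user_copy", USER_ADDR, "browser"),
    ClipboardEvent(30.0, "clipboard_changed", USER_ADDR, "browser"),
    # An unrelated process rewrites the clipboard 300 ms later: the swap.
    ClipboardEvent(30.3, "clipboard_changed", ATTACKER_ADDR, "updater.exe"),
    ClipboardEvent(95.0, "user_copy", "0x" + "ab" * 20, "browser"),
    ClipboardEvent(95.0, "clipboard_changed", "0x" + "ab" * 20, "browser"),
    ClipboardEvent(120.0, "user_copy", "lunch at noon", "chat"),
    ClipboardEvent(120.0, "clipboard_changed", "lunch at noon", "chat"),
]


def detect_sample():
    """Run the detector over the constructed trace."""
    return find_clipper_swaps(SAMPLE_EVENTS)


if __name__ == "__main__":
    for t, before, after, proc in detect_sample():
        print(f"t={t:.1f}s {proc} replaced {before} with {after}")
```

The time window keeps the rule quiet when the user simply copies something else later; the shape check keeps it quiet for clipboard managers that rewrite ordinary text. The practical habit this encodes for end users is the same one the entries imply: compare the pasted address with the one you copied before sending funds.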
A type of virus that remains stored within a computer’s memory. This enables it to infect additional files run by the computer, even if the original program is no longer running.
A malware family discovered in early 2019 that uses a multi-stage process, including initial delivery through an instant messaging client such as Skype, an encrypted file, an executable, and a downloader.
RIG exploit kit
An exploit kit targeting Adobe Flash used to spread banking Trojans, ransomware, coinminers, and more. This was one of the most popular kits doing the rounds in 2018 and early 2019.
The term used for a collection of software (often malware) that enables a hacker to gain remote access to and control over a system. The rootkit opens a backdoor and delivers various other types of malware, such as keylogger, ransomware, and viruses.
A Monero cryptominer that hit the news in 2018 when it attempted to exploit 30% of worldwide networks. RubyMiner finds vulnerable web servers to use in a mining pool.
A relatively new ransomware that targets enterprise victims. According to Security Boulevard, Ryuk is the main reason that the average ransom payment shelled out during a ransomware attack rose sharply by 90% in early 2019 to over $12,000.
A family of malware, the members of which are mostly worms. Sality worms typically run automatically and infect executable files on Windows systems through a discoverable or removable device. Some variants also combine a keylogger as well as a Trojan downloader for installing more malware.
This ransomware gained notoriety as one of the first pieces of malware to be used in highly targeted attacks that used custom infections. Organizations were studied prior to an attack so that vulnerabilities could be identified. Once a way in was selected, the attack was launched via a variety of methods, including exploit kits and brute force attacks. The attacks targeted government organizations and major companies, but the perpetrators were .
A type of ransomware that tells you that you have a computer virus and need to take action. The idea is that you’ll hand over money for a fake removal program that may in fact be another piece of malware. Scareware isn’t particularly common these days and is fairly simple to get rid of with antivirus software.
A rootkit affecting Windows systems that gains persistent access. Scranos can steal information stored in a browser, including passwords and payment information, and uses browsers to click ads to gain revenue for its creators.
A class of ransomware that limits your ability to access certain system functions and computer files.
A backdoor for establishing remote desktop access to Windows systems. Making the news in early 2019, ServHelper also acts as a downloader for the RAT, FlawedGrace.
A Trojan targeting Linux systems, Shellbot connects the victim’s system to the hacker to create a backdoor for stealing information and remote operation, including the delivery of additional malware.
This is a second-stage downloader that has been around since 2011, but its popularity dramatically increased in 2019. SmokeLoader is used to load other malware, including banking Trojans such as Retefe and Trickbot.
A Monero miner that used the same EternalBlue exploit that helped WannaCry proliferate. This miner managed to steal millions of dollars’ worth of Monero, having at one point more than half a million devices under its control.
A fileless encrypting ransomware that injects code into a legitimate Windows system process. It then self-destructs while the host process executes the encryption.
Spacefiller virus (aka cavity virus)
A rare class of virus that installs itself by filling empty parts of a file. This method of infection helps make the virus difficult to detect as the file size doesn’t change.
A class of malware that’s usually designed to steal information of some type, including internet usage data, credit card information, and login credentials. Depending on the type of spyware, it may be able to record keystrokes, capture screenshots, access and change your device settings, and even use your device’s camera and microphone.
New in 2019, this piece of malware is used by the threat group FIN7 (also known as Carbanak). SQLRat is distributed as a malicious email attachment and drops and executes SQL scripts within a compromised system. It doesn’t leave a trace, making it difficult to track or reverse-engineer.
An exploit kit that exploits Microsoft vulnerabilities through malicious Microsoft Office documents. Threadkit is used to spread various malware, including Trickbot and Lokibot.
First spotted in 2016, this banking Trojan continues to represent a threat. TrickBot’s persistency is thought to be in part due to its creators rolling out updates. As recently as late 2018, the UK’s National Cyber Security Centre rolled out a warning for small and medium-sized businesses to be on high alert for this malware.
Dubbed “the world’s most murderous malware” by MIT Tech Review, Triton was designed to attack specific physical safety systems. It can tamper with emergency systems and shut down processes, potentially leading to physical harm.
Also described as a Trojan horse, this subset of malware poses as a legitimate piece of software. A user is typically duped into downloading and executing the software by some means of social engineering and a cybercriminal uses the software to carry out some form of attack. Because users install Trojans, they can bypass firewalls that would normally prevent malware from communicating over the internet, and they often download more malware onto the device.
A malvertising software targeting Apple users, VeryMal uses a technique called steganography in which information is hidden in plain sight. It runs display ads purporting to be for Flash updates or PC repair software.
This Trojan has been around since 2014 but was spotted as recently as April 2019 posing as free antivirus software. Once installed on Windows systems, it can perform activities on the host computer without the victim’s knowledge, such as collecting system information, keylogging, establishing remote access connections, dropping malware, and carrying out DDoS attacks.
A type of malware that can propagate and spread from one computer to another. Most viruses involve an executable file, which means they require a user action to activate and spread.
A defect or weakness in a system that can be exploited in an attack. For example, a hacker can use some vulnerabilities to gain access to a system and drop a malware payload.
A ransomware worm targeting Windows operating systems. This was part of a major attack in May 2014 which affected hundreds of thousands of machines, holding information for ransom demanded in Bitcoin.
A type of malware that can replicate itself and spread from computer to computer across a network. The main difference between a worm and a virus is that a worm doesn’t need a host program or human help to spread.
Cryptomining software introduced in 2017 but that is still prominent in 2019. This open source CPU miner mines Monero and mainly targets MacOS and Linux systems but can work on Windows too.
A Trojan backdoor targeting Windows, XRat allows remote access to the affected computer. It runs in the background silently while waiting for commands from its controller. The hacker can carry out multiple actions including keylogging, sending emails, and downloading or uploading files.
A zero-day exploit takes advantage of a vulnerability for which there is no known patch.
A computer that is being used by a hacker for nefarious purposes without the knowledge of the computer’s owner. A hacker will usually exploit multiple devices at a time to form a zombie army (botnet).
What is malware used for?
We’ve discussed many types of malware and how it works, but why is malware used in the first place? There are a vast number of reasons a criminal might employ malware, but here are some of the most common:
- Steal confidential and sensitive information: Cybercriminals can get their hands on vast amounts of data via malware executed on computers or mobile devices. For example, login credentials, credit card information, digital wallet addresses, social security numbers, and plenty more can be stolen during an attack. This information can be used in other crimes (such as credit card fraud or identity theft) or sold to the highest bidder.
- Make money illegally: There are a plethora of ways that criminals can make money using malware, such as by stealing resources for mining cryptocurrency or selling your personal information to third parties.
- Cybervandalism: This refers to any kind of vandalism carried out using a computer. For example, a hacker may gain access to a website and deface or replace its homepage.
- Cyber-espionage: As it sounds, cyber-espionage is a form of spying that uses computers to steal confidential or sensitive information.
- Hacktivism: This refers to activism that involves activists (or hacktivists) misusing technology to promote a social or political agenda. For example, if a network is hacked in order to spread a political message, this would be considered hacktivism.
- Cyberwarfare: This is a broad term that describes the use of computers or networks to cause disruption or damage.
How to detect malware and remove it from your computer
It’s best to avoid having to deal with malware altogether by taking steps to protect your system (more on that in the next section). However, if you do find yourself stuck with an infected computer, there is still hope.
While the process of detection and removal will be different depending on the malware, there are general steps you can take:
- Download a scanner: Most reputable antivirus software includes a scanner. These programs run in real-time in the background. There are also on-demand scanning tools available such as Zemana Anti-Malware, Malwarebytes, and Kaspersky Virus Removal Tool. Note that if you already have antivirus software installed on your device and suspect you have been infected with malware, you should choose a different product to run. Even if your current antivirus is from a reputable provider, not all software works all of the time. If you suspect you’ve been hit with malware, then your antivirus might have missed it.
- Run the scanning tool: If for some reason you can’t download the scanning tool onto the infected device, try downloading it to another device and transferring it using a USB drive. Open the scanning tool and navigate the options to run a scan. Scans may take anywhere from five minutes to an hour to complete. If the scan comes up with nothing, you may want to try a different tool. Some tools have custom scan options that you can play with to see if you get different results.
- Remove infections: If the scanning tool detects infections, it should give you the option of removing them. You may need to restart your device to complete the removal process. Even if the malware appears to have been removed, it may still be worth using another scanning tool to confirm this.
If the scan comes up with nothing and problems persist, then you may have one of the trickier types of malware on your hands. In the worst case, you may be forced to do a fresh install of your operating system, but if you do this, don’t forget to run a full backup first.
Before considering a system reinstall, it’s worth delving deeper to identify the type of malware you’ve encountered and what your alternative options are. The following guides will help you learn about detecting and removing specific types of malware:
- Complete Guide to Windows Malware Removal and Prevention
- The best free rootkit removal, detection and scanner programs
- What ransomware is and how to prevent and remove it
- What is an exploit kit (with examples) and how do cybercriminals use them?
- How to remove spyware for free and which tools to use
- What is a botnet and how to avoid being part of one
- DNS changer malware: how to detect it and protect yourself
- Fileless malware attacks explained (with examples)
How to protect against malware
The best case is to have adequate protection measures in place to ensure malware doesn’t find its way onto your computer in the first place. Here are some top tips for virus and malware prevention.
1. Keep systems up to date
Most updates to operating systems and applications include patches to security vulnerabilities. With so many threat actors ready to exploit known vulnerabilities, it’s important to install updates as soon as possible after they are released.
This can be tricky for enterprises that operate huge networks of devices, and many companies have to prioritize which updates they run. This is why malicious parties still have success when targeting vulnerabilities long after they have been identified.
2. Use good antivirus software
While antivirus software can’t protect against every threat out there, it can do a good job of keeping the majority of malware at bay. The name comes from the fact that this type of software was originally developed to combat viruses. However, these days, it can protect against other types of malware, including Trojans, adware, spyware, and ransomware.
Antivirus software scans for and detects code of known malware and prevents it from entering your system. Most antivirus software can also remove some types of malware after it has found its way onto your device.
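To make the "scans for and detects code of known malware" sentence concrete, and to show why the polymorphic virus entry earlier (Parite) matters, here is an added example that is not code from the original article or from any antivirus product. It implements the simplest form of signature matching: a hex pattern with wildcard bytes, in the spirit of hex-string rules in tools such as YARA, compared against a whole-file hash blocklist. The signature, the samples, and the "variant" are constructed byte strings, not real malware.

```python
"""Byte-pattern signature scanning, the core idea behind an antivirus
scanner "detecting code of known malware", as a minimal illustration.

Added example; not code from the original article or from any antivirus
product. Signatures are hex strings in which "??" is a wildcard byte.
Comparing a whole-file hash catches only a byte-identical copy; a wildcard
pattern over the stable part of the code still catches a constructed
"variant" whose bytes differ only in the wildcard positions, which is the
gap that polymorphic malware aims at.
"""
import hashlib


def parse_signature(hex_pattern: str):
    """'DE AD ?? ?? BE EF' -> [0xDE, 0xAD, None, None, 0xBE, 0xEF]."""
    return [None if tok == "??" else int(tok, 16) for tok in hex_pattern.split()]


def find_pattern(data: bytes, pattern) -> int:
    """Offset of the first match of pattern in data, or -1 if absent."""
    n = len(pattern)
    for i in range(len(data) - n + 1):
        if all(b is None or data[i + j] == b for j, b in enumerate(pattern)):
            return i
    return -1


# Constructed signature database: name -> hex pattern with wildcards where
# the sample is known to vary between copies.
SIGNATURES = {
    "Constructed.Sample.A": "DE AD ?? ?? BE EF 90",
}


def scan(data: bytes):
    """Return [(signature_name, offset)] for every signature found in data."""
    hits = []
    for name, hex_pattern in SIGNATURES.items():
        off = find_pattern(data, parse_signature(hex_pattern))
        if off >= 0:
            hits.append((name, off))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: 8 bytes of padding either side of a short "core".
ORIGINAL = b"\x00" * 8 + b"\xde\xad\x01\x02\xbe\xef\x90" + b"\x00" * 8
# Same core, but the two bytes at the wildcard positions were changed.
VARIANT = b"\x00" * 8 + b"\xde\xad\x77\x88\xbe\xef\x90" + b"\x00" * 8
# Shares a few bytes with the signature but not the full pattern.
BENIGN = b"\x00" * 8 + b"\xde\xad\xbe\xef" + b"\x00" * 8

# Hash-based blocklist built from the original sample only.
KNOWN_HASHES = {sha256_hex(ORIGINAL)}


def hash_match(data: bytes) -> bool:
    """Exact-copy detection: True only for a byte-identical file."""
    return sha256_hex(data) in KNOWN_HASHES


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{label:9} hash-match={hash_match(sample)!s:5} signatures={scan(sample)}")
```

Running it shows the hash blocklist catching only the original, the wildcard signature catching both the original and the variant at offset 8, and nothing firing on the benign sample. Real scanners layer many more techniques (emulation, heuristics, behaviour monitoring) on top of this, which is why the article's advice to run a second on-demand scanner when one product finds nothing is sound: different products carry different signatures and heuristics.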
3. Use common sense
Most malware enters systems through malicious email attachments or links, or via ads. And most cases require some type of user action, usually a click, in order for the malware to be executed. As such, many successful malware attacks are entirely avoidable.
Be very cautious about opening emails, clicking links or advertisements, or opening attachments. Learn to spot suspicious emails by looking out for telltale signs such as a too-good-to-be-true offer, misspelled company names, and poor grammar.
Image credit: “HTTP” by Gerd Altmann licensed under CC BY 2.0