What is Malicious Code?
Today’s cyber threat landscape has become more sophisticated and challenging. The number of cyberattacks and data breaches has skyrocketed in the last few years, both in size and scope. Recent malware statistics show that malware is still a significant problem worldwide. At the center of these security challenges is a sinister class of application called malicious code. Malicious code, or malware, is any software intentionally created to act against the interests of the computer user by damaging the computer system or compromising data stored on it.
Since broadband internet access became ubiquitous, malicious software has more frequently been designed to take control of users’ computers for profit and other illicit purposes such as data modification, theft, destruction, sabotage, or hostage-taking. Most malware can install itself on the victim’s system, make copies of itself and spread to other victims, use an event to trigger execution of its payload (stealing or deleting files, installing backdoors, etc.), remove itself after the payload has executed, and use all kinds of evasion techniques to avoid being detected. Some of the methods used to evade detection include:
- Fingerprinting the environment it is executed in so that it can evade detection.
- Confusing automated detection tools such as signature-based antivirus software, for example by changing the server used by the malware.
- Executing only after specific actions taken by the user or during specific vulnerable periods, such as the boot process, while remaining dormant the rest of the time.
- Obfuscating internal data so that automated tools do not detect the malware.
- Using information-hiding techniques such as steganography to evade detection (stegomalware).
How do malware infections happen?
Malware infections can affect your computer, application, or an entire network. The infections take place through a variety of means, including physical and virtual. Malware authors often use tricks to try to convince users to download and open malicious files. For example, phishing attacks are a common malware delivery method where emails disguised as legitimate messages contain malicious links or attachments that can deliver the malware executable file to unsuspecting users.
Malware can also spread through infected removable drives such as USB flash drives or external hard drives. The malware can be automatically installed when you connect the infected drive to your PC. In addition, some malware comes bundled with other software that you download. This includes software from third-party websites, files shared through peer-to-peer networks, programs used to generate software keys (keygens), browser toolbars, and plugins, among others.
Attackers can take advantage of defects (vulnerabilities) in existing software caused by insecure coding practices to infect your application with malicious code. The malicious code can arrive through injection attacks (SQL injection, JSON injection, cross-site scripting, etc.), directory traversal attacks, cross-site request forgery (CSRF) attacks, among others. A typical example of a software defect is the buffer overflow vulnerability. Much malware exploits buffer overflow vulnerabilities to compromise target applications or systems.
Sophisticated malware attacks often feature the use of a command-and-control server that enables malicious actors to communicate and control infected systems in a botnet to steal sensitive data or get them to do their bidding.
How can you tell whether your computer has been infected with malicious code? A user may be able to detect a malware infection by observing unusual activity such as a sudden loss of disk space, sluggish performance, strange cursor movements or mouse clicks, denial of access to the device or its data, the appearance of unknown applications the user did not install, anomalous network traffic, among others.
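The "anomalous network traffic" indicator above is most useful when it is tied to the command-and-control behaviour described earlier: an infected host in a botnet checks in with its C2 server on a schedule, and regular timing stands out against bursty human browsing. The following is an added example, not code from the original article, of one simple way a defender can surface such beaconing from connection logs. The log format, IP addresses, timestamps, and thresholds are all constructed for this demonstration.

```python
"""Constructed example: spotting command-and-control beaconing in connection logs.

Malware in a botnet typically phones home to its C2 server on a fixed
schedule. Human browsing is bursty; beacons are regular. Grouping outbound
connections by (source, destination) and measuring how regular the gaps
between connections are is one way to turn 'anomalous network traffic'
into a concrete check. The log format and all values below are constructed
for this example and are not from any real capture."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<timestamp> <src_ip> <dst_ip>:<dst_port> <bytes>"
# 203.0.113.7 is contacted every 60 s with identical sizes (a beacon);
# 198.51.100.20 is contacted at irregular intervals (normal use).
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T10:00:09 10.0.0.5 198.51.100.20:443 14000
2024-03-01T10:01:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T10:01:41 10.0.0.5 198.51.100.44:80 900
2024-03-01T10:02:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T10:02:03 10.0.0.5 198.51.100.20:443 2200
2024-03-01T10:02:10 10.0.0.5 198.51.100.20:443 6100
2024-03-01T10:03:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T10:04:00 10.0.0.5 203.0.113.7:443 512
2024-03-01T10:04:55 10.0.0.5 198.51.100.20:443 300
"""

def parse_connections(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beacons(text, min_connections=4, max_jitter=0.1):
    """Return {(src, dst): (mean_interval_s, jitter)} for flows whose
    inter-connection gaps are nearly constant.

    jitter = population stdev(gaps) / mean(gaps). A beacon without
    randomised sleep sits near 0; interactive traffic is far higher.
    Flows with fewer than min_connections samples are skipped because
    the statistic is meaningless on two or three points."""
    by_flow = defaultdict(list)
    for ts, src, dst in parse_connections(text):
        by_flow[(src, dst)].append(ts)
    suspects = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects[flow] = (avg, jitter)
    return suspects

if __name__ == "__main__":
    for (src, dst), (avg, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {avg:.0f}s (jitter {jitter:.2f})")
```

On the constructed log, only the 60-second flow to 203.0.113.7 is reported; the irregular flow to 198.51.100.20 is not. In practice the thresholds need tuning per environment, and legitimate software (update checkers, monitoring agents) also beacons, so a hit is a lead for an analyst rather than a verdict.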
Does malware affect Mac, Linux, and mobile devices?
Most users think that only Windows machines are vulnerable to malware. They assume that users of Linux and Mac devices are immune and need not take precautions. The truth is malware can affect Windows, Linux, and even Mac devices.
Windows devices are considered a larger target for malware than the other platforms because they dominate the market share, which makes them the larger and more accessible target for malicious actors. Today, Macs aren’t as safe as they used to be. As Mac devices grow in popularity, malware authors appear to focus more on them. According to Malwarebytes’ 2020 State of Malware report, the amount of malware on Macs is outpacing PCs for the first time.
There is also malicious code that specifically targets the operating systems of mobile devices such as tablets, smartphones, and smartwatches. These types of malware rely on exploits specific to particular mobile operating systems. Although mobile malware is not as pervasive as malware that targets workstations, it is becoming a growing concern for consumer devices.
Apple iOS devices such as iPhones are less likely to be infected with malware than Android devices. This is because iOS devices are highly locked down, and apps go through extensive checks before getting on the App Store. However, we know that some governments and sophisticated criminals are armed with million-dollar hacking tools that can penetrate iPhones. Notwithstanding, iOS devices are generally safer and will only become more vulnerable if jailbroken.
What are the Common Types of Malware?
Malicious code is a broad term that refers to a variety of malware programs. Examples include computer viruses, worms, spyware, adware, rootkits, logic bombs, fileless malware, trojan horses, and ransomware.
Computer viruses are small applications or strings of malicious code that infect computer systems and host applications. Computer viruses do not spread automatically; they require a carrier or medium such as a USB drive or the internet to propagate, and they almost always corrupt or modify files on a targeted computer. Computer viruses come in different forms, some of which include:
- Polymorphic virus—a virus that attempts to evade signature-based antivirus applications by changing its signature upon infection of a new system.
- Compression virus—a virus that appends itself to executables on the system and compresses them using the user’s permissions.
- Macro virus—a virus written in a macro language, such as the macros of Microsoft Office applications like Excel.
- Boot sector virus—a virus that infects the boot sector of a PC and loads upon system startup.
- Multipartite virus—a virus that spreads via multiple vectors; also called a multipart virus.
- Stealth virus—a virus that hides itself from the OS and from antivirus applications.
Worms: Worms are malware that replicate themselves to spread to other computers. They are more infectious than viruses and often use a computer network to propagate, relying on security defects on the target computer to gain access. Worms are dangerous because of the malicious code they carry (the payload) and because their aggressive self-propagation can degrade bandwidth or even cause denial of service. One of the most famous computer worms is Stuxnet, which targeted Siemens SCADA systems. It was believed to be responsible for causing substantial damage to the nuclear program of Iran.
Spyware and Adware: Spyware is a type of malicious software secretly installed to gather information (including browsing habits) about a particular user or entity, which it then sends to another entity for malicious purposes such as identity theft, spamming, targeted advertising, etc.
Adware is software that generates revenue for its developers by automatically generating online advertisements. The ads can be provided through pop-ups, user interface components, or screens presented during the installation process. The goal of adware is to generate sales revenue, not carry out malicious activities, but some adware uses invasive measures, which can cause security and privacy issues.
Rootkits: A rootkit is a collection of malicious software tools designed to enable root access to a computer or an area of its software that is not otherwise allowed. Rootkits are loaded on the compromised system to allow the attacker to carry out malicious activities while hiding their tracks. The attacker usually replaces default system tools with new compromised tools, which share similar names.
Rootkits can reside at the user or kernel level of the OS. They can also live in firmware or in the hypervisor of a virtualized system. A user-level rootkit has minimal privileges and thus cannot do as much damage. If a rootkit resides in the hypervisor of a system, it can exploit hardware virtualization features and target the host operating systems. Rootkits in firmware are challenging to detect because software integrity checking does not usually extend to the firmware level. Rootkit detection and removal can be complicated because the rootkit may be able to subvert the software that is intended to find it. Detection methods include behavior-based methods, signature-based scanning, and memory dump analysis.
Logic Bombs: A logic bomb is malicious code intentionally inserted into a software system to trigger a harmful action when specified conditions are met. Logic bomb software can have many triggers that activate its payload at a specific time or after a user carries out a particular action. For example, a malicious actor may install and configure a logic bomb to delete all digital evidence if forensic activities are carried out.
Fileless malware: Fileless malware, just as the name implies, does not write any part of its activity to files on the computer hard drive; instead, it operates exclusively from a victim’s computer’s memory. Because there are no files to scan, it is harder to detect than traditional malware. It also makes forensics more difficult because the malware disappears when the victim’s computer is rebooted.
Since there are no files for antivirus and forensic tools to analyze, detecting such malware can be difficult. In 2017, Kaspersky Lab published a report about fileless malware attacks affecting 140 enterprise networks globally, with banks, telecommunication companies, and government organizations being the top targets.
Trojan Horse: A Trojan horse is any malware that disguises itself as a legitimate program to mislead users about its true intent. Trojan horses perform their expected normal functions in addition to malicious functions in the background. Users are typically tricked by some form of social engineering into loading and executing trojans on their systems. Once installed, trojans can also use decoys to maintain the illusion that they are legitimate.
For example, when executed, a trojan disguised as a wallpaper or game application will typically run as a wallpaper or game application. While the user is distracted by these decoys, the trojan can quietly perform malicious actions in the background. Trojans are classified according to the type of malicious actions they perform. Examples include banking trojan, remote access trojan (RAT), backdoor trojan, FakeAV trojan, etc. Notable examples of trojans include Zeus, MEMZ, and FinFisher.
Ransomware: Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it by encrypting the victim’s files unless a ransom is paid. Ransomware attacks are typically carried out as part of a phishing scam or using a trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. The attacker proceeds to encrypt specific information so that it can only be recovered with a decryption key that the attacker alone knows. When the attacker receives payment, the data is unlocked.
Notable ransomware attacks include WannaCry (2017) and REvil (2020). The WannaCry ransomware spread through the Internet in 2017, infecting more than 230,000 computers in over 150 countries and demanding US$300 per computer. REvil is a private ransomware-as-a-service (RaaS) operation that threatens to publish victims’ data on their blog (doxxing) unless a ransom is paid. In April 2021, REvil stole Apple’s upcoming product blueprints and threatened to publish them unless a $50 million ransom was paid. Both WannaCry and REvil have been taken down.
How Can You Prevent and Protect Your IT Assets From Malware Infection?
Protecting your device, critical applications, and indeed your entire network from the long list of malware types above requires more than just rolling out antivirus software. Nowadays, antivirus and other signature-based approaches to security are no longer considered enough to protect systems from modern cyber threats. With over 350,000 new malware samples discovered every day, it’s practically impossible for antivirus applications to keep tabs on these new and emerging threats.
This is why organizations need to develop a risk-based information security program that embraces the principles of the zero-trust security model in their security strategy to boost cyber resilience. A security program should address risk issues from a strategic, tactical, and operational standpoint. This includes designing and implementing administrative, physical, and technical controls to protect critical digital assets, as detailed in Table 1.0 below. Administrative controls focus on security policies, procedures and guidelines, security awareness training, and other human factors of security that define personnel or business practices in line with the organization’s security goals. Physical controls are measures put in place to prevent unauthorized physical access to critical IT assets. Technical controls focus on hardware or software components such as antivirus, firewalls, IPS/IDSs, access control lists (ACLs), application whitelisting, etc.
| Type of Control | Preventive | Detective | Corrective |
|---|---|---|---|
| Physical | Physical access control | CCTV and surveillance camera logs | Repair and restore physically damaged assets |
| Administrative | Risk management, security policies and procedures, backup plan, etc. | Auditing, security event management, change management, etc. | Incident response plan, DR/BCP |
| Technical | Antivirus, IPS, MFA solution, updates, whitelisting, ACL, etc. | IDS, honeypots, vulnerability scanners, static testing, etc. | Patching, blacklisting, quarantine techniques, etc. |

Table 1.0: Comparison of administrative, physical, and technical security controls
For organizations that develop business-critical applications, one way to prevent malicious code from ruining your applications is to embrace secure coding practices, including static code analysis in your software development lifecycle. Static analysis secures applications by reviewing the source code while it is not running to identify malicious code or evidence of known insecure practices. It is one of the most effective ways to prevent malicious code from successfully causing damage to your business’s critical applications. Automated tools such as Invicti, Acunetix, Veracode, Checkmarx, and others implement static code analysis to detect and prevent malicious code such as backdoors, logic bombs, rootkits, etc.
Users looking to prevent malicious code from infecting their PCs can install antimalware software as an added layer of security. Beyond that, users can avoid malware by practicing safe behavior on their computers and other personal devices. This includes keeping software updated, using non-administrative accounts as much as possible, and being careful about downloading unknown programs and attachments that may contain malware in disguised form, among others.
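To make concrete what "reviewing the source code when it’s not running" means, here is an added example, not code from the original article and not from any of the tools it names, of a minimal static analysis rule. It scans C source for calls that write into a buffer with no length bound, the insecure coding practice behind the buffer overflow vulnerability mentioned earlier, and reports the line numbers the way a SAST finding would. The rule table, the sample C file, and the suggested replacements are constructed for this example.

```python
"""Constructed example: a minimal static analysis pass over C source.

Static analysis reads code without executing it. This checker finds calls
to C library functions that copy into a destination buffer without a size
argument (the classic buffer-overflow pattern) and reports their line
numbers. It blanks string literals and comments first so a function name
that merely appears in text is not reported, a common false-positive
source for naive grep-based checks. Rule table and sample source are
constructed for this demo; production SAST tools add data-flow analysis
and thousands of rules on top of this idea."""
import re

# Unbounded function -> bounded alternative, used in the finding message.
UNBOUNDED_CALLS = {
    "gets": "fgets",
    "strcpy": "strncpy or strlcpy",
    "strcat": "strncat or strlcat",
    "sprintf": "snprintf",
}

# \b keeps 'fgets(' and 'snprintf(' from matching 'gets' / 'sprintf'.
CALL_RE = re.compile(r"\b(" + "|".join(UNBOUNDED_CALLS) + r")\s*\(")

def strip_strings_and_line_comments(line):
    """Blank out string literals and // comments on a single line."""
    line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
    return line.split("//", 1)[0]

def scan_c_source(source):
    """Return a list of (line_no, function, message) findings."""
    findings = []
    in_block_comment = False
    for no, raw in enumerate(source.splitlines(), start=1):
        line = raw
        # Handle /* ... */ comments, including ones spanning several lines.
        if in_block_comment:
            if "*/" not in line:
                continue
            line = line.split("*/", 1)[1]
            in_block_comment = False
        if "/*" in line:
            before, _sep, after = line.partition("/*")
            if "*/" in after:
                line = before + after.split("*/", 1)[1]
            else:
                line = before
                in_block_comment = True
        for m in CALL_RE.finditer(strip_strings_and_line_comments(line)):
            fn = m.group(1)
            findings.append((no, fn,
                             f"unbounded write via {fn}(); use {UNBOUNDED_CALLS[fn]} with an explicit size"))
    return findings

# Constructed sample: two defects, plus a bounded call and a string mention
# that a naive text search would wrongly flag.
SAMPLE_C = r'''#include <stdio.h>
#include <string.h>

/* Constructed sample: a greeting helper with two defects. */
void greet(const char *name) {
    char buf[32];
    strcpy(buf, name);            /* no bound on name length */
    printf("hello %s\n", buf);
}

void read_line(char *out) {
    gets(out);                    // removed from C11 for this reason
}

void safe_greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "%s", name);   // bounded: not reported
    puts("strcpy is mentioned in this string only");
}
'''

if __name__ == "__main__":
    for no, fn, msg in scan_c_source(SAMPLE_C):
        print(f"line {no}: {msg}")
```

On the sample, the checker reports the `strcpy` on line 7 and the `gets` on line 12, and stays quiet about the `snprintf` call and the string that merely mentions `strcpy`. Wiring a rule like this into a build pipeline is what "including static code analysis in your software development lifecycle" looks like in practice: the defect is caught before the code is ever deployed where a buffer overflow could be exploited.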