
How Malware Works (And How to Fight Back)

September 6, 2016

Malware is a persistent and pervasive challenge for every business that lives and dies by the internet (which, let's face it, is most businesses today). It's lucrative for attackers, and anyone can be a target: private citizens, the smallest SMBs, the largest enterprises, and the U.S. government.

While there is a lot out there on the dangers of malware, less has been said about how malware actually works. Its inner workings are not intuitive, and the threat keeps evolving as attackers come up with ever more clever ways to get into our systems, steal data, and generally make life difficult.

For years, defenders have been coming up with security solutions, only to have the attackers adapt and render them useless. The good news is that, by understanding what malware is and how it works, we can begin to fight back in a meaningful and effective way.

Before we dive into how it works, here’s a quick primer on what malware is.


Why They Do It

Attackers target organizations either to steal information (intellectual property, financial details, customer information) or to hold that information hostage for a ransom. Stolen information may be used directly (as with IP) or sold to others (as is often the case with personally identifiable information). In most cases it's all about money; ransomware has quickly become one of the most profitable types of online attack. Attackers have big incentives to carry out their attacks, but you also have a big incentive to protect your business and that of your customers, and the good news is that it doesn't have to be expensive to do so.

Major Types of Malware

Malware is a general category, and there are quite a few specific sub-types within it.

One of the most prevalent and destructive types is ransomware. You may be aware that ransomware is having a field day in 2016, with more attacks in the first quarter of the year than in the entirety of 2015. This is why understanding how malware works and how to identify and remove it is so critical.

Ransomware is specifically designed to encrypt files and demand a ransom (hence the name) from its victims in exchange for the key that releases the data. Even worse, attackers have been so successful that they've realized they can take it a step further. Today, victims often do not get their data back even after paying, or the attackers demand yet another, larger payment. So paying up isn't a reliable way out of a ransomware infection; in fact, paying only makes the problem worse. Restoring from offline backups that the malware could not reach is the dependable remedy.

Other common types of malware include:

  • Adware: Software that downloads or displays unwanted ads and collects data without the user's knowledge or permission. It can also redirect searches to particular advertising websites.
  • Bots: Automated programs that take control of your system and enroll it in a botnet. This lets attackers use your machine as a "zombie" to carry out other attacks on the internet.
  • Rootkits: Software designed to hide the fact that a system is compromised, often by replacing or hooking vital system executables and libraries so that the tools you would use to spot the infection no longer report it. Rootkits let malware "hide in the open" by mimicking normal files.
  • Spyware: Software that helps attackers steal information, often by transmitting data from the hard drive without the owner knowing.
  • Remote Access Tool (RAT): Software that helps attackers persist on your systems and networks. RATs typically let attackers capture your keystrokes, take pictures with your camera, and/or spread to other computers. One of the most important features of this type is that it sends all of this data from the victim to the attacker over an encrypted channel, so the traffic is hard to inspect.
  • Viruses: Malware that propagates by inserting a copy of itself into another program and becoming part of it. It can spread between computers, leaving infections as it travels.
  • Worms: Similar to viruses in that they self-replicate, but standalone: they don't need a host program or a human to propagate. Worms may exploit a vulnerability on the target system or use social engineering to fool users into executing them.


How Malware Gets In

An important thing to understand is how malware gets onto computers and servers in the first place. Attackers have found ways past most security solutions, such as antivirus and firewalls, by riding in on the email and web traffic those controls have to let through. Attackers know that humans are the most unpredictable, and therefore the weakest, link in the chain, so they use phishing to distribute their malware. Phishing campaigns range from simplistic spray-and-pray campaigns that work by sheer volume to complex, targeted social-engineering schemes (a.k.a. spear-phishing). Bottom line: all it takes is one person clicking a bad link or opening a bad attachment for a computer, and from there an entire network, to be compromised.

Thanks to education campaigns, users are getting better at not clicking links and documents sent to them by e-mail. However, this has pushed attackers toward a new, more dangerous approach: malicious ads (malvertising). Attackers buy ad placements across the internet and inject malicious code into them. Because the ad's code can exploit a vulnerability in the browser or one of its plugins as soon as the page loads (a drive-by download), these ads do not even require a click to infect your device. This technique requires more advanced skills, but attackers are getting better at it all the time and increasing their efficacy.

Now that you understand how malware gets in, here’s how malware works, how its attacks unfold, and what we can do to fight back.

How Malware Works

Command and Control: Phoning Home
Once it's on your system, malware's first job is usually to communicate back to the attackers who sent it.
Malware rarely works alone; it takes orders from "command and control" (C2) servers hidden throughout the Internet. Rather than hard-coding a server address, the malware typically resolves a domain name through DNS (the domain name system) to find the current IP address of its C2 server. Because the attacker controls that domain, they can repoint it at a new server whenever one is taken down, which helps them keep control of their victims and ensures persistent access. These servers can then command the malware to:

  • steal information
  • capture keystrokes
  • encrypt hard drives (to hold them for ransom)
  • spread to other computers
  • enable the camera
  • erase itself to avoid detection

Here's the kicker: attackers need that command and control channel to get anything out of you. We can use this against them.

Visualizing an Attack: A Step-by-Step Guide

Step 1
Attacker infects victim
Malware can come from many places, but in most cases it begins with someone clicking a bad link (perhaps sent in a phishing email), opening a malicious attachment, or running a program from an untrusted thumb drive.

The attacker’s goal here is to get malicious software running on the victim system so they can begin to execute the attack.

Step 2
Malware “phones home”
The malware on the victim system performs a DNS lookup for its command and control domain, preparing to "phone home" to the people controlling it or to download additional malware.

Step 3
Attacker controls your system via malware
The people controlling the malware use it to take action in one or more of the following ways, depending on their goals:

  • steal information
  • erase data
  • encrypt hard drives (to hold them for ransom)
  • spread to other computers
  • erase itself to avoid detection

Of course, if you are using Strongarm, this will go down completely differently (Strongarm's own write-up explains in full how it stops and eradicates malware for you).

Why Traditional Malware Protection Doesn’t Work

Many malware defenses attempt to stop attacks simply by blocking them. This often does not work, because you are stopping only one part of what may be a much larger, more complex attack. Moreover, once you "block" the malware, you lose the information about what it is, where it came from, and what it wanted, which makes it even harder to put a complete stop to it.

Antivirus and firewalls also fall short, because channels like email pass straight through them (and, as mentioned above, many malware attacks arrive by email). Strongarm's DNS blackhole takes a different approach: it tracks command and control servers across the internet and watches for any lookup or traffic that tries to reach them.

From there, Strongarm can intercept the traffic and speak directly to the malware, gathering the information needed to put a stop to the attack for good. In other words, in order to truly eradicate malware, you need to be able to speak its language.
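To make the DNS side of this concrete, here is a small blackhole (sinkhole) resolver, added as an example for this page; it is not Strongarm's code and does not claim to work the way Strongarm does. It ties together the step-2 lookup above, where the malware resolves its command and control domain, and the defensive idea that answering that lookup with an address you control both stops the check-in from reaching the attacker and tells you which internal host is infected. The C2 domain list, the client addresses, the sinkhole address and the query log are all constructed for the demo (the names use the reserved `.example` TLD), and the upstream resolver is simulated with a dictionary rather than real recursion.

```python
"""DNS blackhole (sinkhole) for malware "phone home" lookups.

Added example, not Strongarm's code. The C2 domains, client addresses and
query log below are constructed for the demo; upstream answers are simulated
with a dict instead of real recursion.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SINKHOLE_IP = "10.0.0.254"  # assumption: a listener we control sits here

# Constructed blocklist; ".example" is a reserved TLD, so nothing here is real.
KNOWN_C2 = {"update-check.c2.example", "cdn.malvertiser.example"}

# Simulated upstream resolver answers (RFC 5737 documentation addresses).
UPSTREAM = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}

# Constructed resolver query log: "<timestamp> <client_ip> <queried_name>".
QUERY_LOG = """\
2016-09-06T10:00:01Z 192.168.1.20 www.example.com
2016-09-06T10:00:03Z 192.168.1.20 update-check.c2.example
2016-09-06T10:00:04Z 192.168.1.31 mail.example.com
2016-09-06T10:00:09Z 192.168.1.31 beacon.cdn.malvertiser.example.
2016-09-06T10:00:12Z 192.168.1.20 update-check.c2.example
2016-09-06T10:00:15Z 192.168.1.45 does-not-exist.example.com
"""


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot a fully qualified name may carry."""
    return qname.rstrip(".").lower()


def listed_parent(qname: str, known_c2: set) -> Optional[str]:
    """Return the blocklisted domain that qname equals or sits under, else None.

    Walking the labels right to left means listing "cdn.malvertiser.example"
    also catches "beacon.cdn.malvertiser.example", so attackers cannot dodge
    the list simply by rotating hostnames under a domain they own.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known_c2:
            return candidate
    return None


@dataclass
class Sinkhole:
    known_c2: set
    sinkhole_ip: str = SINKHOLE_IP
    upstream: dict = field(default_factory=lambda: dict(UPSTREAM))
    hits: list = field(default_factory=list)

    def resolve(self, client_ip: str, qname: str, ts: str = "") -> str:
        """Answer one query.

        A C2 name gets the sinkhole address, so the malware's check-in lands
        on our listener instead of the attacker's server, and the asking host
        is recorded as infected. Anything else goes to the (simulated) upstream.
        """
        hit = listed_parent(qname, self.known_c2)
        if hit is not None:
            self.hits.append({"ts": ts, "client": client_ip,
                              "qname": normalize(qname), "listed": hit})
            return self.sinkhole_ip
        return self.upstream.get(normalize(qname), "NXDOMAIN")

    def infected_hosts(self) -> dict:
        """Map each client that looked up a C2 name to the names it asked for."""
        by_host = defaultdict(set)
        for h in self.hits:
            by_host[h["client"]].add(h["qname"])
        return {host: sorted(names) for host, names in sorted(by_host.items())}


def replay_log(log: str, known_c2: set = KNOWN_C2) -> tuple:
    """Feed a query log through the sinkhole; return (answers, infected hosts)."""
    sink = Sinkhole(known_c2=set(known_c2))
    answers = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname = line.split()
        answers.append((client_ip, normalize(qname),
                        sink.resolve(client_ip, qname, ts)))
    return answers, sink.infected_hosts()


if __name__ == "__main__":
    answers, infected = replay_log(QUERY_LOG)
    for client, name, answer in answers:
        print(f"{client:14} {name:36} -> {answer}")
    print("\nHosts that phoned home (clean these first):")
    for host, names in infected.items():
        print(f"  {host}: {', '.join(names)}")
```

Two design points matter in practice. First, the sinkhole answer must point at a listener you operate, not at 127.0.0.1 or a dead address: the value of the technique is that the infected host still connects and you get to see (and log) what it sends, which is the "speaking its language" the text refers to. Second, blocking the DNS answer alone is not enough: the recorded client address is what turns a blocked lookup into an incident you can actually close out by cleaning the host.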

If you’re interested in learning more about how Strongarm can protect your business or that of your customers in a highly cost-effective manner, we encourage you to:

Sign Up for a Free Trial