Let’s demystify malware and understand how we can avoid it
Software that is malicious
Merriam-Webster defines it as “software designed to interfere with a computer’s normal functioning.”
Today malware does more than just interrupt what is “normal”. It’s used to exploit our system’s resources, commit crimes, and attack others.
What can it do
In the beginning there were fork bombs. Fork bombs were programs written by mischievous programmers trying to crash their friends’ systems. These were distributed on floppy disks and, when loaded, would crash computers by spawning too many versions of themselves.
Fast forward to today: Malware is used to ransom family photos for Bitcoin and enroll systems into networks of “bots” that can be co-opted into performing criminal actions. Malware has evolved.
Types of Malware
To understand modern malware, I divide it into three conceptual categories: malware that’s attacking you, malware that’s monetizing you, and malware that’s using you to attack others.
It’s attacking you
Malware can attack us in a handful of ways. A common type of malware is “ransomware.” It encrypts your files and requires payment for the decryption key.
If the malware doesn’t extort you, it may wait and listen for sensitive information. Criminals will capture this information, such as social security numbers, login credentials, and credit card numbers. Then, they package up your information into “dumps”, and sell it on the black market. Identity thieves buy up this data and use it to impersonate you, steal money from you, or abuse your accounts (e.g. take free ride sharing trips).
It’s trying to monetize your system
Your system is a computing resource. It uses power, and you pay for this power. It is common for malware to exploit your system’s resources for monetary gain. They can do this by “mining” cryptocurrency and having you foot the electricity bill. They can also enroll you in a “botnet” and rent out these botnets to other criminal organizations.
Botnets are groups of infected computers, unwitting cogs in a criminal machine. Criminals will use botnets to attack new systems or perform large-scale attacks such as distributed denial of service (DDoS) attacks. Because the traffic comes from thousands of victims’ machines rather than the criminal’s own, this makes attribution more difficult, if not impossible.
It’s using you to attack others
In 2015 an NSA contractor took home top secret data and put it on his home computer. It is likely that software running on his system leaked this sensitive information to Russian intelligence. Although this sounds straight out of a Robert Ludlum novel, attackers can use malware to go after less sexy targets, such as your employer or people in your personal network.
Do’s and Don’ts
To stop these attacks we need to understand how malware gets on our systems in the first place.
I’m not the first to write about avoiding malware, and I won’t be the last. Most articles give you top ten lists of do’s and don’ts. I do not want to add to this canon of lists. I prefer to provide general ways of thinking about malware avoidance, lay out some example steps, and let readers take the exact actions necessary for their lives. The key things you should be doing are: use up-to-date software and enable built-in security features.
To start out on the right foot, make sure that you keep your technology up-to-date. If you don’t, you are at risk to malware exploiting known flaws in your internet browsers, document readers, or operating systems. One step you can take is to enable automatic updating of your system and software.
A new attack vector these days is taking advantage of network-connected devices that we use but don’t update. Think of your home router or any number of “internet-of-things” (IoT) things. We often purchase, connect, and forget about these devices. But attackers can use vulnerable IoT devices to establish footholds on your network. When buying new connected devices, pay a little extra for a brand that advertises ongoing automatic updates. If you have IoT devices that don’t update automatically, set up reminders to manually update every few months.
Next, turn on the available security features of your products. If your operating system supports it, enable firewall and anti-malware protections. Investigate the security features available to you in the common software that you use, such as your browser. In addition to taking these proactive steps, avoid certain behavior that can increase your risk.
The don’ts fall into two general guidelines: Don’t trust “free,” and don’t trust unsolicited contact.
First off, free usually has a cost. When you use “free” tools like Google and Facebook you’re paying with your privacy. When you download free music or stream pirated content you could be paying with your system security. So, stick to trusted sources and use official app stores for downloading software. If you download software for “free” that you’d normally have to pay for, someone may be subsidizing the software with malware.
In addition to free software and media, also be wary of free internet access. We all love free internet at coffee shops and airports, but you’re exposing your system to tens if not hundreds of untrusted systems. Everyone at the coffee shop might be a good person, but one person may have malware on their system that’s looking for its next victim. Use a VPN¹ to prevent others from tampering with your internet connection or injecting malicious content into your traffic.
By now, most of us have heard of phishing. We’ve been taught to avoid advance-fee scams (a.k.a. the Nigerian prince scam), poorly typed emails, and questionable Internet links. What we haven’t been taught is that malware pushers are getting more sophisticated. They’re sending emails and creating scam sites that seem legit. So we have to become more vigilant. If you receive an unsolicited email with attached files or embedded links, even from a contact you believe you know — exercise caution. Avoid downloading these files or clicking on suspicious links. Open files using your email’s document viewer and inspect links before following them. If the email contains a shortened link, put it into a link unshortener.
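The two link checks described above (does the visible text match where the link really goes, and is the link shortened) can be automated before anyone clicks. This is an added example, not code from the original post; the email body and the list of shortener hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of well-known URL-shortener hosts (assumption, not from the post).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

# Constructed sample email body: one look-alike link, one shortened link, one honest link.
SAMPLE_EMAIL = """
<p>Your account needs attention.</p>
<a href="https://mybank.com.evil.example/login">www.mybank.com</a>
<a href="https://bit.ly/3xyzabc">View statement</a>
<a href="https://mybank.com/help">https://mybank.com/help</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a host; crude (wrong for ccTLDs like .co.uk) but fine here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def inspect_links(html):
    """Return (href, reason) for links that deserve a second look before clicking."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append((href, "shortened link: expand it before following"))
        # Only compare when the visible text itself looks like a hostname or URL.
        shown = re.search(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", text.lower())
        if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings

if __name__ == "__main__":
    for href, reason in inspect_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```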
With these do’s and don’ts in mind you can decrease the likelihood of an infection.
As long as people have greed in their hearts and malice on their minds, we will have malware (i.e. forever). Understanding a threat is the first step to preventing it. Malware is not magical software that suddenly causes our computers to slow down or our identities to be stolen. These days, malware is engineered with a specific purpose in mind: to attack you, to monetize your system, to attack others, or some combination of the above. However, we can make it harder for malware to infiltrate our systems. And we can avoid behaviors that increase our likelihood of infection.