1 Introduction
Malware continues to be a pervasive and costly threat to businesses, governments, and end-users worldwide. Multiple reporting sources estimate that total malware-related cybercrime costs will reach $2 trillion globally in 2019 and will rise to $6 trillion by 2021.
Malware comes in many forms: viruses, worms, rootkits, botnets, file-less malware, ransomware, and crypto-miners are prevalent in the wild. Malware is usually, and almost by definition, an exploitation of an operating system or application vulnerability.
Viruses are far more sophisticated than they were decades ago. Most viruses are now polymorphic, meaning they alter their structure with each new copy to evade signature-based detection. Viruses infect files and usually need user interaction to initiate a compromise.
Worms spread across unsecured networks, relying upon unpatched, compromised applications and unprotected ports.
Rootkits are low-level malware, usually implemented as device drivers in operating systems. Rootkits give bad actors complete control of affected machines.
Botnets are collections of controlled devices, often compromised by rootkits, that are used in large numbers to magnify other kinds of attacks, such as Distributed Denial of Service (DDoS) attacks, credential stuffing, account take-overs (ATOs), or other forms of cybercrime. Botnets can be composed of PCs, servers, smartphones, IoT devices, etc.
File-less malware is a fairly recent malicious innovation that seeks to avoid signature-based anti-malware scanners by propagating between machines without being written and transferred as files. Instead, file-less malware is malicious code which spreads by process or memory injection. Once on a target device, file-less malware uses native tools like PowerShell to assemble and execute the malicious payload.
Ransomware attacks are still popular and evolving. Ransomware is a form of malware that either locks users’ screens or now more commonly encrypts users’ data, demanding that ransom be paid for the return of control or for decryption keys. Needless to say, paying the ransom only emboldens the perpetrators and perpetuates the ransomware problem.
Many businesses and government agencies have been hit with ransomware over the last few years. Healthcare facilities have been victims. Transportation infrastructure has been affected. Even police departments have been attacked and lost valuable data. As one might expect, protecting against ransomware has become a top priority for CIOs and CISOs in both the public and private sectors.
Much of the cybersecurity industry has, in recent years, shifted focus to detection and response rather than prevention. However, in the case of ransomware, detection is pretty easy because the malware announces its presence as soon as it has compromised a device. That leaves the user to deal with the aftermath. Once infected, the choices are to pay the ransom and hope that malefactors return control or send decryption keys (not recommended, and it doesn’t always work), or wipe the machine and restore data from backup.
Restoration is sometimes problematic if users or organizations haven’t been keeping up with backups. Even if backups are readily available, time will be lost in cleaning up the compromised computer and restoring the data. Thus, preventing ransomware infections is preferred. However, no anti-malware product is 100% effective at prevention. It is still necessary to have good, tested backup/restore processes for cases where anti-malware fails.
Most ransomware attacks arrive as weaponized Office docs via phishing campaigns. Disabling macros can help, but this is not universally effective since many users need to use legitimate macros. Less commonly, ransomware can also arrive via drive-by downloads and malvertising.
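The two delivery paths described above (a weaponized Office document whose macro launches a native script host such as PowerShell, the pattern behind much macro-delivered and file-less malware) are exactly what endpoint agents look for in process-creation telemetry. As an added illustration, not part of the original report and not any product's own detection logic, the following Python flags records where an Office application spawns a script host and scores the command line against a few well-known heuristics. The key=value event layout, the field names, and the sample records are constructed for this example; the indicator list is a small illustrative set, not a complete rule.

```python
import re

# Applications that should rarely be the parent of a command interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native "living off the land" interpreters that file-less payloads tend to use.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}

# Command-line traits that deserve a second look. Each is a heuristic only:
# legitimate automation uses these too, so they raise severity rather than decide it.
SUSPICIOUS_ARGS = [
    (re.compile(r"-e(nc(odedcommand)?)?\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"downloadstring|invoke-expression|\biex\b", re.I), "download/execute"),
]

# Constructed process-creation records (not real telemetry). Quoted values may contain spaces.
SAMPLE_EVENTS = [
    r'ts=2019-03-04T10:15:01Z host=WS-17 parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -nop -w hidden -enc QUJD"',
    r'ts=2019-03-04T10:16:40Z host=WS-17 parent="C:\Windows\explorer.exe" '
    r'image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell.exe -File C:\scripts\backup.ps1"',
    r'ts=2019-03-04T10:18:12Z host=WS-22 parent="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
    r'image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c dir"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict; quoted values keep their spaces."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze(event: dict) -> dict:
    """Score one process-creation event and explain why."""
    parent = basename(event.get("parent", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")

    reasons = []
    office_chain = parent in OFFICE_PARENTS and image in SCRIPT_HOSTS
    if office_chain:
        reasons.append(f"{parent} spawned script host {image}")
    arg_hits = [label for pattern, label in SUSPICIOUS_ARGS if pattern.search(cmdline)]
    reasons.extend(arg_hits)

    # The parent/child relationship and the command-line traits reinforce each other;
    # either one alone is worth a look, both together is a strong signal.
    if office_chain and arg_hits:
        severity = "high"
    elif office_chain or arg_hits:
        severity = "medium"
    else:
        severity = "none"
    return {"ts": event.get("ts"), "host": event.get("host"),
            "severity": severity, "reasons": reasons}


def scan(lines) -> list:
    """Run the analysis over an iterable of raw event lines."""
    return [analyze(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["ts"], finding["host"], finding["severity"],
              "; ".join(finding["reasons"]) or "-")
```

Run as a script, the first record (Word launching a hidden, encoded PowerShell) scores high, the scheduled backup script launched from Explorer scores none, and Excel launching cmd.exe scores medium because the parent/child pair is unusual even though the command line itself is innocuous. In a real deployment the Office-to-script-host pair would typically be paired with process blocking or quarantine by the endpoint agent, while the command-line heuristics alone would feed alerting and triage rather than an automatic block, which is the trade-off the text points to when it notes that many users need legitimate macros.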
Crypto-jacking is the unwanted execution of crypto-mining software on user devices. Crypto-jackers capitalized on the surge of cryptocurrency prices. Though cryptocurrency prices are down a bit currently, crypto-jacking is still a threat to unprotected devices, annoying device owners with increased power costs and depleted batteries in the case of mobile devices. Initially, some anti-malware solutions did not identify crypto-mining software as malicious, since it could be built with freely available and sometimes legitimate code.
Key features of endpoint protection products include host-based agents that detect and prevent execution of malicious code; a management console that collects and analyzes information from deployed agents, tracks agent patch status and pushes upgrades; and an interface to Security Intelligence systems.
All end-user computers, smartphones, and tablets should have anti-malware endpoint security clients installed, preferably with up-to-date subscriptions. Servers and virtual desktops should be protected as well. Windows platforms are still the most vulnerable, though there are increasing amounts of malware for Android. It is important to remember that Apple’s iOS and Mac devices are not immune from malware, and as market share increases, particularly for Mac devices, the amount of malware for that platform will increase too.