Malware
Malware is any software that is intentionally designed to cause harm. It is the umbrella term for viruses, ransomware, spyware, and other malicious programs. Malware can steal your passwords, lock your files for ransom, spy on your activity, or turn your computer into part of a botnet. It typically spreads through email attachments, infected downloads, compromised websites, or USB drives.
Malware (malicious software) is any program or code intentionally designed to harm, exploit, or otherwise compromise a system. It is classified by behavior, propagation method, and payload.
Malware types:
| Type | Behavior | Example |
|---|---|---|
| Virus | Attaches to legitimate files, requires user action to spread | File infector, macro virus |
| Worm | Self-replicating, spreads autonomously across networks | WannaCry, Conficker |
| Trojan | Disguised as legitimate software, delivers hidden payload | Emotet, remote access trojans (RATs) |
| Ransomware | Encrypts files, demands payment for decryption key | LockBit, REvil, Conti |
| Spyware | Silently monitors user activity, captures keystrokes | Pegasus (NSO Group) |
| Rootkit | Hides deep in the OS to maintain persistent access | UEFI rootkits, kernel rootkits |
| Adware | Displays unwanted ads, may track browsing | Browser hijackers |
| Cryptojacker | Uses victim’s CPU/GPU to mine cryptocurrency | Coinhive (defunct), XMRig |
| Wiper | Destroys data with no recovery option (no ransom) | NotPetya, WhisperGate |
Infection vectors: phishing emails with attachments, drive-by downloads from compromised websites, supply chain compromise (malicious updates), exploiting unpatched vulnerabilities, infected USB drives, malicious ads (malvertising).
Defense layers:
- Prevention: patch management, email filtering, web filtering, application allowlisting, least privilege
- Detection: endpoint detection and response (EDR), antivirus (signature + heuristic), network detection (NDR), SIEM correlation
- Response: isolation of infected systems, forensic analysis, indicator of compromise (IOC) sharing, restore from clean backups
Malware detection and response
```console
# Scan a suspicious file with ClamAV (open-source antivirus)
$ clamscan --infected --recursive /tmp/downloads/
/tmp/downloads/invoice.pdf.exe: Win.Trojan.Agent FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
# Check running processes for suspicious activity (Linux)
$ ps aux --sort=-%cpu | head -10
# Look for: unknown process names, high CPU from unexpected processes
# Check for unauthorized network connections
$ ss -tnp | grep -v "127.0.0.1"
# Look for: connections to unknown IPs on unusual ports
# Check startup persistence mechanisms
$ systemctl list-unit-files --state=enabled
$ crontab -l
$ ls -la /etc/cron.d/
# Scan file hash against VirusTotal (API)
$ sha256sum suspicious_file.exe
a1b2c3d4... suspicious_file.exe
# Submit hash to https://www.virustotal.com/
```
Malware is the most visible cybersecurity threat. Ransomware alone caused an estimated $20+ billion in damages in 2025, with attacks on hospitals, municipalities, and critical infrastructure making headlines regularly. The Colonial Pipeline ransomware attack (2021) shut down fuel delivery across the US East Coast. Modern malware is often modular: an initial dropper (delivered via phishing) downloads additional payloads based on the target environment. Nation-state malware (Stuxnet, NotPetya) represents the most sophisticated tier, sometimes including zero-day exploits and supply chain vectors. For defenders, endpoint detection and response (EDR) tools like CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint have largely replaced traditional antivirus. The fundamental defense remains: patch promptly, back up religiously, restrict privileges, and train users to recognize phishing.
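As an added example (not part of the original entry), the following Python script automates two of the manual checks in the session above: matching file hashes against a shared IOC list, and flagging peers from `ss -tnp` output that are outside loopback/RFC 1918 ranges on ports you do not expect. The IOC digest, the sample `ss` lines and the expected-port allowlist are constructed assumptions, not real indicators.

```python
"""Triage helpers: IOC hash matching over a directory, and flagging outbound
connections parsed from `ss -tnp` output. All sample data is constructed."""
import hashlib
import ipaddress
from pathlib import Path

# Constructed IOC set; in practice this comes from shared threat intel.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed dropper sample").hexdigest()}
# Ports on which outbound traffic is expected (assumption; tune per site).
EXPECTED_PORTS = {53, 80, 443}
# Loopback and RFC 1918 ranges count as internal rather than "unknown" peers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

def sha256_file(path):
    # Stream the file so large binaries need not fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_ioc_matches(directory):
    """Return paths under directory whose SHA-256 is in the IOC set."""
    return [str(p) for p in sorted(Path(directory).rglob("*"))
            if p.is_file() and sha256_file(p) in KNOWN_BAD_SHA256]

def suspicious_connections(ss_output):
    """Return (peer_ip, port, process) for external peers on unexpected ports."""
    hits = []
    for line in ss_output.splitlines()[1:]:          # skip header row
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")    # peer address:port
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue                                 # e.g. '*' wildcard
        if any(addr in net for net in INTERNAL_NETS):
            continue
        if int(port) not in EXPECTED_PORTS:
            hits.append((str(addr), int(port), fields[5] if len(fields) > 5 else "?"))
    return hits

# Constructed sample in `ss -tnp` layout (TEST-NET addresses, fake PIDs).
SAMPLE_SS = """State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:51000 203.0.113.7:4444 users:(("nc",pid=1234,fd=3))
ESTAB 0 0 10.0.0.5:51001 198.51.100.2:443 users:(("firefox",pid=2000,fd=80))
ESTAB 0 0 127.0.0.1:5432 127.0.0.1:44000 users:(("postgres",pid=900,fd=7))
"""
```

Feed it real output with `suspicious_connections(subprocess.check_output(["ss", "-tnp"], text=True))` and point `find_ioc_matches` at the download directory from the ClamAV step.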