Malware: Harmful Software, Delivery Paths, and Layered Defense
📑 On this page
- A concrete example: ransomware
- Viruses, worms, and trojans
- Ransomware
- Spyware and information stealers
- Backdoors and remote-access tools
- Loaders and droppers
- Botnets
- How malware enters
- Least privilege limits damage
- Segmentation limits movement
- Detection uses several signals
- Backups support recovery
- Incident response
- Rebuilding can be safer than cleaning
- Knowledge check
- The one idea to remember
Malware is a broad label for software created or used to disrupt, spy, steal, extort, or gain unauthorized control.
Malware categories describe behavior or delivery, but one malicious program can perform several roles at once.
A program may arrive disguised as a useful installer, steal credentials, download additional tools, spread to other machines, and encrypt files.
Understanding the chain is more useful than memorizing labels.
A concrete example: ransomware
An attacker obtains an employee's remote-access credentials.
After entering the network, the attacker:
- Explores available systems.
- Steals additional credentials.
- Copies sensitive data.
- Disables or deletes reachable backups.
- Deploys ransomware across many devices.
- Demands payment for decryption and nonpublication.
The ransomware executable is only the final visible stage.
Prevention and response need to address identity, privileges, movement, data theft, backup isolation, and detection before encryption begins.
Viruses, worms, and trojans
A virus attaches to another file or program and spreads when the host runs or is shared.
A worm spreads between systems, often by exploiting reachable vulnerabilities without requiring a user to copy each instance.
A trojan pretends to be legitimate software or is bundled within it, persuading the user to install or run it.
These terms describe propagation and disguise. Modern campaigns frequently combine techniques rather than fit one neat category.
Ransomware
Ransomware denies access, commonly by encrypting files or systems, and demands payment.
Many groups also steal data before encryption and threaten publication.
Paying does not guarantee:
- Working decryption
- Deleted stolen data
- No future attack
- Legal permission to pay
Recovery depends on incident response, trustworthy backups, rebuilding systems, credential reset, and investigation of the original access path.
Organizations should decide legal, communication, and restoration processes before an incident.
Spyware and information stealers
Spyware gathers information without appropriate consent.
It may capture:
- Passwords
- Session cookies
- Browser data
- Documents
- Screenshots
- Keystrokes
- Cryptocurrency wallets
- Device and network details
Information stealers can make password changes insufficient if active sessions remain valid.
Response may require session revocation, token rotation, device rebuilding, and review of every secret accessible from the compromised machine.
Backdoors and remote-access tools
A backdoor provides unauthorized persistent access.
Attackers may install a custom tool or misuse legitimate remote-administration software.
This is called living off the land when built-in system tools or trusted applications perform malicious actions.
Allow-listing one executable name is not enough. Detection should consider behavior, identity, command context, network destination, and unusual timing.
Legitimate tools need controlled deployment and audit.
Loaders and droppers
A small initial program may exist mainly to install or download other components.
This staged approach helps attackers:
- Keep the first file small
- Change later payloads
- Check whether the environment is useful
- Avoid delivering expensive tools to analysis systems
Blocking the final malware family is useful, but earlier signals such as suspicious script execution, unusual child processes, or unexpected outbound connections can stop the chain sooner.
Botnets
A botnet is a group of compromised devices controlled together.
Bots may be used for:
- Distributed denial-of-service attacks
- Spam
- Credential guessing
- Fraud
- Cryptocurrency mining
- Proxying malicious traffic
Internet-connected cameras and routers are attractive when they use default credentials, expose management services, or stop receiving updates.
One neglected device can become infrastructure for attacks on other people.
How malware enters
Common entry paths include:
- Phishing attachments or links
- Stolen credentials
- Unpatched vulnerabilities
- Malicious or compromised software updates
- Pirated software
- Exposed remote services
- Infected removable media
- Supply-chain dependencies
- Misconfigured cloud resources
No single prevention tool covers all paths.
An inventory of devices, software, accounts, and exposed services is foundational because unknown assets cannot be maintained.
Least privilege limits damage
Malware running with administrator privileges can do more harm than malware running in a restricted account.
Least privilege can limit:
- System changes
- Credential access
- Network movement
- Backup deletion
- Software installation
Application allow-listing can restrict which executables or scripts run.
Attackers may still exploit privilege-escalation flaws, so updates and monitoring remain important. Least privilege reduces the starting power and blast radius.
Segmentation limits movement
Network segmentation separates systems according to purpose and trust.
A compromised employee laptop should not automatically connect to database administration ports or backup systems.
Segmentation can use:
- Firewalls
- Network policies
- Identity-aware access
- Separate management networks
- Restricted service accounts
Rules should allow required communication and deny unnecessary paths.
Flat networks make one initial compromise far more valuable.
Detection uses several signals
Detection may observe:
- Known malicious signatures
- Unexpected process behavior
- File changes
- Privilege escalation
- Unusual network connections
- Large data transfers
- Disabled security tools
- Rapid file encryption
- Suspicious authentication
Endpoint detection and response tools collect and correlate activity, but require tuning, investigation, and skilled operation.
No alert proves guilt by itself. Analysts combine evidence and preserve context.
Backups support recovery
Useful ransomware recovery requires backups that are:
- Independent
- Protected from production credentials
- Versioned or immutable
- Complete
- Regularly tested
- Available within recovery objectives
If malware can encrypt every mounted backup, those copies share the same failure.
Restoring files without removing the attacker's access may lead to reinfection. Recovery includes identity, configuration, and system trust.
Incident response
When malware is suspected:
- Activate the incident process.
- Contain affected systems without destroying evidence.
- Identify scope and entry path.
- Revoke compromised credentials and sessions.
- Remove persistence or rebuild from trusted sources.
- Restore validated data.
- Monitor for recurrence.
- meet legal and communication duties.
Turning off one visibly infected computer may be appropriate in some cases and harmful in others if volatile evidence is needed.
Follow practiced organizational guidance rather than improvising alone.
Rebuilding can be safer than cleaning
It is difficult to prove that every malicious change has been removed from a deeply compromised system.
Rebuilding from a trusted image can restore confidence when paired with:
- Patched software
- Rotated credentials
- Validated configuration
- Restored clean data
- Corrected entry path
For specialized devices where rebuilding is impossible, organizations need vendor support, isolation, and compensating controls.
Recovery should return to a safer state, not recreate the vulnerable environment exactly.
Knowledge check
- Why can ransomware be only the last stage of an attack?
- How do a worm and a trojan differ?
- Why might changing a stolen password not invalidate an information-stealer attack?
- How do least privilege and segmentation reduce malware impact?
- Why should recovery remove attacker access before restoring data?
The one idea to remember
Malware is harmful software operating inside a wider attack chain. Layered identity controls, updates, limited privileges, segmentation, behavioral detection, and isolated tested backups reduce both the chance of infection and the damage it can cause.