What malware spreads through networks?

Malware, short for “malicious software”, refers to any software that is intentionally designed to cause damage to a computer, server, client, or computer network. Malware spreads in various ways, the most common being through networks that connect devices together. Networks provide an easy way for malware to propagate quickly to multiple endpoints. Understanding how different types of malware spread through networks is crucial for effectively protecting systems and data.

Email Attachments

One of the most common vectors for malware is email attachments. Malware authors use social engineering techniques to craft convincing messages that trick users into opening attachments containing malicious payloads. These emails masquerade as legitimate messages from trusted sources, such as businesses, colleagues, friends, etc. Once the attachment is opened, the malware executable runs and infects the victim’s system.

From there, the malware can propagate through the network by stealing email addresses and sending infected emails to more people. Well-known malware worms and trojans like MyDoom, Melissa, and ILOVEYOU have spread globally via email attachments. Modern malware continues to leverage malicious attachments in spearphishing campaigns directed at businesses, governments, and individuals.
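The defensive counterpart to this vector is an attachment policy on the mail gateway. The following is an added example, not code from the article: it parses a MIME message with Python's standard `email` package and reports, per attachment, why it should be quarantined. The blocked-extension lists, the policy names and the sample message are constructed for illustration; a real gateway would tune the lists to its own environment and follow up with content inspection of archives.

```python
"""Attachment policy check for a mail gateway (added example, not from the
article). Parses a MIME message, inspects each attachment and reports why it
should be quarantined. The extension lists and the sample message are
constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage
import os

# Extensions that execute directly when double-clicked on a typical desktop.
# Constructed policy list; tune to the environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".iso", ".img",
}
# Office formats whose extension signals embedded macros.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Archive types that can wrap a blocked file; they need inner-file inspection.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
# Document-looking inner extensions used in "invoice.pdf.exe"-style names.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def attachment_findings(filename: str, content_type: str) -> list[str]:
    """Return a list of policy violations for one attachment (empty = clean)."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked executable/script extension {ext}")
    if ext in MACRO_EXTENSIONS:
        findings.append(f"macro-enabled Office document {ext}")
    if ext in ARCHIVE_EXTENSIONS:
        findings.append(f"archive {ext} requires inner-file inspection")
    # Double extension: the inner, document-like extension hides the real type.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in DECOY_EXTENSIONS:
        findings.append(f"double extension {inner_ext}{ext}")
    # A harmless-looking Content-Type on an executable name is itself a signal.
    if ext in BLOCKED_EXTENSIONS and content_type.startswith(("image/", "text/plain")):
        findings.append(f"content type {content_type} does not match {ext}")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw RFC 5322 message to its findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        report[fname] = attachment_findings(fname, part.get_content_type())
    return report


def build_sample_message() -> bytes:
    """Constructed sample: one benign PDF and one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice-2024-03.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="image",
                       subtype="png", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        verdict = "QUARANTINE" if findings else "deliver"
        print(f"{verdict:10} {name}: {'; '.join(findings) or 'no findings'}")
```

The check deliberately fails on the filename alone and then adds the Content-Type mismatch as a second, independent signal, so a sender cannot make a blocked file "clean" by relabelling its MIME type.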

Web Downloads

The web is another vector frequently abused by malware. Malicious websites may trick users into downloading malware-laced software claiming to be legitimate. Methods like drive-by downloads do this without any action from the user. Malware may also get bundled with legitimate software as an additional payload. Once the malware infects a system through a web download, it can then move laterally across the network.

Web downloads allow remote attackers to target many systems without relying on users to install malicious attachments. Malvertising is one technique hackers employ to stealthily deliver malware via web ads and pop-ups. Users can unknowingly get infected just by visiting a website, without having to download anything themselves.

Network Shares

Network file shares are prime targets for malware. Cybercriminals are increasingly using malware like worms to automatically scan for and infect connected systems through open file shares. Once a single system is infected, the malware can copy itself to shared folders that other systems have access to.

When other systems access these infected shares, the malware executes and spreads. Network worms like WannaCry and NotPetya have exploited this technique using SMB shares to rapidly propagate across enterprise networks. Maintaining restricted SMB permissions and disabling SMBv1 can reduce exposure to such “wormable” malware.

Removable Media

Portable storage devices continue to be used as malware delivery systems. When infected USB drives or external hard disks are connected to systems, malware is installed that then compromises those systems. Carelessly connecting untrusted removable media often leads to quick malware infection.

In high-security environments like industrial control facilities, this tactic enables targeted attacks to bypass air-gapped systems by first infecting an internet-connected computer. The Stuxnet worm that attacked Iranian nuclear centrifuges spread partly through USB drives. Securing removable media with features like device control and scan-on-access is key to stopping such threats.

Remote Access Trojans (RATs)

Remote Access Trojans (RATs) are a type of malware that cyberattackers install on victim endpoints to gain complete access and control. By opening a backdoor, RATs provide attackers with remote access to infected systems on the network.

RATs are often used in espionage, cybercrime, and hacking campaigns. Once a RAT is active on the endpoint, attackers can perform functions like executing commands, exfiltrating data, or moving laterally. RATs pose a dangerous threat to network security and can quickly spread across connections.

Infected Websites

Websites infected with malware can leverage browser vulnerabilities and drive-by downloads to automatically compromise visiting users. This allows malware to quickly spread to many individuals accessing the site. Watering hole attacks manipulate websites likely visited by targets to infect them for espionage.

These types of attacks just require users to view the infected site for their system to get infected. Malware can then leverage installed browsers and access to internal networks to propagate without any additional action needed. Keeping browsers patched and restricting web traffic are key to reducing this threat.

Instant Messaging/Chat Apps

Messaging platforms like Slack, Teams, and WhatsApp are ubiquitous in organizations for communication and collaboration. However, links shared via these apps can lead to malware download pages. Files exchanged through them also carry the risk of spreading infected documents.

As messaging apps are allowed through most corporate firewalls and used widely internally, they offer an easy avenue for malware to propagate across users and systems once it gains an initial foothold. Monitoring content and limiting attachments can help control exposure.

Peer-to-Peer Networks

Peer-to-peer (P2P) file sharing networks are used heavily to distribute pirated software and files. Malware is often bundled with or masked within these illicit files and applications shared on P2P networks. Infected files and apps downloaded through P2P networks provide an easy malware injection point.

If organizations allow and have systems participating in P2P file sharing, malware can leverage internal network access to spread. Corporate security policies should block P2P apps and traffic to avoid this threat. Monitoring is needed to detect bypass attempts.

Malicious QR Codes

QR codes are popular for enabling quick access to web pages by scanning a code. However, cyber criminals leverage QR codes to direct users to malware-laden sites or downloads when scanned. QR codes can be used on business cards, promotional materials, stickers, etc.

An unsuspecting individual who scans a malicious QR code with a mobile device can end up infecting the smartphone, or even the corporate network if the code directs to a mobile malware app. For high-security networks, it is best practice to prohibit the use of external QR codes within facilities.

Apache Struts and Log4Shell Vulnerabilities

Vulnerabilities in popular enterprise software like Apache Struts and Log4j allow remote code execution when exploited. These have been used as vectors to deploy malware payloads. The Log4Shell vulnerability in the ubiquitous Log4j component was discovered in late 2021.

Attackers are actively exploiting it to install remote access trojans and other malware on vulnerable systems. For internet-facing systems, compromised servers can then be used to infect other computers browsing or accessing them. Prompt patching and isolating affected systems is critical.

Malvertising and Traffic Distribution Systems

Online ads on websites are commonly used for spreading malware through a technique called malvertising. It works by hijacking ad networks and injecting malicious ads that lead to infection pages. Traffic distribution systems that reroute web traffic can also introduce malware.

These tactics covertly redirect website visitors to malware delivery pages, transparently infecting them when they simply browse sites with poisoned ads or redirects. Since visitors are not required to click or download anything themselves, it provides a very easy way for malware to reach many systems.

Supply Chain Compromises

In supply chain attacks, the development tools, processes, and distribution mechanisms of legitimate software are compromised to inject malware that the vendor then distributes unwittingly. SolarWinds, Kaseya, Codecov, and countless other software supply chain attacks have affected thousands of downstream users.

The broad reach of supply chains allows even a single compromise to distribute malware far and wide to networks globally. Defenses like software integrity checks, least privilege access, and audits of suppliers are important to prevent supply chain malware attacks.
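One concrete form of the "software integrity checks" mentioned above is verifying a downloaded artifact against the vendor's published SHA-256 list before installing it. The following is an added example, not code from the article or from any vendor: it parses the common `sha256sum` output format (hex digest, two spaces, filename), hashes the artifact incrementally, and fails closed when the file is unlisted or the digest differs. The artifact bytes and the checksum list are constructed here for illustration.

```python
"""Verify a downloaded artifact against a vendor-published SHA-256 checksum
list (added example, not from the article). The checksum file format follows
sha256sum output: hex digest, two spaces, filename. The sample artifact and
checksum list are constructed for illustration."""
import hashlib
import hmac
import io

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        # coreutils prefixes the name with '*' in binary mode; it is not part of the name.
        name = name.lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest.lower()
    return expected


def sha256_of_stream(stream, chunk_size: int = 1 << 20) -> str:
    """Hash a file-like object in chunks so large installers never sit in memory whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, stream, sums_text: str) -> tuple[bool, str]:
    """Return (ok, reason). Fails closed when the file is not listed at all."""
    expected = parse_sha256sums(sums_text)
    if name not in expected:
        return False, f"{name} is not listed in the checksum file"
    actual = sha256_of_stream(stream)
    # compare_digest is a habit worth keeping even where timing is irrelevant.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"digest mismatch: expected {expected[name][:16]}..., got {actual[:16]}..."
    return True, "digest matches"


def verify_bytes(name: str, data: bytes, sums_text: str) -> tuple[bool, str]:
    """Convenience wrapper for in-memory data."""
    return verify_artifact(name, io.BytesIO(data), sums_text)


# Constructed sample: the vendor's release blob, a tampered copy, and the
# checksum list the vendor would publish alongside the release.
GOOD_ARTIFACT = b"constructed installer payload v1.2.3\n"
TAMPERED_ARTIFACT = b"constructed installer payload v1.2.3\n# extra bytes"
SUMS_TEXT = (
    "# release 1.2.3 checksums (constructed)\n"
    f"{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}  installer-1.2.3.bin\n"
)

if __name__ == "__main__":
    for label, blob in (("vendor copy", GOOD_ARTIFACT), ("tampered copy", TAMPERED_ARTIFACT)):
        ok, reason = verify_bytes("installer-1.2.3.bin", blob, SUMS_TEXT)
        print(f"{label}: {'OK' if ok else 'REJECT'} ({reason})")
    ok, reason = verify_bytes("unlisted.bin", GOOD_ARTIFACT, SUMS_TEXT)
    print(f"unlisted file: {'OK' if ok else 'REJECT'} ({reason})")
```

A checksum only helps if the checksum list itself is trusted: when it is served from the same mirror as the artifact, an attacker who replaces one can replace both, so the list should be signed by the vendor or fetched over a separate trust path.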

Malicious Macros in Documents

Malicious macros in everyday document types like Word, Excel, and PowerPoint files are a common method of distributing malware. The macro payload gets installed on a system when the booby-trapped document is opened by a victim.

From there, the malware can spread across networks by compromising shared folders containing documents, emailing itself as malicious attachments, or copying itself to connected systems. Blocking untrusted macros can reduce this threat for endpoints and networks.
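Blocking untrusted macros at the perimeter starts with recognising which documents carry them. Modern Office files are zip containers, and a document with macros holds a `vbaProject.bin` part and declares a macro-enabled content type in `[Content_Types].xml`. The following is an added example, not code from the article: it inspects a document for both indicators and refuses to pass anything it cannot parse as a zip (legacy `.doc`/`.xls` binaries need an OLE parser instead). The sample documents are constructed in memory, and the placeholder `vbaProject.bin` contains no real VBA.

```python
"""Flag Office documents that carry a VBA macro project (added example, not
from the article). OOXML files are zip containers; macro-bearing documents
contain a vbaProject.bin part and a macro-enabled content type. The sample
documents are constructed in memory for illustration."""
import io
import zipfile

# Standard OOXML indicators of VBA code. The check is conservative: a
# vbaProject.bin anywhere in the archive counts, not just under word/.
VBA_PART_SUFFIX = "vbaproject.bin"
MACRO_CONTENT_TYPE_MARKER = "macroenabled"


def macro_indicators(data: bytes) -> list[str]:
    """Return the reasons a document should be treated as macro-bearing."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip: legacy binary Office formats land here. Report it rather
        # than silently passing the file through.
        return ["not an OOXML container; inspect with an OLE parser"]
    with zf:
        names = zf.namelist()
        for n in names:
            if n.lower().endswith(VBA_PART_SUFFIX):
                reasons.append(f"VBA project part present: {n}")
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            if MACRO_CONTENT_TYPE_MARKER in ctypes:
                reasons.append("macro-enabled content type declared")
    return reasons


def should_block(data: bytes) -> bool:
    """Policy decision: block anything with macro indicators or that cannot be parsed."""
    return bool(macro_indicators(data))


def build_sample_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for the demo (not a real document)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("clean.docx", build_sample_docx(False)),
        ("macro.docm", build_sample_docx(True)),
        ("legacy.doc", b"\xd0\xcf\x11\xe0 constructed OLE header"),
    )
    for label, doc in samples:
        print(label, "BLOCK" if should_block(doc) else "allow", macro_indicators(doc))
```

Checking the archive contents rather than the file extension matters because a macro-enabled document renamed to `.docx` still carries its `vbaProject.bin`, and the extension alone would wave it through.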

Spearphishing Credentials Theft

Spearphishing attacks use carefully crafted emails to steal user credentials for critical systems and infrastructure. Once attackers gain access to internal accounts, they can stealthily move across the network compromising more systems and accounts, ultimately dropping malware.

This gradual network-wide compromise avoids triggering alerts that sudden malware infections would. Two-factor authentication, user education against phishing, and monitoring for lateral movement are key defenses against these types of attacks.

Exploiting Remote Management Tools

Most corporate networks use remote management and administration tools. However, access to these powerful tools also provides attackers an avenue for compromise. By stealing passwords or gaining remote access to just one endpoint tool, attackers can gain a foothold on the network.

They then leverage the built-in features of tools like RDP, SSH, and VPNs to perform lateral movement and distribute malware across networks. Rigorously securing remote access tools and protocols denies attackers this vector for infiltrating networks.

Exploiting Internet-Facing Vulnerabilities

Unpatched vulnerabilities in internet-facing applications and servers, like Remote Code Execution flaws, allow attackers to gain an initial foothold and deploy malware on targeted networks. Once in place, this malware then further compromises internal network resources.

Continuously patching public-facing systems and infrastructure denies easy initial access to attackers. For critical systems, techniques like isolating web applications, minimizing exposed surface area, and regular pen testing also help strengthen defenses.

Brute-force Attacks on Network Infrastructure

Network infrastructure such as firewalls, routers, and VPN concentrators is sometimes the target of brute-force password-guessing attacks. Given how deeply embedded and critical to network operations devices like firewalls are, compromising them offers attackers significant control and the ability to distribute malware widely across network segments.

Strong or multi-factor authentication, password vaulting, rate limiting, and alerting on brute-force attempts are key protections. Micro-segmentation and monitoring for abnormal network flows also help contain threats that breach infrastructure.
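Two of the detections called for on this page share one log pipeline: alerting on brute-force attempts against infrastructure (this section) and monitoring for lateral movement after credentials are stolen (the spearphishing section above). The following is an added example, not code from the article, covering both over the same authentication records. The log line format, the thresholds, the host names and the sample lines are all constructed for this example; the source addresses use documentation ranges. The brute-force rule counts failures per source address regardless of account, so it also catches password spraying across many usernames.

```python
"""Two detections over authentication logs (added example, not from the
article): (1) brute force, alerting when one source exceeds a failure threshold
inside a time window, and (2) lateral movement, alerting when one account logs
in successfully to many distinct hosts inside a window. Log format, thresholds
and sample lines are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Optional
import re

# Constructed log format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a record, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=2)):
    """Return (src, time) once per source when `threshold` failures fall within `window`."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures (any account)
    alerted, alerts = set(), []
    for r in records:
        if r["result"] != "FAIL":
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and r["src"] not in alerted:
            alerted.add(r["src"])
            alerts.append((r["src"], r["ts"]))
    return alerts


def detect_lateral_movement(records, max_hosts=3, window=timedelta(minutes=10)):
    """Return (user, sorted hosts) when one account succeeds on more than `max_hosts` hosts within `window`."""
    recent = defaultdict(deque)   # user -> (ts, host) of recent successes
    alerted, alerts = set(), []
    for r in records:
        if r["result"] != "OK":
            continue
        q = recent[r["user"]]
        q.append((r["ts"], r["host"]))
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) > max_hosts and r["user"] not in alerted:
            alerted.add(r["user"])
            alerts.append((r["user"], sorted(hosts)))
    return alerts


# Constructed sample: a guessing burst against the VPN from one external
# address, then a legitimate-looking account hopping across internal hosts.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z host=vpn01 user=admin src=203.0.113.5 result=FAIL
2024-03-01T10:00:03Z host=vpn01 user=admin src=203.0.113.5 result=FAIL
2024-03-01T10:00:05Z host=vpn01 user=root src=203.0.113.5 result=FAIL
2024-03-01T10:00:06Z host=vpn01 user=jsmith src=198.51.100.7 result=OK
2024-03-01T10:00:08Z host=vpn01 user=backup src=203.0.113.5 result=FAIL
2024-03-01T10:00:09Z host=vpn01 user=admin src=203.0.113.5 result=FAIL
2024-03-01T10:02:00Z host=ws-101 user=jsmith src=10.0.5.20 result=OK
2024-03-01T10:03:10Z host=fileserver user=jsmith src=10.0.5.20 result=OK
2024-03-01T10:04:30Z host=dc01 user=jsmith src=10.0.5.20 result=OK
2024-03-01T10:05:45Z host=hr-db user=jsmith src=10.0.5.20 result=OK
"""


def run(log_text: str):
    """Parse the log and return (bruteforce_alerts, lateral_movement_alerts)."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return detect_bruteforce(records), detect_lateral_movement(records)


if __name__ == "__main__":
    bf, lm = run(SAMPLE_LOG)
    for src, ts in bf:
        print(f"BRUTE-FORCE  src={src} at {ts.isoformat()}")
    for user, hosts in lm:
        print(f"LATERAL-MOVE user={user} hosts={','.join(hosts)}")
```

Both rules alert once per offender rather than on every matching line, which keeps a sustained attack from flooding the queue; the thresholds are starting points to be tuned against a baseline of normal administrator activity.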

Exploiting Zero-Day Vulnerabilities

Zero-day vulnerabilities are software flaws that remain unknown to vendors. These can be exploited by attackers before patches are available. Sophisticated hackers use zero-days to deliver customized malware as part of targeted intrusion campaigns.

Stuxnet and Flame leveraged multiple Windows zero-days to compromise systems across the internet. Defenses like behavior analytics help detect and stop zero-day malware, which signature-based tools cannot recognize because it is an unknown variant. Incident response plans also help minimize damage from undiscovered threats.

Conclusion

Malware has many pathways to gain entry and traverse across modern networks. Understanding how malware spreads through tactics like email, web, removable media, apps, lateral movement etc. is necessary to contain infections. A layered defense with email scanning, endpoint protection, firewalls, behavior analytics, access controls, and routine patching is key to limiting malware outbreaks across networks.
