Which of the following is a way that malicious code spreads?

Email Attachments

One of the most common ways that malicious code spreads is through email attachments. Malicious code can be hidden in email attachments in a variety of file types like documents, spreadsheets, images, etc. When a user opens the infected attachment, they are enabling the malicious code to execute on their system.

Mass spam email campaigns are frequently used to spread infections via email attachments. The emails are designed to entice the user to open the attachment through things like sensational headlines, fake invoices, too-good-to-be-true offers, and more. According to research, 61% of malware infections in 2020 were spread through email attachments.

Once opened, the malicious attachment can do things like install malware, give access to the attacker, and spread itself further. Users should exercise extreme caution when opening unsolicited attachments, even from known contacts whose accounts may have been compromised.
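
The attachment risk described above can be triaged before a user ever opens the file. The following is an added example, not part of the original article: the function names, the extension lists and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows runs directly when the file is opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta"}
# Office formats that can carry macros.
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".doc", ".xls"}
# Harmless-looking extensions used as the decoy half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def triage_attachments(raw_message: bytes) -> dict:
    """Return {filename: [reasons]} for attachments that deserve scrutiny."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        pieces = name.rsplit(".", 2)
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable or script extension")
        if ext in MACRO_EXTS:
            reasons.append("macro-capable Office format")
        if len(pieces) == 3 and "." + pieces[1] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
            reasons.append("double extension hides real type")
        # "MZ" is the magic number at the start of Windows executables.
        if data[:2] == b"MZ" and ext not in {".exe", ".scr", ".dll"}:
            reasons.append("Windows executable content under another extension")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed test message with three attachments (no real malware)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    for name, body in [("invoice.pdf.exe", b"MZ\x90\x00placeholder"),
                       ("report.pdf", b"MZ\x90\x00placeholder"),
                       ("notes.pdf", b"%PDF-1.7 placeholder")]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Running triage_attachments(build_sample()) flags the double-extension file and the mislabelled executable and leaves the genuine PDF alone.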

Infected Websites

One of the most common ways malicious code spreads is through infected websites. Attackers often plant malicious code on legitimate websites through vulnerabilities or by compromising the site owner. When users visit an infected website, the malicious code executes automatically without requiring any action from the user. This method of infection is known as a “drive-by download.”

According to “Malware Statistics in 2024: Frequency, impact, cost & more”, 75% of malware infections originated from infected websites in 2022, the highest rate since tracking began in 2016 (https://www.comparitech.com/antivirus/malware-statistics-facts/). The malicious code can install malware like viruses, worms, spyware or ransomware without the user’s knowledge.

Infected websites are an effective infection vector because users generally trust legitimate websites and may have no indication anything is wrong before the malicious software installs itself. By compromising trusted sites, attackers can infect many unsuspecting users rapidly.

Fake Software Downloads

One way malicious code spreads is by disguising itself as legitimate software. Cybercriminals will often create fake versions of popular programs and applications to trick users. When users download and install these fakes, thinking they are the real software, the malicious code infects their computer.

Malware is frequently bundled into software installers. Even if the program itself is legitimate, malware can be inserted surreptitiously. During installation, users may be unaware they are also installing malicious scripts or programs on their computer. According to Kaspersky Lab, over 9% of malware infections originate from fake software downloads.

The most common method is through fake versions of everyday tools like PDF readers, media players, downloader utilities, and codec packs. Users eager to get the latest software may inadvertently download the malicious fake. The malware is then activated when the fake program is installed and executed.

Malicious Links

One of the most common ways malicious code spreads online is through malicious links. These are links that redirect users to malicious sites or downloads when clicked. Malicious links are often found in places like:

  • Social media posts
  • Emails
  • Text messages

The goal is to get users to click on a link that contains hidden malicious code. For example, the link might direct to a fake login page to harvest usernames and passwords. Or it may automatically download malware onto the user’s device without them realizing it. According to Tessian, at least one person clicked a phishing link in around 86% of organizations in 2020.

These types of malicious links are often used in phishing and spear phishing campaigns. The links are made to look legitimate to trick users into clicking on them. But they ultimately redirect to malicious sites or initiate malicious downloads. Users should be wary of links from unknown or suspicious sources and avoid clicking on them.
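
Because these links are made to look legitimate, a mail filter or a cautious reviewer can compare what a link shows with where it actually goes. The following is an added example, not part of the original article: the class, function and sample HTML are assumptions constructed for illustration, and every host in the sample is a reserved example name or documentation address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that itself looks like a URL or a bare domain name.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]\S*)?$", re.I)
# Constructed sample e-mail body.
SAMPLE_HTML = (
    '<a href="https://login.example.net/reset">www.mybank.example</a>'
    '<a href="http://mybank.example@203.0.113.7/update">Download update</a>'
    '<a href="https://docs.example.org/guide">docs.example.org/guide</a>'
)


def link_reasons(href, text):
    """Reasons one <a href> deserves a second look (empty list if none)."""
    parts = urlsplit(href)
    host, reasons = parts.hostname or "", []
    # Dotted or plain decimal means an IPv4 literal; ':' means an IPv6 literal.
    if host.replace(".", "").isdigit() or ":" in host:
        reasons.append("raw IP address as host")
    if "@" in parts.netloc:
        reasons.append("userinfo before '@' disguises the real host")
    shown = URL_TEXT.match(text.strip())
    if shown and shown.group(1).lower() != host:
        reasons.append("visible text names a different host")
    return reasons


class LinkAuditor(HTMLParser):
    """After feed(html), .findings holds (href, reasons) per suspicious anchor."""

    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            reasons = link_reasons(self._href, "".join(self._text))
            if reasons:
                self.findings.append((self._href, reasons))
            self._href = None
```

Feeding SAMPLE_HTML to a LinkAuditor reports the first two anchors and passes the third, whose visible text matches its destination.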

Infected Removable Media

Malware can easily spread through infected removable media like USB sticks and external hard drives. The malware gets copied to the drive, often without the owner realizing it. Then when the infected drive is plugged into a new device, the malware automatically executes and infects that device. According to Kaspersky Lab, in 2017 their antivirus software detected 113.8 million likely malware infections from removable media, though this pales in comparison to web-borne threats [1].

Infected removable media is an effective way for malware to spread in a peer-to-peer manner. For example, malware placed on a USB stick might spread from one computer to another as the stick is shared between coworkers or friends. A recent Check Point study found USB malware still spreading actively, with one campaign managing to infect tens of thousands of victims globally [2]. Defending against these types of attacks remains critical.

Network Propagation

Malicious code often spreads across networks, servers, and databases by taking advantage of vulnerabilities and weak passwords. Once a system is infected, malware can move laterally between connected systems to infect more devices on the network.1 For example, threat actors may use the Server Message Block (SMB) protocol to propagate malware across organizations.1

According to one statistical modeling study, factors that influence malware propagation through a network include the capacity of central nodes and the bandwidth of network links.2 Research shows that network viruses spread quickly, have diverse transmission methods, and are difficult to eliminate once a system is infected.3

Social Engineering

Social engineering is one of the most common and effective ways malicious code spreads. It manipulates users into making security mistakes or divulging sensitive information. Rather than exploiting software vulnerabilities, social engineering preys on human vulnerabilities.

Phishing is a prime example of social engineering. Phishers send fake emails designed to look like they’re from a legitimate organization. They trick users into clicking malicious links or attachments that install malware. Phishing kits allow attackers to launch massive phishing campaigns and spread malware to many victims.

Voice phishing, or vishing, uses phone calls instead of emails. Attackers impersonate someone authoritative and pressure the victim into disabling security settings or sharing passwords. Pretexting involves making up a convincing story to extract information from the target.

Overall, social engineering is so effective because it exploits natural human tendencies to trust, help others, and comply with authority. No technical expertise is required. Attackers simply manipulate our psychological vulnerabilities and lack of awareness.

Software Vulnerabilities

Software vulnerabilities refer to bugs, flaws, or weaknesses in software code that can be exploited by malware. Malware often takes advantage of unpatched vulnerabilities in common software like Microsoft Office or web browsers in order to infect devices and systems.

According to CISA, exploitation of software vulnerabilities was one of the top three initial infection vectors for ransomware in 2021. By exploiting vulnerabilities, malware can gain access to systems and execute malicious code without the user’s knowledge or consent.

However, malware generally cannot exploit a vulnerability on its own – it requires some kind of user interaction to enable the infection. This often takes the form of the user opening a malicious file attachment or clicking on a malicious link that then triggers the exploit. Keeping software regularly updated with the latest security patches can help limit the vulnerabilities that malware relies on to propagate.

Trojan Horses

Trojan horses spread malicious code by disguising malware as legitimate software. This malware is installed willingly by users who think they are downloading needed software. However, once installed on a computer, trojans provide backdoor access and enable malicious hidden functions without the user’s knowledge.

As research has shown, trojan horse malware can act as dangerous “false friends” that infiltrate systems under the guise of something useful. An estimated 15% of computers are part of botnets recruited through trojan infection according to cybersecurity firm BitDefender. Recent research also found that trojan malware can contribute to the breakdown of the blood-brain barrier, enabling infections of the central nervous system.

Botnets

A botnet is a network of computers infected with malicious software and controlled as a group without the owners’ knowledge. These compromised computers, known as bots or zombies, are remotely controlled by an attacker or bot master. Botnets are used to spread malware and amplify the impact of an initial cyberattack (Kaspersky, 2022).

Once infected with malware, the computer joins the botnet and can be used to send spam emails, participate in distributed denial of service (DDoS) attacks, steal data, or distribute viruses, worms, and Trojans to other machines. By controlling many infected hosts, the attacker gains computing power and the ability to automate large scale malicious activities without being easily traced (Microsoft, 2020).

Botnets typically propagate through malicious attachments, downloads, compromised websites, and social engineering. They take advantage of security vulnerabilities to infect devices and spread. Once established, botnets are difficult to dismantle as they use layered encryption and virtual hosting techniques to cover their infrastructure (Science Direct, 2022).