
Malware: questions and answers

Detecting malware: malware comes in many ways

When PCs began to appear in more and more offices and private households in the 1980s, the Internet did not yet exist in its present form. Malware could therefore only get from one system to the next via removable storage media such as floppy disks or, later, CD-ROMs. Although USB sticks and external USB hard disks still play a role in malware distribution today, in the always-on age the Internet has clearly become the most important infection route, the one through which malware most frequently reaches other people's systems.

Cyber criminals attempt to infect other people's systems with malware through a wide variety of channels: for example, via a file attachment to a seemingly trustworthy e-mail, as a hidden "add-on" to a free download, or as a malicious macro within an Office document. Sometimes it is enough simply to visit a website carrying a manipulated advertising banner, and your own computer is already infected with a malicious program.

Most of the malware in circulation includes functionality for remotely controlling an infected system. Infected devices can be used by cyber criminals to set up a so-called botnet, usually without the users noticing. A botnet is a network, assembled for a period of time, of many computers and other Internet-connected electronic devices. It can be used, for example, to paralyze websites or to send spam.

As a result, in principle all devices connected to the Internet are at risk of malware infection. Beyond PCs, laptops, tablets and smartphones, this also applies to smart home products and consumer electronics that at first glance only remotely resemble a computer, such as a smart TV.

What are malware programs and what types are there?

Whether it is called a Trojan, a virus or a worm, all of these terms ultimately fall into the category of malware. Such malicious programs are often multifunctional and, once they have infected a system, are frequently able to download additional malicious programs from the Internet that cause further damage. One thing is certain: ever more sophisticated malicious programs that are ever harder to detect appear every day, and you should protect yourself against them as far as possible.

Which devices can be affected by malware?

In principle, every electronic device that connects to the Internet or accepts removable media is susceptible to malware. So in addition to PCs, laptops, smartphones and tablets, devices such as smart watches, televisions or vacuum cleaners can also be affected by malicious software. Whereas infected CD-ROMs or USB sticks used to be the more likely source of malicious software, today the permanent Internet connection of devices is the main gateway for malware. In any case, a newly purchased device should be protected right away.

How does a device become infected with malware (examples)?

E-mail attachments in file formats such as .exe or .scr can contain malware that is executed when the attachment is opened. Double file extensions such as "pdf.exe" are likewise intended to deceive users: the name suggests a PDF document, but the file is an executable. Office documents can also be used to load malware. Finally, harmless-looking links in the text of an e-mail that lead to infected websites or start the download of a malicious file when clicked can also endanger the system.
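The deception described above (executable attachments and double extensions such as "pdf.exe") can be caught by a simple name-based check before a user ever opens the file. The following Python is an added example, not code from the original page or from its authors: it classifies attachment names into "block", "warn" and "ok". The extension sets go beyond the page's two examples (.exe, .scr) with other well-known executable and macro-capable Office formats, and the sample names are constructed.

```python
import os
from dataclasses import dataclass

# Extensions that Windows runs as programs when double-clicked. The page names
# .exe and .scr; the other entries are well-known executable types added here.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".msi"}

# Extensions that look like harmless documents or pictures and are therefore
# used as the "inner" part of a double extension such as "invoice.pdf.exe".
DOCUMENT_LIKE_EXTENSIONS = {".pdf", ".txt", ".jpg", ".jpeg", ".png",
                            ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}

# Office formats that may carry macros.
OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".pptm"}


@dataclass
class Verdict:
    filename: str
    risk: str      # "block", "warn" or "ok"
    reason: str


def split_extensions(filename: str) -> list[str]:
    """Return all extensions of a file name, lower-cased and in order.

    "Rechnung.pdf.exe" -> [".pdf", ".exe"]. Whitespace inside the name is
    stripped so that padding tricks such as "invoice.pdf      .exe" do not
    hide the real extension.
    """
    base = os.path.basename(filename)
    parts = [p.strip() for p in base.lower().split(".")]
    return ["." + p for p in parts[1:] if p]


def assess_attachment(filename: str) -> Verdict:
    """Classify an attachment by file name alone (a heuristic, not a scanner)."""
    exts = split_extensions(filename)
    if not exts:
        return Verdict(filename, "warn", "no file extension; type unknown")
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE_EXTENSIONS:
            return Verdict(filename, "block",
                           f"double extension: looks like {exts[-2]} but is an executable ({last})")
        return Verdict(filename, "block", f"executable attachment ({last})")
    if last in OFFICE_EXTENSIONS:
        return Verdict(filename, "warn",
                       "Office document: may contain macros, do not enable macro execution")
    return Verdict(filename, "ok", "no obvious risk from the file name alone")


# Constructed sample attachment names (not taken from any real e-mail).
SAMPLE_ATTACHMENTS = [
    "Rechnung.pdf.exe",
    "holiday-photo.jpg",
    "screensaver.scr",
    "invoice.pdf      .exe",
    "Bestellung.docm",
    "README",
]


def assess_all(names=SAMPLE_ATTACHMENTS) -> dict[str, str]:
    """Map each file name to its risk level, e.g. for a mail gateway report."""
    return {name: assess_attachment(name).risk for name in names}


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        v = assess_attachment(name)
        print(f"{v.risk:5}  {name!r}: {v.reason}")
```

A name check like this only narrows down what a user should never open; it does not replace an antivirus scan of the file contents, since a genuine .docx or .pdf can still carry malicious content.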

Infected software: A Trojan is a malicious component hidden inside a piece of software. Users install it themselves without noticing, for example when downloading free software.

Websites: Visiting a website prepared with malware in the browser, for example from the results of a search engine, can also infect a device. The dangerous thing is that even legitimate websites can be contaminated with malicious code, for example through manipulated advertising banners. The website operator usually does not notice this.

What can malware do?

Spying on data: Malware can hide behind deceptively genuine-looking websites or in e-mail attachments from supposedly known contacts. The goal is to spy on or capture the personal information or login credentials of those affected in order to cause further damage via their online accounts. We have compiled a list of what you can do to prevent data theft in the Phishing section.

Extortion: Ransomware refers to types of malware that restrict or completely block access to data or to the system. Either the software blocks access to the entire system or it encrypts certain data. A ransom is then demanded for its release. Since it is not certain that the data can actually be decrypted again after the ransom has been paid, it is advisable not to respond to the demands and not to transfer money or cryptocurrencies such as Bitcoin.

Manipulation in online banking: If malware has been placed on a computer, it can intercept and manipulate the data traffic of online banking. Those affected see no clues that point to manipulation: from opening the website, through the input form, to completing the transaction, nothing looks unusual. The malware intercepts the data, changes it and forwards the manipulated data to the bank. Only the account statement reveals what damage has been done.

Display of advertisements: Adware, malware that displays unwanted advertisements, usually gets onto your device bundled with free downloads. If more and more pop-up windows with advertisements open while you are surfing, adware is probably at work. This software can be comparatively harmless, but most of the time it is also capable of recording user data while you surf the Internet in order to tailor the advertising pop-ups further.

How do I protect myself from malware?

  • Regularly and promptly update your operating system and programs on all devices to close security gaps.
  • Be careful when opening e-mails, especially when clicking on links and attachments and when the message is unexpected or comes from an unknown sender. But also be careful with supposedly known senders; see, for example, Emotet below.
  • Download files only from trusted sources.
  • Make regular backups of important data to protect yourself against its encryption and to be able to restore lost data yourself.
  • Where possible, install an antivirus program and a firewall so that malware is detected during unwanted downloads.
  • Use user accounts with reduced rights so that malicious programs do not obtain administrator rights and thus access to the entire system.

How do I check if my devices are affected by malware?

Cyber criminals try to sneak malware onto a system as unobtrusively as possible. If you suspect that something is wrong, for example because e-mails are being sent in your name, first examine your device with an up-to-date antivirus program. In any case, you should give your system a thorough check.

What can I do if I am affected?

Many malware programs make profound changes to the system that cannot simply be undone. In the case of a confirmed infection, the entire system should therefore be set up again from scratch. Regular backups make it easier to restore your data. If there are signs of a malware infestation, you should perform the following steps:

  • If the files have been encrypted by ransomware and no backup is available, keep the encrypted data, as it may become possible to decrypt it at a later time.
  • Reinstall the operating system.
  • After the reinstallation, change your passwords for all online access (email, social networks, etc.).
  • In any case, report any misuse or infestation of your system to your local police station or at www.polizei-beratung.de.

The special case of Emotet

The Emotet malware is currently considered a particularly serious threat and regularly causes severe damage to private consumers and companies in Germany. The reason: Emotet spreads itself to the contacts of users of infected systems with the help of very authentic-looking e-mails.

The recipients' systems are in turn infected with Emotet as soon as an Office document received as an attachment or via a link is opened and the execution of macros is enabled. Software downloaded afterwards then does the actual damage. How exactly Emotet works and how to protect yourself.

Virtually every technical system is threatened by malware

Unlike in the past, today's malware threatens not only computers in the narrower sense but, in principle, every software-controlled and networked system. In addition to smartphones and tablets, this applies in particular to routers and also to Internet-enabled devices such as digital heating thermostats or a garage door that can be controlled via the Internet.

The relationship between attack and defense methods resembles the well-known race between the hedgehog and the hare: on the part of the IT security industry, for example, every newly discovered malware program leads to an improvement in antivirus protection. Each improved defense mechanism in turn prompts the development of even more sophisticated attack methods to circumvent it.

As a result, this race leads to the increasing professionalization of malware development and to increasingly complex malware. Modern malware variants usually consist of several components that perform different functions, including the ability to load further program modules with additional functions after the initial infection of a system. Because of their versatility and multifunctionality, today's malware programs can hardly be assigned to a single malware category such as virus, worm or Trojan.

For example, the WannaCry ransomware, like the TrickBot banking Trojan, also has a typical worm characteristic, namely the ability to spread on its own within networks. Regardless of this difficulty in classification, a basic understanding of how the common malware types work is essential in order to respond adequately to the ubiquitous cyber risks.

What (almost) all current malware has in common

Malicious programs that come with a so-called backdoor function are widespread: such programs open a backdoor for cyber criminals that enables surreptitious remote access to the affected system.

Regardless of how a malware program is distributed, once it has infiltrated a computer it usually continues to operate autonomously, for example by loading further malware onto the device or by connecting to a so-called C2 server, through which it is centrally controlled as part of a botnet.

The malware receives commands, such as instructions to load further malware, from automatically operating command centers on the Internet, so-called command-and-control servers (C&C servers). The addresses of such C&C servers are either hard-coded in the malware's program code, or the malware contains an algorithm that generates changing C&C addresses, for example depending on the current date. Security specialists can find out the addresses by analyzing the code, and thus track down the C&C server in question.
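The defender's side of the last paragraph, as an added Python example that is not part of the original page: once analysts have recovered a date-dependent address generator from a sample's code, they can run it forward, pre-compute every domain it will produce for the coming days, and match those against DNS logs or feed them to a blocklist. The generator below is a constructed stand-in (SHA-256 over a fixed seed and the date) and is not the algorithm of Emotet, TrickBot or any other real family; the seed, TLD list and DNS log lines are constructed, and the log format "<timestamp> <client> <queried name>" is an assumption.

```python
import hashlib
from datetime import date, timedelta

# Constructed parameters standing in for values an analyst would recover from
# a sample's code: a fixed seed and the TLDs the generator cycles through.
# This is NOT the algorithm of any real malware family.
SEED = b"constructed-sample-seed"
TLDS = (".com", ".net", ".org")


def generate_domains_for_day(day: date, count: int = 5, seed: bytes = SEED) -> list[str]:
    """Toy date-dependent generator: the same day always yields the same domains.

    A real generator would be recovered by reverse engineering; SHA-256 of
    (seed, ISO date, index) is used here only to make the output deterministic.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        domains.append(digest[:12] + TLDS[i % len(TLDS)])
    return domains


def build_blocklist(start: date, days_ahead: int, count: int = 5, seed: bytes = SEED) -> set[str]:
    """Pre-compute every domain the generator will produce for the coming days."""
    blocklist = set()
    for offset in range(days_ahead):
        blocklist.update(generate_domains_for_day(start + timedelta(days=offset), count, seed))
    return blocklist


def find_hits(dns_log_lines, blocklist) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, domain) for each query to a pre-computed domain.

    Each log line is assumed to be "<timestamp> <client> <queried name>".
    """
    hits = []
    for line in dns_log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # ignore malformed lines
        ts, client, qname = fields
        if qname.lower().rstrip(".") in blocklist:
            hits.append((ts, client, qname))
    return hits


def demo() -> list[tuple[str, str, str]]:
    """Run the whole workflow on a constructed DNS log."""
    analysis_day = date(2024, 1, 15)
    blocklist = build_blocklist(analysis_day, days_ahead=7)
    # One line of the constructed log queries a domain the generator yields two
    # days after the analysis; the other queries are benign.
    c2_domain = generate_domains_for_day(analysis_day + timedelta(days=2))[0]
    log = [
        "2024-01-17T10:01:02 host-12 www.example.com",
        f"2024-01-17T10:01:05 host-12 {c2_domain}.",
        "2024-01-17T10:02:00 host-07 updates.example.org",
    ]
    return find_hits(log, blocklist)


if __name__ == "__main__":
    for ts, client, qname in demo():
        print(f"{ts} {client} queried pre-computed C&C domain {qname}")
```

The same pre-computed list is what makes sinkholing possible: registering or blocking the future domains before the malware reaches them cuts the botnet off from its command centers, and any client that still queries them has identified itself as infected.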