Malware (Malicious Software)
- Definition: Software specifically designed to damage, disrupt, or gain unauthorized access to network systems and devices
- Critical for network security - malware represents one of the primary threats to network infrastructure integrity
- Network engineers must understand malware types to implement proper defense-in-depth strategies
Primary Malware Categories
| Malware Type | Method of Operation | Network Impact | Detection Method |
|---|---|---|---|
| Virus | Attaches to legitimate files/programs | Spreads via file sharing, email attachments | Signature-based scanning |
| Worm | Self-replicating across network connections | Consumes bandwidth, crashes systems | Network traffic analysis |
| Trojan Horse | Disguised as legitimate software | Creates backdoors, steals credentials | Behavioral analysis |
| Ransomware | Encrypts data, demands payment | Network file shares become inaccessible | File integrity monitoring |
| Rootkit | Hides at the OS kernel level | Persistent access, difficult removal | Boot-time scanning |
| Spyware | Monitors user activity silently | Data exfiltration, bandwidth usage | Network monitoring tools |
Network-Specific Malware Behaviors
- Lateral Movement: Once inside network perimeter, malware spreads to adjacent systems using SMB shares, RDP, or SSH protocols
- Command and Control (C2): Infected devices communicate with external servers (often using DNS tunneling or HTTPS to evade detection)
- Data Exfiltration: Sensitive information transmitted outside network boundaries (watch for unusual outbound traffic patterns)
- Network Scanning: Malware performs reconnaissance using tools like Nmap to identify vulnerable services on TCP/UDP ports
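The C2 and exfiltration behaviors above are often visible in DNS resolver logs before anywhere else: a tunneling client encodes data in long, high-entropy subdomains under one attacker-controlled domain. The script below is an added example written for this page, not code from the original notes or any particular product. It runs simple heuristics over a constructed query log (the client addresses, domain names and thresholds are all assumptions chosen for illustration) and reports which clients show a tunneling-like pattern; the base-domain split uses the last two labels, which a production tool would replace with the Public Suffix List.

```python
import math
from collections import Counter, defaultdict

# Heuristic thresholds (assumptions for this example; tune to your own baseline).
MAX_LABEL_LEN = 30          # normal hostname labels are short; tunnels pack data into them
MIN_ENTROPY = 3.5           # bits per character of the subdomain part
MIN_UNIQUE_SUBDOMAINS = 5   # distinct subdomains under one base domain before we flag

# Constructed sample DNS query log as (client_ip, queried_name). Not real traffic.
SAMPLE_DNS_LOG = [
    ("10.0.1.7", "www.example.com"),
    ("10.0.1.7", "mail.example.com"),
    ("10.0.1.7", "cdn.example.net"),
    ("10.0.1.7", "login.example.com"),
    ("10.0.1.9", "www.example.com"),
    ("10.0.1.9", "4f9a1c7e2b6d0e8a3c5f7b1d9e2a4c6f.exfil.example"),
    ("10.0.1.9", "8b2e6d1a9f3c5e7b0d4a2c6e8f1b3d5a.exfil.example"),
    ("10.0.1.9", "1c7e3a9b5d2f8e0c4a6b2d9e7f1a3c5b.exfil.example"),
    ("10.0.1.9", "6e2a8c4b0d9f1e3a7c5b2d8e4f0a6c1b.exfil.example"),
    ("10.0.1.9", "3a9c1e5b7d2f4e8a0c6b4d1e9f3a7c2b.exfil.example"),
    ("10.0.1.9", "9d4b2e7c1a6f3e5b8d0a2c9e4f7b1d3a.exfil.example"),
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (subdomain, base_domain), treating the last two labels as the base.
    Simplification for the example: real tooling should use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_signals(name: str) -> dict:
    """Per-query features: base domain, longest label and entropy of the subdomain part."""
    sub, base = split_name(name)
    labels = [lbl for lbl in sub.split(".") if lbl]
    return {
        "base": base,
        "longest_label": max((len(lbl) for lbl in labels), default=0),
        "entropy": shannon_entropy(sub.replace(".", "")),
    }


def find_tunneling_candidates(log):
    """Group queries by (client, base domain) and flag pairs with many distinct
    subdomains that are unusually long or high-entropy, the shape DNS tunnels leave."""
    groups = defaultdict(set)
    for client, name in log:
        groups[(client, query_signals(name)["base"])].add(name)

    findings = {}
    for (client, base), names in groups.items():
        if len(names) < MIN_UNIQUE_SUBDOMAINS:
            continue  # a handful of odd names is normal; volume is the signal
        sigs = [query_signals(n) for n in names]
        long_labels = sum(1 for s in sigs if s["longest_label"] > MAX_LABEL_LEN)
        high_entropy = sum(1 for s in sigs if s["entropy"] > MIN_ENTROPY)
        reasons = []
        if long_labels >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append(f"{long_labels} queries with a label longer than {MAX_LABEL_LEN}")
        if high_entropy >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append(f"{high_entropy} queries with subdomain entropy above {MIN_ENTROPY}")
        if reasons:
            findings.setdefault(client, []).append(
                {"domain": base, "unique_subdomains": len(names), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for client, hits in find_tunneling_candidates(SAMPLE_DNS_LOG).items():
        for hit in hits:
            print(f"{client} -> {hit['domain']}: {hit['unique_subdomains']} unique subdomains; "
                  + "; ".join(hit["reasons"]))
```

On the constructed log, 10.0.1.7 is never flagged (few, short, ordinary names) while 10.0.1.9 is reported for six long, high-entropy subdomains under exfil.example. In a real deployment the same grouping works over resolver logs exported from BIND, Unbound or a cloud DNS service, and the thresholds should come from your own baseline rather than the constants above.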
Common Attack Vectors
- Email Attachments: .exe, .zip, .pdf files containing embedded malicious code
- Drive-by Downloads: Compromised websites automatically download malware to visiting clients
- USB/Removable Media: Autorun features execute malware when devices are connected
- Network Shares: Unsecured SMB/CIFS shares allow malware propagation across subnets
- Remote Access: Compromised VPN credentials or RDP sessions provide direct network access
Network Defense Strategies
- Perimeter Security: Deploy firewalls with deep packet inspection (DPI) to analyze application-layer content
- Network Segmentation: Use VLANs and ACLs to contain malware spread (principle of least privilege)
- DNS Filtering: Block known malicious domains at DNS resolver level (similar to military network hardening)
- Network Access Control (NAC): Verify device compliance before granting network access
- Intrusion Detection Systems (IDS): Monitor for suspicious traffic patterns and known attack signatures
Vocabulary
- Zero-Day: Previously unknown malware exploiting undiscovered vulnerabilities (no signatures available)
- Polymorphic: Malware that changes its code structure to evade signature-based detection
- Botnet: Network of infected devices controlled remotely by cybercriminals
- APT (Advanced Persistent Threat): Long-term, stealthy malware campaigns targeting specific organizations
- Indicator of Compromise (IoC): Network artifacts suggesting malware presence (unusual DNS queries, suspicious IP connections)
Notes
- Monitor network traffic baselines - sudden spikes in bandwidth usage or unusual connection patterns often indicate malware activity
- Default-deny firewall policies are essential (block everything except explicitly permitted traffic)
- Regular vulnerability scanning helps identify potential entry points before attackers exploit them
- Network forensics capabilities are critical for incident response - maintain packet captures and flow data for analysis
- Consider air-gapped networks for critical infrastructure (complete physical separation from internet-connected systems)
- Malware increasingly uses encrypted channels (HTTPS, DNS over HTTPS) making detection more challenging
- Employee security awareness training reduces social engineering success rates significantly
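The first and fourth notes above (traffic baselines, retained flow data) come together in a simple anomaly check: learn each host's normal outbound volume and destination set from a baseline window, then flag the day that departs from it. The following is an added example written for this page, not code from the original notes; the flow records, hosts, window length and thresholds are constructed assumptions. It handles the edge case a naive z-score misses: a host whose baseline is perfectly flat has zero standard deviation, so the code falls back to a ratio test instead of dividing by zero.

```python
import statistics
from collections import defaultdict

Z_THRESHOLD = 3.0      # standard deviations above the baseline mean (assumed)
RATIO_THRESHOLD = 3.0  # fallback multiple when the baseline has zero variance (assumed)


def constructed_flows():
    """Constructed flow records as (day, src, dst, bytes_out). Not real data."""
    flows = []
    for day in range(1, 9):
        # Workstation with mild day-to-day variation talking to three internal servers.
        for dst in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            flows.append((day, "10.0.2.15", dst, 15_000_000 + (day % 3) * 333_333))
        # A host that is perfectly steady during the baseline window.
        flows.append((day, "10.0.2.40", "10.0.0.5", 20_000_000))
    # Day 8: the steady host pushes 2 GB to an external address never seen before.
    flows.append((8, "10.0.2.40", "203.0.113.10", 2_000_000_000))
    return flows


def aggregate(flows):
    """Per source host: outbound byte totals per day and the destination set per day."""
    totals = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(lambda: defaultdict(set))
    for day, src, dst, nbytes in flows:
        totals[src][day] += nbytes
        dests[src][day].add(dst)
    return totals, dests


def detect_anomalies(flows, baseline_days, observe_day):
    """Compare observe_day against days 1..baseline_days for every source host.
    Returns {src: [reason, ...]} for hosts that deviate from their own baseline."""
    totals, dests = aggregate(flows)
    baseline_range = range(1, baseline_days + 1)
    findings = {}
    for src in totals:
        history = [totals[src].get(d, 0) for d in baseline_range]
        observed = totals[src].get(observe_day, 0)
        mean = statistics.mean(history)
        stdev = statistics.stdev(history) if len(history) > 1 else 0.0
        reasons = []

        if stdev > 0:
            z = (observed - mean) / stdev
            if z > Z_THRESHOLD:
                reasons.append(f"outbound bytes z-score {z:.1f} (baseline mean {mean:.0f}, observed {observed})")
        elif mean > 0 and observed > mean * RATIO_THRESHOLD:
            # Flat baseline: the z-score is undefined, so use a plain multiple instead.
            reasons.append(f"outbound bytes {observed / mean:.0f}x the flat baseline of {mean:.0f}")

        # Unusual connection pattern: destinations that never appeared in the baseline.
        known = set().union(*(dests[src].get(d, set()) for d in baseline_range))
        new_dsts = dests[src].get(observe_day, set()) - known
        if new_dsts:
            reasons.append(f"new destinations not seen in baseline: {sorted(new_dsts)}")

        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in detect_anomalies(constructed_flows(), baseline_days=7, observe_day=8).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data the workstation 10.0.2.15 stays within about one standard deviation of its baseline and is not reported, while 10.0.2.40 is reported twice: once for the volume jump against its flat baseline and once for the new external destination. The same aggregation applies directly to NetFlow, IPFIX or Zeek conn.log exports once they are reduced to (day, src, dst, bytes) tuples.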