Malware
Primary reference(s)
ITU, 2008. ITU Study on the Financial Aspects of Network Security: Malware and Spam. International Telecommunication Union (ITU). Accessed 3 October 2020.
Additional scientific description
In 2008, the International Telecommunication Union (ITU) reported that until a few years ago, the most common types of malware were viruses and worms. More recently other types have appeared and are widely distributed, including Trojan horses, backdoors, keystroke loggers, rootkits, and spyware. These terms correspond to the functionality and behaviour of the malware. For instance, a virus is self-propagating, and a worm is self-replicating (ITU, 2008a).
Malware is often categorised into ‘families’ (referring to a particular type of malware with unique characteristics) and ‘variants’ (usually a different version of code in a particular family). Malware is put in an information system to cause harm to that system or other systems, or to subvert them for use other than that intended by their owners (ITU, 2008a).
There are two principal ways by which malware can be inserted into information systems to carry out the malicious player’s goal. One option is an automated installation, and the other is manual installation. Malware compromises the system and may download additional payload code to expand or update its functionality. Once installed, new features and capabilities are therefore easily added (ITU, 2008a).
Malware can be used to distribute spam and to support criminal activities including those based on spam. It can be used to infect systems to gain remote access for the purpose of sending data from that system to a third party without the owner’s permission or knowledge. Malware can be instructed to hide that the information system has been compromised, to disable security measures, to damage the information system, or to otherwise affect the data and system integrity. Sometimes the malware uses encryption to avoid detection or conceal its means of operation (ITU, 2008a).
Metrics and numeric limits
None identified.
Key relevant UN convention / multilateral treaty
The Council of Europe (CoE) Convention on Cybercrime, also known as the Budapest Convention, is the only binding international treaty on this issue. At the time of writing, the total number of countries that had ratified the convention was 64, including both members and non-members of the CoE (CoE, 2001).
Examples of drivers, outcomes and risk management
Malware attacks can originate in the cyber environment, such as via worms or other malware, by direct attack on critical infrastructure, such as telecommunications cables, or through the actions of a trusted insider. A combination of these attacks is also possible. Risks are often characterised as high, medium, or low. The level of risk varies among different components of the cyber environment (ITU, 2008a).
Cyber security threats and attacks are growing rapidly, and a wide variety of types of malware exist, including computer viruses, worms, Trojan horses, spoofing attacks, identity theft, ransomware, spyware, adware, rogue software, and scareware. Some examples are summarised as follows (ITU, 2008b):
- Worm: a programme that reproduces by replicating itself from one system to another without the need for human involvement.
- Virus: attaches itself to user files and can become active by replicating itself into other files when an unsuspecting user performs an action such as opening an infected file.
- Trojan horse: conceals harmful code that the user does not suspect.
- Spoofing attack: a complex attack that exploits trust relationships.
- Identity theft: involves capturing or copying personal identity details such that the legitimate owner or user may not even be aware of the theft.
Antivirus scanning technologies are therefore used to ensure that the security of a system is maintained (ITU, 2008b).
Risk management measures include the use of antivirus software to protect cyber environments against malicious code, worms and Trojan horse attacks. Internet Service Providers (ISPs) can provide the software, or it can be installed on a user's own electronic device. Various techniques such as string signature scanning, activity scanners and static heuristic scanners are used to identify malware, viruses, worms and Trojan horses (ITU, 2008b).
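As an added illustration of two of the detection techniques named above, string signature matching and static heuristic scanning, the following Python scanner is example code written for this page; it is not taken from ITU or from any antivirus product. The signature patterns, the sample file contents, the entropy threshold and the file-type mismatch rule are all constructed for the demonstration. The entropy heuristic reflects the earlier point that malware sometimes uses encryption to avoid detection: encrypted or packed content has a byte distribution close to uniform, which a static scanner can flag even when no known signature matches.

```python
import math
from dataclasses import dataclass, field

# Constructed byte patterns standing in for vendor signature definitions.
# They are not real malware signatures; they exist only for this demonstration.
SIGNATURES = {
    "Sample.Worm.Replicator": b"COPY_SELF_TO_SHARE",
    "Sample.Trojan.Dropper": b"FETCH_STAGE2_PAYLOAD",
}

# Bits per byte. Plain text sits around 4-5; uniformly random (encrypted or
# packed) data approaches the maximum of 8.0. Threshold chosen for the example.
ENTROPY_THRESHOLD = 7.0

# Extensions that should never carry a Windows executable ("MZ") header.
DOCUMENT_EXTENSIONS = (".txt", ".csv", ".pdf", ".docx")


@dataclass
class ScanResult:
    name: str
    signature_hits: list = field(default_factory=list)
    entropy: float = 0.0
    heuristic_flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.signature_hits or self.heuristic_flags)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def string_signature_scan(data: bytes) -> list:
    """Return the names of every known signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def static_heuristic_scan(name: str, data: bytes) -> tuple:
    """Return (entropy, flags) without executing anything: content-only checks."""
    flags = []
    entropy = shannon_entropy(data)
    if entropy >= ENTROPY_THRESHOLD:
        flags.append("high-entropy-body")
    if name.lower().endswith(DOCUMENT_EXTENSIONS) and data.startswith(b"MZ"):
        flags.append("type-mismatch")
    return entropy, flags


def scan_file(name: str, data: bytes) -> ScanResult:
    entropy, flags = static_heuristic_scan(name, data)
    return ScanResult(
        name=name,
        signature_hits=string_signature_scan(data),
        entropy=entropy,
        heuristic_flags=flags,
    )


def scan_all(files: dict) -> list:
    return [scan_file(name, data) for name, data in files.items()]


# Constructed sample "files": harmless byte strings that merely exercise each rule.
SAMPLES = {
    "notes.txt": b"Quarterly planning notes: review budget, schedule meeting, send summary.",
    "update.exe": b"MZ" + b"\x90" * 64 + b"FETCH_STAGE2_PAYLOAD" + b"\x00" * 32,
    "packed.bin": bytes(range(256)) * 4,   # every byte value equally often: entropy 8.0
    "invoice.txt": b"MZ" + b"\x90" * 32,   # executable header behind a document name
}

if __name__ == "__main__":
    for result in scan_all(SAMPLES):
        verdict = "SUSPICIOUS" if result.suspicious else "clean"
        print(f"{result.name:12} entropy={result.entropy:.2f} "
              f"signatures={result.signature_hits} heuristics={result.heuristic_flags} -> {verdict}")
```

Running the block prints one line per sample: the dropper is caught by its signature, the packed blob and the mislabelled executable are caught only by the heuristics, and the plain text file is reported clean. The split between the two functions mirrors the distinction in the text: signature scanning only ever finds what is already catalogued, while static heuristics trade some false positives for coverage of variants and encrypted payloads that no signature yet describes.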
WannaCry is an example of Trojan horse malware that was used to extort money by holding files to ransom. In a report by the UK National Audit Office (2018), on Friday 12 May 2017 a global ransomware attack, known as WannaCry, affected more than 200,000 computers in at least 100 countries. In the UK, the attack particularly affected the National Health Service (NHS), although it was not the specific target. At 4 pm on 12 May, NHS England declared the cyber-attack a major incident and implemented its emergency arrangements to maintain health and patient care. On the evening of 12 May, a cybersecurity researcher activated a kill-switch so that WannaCry stopped locking devices. According to NHS England, the WannaCry ransomware affected at least 80 out of the 236 trusts across England, because they were either infected by the ransomware or had turned off their devices or systems as a precaution. A further 603 primary care and other NHS organisations were also infected, including 595 General Healthcare Practices. As an example of the impact of the cyber-attack on the health sector, it was reported that thousands of appointments and operations had been cancelled (UK National Audit Office, 2018).
Security is fundamentally about risk management, and many techniques can be used to manage risk. Examples include: developing a defence strategy that specifies countermeasures to possible attacks; detection, which identifies an attack in progress or afterwards; formulating a response that specifies the collection of countermeasures needed to stop an attack or reduce its impact; and formulating a recovery strategy that enables the network to resume operation from a known state (ITU, 2008a).
References
CoE, 2001. Convention on Cybercrime. Council of Europe (CoE). Accessed 21 November 2019.
ITU, 2008a. ITU Study on the Financial Aspects of Network Security: Malware and Spam. International Telecommunication Union (ITU). Accessed 3 October 2020.
ITU, 2008b. X.1205: Overview of cybersecurity. International Telecommunication Union (ITU). Accessed 21 November 2019.
UK National Audit Office, 2018. Investigation: WannaCry cyber attack and the NHS. HC 414 SESSION 2017–2019. Accessed 3 October 2020.