Security awareness

How Security Awareness Training Can Save You From the Horror of Malware

August 10, 2017 by Ki Nang Yip


The first impression of cybersecurity usually refers to the technical aspect. Computer science jargon ranging from software development, network configuration, database management and hardware manufacturing are not easy to be comprehended by average computer users. These fields require specialist knowledge as well as significant theoretical and practical training. Certainly, security issues take place in these aspects and they naturally call upon expert intervention. Nonetheless, the primary cause of a great majority of cybersecurity events has something to do with a careless and innocent click which downloads or activates a malware on the computers of the targeted victim. Once the initial attack succeeds, the following lateral expansion can cause significant damage for the victim. In this perspective, the emphasis of cybersecurity should also be placed on the non-technical aspect.

The landscape of cybersecurity evolves fast. New threats and approaches of attack emerge on a daily basis. High profile network intrusions take place  regularly, not to mention those unreported ones. Their scale and consequences go beyond the technical aspect. The notorious Stuxnet (2010) is a vivid example of the damages a malware can make against a critical infrastructure.   that employees of the Iranian nuclear research facilities found USB keys containing the malware in some car park of the government building. These USB keys were then used in the monitoring systems of nuclear centrifuge and eventually disrupted the functioning of the facilities. The negligence of the security awareness of average users can be fatal to an institution.

Given that personnel of non-technical backgrounds might not be sufficiently aware of the cybersecurity risks they face, they can be the easy target of the attacker. Therefore, a cybersecurity basis should start  with educating these personnel to be cautious of malware and unknown hardware. These two initial steps can greatly reduce the cybersecurity risk of institutions. The availability and development cost of such software make it easily accessible for attackers of all levels. The diffusion speed and scale of malicious software can go out of control within minutes. Hence, recognizing the different malware categories, their features and countermeasures is a crucial step in the security awareness training for non-technical personnel. It helps them understand the consequences of careless operations.

An Overview of Malware

What is malware?

Malware is a coined word of malicious and software. One generally agreed-upon definition of malware refers to software created or modified to cause harm to a computer device. Most of the time, malware are developed to usurp the authorities of the legitimate user. Thus, it achieves the other objectives of taking control over the computer of the victim. The idea of malware comprises a great variety of malicious codes for diversified purposes. Retrieving confidential data, identity theft, hijacking traffic and operating system, encrypting digital assets and user surveillance are several notable capabilities of malware. The world of malware is rich and dynamic. There are, spyware, virus, worm,  ransomware, remote access Trojan (RAT), rootkit and Trojan horse. The name of each malware illustrates its particular feature and usage.

In a way, the notion of malware is simplified or misled by computer security vendors. Antivirus software is marketed as if the virus is an equivalence of all malware and the only possible malware. The attributes of all other types of malware are attached to “virus” to attract attention in the market. It is true that most computer users are ordinary non-technical people. It might not be necessary to learn the features of every malware by heart. However, having adequate understanding of the major types of malware helps institutions deal with them with appropriate antidotes in case of malware infection.

Malware Types

It is crucial not to confuse the malware type in order to ensure the right diagnosis in case of system intrusion. Malware can be firstly categorized by the way they spread as well as the effects they generate. The following types are some of the most common malware:


To begin with the most advertised malware, a virus is a malicious self-replicating code that is attached to or hidden in an executable file to lower the alertness of the user. Once the virus is executed, it can infect other applications and continue to replicate itself. Viruses can be transmitted through both email and hardware (USB key and other external computer accessories). They are usually designed with stealth techniques to avoid being detected by antivirus software.


Worms are often confused with viruses. Indeed, both look similar in many ways except that worms are self-executable files. They do not require user activation and they can execute and replicate themselves on multiple computers. Powerful worms can be self-regulating and even self-healing. Stuxnet is a renowned example of such worms.

Trojan Horses

Thirdly, Trojan Horses are shields of malicious codes. They are disguised as innocuous applications to trick the user to download it from a website or copy it from an external storage device. Video players, games and other free Internet services are ubiquitous baits to lure the user to download Trojan Horses. One important feature of Trojan Horses is that they are not developed to self-execute and infect other applications without the further assistance of the targeted victim.

Spyware, Ransomware and Keystroke Logging

The virus, worm and Trojan Horse belong to the first category of malware—spreading approach. Malware can further be categorized with their features. Keystroke logging, spyware and ransomware are some of the examples spread by virus, worm or Trojan Horse. Keystroke logging  can record every instruction the user puts in on the computer, namely, passwords, credit card information and any other sensitive data. The second one, spyware, can be deployed to silently activate the camera and microphone to collect the surrounding information of the operation environment as well as spy on the user. The third one, ransomware, targets users and companies with valuable data assets. Once activated, the ransomware can encrypt and hijack  the entire database and ask for a ransom in exchange for deciphering the seized data.

Rootkits, RATs and Backdoors

Rootkits, RATs and Backdoors are, in a way, developed for the same purpose. They are sophisticated malware aimed at acquiring or bypassing the highest authority of the computer. Rootkits focus on the former feature. Once deployed, it permits the attacker to have privileged access to the root system. RATs and Backdoors are discrete malware developed to set up a secret remote access on the victim’s computer so that the attacker can monitor and execute applications remotely and legitimately.

Misconceptions about Malware

It is understandable that malware is associated with disruptive attributes. Nevertheless, it should be emphasized that the features of malware sometimes are indispensable tools for legitimate activities. For example, RAT and spyware are useful tools for remote working such as work progress monitoring and remote technical support. Therefore, the intent of the software determines its malicious or legitimate nature.

Moreover, it is true that many malware target the vulnerabilities of Microsoft Windows. It does not mean that other operating systems like MAC OS and Linux are immune to malware . As of March 2017, different versions of Windows have approximately 90% market share of the operation system market. Its popularity among average users makes it a good target for the attacker to exploit and develop tools to infect as many users as possible. Linux might have a small presence in the desktop operation system market, however, 35.9% of the top 10 million servers and 96.6% of the top one million servers run on Linux. Catching a Linux malware such as Linux/Rst-B and Troj/SrvlnjRk-A can paralyze the services provided by Linux servers. More importantly, such a misconception encourages non-Windows users to perform adventurous actions or visit websites of high risk, for examples, adult content and free media sharing platforms. In the case of opening a malicious link of a phishing email and thus entering personal information on the fraudulent website, it makes no difference whether the operation system of the victim is Linux, Windows or MAC OS. Therefore, it is unwise to believe that malware only attacks Windows.

In addition, several misunderstandings about malware concerning user behavior can undermine the overall security level of the institution. One conspiracy theory suggesting that antivirus software developers develop malware to attack the users so as to justify the power of their antivirus products. Therefore, the disciples of this idea refuse to install any antivirus protection on their computers. They think that not downloading anything from the Internet or visiting high risk websites would suffice in protecting their computing systems. Besides, some computer users believe installing more than one antivirus application can ensure additional protection. As a matter of fact, this behavior may generate incompatibility issues between the different antivirus software might see each other as malware.  These fallacies, in a way, facilitate the attacker to break down the security of the target. Last but not least, it is a common belief to format the infected machine to restore the factory configuration as a final solution to get rid of a malware. Unfortunately, this is only partially true because the malware can infect the firmware or hide in unformatted partitions of the hard-drive and the backup copies of personal file. Formatting and restoring Windows does not necessarily uproot the malware.

User behavior is not a hardware problem whereas it can generate multiple vulnerabilities for the computing system and thus expose the user to more security threats. The security awareness training coach should recognize these user misconceptions and behavior so as to deliver effective results.

Malware Detection, Protection and Removal

The different types of malware require various levels and approaches of detection, protection and removal solution. Having reviewed the features and types of major malware, it is indispensable to examine the infection signs so as to identify protection and removal cures in case of system intrusion.

Malware Infection Signs

Most malware have observable symptoms. The most obvious one usually is the popup messages of ransomware, adware and browser redirect links urging the user to take immediate actions or the normal functions of the system cannot be restored.  These popup messages are evident signs of malware presence. In particular, the fraudulent toolbars and other browser redirect gadgets can be highly misleading. They expose the infected computer to further risks by luring the victim to install other malware, provide personal and banking information. In some cases, the malware can disable the antivirus software and firewall of the computer, leaving the victim completely defenseless. These multiple penetrations eventually lead to regular system crashes because the malware can cause compatibility issues and conflicts with other applications.

Malware can sometimes be discrete and not easy to identify. Hence, it can always run on the system background once they are installed. This naturally consumes additional processor, ram, hard-disk and network capacity as the malware executes commands and occupying network speed. It eventually drags down the system performance. The decreasing speed and network performance are also reliable initial indicators of system compromise.

Finally, as shown in malware like Rootkits and Keystroke logging, the attacker can transform the computer of the victim as a botnet or use his identity on the Internet. It is therefore not surprising to notice that the Internet Protocol address (IP) of the victim is blacklisted, or his friends and family inform him for his sending unusual messages to them. The damage of malware can surely go further than simply being unable to login to the email and bank account of the victim. These symptoms are good signs of malware infection. The users should be alerted of such issues and conduct regular security check to ensure their computers are in good health.


Malware Protection

The consequences of getting infected by the various types of malware can be catastrophic for an institution. Thus, establishing effective protection is a fundamental step to ensure the cybersecurity of the institution. This can be done through two principles, personal vigilance and protective tools. The former is a crucial guarding gate. It suggests that non-technical personnel should be trained to stay wary and alerted for suspicious emails. Phishing is always the first and foremost penetration strategy targeting low-level employees. Verifying the identity and downloading source legitimacy are always useful elementary steps to defend against aggressive attempts. The latter provides an immediate prevention and detection layer in case of malware intrusion. High performing comprehensive anti-malware software should be able to stop malware from being downloaded or executed as well as warn the user about high risk applications and websites. Having a prepared, cautious and critical spirit alongside a robust anti-malware software do not demand the knowledge of a computer scientist.

Malware Removal and Incident Response Procedures

Nowadays, many institutions should have established internal procedures in case of malware installation. The first consideration should be installing a high performing anti-malware software on every computer. Normally, as long as the computer is equipped with a robust and updated anti-malware software, it can provide automatic actions such as quarantine or delete the malware and infected files. End users should be aware of getting security updates and patches regularly to ensure the functioning of the anti-malware software. In addition, it is important to have a good reporting mechanism that the intrusion details are reported to the security officer or responsible person of the institution. In some sophisticated cases, the operating system can no longer function correctly and the user can hardly execute the anti-malware in the normal operating environment. The reporting mechanism can swiftly get the technical personnel involved to provide assistance and decide countermeasures such as disconnecting from the Internet, malware containment and reporting to law enforcement authorities. For the security officers, the information collected from the malware can be useful in testing and reinforcing the existing procedures, security awareness enhancement and malware resistance.


Malware can cause devastating damages to the victim computer and even the entire institution network. Indeed, there are many misconceptions and stereotypes about managing malware. The cybersecurity ecosystem will go on to deal with more sophisticated malware and concern more non-technical positions. Understanding the basis of different types of malware and solutions do not require years of expertise in cybersecurity. Most importantly, they play a significant role in nurturing high security awareness for non-technical personnel.

Posted: August 10, 2017
Ki Nang Yip
View Profile

Ki Nang is a researcher in cybersecurity, industrial espionage and political science. He conducts his PhD research in Paris. He studies state-funded cyber-espionage, political impacts in cyberspace for corporate development, and new forms of cybercrime. In his spare time, he also follows cybersecurity and political issues in China, U.S. and Russia.