Fell Free To contact Us

Shannon: (061) 708 820

Dublin: (01) 531 3777



Malware & Exploit Attacks Explained

Malware & Exploit Attacks Explained

Malware & Exploits, What you need to know


Today’s cyber threat landscape is driven by an array of attack techniques that grow

constantly in both diversity and sophistication.

To the average person, the often bizarre and cryptic names given to most attacks offer little about

the attack’s nature. However, it’s a fair assumption that not all cyber attacks are created equal; there

are several different techniques and vectors to consider, for starters. Regardless whether or not you

are technically versed when it comes to cybersecurity, there is much to be gained from a deeper

understanding of what differentiates one attack technique from another.


This blog aims to inform you about two different yet often confused types

of attacks: Exploits and Malware.




In Latin, ‘mal’ is a prefix which denotes ‘bad’, ‘evil’, and ‘wrong’. Therefore, it should come as no

surprise that the name ‘malware’ was coined to represent an ever-expanding collection of intrusive

software and executable code purposely engineered to do bad things.


The earliest form of malware was the computer virus, which is reported to have first appeared in the

wild sometime in the early 1980s. Many early viruses were written with arguably little to

no criminal intent, but the evolution of malware surged during the dawn of the internet age, with

many new types of infections designed to bombard users with intrusive advertising. That picture

has changed drastically over the last decade and a half. Malware has steadily evolved to become

the weapon of choice for cybercriminals across the globe, leveraged for attacks that are deliberate,

rampant, and in many cases—highly targeted. Today’s malware is made up of worms, trojans, rootkits

and ransomware, virtually all of which are actively used for financial gain (theft of sensitive data,

industrial espionage, extortion or ransoming of files) and for destabilizing or destroying infrastructure

and organizations.


The level of targeting of malware attacks varies significantly. For example, ransomware attacks—

whose objective is profit—tend to be very widespread, with the goal of extorting as much money

as possibly from its victims. On the other hand, malware designed to exfiltrate sensitive information

from an organization would target only a few individual users or small numbers of servers of a

specific type.


The endpoint has long been malware’s primary penetration target; after all, this is where

sensitive data lives. Today’s endpoint devices are numerous, span several different computing

platforms, and are more mobile and dynamic than ever before in today’s hyper-connected world.

As such, they are much more vulnerable against increasingly sophisticated and stealthy malware



Popular Types of Malware



One of the earliest forms of malware, viruses self-replicate when executed, infecting

other programs or systems for sabotage or profit. The vast majority of viruses target

Microsoft Windows-based computers.



A piece of malware designed to appear as something entirely different to the user,

masking its true intent. Trojans are typically spread via social engineering techniques

(seemingly benign e-mail attachments) or by drive-by downloads.



Malware designed to replicate itself in order to spread to other systems through a

computer network. Unlike viruses, worms do not need to attach themselves to other

programs in order to spread. Worms have been instrumental in the creation of botnets

through installing back doors on infected computers.



A form of malware that launches unwanted advertisements (usually pop-up windows)

on infected computers. Most adware doesn’t present a substantial threat, but it has been

routinely classified as a cyber threat, nonetheless.



A form of malware designed to capture sensitive user data (files or user actions on

the target system). Spyware can stealthily infect a system via a Trojan or web browser




A form of malware engineered to extort money from users and institutions. Ransomware

attacks will either encrypting a target device’s files, or by locking the user out the device

completely until a ransom is paid within a short time period.


FILE-LESS / MEMORY-A malicious program typically injected into some running process, and executes only

ONLY MALWARE in RAM. This vector of attack is difficult to detect, but does not persist if the system is

rebooted because memory is volatile.




Though there are many different types of malware today, such attacks follow roughly the same

framework in terms of how they unfold.


PHASE 1: Attack Targeting and Inception

Every malware-based attack begins with some sort of targeting strategy. Based on the end goal,

cybercriminals will determine the method of launching their attack. If profit is the primary objective—

such as with ransomware attacks—then attackers will target as many users as possible, and opt for

an install route with the highest likelihood of success. In these cases, attackers use spear-phishing

e-mail blasts in which recipients are incited to open up the message’s attachment, which then

launches the malicious malware program. Other widespread targeting methods involve the use of

websites, where attacks are initiated through hidden redirects and drive-by-downloads. Attackers

will typically focus their attention on public websites running vulnerable web or application servers

that they can leverage. Attacks targeting specific systems or individuals might also leverage exploits

and different types of social engineering techniques to entice an insider to unknowingly install

the malware from within the organization’s firewall. If the goal is to compromise a specific type of

endpoint system, the malware could be engineered to remain hidden or dormant until it finds itself

on that system.


PHASE 2: Exploit Discovery


Many attackers favor packaging malware into exploit kits that they covertly place on legitimate

websites, or host the malware on a fake website designed to look like a legitimate site. When a

potential victim’s browser connects with a website hosting an exploit kit, the kit probes the visitor’s

system and extracts information like OS version, browser type, and installed applications, in order to

find vulnerabilities to exploit.


Exploits and malware go hand in hand. All types of enterprise and consumer applications have

vulnerabilities that can potentially be exploited, paving the way for malicious programs to find their



PHASE 3: Payload Delivery


In the payload delivery stage, the malicious program will download and install a “payload” to the

target endpoint device. This payload could be the piece of malware itself, or it could be a hidden

downloader which then creates a backdoor through which multiple types of malware can be

downloaded, allowing different attacks to be executed.


PHASE 4: Execution of Attack


At this point, the malicious program has reached its target and begins to run on the system, carrying

out the attacker’s intent. In the case of ransomware, the program will begin to encrypt the user’s files

or block critical system operations, thus locking the user out. More sophisticated attack code can be

designed to trigger off

of specific system events, or stealthily steal data over an extended period of



PHASE 5: Malware Propagation


If a malware attack goes undetected or unmitigated, it will likely spread laterally, infecting other

endpoints or even launching further targeted attacks via the network. As the malware persists, it

communicates back to the attacker’s back end, or to other command & control servers. Lateral

spread is often the goal of attacks leveraging RATs (Remote Access Trojans). RATs are malware

programs designed to establish administrative control over the host computer through back doors.

Once such control is gained by an attacker, they can distribute RATs to other vulnerable computers

on the network, establishing a botnet.





Much of malware’s sophistication is attributed to its ability to evade detection by security solutions.

A considerable portion of malware out there today is well known and has been classified by threat

intelligence services used by traditional antivirus (AV) solutions to identify and preemptively block

malicious programs from running. With static prevention, the currency of threat intelligence is

signatures. Every piece of known malware has a distinct signature; typically a static hash consisting of

a calculated numerical value of a segment of code unique to that particular malware variant.


However, static prevention methods are completely ineffective at catching new, never-before-seen

malware. Simply put: no signature equals no detection. It’s interesting to note that new malware isn’t

necessarily new; an existing piece of malicious code can be quickly transformed into a brand new

binary with only a slight modification of its source code, or by packing that code into an entirely

different program in order to obfuscate it. By today’s cybersecurity standards, getting past AV is no

remarkable feat.


Bypassing advanced security measures requires significantly more effort and ingenuity on the part of attackers

and malware engineers. Sandboxing solutions are a substantial step up from traditional antivirus, which many

organizations deploy for their ability to dynamically detect new or more advanced malware. Sandboxing

attempts to detect malware attacks by running suspicious programs in a virtualized environment designed to

emulate the target device. Signatures are dynamically created by the sandbox for programs it deems malicious,

and can be shared with firewall solutions for enhanced localized prevention. This approach has proven to

be successful in alerting of ‘patient zero’. However, more advanced forms of malware can detect sandbox

environments, and the malicious program can be designed to lie dormant until it finds itself on a ‘real’ endpoint

device of a specific configuration.


The list below summarizes various types of types of countermeasures employed by attackers.



Designed to hide an attack payload or malware

inside of a new binary



Designed to slightly alter code to make known

code appear new/different



Designed to bypass static prevention (can also

include anti-VM, sleepers, interactions, anti-

debugging features)



Designed to allow code to run only on a

specific target machine/configuration


Malicious Code

The attack code that runs with the goal of

persisting, stealing, spying, or exfiltrating data


Anatomy of an Advanced Malware Program

Basic malware can be made to appear new or benign to antivirus protection with just a few simple

code alterations, and more sophisticated pieces of malware can be engineered to evade detection by

more advanced security solutions, like sandboxes. In order to effectively protect against all types of

malware attacks—simple or sophisticated—a Next-Generation Endpoint Protection (NGEP) solution

is required. NGEP detection is based on how a malicious program behaves, and not just on what the

program actually is. Though there are many different types of malware, and millions of variants in

existence, malware in general tends to follow specific behavioral patterns. Behavior-based detection

is proven to be highly effective in detecting malware attacks.



In the realm of cybersecurity, exploits are malicious programs that take advantage of application

software or operating system vulnerabilities. Such vulnerabilities represent critical security gaps

for organizations and individual users alike, and software vendors are compelled to regularly issue

patches that fix vulnerabilities discovered through their own internal quality testing or by application

users themselves.


Exploits typically target productivity applications such as Microsoft Office (Word, Excel, etc.), Adobe

applications, web browsers and operating systems, and they continue to pave the way for many

malware-based attacks. Though not all exploits involve file-based malware (for example: null/default

system password exploits, DDoS attacks), the exploit/malware combination is highly prevalent when

it comes to targeting endpoints.


One prominent example of an exploit-facilitated malware attack involves a known vulnerability in

Microsoft Office. The exploit is crafted to fool the targeted application into executing malicious

code, which is hidden within the document as shellcode. The running malware would then allow the

attacker to take control of the affected system. Should the logged-on user have admin privileges,

the impact of the attack would be more severe. Though this vulnerability is known and documented,

the exploit is still in use by attackers simply because many organizations and users have not gotten

around to installing the released patch.



Aside from constantly pushing users to exercise basic caution when opening up e-mail attachments

from unknown senders and downloading files, minimizing the risk of exploit-based attacks begins

with routine patch installations for software applications and operating systems. Most organizations

endeavor to routinely patch their critical applications and operating systems in a timely manner

for compliance and security purposes. However, the ones who fall behind by not having the latest

patches installed expose themselves to substantial risk of attack; usually, with each new patch

release, details of the vulnerabilities fixed by the patch are made available to everyone—including

attackers. With this information, attackers can develop a corresponding exploit and launch a

successful attack against any unprotected endpoint system whose software isn’t up-to-date with

the latest vulnerability fixes. In fact, 99.9% of exploited vulnerabilities were compromised more than

a year after the Common Vulnerabilities and Exposures report was published, according to Verizon’s

2015 Data Breach Investigations Report. A glaring example of this is that the number one exploit

found still affecting Windows systems in the second half of 2015 is old and long-patched Windows

Shell flaw (CVE-2010-2568), according to Microsoft’s latest Security Intelligence Report. The exploit

was reportedly used in the Stuxnet attacks on Iran’s Natanz nuclear plant to sabotage its uranium

enrichment program in 2010.


The latest patches will keep endpoint devices safe from attacks involving known exploits, but there

is always the possibility of a zero-day exploit being developed; an exploit based on a vulnerability

whose existence is completely unknown to everyone in the world but the attacker. Zero-day

exploits appear to be on the decline, simply because it is far easier for an attacker to succeed using

alternative vectors of attack. However, organizations should deploy security measures that can

detect exploits, in addition to having the latest patches installed.


There are a finite number of techniques employed by attackers (buffer overflows, heap spraying,

unauthorized code execution, etc.), when crafting an exploit, and the best defense is a dedicated

endpoint protection platform capable of detecting these behaviors. A Next-Generation Endpoint

Protection approach dramatically reduces the risk of compromise via exploit, and if it is compliance-

certified, it allows for flexibility in patching cycles as a compensating control.



Given today’s complex and ever-expanding threat landscape, both individuals and IT teams have a

lot to contend with in protecting their respective endpoint devices from attacks. Understanding the

nature of different types of attack vectors and techniques is critical in establishing a robust endpoint

protection strategy. Though malware and exploits are used in combination for both widespread and

targeted attacks, they present distinctly different threat vectors that must be examined individually.

Many organizations take a piecemeal approach to endpoint security, deploying point solutions for

protection against individual vectors of attack. However, a Next-Generation Endpoint Protection

solution leveraging behavior-based threat detection will offer much more comprehensive protection

(with a single endpoint agent and a single management console) against malware, exploits and live/

insider attacks.

See our recent article on Ransomware here: WOULD YOU BUY A PRODUCT THAT ONLY WORKS ONLY 50% OF THE TIME?


Contact Us

Our team is ready and waiting to answer any strange-confusing-complex questions you can throw at them.