Ah yes, the question on every tech newbie’s mind: What is malware?
The short answer: malware is software designed to either disable or damage your computer in some way. It’s a portmanteau of the words malicious and software. But when we ask, What is malware? I actually think that’s not what we’re asking.
I think truly what we’re asking is Do I have to worry about malware? And if the answer is yes, then the immediate follow up question is, In what ways should I be worried about malware? Or perhaps, What can I actually do about malware? How can I prevent its installation?
I hate to say it, but in this modern era where much of our lives are lived digitally, the answer to the overarching question is yes. No matter what sort of computer or device you’re operating, someone, somewhere, has written malware for it.
Do I *really* have to worry about malware? Even if I have a Mac?
Yes. You do.
Even if you have a Mac. Listen, it used to be true that there wasn’t really a lot of malware written for a Mac, and to some extent that’s still a little bit true. When someone wants to hit the most computers the quickest, Windows is easier to infiltrate (because a lot of Apple’s stuff is proprietary and comes from the App Store, so it’s harder to trick a user), and it still has the largest market share (so if a hacker’s going to put the work in, they’re going to make it compatible with most machines), especially in professional contexts.
But as the internet grows and changes, that statement becomes less and less true. If you want to see exactly how much Mac malware is out there, Objective-See has a sample library (DON’T DOWNLOAD ANYTHING JUST LOOK!). It’s time to face the music: we live in a world where even your fridge can get malware. Your Mac can get it too. Your phone? Yup. You have to worry about it, you have to watch for it, on all your devices.
Different types of malware
There are so many lists out there categorizing different types of malware — and people are both nasty and inventive, so the lists, no matter how many there are, will never be exhaustive. There’s always a better hacker, a better programmer, someone who’s meaner, more expert, and better at not getting caught than anyone ever before. So while I want to focus on what each of these types is for, I also want to touch on why someone might write them. Because those answers are going to be far more consistent, and might help you develop the type of behavior that will prevent the installation of malware on your computer.
If you haven’t yet heard the Greek myth of the Trojan horse, buckle up! The Greek soldiers wanted to take Troy, but Troy was well-defended and their military was well-trained. So rather than tackle it head on, the Greeks built a large horse, hollow on the inside, and hid a bunch of soldiers inside it.
Then they gave the likeness to Troy and said something like, Hey, sorry we thought we could come and take over, here’s a peace offering! We’re leaving now! And then the remaining troops left and Troy was like, Hey, cool horse! So they took the horse inside the walls and partied super hard. In the middle of night, when the Trojan soldiers were sleeping off their drunkenness, the Greeks popped out and attacked. It was, as the myth goes, super effective.
The Trojan horse malware behaves much in the same way. It comes disguised as something you want, sometimes even packaged with legitimate software from a legitimate website or company that’s been compromised by a hacker. You download it and install it yourself. Then, once it’s on your device, it creates backdoors to allow a hacker in, or to allow other malware to be installed. People make this kind of software to introduce other software into your machine without having to do much heavy lifting at all. After all, you downloaded this yourself.
A computer virus is named after, you know, a real-life-body virus. Which means it behaves in pretty much the same way. It attaches itself to otherwise normal files and damages them or corrupts them, and then that file infects other files and so on and so forth. Someone programs a virus to damage a computer. They might do it because they don’t like you or your business and they want to destroy your data and your machine; they might also do it because they like to create havoc, or for the lulz. If you’re getting strange errors, or if your computer is running slower than normal, you might have a virus.
I feel like “worm” is what folks who are making up fiction about hackers like to use when they can’t explain how a hacker has done something, because sometimes it feels like worms can do anything, be anywhere. That’s because unlike a virus, which infects one computer, worms are built to infect networks of computers — as in, computers connected to each other or to a server or to the internet. Rather than treating files like cells, it treats individual computers like cells. A worm uses each infected machine to infect more machines on the network. It replicates itself, rather than needing to attach to files. If all of a sudden you have no hard drive space, you might have a worm.
The whys of a worm are many. Like a Trojan, it can also put other things on your machine or make a backdoor for a hacker to enter. Like a virus, it can also corrupt files and cause chaos by modifying or deleting files. It can also just replicate itself over and over and over again, which can bring down a network. It can even send data back to someone who wants to steal it. Or it can be used to form botnets.
A lot of lists consider botnets their own form of malware, but honestly a botnet is the result of malware, in my opinion. It’s more of a why. Computers can work together to accomplish things that need a lot of computing power — that’s a legit thing that can happen. For instance, SETI at Berkeley uses volunteers’ computers to search for extra-terrestrial life. Botnets in this context aren’t about volunteers, though. Hackers take over computers or, get this, anything with any computing power at all (like smart fridges and such) and use that computing power to accomplish large tasks by commanding all the devices as one sort of army. Those large tasks might include hacking a very secure network with brute force or they might include using the machine army to mine a cryptocurrency and make a bunch of money.
Those tasks might also include conducting a DDoS (distributed denial of service) attack. Essentially that’s making a website or webapp too busy responding to bullshit queries to function normally, and if it’s too overloaded it might shut down. As of now, people do this to silence voices they don’t like and harm competing businesses (and, as always, for the lulz). I can see a world where, as we do more and more essential governmental and infrastructural things online, this could be regularly weaponized against entire nations and cause havoc in the name of digital warfare. (Nope, I’m not scared and paranoid, no siree.) The most famous of botnets is the Mirai IoT (Internet of Things) Botnet, which is sort of fascinating to read about. I’ve put botnets under worms because they are often the result of worms; Mirai was a worm.
Unlike a worm, ransomware has an extremely specific purpose—to encrypt your machine or a portion of a machine and lock you out of it. The way you get it back? Pay the person who did it to you, of course! And if this person is using cryptocurrency, which they almost certainly are, then they can be extremely hard to track down and catch. A person makes ransomware to make you give them money. And then they might still delete your stuff.
Like ransomware, spyware has a purpose that is specific and easy to guess. Spyware keeps track of what you’re doing on your computer (or, using your computer’s microphone or web cam, what you’re doing in your house). This category includes keystroke loggers that can steal your credit card numbers and passwords as you type them in. A person makes spyware to get sensitive information from you that they can then use to blackmail you or steal your identity or charge large weird purchases to your credit cards.
A word to the wise: there is a recent scam that pretends to have installed spyware on your machine. I’ve seen the email myself — it’s a form email that includes one of your usernames and passwords in the subject line or in the first paragraph, and it claims to have footage of you doing sexual things in front of your computer, recorded with your webcam. This is lies. I mean, it’s possible to do! But this particular scam is lies. You can tell it’s a form because it doesn’t list specifics, only the username and password to make it believable. All this means is that you’ve been pwned. What does this mean? Pwned means that a company you use was hacked and the usernames and passwords for some portion of its user base were leaked in a huge “dump.” Check on this by going to Have I Been Pwned? and typing in your email address. It will let you know if your email is listed in one of the large data dumps, and even which one it wound up in. Change your passwords if you’ve been pwned, and don’t use repeat passwords.
Unlike ransomware and spyware, wipers don’t want anything from you. What they do is completely erase all the data off a machine without any warning. Usually people use a wiper after they’ve compromised a machine and want to make sure you don’t know what they took or what they did.
Some folks will argue that adware isn’t malicious, that being advertised to relentlessly is the price of admission when we live under late capitalism. While that second thing may be true, the first one certainly isn’t. I argue that adware is malicious, especially when it does more than serve you random pop-ups (though some do only do that). It’s invasive and terrifying, especially when you consider that in some places on this planet, you can get fired or punished or jailed or killed for things like disagreeing with a dictator or being gay or being an ethnic or racial minority. What does that have to do with ads, you ask? To effectively advertise to people, some adware takes a look at what you search for, what you click on, your general behavior online (yes, exactly like spyware does) and then it categorizes you. When that category exists, that can be dangerous for some people. Do me a favor: listen to this episode of Reply All and then go see what kind of person Facebook thinks you are. Then tell me if adware doesn’t feel malicious.
How to prevent the installation of malware
I almost hate to even do this, because I think it sounds like victim blaming. So I’ll start by saying this: The number one way to prevent malware is to not install malware. Don’t be the person that does this to other people. And don’t fall for the idea that some of this software can be used for “legitimate reasons.” It can’t be; don’t track what your children are doing on their computer with a key logger, for instance. That is also bad. Don’t be the company that uses adware — make a good product and engage with the wider world in honest ways.
Now I’ll follow it up with this: being a hacker isn’t about knowing how to crack someone’s password using code or computing power. Being a hacker is about social engineering. Often when someone is looking to hack, they don’t start by compromising a computer, they start by compromising a person. Being able to spot some of the ways hackers try to do that can be a good first line of defense. I want to reiterate that it’s possible to do all this stuff right and still wind up with malware on your computer. Try not to be too hard on yourself if and when it happens.
Don’t fall for phishing
This is a hilarious statement; everyone falls for phishing. I’ve fallen for a phishing attempt, twice that I know of. Basically, approach this bullet point with the idea that, at some point, you will fall for a phishing scam. It will happen.
Watch, however, for emails designed to scare you. Once I fell for a phishing attempt because the email looked like it was coming from my job and it had DISCIPLINARY ACTION written in big capital letters in the subject line. Also watch for emails that come from your superiors at work or people you admire in life. If they fell for a phishing scam, a smart hacker will use their access to that particular email address to infect others. Check to make sure the domain name is actually what you expect, and that there isn’t a letter replaced with a number or some other such eye-trick. If the email is *definitely* from your boss or IT department or that famous writer you met one time (raises hand) and the instructions seem off, just give that person a text or a call to confirm what they’re asking you to download or log in to.
If you get phished, don’t panic! Change your password right away, and make sure your password isn’t repeated anywhere else. See software solutions below for something to help you manage a unique password for every single digital thing you’ve got.
Turn on two-factor authentication
Wherever possible, turn on two-factor authentication. That way if someone does get your passwords, you’ve got a double layer of protection — the company will text or call you to confirm a log-in. This is less about preventing the installation of malware on your own machine, and more about keeping your identity and email address from being used to trick other people.
Get skeptical about pop-ups
Every time the internet serves you a pop-up that says something like “Adobe Flash Needs to be Updated!” or really any other pop-up that asks you to download anything, approach it with some skepticism even if it seems like normal behavior. Check the URL to make sure you see what you expect (and not, in the case of this example, ad0be.com). If you’re even a bit unsure, Google the update and download it directly from the provider’s website. I do this every single time a browser pop-up tells me I need to update something.
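The domain check described under “Don’t fall for phishing” and in the pop-up advice above, as an added example (not code from the original post): it flags names such as ad0be.com that differ from an expected domain only by a digit-for-letter swap, a one-character change, or by putting the real name in front of someone else’s domain. The allow-list, the swap table and the function names are assumptions made for the illustration, and treating the last two labels as the base domain is a simplification.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this reader actually expects to download from.
TRUSTED = ("1password.com", "adobe.com", "backblaze.com")

# Digit-for-letter swaps often used to fake a name (the page's ad0be.com case).
SWAPS = str.maketrans("013457", "oleast")


def host_of(url):
    """Return the lower-cased host name from a URL or a bare 'name/path' string."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def base_domain(host):
    """Simplification: treat the last two labels as the registered domain."""
    return ".".join(host.split(".")[-2:])


def skeleton(name):
    """Fold look-alike characters so 'ad0be' and 'adobe' compare equal."""
    return name.translate(SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, kept small and dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED):
    """Return 'expected', 'lookalike of <domain>' or 'unknown' for a link."""
    host = host_of(url)
    base = base_domain(host)
    if base in trusted:
        return "expected"
    for good in trusted:
        # Swapped or single-character-off spelling of a trusted name.
        if edit_distance(skeleton(base), skeleton(good)) <= 1:
            return "lookalike of " + good
        # Trusted name used as a subdomain of somebody else's domain.
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike of " + good
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.adobe.com/downloads",        # constructed samples
                 "https://ad0be.com/flash-update",
                 "http://adobe.com.updates.example/setup.exe",
                 "https://example.org/news"):
        print(f"{link:45} {classify(link)}")
```

An “unknown” verdict only means the name does not resemble anything on the list; it says nothing about whether the site is safe.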
Beware mystery physical media
People legitimately leave behind malware-infested USB sticks in public places, hoping you’ll plug one into your machine, either because you want to see whose it is and try to return it, or you want to repurpose that piece of equipment for yourself. Don’t do that! In fact, purchase your physical media from places you trust and never use something you find. And don’t share with random folks, either. This goes for plugging your phone into USB charging ports in public, too. Use an adapter and plug it into a regular ole electrical socket.
Back up your stuff
So what if someone installs ransomware on your computer and locks down all your stuff? If you’ve backed up your stuff elsewhere, you’re golden. You can wipe your computer yourself and feel NOTHING because you are BACKED UP. No? You’re not? You and everyone else; I always tell people it takes one time. One time losing all your stuff. Or — and just hear me out, here — you can imagine what that would be like right now instead of actually experiencing it and decide it’s worth it to back up your things. I recommend always having two copies: one on a physical external hard drive, and one using a remote backup service in case your house floods or burns down or something. Grab a Western Digital My Passport Hard Drive and back up everything once weekly at the very least.
Software that can protect you from malware
You can also install some software on your machine to give you a boost in your brand-new life that explicitly takes into account and avoids malware. Once again, you can have all of this software and still wind up with malware on your computer. But it does help! It at least makes it more difficult for someone to do, and less likely that malware on your device will go unnoticed.
“Never repeat passwords” is advice frequently given, but did you know that using a password generator also means key loggers can’t see your username and password because you don’t type them in? LastPass is an excellent password manager and generator. When you think of your master password, use a passphrase instead: type out a full sentence. It’s harder to crack with brute force and easier to remember for you.
1Password is basically the Tesla of password managers. Since LastPass is free, it can get a little crunchy (I almost lost my whole library once because I changed my passphrase and then forgot it). 1Password is far, far fancier, and if you want a little more customer support in the mix, it might be worth it. It’s available for Mac, PC, Android and iOS, and it’s $3 per month for a single user or $5 per month for a family of five.
Avast makes a whole host of security products for Mac, PC, Androids, iOS devices, and all those things that are connected to the internet in your smart home. I personally use their free essential security for Mac, but there are a whole host of products dependent on what you need. If you’re an individual Windows user, for instance, a year of their premier costs $35. If you’re protecting business machines, it’s $48 per year for one device for their Antivirus Pro Plus.
Back up your stuff! Do it! I love web apps like Backblaze. They backup incrementally, so you never have to remember to do it and you can restore from a backup literally right before this all happened. You can even save time by asking them to send you a hard drive with all your stuff on it, should you not want to download it all via the internet (that takes one million years). You can back up your personal Mac or PC for just $5 monthly.
Ghostery is a browser extension that helps you disable trackers on websites you’re visiting. It’s free and it works with a ton of browsers. They also make a whole privacy browser for Androids and iPhones. If you got scared by that Reply All episode (I did), this is the software that they recommend you use.
If you’ve got a Mac and spyware really freaked you out, OverSight notifies you every time your microphone and your camera turn on — and it’s completely free. In fact, if you’ve got a little tech knowledge, Objective-See has a whole host of programs to secure a Mac. And yes. You do need to do that (see literally right below, the next heading, just go there, trust me).
Protect the herd
Listen: It’s not just about you. You may have picked up on it, but once your computer has been hacked or infected, it can be an aid to taking over someone else’s machine, too. Concerning yourself with malware and preventing its installation is like vaccinating a population against disease. Sure, something is going to come along that the vaccine doesn’t prevent. But if we immunize the herd, make it harder to spread a worm rapidly, create a culture where digital health is prioritized, we can potentially prevent widespread disaster (like that Mirai botnet situation). We can at least eliminate the low-hanging fruit.
And yes, the best prevention technique out there is to not perpetrate this stuff, that’s still true. So that’s what I want to end on. Don’t do this to other human people; create the internet we want to see in this world by making kinder decisions, even when the distance between personhood and digital life feels vast. That distance is a myth. This is our real life, even if it’s cyberspace. Treat it with respect.