According to Mandiant’s M-Trends report for 2024, exploits were the top initial infection vector in 2023, used in 38% of attacks, followed by phishing (17%), prior compromise (15%), stolen credentials (10%), and brute force (6%) to round out the top 5.

How malware spreads

You’ve probably heard the words virus, trojan, and worm used interchangeably. In fact, the terms describe three different kinds of malware, which are distinguished from each other by the process by which they reproduce and spread.

• A worm is a standalone piece of malicious software that reproduces itself and spreads from computer to computer. Worms’ creators build in knowledge of operating system vulnerabilities, and a worm program seeks these out on computers that it can reach from wherever it’s running and makes copies of itself on those insecure machines. Some of the very first worms were designed to copy themselves to floppy disks and other removable media, then copy themselves again when that disk was inserted into a new computer, but today most worms scan for vulnerable computers connected to their host via a corporate network or the internet.
• A virus is a piece of computer code that inserts itself within the code of another standalone program, then forces that program to take malicious action and spread itself. The infected program propagates itself in some of the same ways that a worm does, by searching for vulnerabilities on other computers it can reach via the internet or a local network. But the virus code is lurking inside programs that look legitimate, so there are other vectors by which it could it spread: if a hacker can infect an application at the source, an application that includes virus code could be available for download from open source repositories, app stores, or even the software maker’s own servers.
• A trojan is a program that cannot activate itself but masquerades as something the user wants and tricks them into opening it via social engineering techniques. Often trojans arrive as email attachments with names like “salary.xls” or “resume.doc”, with the malicious code lurking as a Microsoft Office macro. Once it’s running, one of its first jobs is to propagate itself, so it might hijack your email client and send out more copies of itself to potential victims.

Malware can also be installed on a computer “manually” by the attackers themselves, either by gaining physical access to the computer or using privilege escalation to gain remote administrator access.

How attackers hide malware

Why do cybercriminals use malware?

While some attackers might create malware as an intellectual exercise or for the thrill of destruction, most are motivated by financial gain. They could be looking for banking passwords or access to secrets they can sell or exploit, or they also could be looking to gain control of your computer and use it as a launching pad for a DDoS attack.

Once malware is executing on your computer, it can do a number of things, ranging from simply making it unusable to taking control out of your hands and putting your remote attacker in charge. Malware can also send back information about sensitive data to its creators.

Malware can also be part of a politically motivated attack. Hactivists might use malware in their campaigns against companies or governments, and state-sponsored hackers create malware as well. In fact, two high-profile malware waves were almost certainly started by national intelligence services: Stuxnet was created by the U.S. and Israel to sabotage Iran’s nuclear program, while NotPetya may have begun as a Russian cyberattack on Ukrainian computers that quickly spread beyond its intended targets (including back into Russia).