Malware, short for "malicious software," is software that is used to harm computer users. It works in many different ways including, but not limited to, disrupting computer operation, gathering sensitive information, impersonating a user to send spam or fake messages, or gaining access to private computer systems. The majority of malware is criminal and is most often used to obtain banking information or login credentials for email or social media accounts. Malware is also used by governments, law enforcement agencies, and even private citizens to circumvent encryption and to spy on users. Malware has wide-range capabilities; it may allow an attacker to record from a webcam and microphone, disable the notification setting for certain anti-virus programs, record keystrokes, copy emails and other documents, steal passwords, and more.
EFF recommends that you use anti-virus software on your computer and your smartphone, though we cannot recommend any particular anti-virus products as being superior to others. Anti-virus software can be quite effective at combatting cheap, “non targeted” malware that might be used by criminals against hundreds of targets. However anti-virus software is usually ineffective against targeted attacks, such as the ones used by Chinese government hackers to compromise the New York Times.
Indicator of Compromise
When it is not possible to detect malware using anti-virus software, it is still sometimes possible to find indicators of compromise. For example, Google will sometimes give a warning to Gmail users stating that it believes your account has been targeted by state-sponsored attackers. Additionally, you may notice a light indicating that your webcam is turned on when you have not activated it yourself (though advanced malware may be able to turn this off)—this could be another indicator of compromise. Other indicators are less obvious; you may notice your email is being accessed from an unfamiliar IP address or that your settings have been altered to send copies of all of your email to an unfamiliar email address. If you have the ability to monitor your network traffic, the timing and volume of that traffic might indicate a compromise. Another red flag would be that you might notice your computer connecting to a known Command and Control server—the computers that send commands to machines infected with malware or which receive data from infected machines.
How can Attackers use Malware to Target me?
The best way to deal with a malware attack is to avoid getting infected in the first place. This can be a difficult feat if your adversary has access to zero day attacks—attacks that exploit a previously-unknown vulnerability in a computer application. Think of your computer as a fortress; a zero day would be a hidden secret entrance that you do not know about, but which an attacker has discovered. You cannot protect yourself against a secret entrance you don’t even know exists. Governments and law enforcement agencies stockpile zero day exploits for use in targeted malware attacks. Criminals and other actors may also have access to zero day exploits that they may use to covertly install malware on your computer. But zero day exploits are expensive to buy and costly to re-use (once you use the secret tunnel to break into the fortress, it increases the chances that other people may find it). It is much more common for an attacker to trick you into installing the malware yourself.
There are many ways in which an attacker might try to trick you into installing malware on your computer. They may disguise the payload as a link to a website, a document, PDF, or even a program designed to help secure your computer. You may be targeted via email (which may look as if it’s coming from someone you know), via a message on Skype or Twitter, or even via a link posted to your Facebook page. The more targeted the attack, the more care the attacker will take in making it tempting for you to download the malware.
For example, in Syria, pro-Assad hackers targeted members of the opposition with malware hidden in fake revolutionary documents and a fake anti-hacking tool. Iranians have been targeted using malware hidden in a popular censorship-circumvention program. And in Morocco, activists were targeted with malware hidden in a document made to look as if it had been sent by an Al-Jazeera reporter, promising information about a political scandal.
The best way to avoid being infected with this kind of targeted malware is to avoid opening the documents and installing the malware in the first place. People with more computer and technical expertise will have somewhat better instincts about what might be malware and what might not be, but well-targeted attacks can be very convincing. If you are using Gmail, opening suspicious attachments in Google Drive rather than downloading them may protect your computer from infection. Using a less common computing platform, like Ubuntu or ChromeOS, significantly improves your odds against many malware delivery tricks, but will not protect against the most sophisticated adversaries.
Another thing you can do to protect your computer against malware is to always make sure you are running the latest version of your software and downloading the latest security patches. As new vulnerabilities are discovered in software, companies can fix those problems and offer that fix as a software update, but you will not reap the benefits of their work unless you install the update on your computer. It is a common belief that if you are running an unregistered copy of Windows, you cannot or should not accept security updates. This is not true.
What Should I do if I Find Malware on my Computer?
If you do find malware on your computer, unplug your computer from the Internet and stop using it immediately. Every keystroke you make may be being sent to an attacker. You may wish to take your computer to a security expert, who may be able to discover more details about the malware. If you’ve found the malware, removing it does not guarantee the security of your computer. Some malware gives the attacker the ability to execute arbitrary code on the infected computer—and there is no guarantee that the attacker has not installed additional malicious software while in control of your machine.
Log into a computer you believe is safe and change your passwords; every password that you typed on your computer while it was infected should now be considered to be compromised.
You may wish to reinstall the operating system on your computer in order to remove the malware. This will remove most malware, but some especially sophisticated malware may persist. If you have some idea of when your computer was infected, you may reinstall files from before that date. Reinstalling files from after the date of infection may re-infect your computer.