Malware
Malware is software or firmware intended to perform unauthorized processes that adversely affect the confidentiality, integrity, or availability of an information system, encompassing viruses, worms, Trojan horses, spyware, ransomware, rootkits, and adware.
What Is Malware?
Malware is software or firmware intended to perform unauthorized processes that have an adverse impact on the confidentiality, integrity, or availability of an information system. The term is a contraction of "malicious software" and encompasses any code whose purpose is to damage, disrupt, or gain unauthorized access to computing systems and the data they hold. According to the NIST Computer Security Resource Center glossary, malware includes viruses, worms, Trojan horses, spyware, ransomware, rootkits, and certain forms of adware. These categories share the defining attribute of covert or unauthorized execution but differ substantially in how they propagate, what they do once installed, and how difficult they are to detect and remove.
Malware has been a persistent threat since the early days of networked computing. The first self-replicating programs were demonstrated in research settings in the 1980s, and the Internet worm released by Robert Morris in 1988 was among the earliest widely publicized incidents of network-propagating malicious code. Since then, both the sophistication of malware and the economic value of the attacks it enables have grown substantially, with malware now underpinning ransomware extortion campaigns, nation-state cyber espionage operations, and large-scale data theft.
Types and Classification
The principal categories of malware are distinguished by their propagation mechanisms and primary effects. A virus attaches itself to a legitimate executable or document file and requires user action to spread; running the infected file causes the virus to copy itself to other files on the same or connected systems. A worm propagates autonomously across networks by exploiting vulnerabilities in networked services, without requiring user interaction or an infected host file. A Trojan horse presents itself as a legitimate application while executing hidden malicious functions, often installing a backdoor or downloading additional payloads.
Ransomware encrypts files or locks systems and demands payment for restoration, a category that has grown from isolated nuisance attacks to a major threat to hospitals, critical infrastructure, and government agencies. The NIST IR 8374 Ransomware Risk Management profile provides a cybersecurity framework for assessing and reducing ransomware exposure, covering backup strategies, access controls, and incident response procedures. Spyware and rootkits operate covertly over longer periods, collecting credentials, keystrokes, or sensitive data while evading detection by disabling or subverting system security tools.
Delivery Mechanisms
Malware reaches target systems through several delivery vectors. Phishing emails carrying malicious attachments or links to exploit kits remain the most common initial access method, taking advantage of users clicking on apparently legitimate messages. Drive-by download attacks place exploit code on compromised websites; visiting the site with an unpatched browser executes the exploit and installs a payload without any explicit user action. Supply chain attacks compromise software updates or third-party libraries so that malware is delivered through channels users implicitly trust.
Advanced persistent threat (APT) campaigns, frequently associated with state-sponsored cyber espionage, combine multiple delivery techniques with long dwell times and careful operational security. These campaigns target government, defense, and critical infrastructure networks and rely on custom malware designed to avoid signature-based detection. The NIST SP 800-83 Rev. 1 Guide to Malware Incident Prevention and Handling addresses technical controls and organizational practices for reducing vulnerability to the full spectrum of malware delivery methods.
Detection and Defense
Anti-virus and endpoint protection platforms detect malware through signature matching against known malware samples, heuristic analysis of suspicious code patterns, and behavioral monitoring that flags anomalous process activity at runtime. Network-level controls including intrusion detection systems, email filtering, and web proxies block known malicious traffic before it reaches endpoints. Defense in depth principles, combining these layers with regular patching, least-privilege access controls, and user awareness training, reduce both the probability of successful delivery and the impact of infections that do occur.
Applications
Malware research and defense has applications in a range of fields, including:
- Critical infrastructure protection, including power grids, water systems, and industrial control networks
- National security and intelligence, where malware is a tool of cyber espionage and offensive cyber operations
- Financial services, where malware targeting banking credentials and transaction systems drives significant fraud losses
- Healthcare, where ransomware attacks on hospital systems directly threaten patient safety
- Consumer and enterprise endpoint security product development