There are countless ways for malware to get onto a system, so a single post can't demonstrate every one of them. What I will do is list a few of the methods by which malware commonly ends up on someone's system and gets executed (some more common than others).
One of the most common is still the basic approach of distributing the malware as a download on a website (e.g. a download link, or a direct link to the file hosted on the site itself); the user downloads it and then runs it. You may be thinking at this point, "Why would anyone intentionally download malware and run it?" - and that isn't what is happening. Nine times out of ten the user has been manipulated into believing the download is something it is not, such as a "money hack" for their bank account, a "PSN code generator" for free funds, or a "Facebook account hacker". Attackers know that less knowledgeable people will believe in keygens, game hacks, money hacks and so on, and target them specifically, because anyone trying to download such things is already vulnerable (the tools are always fake, with the exception of a keygen that produces illegal serial keys - and using that is illegal anyway and can land you in legal trouble should the publisher of the software decide to enforce its rights). In my opinion nobody should expect otherwise: the attacker wants to infect people (usually to profit from the malware in some way, e.g. silently stealing online banking credentials so they can empty the account, or selling information about the victim), and the easiest way to do that is to target people who are already vulnerable. If you are searching Google for a tool that will take your PayPal balance from $0 to a million (or increase it by any amount at all), then yes, you are vulnerable to this approach.
Note: the name "Trojan" (from the Trojan Horse) is used for malware that pretends to be something it is not. For example, a sample called "winlogin.exe" carrying the same icon as the genuine "winlogon.exe" is clearly trying to pass for that file (not everyone will spot the difference in the file name, or remember exactly how it is spelt). That sample is therefore classed as a Trojan, since it was trying to look like something it isn't. The real winlogon.exe runs from the Windows System32 directory, so a process with the genuine name running from anywhere else is just as suspicious as a misspelling.
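As an added example (not code from the original post), here is a small triage script that catches both forms of the impersonation just described: a near-miss spelling of a well-known Windows system binary, and the genuine name running from a directory the real binary never uses. The table of genuine names and directories assumes a default Windows install, the similarity threshold is an assumption chosen for the example, and the process list at the bottom is constructed rather than real telemetry.

```python
# Added example, not from the original post: flag running processes whose name
# impersonates a well-known Windows system binary, either by a near-miss spelling
# (winlogin.exe vs winlogon.exe, svch0st.exe vs svchost.exe) or by the exact
# genuine name running from a directory where the real binary never lives.
# The process list at the bottom is constructed; on a real box you would feed in
# tasklist/psutil output instead.
from difflib import SequenceMatcher

# Genuine name -> directory the real binary runs from (assumption: default install).
SYSTEM_PROCESSES = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def _directory(path):
    """Lower-cased parent directory of a Windows path ('' if the path has none)."""
    head, sep, _ = path.lower().rpartition("\\")
    return head if sep else ""


def classify_process(name, path, threshold=0.85):
    """Return a reason string if the process looks like an impersonation, else None."""
    name = name.lower()
    directory = _directory(path)
    if name in SYSTEM_PROCESSES:
        # Exact genuine name: only the location can give it away.
        if directory != SYSTEM_PROCESSES[name]:
            return "genuine name but wrong directory (%s)" % (directory or "unknown")
        return None
    # Not a genuine name: look for a near-miss spelling of one.
    for genuine in SYSTEM_PROCESSES:
        if SequenceMatcher(None, name, genuine).ratio() >= threshold:
            return "name resembles %s" % genuine
    return None


def find_suspicious(processes):
    """Return [(name, path, reason)] for every process classify_process flags."""
    flagged = []
    for proc in processes:
        reason = classify_process(proc["name"], proc["path"])
        if reason:
            flagged.append((proc["name"], proc["path"], reason))
    return flagged


# Constructed sample process list (not real telemetry).
SAMPLE_PROCESSES = [
    {"name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe"},
    {"name": "winlogin.exe", "path": r"C:\Users\Bob\AppData\Roaming\winlogin.exe"},
    {"name": "svchost.exe", "path": r"C:\Users\Bob\AppData\Local\Temp\svchost.exe"},
    {"name": "svch0st.exe", "path": r"C:\Users\Bob\Downloads\svch0st.exe"},
    {"name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for name, path, reason in find_suspicious(SAMPLE_PROCESSES):
        print("%-14s %-55s %s" % (name, path, reason))
```

Only the genuine winlogon.exe and chrome.exe pass; the lookalike names are flagged by the spelling check and the svchost.exe copy in a Temp folder by the directory check. The ratio threshold is deliberately high so that unrelated names such as chrome.exe are not reported.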
Another common route is the attacker taking advantage of an exploit. As we all know, nothing is 100% foolproof, so technically anything can be exploited. If you are using a particular browser and land on the wrong website, a currently unknown vulnerability in the browser (reached through a scripting language such as JavaScript, for example) could be exploited to infect you in some way. It's safe to say that the mainstream browsers today have at least basic protection against zero-day exploits, such as sandboxing and running the page-rendering processes with reduced privileges (e.g. not as administrator), which limits what a remote code execution exploit can do on its own. Google Chrome (built on the open-source Chromium project) is one example of a browser with a sandbox. I'm sure many of us have heard of a "drive-by download": it's the practice of malware being downloaded onto (and run on) the system without consent, via an exploit (a security flaw in the browser being used, for example). To make things worse, it's very common for attackers to compromise genuine, trustworthy websites and plant their own code there to launch an attack like a drive-by download, so that anyone visiting that site can now be compromised too. This is why website security is so important, especially for the big services: if you run a service with hundreds of thousands of visitors a month and an attacker targets your site while you have no proper protection in place, your website can be compromised, and every visitor between the compromise and the clean-up is at risk of being compromised as well.
Another common method of infection is malvertising. If you are unaware of what malvertising is, it's the use of advertisements hosted on a website to push malware in one way or another. If a malicious advertisement is displayed on a page you are visiting, it can attempt to run exploit code (the advertisement is loaded into that page, so it can execute its own scripts, e.g. JavaScript, and through those try to exploit the browser or a plugin and work around the sandbox or other protection the browser provides), or it can simply link to an external page hosting malicious content, which you'll be redirected to once you click it. Malvertising can therefore deliver the same drive-by download attacks described above, and all of this can happen silently, so the user may never realise the advertisement was malicious. Without good monitoring by the website's owners, or someone noticing a pattern of that site's visitors becoming infected, it can be hard to determine the cause of the infection (and which website it came from).
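Both of the last two scenarios (a compromised site with planted code, and a malicious advertisement loaded into an otherwise clean page) leave the same trace in the HTML that is actually served: script or frame content pulled from hosts the site owner never chose, and often an iframe styled so nobody sees it. The scanner below is an added example, not code from the original post, and is the kind of check a site owner could run against their own pages to spot that. It assumes the owner can list their first-party hosts; the page and the hostnames in it are constructed for the example (reserved documentation names and a documentation IP, not real sites).

```python
# Added example, not from the original post: a triage scanner for a web page that
# may have been tampered with, either by a site compromise or by a malicious
# advertisement. It lists every <script>/<iframe> loaded from a host outside the
# site's own first-party hosts, and flags iframes styled to be invisible, which is
# the classic shape of an injected drive-by redirect. The page below is constructed
# for the example; the hosts in it are reserved documentation names, not real sites.
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_first_party(host, first_party_hosts):
    host = host.lower()
    return any(host == fp or host.endswith("." + fp) for fp in first_party_hosts)


def _looks_hidden(attrs):
    """True for the usual tricks that keep an iframe out of sight."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # 0/1 pixel frames are effectively invisible too.
    return attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")


class InjectionScanner(HTMLParser):
    def __init__(self, first_party_hosts):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []  # dicts with keys: tag, src, reasons

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        reasons = []
        host = urlparse(src).hostname if src else None  # None for inline/relative
        if host and not _is_first_party(host, self.first_party):
            reasons.append("loaded from third-party host %s" % host)
        if tag == "iframe" and _looks_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_page(html, first_party_hosts):
    """Return the list of suspicious script/iframe elements found in html."""
    scanner = InjectionScanner(first_party_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: the site's own scripts, an ad-network tag, and an injected
# invisible frame pointing at a bare IP (a common sign of a planted exploit kit).
SAMPLE_PAGE = """
<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="https://tag.adnetwork-example.test/tag.js"></script>
<div>Article text...</div>
<iframe src="http://203.0.113.10/in.php" width="1" height="1" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, ["example.org"]):
        print(finding["tag"], finding["src"], "; ".join(finding["reasons"]))
```

The output is a review list, not a verdict: the ad-network tag may be perfectly legitimate (it is exactly what a site owner agreed to host), while the hidden one-pixel frame to a bare IP address is the finding worth investigating first. Comparing the result against a scan of a known-good copy of the page is the quickest way to see what changed.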
To expand on the most recent method mentioned above (malvertising), I will briefly talk about websites making deals with third parties for advertisement hosting. Let's pretend there is a man called John and a woman called Jessie. John owns a really popular social media website, whereas Jessie runs a start-up and wishes to pay John a fixed sum to have advertisements for her service hosted on John's social network for a certain length of time. John accepts the deal without doing proper checks or following good guidelines, and is tricked: Jessie has malicious intentions, and once the deal is in place she sets up an advertisement which looks genuine and uses it to compromise John's site, and with it all the visitors on the page where the advertisement is displayed. In the end John discovers that his social network was compromised and attempts to repair the damage and end the deal, but it's too late, since many people have already been infected (including himself and his own workplace). John tries to press charges and get the matter resolved through the law, only to find that Jessie was a fake identity rather than a real person: someone else operating through untraceable methods and a fake identity, which he fell for.
The above is just an example of something that could technically happen and may be rare, but malvertising is a big problem and a very frequent attack carried out by attackers.
I cannot stress enough that YOU as the user are the most important factor when it comes to decision making, and that goes for everything you do on your system (everything involving internet usage, at least). To sum things up a bit:
- When you are searching with a search engine like Google, don't just assume that every result shown is safe and that there isn't someone with malicious intent behind the website.
- When you download a program, make sure the download comes from the official publisher, and if you are unsure whether it is clean, run it through an online scanning/sandboxing service (e.g. VirusTotal, Malwr) before you execute it.
- When you are speaking with friends or on a trusted forum, don't just believe that any link sent to you is 100% safe. It's quite common for people to have their accounts hacked so that malicious links can be spread from them (and so appear to come from a trustworthy, reputable person), and the same goes for online chat services (e.g. Skype: your friend may be hacked and their account used to send you links, counting on you to click them because you believe they come from a trusted person). If something seems suspicious, ask the person through another channel whether they actually sent you that file/link.
- Keep your OS updated, since updates patch security flaws in the OS itself and reduce the chance of infection: some attacks rely on a specific flaw in the OS, so once you have installed the patch for it you are protected against that specific attack.
- Keep all other software on the system up to date and remove any software you do not use, to prevent third-party software from being exploited; less software on the system means fewer vulnerabilities available for an attacker to exploit. You can even use a tool to auto-update everything for you (e.g. Kaspersky Software Updater).
- Use an ad-blocker to help protect yourself against malvertising. Most popular ad-blockers/extensions don't just block requests based on a list of advertising networks and malicious hosts; they also inject their own code into the web page to find and hide specific elements (e.g. scanning for the elements that make up an advertisement and removing them). An example of a good ad-blocking application is Adguard, and for extensions I would recommend uBlock.
- Work with software like Anti-Exploit/Anti-Exe, and if you need it, Anti-Virus. If you really know what you are doing you can get away with using nothing at all, but it's always better to use Anti-Exe/Anti-Exploit, and there's nothing wrong with having some form of real-time protection from an AV product as well. You can also use an anti-malware product on demand, case by case, but most of the time Anti-Exe and Anti-Exploit will have your back (given that you know what you're doing).
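To make the ad-blocker point above concrete, here is an added example (not code from the original post, and not the code of any real ad-blocker) of the two mechanisms described: host-based blocking of requests, and cosmetic hiding of page elements. The rule syntax mirrors the `||host^` and `domain##selector` forms used by common filter lists, but the engine is a toy that handles only those two forms; the filter list and the hostnames in it are constructed for the example.

```python
# Added example, not from the original post: a toy version of the two things an
# ad-blocker does. Network rules of the form ||host^ block any request to that
# host or its subdomains, and cosmetic rules of the form ##selector or
# domain##selector turn into CSS injected into the page to hide matching elements.
# The filter list below is constructed for the example; the hosts are not real.
from urllib.parse import urlparse

FILTER_LIST = """
! constructed sample filter list (lines starting with ! are comments)
||tracker-example.test^
||adnetwork-example.test^
##.ad-banner
##div[id^="sponsored-"]
example.org###sidebar-promo
"""


def parse_filters(text):
    """Split a filter list into (network_hosts, cosmetic_rules)."""
    network, cosmetic = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        if "##" in line:
            domains, selector = line.split("##", 1)
            # An empty domain part means the rule applies on every site.
            scope = [d.lower() for d in domains.split(",") if d] if domains else []
            cosmetic.append((scope, selector))
        elif line.startswith("||") and line.endswith("^"):
            network.append(line[2:-1].lower())
    return network, cosmetic


def _host_matches(host, rule_host):
    return host == rule_host or host.endswith("." + rule_host)


def is_blocked(url, network_hosts):
    """True if the request's host (or a parent domain of it) is on the block list."""
    host = (urlparse(url).hostname or "").lower()
    return any(_host_matches(host, rule) for rule in network_hosts)


def cosmetic_css(page_host, cosmetic_rules):
    """CSS to inject into a page served from page_host to hide matching elements."""
    page_host = page_host.lower()
    selectors = [sel for scope, sel in cosmetic_rules
                 if not scope or any(_host_matches(page_host, d) for d in scope)]
    if not selectors:
        return ""
    return ", ".join(selectors) + " { display: none !important; }"


NETWORK_HOSTS, COSMETIC_RULES = parse_filters(FILTER_LIST)

if __name__ == "__main__":
    for url in ("https://ads.tracker-example.test/pixel.gif", "https://cdn.example.org/lib.js"):
        print(url, "BLOCKED" if is_blocked(url, NETWORK_HOSTS) else "allowed")
    print(cosmetic_css("news.example.org", COSMETIC_RULES))
```

The network check is what stops a malicious advertisement's script from ever being fetched, which is the part that matters against malvertising; the cosmetic CSS only hides what has already loaded, so it is a cosmetic fix in the literal sense and not a security control on its own.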
The list of things to watch out for could literally go on forever.
Good luck and stay safe online!