how does malware get going on a person's PC?

shmu26 (Thread author)
If I get a download, wanted or unwanted, it won't execute unless I click on it, right?
And even if a document has hidden code in it, Adobe PDF Reader and MS Office apps will normally ask before executing the code.

So if you keep your browser and your apps nice and updated, you try to stay away from Java and Flash, and you check out your downloads before executing them, what is there to go wrong?

Probably a very dumb question, but better to ask late than never...
 

Omnipotent

Yes, the only way to get infected is if you execute the file. To prevent this from happening disable 'Hide extensions for known file types' in Folder Options and always keep Flash & Java updated as some malware can download onto your PC without your consent through websites/e-mails. Always scan unrecognized files on VirusTotal and have SmartScreen enabled. Get a good adblocker and set flash player to click-to-play in your browser. I'm sure you already know about this though.
 

Atlas147
Usually there are sites infected with exploits, or sites that have drive-by downloads which execute programmes or code just by your being on the site. This is usually where the user gets infected without actually running a programme or actively clicking.
 

shmu26 (Thread author)
Atlas147 said:
Usually there are sites infected with exploits, or sites that have drive-by downloads which execute programmes or code just by your being on the site. This is usually where the user gets infected without actually running a programme or actively clicking.
If I understand correctly, you need to have an unpatched vulnerability in your browser and/or software for this to happen.
 

Cohen
Yes, the vast majority of the time you have to execute a malicious file for it to infect you.
For the most part, if you have a decent security software, keep your software up-to-date, and you use common sense online, you should be safe.
There are, however, exceptions to this as Hanmin pointed out.
 

LabZero

It is not always necessary to start a .exe file to infect the PC, and it is not enough to update the browser and OS or to avoid some plugins.

If you think of JavaScript malware present in malvertising ads or pages, it is usually executed in the browser sandbox, which does not allow it to access files located outside of the permitted folders. But if you consider Ransom32, for example, it runs under the NW.js framework, which allows for greater interaction with the operating system, "escaping" from the sandbox in which scripts are usually blocked from running.
In this case the .js mal-code is automatically executed without user interaction.

Furthermore, if we consider the client/server communication system: the node.js framework is JavaScript, for example, but it runs in part on the server, and it allows the client to send a request to a script on the server and get a response without reloading the page.

Malware loop cycle.
 

shmu26 (Thread author)
Based on the answers here, most of the time it would be enough to have anti-exploit protection for the browser, or alternatively, disable Windows Script Host, so JavaScript can't run.
You only need real system protection when you are installing unknown software and during the subsequent reboot.
So why not turn off the AV until the next time you want to make a risky install?
 

Wave

There are numerous ways for malware to infect a system, and for this reason not every single way of this occurring can be demonstrated within a post; however, I will list a few methods of how malware can get onto someone's system and infect it (some more common than others).

One of the most common ways of someone becoming infected is the standard approach of someone distributing malware via a download on a website (e.g. via a link to download, or a direct download link to the malware being hosted within that site itself), and then the user proceeds to download this malware and then executes it on the system. You may be thinking to yourself at this point, "Why would anyone intentionally download malware and run it?" - at the end of the day this is not what is happening; 9/10 times the user is being manipulated to believe that the download is actually something which it is not, such as a "money hack" for their bank account or a "PSN code generator" for free funds, or even something like a "Facebook account hacker". Attackers know that less knowledgeable people will believe in such things relating to keygens, game hacks, money hacks, and so forth, and therefore target these people, since they already know they are vulnerable for trying to download things like this (since they are always fake, with the exception of a keygen with illegal serial keys - but this is illegal for usage anyway and could potentially end you up in legal trouble should the publisher of the software it's used on decide to push through and enforce their rules). In my opinion, I don't know why anyone would expect different - the attacker wants to infect people (usually so they can make a profit from their malware being active in some form or way - e.g. silently steal credentials to bank accounts so they can wipe out all their money, sell information about the target, etc.), and the easiest way for them to do this is to target people who are already vulnerable. If you are looking up on Google about downloading tools to hack your PayPal account from $0 to a million (or an increase of any amount) then yes, you are vulnerable to this approach from attackers.

Note: the name "trojan" actually originated for malware that pretends to be something it is not. For example, if you have a malware sample called "winlogin.exe" which has the same icon as the genuine "winlogon.exe", then it's clear that that particular sample was trying to trick someone into believing it was the same file (since not everyone will see a difference between the file names; they probably won't even remember how it's spelt). Therefore, that sample classifies as a Trojan, since it was trying to seem like something it isn't.
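A small checker for the two file-name tricks this thread mentions: the winlogin.exe / winlogon.exe lookalike described just above, and the double extension (invoice.pdf.exe) that the "Hide extensions for known file types" setting from the earlier Folder Options advice conceals. This is an added example, not code from the thread; the list of system binaries, their expected directories and the 0.8 similarity cut-off are assumptions.

```python
import ntpath
from difflib import SequenceMatcher

# Well-known Windows binaries that malware likes to imitate, with the directory
# each legitimately runs from. Assumed list for this example; extend as needed.
KNOWN_SYSTEM_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Extensions Windows runs directly, and the "document" extensions commonly put in
# front of them (invoice.pdf.exe) so the file looks harmless once Explorer hides
# the real extension.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off; winlogin.exe vs winlogon.exe scores about 0.92


def similarity(a, b):
    """Case-insensitive likeness of two file names, from 0 (nothing) to 1 (same)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def check_path(path):
    """Return the reasons a Windows file path looks suspicious; [] means none found."""
    reasons = []
    directory, name = ntpath.split(path)  # handles backslash paths on any OS
    name_l = name.lower()
    dir_l = directory.lower().rstrip("\\")
    stem, ext = ntpath.splitext(name_l)

    if name_l in KNOWN_SYSTEM_BINARIES:
        # The genuine name is only legitimate from its expected directory.
        expected = KNOWN_SYSTEM_BINARIES[name_l]
        if dir_l != expected:
            reasons.append(f"{name} runs from {directory}, expected {expected}")
    else:
        # A near-miss name such as winlogin.exe is the trojan trick described above.
        for known in KNOWN_SYSTEM_BINARIES:
            score = similarity(name_l, known)
            if score >= LOOKALIKE_THRESHOLD:
                reasons.append(f"{name} resembles {known} (similarity {score:.2f})")

    inner = ntpath.splitext(stem)[1]  # ".pdf" for invoice.pdf.exe
    if ext in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        reasons.append(f"{name} is an executable disguised with a {inner} extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real system.
    for p in (r"C:\Windows\System32\winlogon.exe",
              r"C:\Users\bob\AppData\Local\Temp\winlogin.exe",
              r"C:\Users\bob\Downloads\invoice.pdf.exe"):
        print(p, "->", check_path(p) or "nothing suspicious")
```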

Another common method of malware ending up on someone's system and becoming active would be through the use of exploits being used as an advantage to the attacker. As we all know, nothing is 100% foolproof and for this reason anything can technically be exploited. Therefore, if you are using a particular browser and end up on the wrong site, a currently unknown vulnerability could be exploited within a scripting language (e.g. JavaScript) to infect the user in some way or form. It's safe to say that most mainstream web browsers today have at least basic protection set up against zero-day exploits, such as sandboxing mechanisms and the browser processes being executed with lower elevation rights (e.g. not running as administrator), in the case of remote code execution exploits. An example of a web browser which contains sandboxing mechanisms would be Google Chrome (based off the Chromium engine). I'm sure many of us here have heard of a "drive-by download" - it's the practice of malware being downloaded onto the system without consent/authorisation via an exploit (exploiting a security flaw in the browser software being used, for example). To make things even worse, it's very common for attackers to compromise genuine and trustworthy websites so they can place their own code to cause an attack like a drive-by download, meaning that anyone visiting that website now becomes compromised also. This is why website security is very important, especially for the big services... Since if you own a service with hundreds of thousands of visitors every month, and an attacker targets your site and you do not have proper protection mechanisms set up, you could end up having your website compromised, leading to all your visitors at that time (before repair of the website) becoming compromised also.

Another common method of infection is through an attacker's use of malvertising. If you are unaware of what malvertising is, it's the usage of advertisements being hosted on a website to push malware (in some way or another). If there is a malicious advertisement hosted on a web page which you are visiting, then this malicious advertisement can attempt to launch exploit code (since the advertisement is being hosted on that website, it can then attempt to execute its own scripts written in external languages like JavaScript) to infect the host system (and via this method it can attempt to work its way around any sandbox mechanisms or existing protection provided by the browser, or just attempt to break it altogether), or it can be linked to an external web page which will contain malicious content of some kind, where you'll be redirected to once you click the advertisement. Through malvertising, techniques such as drive-by download attacks can also be used to attack the user - however this can all occur silently and the user may never become aware that the advertisement was malicious; therefore, without good monitoring of the website from the owners or someone noticing a pattern of viewers of that particular website being infected, it can be hard to determine the cause of the infection (and which website it was from, etc.).

To expand on the most recent method mentioned above (malvertising), I will briefly talk about websites making deals with third parties for advertisement hosting. Let's pretend there is a man called John and there is a woman called Jessie... John might own a really popular social media website, whereas Jessie may be a start-up and wish to pay John a fixed sum of money to have her advertisements for her own service hosted on the social network owned by John for a certain length of time. John may accept the deal and not do proper check-ups or follow good guidelines, and therefore becomes tricked... Jessie in this case has malicious intentions, and therefore proceeds with this deal - she sets up an advertisement which looks genuine, and uses this to trick John and have his social network website compromised, and thus all the viewers who are on the page where this advertisement is being displayed. In the end, John discovers his social network was compromised and attempts to repair the damage and end the deal; however, it's too late since many people were already infected (including himself and his own workplace). John tries to press charges and get the problem resolved through legal matters and enforcement, only to find that Jessie was actually a fake identity and wasn't a real person, but someone else using untraceable methods and a fake identity... which he fell for.

The above is just an example demonstration of something which could technically happen, although it may be rare; still, malvertising is a big problem and is a very frequent attack carried out by attackers.

I cannot stress enough that YOU as the user are very important when it comes to decision making, and this is for everything you do on your system (revolving around internet usage, however). To sum things up a bit:
  • When you are searching with a search engine like Google, don't just automatically assume that every result shown will be safe and that behind the website is someone with malicious intent.
  • When you are downloading programs, make sure you know the download is from the official publisher, and if you are unsure of the program being clean or not then try to use an online virus scan service/sandboxing service (e.g. VirusTotal, Malwr).
  • When you are speaking with friends or on a trusted forum, don't just believe that any links sent to you will be 100% secure and safe - it's quite common for people to have their accounts hacked so malicious links can be spread (and appear to be from a trustworthy and reputable person), and the same goes for online chat services (e.g. Skype - your friend may be hacked and his account may be used to send you links, trying to push you to click them since you believe they're coming from a trusted person) - you can even contact them via another method to ask if they sent you that file/link if it seems suspicious.
  • Keep your main OS updated (since this can patch security flaws in the actual OS to strengthen it and reduce chances of infection - some infection attacks will rely on specific flaws in the OS, and therefore if these are fixed in a patch update which you proceeded with, you'll be protected against that specific attack).
  • Keep all other additional software on the system up to date and remove any software which you do not use (to prevent external software becoming exploited; less software on the system reduces risk since there will be fewer options in terms of vulnerabilities to be exploited) - you can even use software to auto-update everything for you (e.g. Kaspersky Software Updater).
  • Make sure you use an ad-blocker to help protect yourself against malvertising attacks. Most popular ad-blocker software/extensions won't just block based on a database of advertiser networks/malicious hosts, but will also inject their own code within the web pages to scan through for specific sections and hide the elements (e.g. scanning for elements of advertisements and then getting rid of them) - an example of a good ad-blocker software would be Adguard, and for extensions I would recommend uBlock.
  • Work with software like Anti-Exploit/Anti-Exe, and if you need it... Anti-Virus. If you know what you are really doing then you can pull off using even nothing, but it's always better to use Anti-Exe/Anti-Exploit, and there's nothing wrong with using some form of real-time protection from an AV product. You can also use an AM product on demand, say, just in case... But most of the time, Anti-Exe and Anti-Exploit will have your back (given that you know what you're doing).
The list of things to watch out for can go on forever, literally.

Good luck and stay safe online! ;)
 

Wave

shmu26 said:
So why not turn off the AV until the next time you want to make a risky install?
This would leave you vulnerable (e.g. drive-by download attacks - which can be pushed from standard and popular websites which have become compromised, or even malvertising, etc.).

shmu26 said:
If I understand correctly, you need to have an unpatched vulnerability in your browser and/or software for this to happen.
There will always be undiscovered vulnerabilities in every piece of software, so there are bound to be a bunch in the browser you're using right now. It's the practice of these being discovered and these vulnerabilities being exploited to actually perform a successful attack on the user which can be difficult. Nothing is foolproof, always remember this & never dare forget it! :)
 

LabZero

shmu26 said:
Based on the answers here, most of the time it would be enough to have anti-exploit protection for the browser, or alternatively, disable Windows Script Host, so JavaScript can't run.
You only need real system protection when you are installing unknown software and during the subsequent reboot.
So why not turn off the AV until the next time you want to make a risky install?
About malicious scripts, you can use the NoScript browser extension to block JavaScript, Java, Flash and other types of scripts.
It blocks scripts in advance through a whitelist, and it also prevents the exploitation of flaws and security vulnerabilities. A very effective tool.
 

shmu26 (Thread author)
The new edition of Avast has a feature that fits in very well with the idea that I am pushing here. It is called "passive mode". The AV will update, run scheduled scans, and whatever, but it won't provide any active protection until you go out of passive mode.
This way you have the freedom of a non-AV environment when you want it, and you have up-to-date AV protection when you want it.
 

shmu26 (Thread author)
I just read an article about delayed-reaction malware, and this technique may necessitate some rethinking on my part.
A person could run an executable, reboot, and then turn off his AV when everything came out clean -- only to get the payload some time later on.
How Delayed Detonation Malware Works
 

Malware Person
Your best defence against malware is to use your brain and watch your mouse clicks. No antivirus can protect you if you click everywhere and recklessly.
 