What hackers do: their motivations and their malware

Understanding hackers and how they attack

Whatever the threat, it is arriving to your computer in one of two ways: human adversary or malware. Human attackers can use any of the hundreds of thousands of known computer exploits and attack methodologies to compromise a computer or device. People are supposed to run patching routines, and many devices and software programs try their best to automatically update themselves, yet many computers and devices are left vulnerable for long periods of time even after the patches are available, a fact that hackers love.

Unique malware programs number into the hundreds of millions, with tens of thousands of new ones created and released each day. The three main malware categories are viruses (self-replicating), worms (self-traveling), and Trojan horse programs (which require an end-user action to execute). Today’s malware, usually arriving via web page or email, is often a combination of multiple malware classes. Often the first malware program to exploit a system is just a “stub downloader” program, which gains initial access and then “phones home” to get more instructions and to download and install more sophisticated malware.

Often the stub program will download over a dozen different new malware variations, each designed to avoid antimalware detection and removal. Malware writers maintain their own malware multi-detection services, similar to Google’s legitimate VirusTotal, which is then linked to an automated updating service which modifies their malware to be undetectable by current antimalware engines. It’s this nearly instantaneous updating that causes so many “unique” malware programs to be created and distributed.

The malware writer or distributor may also be paid to infect people’s devices with completely different types of malware. It’s a renter’s market out there, and if the malware controller can make more money renting the compromised devices than they can make alone, they will do it. Plus, it’s much less risk for the controller in the end.

Many hackers (and hacking groups) use malware to gain access across a company or much broader array of target victims, and then individually select some of the already compromised targets to spend more effort on. Other times, like with most ransomware, the malware program is the whole ball of wax, able to compromise and extort money without any interaction from its malicious leader. Once released, all the hacker has to do is collect the ill-gotten gains. Malware is often created and then sold or rented to the people who distribute and use them.

Why do hackers hack?

The reasons why hackers commit crimes fall into these general categories:

• Financial motivations
• Nation-state sponsored/cyberwarfare
• Corporate espionage
• Hackivists
• Resource theft
• Gamer issues

Financial theft and nation-state attacks are easily the largest portion of cybercrime. Decades ago, the lone, solitary youth hacker powered by junk food was an adequate representation of the average hacker. They were interested in showing themselves and others that they could hack something or create interesting malware. Rarely did they do real harm.

Today, most hackers belong to professional groups, which are motivated by taking something of value, and often causing significant harm. The malware they use is designed to be covert as possible and to take as much of something of value as is possible before discovery.

How do hackers hack?

Regardless of their motivations, hackers or their malware usually break in and exploit a computer system the same way and use most of the same types of exploits and methodologies, including:

• Social engineering
• Unpatched software and hardware vulnerabilities
• Zero-day attacks
• Browser attacks
• Password attacks
• Eavesdropping
• Denial of service
• Physical attacks

This list does not include insider threats, unintended data leaks, misconfiguration, user errors, and myriad other threats not connected directly to intentional hacking.  The most common ways devices are compromised are unpatched software and social engineering. These threats compromise the vast majority of the risk (over 95 percent) in most environments. Fix those issues and you get rid of a ton of risk.

Zero-day attacks, where a hacker or malware program exploits a vulnerability not known by the public, are always newsworthy when they occur because the vendor doesn’t yet have a patch for them. Only a handful of them are discovered each year. Usually, they exploit only one company, or a few companies, before they are found, analyzed, and patched. Far more zero days are probably being used, especially by nation-states, than we realize, but because they are used very sparingly by those types of hackers, we rarely discover them, and they can be used again and again when needed.

The vast majority of malicious exploits come through the internet and require that a user do something — click on a link, download and execute a file, or supply a log-on name and password — for the maliciousness to begin. Browser security improvements have made less common “silent drive-by” attacks, where a threat executes without any user action when a user visits a web page or opens an email.

Protection from hackers

A key to defeating hackers and malware, regardless of their motivation, is to close the root cause exploit holes that allow them and their malware to be successful. Take a look at the root cause exploits listed above, determine which ones are used the most against your organization, and then create or improve existing defenses to minimize them. If you can do that, you’ll build a solid security defense second to none.