I'm a professional malware analyst, so the domain of this question is what I literally do 8-10 hrs a day.
As the folks above said, malware = mal
. This means that it is software like any other kind with the exception of it often needing to hide from antivirus, antimalware, the user, and even analysts like me in order to best accomplish its mission. Why? Well, if it is detected, definitions are written and the threat diminishes greatly.
Martins offered great advice for protecting yourself from malware. Even in the most severe cases with the so-called most advanced/ "sophisticated" malware like Stuxnet (malware said to halt Iran's nuclear program by a couple years) or NSO Pegasus (malware which took over iPhones with a rootkit silently allowing the attacker to access camera, GPS, etc...), there is usually some silly user mistake which unleashes the payload. In the case of Stuxnet, the malware attempted to login to Siemens-brand Programmable Logic Controller management software with the default password of "1234" or "password." In the case of the Iranian nuclear research facility, they had left this as the default password, probably because they forgot that the computer was in fact connected to the network or just were not thinking. This allowed Stuxnet to control and destroy centrifuges in the facility.
NSO Pegasus also required the victim to click a link for it to activate and take over the phone. Just one link, but it still required a user mistake. This is most common in malware but it is not always the case for individuals.
For example Wanacry did require someone to initially open the malware on a network, but once that person did, the malware would spread to every out-of-date computer on the network and infect it without those users doing a single thing.
"Advanced" malware does this by exploiting what's called zero-day vulnerabilities
. WanaCry actually did not exploit a zero day, but first let's talk about what a zero day even is.
All a zero day is is a software exploit that nobody knows about except for the finder of the exploit. So, say you open up some program that is used to track retail stock at a retail store and in the login screen, for the username, you enter 5,000 characters, and for the password, you enter 2,000 characters. The program crashes. There are tools that help with this, but you can fool with the program, open it in a debugger, and find a vulnerability like a memory leak, buffer overflow, etc... Say you are able to bypass the entire login screen by entering characters like this and gain access to sensitive information, or cause the program to do other unexpected behavior. If you didn't report this to the developer, this would essentially be a "zero-day exploit."
Now, you create a piece of malware and you program it to perform this exploit, access the system, and once in there, do damage. This is how malware is made.
Other very common characteristics of malware is something called hooking, process replacement, and process injection. Without going into crazy amounts of detail, imagine instead of creating a program that does bad things, you instead create a library file or DLL. Instead of launching the malicious code directly, you trick Mozilla Firefox into accessing and running the code, thinking that it's running a legitimate system DLL. Or, you wait until Mozilla Firefox is loaded in memory, and your program overwrites and replaces some of the data in memory with malicious code.
The above techniques offer several benefits for malware:
- The non-technical victim can hit Ctrl+Shift+Escape or Ctrl+Alt+Del amd they won't find a single suspicious process. They may see Firefox, but that's a name they know and trust. Little do they know that the malware is embedded in Firefox's memory space!
- It could be for example inside lsass.exe and when you Google that, it appears like a legitimate Microsoft system file
- Even anti-malware which scans the memory and processes for viruses may miss malware which is loaded into an otherwise legit process.
However, there are some tried-and-true ways to detect even the most advanced malware. If you go to Microsoft and download the Sysinternals tools, particularly Process Explorer and ProcMon, and you learn them like the back of your hand, you can detect most of this stuff. This is because ProcMon will show you the behavior of every single thing going on on the computer, and in Process Explorer, you can set what's called highlight duration to several seconds, so when you launch a bad malware or suspicious file and it tries to hide itself within 20 milliseconds, it will still show and you will be onto it.
There are many, many other aspects to malware and malware research. The tools that I just explained to you are called "dynamic analysis" tools because they observe the behavior of the malware once it is running. There is also static analysis, where you examine the file's data, strings, function imports, API calls, and more before you ever run it. In fact, you can use a disassembler to view the x86 assembly code of the malware and learn A LOT. This is what I do on a regular basis at my job. If you ever want to know more, feel free to contact me.
Linux and Mac malware exist, but aren't currently as prevalent as Windows malware. However, Mac malware is definitely becoming a bigger thing these days. If you're a Linux guy, check out Remnux, it's got everything you need to analyze malware to your hearts content. If you ever want to do so, run an UPDATED virtual machine and make sure it's de-networked from any computers you care about.