How Malware Gets In and What It Does
Malware — software written to harm or take over a device — can't do anything to Olivia while it's sitting on some attacker's computer far away. It has to reach her device and start running first. So the whole story of a malware infection begins with one question: how did it get in?
The answer is reassuringly short. There are only a handful of doors, and most of them are familiar. A tricked click, a bad attachment, a fake download, a hacked website, an infected USB stick. Knowing the doors is most of the story, because it explains why the defenses later in the course are shaped the way they are.
Think of malware like a burglar. A burglar gets in through whichever door or window was left open, and then does different damage depending on why they came. The way they got in and what they want are two separate things. Malware works the same way: the entry route and the goal are two different questions, and we'll take them one at a time.
What Are the Common Ways In?
Most malware arrives through routes you have already met in this course. The biggest one is the human attacks from Chapter 3: a phishing message tricks Olivia into clicking a link or opening an attachment, and the malware rides in on that click.
Close behind are fake downloads. Olivia goes looking for a free version of an app, or a "cracked" copy of paid software, and the file she gets is the malware wearing the costume of the thing she wanted.
The rest of the doors are quieter. A malicious ad on an otherwise normal page, a legitimate website that attackers have quietly compromised, or an infected USB drive plugged into the machine. In every one of these cases something from the outside world reaches the device — a file, a page, a plugged-in stick — and that contact is the way in.
Does Malware Always Need a Click?
Not always, and this is the part that surprises people most. Some malware never waits for Olivia to do anything.
Software has flaws — small mistakes in how it was written. When a flaw is discovered, the maker releases an update (a patch) that fixes it. But until that update is installed, the flaw is an open window. A patch is just the maker's repair for a known flaw; "unpatched" means that repair hasn't been applied yet.
Some malware is built to climb through exactly those open windows. It reaches the device over the network, finds it running an old, unpatched version of some software, and slips in through the known flaw — no click, no download, no attachment. The user did nothing wrong in the moment; the software was simply out of date. This is the whole reason "keep your software updated" is a security measure and not just housekeeping, a point Chapter 8 returns to.
What Does It Do Once It's Inside?
Getting in is only half the burglary. Once the malware is running, it does whatever it was built to do — and this part is called the payload, the actual harm the malware delivers.
Payloads vary. Some malware steals data: it hunts for passwords, files, or banking details and sends them back to the attacker. Some malware spies on her: it quietly watches what Olivia types or does and reports back over time. Some encrypts her files and demands payment to unlock them — the ransomware you met in the previous topic.
And some malware does something less obvious: it quietly turns the device into a soldier in someone else's army. A botnet is a large group of hijacked machines, all secretly controlled by one attacker. Olivia's laptop keeps working normally while, in the background, it helps the attacker carry out bigger attacks on other targets. She may never notice, because staying hidden is the whole point.
Why So Many Defenses Instead of One?
Look back at the two halves. The entry routes are different from one another, and the payloads are different from one another. A bad attachment and an unpatched flaw are nothing alike, and stealing passwords is nothing like joining a botnet.
Because the doors and the goals vary this much, no single defense can cover all of them. Something that blocks bad attachments does nothing about an unpatched flaw; something that keeps software updated does little about a file Olivia opens herself from a USB stick. So defenders stack several measures, each covering a different door or a different stage. That stacking is called layered defense, and it is exactly what Chapter 8 is built around.
- "Malware can just appear on a device with no way in." It always needs an entry route — a click, a download, a flaw, a plugged-in drive. Closing those routes is most of the defense, which is why the doors are worth knowing.
- "I'd have to download a file for malware to get in." A download is one common route, but some malware slips through an unpatched software flaw with no download and no click at all. That is exactly why updates count as a security measure.
- "If malware were on my device, it would announce itself." A lot of malware stays hidden on purpose. Spyware and botnet clients work best when no one notices them, so silence is not the same as safety.
- This topic connects the human attacks from Chapter 3 to malware: phishing and fake downloads are often just the delivery, and the malware is the cargo.
- Separating entry route from payload gives you a clean way to read any infection story: how did it get in, and what did it do once inside?
- It explains why Chapter 8 stacks several defenses instead of one: the doors and the goals vary too much for any single measure to cover them all.
Knowledge Check
Which of these is a common way malware first gets onto a device?
- Purchasing a brand-new laptop from a shop
- Opening a fake or cracked download
- Installing an official software update
- Switching the device off overnight
Why can keeping software up to date stop some malware that needs no click at all?
- Because newer software runs faster and leaves less time to attack
- Because updating makes the device invisible to the wider internet
- Because updates fix flaws that no-click malware slips through
- Because updating wipes your files so there's nothing left to steal
A device keeps working normally, but in the background it is secretly being controlled along with thousands of others to help attack different targets. What is this?
- Ransomware locking the user's files for payment
- The device has been joined to a botnet
- A normal software update running in the background
- A data leak sending files to the attacker
Why do defenders stack several measures instead of relying on one?
- Because one carefully chosen defense already covers every route
- Because entry routes and goals vary too much for one defense
- Because running many defenses is meant to slow the device down
- Because malware needs no entry route, so every layer is guesswork