The dangers of malicious code

The dangers of malicious code

What do you think the cost of cyber-crime is in the UK?

According to police, in 2020-21 there were over 31,000 reports of cybercrime in the UK, with reported losses of £9.6 million – and let’s not forget the emotional distress and psychological impact of these crimes on victims.

This threat is only going to increase, so it’s imperative that you are ready to deal with the danger posed by malicious code in the world of cybersecurity, the old cliché of ‘know your enemy’ holds true.

So how prepared are you? Here’s a recap of some common methods for spreading malicious code to help fill in any gaps in your understanding.

What is malicious code?

The US government’s cybersecurity agency defines it as unwanted files or programs that can cause harm to a computer or compromise data stored on a computer.

Also called malware, it can appear on devices and computers as legitimate software, or it can attach itself to a host program much like a biological virus attaches itself to a host organism.

How does malicious code infect a system?

The way in which malicious code infects a system is called an infection vector and its means of spreading is a propagation method.

You can categorise malicious code under many familiar names - viruses, worms, trojan horses - that differ in the way that they infect systems and propagate. You’ll find out about these in more detail in the next step.

Here’s an overview of some common malware:

Decorative icon: Virus


A virus is a piece of code that inserts itself into a host program - including operating systems - to propagate and spread. It requires a host program as it’s not able to run independently. When the host program is run it activates and begins to replicate.

A common class of virus is the macro virus which is written in a macro, or scripting language like Visual basic. Macro Viruses are often found in Microsoft Office files, such as Word and Excel, and spread throughout a system by infecting documents and spreadsheets.

Decorative icon: Worm


A worm is a program that can run independently and will consume the resources of its host machine from within in order to maintain itself. It can propagate a complete working version of itself onto other machines without the need of a host program.

Its ability to consume considerable resources means that the servers or networks affected slow down and even stop when subject to excessive replication loads, leading to denial of service.

Decorative icon: Trojan


Borrowing its name from the wooden horse of Greek myth, a Trojan appears to be a normal, useful program, but causes damage when installed or run on a computer. Trojans infect a system by executing code delivered through an email, as a download from a website or wrapped up in some other guise, like a PDF or a ZIP file.

Some Trojans have been designed to simply be annoying, doing things like changing the desktop or displaying threatening messages. But some cause serious damage by deleting or encrypting files and creating system ‘backdoors’ that provide access to confidential or personal information for malicious users.​

Unlike viruses and worms, Trojans don’t propagate by infecting other files; instead, they operate and execute independently on a computer.

Decorative icon: Root kit


A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer system.

​They often have full administration privileges – root access – and can hide themselves. So, the rootkit could be running as a process on the system but won’t appear in the list of running processes in Task Manager.

​When the file system is reviewed, the rootkit code will be hidden and maybe even protected using access control lists, so users can’t get to it. ​Think of a rootkit as malware that infects the core of the operating system and becomes inexorably intertwined with it.​

​Rootkits are very difficult to detect and even harder to remove. Specific software is needed to detect rootkit indicators of compromise and specialist help is generally required to remove the infection.

Decorative icon: Backdoors


Backdoors, also known as trapdoors, are entry points to code within a program. They take an abnormal input construction and use the action of the software receiving the input to achieve an unexpected result. ​This could be user input from a website form, or a message received over the network.​

Backdoors are sometimes discovered in commercial off-the-shelf (COTS) products and freeware products. One notorious form of backdoor was found in early versions of Microsoft Excel where small snippets of embedded code did unusual things if a specific input triggered them. These were known as Easter Eggs and one example used a special key sequence to launch a computer game. ​

Trojans often use backdoors to support an attack. For example, if a Trojan was accidentally downloaded onto a system, it might appear benign to start with, then open a backdoor to receive instructions through the network. This technique is often used in botnet infections.​

Logic bombs are similar to backdoors. It’s malware which ‘explodes’ when a specific date, time, system event or other condition occurs. When the malware is executed, it does some kind of damage – like deleting all the files on the hard disk.


In June 2021, the chief of the UK’s National Cyber Security Centre warned that ransomware was the key threat facing the UK and urged the public and business to take it very seriously.

Ransomware is a type of malicious software that infects a computer and encrypts a victim's files, which restricts users' access to it until a ransom is paid to unlock it. Ransomware attacks have been observed for several years and often attempt to extort money from victims by displaying an on-screen alert.  Ransomware then establishes a foothold, expands to other endpoints, and moves to discover, collect, stage, and encrypt target data. Once the damage is done, it covers its tracks and exfiltrates data for use or sale on the deep or dark web.

Ransomware as a Service (RaaS) is a business model used by ransomware developers, selling, or leasing malware to users on dark web forums. These affiliate schemes provide low-level attackers with the ability to distribute and manage ransomware campaigns, with the developer behind the ransomware receiving a cut of each ransom victim's pay for the decryption key. If you’re a victim, there is no guarantee if you pay that you will get your data back.

Zero day attacks

Zero-day attacks are the worst kind of threats to IT systems. These include malware and attack techniques which attempt to exploit vulnerabilities that are previously unknown to IT and security specialists.
Anti-malware software provides a line of defence against zero-day attacks by using heuristic, or behaviour-based, methods to detect anomalous activity. These rely on being able to ‘train’ the software to recognise normal behaviour. Heuristic methods are prone to generating false positives, especially during the initial training period.
Once a zero-day attack has been discovered and the cause of the vulnerability identified, product vendors can develop and distribute a patch. If the vulnerability’s particularly severe, the patch is classified as critical; in these cases, it should be applied as quickly as possible.

Blended attacks

A popular infection strategy is to use a blended attack. This is a multi-pronged attacked that combines several methods simultaneously to give the best chance of success.

Blended attacks are designed to propagate quickly, like worms, but instead of relying on a single attack vector (such as email), they use whatever propagation paths exist to initiate, transmit and spread an attack.

Here’s a hypothetical blended attack to give you an idea of what one might look like:

Step 1

The attackers use a Distributed Denial of Service (DDoS) to take down a bank's website.

Step 2

Once the site is down, the bank's customers receive emails apologising for the inconvenience, directing them to an ‘emergency site'. This site is, of course, fake, and malicious, set up by the attackers to fool customers into revealing confidential information such as login or banking details.

Decorative image: Social engineering attacks

Social engineering attacks

Another vector of attack is through manipulating and exploiting human behaviour to gain access to a system or to infect a system with malicious software. Here’s a quick outline of some social engineering attack techniques:


The act of attempting to acquire information such as usernames, passwords, credit card details, etc., by masquerading as a trustworthy entity in an electronic communication – typically email.

Spear phishing

These are phishing attempts directed at specific individuals or companies. Attackers may gather personal information before launching an attack to increase their probability of success.

Clone phishing

A legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email.


Several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses. The term whaling has been coined for these kinds of attacks.


This is a security attack in which the user is tricked into downloading a Trojan horse, virus or other malware onto his cellular phone or other mobile device. SMiShing is short for 'SMS phishing'.


Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorised entities. A vishing attack can be conducted by voice email, VoIP (voice over IP), or landline or mobile phone.


A cyber-attack intended to redirect a website's traffic to another – fake – site. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software.


A form of false advertisement, uses hyperlink text or a thumbnail link that is designed to attract attention and to entice users to follow that link and read, view, or listen to the linked piece of online content, with a defining characteristic of being deceptive, by being typically sensationalised or misleading.


A watering hole attack works by identifying a website that is frequented by users within a targeted organisation, or even an entire sector – such as defence, government, or healthcare. That website is then compromised to enable the distribution of malware.


Pretexting is a certain type of social engineering technique that manipulates victims into divulging information. A pretext is a made-up scenario developed by threat actors for the purpose of stealing a victim’s personal data.


Diversion Fraud process where cyber criminals pose as trusted and recognised entities and use a sense of authority and urgency to manipulate individuals and employees into making a bank transfer or providing confidential information.

Tab napping or tab nabbing

The criminal activity of stealing an Internet user's personal information by substituting a fake web page at an inactive tab during an Internet browsing session


Audio or video that have been made to look and sound like a real person, doing or saying something that that person has never done or said.

What’s next?

Next up, QA’s cyber-security expert is going to talk you through a number of attack methods in detail.


In this course on malicious software, you will learn about the various types of malicious code in detail, contrast the different types before looking at look at the countermeasures used to combat them. You’ll also encounter non-technical controls and see the OWASP top 10 security threats.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.