Malware authors use a variety of physical and virtual means to spread malware that infects devices and networks. This list describes some of the main physical and virtual means by which malware is distributed.
Physical distribution refers to the nature of the malware itself, rather than how it is distributed. Physical distribution typically involves physical hardware or even physical or virtual machines, usually hosted in physical data centers or as part of physical or virtual networks. To simulate physical distribution of malware, victims are attacked in a similar fashion to computer intrusions: by compromising their legitimate access credentials, generally by way of credentials stored on an infected computer or its hard drive.
This type of physical distribution can be very successful because it involves physical access to the computers or networks the malware is communicating with.
For example, the most recent infections of the WannaCry ransomware strain spread in this manner: machines were infected using credentials that were saved in Windows session files, stored in an insecure Windows filesystem. Once these credentials were stored on the compromised machines, the malware could communicate with a command and control server and spread itself from machine to machine. As the threat spreads, more and more computers are compromised.
While physical distribution is quite effective, network distribution is harder to detect because it does not involve a compromised machine. Instead, the malware spreads via computer infrastructure. In this scenario, the malware spreads itself to computer servers or their attached storage devices. If the storage devices are USB keys, attackers can infect these devices by looking at their code and searching for an unknown file. When this file is executed, it creates a lock icon on the infected machine that can be used to lock the machine.
All the infected files can then be transferred to the infected victims by way of email or by way of file sharing.
Virtually any storage device, including digital storage devices (e.g., SD cards, memory sticks, USB drives, etc.), can be used to transmit malware files. In most cases, it is not necessary to use a specific device, although USB keys are particularly attractive because they allow infection in such a simple way.
Using this technique, the same ransomware strains that can spread from computer to computer are also able to spread from a USB key to another computer or even to a new device. This makes the USB key the most widely used weapon for spreading malware today. A notable example is the recent ransomware campaign of the Petya family, which spread from infected USB drives.
Virtual distribution does not involve a compromised machine. Instead, it involves the creation of a fake user account, often via social engineering. This fake user account can be used by malware authors to spread malware from computer to computer in a variety of ways: the fake account can be used to install malware on an unsuspecting computer, using the installation image that was downloaded on the infected computer.
In cases like these, the fake user account can be a compromised user account, too, and the attackers can use that user account to exploit vulnerabilities in other software or to impersonate legitimate users. Such a user account could also be used by malicious insiders, who use it to execute the malicious payloads installed on the infected machine. In this way, malicious insiders are able to use malicious code with higher privileges than the regular user account.