Malware Types Malware can be classified by it’s behavior, target platform, or attack commands. Of the three classifications, we will look more specifically at malware based on behavior. These can be divided into 8 different categories:
- I. Infectors
- II. Network Worms
- III. The Trojan Horse
- IV. Backdoors
- V. Remote Access Trojans
- VI. Information Stealers
- VII. Ransomware
- VIII. Rootkits
Infectors often take the form of direct file infectors, macros and scripts, boot-sector, and multipartite. They can further be identified by the objects they infect.
Direct File Infectors (Overwriting, Companion, and Parasitic) immediately infect files as soon as they are executed. Can be limited to files located in the same folder or
- Overwriting viruses overwrite the host files they infect with their own malware code, making the original host file unusable. Without a backup there is no way to recover this file.
- Companion viruses operate by renaming the host file’s extension and then create a copy of itself with the original name of the host file. The renamed host file is then given a hidden attribute. When the file is called by the user or the operating system, the companion virus will execute it’s malicious code and then pass the instruction to the renamed/hidden original file.
- Parasitic viruses attach themselves to the host file during infection. A prepending parasitic virus attaches itself to the top of the host file, while an appending parasitic virus attaches itself to the end of the host file.
- Macro and Script viruses are created using an application-specific macro language. Although macros are not confined to Microsoft Office alone, it has become the main platform for macro viruses. An example of this would be the Melissa virus from 1999 which spread via email and embedded itself in both saved and new documents. The macro language is a form of scripting and macro viruses showed the malicious possibilities of scripts. A script is code that exists independently and is executed by the operating system or service to do an action. Again, they are used to automate a routine task.
- Boot-Sector viruses infect the boot-sector of a disk to get control of the systems execution flow, in most cases, before the operating system. The virus works by hijacking the first instruction in the boot-sector, pointing to the malicious code, and then releasing control back to the boot-sector code.
- Multipartite viruses are viruses that infect both boot-sector and files. When a multipartite virus is executed, it looks for files to infect and then looks for the presence of disks in drives and infects their boot sector. Examples are Flip from 1990 and Junkie from 1994.
- Direct File Infectors (Overwriting, Companion, and Parasitic) immediately infect files as soon as they are executed. Can be limited to files located in the same folder or
Network Worms are malware that replicates itself to multiple systems in the network with little to no user intervention via network services such as browsing, e-mail, and chat just to name a few. Network worms are usually classified based on their network-propagating features (Mass Mailers, File-Sharing, Instant Messaging, Internet Relay Chat (IRC), LAN, and Internet).
- Mass mailer worms spread via e-mail. Usually involves social engineering techniques to fool the user into opening or clicking links/attachments. Utilizes the users address book to spread.
- File-Sharing worms spread by adding copies of themselves to publicly facing file-sharing folders with enticing names. The idea is to get other users to see via a peer-to-peer program.
- Instant Messaging worms, as the name indicates, use IM software as the main vectors for infection and is similar to the Mass Mailer worm. It infects the user’s contact list and sends malicious links that result in downloading/installing itself on the next target machine. Since IM is coming from a “known” contact it is likely to be accepted.
- Internet Relay Chat (IRC) worms spread, yup you guessed it, through IRC channels by sending messages containing malicious links or instructions that socially engineer the user to type in a series of commands that can result in infection not just of the user’s system, but the other users in the channel as well.
- Local Area Network (LAN) worms spread within the confines of a LAN by scanning for write-able shared folders on hosts connected to the network and copying itself into said folders. It also searches for public folders in a network to drop a copy of itself.
- Internet worms spread to other systems by scanning the Internet for vulnerable machines.
- The Trojan Horse (or Trojan to most) is malware in disguise. A Trojan’s main goal is destruction of files, software, or the entire operating system itself. Typically the easiest way to recover from a Trojan is to reinstall a fresh copy of your OS or restore from a clean backup.
- Backdoors enable an attacker to gain access to a compromised system and bypassing any form of safeguards and authentication. This access can be in the form of a shell with root/system privileges. Backdoors can be embedded in software or can be a stand-alone exectuable.
- Remote Access Trojans (RAT) are malicious administrative tools that have backdoor capabilities. The difference between a RAT and a traditional backdoor is the RAT has a user interface or client like component that the attacker can issue commands to the server (RAT) component; this gives the attacker control over compromised machines.
Information Stealers are exactly that; they steal information. The most common information stealers are Keyloggers, Desktop Recorders, and Memory Scrapers.
- Keyloggers capture keystrokes and log them. These logs can either be stored locally for later retrieval or sent to a remote server setup by the attacker. Keyloggers are not limited to software alone, there are also hardware implementations available.
- Desktop Recorders work by taking screenshots or active window on the users platform. They can be setup on a time interval or when triggered by an event such as a mouse click or a pressing of the enter/return key. The downside of this malware is the amount of data that results from this type of operation. The file size of each screenshot can add up quickly.
- Memory Scrapers steal information in memory while it is being processed. Data that is processed in memory is unencrypted which makes it an ideal place to target.
- Ransomware is a malicious program that holds data or access to systems/resources containing data unless the user pays a ransom. This kind of virtual extortion can be labled as the encryption of data and withholding the password, a trojan threat of destruction, or a user lockout until a ransom is paid.
Rootkits are a set of tools that enables root, or administrator, level access on a computer system. In the malicious software realm, a rootkit is a a set of techniques coded into malware to gain root access and complete control of the OS and it’s underlying hardware. As a result of this level of control, the malware is able to accomplish one major survival goal; the ability to hide its presence and persistence in the system. There are two different kinds of rootkits are User-mode and Kernel-mode rootkits.
- User-Mode rootkits operate in user mode or ring 3 of the Computer Security Protection Ring. Their control and influence is limited to the user or the process space of the affected application. User-mode rootkits operate mostly by hooking or hijacking system function calls made by an application.
- Kernel-mode rootkits operate in kernel mode or ring 0 of the Computer Security Protection Ring. This rootkit is much more powerful b/c it places itself in the lowest level possible. This means it has more control over the OS and the underlying hardware. Ideally, a kernel-mode rootkit is what malware authors want their rootkits to be, but since it requires familiarity with OS internals and hardware it is not always possible considering the time needed to build these skills. Poorly written rootkits in kernel-mode that has system influence will most likely crash the system.