Know Your Malware: Classification is Key to Understanding Purpose and Function

What are the different types of malware? A Guide to Malware Classification.

A computer virus is a self-replicating program that spreads without the owner’s permission or knowledge.

Worms are the entities that spread by exploiting vulnerabilities; viruses do not.

Viruses are only expected to spread via the host, according to their strict classification.

Suppose a virus has infected a file; if the file’s owner then transfers it to any system, the virus has a chance to spread and survive.

Viruses can be subdivided into the following categories:

  • Resident - When the virus executes and becomes resident in memory. It awaits certain events, such as the loading of another program. It then infects additional programs, etc.
  • Non-resident - The virus will search for files to infect upon execution. After infecting them, it will cease to exist. When the infected program is executed again, it will continue to find new targets to infect.
  • Boot sector - Disseminated via boot sectors. For instance, if a user leaves an infected CD-ROM in a computer while turning it off. The next time the system boots up, the boot sector virus will become active and spread to the hard drive, which will then spread to flash drives. When the flash drives are relocated, the cycle is repeated.
  • Multi-Partite - These viruses have multiple types of infection mechanisms, including Boot-Sector and Resident viruses, among others.

Worms are essentially pieces of software that exploit network/system vulnerabilities to spread from system to system. They are typically part of other software, such as rootkits, and serve as the system’s entry point. They compromise the system (locally or remotely) and grant access to additional malware.

A rootkit is malicious software designed to conceal the fact that a system has been compromised or to perform the compromise at a deeper level. A rootkit serves as a supplement to other malicious software.

Essentially, rootkits can be used to:

  • hide processes;
  • implement backdoors;
  • hide files on the file system;
  • create vulnerabilities.

The installation of a rootkit compromises the entire operating system. Rootkits are available for every major operating system.

They are known to exist at the following levels (even lower levels are possible):

  • Application Level - They replace programs with duplicates of other programs.
  • Library Level - Assume that ten applications share a library. Controlling the library entails controlling all ten applications.
  • Kernel Level - This is the most prevalent variety. They are resistant to removal because they share the same privilege level as antivirus software.
  • Hypervisor Level - Current processors have implemented virtualization support. Rootkits that utilize such processor-specific technologies, such as blue pill and SubVirt, are known as hypervisor rootkits.
  • Firmware Level - It is known that rootkits for firmware such as BIOS, ACPI tables, and device ROMS exist. They have the best chance of surviving because there are currently no tools to verify or scan firmware-level rootkits. They are set up as drivers (or kernel modules).

Bootkits begin attacking the operating system prior to the operating system’s initialization. They are capable of completely breaching the operating system’s security.

A trojan (or trojan horse) is a type of malware that facilitates unauthorized access to the owner’s computer while appearing to perform a function.

When you install a game downloaded from the Internet onto your computer, but it contains additional malicious code that is not part of the game, this is an example of a trojan.

During gameplay, the secondary code would execute to carry out its unknown purposes.

A backdoor is software (or a modification of software) that circumvents authentication mechanisms, keeping remote access available for later unauthorized purposes while attempting to remain hidden.

For instance, a backdoor in a login system may grant access when a specific username and password are entered, even if the credentials are invalid.

RATs (Remote Access Trojans) are similar to backdoors.

A Remote Access Trojan (RAT) is a malicious remote administration tool used by an attacker to send commands to a compromised host. A RAT employs a client-server architecture and a user interface to facilitate administration.

Spyware is software that secretly monitors user activities in order to collect information about them, such as the websites they frequently visit.

After a certain amount of data has been collected, it is sent to the author or owner of the spyware program.

Typically, a system with spyware also contains other types of malware, such as rootkits or trojans, in order to conceal their tracks and maintain control of the system.

Botnets refers to a network of compromised computers that autonomously and automatically execute commands with the aid of a command and control server. Typically, botnets are created when multiple clients install the same malware. Typically, the hosts are infected via drive-by downloads.

Bot master refers to the controller or owner of the botnet, who typically issues commands to the bots.

The bot master uses botnets for purposes such as DDoS, spamming, etc.

Ransomware - This type of malware encrypts files and demands that the victim send bitcoins in exchange for the key to decrypt the files.

The victim’s files are held hostage until the ransom is paid, hence the term ransomware.

They are also known as extortion malware because they demand payment in exchange for data restoration.

Information stealers - This type of malware essentially steals data such as private encryption keys, login credentials, credit card data, competitor data (such as proprietary data, intellectual property, etc.), and other crucial information that could be used for a variety of malicious purposes.

In essence, it is important to note that there is no clear distinction between different types of malware.

Malware are typically found in pairs, with multiple variants concurrently active on the target system.

Knowing malware and its classification will allow you to comprehend the malware’s purpose and potentially what actions it has taken or will take.

Want to learn practical Malware Analysis? Enrol in MCSI’s MRE - Certified Reverse Engineer Certification Programme.