Malware Types and Classifications
NOTE: In this blog, we typically focus on specific aspects of malware, cybercrime, security threats, and network breaches. For this post, we thought we’d take a large step backward and provide some foundational information as context for understanding the capabilities and variations of today’s malware.
Malware, short for malicious software, is an umbrella term used to refer to a variety of forms of hostile or intrusive software. Cybercriminals design malware to compromise computer functions, steal data, bypass access controls, and otherwise cause harm to the host computer, its applications or data.
Researchers classify the many types of malware in several different ways, including:
- The delivery method or attack methodology. Examples include drive-by downloads that distribute malware simply by visiting a website, Phishing emails that trick victims into divulging data, Man-in-the-Middle attacks that take over control of a computer, and Cross-Site Scripting where an attacker injects malicious code into the content of a website.
- The specific type of vulnerability that the malware exploits. Examples include SQL Injection used by attackers to gain access to or modify data, and domain spoofing where bad actors seduce web visitors to click on links to their ads or websites by making them look like other legitimate sites.
- The goal or objective of the malware. For instance, Ransomware has a purely financial goal, whereas Spyware is out to capture confidential or sensitive information, and Keyloggers capture usernames and passwords.
- By the platform or device that the malware targets, such as mobile malware, or attacks that target a specific operating system.
- The malware’s approach to stealth, or how it attempts to hide itself. Rootkits, that typically replace legitimate operating system components with malicious versions are an example.
- Specific behaviors and characteristics—like how the malware replicates and spreads, or other attributes that distinguish it from other forms of malware. This is the most common method for classifying malware.
A basic understanding of how malware is classified, as described above, is sufficient for most readers. So, we’ll forego a more detailed and exhaustive description.
However, it’s essential for anyone involved with cybersecurity to have at least a fundamental knowledge of the most significant and common varieties of malware.
The Most Significant and Common Malware Types
The list below provides an overview.
Adware is the name given to programs designed to display advertisements on your computer, redirect your search requests to advertising websites and collect marketing data about you. For example, adware typically collects the types of websites that you visit so advertisers can display custom advertisements.
Many consider adware that collects data without your consent to be malicious adware. Another example of malicious adware is intrusive pop-up advertisements for supposed fixes for non-existent computer viruses or performance issues.
Spyware is, as the name implies, software that spies on you. Designed to monitor and capture your Web browsing and other activities, spyware, like adware, will often send your browsing activities to advertisers. Spyware, however, includes capabilities not found in adware. It may, for example, also capture sensitive information like banking accounts, passwords, or credit card information.
While not all spyware is malicious, it is controversial because it can violate privacy and has the potential to be abused.
The primary characteristic of a computer virus is malicious software that cybercriminals program to reproduce. It usually does so by attacking and infecting existing files on the target system. Viruses must execute to do their dirty work, so they target any type of file that the system can execute.
Viruses have been around, at least in concept, since the early days of computers. John von Neumann did the first academic work on the theory of self-replicating computer programs in 1949. The first examples of actual viruses appeared in the ‘70s.
Although their threat has diminished in recent years and other forms of malware have moved into the spotlight, viruses have been the cause of widespread destruction over the years. In addition to stealing and corrupting data, they consume system resources—often rendering the host system ineffective or even useless.
Another characteristic common to viruses is that they are covert, making them hard to detect. Viruses arrive uninvited, hide in secrecy, reproduce by infecting other files when executed, and usually work in obscurity.
Like a virus, worms are infectious and cybercriminals design them to replicate themselves. However, a worm replicates without targeting and infecting specific files that are already present on a computer. Worms carry themselves in their own containers and often confine their activities to what they can accomplish inside the application that moves them. They use a computer network to spread, relying on security failures on the target computer to access it, and steal or delete data.
Many worms are designed only to spread and do not attempt to change the systems that they pass through.
A Trojan is a malicious program that misrepresents itself to appear useful. Cybercriminals deliver Trojans in the guise of routine software that persuades a victim to install it on their computer. The term is derived from the Ancient Greek story of the wooden horse used to invade the city of Troy by stealth. Trojan horses are just as deadly on computers.
The payload can be anything but is usually a form of a backdoor that allows attackers unauthorized access to the affected computer. Trojans also give cybercriminals access to the personal information of a user like IP addresses, passwords and banking details. They are often used to install keyloggers that can easily capture account names and passwords, or credit card data, and disclose the data to the malware actor. Most ransomware attacks are carried out using a Trojan horse, by housing the harmful code inside an apparently harmless piece of data.
Security experts consider Trojans to be among the most dangerous types of malware today, particularly Trojans designed to steal financial information from users. Some insidious types of Trojans actually claim to remove any viruses from a computer but instead introduce viruses.
A keystroke logger, or keylogger, records every keystroke entry made on a computer, often without the permission or knowledge of the user. Keyloggers have legitimate uses as a professional IT monitoring tool. However, keystroke logging is commonly used for criminal purposes, capturing sensitive information like usernames, passwords, answers to security questions, and financial information.
A Rootkit is a set of software tools, typically malicious, that gives an unauthorized user privileged access to a computer. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine.
Rootkits cannot self-propagate or replicate. They must be installed on a device. Because of where they operate (in the lower layers of the operating system’s application layer, the operating system kernel, or in the device basic input/output system (BIOS) with privileged access permissions), they are very difficult to detect and even more difficult to remove.
When a rootkit is discovered, some experts recommend completely wiping your hard drive and reinstalling everything from scratch.
Phishing and Spear Phishing
Phishing is a cybercrime where a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure the victim into providing sensitive data, such as personally identifiable information, banking, and credit card details, and passwords.
Technically, phishing is not a malware type, but rather a delivery method criminals use to distribute many types of malware. We have listed it here among malware types because of its significance and to illustrate how it works.
Often, a phishing attack lures an individual to click on a malware-infected URL that fools the victim into thinking they are visiting their bank or another online service. The malicious site then captures the victim’s ID and password, or other personal or financial information.
Spear Phishing refers to an attack that is targeting a specific individual or set of individuals, such as the CFO of a corporation to gain access to sensitive financial data. Regular “phishing” is aimed at the masses.
Bots and Botnets
Also known as robots, bots are malicious programs designed to infiltrate a computer and automatically respond to and carry out instructions received from a central command and control server. Bots can self-replicate (like worms) or replicate via user action (like viruses and Trojans).
An entire network of compromised devices is known as a botnet. One of the most common uses of a botnet is to launch distributed denial of service (DDoS) attack in an attempt to make a machine or an entire domain unavailable.
Ransomware is a type of malware that locks the data on a victim’s computer, typically by encryption. The cybercriminal behind the malware demands payment before decrypting the ransomed data and returning access to the victim.
The motive for ransomware attacks is nearly always monetary, and unlike other types of attacks, the victim is usually notified that an exploit has occurred and is given instructions for making payment to have the data restored to normal.
Payment is often demanded in a virtual currency, such as Bitcoin so that the cybercriminal’s identity remains hidden.
Many More Types of Malware
The above list describes only the most common types of malware in use today. In reality, there are many additional types and variations of malware, and cybercriminals are continually developing more, although most are simply new techniques to carry out one of the objectives described above.
At some point in the future, there will no doubt be new malware that doesn’t look anything like the above categorizations. That means that those of us responsible for network security needs to be forever diligent in looking for new types of malware that don’t fit the mold. We can never let our guard down.
The good news is that the vast majority of the new malware threats we’ll encounter will fall into one or more of the above classifications. New malware is largely a variation on an old theme.
Latest posts by Bert Rankin (see all)
- RSA Hot Topic — IoT Security and Managing Unknown Devices - April 18, 2018
- Machine Learning for Cybersecurity: Good, but Imperfect - April 17, 2018
- Hot Topics for RSAC 2018 - April 11, 2018