Malware (a portmanteau of malicious software) is the term used to describe any software intentionally designed to cause disruption to a computer or computer network, leak private information, gain unauthorised access to information or systems, deprive access to information, or which unknowingly interferes with the user’s computer security and privacy.

Malware researchers tend to classify malware into one or more sub-types based on various characteristics including infection vector, propagation, persistence, activity, and damage caused.

In this blog post, I will identify the majority of malware types and their characteristics.

Virus

A virus is a form of malware, typically hidden within another program, that produces copies of itself and inserts them into other programs or files.

Viruses are the oldest form of malware and whilst they usually perform a harmful action, such as destroying data, variants have been known to exist that simply display messages, or alter device settings.

They have been likened to biological viruses in that in order to propagate to other hosts, a virus must be transported via some mechanism such as a file, or communication message.


One of the first documented cases of a virus is that of the Creeper system which was an experimental self-replicating program designed in 1971.

Worm

A computer worm is a stand-alone piece of malware that actively transmits itself over a network to infect other computers. It achieves this without needing to infect a host or carrier file.


The first computer worm was the Morris Worm. Named after Robert Morris who was a computer science student at Cornell University, the worm was an experimental self-propagating and replicating computer program that took advantage of flaws in certain e-mail protocols.

Morris released the worm onto the Internet whilst he was a guest at the Massachusetts Institute of Technology, but due to a mistake in its code, rather than just sending copies of itself to other computers, the software kept replicating itself on each infected system, filling all the available computer memory.

Before a fix was found to the rapidly spreading code, the worm had brought some 6,000 computers (one-tenth of the Internet at the time) to a halt. 

Rootkit

Once some malicious software is installed on a system, it is essential that it stays concealed to avoid detection.

Malware variants known as rootkits allow for this concealment by modifying the host’s operating system so that the malware is hidden from the user.

Rootkits can prevent a harmful process from being visible in the system’s list of processes, or keep its files from being examined as part of a forensic investigation.

The term rootkit originally referred to a maliciously modified set of administrative tools for a Unix-like operating system that granted “root” access.

If an intruder could replace the standard administrative tools on a system with a rootkit, the intruder could obtain root access over the system whilst simultaneously concealing these activities from the legitimate system administrator.

The first computer virus to target the personal computer was discovered in 1986, and used cloaking techniques to hide itself: the Brain virus intercepted attempts to read the boot sector, and redirected them to elsewhere on the disk, where a copy of the original boot sector was kept.

The first rootkit for the Windows NT operating system appeared in 1999, whereas the first rootkit targeting Mac OS X appeared in 2009.

Backdoor

A backdoor is a computer program that allows an attacker to gain unauthorised remote access to a victim’s machine often without their knowledge.

An attacker typically uses another attack vector (such as a trojan, worm or virus) to gain initial access to a victim system and then will proceed to install the backdoor application.

A backdoor can also be a side effect of a software bug in legitimate software that is exploited by an attacker to gain access to a victim’s computer or network.

Trojan

A Trojan (named after the wooden horse of Troy) misrepresents itself to masquerade as a regular, benign program or utility in order to persuade a victim to install it.

A Trojan usually carries a hidden destructive function that is activated when the application is started.


Although their payload can be anything, many modern forms of Trojans act as a backdoor, contacting a controller (phoning home) which can then have unauthorised access to the affected computer, potentially installing additional software such as keyloggers and cryptominers.

Unlike computer viruses and worms, Trojan horses generally do not attempt to inject themselves into other files or otherwise propagate themselves.

A related term is the Trojan dropper: a sub-type of Trojan whose sole aim is to deliver other malware onto the system it infects, relying on stealth and a light payload to evade detection.

Ransomware

Ransomware prevents a user from accessing their files until a ransom is paid. There are two variations of ransomware:

  • Crypto-ransomware
  • Locker ransomware

Locker ransomware locks down a computer system without encrypting its contents, whereas crypto-ransomware locks down a system and encrypts its contents.


Potentially Unwanted Program (PUP)

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary.

Such software may use an implementation that can compromise privacy or weaken the computer’s security.

Companies often bundle a wanted program with a wrapper application that may offer to install an unwanted application, in some cases without providing a clear opt-out method.

A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project’s knowledge or consent.

Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent.

Adware

As the name suggests, adware is malware, usually delivered by other malware, that injects unwanted adverts into content being accessed by the victim.

Scareware

Similar in behaviour to the adware described above, scareware is delivered by other malware and injects unwanted adverts into content being accessed by the victim. The difference is that these adverts carry an implied threat that something is wrong with the victim’s system, and so scare the victim into performing an action that benefits the attacker – such as purchasing a fake anti-malware solution.

Spyware

Spyware is the term given to programs designed to monitor users’ web browsing, or to display unsolicited advertisements, or redirect affiliate marketing revenues.

Spyware programs do not spread like viruses; instead they are generally installed by exploiting security holes. They can also be hidden and packaged together with unrelated user-installed software.

Naming Malware

Over the years, computer malware experts have invented some quite scary terms for the malware they investigate; however, there is no standardised approach to how malware is named.

CARO (Computer Antivirus Research Organization) is an organisation that was established in 1990 to research and study malware and produced the CARO malware naming scheme.

This naming mechanism remains the scheme that is the most widely used in anti-virus products – despite being criticized for the fact that no product has absolute compliance with it.

The CARO format follows this pattern:

[<type>://][<platform>/]<family>[.<group>][.<length>].<variant>[<modifiers>][!<comment>]

Tags in square brackets are optional.

So, as an example, a malware name following the CARO format would look something like:

Worm:Win32/Taterf.K!dll

This describes a worm malware which affects the Windows 32-bit platform. It is a part of the Taterf family of worms, and is the 11th variant known (K). The additional information suggests that it manifests on a victim device as a DLL file (Dynamic Link Library).
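The pattern and the Taterf example above can be turned into a small parser, which is a handy sanity check when correlating detection names across vendors. The following is an added example written for this post, not CARO's own reference code or any vendor's implementation. The regular expression is my reading of the bracketed pattern; it also accepts a bare `:` after the type, because the page's own example (`Worm:Win32/Taterf.K!dll`) uses that form rather than `://`. The variant-to-ordinal conversion (A=1 ... Z=26, AA=27) is an assumption that generalises the "K is the 11th variant" remark; the family names other than Taterf are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Regular expression for the CARO pattern quoted in the post:
#   [<type>://][<platform>/]<family>[.<group>][.<length>].<variant>[<modifiers>][!<comment>]
# Assumption: the type separator may be "://" (as in the pattern) or a bare ":"
# (as in the Worm:Win32/Taterf.K!dll example). Group names start with a letter so
# that a purely numeric field is read as the infective <length>, not a group.
_CARO_RE = re.compile(
    r"""^
    (?:(?P<type>[A-Za-z][A-Za-z0-9_-]*):(?://)?)?   # optional type, e.g. Worm
    (?:(?P<platform>[A-Za-z][A-Za-z0-9_-]*)/)?       # optional platform, e.g. Win32
    (?P<family>[A-Za-z][A-Za-z0-9_-]*)               # family name (required)
    (?:\.(?P<group>[A-Za-z][A-Za-z0-9_-]*))?         # optional group (starts with a letter)
    (?:\.(?P<length>\d+))?                           # optional infective length (digits)
    \.(?P<variant>[A-Za-z]+)                         # variant letters (required)
    (?P<modifiers>(?:@[A-Za-z]+)+)?                  # optional modifiers such as @mm
    (?:!(?P<comment>[^!]+))?                         # optional comment after "!"
    $""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class CaroName:
    """The fields of one CARO-style detection name."""
    type: Optional[str]
    platform: Optional[str]
    family: str
    group: Optional[str]
    length: Optional[int]
    variant: str
    modifiers: Tuple[str, ...]   # e.g. ("mm",) for "@mm"
    comment: Optional[str]


def parse_caro(name: str) -> CaroName:
    """Parse a CARO-style name; raise ValueError if it does not fit the pattern."""
    m = _CARO_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a CARO-style name: {name!r}")
    mods = m.group("modifiers") or ""
    return CaroName(
        type=m.group("type"),
        platform=m.group("platform"),
        family=m.group("family"),
        group=m.group("group"),
        length=int(m.group("length")) if m.group("length") else None,
        variant=m.group("variant"),
        modifiers=tuple(mods.split("@")[1:]),   # "@mm" -> ("mm",), "" -> ()
        comment=m.group("comment"),
    )


def is_caro_name(name: str) -> bool:
    """True if the string parses as a CARO-style name."""
    return _CARO_RE.match(name.strip()) is not None


def variant_index(variant: str) -> int:
    """Ordinal of a variant string: A=1 ... Z=26, AA=27 (assumed convention)."""
    n = 0
    for ch in variant.upper():
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def describe(name: str) -> str:
    """Render a parsed name as a short description, in the style of the post's prose."""
    c = parse_caro(name)
    bits = [
        f"{c.type or 'unspecified type'} for {c.platform or 'any platform'}",
        f"family {c.family}",
        f"variant {c.variant} (#{variant_index(c.variant)})",
    ]
    if c.group:
        bits.append(f"group {c.group}")
    if c.length is not None:
        bits.append(f"infective length {c.length}")
    if c.modifiers:
        bits.append("modifiers " + ", ".join(c.modifiers))
    if c.comment:
        bits.append(f"comment {c.comment}")
    return "; ".join(bits)


if __name__ == "__main__":
    # The post's example plus two constructed names exercising the optional fields.
    for sample in ("Worm:Win32/Taterf.K!dll",
                   "Virus://W32/Sampleware.1234.A@mm",
                   "Sampleware.gen.B"):
        print(f"{sample:36} -> {describe(sample)}")
```

Because vendors deviate from the scheme in different ways, treat a parse failure as "this vendor's name needs its own rule" rather than as a malformed detection; the post's own example already needs the relaxed `:` separator.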