4.1 Malware types and classifications

Malware poses a significant threat to computer systems and networks. Understanding its various types and classifications is crucial for effective network security and forensics. This knowledge helps professionals detect, prevent, and respond to malicious software incidents.

Malware can infect systems through various methods, including email attachments, compromised websites, and infected removable media. Each type of malware, from viruses and worms to ransomware and rootkits, has unique characteristics and behaviors that security experts must be familiar with to protect against them.

Types of malware

• Malware, short for malicious software, refers to any program or code designed to harm computer systems or networks
• Malware can infect systems through various methods and exhibit a wide range of malicious behaviors
• Understanding the different types of malware is crucial for effective detection, prevention, and incident response in network security and forensics

Viruses vs worms

Top images from around the web for Viruses vs worms

• 

  Ransomware View original

  Is this image relevant?

• 

  CS406: The Security Risks of Viruses, Worms, and Trojan Horses | Saylor Academy View original

  Is this image relevant?

• 

  Frontiers | Handling User-Oriented Cyber-Attacks: STRIM, a User-Based Security Training Model View original

  Is this image relevant?

• 

  Ransomware View original

  Is this image relevant?

• 

  CS406: The Security Risks of Viruses, Worms, and Trojan Horses | Saylor Academy View original

  Is this image relevant?

1 of 3

Top images from around the web for Viruses vs worms

• 

  Ransomware View original

  Is this image relevant?

• 

  CS406: The Security Risks of Viruses, Worms, and Trojan Horses | Saylor Academy View original

  Is this image relevant?

• 

  Frontiers | Handling User-Oriented Cyber-Attacks: STRIM, a User-Based Security Training Model View original

  Is this image relevant?

• 

  Ransomware View original

  Is this image relevant?

• 

  CS406: The Security Risks of Viruses, Worms, and Trojan Horses | Saylor Academy View original

  Is this image relevant?

1 of 3

• Viruses attach themselves to legitimate programs or files and spread when the infected host file is executed or shared
  • Viruses require human interaction (running an infected program) to replicate and spread
  • Common types of viruses include file infectors, boot sector viruses, and macro viruses (spread through Microsoft Office documents)
• Worms are standalone malware that can replicate and spread independently without human interaction or host programs
  • Worms exploit vulnerabilities in operating systems or applications to propagate across networks
  • Notable examples include the Morris worm (one of the first Internet worms) and the WannaCry ransomware worm

Trojans and backdoors

• Trojans masquerade as legitimate software but contain hidden malicious functionality
  • Users are tricked into installing Trojans through social engineering or disguised as benign files (games, utilities)
  • Once activated, Trojans can perform various malicious actions such as data theft, system damage, or creating backdoors
• Backdoors are hidden access points that allow attackers to bypass normal authentication and gain unauthorized access to systems
  • Backdoors can be installed by Trojans, other malware, or planted by attackers who have compromised a system
  • Remote Access Trojans (RATs) are a common type of backdoor malware used for spying and remote control

Ransomware and cryptoware

• Ransomware encrypts files on infected systems and demands payment (usually in cryptocurrency) for the decryption key
  • Ransomware attacks can target individuals, businesses, and even critical infrastructure, causing significant financial and operational damage
  • Examples include CryptoLocker, Petya, and WannaCry, which have caused widespread disruption and losses
• Cryptoware, a subset of ransomware, specifically focuses on encrypting files and holding them for ransom
  • Cryptoware often uses strong encryption algorithms (AES, RSA) to make decryption nearly impossible without the attacker's key
  • Some cryptoware variants also steal data before encryption for additional extortion leverage

Adware and spyware

• Adware displays unwanted advertisements on infected systems, often as pop-ups or injected into web pages
  • Adware can be bundled with free software or installed through drive-by downloads
  • While not always malicious, adware can be annoying, impact system performance, and lead to further malware infections
• Spyware collects information about user activities (keystrokes, browsing habits, credentials) without consent
  • Spyware can be used for targeted surveillance, identity theft, or sold to third parties for marketing or other nefarious purposes
  • Examples include keyloggers, screen scrapers, and tracking cookies

Rootkits and bootkits

• Rootkits are stealthy malware that hide their presence and provide privileged access to infected systems
  • Rootkits can modify operating system files, drivers, or firmware to evade detection and maintain persistence
  • Kernel-mode rootkits operate at the lowest level of the OS, making them difficult to detect and remove
• Bootkits are a type of rootkit that infects the master boot record (MBR) or unified extensible firmware interface (UEFI)
  • Bootkits load before the operating system and can bypass security measures and maintain control over the system
  • Examples include TDL4 (a kernel-mode bootkit) and Nemesis (a UEFI bootkit)

Hybrid and advanced malware

• Hybrid malware combines characteristics of multiple malware types to increase effectiveness and evasion
  • For example, a Trojan that downloads a worm component for self-propagation and a ransomware payload for monetization
  • Hybrid malware can adapt to different environments and objectives, making them more challenging to detect and defend against
• Advanced malware employs sophisticated techniques to hide, persist, and achieve its goals
  • Advanced malware may use polymorphic or metamorphic code to change its signature and evade detection
  • Fileless malware resides only in memory and leverages legitimate system tools (PowerShell, WMI) to avoid leaving traces on disk
  • Advanced persistent threats (APTs) are targeted, stealthy, and long-term campaigns often orchestrated by nation-states or organized crime groups

Malware infection vectors

• Malware infection vectors are the methods and pathways through which malware spreads and compromises systems
• Understanding common infection vectors is essential for implementing effective preventive measures and educating users
• In network security and forensics, identifying the initial infection vector can help trace the origin and scope of a malware incident

Email attachments and links

• Email is a common delivery method for malware, exploiting user trust and curiosity
  • Malicious attachments (documents, archives, executables) can contain malware that activates when opened
  • Phishing emails trick users into clicking on malicious links that lead to drive-by downloads or fake login pages
• Attackers often use social engineering techniques to make emails appear legitimate and entice users to open attachments or click links
  • Spoofing sender addresses, crafting urgent or authoritative subject lines, and personalizing content based on recipient research
  • Spear-phishing targets specific individuals or organizations with tailored messages and insider information for higher success rates

Compromised websites and drive-by downloads

• Attackers can compromise legitimate websites to host malware or redirect visitors to malicious sites
  • Exploiting web application vulnerabilities (SQL injection, cross-site scripting) to inject malicious code
  • Planting malicious ads (malvertising) on popular websites to reach a wide audience
• Drive-by downloads automatically download and execute malware when users visit infected websites, without requiring interaction
  • Exploiting browser or plugin vulnerabilities (Java, Flash) to silently install malware
  • Using obfuscated JavaScript or iframes to hide malicious code and evade detection

Infected removable media

• Removable media (USB drives, SD cards) can carry malware and infect systems when connected
  • Attackers can plant infected USB drives in public places (parking lots, coffee shops) to tempt users into plugging them in
  • Malware can automatically run from removable media using autorun features or disguised as legitimate files
• Infected removable media can bypass network-based security controls and introduce malware to air-gapped systems
  • Stuxnet, a sophisticated cyber-weapon, initially spread through infected USB drives to reach its target
  • Rubber Ducky, a programmable USB keystroke injection tool, can quickly deliver malicious payloads when inserted

Malicious apps and software updates

• Mobile devices and software repositories can be sources of malware infection
  • Malicious apps masquerading as legitimate software can be distributed through official app stores or third-party marketplaces
  • Fake app updates or pirated software can bundle malware alongside the expected functionality
• Software supply chain attacks can introduce malware through compromised updates or dependencies
  • Attackers can infiltrate software development pipelines to plant malware in official software releases
  • Compromised open-source libraries or plugins can propagate malware to downstream applications

Social engineering tactics

• Social engineering manipulates users into inadvertently installing malware or divulging sensitive information
  • Phishing, as mentioned earlier, is a common social engineering tactic for delivering malware via email
  • Watering hole attacks compromise websites frequented by a specific target group to infect visitors with malware
• Pretexting involves creating a fabricated scenario to trick users into performing actions or sharing information
  • Impersonating IT support and requesting users to install "security software" that is actually malware
  • Baiting with enticing offers (free gifts, exclusive content) that require downloading a malicious file or visiting a compromised site

Malware payloads and behaviors

• Malware payloads are the malicious actions or behaviors that malware exhibits once it has infected a system
• Malware can have multiple payloads and adapt its behavior based on the environment or attacker objectives
• Understanding common malware payloads and behaviors is crucial for detecting, analyzing, and responding to malware incidents in network security and forensics

Data theft and exfiltration

• Many malware variants aim to steal sensitive data from infected systems and exfiltrate it back to the attacker
  • Keyloggers capture user keystrokes to steal credentials, financial information, or other sensitive input
  • Screen scrapers take periodic screenshots to capture displayed information and user activities
  • Network sniffers intercept and capture unencrypted data transmitted over the network
• Data exfiltration techniques can vary in stealth and volume
  • Malware may encrypt and compress data before exfiltration to evade detection and minimize transfer size
  • Data can be exfiltrated in small chunks over an extended period to avoid triggering network anomaly detection
  • Malware may use common protocols (HTTP, DNS, ICMP) or hide data within benign traffic to blend in with normal network activities

System corruption and destruction

• Destructive malware aims to damage or disable infected systems, causing operational disruption and financial losses
  • Disk wipers overwrite critical files or entire disk partitions with random or garbage data, rendering systems unbootable
  • Firmware corruptors modify device firmware (BIOS, UEFI) to cause persistent hardware damage or brick devices
• Logic bombs are malicious code snippets that trigger destructive actions based on specific conditions or events
  • Time bombs activate on a predetermined date or after a certain duration, delaying the visible impact
  • Logic bombs can be triggered by external events (news headlines, stock prices) for added unpredictability

Resource hijacking for botnets

• Botnets are networks of compromised devices (bots) controlled by an attacker (botmaster) for various malicious purposes
  • Malware can infect devices and recruit them into botnets without the owner's knowledge or consent
  • Botnets can be used for distributed denial-of-service (DDoS) attacks, spamming, cryptocurrency mining, or hosting illegal content
• Malware may hijack system resources to perform computationally intensive tasks for the botnet
  • Cryptocurrency mining malware uses infected devices' CPU/GPU power to mine digital currencies for the attacker's benefit
  • Proxy botnets turn infected devices into relay nodes to hide the true origin of malicious traffic or evade geo-restrictions

Persistence mechanisms

• Malware employs various techniques to maintain a persistent presence on infected systems, even after reboots or removal attempts
  • Modifying system registry keys or startup folders to automatically launch malware upon system startup
  • Installing rootkits or bootkits to deeply embed malware into the operating system or boot process
  • Hijacking legitimate system binaries or DLLs through process injection or side-loading to disguise malware execution
• Fileless malware resides only in memory and uses native system tools (PowerShell, WMI) to persist and execute malicious actions
  • Fileless techniques leave minimal traces on disk, making traditional file-based detection ineffective
  • "Living off the land" tactics abuse legitimate admin tools and scripts to blend in with normal system activities

Evasion and anti-analysis techniques

• Malware creators employ various techniques to evade detection by security software and hinder analysis efforts
  • Obfuscation methods (encryption, packing) hide malware code and make reverse engineering more difficult
  • Anti-debugging tricks detect or interfere with debuggers and analysis tools, preventing runtime inspection
  • VM and sandbox detection avoids executing malware in controlled analysis environments by checking for artifacts
• Polymorphic and metamorphic malware can change its code structure or behavior with each infection to evade signature-based detection
  • Polymorphic malware uses encryption and decryption routines to mutate its appearance while preserving functionality
  • Metamorphic malware completely rewrites its code with each iteration, making it extremely difficult to identify and analyze

Command and control communication

• Most malware variants establish communication channels with attacker-controlled command and control (C2) servers
  • C2 communication allows attackers to remotely control infected systems, update malware configuration, or exfiltrate stolen data
  • Centralized C2 architectures use a single or a few fixed servers, providing a single point of failure but easier management
  • Decentralized or peer-to-peer (P2P) C2 architectures use infected devices as both clients and servers, making takedowns more difficult
• Malware may use various protocols and techniques to establish and disguise C2 communication
  • Standard web protocols (HTTP/HTTPS) are commonly used for C2, blending in with normal web traffic
  • Domain generation algorithms (DGAs) dynamically create and rotate C2 domain names to evade IP/domain-based blocking
  • Steganography can hide C2 messages within innocuous images, audio files, or network protocols to avoid detection

Malware analysis and detection

• Malware analysis involves examining and understanding the behavior, functionality, and indicators of malicious code
• Effective malware detection relies on a combination of static and dynamic analysis techniques, as well as signature-based and behavioral approaches
• In network security and forensics, malware analysis and detection are critical for identifying threats, developing defenses, and investigating incidents

Static vs dynamic analysis

• Static analysis examines malware code and structure without executing it
  • Reviewing source code (if available) or disassembled instructions to understand malware logic and functionality
  • Analyzing file properties, metadata, and embedded strings for indicators of compromise (IOCs) or attacker clues
  • Using tools like disassemblers, decompilers, and hex editors to inspect malware internals
• Dynamic analysis observes malware behavior during execution in a controlled environment
  • Running malware in isolated sandbox environments (physical or virtual) to monitor its actions and impact
  • Capturing network traffic, system calls, registry changes, and file modifications for behavioral analysis
  • Using debuggers, API hooking, and instrumentation to trace malware execution flow and data flow

Signature-based detection

• Signature-based detection identifies malware by matching known patterns or indicators
  • File hashes (MD5, SHA-1) uniquely identify malware samples and can be used for quick lookups in threat databases
  • Byte sequences or string patterns in malware code can serve as signatures for detection by antivirus software
• Signature-based detection is effective for known malware but struggles with novel or polymorphic variants
  • Malware creators can modify code to evade signature detection while preserving functionality
  • Signature databases need frequent updates to keep up with the rapidly evolving threat landscape

Heuristic and behavioral analysis

• Heuristic analysis uses rules and algorithms to identify malware based on suspicious characteristics or anomalies
  • Static heuristics analyze code structure, entropy, or metadata for signs of packing, obfuscation, or other malware traits
  • Dynamic heuristics monitor runtime behavior for suspicious activities like API calls, network connections, or file modifications
• Behavioral analysis focuses on identifying malware based on its actions and impact rather than specific code patterns
  • Baselining normal system behavior and detecting deviations or anomalies that may indicate malware activity
  • Using machine learning models trained on malware and benign samples to classify and detect new threats

Memory forensics for malware

• Memory forensics analyzes the contents of system memory (RAM) to identify and investigate malware infections
  • Capturing memory dumps from infected systems to preserve volatile evidence and malware artifacts
  • Analyzing process memory, kernel structures, and network connections for signs of malware or suspicious activities
  • Extracting encryption keys, command and control information, or unpacked malware code from memory
• Memory forensics is particularly useful for detecting fileless malware and other threats that leave minimal traces on disk
  • Identifying injected code, hooked functions, or hidden processes that may not be visible through traditional disk forensics
  • Reconstructing malware execution timelines and extracting valuable IOCs for further analysis and threat hunting

Reverse engineering of samples

• Reverse engineering involves deconstructing compiled malware code to understand its inner workings and functionality
  • Disassembling executable code into assembly instructions for low-level analysis and debugging
  • Decompiling binary code into high-level source code (C, C++) for easier comprehension and modification
  • Identifying and analyzing key malware components, such as encryption routines, C2 communication, or persistence mechanisms
• Reverse engineering requires specialized skills and tools but provides deep insights into malware behavior and origins
  • Interactive disassemblers (IDA Pro) and debuggers (OllyDbg, WinDbg) are commonly used for manual reverse engineering
  • Automated decompilers (Hex-Rays, Ghidra) can help accelerate the process but may produce imperfect or obfuscated code

Automated malware analysis systems

• Automated malware analysis systems streamline the process of analyzing large volumes of malware samples
  • Sandboxing solutions (Cuckoo Sandbox, Joe Sandbox) automatically execute malware in isolated environments and generate behavior reports
  • Static analysis platforms (VirusTotal, Intezer) scan malware files against multiple antivirus engines and provide aggregated detection results
  • Dynamic analysis tools (Procmon, Wireshark) capture and visualize system and network activities for rapid behavior profiling
• Automated analysis systems enable faster triage,