Security Threats - Learning Module

Loading content...

0/227

Malware Types

The Malicious Software Ecosystem

Malware—malicious software—is the primary technical mechanism through which security threats materialize in computing systems. Understanding malware taxonomy is essential for security professionals because different malware types require different detection strategies, response procedures, and preventive controls.

The malware landscape has evolved from simple curiosity-driven viruses to sophisticated, profit-driven criminal enterprises. Modern malware often combines multiple techniques, blurring traditional category boundaries. Nevertheless, understanding the fundamental types provides the conceptual foundation for analyzing any malicious software encounter.

What You Will Learn

By the end of this page, you will understand the complete taxonomy of malware types, including viruses, worms, trojans, ransomware, rootkits, spyware, and advanced persistent threat tooling. You'll learn how each type operates, propagates, and persists—knowledge essential for both detection and defense.

Malware Classification Fundamentals

Before examining specific types, we need to understand the dimensions along which malware is classified. Any piece of malware can be characterized by multiple attributes:

Primary classification dimensions:

Malware Classification Dimensions
Dimension	Question Answered	Examples
Propagation Method	How does it spread?	Self-replicating (worm), requires host (virus), manual installation (trojan)
Payload	What does it do once installed?	Data theft, destruction, encryption, surveillance, resource hijacking
Persistence Mechanism	How does it survive reboots?	Registry entries, startup folders, bootkit, fileless techniques
Privilege Level	At what level does it operate?	User-mode, kernel-mode, firmware/BIOS-level
Stealth Technique	How does it avoid detection?	Encryption, polymorphism, metamorphism, rootkit techniques
Target Platform	What systems does it affect?	Windows, Linux, macOS, mobile, IoT, cross-platform

The Blended Threat Reality:

Modern malware typically combines characteristics from multiple categories. Ransomware, for example, might initially spread like a worm (self-propagating), install itself like a trojan (masquerading as legitimate software), employ rootkit techniques for stealth, and deliver a destructive encryption payload.

The traditional categories we'll examine should be understood as building blocks—describing capabilities that are often combined in real-world threats. Understanding each building block helps you analyze complex, blended threats.

Naming Conventions

Malware naming is inconsistent across vendors. The same malware may be called 'Emotet' by one company, 'Geodo' by another, and 'Heodo' by a third. When researching specific malware, use identifiers like SHA-256 hashes rather than names for precision. Organizations like MITRE try to standardize naming, but the industry lacks universal conventions.

Viruses: The Original Malware

A computer virus is malicious code that attaches itself to a legitimate host program and requires that host to execute in order to run. Like biological viruses that need host cells to reproduce, computer viruses cannot run independently—they parasitize legitimate software.

Defining characteristics of viruses:

Requires a host — Must attach to executable code (programs, scripts, documents with macros, boot sectors)
Requires user action — Someone must execute the infected host for the virus to activate
Self-replicating — Once active, it seeks new hosts within the system to infect
Payload delivery — Besides replication, viruses typically carry additional malicious functionality

Virus Types by Infection Target
Virus Type	Infection Target	Mechanism	Historical Example
File Infectors	Executable files (.exe, .com, .dll)	Prepends, appends, or inserts code into executable binaries	CIH (Chernobyl), Sality
Macro Viruses	Documents with macro support (Word, Excel)	Embeds in document macros; executes when document opens	Melissa, Concept
Boot Sector Viruses	Master Boot Record or Volume Boot Record	Loads before OS; extremely persistent and stealthy	Brain, Stoned, MBR threats
Script Viruses	Script files (VBS, JavaScript, PowerShell)	Infects scripts that are executed by interpreters	ILOVEYOU, Anna Kournikova
Multipartite Viruses	Multiple targets simultaneously	Combines file and boot infection for resilience	Tequila, Invader

Virus Lifecycle:

Infection — The virus attaches to a host (executable, document, boot sector)
Dormancy — The infected host waits for execution (may be immediate or delayed)
Triggering — User executes the host; virus code activates
Replication — Virus seeks new hosts on the system and infects them
Payload execution — Virus performs its malicious purpose (data destruction, information theft, etc.)

The Importance of User Action:

Viruses are fundamentally limited by their dependency on user execution. A virus in an email attachment does nothing until someone opens it. This makes user education a powerful defense—trained users who don't execute suspicious files significantly reduce virus risk.

Why 'Virus' Is Often Misused

In popular usage, 'virus' has become a generic term for all malware—leading to confusion. Technically, viruses are only one malware category defined by their host-dependent, user-triggered replication. Worms spread automatically; trojans masquerade without replicating. Precision matters when discussing threats because each type requires different defenses.

Worms: Self-Propagating Threats

A worm is self-replicating malware that spreads across networks without requiring a host program or user interaction. Unlike viruses that wait for users to execute infected files, worms actively exploit vulnerabilities or abuse network services to propagate automatically.

Key distinctions from viruses:

Virus Characteristics

•Requires host program to attach to
•Needs user action to execute
•Spreads locally within one system
•Replication speed limited by user behavior
•Detection through file scanning

Worm Characteristics

•Standalone; no host program required
•Spreads automatically without user
•Propagates across networks
•Can spread exponentially in minutes
•Detection through network monitoring

Worm Propagation Mechanisms:

Worms exploit various channels to spread:

Network vulnerabilities — Exploiting unpatched services (SQL Slammer exploited SQL Server, WannaCry exploited SMB)
Email — Self-mailing worms use address books to spread (Mydoom, Storm)
Removable media — USB worms spread when media is connected (Conficker, Stuxnet)
Instant messaging — Spreading through chat platforms with malicious links
File sharing — Placing copies in shared directories and P2P networks

The Exponential Danger:

Worms can spread exponentially because each infected system becomes an active infection vector. The Code Red worm infected 359,000 computers in under 14 hours. The Slammer worm infected 75,000 systems in 10 minutes, doubling infected hosts every 8.5 seconds at its peak. This speed makes worms devastating—they can saturate networks faster than humans can respond.

Notable Worm Outbreaks
Worm	Year	Propagation Method	Impact
Morris Worm	1988	Unix remote exploits	First major internet worm; 6,000+ systems; estimated $10M+ damage
Code Red	2001	IIS buffer overflow	359,000 servers in 14 hours; defaced websites; DDoS attack
SQL Slammer	2003	SQL Server UDP overflow	75,000 systems in 10 minutes; internet-wide slowdown
Conficker	2008	Windows MS08-067 + USB	10-15 million systems; largest known botnet of its time
Stuxnet	2010	USB + network + zero-days	Targeted Iranian nuclear facilities; first known cyber weapon
WannaCry	2017	EternalBlue SMB exploit	230,000 systems in 150 countries; hospital disruptions; $4B+ damage

The Patching Imperative

Every major worm outbreak exploited known vulnerabilities with available patches. WannaCry exploited MS17-010, patched two months before the outbreak. Organizations that applied patches were immune. Worms don't exploit zero-days—they exploit failure to patch known vulnerabilities. Timely patching is the primary worm defense.

Trojans: Deceptive Malware

A Trojan horse (or simply 'Trojan') is malware that disguises itself as legitimate software to trick users into installing it. Named after the Greek mythology of the wooden horse used to infiltrate Troy, trojans rely on deception rather than exploitation or self-replication.

Defining characteristics:

Deception-based — Appears to be legitimate, useful, or desirable software
No self-replication — Unlike viruses and worms, trojans don't copy themselves
User-installed — The victim voluntarily installs the malware (under false pretenses)
Payload-focused — The primary purpose is delivering malicious functionality

Trojan Categories by Payload
Trojan Type	Primary Purpose	Operation Method	Examples
Remote Access Trojan (RAT)	Provide attacker remote control	Opens backdoor; allows remote command execution	DarkComet, njRAT, Poison Ivy
Banking Trojan	Steal financial credentials	Injects into browsers; captures banking sessions	Zeus, Emotet, TrickBot
Downloader	Fetch and install other malware	Minimal initial footprint; downloads payloads on demand	Many RATs, Smoke Loader
Dropper	Deploy malware already contained within	Extracts and executes embedded payloads	Used for modular malware delivery
Infostealer	Harvest credentials and sensitive data	Searches for stored passwords, cookies, keys	RedLine, Raccoon, Vidar
Proxy Trojan	Route attacker traffic through victim	Turns infected system into anonymization proxy	Used for C2 obfuscation

Distribution Vectors:

Trojans reach victims through various deceptive channels:

Fake software — Pirated applications, cracked games, 'free' premium tools
Malicious attachments — Email attachments disguised as invoices, shipping notices, job applications
Compromised downloads — Legitimate software sites hacked to serve trojanized versions
Malvertising — Malicious advertisements on legitimate websites
Social media — Fake profiles sharing malicious links and downloads
Tech support scams — Convincing victims to install 'support software'

The Social Engineering Core:

Trojans fundamentally exploit human psychology rather than technical vulnerabilities. The attack succeeds when users believe the malware is legitimate. This makes user awareness crucial—technical controls can filter known malicious software, but a convincing enough disguise can bypass technical defenses entirely.

Legitimate Software as Trojan Delivery

Sophisticated attackers increasingly trojanize legitimate software through supply chain attacks. Rather than creating fake software, they compromise genuine software build processes. The SolarWinds attack (2020) injected malicious code into legitimate IT management software used by 18,000+ organizations. Victims installed trusted software that contained hidden malicious functionality—the ultimate trojan.

Ransomware: Extortion Malware

Ransomware is malware that denies victims access to their data or systems until a ransom is paid. It represents the industrialization of cybercrime—a business model where technical capability directly converts to revenue. Ransomware has evolved from nuisance attacks into existential threats to organizations.

Ransomware operational models:

Ransomware Types and Methods
Type	Mechanism	Recovery Challenge	Technical Approach
Crypto Ransomware	Encrypts files with strong cryptography	Decryption requires key held by attacker	AES file encryption + RSA key encryption; keys stored on C2 servers
Locker Ransomware	Locks user out of system interface	System inaccessible but data intact	Disables input, blocks desktop access; technically easier to recover
Leakware/Doxware	Threatens to publish stolen data	Data already exfiltrated; encryption optional	Double extortion: encrypt + threaten publication
Wiper (disguised)	Destroys data while appearing as ransomware	Recovery impossible; destruction is goal	NotPetya destroyed data while displaying ransom demands

The Ransomware Economy:

Ransomware has evolved into a sophisticated criminal ecosystem:

Ransomware-as-a-Service (RaaS) — Developers create ransomware and license it to affiliates who conduct attacks, splitting proceeds (typically 70-80% to affiliates)
Initial Access Brokers (IABs) — Specialists who compromise organizations and sell access to ransomware operators
Negotiation services — Professional negotiators who handle victim communication
Cryptocurrency laundering — Services that clean ransom payments through mixing and chain-hopping

Modern Attack Pattern:

Initial Access — Phishing, exploited VPN, or purchased from IAB
Reconnaissance — Map network, identify valuable data, locate backups
Lateral Movement — Spread through network using stolen credentials
Data Exfiltration — Copy sensitive data for double extortion leverage
Backup Destruction — Delete or encrypt backups to prevent recovery
Ransomware Deployment — Encrypt systems across the organization simultaneously
Extortion — Demand payment; threaten data publication if refused

The Double Extortion Threat

Modern ransomware groups steal data before encryption, creating double extortion: pay to decrypt AND pay to prevent publication. This defeats traditional backup-based recovery—even with perfect backups, stolen data remains with attackers. Organizations must now treat ransomware as data breach + availability attack. The 2023 MOVEit breach demonstrated mass data exfiltration affecting thousands of organizations.

Major Ransomware Families

•LockBit — Currently dominant RaaS operation; fast encryption; affiliates earn 75-80% of ransoms; targeted Colonial Pipeline (via affiliate)
•BlackCat/ALPHV — Rust-based ransomware; cross-platform; highly customizable; sophisticated affiliate program
•Cl0p — Specializes in mass exploitation of enterprise software vulnerabilities (MOVEit, Accellion); data theft focused
•Conti — Former dominant group; disbanded after Ukraine war controversy; spawned multiple successor groups
•REvil/Sodinokibi — High-profile attacks (Kaseya, JBS Foods); disrupted by law enforcement; affiliates reformed under new names

Rootkits: Stealth and Persistence

A rootkit is malware designed to hide its presence (and the presence of other malware) from detection while maintaining persistent privileged access. The term originated from Unix 'root' (administrator) and 'kit' (software tools). Rootkits don't necessarily perform malicious actions themselves—they enable other malware to operate undetected.

Rootkit operating levels:

Rootkit Types by System Level
Type	Operating Level	Stealth Capability	Detection Difficulty
User-mode Rootkit	Application level; runs as process	Hooks API calls; filters file listings; hides processes	Moderate—kernel-level tools can detect
Kernel-mode Rootkit	Operating system kernel; ring 0	Modifies kernel structures; intercepts all system calls	High—requires specialized detection tools
Bootkit	Boot process; loads before OS	Infects MBR/VBR or UEFI; loads rootkit components during boot	Very High—runs before OS defenses load
Firmware Rootkit	BIOS/UEFI firmware	Persists in firmware; survives OS reinstallation and disk replacement	Extreme—requires firmware analysis
Hypervisor Rootkit	Below operating system; virtual machine layer	OS runs as VM under rootkit control; theoretically undetectable from within	Extreme—Blue Pill concept; mostly theoretical

Rootkit Techniques:

Hooking: Rootkits intercept system calls and API functions, filtering results before returning to calling programs:

A directory listing call returns all files except the rootkit's files
A process listing filters out the rootkit's processes
Network connection queries hide the rootkit's C2 connections

Direct Kernel Object Manipulation (DKOM): Kernel-mode rootkits modify kernel data structures directly:

Unlinking process entries from process lists (process becomes invisible)
Modifying kernel tables that map memory to files
Altering permission structures to grant hidden privileges

Persistence Mechanisms:

Registry modifications for user-mode persistence
Driver loading for kernel-mode persistence
MBR/VBR modification for boot-level persistence
UEFI variable manipulation for firmware persistence

The Firmware Frontier

Firmware rootkits represent the ultimate persistence. The Equation Group's firmware implants survived disk reformatting and OS reinstallation—they lived in hard drive firmware. The LoJax UEFI rootkit (2018) was the first in-the-wild UEFI rootkit discovered by security researchers. Firmware-level threats require hardware replacement or specialized firmware flashing for remediation.

Spyware and Stalkerware

Spyware is malware designed to collect information about a user or organization without consent. While all malware that exfiltrates data could be considered spyware, the term typically refers to software whose primary purpose is surveillance rather than immediate financial gain.

Spyware categories:

Spyware Classification
Category	Purpose	Typical Targets	Legal Status
Commercial Spyware	Government surveillance of targets	Journalists, activists, political figures, criminals	Legal for governments; heavily regulated in some jurisdictions
Stalkerware	Individual surveillance (partners, family)	Intimate partners, children, employees	Illegal in many contexts; marketed deceptively
Corporate Spyware	Industrial espionage	Competitors, trade secrets, strategic plans	Illegal; conducted by criminal actors or nation-states
Adware/Tracking	Commercial data collection	General population; advertising profiles	Legal gray area; privacy regulations evolving

Nation-State Spyware:

Government-grade spyware represents the most sophisticated surveillance capability:

Pegasus (NSO Group):

Zero-click exploitation of iOS and Android devices
Full device access: messages, calls, location, camera, microphone
Used by governments worldwide against journalists, activists, and opposition figures
Can exploit devices without any victim interaction

Predator (Cytrox/Intellexa):

Similar capabilities to Pegasus
One-click and zero-click exploitation
Deployed against journalists and civil society

FinFisher/FinSpy:

Sold to law enforcement and intelligence agencies
Desktop and mobile capabilities
Keylogging, screen capture, communication interception

Data Collection Capabilities:

Modern spyware can capture:

Encrypted message content (WhatsApp, Signal, Telegram—captured on device before/after encryption)
Live microphone and camera access
Real-time location tracking
Keystroke logging
Screenshot capture
Contact lists and call logs
Stored passwords and credentials
Application data from any installed app

The Stalkerware Epidemic

Stalkerware—spyware marketed for monitoring partners, children, or employees—enables domestic abuse, harassment, and illegal surveillance. Despite being illegal when used to monitor adults without consent, stalkerware remains readily available. Studies show stalkerware installation is a common precursor to domestic violence. Security professionals should be aware that detecting stalkerware may alert an abusive partner, potentially escalating danger—victim safety organizations have protocols for this scenario.

Botnets and Bots

A bot is malware that converts an infected system into a remotely controlled agent. When many bots are controlled by a single entity, they form a botnet—a distributed network of compromised systems that can be commanded collectively. Botnets represent force multiplication for attackers, enabling operations that would be impossible from a single system.

Botnet capabilities:

What Botnets Enable

•DDoS Attacks — Overwhelming targets with traffic from thousands or millions of sources; impossible to block without affecting legitimate users
•Spam Distribution — Sending billions of spam/phishing emails from distributed, clean-reputation IP addresses
•Credential Stuffing — Testing stolen credentials at scale across many services from distributed IPs
•Click Fraud — Generating fake ad clicks from real user devices, appearing legitimate
•Cryptomining — Mining cryptocurrency using victims' computing resources
•Proxy Networks — Routing attacker traffic through victim systems for anonymization
•Secondary Payload Delivery — Downloading and executing additional malware on demand

Botnet Architecture:

Centralized (Client-Server):

Bots connect to command-and-control (C2) servers to receive instructions
Simple to operate but vulnerable—taking down C2 servers kills the botnet
May use multiple C2 servers with fallback mechanisms

Decentralized (Peer-to-Peer):

Bots communicate with each other without central servers
Extremely resilient—no single point of failure
Commands propagate through the P2P network
Used by sophisticated botnets like Gameover Zeus and Necurs

Hybrid:

Combines centralized control with P2P resilience
P2P used for redundancy when C2 servers are unavailable
Most modern large botnets use hybrid approaches

Notable Botnets
Botnet	Peak Size	Primary Use	Status
Mirai	600,000+ IoT devices	DDoS attacks; record-breaking 1+ Tbps attacks	Source code released; variants still active
Necurs	6+ million systems	Spam; ransomware delivery	Disrupted by Microsoft-led operation (2020)
Emotet	1.5+ million systems	Malware delivery platform	Disrupted, resurrected, disrupted again
TrickBot	1+ million systems	Banking fraud; ransomware delivery	Disrupted but operators reformed under different projects
Qakbot	700,000+ systems	Banking trojan; access broker	Disrupted by FBI (2023); historically resilient

The IoT Botnet Threat

The Mirai botnet (2016) demonstrated the massive scale possible with IoT device compromise. By scanning for devices with default credentials, Mirai built armies of routers, cameras, and DVRs. The Dyn DDoS attack brought down Twitter, Netflix, Reddit, and major sites for hours. With billions of IoT devices deployed (many with poor security), IoT botnets remain a critical infrastructure threat.

Advanced Malware Techniques

Modern malware employs sophisticated techniques to evade detection, resist analysis, and maintain persistence. Understanding these techniques is essential for defenders because basic detection approaches fail against advanced threats.

Evasion and stealth techniques:

Advanced Malware Techniques
Technique	Description	Defense Challenge
Polymorphism	Malware changes its code signature each time it replicates	Signature-based detection fails; behavioral analysis required
Metamorphism	Malware completely rewrites its code while preserving functionality	Even behavioral signatures may vary; requires semantic analysis
Packing/Encryption	Malicious code is encrypted; decrypted only at runtime	Static analysis sees only decryptor; dynamic analysis needed
Fileless Malware	Resides only in memory; no files written to disk	Traditional antivirus ineffective; requires memory forensics
Living-off-the-Land (LOTL)	Uses legitimate system tools (PowerShell, WMI, etc.) for malicious purposes	Legitimate tool usage makes detection difficult
Sandbox Evasion	Detects analysis environments and alters behavior	Analysis shows benign behavior; malicious actions hidden
Anti-debugging	Detects debugger presence; terminates or alters execution	Reverse engineering becomes more difficult
Domain Generation Algorithms (DGA)	Generates random domain names for C2 communication	Blocking specific domains impossible; pattern detection needed

Fileless Malware Deep Dive:

Fileless malware represents a significant evolution in attack techniques:

Initial Execution — Often via macro-enabled documents, exploits, or malicious scripts
Memory-Only Operation — Malicious code exists only in RAM, never as files on disk
Registry Persistence — Commands stored in registry keys; executed on boot without file creation
Living-off-the-Land — Malicious logic executed through PowerShell, WMI, or other built-in tools

Why fileless is dangerous:

Traditional antivirus scans files on disk—no files means no detection
Forensic artifacts are minimal—investigation is difficult
Legitimate tool usage blends with normal administrator activity
Memory clears on reboot, removing evidence (unless persistence established)

Detection requires:

Behavioral analysis of process execution patterns
Memory scanning capabilities
Script block logging for PowerShell and similar engines
Anomaly detection for legitimate tool misuse

The Detection Arms Race

Malware development is an adversarial game. As defenders develop detection capabilities, attackers develop evasion techniques. Signature-based detection led to polymorphism. Sandboxes led to sandbox evasion. Behavioral analysis led to living-off-the-land. Modern defense requires layered approaches combining multiple detection methods—no single technique suffices against sophisticated threats.

Summary: The Malware Landscape

We've surveyed the major categories of malicious software, from classic viruses to modern fileless threats. This taxonomy provides the vocabulary for discussing specific threats and the conceptual foundation for understanding how malware operates.

Key Takeaways

•Viruses require hosts and user action; they attach to and spread through executable code, documents, or boot sectors.
•Worms are self-propagating; they spread automatically across networks by exploiting vulnerabilities—capable of global spread in minutes.
•Trojans rely on deception; they masquerade as legitimate software to trick users into installation, delivering various payloads (RATs, banking trojans, downloaders).
•Ransomware has industrialized into a criminal economy with RaaS, double extortion, and sophisticated operator/affiliate structures.
•Rootkits provide stealth and persistence at various system levels—from user-mode to firmware—enabling other malware to operate undetected.
•Spyware ranges from nation-state surveillance tools (Pegasus) to stalkerware enabling domestic abuse—all designed for covert data collection.
•Botnets enable force multiplication—distributed denial of service, spam, credential stuffing, and more—through armies of compromised systems.
•Advanced techniques like fileless malware, polymorphism, and living-off-the-land challenge traditional detection approaches, requiring behavioral and memory-based analysis.

What's Next:

With malware types understood, we'll examine Attack Vectors—the pathways through which malware and other threats reach their targets. Understanding how threats are delivered is essential for implementing effective preventive controls.

Page Complete

You now understand the complete taxonomy of malicious software. Each category—virus, worm, trojan, ransomware, rootkit, spyware, botnet—has distinct characteristics that inform both detection strategies and defensive controls. Modern threats often blend multiple categories, but understanding the fundamentals enables analysis of even the most sophisticated malware.