Malware Types and Classification
For all intents and purposes, malware and virus mean the same thing. There are many types of malware out there, which have many different purposes.
- Worm
Self-replicating malware that typically spreads over networks. It can carry a payload that damages the host computer or installs another piece of malware.
- Vulnerability Exploitation Tool
A tool used by adversaries to take advantage of a known vulnerability by injecting malicious code, payloads, encoders, no-op generators, etc. into otherwise normal-looking programs. More generally, software that is used for finding and exploiting vulnerabilities.
- Exploit Scanner
A piece of software that searches a target for vulnerabilities, e.g. a port scanner.
- Remote Access Tool (RAT)/Implant/Spyware
A piece of software that allows an adversary remote access to the victim's machine. Such a tool could be installed by a worm, by a phishing email, or by the attacker having physical access to the machine.
- Dropper/Loader
A dropper or loader is the software that puts the malware onto the target system and launches it. It is designed to install quietly and go unnoticed by the user. E.g. a RAT client with the capability to install programs on a remote machine.
- Trojan (Horse)
Software that, to the victim, looks perfectly safe and normal but actually carries malicious intent. Once the victim installs the trojan, their computer is infected with the malware it carries.
- Ransomware
This malware locks up some of the victim's sensitive information and holds it for ransom. It may threaten to erase the hard drive, delete the sensitive information, send it to others, blackmail the victim, etc. until the victim pays the attacker's ransom.
- Wiper
Malware that completely wipes the hard drive of the victim's machine. It could be delivered by a worm, trojan, dropper, etc.
- Backdoor/Web Shell
A background script running on the victim's machine that allows control or administration of the box. It typically also allows access to files on the victim's box.
- Scareware
Fake alerts telling the victim they have a virus, followed by a prompt to buy some (likely fake) malware/virus removal tool. This is generally used to obtain the victim's credit card information. Scareware can be deployed via a pop-up ad, email, or trojan.
- Adware
Software that displays ads to the user. The ads may run malicious code if clicked, prompting the user to download a trojan, or simply capture the user's email address for phishing attacks.
- Rootkit
A rootkit is malware that gives the attacker administrator (root) access to the victim's operating system, unbeknownst to the victim.
- Bootkit
Similar to a rootkit, but it can access the master boot record. This enables the bootkit to alter startup commands and infect other components of the computer (e.g. the hard drive or the motherboard BIOS).
- Bot/Botnet
A bot is a machine infected by malware that executes a specific task over and over again. Bots are often part of a botnet, a collection of bots working towards the same goal. A machine can become infected and turn into a bot via a trojan horse, a phishing email, visiting a malicious website, or having a bot physically installed on the machine.
- Denial of Service (DoS)
An active attempt to take down a victim's machine, conducted remotely by the attacker or carried out by a botnet. It overwhelms the victim's machine with requests until the machine shuts down and goes offline, becomes unusable, etc.
- Miner
A miner is a type of bot that uses the victim's machine to mine cryptocurrency for the attacker. This consumes resources on the victim's machine, slowing it down or perhaps taking it over completely.
- Potentially Unwanted Programs (PUP)/Browser "Helpers"/Shareware
Shareware is software generally provided for free, which users are encouraged to share. The shareware may contain a trojan, turning the user's computer into a bot, or infect the machine with some other kind of virus.
- FUD/Crypter
FUD malware is malware that is Fully UnDetectable. These typically include rootkits/bootkits, web shells, and perhaps worms. Crypters are used to make malware FUD, or at least to obfuscate it so the victim does not notice it.