The term malware is a contraction of malicious software. A simple definition is any piece of software written with the intent to damage computer assets, steal data, or conduct any other form of malicious activity within an environment. Malware is a general term covering many different types of malicious software, and modern-day malware often has characteristics that place it in several classes at once. The lines between the individual types continue to blur, and erroneous classification happens all the time within the industry.
We can still divide malware into some specific classifications. Doing so makes a sample easier to analyze, and once a strain has been identified, its class tells responders which containment processes apply, based on the malware's characteristics.
Virus
This is the most commonly used term for malicious software apart from malware itself. A virus is a self-replicating form of malicious code designed to propagate through an environment by infecting host files or other system areas on the victim machine. Some viruses are self-modifying (polymorphic), which makes them more complex and harder to find by signature once the environment is infected. Initiating a virus typically requires user interaction, for example opening an infected file delivered through social engineering.
Worm
A worm is similar to a virus in that it self-replicates through an environment, but the methodology is where the two diverge. Worms typically spread through a network without user interaction by exploiting vulnerabilities in the operating system or the network services it exposes. Each successful exploitation provides further access for propagation within the network environment: once a system is infected, it is used as a foothold for infecting whatever other infrastructure it can reach.
Trojan
A concept so old it might as well be ancient. Not to be mistaken for the illustrious SAIT collegiate sports teams, the Trojan horse style of malware masquerades as legitimate software while carrying malicious code that infects the system and performs a variety of nefarious tasks. Executing a Trojan may show legitimate program activity in the foreground while the malicious actions take place in the background. The impersonated programs come in many forms, such as drivers, system tools and utilities, vendor-issued tools and utilities, or a wide variety of other benign-looking programs.
RAT/Backdoor
The term RAT refers to a Remote Access Trojan (sometimes expanded as Remote Administration Tool), which is an elaborate name for a backdoor style of malware. Backdoor malware gives the attacker remote access to a compromised machine, often at administrative level, and from there it can capture user keystrokes, harvest sensitive information as it is entered and stored, and read any sensitive data that already resides on the file system.
Downloader/Launcher
This style of malware is designed to download additional payloads onto an infected system. It is typically one of the first binaries an attacker loads onto a system during the post-exploitation phase of an attack, so the downloader itself is usually small and simple while the payloads it fetches do the real work. Downloaders may be loaded directly into memory instead of being written to disk as a means of avoiding file-based detection.
Information Stealing
This malware conducts its malicious activities by stealing sensitive information such as login credentials, credit card data, or sensitive personally identifiable information. It sends this information back to an attacker-controlled server, and the haul may include login data for multiple services such as user web mail, banking, and corporate accounts. This is accomplished through memory scraping, reading local file data (for example saved browser credentials), and injecting redirects into login forms (web injects).
Adware
These binaries are not always inherently malicious, but they are often installed without user consent. Adware commonly collects information such as the user's browsing activity and customizes pop-ups to match the user's browsing habits. This type of software often consumes excessive host resources and may introduce vulnerabilities that were not present before the adware was installed.
Scareware
The only purpose of this malware is to scare the user into either paying a fine to "fix the issue" or downloading additional malware executables to "remove the threat" from their system. It presents itself through pop-ups or lock screens in order to capture the user's attention. Some variants degrade or lock the user's session, depending on how the malware executes on the machine.
Spam-Sending
Spam has become less of a threat in recent years, but spam-sending malware still poses problems for corporate and personal users alike. This malware is designed to send large amounts of unauthorized and unwanted email to unwilling recipients, often those in the user's address book. It is more of a nuisance than a direct threat, but the business impact is still high: the organization's mail servers and domains can end up on block lists, its reputation suffers, and it may ultimately lose clients or partners as a result of an outbreak.
Ransomware
Ransomware encrypts user files in order to hold them hostage until a ransom is paid to the attackers. It often targets known locations holding files that may be impossible to replace, such as important documents or photos. Once ransomware runs on a machine, a burst of rapid file creates and deletes is typically visible in the machine's file-activity logs as the files are encrypted and the originals removed; note that Windows does not record file creates and deletes by default, so this evidence only exists where object-access auditing or a tool such as Sysmon is enabled. If the user pays the ransom, the files are decrypted only if the attacker opts to follow through with their end of the transaction. The encryption uses standard strong ciphers, so the files cannot be decrypted without the attacker-held key, which has led to a spike in this type of malware across many industries and related organizations.
Rootkit
Rootkits are installed after the attacker has attained the highest level of access possible on a machine, typically root or SYSTEM level permissions. This allows the rootkit to persist beyond administrative-level remediation such as deleting malicious files, which means the only reliable way to eliminate one is to re-image the machine from a known-good image. Rootkits come in two commonly described styles, user-mode and kernel-mode. User-mode rootkits hook or replace user-space APIs, libraries and tools, so that when an administrator searches the file system for malicious binaries with those tools, the filtered results return no indication that a rootkit is installed. Similarly, a kernel-mode rootkit modifies kernel-level components (system call tables, driver dispatch routines, kernel data structures) to hide itself and survive eradication actions taken by administrators. A rootkit can carry out any nefarious activity the attacker intends, and while concealing that activity it may steal sensitive data, create system backdoors, or do anything else its author designed it to do.
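To make the user-mode hiding described above concrete, here is an added example that is not part of the original article. It simulates a user-mode rootkit by hooking Python's os.listdir to filter out entries with an assumed "rk_" prefix, then applies the cross-view technique used by rootkit detectors: enumerate the same directory through a second, unhooked code path and report whatever the hooked view omits. Everything here (the prefix, the file names, the temporary directory) is constructed for the demo. A real user-mode rootkit hooks native APIs such as the Windows file-enumeration functions or libc, and a kernel-mode rootkit can subvert both views, which is why a serious detector takes its lower view from raw on-disk structures or from a known-good offline boot.

```python
import os
import tempfile

# Assumption for this demo: the simulated rootkit hides any name beginning with "rk_".
HIDDEN_PREFIX = "rk_"

_real_listdir = os.listdir   # keep the genuine function so the hook can be removed


def hooked_listdir(path="."):
    """Simulated user-mode hook: same signature and behaviour as os.listdir,
    but entries belonging to the 'rootkit' are filtered out of the result."""
    return [n for n in _real_listdir(path) if not n.startswith(HIDDEN_PREFIX)]


def install_hook():
    """Replace the API in place, as a user-mode rootkit would patch a library."""
    os.listdir = hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def cross_view_diff(path):
    """Cross-view check: enumerate the same directory through two independent
    code paths and report entries present in one but not the other. Here the
    hooked ('high') view is os.listdir and the 'low' view is os.scandir, which
    this demo's hook does not touch; real detectors compare API output against
    raw file-system structures read from disk."""
    high_level = set(os.listdir(path))
    low_level = {entry.name for entry in os.scandir(path)}
    return sorted(low_level - high_level)


def demo():
    """Create a directory with one benign and two 'rootkit' files, install the
    hook, and return (what a hooked search sees, what the cross-view check recovers)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "rk_loader.dll", "rk_config.dat"):
            open(os.path.join(d, name), "w").close()
        install_hook()
        try:
            visible = sorted(os.listdir(d))    # the administrator's filtered view
            hidden = cross_view_diff(d)        # what the second code path exposes
        finally:
            remove_hook()                      # always unhook, even if the check raises
    return visible, hidden


if __name__ == "__main__":
    print(demo())   # (['notes.txt'], ['rk_config.dat', 'rk_loader.dll'])
```

The point of the demo is the shape of the check, not the hook: a search that only asks the possibly subverted API cannot tell an empty result from a filtered one, whereas any discrepancy between two enumeration paths is itself the indicator.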
PUA (Potentially Unwanted Application)
These binaries fall into a similar class as adware. They may not be inherently malicious, but they may consume excessive system resources for unauthorized purposes, conduct overly permissive tracking, congest the network with unimportant traffic, or even lead to further infection and compromise of a system.
Credit:
A.J