A ridiculously simple and short overview of malware types.
Date : 01/12/2013
Version: 0.1
By: Albert
Remarks: It's a ridiculously simple note on malware types, only usable if you just want to know some main characteristics in 5 minutes.
Usually, "malware" is a term for "malicious software" in general, so it covers just about anything
that would be described as "intentionally bad software".
So, the term malware should be used to collectively point to bootkits/rootkits, trojans, hijackers, spyware, viruses etc.
However, "malware" often displays a sort of "combined functionality": a thing that could be called a "Trojan" could install code
that resembles "spyware" or a "hijacker", or it might install code that replicates (like a "virus") etc.
So, if you would insist on a sharp definition of the different malware types: that most often does not work.
- Originally, a "virus" was understood to be code that replicates by (once in memory) infecting files with itself, or infecting
boot structures. These were the typical viruses of the 80s and 90s, and new code of this kind is found all the way up to today.
- A "Trojan" is a name for code that carries a sort of hidden payload. The Trojan might 'look' like known, trusted code, but it
might be stealthy as well.
- A "Dropper/Installer" is often a (smaller) Trojan that, once activated, tries to install/download other (often larger) malware from the network.
So, here we often have a "2 stage" process. The "advantage" of a "dropper" is that it may look rather harmless: it just wants to download something,
and in the process you might get fooled into thinking you just get a utility, or add-on, or video etc. The dropper might be stealthy, or it might not be stealthy
and may even display a web control with attractive text and figures.
- The term "Bot" is short for "robot" and usually refers to a process that automatically "crawls" published web content for central repository services,
like Search Engines.
Or it is code which automates certain tasks at certain sites (gaming etc.). In some cases, it might even communicate
with a user, just as if a real person were talking to you.
Apart from the "good" Bots, other Bots were created with a "nasty" attitude, and they may be involved in Denial of Service attacks,
or in stealing (or just gathering) all sorts of information etc.
- A "worm" is often understood to be code that tries to infect other nodes over the network. So, while an ordinary traditional "virus" might
replicate to executables on the same system, a main characteristic of a worm is that it explicitly uses a network for replication.
Then, it might display behaviour as shown in any bullet of this listing (like becoming a rootkit on a system).
Note:
Most amusing were some early experiments in the '80s and '90s. Communicating, similar worms were active on multiple nodes.
If you would kill the worm on "Node A", its brother on "Node B" would activate it again.
- A "bootkit" is code which might infect boot structures (e.g. MBR, VBR, EFI etc.), and/or, generally, patches or replaces
system files, so that it is able to perform its tasks using fundamental system services.
Often, it's associated with the boot of a system.
- A "rootkit" is often named in one sentence with a "bootkit". However, a "bootkit" should act as described above,
while a "rootkit" might be just a replacement of system files or commands, or it is code which is also able to use system services,
like in getting Administrative privilege, or patching/replacing system files etc.
But it's not specifically associated with the boot of a system.
- Additionally, some other types of malware exist, which are named according to their main objective. For example, a "trojan" might install
anything, like for example a browser "hijacker", which redirects your browser to questionable sites, or sites with a criminal intention.
Spyware is software usually understood to track and monitor your actions on the Web, or to track (and store and possibly send) other activity
you may perform on your workstation.
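Added example (not part of the original note), from the defender's side of the "bootkit" and "rootkit" bullets above: a small Python script that parses the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares a hash of the boot code against a baseline recorded from a known-good state. The sector bytes, the partition entry contents and the baseline are constructed inline for the example; in practice the 512 bytes would be read from the disk device.

```python
import hashlib
import struct

# Classic MBR layout: 446 bytes of boot code, four 16-byte partition entries, 2-byte signature 0x55AA.
BOOT_CODE_LEN = 446
PART_ENTRY_LEN = 16
PART_TABLE_OFF = BOOT_CODE_LEN
SECTOR_LEN = 512
BOOT_SIGNATURE = b"\x55\xAA"
# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count (little endian).
PART_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector for this example (not a real disk image): the given boot code,
    one bootable NTFS-type (0x07) partition starting at LBA 2048, three empty entries, the signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 409600)
    return code + entry + bytes(PART_ENTRY_LEN) * 3 + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return the SHA-256 of its boot code plus the non-empty partition entries."""
    if len(sector) != SECTOR_LEN:
        raise ValueError(f"MBR must be {SECTOR_LEN} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError(f"bad boot signature: {sector[510:512].hex()}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype == 0x00:  # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(sector: bytes, baseline_sha256: str) -> tuple:
    """Compare the boot code hash with a baseline recorded from a known-good state.
    A mismatch means the boot code changed: a bootkit, or a legitimate boot loader update; either way, investigate."""
    info = parse_mbr(sector)
    if info["boot_code_sha256"] != baseline_sha256:
        return False, "boot code differs from the recorded baseline"
    return True, "boot code matches the recorded baseline"


if __name__ == "__main__":
    good = build_sample_mbr(b"\xEB\x3C\x90" + b"known-good loader")
    baseline = parse_mbr(good)["boot_code_sha256"]  # record this once, from a trusted state
    tampered = build_sample_mbr(b"\xEB\x3C\x90" + b"patched loader")
    print(parse_mbr(good)["partitions"])
    print(check_against_baseline(good, baseline))
    print(check_against_baseline(tampered, baseline))
```

The same baseline idea (hash once from a trusted state, compare later) is what integrity checkers do for the system files a rootkit would replace; here only the boot code is hashed, so a change to the partition table alone would show up in the parsed entries rather than in the hash.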
⇒ Vulnerability and Exploit:
A "Vulnerability" is a found security leak (or hole) in an OS module, or program file, which may allow malware or a hacker
to gain access to your system. Vulnerabilities are discovered regularly, and are often described and categorized
under an international "CVE" (Common Vulnerabilities and Exposures) identifier.
Microsoft-related "security bugs" are filed under CVEs too, but they use their own characterization as well. They publish vulnerabilities using
"Bulletin Numbers", following the "MS[year]-[sequence number]" notation, like for example "MS13-099" (meaning Bulletin Number 099, in 2013).
The Bulletin then explains the details around this "Vulnerability". An associated "KB" (security) patch can be downloaded and applied to the system.
Those patches will be made available slightly later in "automatic downloads", and subsequently in the next Service Pack.
An "Exploit" is any sort of means, or action, that uses a "vulnerability" for accessing a computer system.
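Added example (not part of the original note) of the two identifier notations above: a Python parser that recognises "CVE-<year>-<sequence>" and "MS<yy>-<nnn>", normalises their spelling, and pulls them out of free text such as an advisory or a ticket. The century rule for the two-digit bulletin year and the identifier "CVE-2013-99999" are constructed assumptions for the example, not real identifiers from the note.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# CVE: "CVE-<year>-<sequence>", sequence of at least four digits (longer sequences are allowed since 2014).
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)
# Microsoft bulletin: "MS<yy>-<nnn>", e.g. MS13-099 = bulletin 99 of 2013.
MS_RE = re.compile(r"MS(\d{2})-(\d{3})", re.IGNORECASE)
# Either notation, for scanning free text.
ANY_ID_RE = re.compile(r"\b(?:CVE-\d{4}-\d{4,}|MS\d{2}-\d{3})\b", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class VulnId:
    year: int
    sequence: int
    scheme: str       # "CVE" or "MS"
    normalized: str   # canonical spelling, e.g. "MS13-099"


def parse_vuln_id(text: str) -> Optional[VulnId]:
    """Parse one identifier in either notation; return None if it is neither."""
    s = text.strip().upper()
    m = CVE_RE.fullmatch(s)
    if m:
        return VulnId(int(m.group(1)), int(m.group(2)), "CVE", f"CVE-{m.group(1)}-{m.group(2)}")
    m = MS_RE.fullmatch(s)
    if m:
        yy, seq = int(m.group(1)), int(m.group(2))
        # Assumption made for this example: two-digit years 98 and 99 belong to the 1990s, all others to the 2000s.
        year = 1900 + yy if yy >= 98 else 2000 + yy
        return VulnId(year, seq, "MS", f"MS{yy:02d}-{seq:03d}")
    return None


def extract_vuln_ids(text: str) -> List[VulnId]:
    """Find every CVE or MS bulletin identifier in free text (advisory, ticket, log line), deduplicated and sorted by year and sequence."""
    found = {parse_vuln_id(t) for t in ANY_ID_RE.findall(text)}
    found.discard(None)
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample text; CVE-2013-99999 is a placeholder, not a real identifier.
    print(extract_vuln_ids("Applied MS13-099 (see CVE-2013-99999); ms13-099 was re-issued later."))
```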
The above listing of malware types should mention the main categories; however, it is not complete.
-> To illustrate that, even an "Excel macro" might display (intentionally) nasty behaviour, but in general it would be difficult to put it in a "category"
as listed above.
-> Researchers often subdivide malware further, by investigating how it gets control, like in using a vulnerability in heap control,
or how it might get Admin rights, or which "stealth techniques" it uses, or if it uses some sort of encryption etc.
⇒ Other criminal activities:
Some criminals send mails around with malicious intentions. You probably know what "phishing" is.
Basically, it may use any form of communication, but most often email is used.
These mails contain links to false sites, but they have the appearance of trustworthy sites (like a Bank, or financial institute).
The aim is to steal passwords, codes, or any other sensitive information, or even to install malware for that purpose.
You are encouraged to do an extensive web search on "phishing" (fishing).
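Added example (not part of the original note), from the defender's side of the phishing description above: a Python check that looks at each link in an HTML mail and flags the classic signs of a link to a "false site": visible text that shows one host while the link goes to another, a target host that merely contains the trusted name without belonging to the trusted domain, and a raw IP address as target. The sample mail and the trusted domain "examplebank.example" are constructed for the example (reserved example/test names, not real sites).

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL (the reader expects to land on that host).
URL_LIKE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; a scheme is prepended if missing so urlparse finds the host."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_or_subdomain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_suspicious_links(html_body: str, trusted_domains) -> list:
    """Return one finding per anchor that shows a phishing sign, with the reasons for each."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        host = host_of(href)
        reasons = []
        if URL_LIKE.fullmatch(text) and host_of(text) != host:
            reasons.append(f"visible text shows {host_of(text)} but the link goes to {host}")
        if is_ip_literal(host):
            reasons.append("link target is a raw IP address")
        for domain in trusted_domains:
            brand = domain.split(".")[0]
            if brand in host and not same_or_subdomain(host, domain):
                reasons.append(f"host {host} imitates {domain} but is not part of it")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample mail body for this example; all names are reserved example/test/documentation values.
SAMPLE_MAIL = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank.example.secure-login.test/verify">https://www.examplebank.example/login</a>
<p>Or use our <a href="https://www.examplebank.example/help">help page</a>.</p>
<a href="http://192.0.2.10/update">Update now</a>
"""
TRUSTED_DOMAINS = ["examplebank.example"]

if __name__ == "__main__":
    for finding in flag_suspicious_links(SAMPLE_MAIL, TRUSTED_DOMAINS):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The legitimate help link passes because its host is a subdomain of the trusted domain; the first link trips two rules at once, which is the usual pattern for a "false site" that copies a bank's name into a hostname it does not own.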
But many other forms of "scams" exist, targeted at naive users (or desperate users) trying to earn money through the Web.
In such a case, the user receives some mail, telling the user about some "wonderful" method to earn money while
you yourself are sunbathing on the beach, or doing other recreational stuff.
As an example of such a practice, a mail tells the user about some "algorithm" that beats the random number generator of Casino sites.
All you need to do is install some software, and then the money will pour in automatically...
It's all "Bull" of course. However, the text and format are such that some naive users are willing to try...
It's guaranteed that those sorts of practices are 100% fraudulent.