Classes of Malware based on Behaviour

The standard technical classification of malware is based on the function that the code performs. The classification one most commonly comes across, however, is by malware family (CrowTi, Zeus etc.). The classes defined in this post are more general and are listed in order of precedence; as will become clear once they are defined, most malware in the wild belongs to several classes at once according to the functions it performs, and the main class is then assigned based on that hierarchy. Let’s look at the classes first. The different classes of malware are:

  • Infectors
  • Network Worms
  • Trojan Horse
  • Backdoors
  • Information Stealers
  • Ransomware


Infectors

Infectors are computer viruses that infect files in the local file system by attaching copies of themselves to those files. Usually the files that a particular infector virus attacks have a specific file extension. The most popular file infectors today are executable viruses, macro viruses and scripts.

Executable viruses target files that are executable. Their specific form depends on the platform and the version of the operating system: for example, the executable file format for Linux (ELF) is different from that of Windows (PE), and older versions of Windows NT have DOS viruses that do not work on later versions.

A macro is basically a set of instructions that performs a series of actions automatically, e.g. a series of mouse clicks and keystrokes that can be repeated over and over again without the user having to perform them manually. Macros are used a lot in word processing and spreadsheets to automate text formatting and number crunching. Macro viruses, then, are viruses written in an application-specific language, e.g. VBA for Windows Office. Scripts are similar to macros in the general sense: VBS (Visual Basic Script) is used to write viruses for Windows applications, while JavaScript is used to write browser-based or PDF (Portable Document Format) viruses.


Network Worms

A worm is malware that replicates itself to multiple systems across networks with little or no user intervention. Early worms depended on social engineering, while most advanced worms exploit vulnerabilities to infect other systems. Given that infectors spread only across files and physical media, the broader reach of malware is attributed to worms, since anyone connected to the network is a potential victim. Network worms are further classified based on their mode of propagation:

Mass Mailers: spread via email. They use social engineering to fool the user into downloading or opening the attachment, or clicking a link.

File-Sharing Worms: spread by fooling the user into downloading them from file-sharing websites or software. They are usually named as the latest cracks for paid software and the like, i.e. software that most users would download.

Instant Messaging & Internet Relay Chat Worms: both propagate by sending messages that contain links to download or instructions to execute, which lead the unaware client to install the malware on the system.

Internet Worms: propagate by scanning the Internet for machines running services, software or operating systems that contain known vulnerabilities. This is done by port scanning or banner grabbing.

Trojan Horse

A trojan horse is malware that disguises itself as a program with some other feature, a game or a tool etc., to hide in plain sight. A trojan’s main aim is the destruction of files. In some places the class Trojan is used to represent the classes of malware that are not viruses (non-self-replicating), while in other places it is used based on whether the malware executes a payload.

Backdoors

A backdoor is a program that allows an attacker to gain access to the compromised system while bypassing any authentication, through the use of undocumented OS functions and network functions. The access is usually in the form of a shell with root permissions, since this is relatively easy to mask among other processes, though GUI versions exist too (these are sometimes put into a different class called Remote Access Trojans). The objective is for the backdoor to remain available and undetected for as long as possible.

Information Stealers

Information stealers are malware that do exactly what their name suggests. The common ones are keyloggers, desktop recorders and memory scrapers. Keyloggers capture keystrokes and log them; note that hardware implementations of keyloggers exist too. To counter keyloggers, authentication methods such as the virtual keyboard were invented, and to counter those in turn, desktop recorders were designed, which take screenshots of the desktop at predefined intervals or in the presence of a trigger. Memory scrapers are programs that steal information while it is in memory (RAM, that is), since all information and data in memory is in its raw, unencrypted form.

Ransomware

Ransomware is malware that holds systems and files hostage until the user pays a ransom. This is accomplished by encrypting the files with an encryption method resistant to cryptanalytic attacks. The data is thus encrypted and the user locked out, without the key that the attacker holds.


Summary

Since malware that targets a particular system, or malware built to compromise as many systems as possible, need not belong to a single class, classification is done according to the hierarchy described above: a malware sample that is both ransomware and a worm is first classified as a worm. Though this is the default, most conversations about malware are held in terms of families, since the properties and vulnerabilities used by each family are the topic of most discussions.
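The hierarchical assignment described in this summary, written out as a small Python classifier. This is an added example, not code from the original post: the behaviour indicator names (e.g. "scans_for_vulnerable_hosts") and the sample report are constructed for illustration, and the mapping from indicator to class follows the descriptions in the sections above.

```python
"""Behaviour-based malware classification with a class hierarchy.

Added example (not the post's own code). Indicator names and the sample
report below are constructed; the class order is the one given in the post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Classes in order of precedence: a sample that matches several classes is
# assigned the first one in this list as its main class, so a sample that is
# both a worm and ransomware is classified as a Network Worm.
CLASS_HIERARCHY: List[str] = [
    "Infector",
    "Network Worm",
    "Trojan Horse",
    "Backdoor",
    "Information Stealer",
    "Ransomware",
]

# Observed behaviour indicator -> class it belongs to (constructed names).
INDICATORS: Dict[str, str] = {
    "attaches_to_executables": "Infector",
    "injects_office_macros": "Infector",
    "mails_copy_of_itself": "Network Worm",
    "drops_into_shared_folders": "Network Worm",
    "sends_im_links": "Network Worm",
    "scans_for_vulnerable_hosts": "Network Worm",
    "masquerades_as_legit_app": "Trojan Horse",
    "opens_listening_shell": "Backdoor",
    "logs_keystrokes": "Information Stealer",
    "captures_screenshots": "Information Stealer",
    "scrapes_process_memory": "Information Stealer",
    "encrypts_user_files": "Ransomware",
    "drops_ransom_note": "Ransomware",
}

# Worm sub-type by propagation mode, as the Network Worms section lists them.
WORM_MODES: Dict[str, str] = {
    "mails_copy_of_itself": "Mass Mailer",
    "drops_into_shared_folders": "File-Sharing Worm",
    "sends_im_links": "IM/IRC Worm",
    "scans_for_vulnerable_hosts": "Internet Worm",
}


@dataclass
class Classification:
    main_class: Optional[str]          # first matching class in the hierarchy
    all_classes: List[str]             # every matching class, hierarchy order
    worm_modes: List[str] = field(default_factory=list)
    unknown_indicators: List[str] = field(default_factory=list)


def classify(observed: List[str]) -> Classification:
    """Map a list of observed behaviour indicators to a Classification."""
    matched = set()
    modes: List[str] = []
    unknown: List[str] = []
    for indicator in observed:
        cls = INDICATORS.get(indicator)
        if cls is None:
            # Keep unknown indicators visible rather than silently dropping them.
            unknown.append(indicator)
            continue
        matched.add(cls)
        mode = WORM_MODES.get(indicator)
        if mode is not None and mode not in modes:
            modes.append(mode)
    # Order the matched classes by precedence; the first one is the main class.
    ordered = [c for c in CLASS_HIERARCHY if c in matched]
    main = ordered[0] if ordered else None
    return Classification(main, ordered, modes, unknown)


if __name__ == "__main__":
    # Constructed sample: encrypts files and also spreads by scanning.
    report = ["encrypts_user_files", "drops_ransom_note",
              "scans_for_vulnerable_hosts"]
    result = classify(report)
    print("main class:", result.main_class)       # Network Worm
    print("all classes:", result.all_classes)     # ['Network Worm', 'Ransomware']
    print("worm modes:", result.worm_modes)       # ['Internet Worm']
```

The main class comes purely from the position in CLASS_HIERARCHY, so the same sample reported with its indicators in a different order yields the same result; the full list of matched classes is kept alongside it, because for triage the secondary classes (here, that the worm also encrypts files) matter as much as the label.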
