The human mind likes to categorize things, and malware is no exception. At CSO, we’ve done our part: our Malware Explainer breaks down malware by how it spreads (self-spreading worms, viruses that piggyback on other code or slyly disguised Trojans) as well as by what it does to infected machines (rootkits, adware, ransomware, cryptojacking and malvertising, oh my).
You can find a lot of this kind of technical taxonomy, and there’s definitely a use for it. In particular, it can be useful to differentiate between different types of malware infection vectors rather than lumping everything together under the name “virus”, despite the popular use of the term. But we can also put too much emphasis on these kinds of divisions.
“Much of the terminology used to describe malware in the 1990s and early 2000s is still technically accurate, but perhaps less relevant than it once was,” says Jacob Ansari, security advocate and emerging cyber trends analyst for Schellman, an independent global security and privacy assessor. “While malware of previous decades installed itself on the target system and then ran on its own without human intervention, most modern attack campaigns are carried out by groups of people, what we commonly call threat actors. Attackers always attempt to evade detection and persist despite defenses, and use a variety of programming or scripting languages to produce their hostile code.”
So we asked Ansari and other security professionals how they break down the categories of malware they face. In general, we found two different perspectives on malware taxonomy: you can think about how viruses do their dirty work (i.e., what they do to you) or about their place in an attack ecosystem (i.e., what they do for an attacker).
Types of viruses defined by what they do to you
If you want a good perspective on the different types of malware, you could do worse than talk to someone who writes it for a living. That’s Dahvid Schloss’s job: he’s head of offensive security at cybersecurity professional services firm Echelon Risk + Cyber, where he develops malware that mimics real-world threat actors and operates command-and-control platforms for his company’s adversarial emulation and red team engagements. He broke down the different types of viruses he works with by function.
Macro virus. “This category is probably the most common malware technique in the world,” says Schloss. “About 92% of external attacks start with phishing, and macros are at the heart of the problem. A macro is an automated execution of keystrokes or mouse actions that a program can perform without user interaction. Typically, we’re talking about Microsoft Word/Excel macros, which can automate repetitive tasks on the spreadsheet or document.”
Macros are an extremely common type of malware. “The method of delivery is believable, especially when it feels work-related,” says Schloss. “Also, the coding language (Visual Basic, in Microsoft’s case) is quite simplistic, so macro viruses reduce the amount of technological skill required to write them.”
Lauren Pearce, incident response manager at cloud security firm Redacted, agrees. “We continue to see significant damage from unsophisticated malware,” she says. “The simple Office document macro reigns supreme as an initial infection vector.”
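The triage an incident responder runs on a suspicious Office attachment follows directly from what Schloss and Pearce describe: is there a VBA project at all, does it fire on open, and does it reach for a shell or the network? The script below is an added example written for this article, not code from CSO or from the people quoted. It inspects the OOXML (docx/docm/xlsx/xlsm) ZIP container for a vbaProject.bin part and string-scans it for auto-execution entry points and dropper-style API names. The two documents it tests on are constructed fixtures built in the script itself; the fake vbaProject.bin holds plain macro text rather than a real MS-OVBA-compressed stream, which is the stated limitation of the raw byte scan.

```python
import io
import zipfile
from typing import Optional

# Auto-execution entry points and API names that a macro dropper typically uses.
AUTOEXEC = (b"AutoOpen", b"AutoExec", b"Auto_Open", b"Document_Open", b"Workbook_Open")
SUSPICIOUS = (b"Shell", b"WScript.Shell", b"URLDownloadToFile", b"powershell",
              b"CreateObject", b"Environ", b"MSXML2.XMLHTTP")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def triage_ooxml(data: bytes) -> dict:
    """Triage an OOXML file (docx/docm/xlsx/xlsm) held in memory.

    The container is a ZIP; a VBA project shows up as a vbaProject.bin part and
    as an Override entry in [Content_Types].xml. Real VBA source is stored
    MS-OVBA-compressed inside that part, so the raw byte scan below is a
    heuristic: short identifiers often survive as literal runs, but a production
    pipeline should decompress the streams (e.g. with oletools' olevba) first.
    """
    verdict = {"is_ooxml": False, "has_vba": False, "autoexec": [], "suspicious": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdict
    names = zf.namelist()
    verdict["is_ooxml"] = "[Content_Types].xml" in names
    if not verdict["is_ooxml"]:
        return verdict
    content_types = zf.read("[Content_Types].xml")
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    verdict["has_vba"] = bool(vba_parts) or VBA_CONTENT_TYPE in content_types
    for part in vba_parts:
        blob = zf.read(part)
        verdict["autoexec"] += [s.decode() for s in AUTOEXEC if s in blob]
        verdict["suspicious"] += [s.decode() for s in SUSPICIOUS if s in blob]
    return verdict


def is_macro_dropper(verdict: dict) -> bool:
    """A document that runs on open and reaches for a shell/network API is dropper-like."""
    return verdict["has_vba"] and bool(verdict["autoexec"]) and bool(verdict["suspicious"])


def build_sample(macro_source: Optional[bytes]) -> bytes:
    """Constructed fixture: a minimal OOXML container, optionally with a fake
    vbaProject.bin holding the macro text uncompressed (not a real MS-OVBA stream)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = (b'<?xml version="1.0"?>'
              b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              b'<Override PartName="/word/document.xml" ContentType="application/'
              b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if macro_source is not None:
            ct += b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
        ct += b"</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", b"<w:document/>")
        if macro_source is not None:
            zf.writestr("word/vbaProject.bin", macro_source)
    return buf.getvalue()


# Constructed test documents: one clean, one with an AutoOpen macro that spawns PowerShell.
CLEAN_DOC = build_sample(None)
DROPPER_DOC = build_sample(
    b"Sub AutoOpen()\n"
    b"  Set o = CreateObject(\"WScript.Shell\")\n"
    b"  o.Run \"powershell -w hidden\", 0\n"
    b"End Sub\n"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("dropper", DROPPER_DOC)):
        v = triage_ooxml(doc)
        print(label, v, "-> dropper-like" if is_macro_dropper(v) else "-> no dropper indicators")
```

The point of splitting `triage_ooxml` from `is_macro_dropper` is that the first produces evidence you can log and pivot on (which trigger, which API), while the verdict rule stays a one-liner you can tune per environment.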
Polymorphic viruses. “While the macro virus is the easiest to code, this type [the polymorphic virus] would be the most complex because the virus is exactly what its name suggests: polymorphic,” explains Schloss. “Each time the code runs, it runs slightly differently, and usually each time it moves to a new machine, its code will be slightly different.”
You should treat all of your children (or enemies) equally, but Schloss admits that “this class of virus is my favorite because it is complex and extremely difficult to investigate and detect.”
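To make Schloss’s description concrete, here is an added example (written for this article, not code from Schloss or Echelon) of why polymorphism defeats byte-pattern matching. Each call to `mutate` wraps the same payload with a fresh random key and a random junk prefix, so two generations share no stable byte sequence, yet the carried decoder recovers an identical payload every time. The payload is a constructed placeholder string; a real sample would be machine code. One honest caveat: a real polymorphic engine also rewrites the decoder stub itself, whereas this example keeps the stub fixed, which is exactly where a signature would still catch it.

```python
import hashlib
import os

# Constructed stand-in for a malicious payload; a real sample would be machine code.
PAYLOAD = b"echo 'payload executed'"
PAYLOAD_SHA256 = hashlib.sha256(PAYLOAD).hexdigest()


def mutate(payload: bytes) -> bytes:
    """Produce one polymorphic generation of the payload.

    Fresh random XOR key and fresh random junk prefix on every call, so no byte
    sequence is stable across generations.
    Layout: [junk_len:1][junk][key_len:1][key][payload XOR key]
    """
    key = os.urandom(8)
    junk = os.urandom(1 + os.urandom(1)[0] % 16)      # 1..16 junk bytes
    encoded = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return bytes([len(junk)]) + junk + bytes([len(key)]) + key + encoded


def decode(sample: bytes) -> bytes:
    """The decoder stub every generation carries: skip junk, read key, un-XOR."""
    junk_len = sample[0]
    pos = 1 + junk_len
    key_len = sample[pos]
    key = sample[pos + 1:pos + 1 + key_len]
    body = sample[pos + 1 + key_len:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


def static_signature_hit(sample: bytes, signature: bytes = PAYLOAD[:8]) -> bool:
    """What a byte-pattern signature sees: the raw bytes on disk."""
    return signature in sample


def behavioural_hit(sample: bytes) -> bool:
    """What an emulator or sandbox sees: the payload after the stub has run."""
    return hashlib.sha256(decode(sample)).hexdigest() == PAYLOAD_SHA256


if __name__ == "__main__":
    for generation in (mutate(PAYLOAD) for _ in range(3)):
        print(generation.hex()[:32], "static:", static_signature_hit(generation),
              "behavioural:", behavioural_hit(generation))
```

This is why detection engineering for this class leans on emulation, memory scanning after the stub runs, and signatures on the decoder logic rather than on the encrypted body.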
Resident viruses. This is a particularly pernicious category: a disembodied virus that does not exist in a file. “The virus itself actually runs in the host’s RAM,” Schloss explains. “The virus code is not stored in the executable that called it; it is usually stored on a web-accessible site or storage container. The executable that calls the resident code is usually written as not malicious with the intent to evade detection by an antivirus application.”
The term resident virus implies the existence of a non-resident virus, of course. Schloss defines it as “a virus that is contained in the executable that calls it. These viruses are most often spread by abusing company services.”
Boot sector virus. “I like to call this category the ‘nation-state cocktail,’” Schloss explains. “These types of viruses are intended to provide the threat actor with deep, unlimited persistence. They will infect right down to the master boot record (MBR) of the computer, which means that even if you reimage your machine, the virus will persist and be able to run in the host’s memory on startup. These types of viruses are rare outside of nation-state threat actors, and almost always rely on a zero-day exploit to be able to reach the MBR level or spread via physical media such as infected USB sticks or hard drives.”
Multipart virus. While some malware developers may specialize, others take an “all of the above” approach, attacking everywhere at once. “These types of viruses are usually the hardest to contain and treat,” Schloss says. “They will infect multiple parts of a system, including memory, files, executables, and even the boot sector. We are seeing more and more viruses of this variety, and these types of viruses are spreading in all ways possible, usually implementing several techniques to maximize diffusion.”
Types of malware defined by what they do for the attacker
Another way to think about the different malware you will encounter is how it fits into the bigger picture of an overall attack. Remember what Schellman’s Ansari said above: modern malware is deployed by teams, and viruses themselves can also be considered a team. “Many malware campaigns consist of an array of components, sometimes each developed separately or even sourced from other threat actors,” Ansari explains. He breaks down some of the different players:
Dropper. “This malware is intended to drop other malware onto the infected system,” Ansari said. “Victims can be infected with a dropper from a hostile link, attachment, download, etc., and it usually does not persist after the next stage of malware is removed.”
“Macro malware falls into the dropper category,” adds Redacted’s Pearce. “This is malware created for the sole purpose of downloading and executing additional malware.”
Beacon/payload. These types of malware are the next stage of the attack. “Often installed by a dropper, the beacon or payload notifies the threat actor of its newly installed means of access,” Ansari explains. “From there, an attacker can gain access to victim systems through the means established by the beacon and gain access to the system, the data it contains, or other systems on the network.”
Packers. These components wrap other components, compressing, encrypting or otherwise obfuscating them so that the inner code never appears on disk in a form a signature can match. “Some sophisticated malware campaigns use a series of packers, nested like a stacking doll,” Ansari explains. “Each contains another packed item, until the final payload can run.”
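Ansari’s stacking doll is what an analyst peels back layer by layer, identifying each wrapper by its header and stopping when what is left no longer looks packed. The following is an added example for this article (not code from Schellman or any real packer) with a toy packer that stacks three layer types, XOR with a stored key, zlib, and base64, and an unpacker that recognises each by its magic bytes. The `XOR1` framing is this example’s own invention; the zlib header and base64 alphabet checks are real. The payload is a constructed string.

```python
import base64
import zlib

B64_ALPHABET = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
XOR_MAGIC = b"XOR1"          # hypothetical framing for this example's XOR layer


def pack_nested(payload: bytes, layers=("xor", "zlib", "b64")) -> bytes:
    """Constructed packer: apply each layer in order, so the last one is outermost."""
    data = payload
    for layer in layers:
        if layer == "xor":
            key = 0x5A
            data = XOR_MAGIC + bytes([key]) + bytes(b ^ key for b in data)
        elif layer == "zlib":
            data = zlib.compress(data)       # begins with 0x78 and a flag byte
        elif layer == "b64":
            data = base64.b64encode(data)
        else:
            raise ValueError(f"unknown layer {layer}")
    return data


def identify_layer(data: bytes):
    """Name the outermost layer by its header, or None if it looks like plain payload."""
    if data.startswith(XOR_MAGIC):
        return "xor"
    # zlib stream: CMF byte 0x78 (deflate, 32K window) followed by a valid FLG byte
    if len(data) >= 2 and data[0] == 0x78 and data[1] in (0x01, 0x5E, 0x9C, 0xDA):
        return "zlib"
    # base64: only alphabet characters and a length that is a multiple of 4
    if data and len(data) % 4 == 0 and all(c in B64_ALPHABET for c in data):
        return "b64"
    return None


def unpack_nested(data: bytes, max_depth: int = 16):
    """Peel layers until no known header remains. Returns (payload, layers peeled, outermost first).

    max_depth guards against a sample crafted to keep an automated unpacker busy forever.
    """
    peeled = []
    for _ in range(max_depth):
        layer = identify_layer(data)
        if layer is None:
            return data, peeled
        if layer == "xor":
            key = data[len(XOR_MAGIC)]
            data = bytes(b ^ key for b in data[len(XOR_MAGIC) + 1:])
        elif layer == "zlib":
            data = zlib.decompress(data)
        elif layer == "b64":
            data = base64.b64decode(data, validate=True)
        peeled.append(layer)
    raise ValueError("too many layers; possible unpacker bomb")


if __name__ == "__main__":
    sample = pack_nested(b"echo 'stage-2 payload'", ("xor", "zlib", "b64", "xor", "zlib", "b64"))
    payload, layers = unpack_nested(sample)
    print(layers, payload)
```

The base64 check is the weakest identifier here: a short all-alphanumeric payload whose length is a multiple of four would be misread as another layer. Real unpackers pair header heuristics with entropy measurement and a sanity check on the decoded result for exactly that reason.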
Command and control. Every team needs a leader, and that’s the role that command and control plays for these collaborative malware components. “These systems, sometimes called C&C, CNC or C2, operate outside the victim’s environment and allow the threat actor to communicate with other malware campaign components installed on the target system,” Ansari explains. “When law enforcement targets a threat actor, they often seize command and control systems as part of their efforts to stop the threat.”
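Because the beacon has to check in with C2 infrastructure outside the victim’s environment, its traffic has a shape defenders can look for: the same internal host contacting the same external host at near-constant intervals with small, similar request sizes. The script below is an added example for this article, not a detection from any of the firms quoted. It runs over a handful of constructed proxy log lines (timestamp, source, destination, bytes; not from any real environment) and flags a source/destination pair as beacon-like when it has at least `min_hits` connections and the coefficient of variation of the inter-arrival gaps is below `max_cv`. The thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not from a real network): "<iso timestamp> <src> <dst> <bytes>"
# 198.51.100.7 is contacted every ~60 s with ~410-byte requests; 203.0.113.9 is ordinary browsing.
LOG_LINES = """\
2022-03-01T10:00:00 10.0.0.5 198.51.100.7 412
2022-03-01T10:00:12 10.0.0.5 203.0.113.9 9812
2022-03-01T10:01:00 10.0.0.5 198.51.100.7 415
2022-03-01T10:02:01 10.0.0.5 198.51.100.7 410
2022-03-01T10:02:40 10.0.0.5 203.0.113.9 120403
2022-03-01T10:03:00 10.0.0.5 198.51.100.7 413
2022-03-01T10:04:00 10.0.0.5 198.51.100.7 411
2022-03-01T10:05:01 10.0.0.5 198.51.100.7 414
2022-03-01T10:07:15 10.0.0.5 203.0.113.9 3302
2022-03-01T10:07:20 10.0.0.5 203.0.113.9 771
2022-03-01T10:09:00 10.0.0.5 203.0.113.9 45120
"""


def parse(lines: str):
    """Yield (timestamp, src, dst, bytes) tuples; blank lines are skipped."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(lines: str, min_hits: int = 5, max_cv: float = 0.1) -> list:
    """Flag src/dst pairs whose connection timing is too regular to be a human.

    cv = population stdev / mean of the gaps between consecutive connections.
    A C2 framework that adds jitter raises cv, so max_cv trades sensitivity for
    false positives from legitimate pollers (update checks, monitoring agents).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in parse(lines):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "hits": len(times),
                             "mean_interval": mean, "cv": round(cv, 4)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(f"beacon-like: {hit['src']} -> {hit['dst']} every {hit['mean_interval']:.1f}s "
              f"({hit['hits']} hits, cv={hit['cv']})")
```

Allow-listing known pollers and extending the key to include request size or URI path are the usual next steps; the timing test alone will also catch your own monitoring agents.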
Classification of computer viruses
Ultimately, whatever taxonomy we use should not be too rigid, but rather should facilitate the communication of important information about cyber threats. And that means tailoring your language to your audience, says Ori Arbel, CTO of CYREBRO, a security services provider.
“If I was writing for CISOs, they would think about it from a risk perspective,” he says, “whereas the general public would better understand commonly used names in the news. These virus categorizations are presented from the perspective of what will be easier to understand, but doing it this way doesn’t necessarily communicate the best steps for security professionals to take. If I’m writing for a group of threat intelligence professionals, I would use terms related to the geolocation and motivation of the attacker rather than what the virus actually does.”
We’ll end with one last way to categorize viruses, which only really makes sense from the perspective of the virus hunters themselves: which viruses are worthy adversaries, and which aren’t. “As a reverse engineer, I enjoy the puzzle of reversing,” says Pearce of Redacted. “Macros pose a significant threat to a network, but they’re not particularly fun to reverse. I like to reverse samples that use anti-analysis techniques to actively combat the reverser. Malware can use anti-debugging techniques that detect and respond to a debugger via methods such as checksum or timing attacks. The use of anti-analysis techniques indicates a skilled malware writer and serves to increase the time between the detection of a sample and the extraction of useful indicators to counter it.”
Just because your opponents are criminals doesn’t mean you can’t respect them for taking pride in their work.
Copyright © 2022 IDG Communications, Inc.