
This section provides an overview of the most common types of malware. As we will discuss later in the thesis, there exist several more types than the ones mentioned in this section. These, however, can arguably be characterized as subclasses of the types mentioned here.

2.2.1 Virus

A virus is a file that inserts itself into one or more files to perform one or more actions. A virus infection usually consists of two phases: insertion and execution [26].

Boot Sector Virus

This type of virus infects the master boot record (MBR) so that it can run alongside the host operating system. The virus makes a copy of the MBR, the first section of the hard drive, which holds the information about where the operating system is located, so that when the system is booted the virus is run first. The original MBR is then executed, leaving the virus in control of execution [26].

Figure 1: Illustration of boot sector virus [1]

Executable

An executable virus infects executable programs. This is commonly achieved by inserting itself into the file right after the file header, so that the payload is run first when the file is executed [26].

Multipartite

A multipartite virus is a combination of the two former types, i.e. a virus that can infect boot sectors or programs [26].

TSR Virus

TSR is an abbreviation for Terminate and Stay Resident. Such a virus is able to stay resident in memory after the infected application is terminated, or after bootstrapping is done (in the case of a boot sector infection) [26].

Encrypted

An encrypted virus encrypts the malicious payload in an attempt to avoid antivirus detection. The only clear text code is the decryption routine [26].

Polymorphic

A polymorphic virus changes its form each time it infects another program. In the case of an encrypted virus, antivirus scanners were ultimately able to detect it by recognizing the decryption routine. A polymorphic virus conceals itself from antivirus scanners in a different way: the decryption routine itself is changed with each new infection [26].

Macro

A macro virus is a set of interpreted instructions, usually within a Word, Excel or PDF file. Macro viruses were especially prevalent in Microsoft Office 97, but execution of macros has been disabled by default in later versions [26].

2.2.2 Worm

A worm is malware that is able to propagate to other hosts [26], and it actively seeks to do so by exploiting software or network vulnerabilities. Other propagation methods include email, file sharing and removable USB drives [27].

2.2.3 Trojan

A Trojan horse is malware that presents itself as a file or program with a legitimate purpose while also having concealed malicious behavior [26], e.g. password stealing.

Trojans are often used to capture and send various information from the infected host. They can also be used as part of a larger attack, such that the trojan, when executed, downloads another piece of malware, for example to turn the host into a bot [25].

2.2.4 Backdoor

A backdoor is an entry point to a system that allows someone who is aware of it to gain access to the system or a program without having to go through the standard security procedures.

Backdoors are also commonly used by programmers to debug software and in situations where special privileges are needed. This means that a backdoor is not necessarily malicious by nature, but it becomes malicious when people use it for malicious purposes [27].

"During the development of Multics, penetration tests were conducted by an Air Force “tiger team” (simulating adversaries). One tactic employed was to send a bogus operating system update to a site running Multics. The update contained a Trojan horse that could be activated by a backdoor and that allowed the tiger team to gain access. The threat was so well implemented that the Multics developers could not find it, even after they were informed of its presence." [27].

2.2.5 Rootkit

Rootkits are tools that are able to alter the host's behavior to remain hidden in the system while giving an attacker full privileges on the infected host. The administrator account on Unix systems is called "root", which has led to the name of this type of malware [27]. Rootkits can be divided into different groups, depending on their specific behavior:

Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention. This means it is easier to detect, as the copy in persistent storage can potentially be scanned [27].

Memory based: Has no persistent code and therefore cannot survive a reboot. However, because it is only in memory, it can be harder to detect [27].

User mode: Intercepts calls to APIs (application program interfaces) and modifies the returned results. For example, when an application performs a directory listing, the returned results don't include entries identifying the files associated with the rootkit [27].

Kernel mode: Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel’s list of active processes [27].

Virtual machine based: This type of rootkit installs a lightweight virtual machine monitor, and then runs the operating system in a virtual machine above it. The rootkit can then transparently intercept and modify states and events occurring in the virtualized system [27].

External mode: The malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware [27].
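The "cross-view" check below is an added example, not code from the thesis: it compares the process list obtained by enumerating /proc (the directory-listing path that the user-mode and kernel-mode rootkits above hook to drop their own entries) against one obtained by probing each /proc/<pid> by name, and reports PIDs that only the second view sees. It assumes a Linux /proc layout; the injectable listdir and exists parameters are there so the logic can be exercised on constructed data.

```python
import os
from typing import Callable, Iterable, List, Set

# Assumed Linux layout: every running process has a /proc/<pid> directory.
PROC = "/proc"


def cross_view_diff(listed: Iterable[int], probed: Iterable[int]) -> Set[int]:
    """Entries found by direct probing but missing from the enumeration view.
    On a clean system the two views agree and the result is empty."""
    return set(probed) - set(listed)


def listed_pids(listdir: Callable[[str], List[str]] = os.listdir) -> Set[int]:
    """High-level view: PIDs as reported by a directory listing of /proc,
    the kind of call a rootkit intercepts to filter out its own process."""
    return {int(name) for name in listdir(PROC) if name.isdigit()}


def probed_pids(max_pid: int = 32768,
                exists: Callable[[str], bool] = os.path.exists) -> Set[int]:
    """Low-level view: ask for each candidate /proc/<pid> by name, which does not
    go through the directory-enumeration code path at all."""
    return {pid for pid in range(1, max_pid + 1) if exists(f"{PROC}/{pid}")}


def find_hidden_processes(max_pid: int = 32768) -> Set[int]:
    """Run both views on the live system; any PID returned is worth a closer look."""
    return cross_view_diff(listed_pids(), probed_pids(max_pid))
```

The same comparison applies to the file-hiding case in the user-mode description: list a directory through the normal API, then stat each expected name directly, and investigate anything the listing omits.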

2.2.6 Bot

A bot, short for robot, is a type of malware that usually makes the infected host part of a botnet. A botnet is a network of infected hosts which a botmaster can control to perform a variety of malicious actions, such as distributed denial of service attacks, click fraud or bitcoin mining [28]. In the last few years, botnets have become more business-oriented, in that it is possible for "everyone" to rent a botnet, or a part of a botnet, enabling the "customer" to perform these malicious actions themselves [29]. Other uses of infected hosts include keyloggers to collect user credentials, banking information, credit card details and email addresses from the bots, but these capabilities are typically not part of the bot itself. Instead this is achieved by downloading a specific trojan horse to perform the wanted actions. Originally, bot malware was named "remote access trojan horses" [30].

Figure 2: Kernel mode rootkit [2]