Malware has come a long way since the first virus was written in 1971, both in sophistication and in proliferation. As ever more information becomes digital, so do attempts to steal that information, and malware is often part of the attack chain. This is the first post in a series that aims to give a high-level overview of malware, specifically the different types out there, to build understanding of the tactics and goals behind each type.
New variants and increasing complexity
The growing intricacy of malware, and the prevalence of variants built for more than one purpose, call for a different way of thinking about the types of malware being distributed, so we will also be categorizing them to help you understand. The classification strings created and used by antivirus software, such as “Win32/Trojan…”, are showing their age: a sample that qualifies as several types at once is still assigned a single type in such a string, regardless of how many types it actually fits.
These strings do describe aspects of the malware and are still very useful, though. They capture real behaviors and characteristics of a sample; they simply don’t capture all of them now that malware has become so multifaceted. Even the term “malware” took years to catch on as the umbrella term for malicious software of every kind, and today some people still refer to all malware as “viruses,” even though a virus is one specific type of malware.
The static analysis software best known for detecting malware is still called “antivirus” rather than “anti-malware,” although the name now says more about the technique used than about the threats it targets. Antivirus software originated at a time when viruses were the most common type of malware being written and distributed, hence the name. Those early viruses often did more than simply propagate themselves, but they were nowhere near as sophisticated or multifaceted as most malware today.
The changes in malware since then largely come down to a shift in motive, or rather the arrival of two substantial motives that underlie most malware distributed today: national or political goals, and financial gain. The first virus and the first worm were written simply to prove that they could be.
The amount and nature of the data available digitally, the creation and evolution of marketplaces to buy and sell such data, as well as how important that data is — both to the organizations that have it as well as others — have evolved how malware is written and used. This, in turn, has evolved how malware is detected as well.
The evolution of malware detection
Anti-malware software uses several different techniques these days, although traditional signature-based antivirus is unfortunately still the one most accessible and affordable to end users outside of business environments. This technique searches files, memory, network traffic, or the like for specific byte sequences known to be associated with malware. This is where the classification strings mentioned above come into play: internally, each string is the label attached to the byte sequence (the signature) that was used to detect the malware. Signature matching is cheap and precise, but it is also brittle, since any change to the matched bytes (a repacked binary, an encoded string) produces a sample the signature no longer recognizes until a new one is written. This is a form of static analysis, meaning analysis that does not require executing the file, but it is not the only static technique in use. More advanced static analysis options also exist, often backed by machine learning to aid detection. Barracuda Advanced Threat Protection uses one such technology as part of its detection.
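To make the signature technique concrete, here is an added example (not code from the original post or from Barracuda) of a tiny byte-signature scanner. The signature table, the classification names, the sample buffers and the 198.51.100.7 URL are all constructed for illustration; the pattern syntax (hex bytes with “??” as a one-byte wildcard) is borrowed from the way ClamAV-style hex signatures express variable bytes. The example also shows a well-known limitation of signature matching: a single-byte XOR of the sample’s strings defeats the static match, while scanning the decoded bytes, as a memory scan or a sandbox dump would, restores the hit.

```python
"""Minimal byte-signature scanner, the classic antivirus technique described above."""
import re
from pathlib import Path

# Constructed signature table: hypothetical names and byte patterns, not real
# antivirus data. Each value is a hex string in which "??" is a one-byte
# wildcard (ClamAV-style hex signatures use the same notation). Each pattern
# maps to exactly ONE classification string, which is the limitation the
# text describes: the label cannot say more than the one thing it matched.
SIGNATURES = {
    # Hard-coded stage-2 URL; 198.51.100.0/24 is a documentation range, so
    # the address is fictitious.
    "Win32/TrojanDownloader.Demo": b"http://198.51.100.7/stage.bin".hex(),
    # UNC path to a remote ADMIN$ share: "\\", a four-byte wildcard host
    # name, then "\ADMIN$\". The wildcards let one signature cover any
    # four-character host name.
    "Win32/Worm.Demo": b"\\\\".hex() + "????????" + b"\\ADMIN$\\".hex(),
    # A ransom-note phrase as it might appear in a script or document.
    "Script/Ransom.Demo": b"Your files have been encrypted".hex(),
}


def compile_signature(hex_pattern: str) -> re.Pattern:
    """Turn a hex pattern with '??' wildcards into a compiled bytes regex."""
    if len(hex_pattern) % 2:
        raise ValueError("hex pattern must contain whole bytes")
    parts = []
    for i in range(0, len(hex_pattern), 2):
        token = hex_pattern[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    # DOTALL so the wildcard also matches 0x0A, which is just another byte here.
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = [(name, compile_signature(hexpat)) for name, hexpat in SIGNATURES.items()]


def scan_bytes(data: bytes) -> list:
    """Return sorted (offset, classification) pairs for every signature hit."""
    hits = []
    for name, pattern in COMPILED:
        hits.extend((m.start(), name) for m in pattern.finditer(data))
    return sorted(hits)


def scan_file(path) -> list:
    """Scan a file on disk; the same scanner works on a memory dump or a capture."""
    return scan_bytes(Path(path).read_bytes())


def xor_obfuscate(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the kind of trivial string encoding a packer applies."""
    return bytes(b ^ key for b in data)


def scan_after_unpacking(packed: bytes, key: int, header_len: int = 12) -> list:
    """Model what a memory scan sees once the sample has decoded its own strings."""
    return scan_bytes(packed[:header_len] + xor_obfuscate(packed[header_len:], key))


# Constructed sample buffers standing in for files on disk. The 12-byte prefix
# is a fake "MZ" header plus padding; nothing here is a real executable.
SAMPLE_DOWNLOADER = b"MZ\x90\x00" + b"\x00" * 8 + b"http://198.51.100.7/stage.bin\x00"
SAMPLE_MULTI = SAMPLE_DOWNLOADER + b"\\\\HOST\\ADMIN$\\svc.exe\x00"   # downloader AND worm
SAMPLE_CLEAN = b"MZ\x90\x00" + b"\x00" * 8 + b"https://example.com/update.txt\x00"
# Same downloader with everything after the header XOR-encoded: identical
# behaviour at runtime, but the static signature no longer sees the URL.
SAMPLE_PACKED = SAMPLE_DOWNLOADER[:12] + xor_obfuscate(SAMPLE_DOWNLOADER[12:], 0x5A)

if __name__ == "__main__":
    for label, sample in [("downloader", SAMPLE_DOWNLOADER), ("multi", SAMPLE_MULTI),
                          ("clean", SAMPLE_CLEAN), ("packed", SAMPLE_PACKED)]:
        print(f"{label:11s} {scan_bytes(sample)}")
    print("packed, after unpacking:", scan_after_unpacking(SAMPLE_PACKED, 0x5A))
```

Note that the multi-behaviour sample produces two classification strings, one per signature, whereas a conventional antivirus report would typically collapse that to a single label; that is exactly the gap the four categories described later in this post are meant to fill. The packed sample produces no hit at all until its strings are decoded, which is why scanning memory or a sandbox dump catches things a scan of the file on disk does not.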
The other main type of malware analysis and detection is dynamic analysis, which involves executing the sample and observing the behavior and actions it performs. Because this means running a potentially malicious file, it is not something that should be done on an end user’s machine. Typically, the file is uploaded to a server with a secure sandbox that runs the file and records its behavior, which is why dynamic analysis is sometimes referred to as “sandboxing.” Dynamic analysis can also emulate the execution of the malware rather than run it natively, but emulation is a complicated process and most solutions prefer to use a sandbox environment. One caveat worth keeping in mind: malware that checks for signs of a sandbox (virtualization artifacts, a lack of user activity, an unusually short uptime) may simply stay dormant while it is being observed, so sandbox results are only as good as the sandbox’s ability to look like a real victim machine. Dynamic analysis is both the origin and the core of Advanced Threat Protection, because the other methods either apply only to specific file types or can miss things.
Looking ahead
Over the course of this blog series, each post will cover a different major type of malware in the context of four categories that describe the aspects of malware: infection method, payload/objective, propagation method, and evasion method.
For example, the “Trojan” in the classification string above refers to an infection method, the means by which malware gets onto a device. Once the infection succeeds, the malware performs further actions to achieve its objective(s); that is the payload/objective. This may be a single simple objective, such as downloading another piece of malware and installing it on the system, or it may consist of several, such as stealing saved passwords, then implanting a bot on the system, then scanning the rest of the network for other vulnerable machines. The malware might also try to copy itself, either to other locations on the infected machine or to other machines, which is propagation. Finally, the malware might use specific design patterns, advanced but by now common, to avoid being detected, which is its evasion method.
The types in each category will all relate to the classification strings used by traditional antivirus software, but because one piece of malware can fall under multiple types, these categories help make clear which behavior a given type is actually describing. For each type we will cover what it actually means and does, ways to defend against it where applicable (beyond the obvious “install antivirus”), and its relevant history and evolution. Notable examples will also be included to connect each type of malware to high-profile instances that embodied it.