Introduction to Malware
Malware (malicious software) refers to any software intentionally designed to cause damage to computers, servers, networks, or their users. Understanding the different types of malware is crucial for effective cybersecurity strategy and protection of digital assets. This cheatsheet provides a comprehensive overview of common malware types, their behaviors, detection methods, and prevention strategies.
Core Malware Concepts
Key Malware Characteristics
Characteristic | Description |
---|---|
Infection Vector | Method by which malware enters a system (email attachments, downloads, exploits) |
Payload | The malicious action the malware performs once activated |
Persistence | Ability to remain on a system after reboot or initial infection |
Propagation | Method by which malware spreads to other systems or files |
Stealth | Techniques used to avoid detection (encryption, obfuscation, rootkit capabilities) |
Trigger | Event or condition that activates the malware’s payload |
Common Malware Objectives
- Data Theft – Stealing sensitive information
- Financial Gain – Extracting money through ransoms or fraud
- Resource Hijacking – Using a victim’s computing resources (e.g., cryptocurrency mining)
- Sabotage – Damaging systems or disrupting operations
- Espionage – Gathering intelligence from specific targets
- Backdoor Creation – Establishing persistent access for future exploitation
Major Malware Categories
Viruses
Definition: Malicious code that attaches to legitimate files or programs and runs when the host file is executed.
Types of Viruses
Virus Type | Characteristics | Examples |
---|---|---|
Boot Sector Virus | Infects the master boot record; executes when system boots | Brain, Michelangelo |
File Virus | Attaches to executable files (.exe, .com) | Jerusalem, Cascade |
Macro Virus | Written in macro language (e.g., VBA); infects documents | Melissa, Concept |
Polymorphic Virus | Changes its code to avoid detection | Storm Worm, Virlock |
Multipartite Virus | Infects both boot sectors and files | Flip, Invader |
Resident Virus | Remains in memory after execution; infects opened files | Randex, CMJ |
Virus Infection Cycle
- Dormancy – Virus is inactive until triggered
- Propagation – Virus replicates by attaching to other files
- Triggering – Specific condition activates the virus
- Execution – Virus performs its intended malicious function
- Infection – Virus spreads to new files or systems
Worms
Definition: Self-replicating malware that spreads across networks without requiring user action or host files.
Key Worm Characteristics
Characteristic | Description |
---|---|
Self-Replication | Reproduces without host files or user interaction |
Network-Based | Primarily spreads through network connections |
Resource Intensive | Often consumes significant bandwidth and processing power |
Autonomous Operation | Functions independently after initial infection |
Notable Worm Examples
Worm Name | Year | Notable Features |
---|---|---|
Morris Worm | 1988 | First recognized internet worm; crashed ~10% of the internet |
ILOVEYOU | 2000 | Spread via email; caused $10+ billion in damage |
SQL Slammer | 2003 | Infected 75,000 servers in 10 minutes |
Conficker | 2008 | Infected millions of computers across 190+ countries |
WannaCry | 2017 | Combined worm with ransomware; exploited EternalBlue vulnerability |
NotPetya | 2017 | Disguised as ransomware but designed for destruction |
Trojans
Definition: Malware disguised as legitimate software that performs malicious actions when executed.
Trojan Types by Function
Trojan Type | Primary Function | Examples |
---|---|---|
Backdoor Trojan | Provides remote access to attackers | Dark Comet, Gh0st RAT |
Banking Trojan | Steals financial information | Zeus, Emotet, TrickBot |
Downloader Trojan | Downloads additional malware | Emotet, TrickBot |
DDoS Trojan | Participates in distributed denial of service attacks | Mirai, HOIC |
Data Theft Trojan | Searches for and exfiltrates sensitive data | Loki, RedLine Stealer |
Mailfinder Trojan | Harvests email addresses | Bayrob |
FakeAV Trojan | Impersonates antivirus software to extract payment | WinWebSec, System Doctor |
Common Trojan Delivery Methods
- Phishing emails with malicious attachments
- Malicious downloads disguised as legitimate software
- Drive-by downloads from compromised websites
- Social engineering tactics (fake updates, tech support scams)
- Malvertising (malicious advertising)
- Infected USB drives and removable media
Ransomware
Definition: Malware that encrypts a victim’s files and demands payment (ransom) for the decryption key.
Ransomware Attack Cycle
- Infection – Enters system through vulnerability, phishing, etc.
- Deployment – Ransomware components are installed and executed
- Scanning – Searches for valuable files to encrypt
- Encryption – Locks files using strong encryption
- Communication – Contacts command & control server for keys
- Notification – Displays ransom demand to victim
- Deletion – Often deletes shadow copies and backups
- Cleanup – May remove evidence of initial infection
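Detection of the Encryption step above, as an added example that is not part of the original cheatsheet: a snapshot-based entropy check that flags documents whose contents jump from plaintext-like to ciphertext-like entropy, and treats a burst of such changes in one interval as a ransomware signal. The SHA-256 chain standing in for encrypted output and the sample file set are constructed here.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5  # bits/byte; text and office docs sit far below, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_burst(before, after, burst_threshold=3):
    """Compare two {path: bytes} snapshots of a monitored share. A file is 'freshly encrypted'
    when its entropy jumps from a low baseline to ciphertext levels; files that were already
    high-entropy (archives, images) are ignored so they do not cause false positives.
    Returns (flagged_paths, burst); burst is True once enough files change in one interval."""
    flagged = []
    for path, old in before.items():
        new = after.get(path)
        if new is None or new == old:
            continue
        if shannon_entropy(new) >= HIGH_ENTROPY and shannon_entropy(old) < HIGH_ENTROPY - 1.0:
            flagged.append(path)
    return flagged, len(flagged) >= burst_threshold


def pseudo_ciphertext(label: str, blocks: int = 128) -> bytes:
    """Deterministic stand-in for encrypted output (SHA-256 chain) so the sample is reproducible."""
    out, block = b"", label.encode()
    for _ in range(blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out


# Constructed snapshots (not real data): three documents plus one archive that is already high-entropy.
TEXT = b"Quarterly figures: revenue up 4%, costs flat, headcount unchanged. " * 60
BEFORE = {
    "docs/report.docx": TEXT,
    "docs/budget.xlsx": TEXT[::-1],
    "docs/notes.txt": TEXT.upper(),
    "backup/archive.zip": pseudo_ciphertext("archive"),
}
AFTER = {
    "docs/report.docx": pseudo_ciphertext("report"),
    "docs/budget.xlsx": pseudo_ciphertext("budget"),
    "docs/notes.txt": pseudo_ciphertext("notes"),
    "backup/archive.zip": pseudo_ciphertext("archive"),
}

if __name__ == "__main__":
    paths, burst = detect_encryption_burst(BEFORE, AFTER)
    print(f"flagged={paths} burst={burst}")
```

Already-compressed or encrypted files stay unflagged because their baseline entropy is high, which is why the check compares against the previous snapshot rather than looking at the new content alone.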
Notable Ransomware Families
Ransomware | Year | Notable Features |
---|---|---|
CryptoLocker | 2013 | One of the first widespread ransomware; used RSA encryption |
Locky | 2016 | Spread through malicious macros in Office documents |
WannaCry | 2017 | Worm capabilities; affected 200,000+ computers in 150+ countries |
Ryuk | 2018 | Targeted large organizations; high ransom demands |
REvil/Sodinokibi | 2019 | Ransomware-as-a-Service model; double extortion |
DarkSide | 2020 | Used in Colonial Pipeline attack; sophisticated affiliate model |
BlackCat/ALPHV | 2021 | First professional ransomware written in Rust; triple extortion |
LockBit | 2022-23 | Fast encryption; focuses on enterprise targets |
Ransomware Innovations and Tactics
- Double Extortion – Stealing data before encryption and threatening to publish
- Triple Extortion – Adding DDoS attacks or contacting customers as additional pressure
- Ransomware-as-a-Service (RaaS) – Subscription-based model for criminal affiliates
- Big Game Hunting – Targeting large organizations for higher ransoms
- Initial Access Brokers – Specialized criminals who gain access then sell to ransomware operators
Additional Malware Types
Spyware and Adware
Type | Description | Examples |
---|---|---|
Keyloggers | Records keystrokes to capture passwords and sensitive data | Ardamax Keylogger, BlackNurse |
Screen Scrapers | Captures screenshots at regular intervals or triggered events | CaptureEze, Spytech SpyAgent |
Browser Hijackers | Modifies browser settings; redirects searches | CoolWebSearch, Babylon Toolbar |
Adware | Displays unwanted advertisements; tracks browsing habits | Fireball, BonziBUDDY |
Stalkerware | Monitors activities on devices; often used for domestic surveillance | FlexiSPY, mSpy |
Fileless Malware
Definition: Malware that operates entirely in memory without writing files to disk, making it difficult to detect with traditional methods.
Fileless Malware Techniques
- Memory-Only Execution – Runs entirely in RAM
- Script-Based Attacks – PowerShell, WMI, Windows Registry
- Living Off The Land (LOL) – Uses legitimate system tools
- Registry Manipulation – Stores payloads in Windows Registry
- DLL Injection – Inserts malicious code into legitimate processes
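Detection logic for the script-based, registry and WMI techniques listed above, added here as an example rather than taken from the original cheatsheet: it runs a small set of command-line rules over constructed process-creation events and decodes any -EncodedCommand payload so the analyst can read the script instead of a base64 blob. The rule names, event format and sample command lines are assumptions made for this example.

```python
import base64
import re

# Technique -> regex over a process command line. Patterns are intentionally broad:
# the goal is to surface script/LOL activity for review, not to be a complete ruleset.
RULES = {
    "encoded_powershell": re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"),
    "download_and_execute": re.compile(r"(?is)^(?=.*(?:\biex\b|invoke-expression))(?=.*download(?:string|file))"),
    "wmi_persistence": re.compile(r"(?i)__eventfilter|commandlineeventconsumer|filtertoconsumerbinding"),
    "registry_run_key": re.compile(r"(?i)(?:reg(?:\.exe)?\s+add|set-itemproperty)[^\n]*\\run\b"),
}


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_events(events):
    """Return (host, technique, evidence) for each rule hit across process-creation events.
    For encoded PowerShell the evidence is the decoded script rather than the raw command line."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        for technique, pattern in RULES.items():
            match = pattern.search(cmd)
            if match is None:
                continue
            evidence = cmd
            if technique == "encoded_powershell":
                evidence = decode_encoded_command(match.group(1)) or "<undecodable payload>"
            findings.append((ev["host"], technique, evidence))
    return findings


# Constructed sample telemetry (not real logs). The encoded script is a harmless Write-Output.
SAMPLE_B64 = base64.b64encode("Write-Output 'sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
    {"host": "WS02", "cmdline": 'powershell.exe -c "Get-ChildItem C:\\Users"'},
    {"host": "WS03", "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d notepad.exe"},
    {"host": "WS04", "cmdline": r"powershell.exe Set-WmiInstance -Namespace root\subscription -Class __EventFilter"},
]

if __name__ == "__main__":
    for host, technique, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{host}: {technique}: {evidence}")
```

In production the same rules would be fed from Sysmon event 1 or Windows Security event 4688 command lines, with PowerShell script block logging (event 4104) covering scripts that never appear on a command line.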
Advanced Persistent Threats (APTs)
Definition: Sophisticated, long-term targeted attacks, often state-sponsored, designed to maintain persistent access to networks.
APT Characteristics
- Sophisticated Targeting – Specific organizations or industries
- Extended Campaigns – Months or years of activity
- Advanced Evasion – Custom tools and zero-day exploits
- Data Exfiltration – Focused on stealing specific information
- Persistence – Multiple backdoors and access methods
Mobile Malware
Type | Characteristics | Examples |
---|---|---|
SMS Trojans | Sends premium SMS messages | FakePlayer, OpFake |
Banking Trojans | Steals financial credentials | Gustuff, Anubis |
Spyware Apps | Monitors activities and data | Pegasus, FinSpy Mobile |
Rogue Apps | Fake applications with hidden functionality | Joker, FluBot |
Adware | Aggressive advertising; data collection | HummingBad, Shedun |
Malware Comparison
Comparison by Propagation Method
Malware Type | Self-Replicating | Requires Host File | Requires User Action | Network Based |
---|---|---|---|---|
Virus | Yes | Yes | Usually | Sometimes |
Worm | Yes | No | Rarely | Yes |
Trojan | No | No | Yes | No |
Ransomware | Sometimes | No | Usually | Sometimes |
Spyware | No | No | Usually | No |
Rootkit | No | No | Yes | No |
Botnet | Yes (components) | No | Initially | Yes |
Comparison by Detection Difficulty
Malware Type | Traditional AV Detection | Behavior-Based Detection | Memory Analysis | Network Analysis |
---|---|---|---|---|
Standard Virus | High | Medium | Medium | Low |
Polymorphic Virus | Low | Medium | Medium | Low |
Worm | Medium | High | Medium | High |
Trojan | Medium | High | Medium | Medium |
Ransomware | Medium | High | Medium | Medium |
Fileless Malware | Very Low | High | High | Medium |
Rootkit | Low | Medium | High | Low |
APT Components | Low | Medium | High | Medium |
Common Malware Defense Challenges and Solutions
Challenge | Solution |
---|---|
Zero-Day Exploits | Deploy behavior-based detection; use application whitelisting; implement security patches promptly |
Polymorphic Malware | Use heuristic and behavioral analysis; employ machine learning detection |
Fileless Attacks | Deploy EDR solutions with memory scanning; monitor PowerShell and script execution |
Phishing Attacks | Implement email filtering; conduct regular security awareness training |
Supply Chain Attacks | Verify software integrity; monitor vendor security practices; use software bills of materials (SBOMs) |
Insider Threats | Apply principle of least privilege; implement data loss prevention (DLP); monitor for unusual access patterns |
Encrypted Traffic | Deploy TLS inspection where appropriate; focus on endpoint security |
IoT Vulnerabilities | Segment IoT networks; update firmware regularly; implement strict access controls |
Malware Prevention Best Practices
Organizational Defenses
- Defense in Depth – Layer multiple security controls
- Principle of Least Privilege – Restrict user and application permissions
- Network Segmentation – Isolate critical systems and limit lateral movement
- Regular Patching – Maintain up-to-date systems and applications
- Email Security – Deploy advanced filtering and anti-phishing solutions
- Employee Training – Conduct regular security awareness training
- Incident Response Plan – Develop and regularly test procedures
- Backup Strategy – Implement 3-2-1 backup rule (3 copies, 2 different media, 1 off-site)
Technical Controls
- Endpoint Protection – Next-gen antivirus and EDR solutions
- Application Whitelisting – Allow only approved applications to run
- Script Control – Restrict PowerShell and other scripting environments
- Network Monitoring – Deploy IDS/IPS and network traffic analysis
- DNS Filtering – Block connections to known malicious domains
- Web Filtering – Control access to potentially malicious websites
- Email Security – SPF, DKIM, and DMARC implementation
- Multi-Factor Authentication – Require additional verification for access
Personal Device Protection
- Keep Systems Updated – Apply security patches promptly
- Use Strong Antivirus – Install and maintain reputable security software
- Practice Email Caution – Verify sender before opening attachments or clicking links
- Download From Trusted Sources – Avoid unofficial app stores and websites
- Use Password Managers – Create and store strong, unique passwords
- Enable Multi-Factor Authentication – Add extra layer of account security
- Regular Backups – Maintain recent backups of important data
- Device Encryption – Encrypt sensitive data on devices and storage media
Malware Response and Recovery
Initial Response Steps
- Isolate Affected Systems – Disconnect from network to prevent spread
- Identify Malware Type – Determine what you’re dealing with
- Assess Damage – Evaluate compromised data and systems
- Document Evidence – Record indicators of compromise for analysis
- Notify Stakeholders – Inform relevant parties per incident response plan
- Engage Specialists – Involve cyber incident response team if necessary
Recovery Process
- Contain the Threat – Ensure complete isolation of affected systems
- Eradicate the Malware – Remove all traces of infection
- Restore from Clean Backups – Rebuild systems from known clean sources
- Patch Vulnerabilities – Address the entry point that allowed the infection
- Verify Security – Test systems before returning to production
- Monitor for Recurrence – Maintain heightened vigilance
- Perform Post-Incident Review – Learn from the incident and improve defenses
Resources for Further Learning
Organizations and Information Sources
- MITRE ATT&CK Framework – Comprehensive knowledge base of adversary tactics and techniques
- CISA (Cybersecurity & Infrastructure Security Agency) – Government resources and alerts
- SANS Institute – Research and education in security awareness
- VirusTotal – File and URL analysis service
- Malware Analysis Websites – Hybrid Analysis, Joe Sandbox, Any.Run
Recommended Books
- “Practical Malware Analysis” by Michael Sikorski and Andrew Honig
- “Malware Analyst’s Cookbook” by Michael Ligh et al.
- “The Art of Memory Forensics” by Michael Hale Ligh et al.
- “Rootkits and Bootkits” by Alex Matrosov, Eugene Rodionov, and Sergey Bratus
- “Reversing: Secrets of Reverse Engineering” by Eldad Eilam
Online Courses and Learning Platforms
- SANS FOR610: Reverse-Engineering Malware
- Pluralsight Malware Analysis courses
- Cybrary Malware Analysis courses
- Udemy Ethical Hacking courses
- TryHackMe and HackTheBox labs
Tools for Malware Analysis
- Static Analysis – IDA Pro, Ghidra, PE Explorer, PEiD
- Dynamic Analysis – Process Monitor, Process Explorer, Wireshark
- Sandboxing – Cuckoo Sandbox, Windows Sandbox, VMware/VirtualBox
- Memory Analysis – Volatility Framework, Rekall
- Disassemblers/Debuggers – x64dbg, OllyDbg, Radare2