I’ve been considering writing a “101” series for a while, so, here we have it. I’ll start from the very basics and build up from there, over time, to analyzing documents, executables, scripts, etc.
For our purposes, I’m going to assume that you have a basic understanding of host and network technologies, but know nothing about malware.
So, to start with, what is malware? My working definition is “malware is any software used for a malicious purpose.” In other words, Remote Desktop or PowerShell are malware if they’re used maliciously; NjRAT is not malware if it’s being used legitimately for remote system administration. Simple enough, right?
Now, we tend to broadly categorize malware into a number of areas, just to make it a bit simpler to approach:
- Virus – a virus is a piece of malicious software that “infects” legitimate files; that is to say, it has the ability to add malicious code to an existing file. Viruses were, at one time, the most prevalent form of malware, but in truth, we seldom see them anymore.
- Trojan – a trojan, short for “trojan horse,” is a piece of malware intended to fool you into installing it, either by claiming to be something else, or by actually providing a legitimate capability while sneaking in malicious capabilities as well. Downloading that cracked version of your favorite antivirus program may well lead to installation of a trojan.
- Worm – a worm is a piece of malware that is able to spread on its own, either by exploiting network/host vulnerabilities, or by exploiting human ignorance; an example of the latter might be malware which emails itself to everyone in your address book, then counts on their ignorance to install itself and spread further.
- RAT – A remote access trojan is a piece of malware which allows an attacker to remotely access your computer. Often, these are billed as “remote administration tools,” because, well, they can be used for that. Remember, it’s only malware if used maliciously.
- Ransomware – ransomware is malware which encrypts files and asks for payment in order to have those files restored. Paying the ransom may or may not actually lead to file restoration.
- Logic bomb – another kind of malware we seldom see anymore, a logic bomb is a piece of malware which lies dormant until some trigger is activated, and then engages in malicious activity; most traditionally, these would wait for a certain date and then destroy data.
Now, it’s important to note that these broad categories are less useful than they used to be. Malware increasingly blurs the lines between them. WannaCry ransomware, for example, was both a worm and ransomware. This piece of malware was both a USB worm and a logic bomb. Still, these categories can provide a model for helping us to understand malware, especially in the early days of learning.