The human mind loves to categorise things, and malware is no exception. We here at CSO have done our part: our malware explainer breaks down malware based on how it spreads (self-propagating worms, viruses piggybacking on other code, or sneakily disguised Trojans) as well as by what it does to infected machines (rootkits, adware, ransomware, cryptojacking, and malvertising, oh my).
CSOs can find a lot of this type of technical taxonomy, and there's certainly utility to it. In particular, it can be helpful to differentiate different types of malware infection vectors rather than lumping everything together as a "virus," despite popular usage of the term. But we can also put too much emphasis on these sorts of divisions.
"A lot of the terminology used to describe malware in the 90s and early 00s is still technically accurate, but maybe less relevant than it once was," said Jacob Ansari, Security Advocate and Emerging Cyber Trends Analyst for Schellman, a global independent security and privacy compliance assessor.
"While malware of the prior decades got installed on the target system and then ran by itself without human intervention, most modern attack campaigns are operated by groups of people, what we commonly call threat actors. Attackers still attempt to evade detection and persist despite defences, and make use of a variety of programming or scripting languages to produce their hostile code."
So we asked Ansari and other security pros about how they break down the categories of malware they deal with. In general, we found that there are two different perspectives on malware taxonomy: users can think of how viruses do their dirty work (i.e., what they do to us), or about where they fit into an ecosystem (i.e., what they do for an attacker).
9 common types of computer virus
- Macro viruses
- Polymorphic viruses
- Resident viruses
- Boot sector viruses
- Multipartite viruses
- Command and control
Virus types defined by what they do to businesses
If CSOs want a great perspective on the different types of malware, they could do worse than talk to someone who writes it for a living. That's Dahvid Schloss's job: he's the managing lead for offensive security at cyber security professional services firm Echelon Risk + Cyber, where he works on malware meant to emulate real threat actors to execute command-and-control platforms on his company's adversarial emulation and red team engagements. He broke down the different types of viruses he works with by their function.
"This category is probably the most common malware technique in the world," said Schloss. "Roughly 92 per cent of external attacks begin with phishing, and macros are the core of the problem. A macro is an automated execution of keystrokes or mouse actions that a program can do without user interaction — typically, we're talking about Microsoft Word/Excel macros, which can automate repetitive tasks on the worksheet or document."
Macros are an extremely common malware type. "The delivery method is believable, especially when it looks work related," said Schloss. "Also, the coding language (Visual Basic, in Microsoft’s case) is quite simplistic. Thus, macro viruses reduce the amount of technology skill required to write them."
Lauren Pearce, incident response lead at cloud security company Redacted, agreed. "We continue to see significant damage from unsophisticated malware," she said. "The simple Office document macro reigns supreme as an initial infection vector."
"While the macro virus is the easiest to code, this type [the polymorphic virus] would be the most complex due to the virus being exactly what its name says: polymorphic," said Schloss. "Each time the code runs, it executes slightly differently, and typically every time it moves to a new machine, its code will be slightly different."
CSOs should treat all their children (or enemies) equally, but Schloss admitted that "this category of viruses is my favourite, as it’s intricate and is extremely hard to investigate and detect."
This is a particularly pernicious category: a disembodied virus that doesn't exist as part of a file. "The virus itself is actually executing within the RAM of the host," said Schloss.
"The virus code is not stored within the executable that called it; instead it’s usually stored on a web-accessible site or storage container. The executable that calls the resident code is usually written as non-malicious by intent to avoid detection by an antivirus application."
The term resident virus implies the existence of a non-resident virus, of course. Schloss defines this as "a virus that is contained within the executable that is calling it. These viruses most commonly spread by abusing enterprise services."
Boot sector viruses
"This category I like to call the 'nation state cocktail,'" Schloss explained. "These types of viruses are meant to provide the threat actor with unrestricted and deep persistence. They will infect all the way down to the computer’s master boot record (MBR), meaning that even if users re-image machines, the virus will persist and will be able to execute within the memory of the host upon boot.
"These types of viruses are rare to see outside of nation-state threat actors, and almost always rely on a zero-day exploit to be able to reach the level of the MBR or are spread through physical media such as infected USB or hard drives."
While some malware developers may specialise, others take an "all of the above" approach, attacking everywhere all at once.
"These types of viruses are usually the hardest to contain and deal with," said Schloss. "They will infect multiple parts of a system, including memory, files, executables, and even the boot sector. We see more and more viruses of this variety, and these types of viruses will spread in whatever way they can, usually implementing multiple techniques to maximise spread."
Types of malware defined by what they do for the attacker
Another way of thinking about different malware users will encounter is how they fit into the larger picture of an overall attack. Remember what Schellman's Ansari said above: modern malware is deployed by teams, and the viruses themselves can be thought of as a team as well.
"Many malware campaigns consist of an array of components, sometimes each developed separately or even sourced from other threat actors," Ansari said. He breaks down some of the different players:
Droppers: "This piece of malware is intended to drop other malware onto the infected system," Ansari said. "Victims may get infected with a dropper from a hostile link, attachment, download, or the like—and it typically does not persist after dropping the next stage of malware."
"Macro malware falls into the category of a dropper," added Redacted's Pearce. "It's malware made for the sole purpose of downloading and executing additional malware."
Beacon/payload: These malware types are the next stage in the attack. "Often installed by a dropper, a beacon or payload is the malware that signals back to the threat actor its newly installed means of access," said Ansari. "From here, an attacker can access the victim systems through the means established by the beacon and access the system, the data it contains, or other systems on the network."
Packers: These components package other components, using cryptographic techniques as a means of evading detection. “Some sophisticated malware campaigns use a series of packers, nested like a stacking doll," said Ansari. "Each contains another packed item, until the final payload is able to execute."
Command and control: Every team needs a leader, and that's the role command and control plays for these collaborative malware components.
"These systems, sometimes called C&C, CNC, or C2, operate outside of the victim's environment and allow the threat actor to communicate with the other components of the malware campaign installed on the target system," said Ansari. "When law enforcement targets a threat actor, they often seize the command and control systems as part of their efforts to stop the threat."
Classifying computer viruses
In the end, whatever taxonomy we use shouldn't be overly rigid, but should instead make it easier to communicate important information about cyber threats. And that means tailoring language for the audience, said Ori Arbel, CTO of CYREBRO, a security services provider.
"If I'm writing for CISOs, they would think about it from a risk perspective," he said, "while the general public would better understand commonly used names in the news. These virus categorisations are presented from the point of view of what will be most easily understood — but doing it that way doesn't necessarily communicate the best actions for security professionals to take.
"If I'm writing for a group of threat intelligence pros, I would use terms related to geolocation and the attacker's motivation rather than what the virus actually does."
We'll end with one last way to categorise viruses, one that really only makes sense from the perspective of the virus hunters themselves: viruses that are worthy adversaries, and those that are not.
"As a reverse engineer, I take pleasure from the puzzle of reversing," said Redacted's Pearce. "Macros present a significant threat to a network, but they are not particularly fun to reverse. I enjoy reversing samples that use anti-analysis techniques to actively fight against being reversed.
"Malware may use anti-debugging techniques that detect and respond to a debugger via methods such as check summing or timing attacks. Use of anti-analysis techniques indicate a skilled malware author and serve to increase the amount of time in between detection of a sample and extraction of useful indicators to counter it."
Just because adversaries are criminals doesn't mean CSOs can't respect them for putting pride into their work.