Malware is a broad term for software written with malicious intent or that damages the systems it runs on. Malware can be classified by its nature and functionality. The most common classes are:
- Viruses – A program that attaches itself to another program or file (its host) and relies on that host being run or copied in order to spread between devices/machines.
- Worms – A program that spreads itself to other devices/machines over a network without needing a host program or any human intervention.
- Trojan Horses – Software that masquerades as useful software but performs hidden malicious actions once installed on a device/machine. Unlike viruses and worms, a Trojan does not replicate on its own.
- Rootkits – A program that hides its own presence (files, processes, network activity) and keeps root/administrative access on a computer; it normally needs those privileges in the first place in order to hook the operating system.
- Spyware – Software that monitors and logs user activity, either passively (e.g. watching traffic) or actively (e.g. a keylogger capturing keystrokes), and reports it back to the attacker.
The general structure of malware has 3 main components:
- Replicator – The function that handles spreading of the malware in whatever way its nature dictates (infecting host files, scanning for other machines, etc.).
- Concealer – The feature or function that keeps the malware undetected, including by antivirus programs (see the stealth, armoring and polymorphism techniques below).
- Bomb – The function that does the actual damage to a device/machine (the payload); it is often held back until a trigger condition such as a date or an infection count is met.
How Malware Stays Hidden
- Stealth – Hiding the traces of viral activity, in the forms listed below:
- Size Stealth – The malware hides the growth in size of an infected file, e.g. by intercepting directory listings and reporting the file's original size, so a simple size check sees nothing wrong.
- Full Stealth – While resident in memory the malware disinfects a host file whenever it is opened (so a scanner or checksum reads a clean file) and re-infects it when it is closed; the infection is only visible from a clean boot.
- Redirection Stealth (Memory-Based Stealth) – The malware redirects any read or check of an infected file to an uninfected copy (or to the original, uninfected bytes). This is done in memory as the application runs.
- Tunneling – Tunnels are system entry points. Malware that tunnels tries to be first in the chain of handlers for a system call or interrupt, or locates the original handler underneath the hooks an antivirus has installed, so that its own file operations bypass the monitor and it can reach its infection points or triggers directly.
- Armoring – Making the malware harder to analyse: the author obfuscates or protects the code and its behaviour against analysis tools using obfuscation, encryption, or system checks (e.g. for the presence of a debugger, emulator or virtual machine).
- Aggression – Malware that attacks the protection software itself, stopping or crippling the regular functioning of antivirus, anti-spyware and similar programs (e.g. killing their processes or blocking their updates). Such malware is also called a retrovirus.
- Polymorphism – The ability of malware to take many forms, making it less predictable and harder to detect by signature. It comes in several grades:
- Oligomorphic malware – The malware varies its concealer (decryptor) only slightly: instead of a single decryptor it carries a small set of them and picks one per infection, so a scanner needs one signature per decryptor. The Whale virus is an example.
- Polymorphic malware – More advanced: the concealer is regenerated for every infection, so a single piece of malware can produce anything from one to millions of distinct decryptors and no single static signature covers them. Scanners counter this by emulating the decryptor and matching the constant body it unpacks.
- Metamorphic malware – Malware that creates a new generation of itself by rewriting not just one constituent but the whole body of the virus, i.e. concealer, replicator and bomb, so there is no constant decrypted body left to match. This is why it is also termed body-polymorphic malware. A good example is MetaPHOR (Metamorphic Permutating High-Obfuscating Reproducer) by The Mental Driller.
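The following Python program is an added example, not part of the original article and not modelled on any real virus: it builds a toy oligomorphic engine (three fixed decryptors) and a toy polymorphic engine (a fresh decryptor per infection), then runs three scanning strategies over the generated samples: matching a body signature on the stored bytes, matching signatures of the known decryptors, and emulating the decryptor before matching. The four-opcode "decryptor bytecode", the constant body string and the engines are all assumptions of the example.

```python
"""Toy oligomorphic/polymorphic engines versus static and emulating scanners.
Added example for illustration; the bytecode, body and engines are invented."""
import random

# Made-up decryptor bytecode (an assumption of this example, not a real ISA):
#   0x90       NOP (junk the engine can sprinkle freely)
#   0x01 <k>   XOR every body byte with k
#   0x02 <k>   ADD k to every body byte (mod 256)
#   0xFF       END of decryptor; the encrypted body follows
OP_NOP, OP_XOR, OP_ADD, OP_END = 0x90, 0x01, 0x02, 0xFF

# Constructed stand-in for the virus's constant body (replicator + bomb).
# Printable ASCII on purpose: it never contains an opcode byte, so a static
# match can only ever succeed on a *decrypted* body, never on the stub.
BODY = b"<toy constant body: replicator+bomb, never changes between infections>"
BODY_SIGNATURE = BODY   # the scanner's signature for the constant body

# Oligomorphic engine: a handful of fixed decryptors, one chosen per infection.
OLIGO_STUBS = [
    [(OP_XOR, 0x13)],
    [(OP_NOP, None), (OP_ADD, 0x5A)],
    [(OP_XOR, 0xC3), (OP_NOP, None)],
]


def serialize_stub(instrs):
    """Encode an instruction list as decryptor bytes, terminated by END."""
    out = bytearray()
    for op, key in instrs:
        out.append(op)
        if key is not None:
            out.append(key)
    out.append(OP_END)
    return bytes(out)


def encrypt_body(body, instrs):
    """Produce the ciphertext the decryptor will undo: apply the inverse of each
    transform in reverse order (XOR is self-inverse, the inverse of ADD is SUB)."""
    for op, key in reversed(instrs):
        if op == OP_XOR:
            body = bytes(b ^ key for b in body)
        elif op == OP_ADD:
            body = bytes((b - key) & 0xFF for b in body)
    return body


def build_sample(instrs):
    """A 'sample' is decryptor stub || encrypted body."""
    return serialize_stub(instrs) + encrypt_body(BODY, instrs)


def polymorphic_engine(rng):
    """Emit a fresh decryptor per infection: random transform, random non-zero
    key (so every body byte really changes) and random junk NOPs on both sides."""
    core = (rng.choice([OP_XOR, OP_ADD]), rng.randrange(1, 256))
    return [(OP_NOP, None)] * rng.randrange(4) + [core] + [(OP_NOP, None)] * rng.randrange(4)


def run_decryptor(sample):
    """Emulate the stub: parse opcodes up to END, then apply them to the body."""
    ops, i = [], 0
    while i < len(sample):
        op = sample[i]
        if op == OP_END:
            i += 1
            break
        if op == OP_NOP:
            i += 1
        elif op in (OP_XOR, OP_ADD):
            if i + 1 >= len(sample):
                raise ValueError("truncated decryptor")
            ops.append((op, sample[i + 1]))
            i += 2
        else:
            raise ValueError(f"unknown opcode {op:#04x} at offset {i}")
    else:
        raise ValueError("decryptor has no END marker")
    body = sample[i:]
    for op, key in ops:   # decrypt in program order
        body = bytes((b ^ key) if op == OP_XOR else ((b + key) & 0xFF) for b in body)
    return body


def static_scan(sample, signature):
    """Plain byte-pattern matching over the file as stored."""
    return signature in sample


def emulating_scan(sample, signature):
    """Run the decryptor in the emulator first, then match on the result;
    a malformed stub simply does not match."""
    try:
        return signature in run_decryptor(sample)
    except ValueError:
        return False


def compare_scanners(seed=1, n=100):
    """Generate n infections from each engine and count detections per strategy."""
    rng = random.Random(seed)
    oligo_instrs = [rng.choice(OLIGO_STUBS) for _ in range(n)]
    poly_instrs = [polymorphic_engine(rng) for _ in range(n)]
    oligo = [build_sample(i) for i in oligo_instrs]
    poly = [build_sample(i) for i in poly_instrs]
    stub_sigs = [serialize_stub(s) for s in OLIGO_STUBS]   # one signature per known stub
    return {
        # body signature on stored bytes: never hits, the body is always encrypted
        "oligo_static_body": sum(static_scan(s, BODY_SIGNATURE) for s in oligo),
        "poly_static_body": sum(static_scan(s, BODY_SIGNATURE) for s in poly),
        # decryptor signatures: cover the small oligomorphic set, miss the polymorphic ones
        "oligo_static_stub": sum(any(static_scan(s, g) for g in stub_sigs) for s in oligo),
        "poly_static_stub": sum(any(static_scan(s, g) for g in stub_sigs) for s in poly),
        "poly_distinct_stubs": len({serialize_stub(i) for i in poly_instrs}),
        # emulate, then match the constant body: catches both families
        "oligo_emulated": sum(emulating_scan(s, BODY_SIGNATURE) for s in oligo),
        "poly_emulated": sum(emulating_scan(s, BODY_SIGNATURE) for s in poly),
    }


if __name__ == "__main__":
    for name, count in compare_scanners().items():
        print(f"{name:>20}: {count}")
```

The body signature never fires on stored bytes for either engine; signatures of the three fixed stubs catch every oligomorphic sample but only the rare polymorphic one that happens to reproduce a known stub; emulation recovers the constant body and catches everything. A metamorphic virus would defeat the last step too, because the recovered body would differ per generation, which is the page's point about body polymorphism.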