Overview
This lecture introduces malware taxonomy, focusing on how malware is classified based on behavior and characteristics to predict its actions and inform responses.
Malware Classification Approaches
- Malware can be classified by behavior (e.g., infector, worm, Trojan, backdoor, remote access, info stealer).
- Other classification methods include dependencies (what it needs to run) or vector (how it spreads, such as email or video).
- Malware often fits multiple categories simultaneously due to complex designs.
Infector Malware (Viruses)
- Infectors, commonly called viruses, attach malicious code to a host and are typically self-replicating.
- Historically, infectors spread via removable media such as floppy disks carried from machine to machine (the "sneakernet"), but today they mostly use internet vectors (email, web).
- Subcategories include file infectors, boot sector infectors, and multipartite (multi-part) infectors.
File Infectors
- File infectors attach themselves to host application files, making the file larger; once the malicious code has run, control is passed back to the original program so the host appears to work normally.
- They may remain dormant until the infected file is run, causing delayed activation.
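Because a file infector makes its host larger and changes its content, the classic defensive check is a file-integrity baseline: record size and hash for every file, re-scan later, and report what grew, changed, appeared or vanished. The script below is an added example written for these notes, not code from the lecture; the sample "install" (app.exe, readme.txt) and the after-the-fact modifications are constructed in a temporary directory purely so the scanner has something to compare.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    """Size and SHA-256 of one file; a parasitic infector changes both."""
    size: int
    sha256: str


def fingerprint(path):
    """Hash a file in chunks so large executables never have to fit in memory at once."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return FileRecord(size, digest.hexdigest())


def build_baseline(root):
    """Map every file under root (by relative path) to its FileRecord."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, root):
    """Re-scan root and return sorted (relative path, verdict) pairs for every deviation.

    'grown'   : same file, larger than at baseline (the file-infector signature)
    'changed' : same file, different content but not larger (overwriting, or a legitimate update)
    'new'     : a file absent from the baseline (e.g. a companion placed next to a host)
    'missing' : a baselined file that is gone
    """
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new != old:
            findings.append((rel, "grown" if new.size > old.size else "changed"))
    for rel in current.keys() - baseline.keys():
        findings.append((rel, "new"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a tiny install, then alter it the way a later scan would observe it."""
    with tempfile.TemporaryDirectory() as root:
        host = os.path.join(root, "app.exe")
        with open(host, "wb") as handle:
            handle.write(b"MZ original program body")   # constructed host program
        with open(os.path.join(root, "readme.txt"), "wb") as handle:
            handle.write(b"documentation")               # untouched control file
        baseline = build_baseline(root)

        # What the second scan sees: the host has extra bytes appended (it grew)
        # and an unexpected sibling file has appeared next to it.
        with open(host, "ab") as handle:
            handle.write(b"<appended bytes, constructed>")
        with open(os.path.join(root, "app.com"), "wb") as handle:
            handle.write(b"constructed companion file")
        return compare(baseline, root)


if __name__ == "__main__":
    for rel, verdict in demo():
        print(f"{verdict:8} {rel}")
```

In practice the baseline is taken from known-good media and stored off the monitored host, since an infector that can modify executables can also modify a baseline file kept beside them.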
Memory Injection
- Memory injection infects system memory (RAM) rather than files on disk, lying in wait until a target application runs.
- Modern systems make memory injection more challenging due to improved protections.
Executables, Macros, and Scripts
- Executable infectors target files like .exe and .com, using methods such as overwriting, companion, or parasitic approaches.
- Macro viruses exploit applications like Excel using scripts (VBA), while script viruses use languages such as VBS, Python, and JavaScript.
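Modern Office documents are zip containers (OOXML), and any VBA macro code lives in a member named vbaProject.bin. A useful first-pass triage is therefore to check whether that member exists and whether the file's extension declares it should (.xlsm, .docm, ...) or not (.xlsx, .docx). The script below is an added example for these notes, not lecture code; the sample files are minimal constructed zips shaped like Office documents, not real ones, and legacy binary .doc/.xls files are only reported as needing a different parser.

```python
import io
import os
import zipfile

# Office extensions whose format is declared macro-enabled (Word, Excel, PowerPoint families).
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def vba_members(data):
    """Names of zip members that hold a VBA project in an OOXML container (empty if none or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return [name for name in archive.namelist() if name.lower().endswith("vbaproject.bin")]
    except zipfile.BadZipFile:
        return []


def triage(filename, data):
    """Classify an Office file for macro review.

    'no-vba'         : OOXML container without a VBA project
    'vba-declared'   : macro-enabled extension and a VBA project present (expected pairing; still review the code)
    'vba-undeclared' : non-macro extension but a VBA project is embedded (mismatch worth a closer look)
    'not-ooxml'      : not a zip container (legacy OLE .doc/.xls need an OLE parser instead)
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-ooxml"
    if not vba_members(data):
        return "no-vba"
    ext = os.path.splitext(filename)[1].lower()
    return "vba-declared" if ext in MACRO_ENABLED_EXTS else "vba-undeclared"


def build_sample(kind, with_vba):
    """Construct a minimal OOXML-shaped zip (not a real Office file) for offline testing."""
    part_dir = {"word": "word", "xl": "xl"}[kind]
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr(f"{part_dir}/document.xml", "<placeholder/>")
        if with_vba:
            # Real vbaProject.bin parts are OLE compound files; this is a constructed placeholder.
            archive.writestr(f"{part_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buffer.getvalue()


def demo():
    """Run triage over four constructed samples and return {filename: verdict}."""
    samples = {
        "budget.xlsx": build_sample("xl", with_vba=False),
        "budget.xlsm": build_sample("xl", with_vba=True),
        "invoice.docx": build_sample("word", with_vba=True),   # VBA inside a 'plain' extension
        "legacy.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed OLE header",
    }
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:15} {name}")
```

Presence of a VBA project is a triage signal, not a verdict: a declared macro file may be a legitimate spreadsheet, and the actual macro code still has to be reviewed (for example with an OLE/VBA extraction tool) before deciding.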
Infection Techniques
- Overwriting replaces the original file code, often causing the application to fail.
- Companion viruses use the operating system’s file search order to execute malicious code instead of the intended program.
- Parasitic methods attach to files but allow the original program to run, making detection harder.
System Path and Infection
- Malware can exploit the system PATH variable so that its version of a file is found and run before the legitimate one.
- Using full file paths (e.g., C:\Windows\System32\Notepad.exe) when launching programs helps prevent accidental execution of malware.
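The companion technique and the PATH trick are both consequences of how a bare command name is resolved, so the two bullets above are best understood with a small model of that lookup. The script below is an added example for these notes, not lecture code. It assumes the cmd.exe convention of searching the current directory first and then PATH entries left to right, trying the PATHEXT extensions in their default order (.COM before .EXE) inside each directory; the real CreateProcess search order has extra steps, so treat this as a simplification. The host, its directories, file names and writable-directory set are all constructed.

```python
from dataclasses import dataclass

# Windows default PATHEXT order: .COM is tried before .EXE, which is why a stray
# notepad.com in an earlier directory wins over notepad.exe in System32.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD"]


@dataclass
class Host:
    """Offline model of a machine: which files sit in which directory, the PATH order,
    and which directories a standard (non-admin) user can write into."""
    files: dict          # directory -> set of file names
    path: list           # PATH entries in order
    user_writable: set   # directories writable by an unprivileged user


def search_order(host, cwd):
    """cmd.exe style order: current directory first, then PATH left to right."""
    return [cwd] + list(host.path)


def resolve(host, command, cwd):
    """Return the (directory, file name) that `command` launches, or None.

    A fully qualified path is opened directly with no search. A bare name is searched
    directory by directory, trying each PATHEXT extension in order within a directory.
    """
    if "\\" in command:
        directory, _, name = command.rpartition("\\")
        present = {n.lower(): n for n in host.files.get(directory, ())}
        hit = present.get(name.lower())
        return (directory, hit) if hit else None
    for directory in search_order(host, cwd):
        present = {n.lower(): n for n in host.files.get(directory, ())}
        for ext in PATHEXT:
            hit = present.get((command + ext).lower())
            if hit:
                return (directory, hit)
    return None


def writable_before(host, cwd, legit_dir):
    """Audit: directories searched ahead of legit_dir that an unprivileged user can write into.
    Any entry here means a bare command name can be shadowed without admin rights."""
    order = search_order(host, cwd)
    return [d for d in order[:order.index(legit_dir)] if d in host.user_writable]


# Constructed example host (not a real system)
SYSTEM32 = "C:\\Windows\\System32"
DOWNLOADS = "C:\\Users\\alice\\Downloads"
TOOLS = "C:\\Tools"

HOST = Host(
    files={
        SYSTEM32: {"notepad.exe", "cmd.exe"},
        TOOLS: {"build.bat"},
        DOWNLOADS: {"notepad.com", "report.pdf"},   # stray companion-style file, constructed
    },
    path=[TOOLS, SYSTEM32],
    user_writable={DOWNLOADS, TOOLS},
)


def demo():
    """Bare name vs. full path from the same working directory, plus the PATH audit."""
    bare = resolve(HOST, "notepad", cwd=DOWNLOADS)
    qualified = resolve(HOST, SYSTEM32 + "\\notepad.exe", cwd=DOWNLOADS)
    exposure = writable_before(HOST, DOWNLOADS, SYSTEM32)
    return bare, qualified, exposure


if __name__ == "__main__":
    bare, qualified, exposure = demo()
    print("bare name  ->", bare)
    print("full path  ->", qualified)
    print("user-writable dirs searched before System32:", exposure)
```

The audit function is the actionable part: on a real host the same check would be run against the actual PATH and directory ACLs, and any user-writable directory listed ahead of the system directories is a finding to fix, independent of whether anything malicious is present yet.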
Key Terms & Definitions
- Malware — Malicious software designed to harm or exploit systems.
- Infector (Virus) — Self-replicating malware attaching to host files.
- Vector — The method or channel used to spread malware.
- File Infector — Malware that attaches to and infects files on the system.
- Boot Sector Infector — Malware targeting a drive’s boot sector.
- Multipartite — Malware combining multiple infection methods.
- Memory Injection — Technique where malware infects system memory instead of files.
Action Items / Next Steps
- Review pages 28–29 for deeper understanding of infector types and mechanisms.
- Be familiar with the terms and examples discussed for future lectures or quizzes.