As an introduction to this set of articles about malware analysis, I thought I could sum up my researches about malware types since I found a lot of contradictory articles on the web.
Malware stands for Malicious software. I just wanted to point that out so you keep in mind that malwares are intentionally bad. They are different from software causing harm due to a programmer who made a mistake. Interestingly, those two types of software are sometimes merged into one category and called badwares.
Types of malware
People have a tendency to call every malware a virus. Journalists use the words trojan and rootkit as if they were synonymous. But all of these words have a very specific meaning. One of the most important things to remember is that all the categories I will enumerate below are not mutually exclusive. Why? Because there are several ways of classifying malwares: you can for instance focus on the way they infect a computer, but you can also describe what they do once they are in. As a consequence, a malware almost always belongs to multiple categories, depending on its features.
A virus is a piece of code that attaches itself to a program or file, enabling it to spread from one computer to another exactly like a human virus would do with people. The key thing here is that the virus needs the program or file it infected to be run. It cannot spread by itself.
As opposed to a virus, a worm is a standalone program. It can replicate itself and spread over the network without requiring any particular action from the system or a user. Notably, as worms tend to do lots of copies of themselves, they often slow down the host system or the network even if they don’t carry a payload.
A Trojan (or Trojan horse) is a malware that disguises itself as a normal, useful or interesting file or program in order to trick users into downloading and installing them. Unlike viruses and worms, Trojans are not made to replicate themselves and spread to other machines. Many modern forms of Trojans carry a backdoor so that the attacker can remotely have unauthorized access to the infected computer.
The name rootkit contains the word root and that’s not a coincidence. Rootkits are collections of software designed to maintain root access (or at least unauthorized) to a computer. They are thus built to conceal their existence or the existence of other malwares already installed on the machine. For that, they use very complex techniques of altering filesystems, modifying system configuration, intercepting syscalls, etc. In a word, they are very difficult to find and even more to eradicate, and they are supposed to give full access and control of your computer to an attacker.
A ransomware is a form of malware designed to hold a computer system captive while demanding a ransom. They can lock you out of your computer but most of the time, they prefer encrypting files on your hard drive. Your only choice is then to pay the attacker in order to get the decryption key and recover you data. They are quite trendy nowadays and very effective.
Again, the word spyware speaks for itself: spywares are malwares that spy on you. One may say they are passive malwares. For instance, keyloggers are spywares. More generally, a spyware is designed to collect data from your computer without you knowing it. It can be passwords, financial data, account information, etc. It is not rare that they ship with trusted software, especially on Windows systems. Their role is then to send data like browsing history to a company.
Adwares are more annoying than destructive. Basically, they flood you with advertisement banners and stuff like that. Most of the time, they come with a legit software. An adware is then considered a malware if this trusted software does not warn you about that.
And I’m gonna stick to those ones. Like I said, I read a lot of different points of view. You just read mine. If you disagree, please let me know and I’ll be more than happy to debate about that!