Malware Types & Detection Techniques
Understand common malware families, how they operate, and the detection capabilities used by defenders.
Malware Classification
| Category | Description | Examples & Notes |
|---|---|---|
| Viruses | Self-replicating code that attaches to legitimate files/executables. | ILOVEYOU, Michelangelo. Requires user action to execute the infected file. |
| Worms | Self-propagating malware exploiting network vulnerabilities. | Conficker, WannaCry. Spreads without user interaction. |
| Trojans | Malicious payload hidden inside seemingly legitimate software. | Emotet loader, remote access Trojans (RATs). Delivered via phishing, cracked software. |
| Ransomware | Encrypts data and demands payment for decryption. | LockBit, Conti, Ryuk. Double extortion: data exfil + encryption. |
| Spyware/Stealers | Captures keystrokes, credentials, or sensitive data. | AgentTesla, RedLine, keyloggers, screen scrapers. |
| Adware/PUPs | Displays unwanted ads or installs unwanted programs. | Bundled toolbars, click-fraud bots. May degrade performance. |
| Rootkits | Hide the presence of malware by modifying OS/kernel components. | TDL4, ZeroAccess. Can operate at firmware or hypervisor level. |
| Bootkits | Persist in boot loaders or EFI firmware. | TrickBoot, FinSpy. Survive OS reinstalls if firmware is not reflashed. |
| Fileless/Memory Resident | Operate in memory using LOLBins, scripts, WMI. | PowerShell Empire, Cobalt Strike beacons, living off the land. |
| Mobile Malware | Targets Android/iOS platforms. | BankBot, Pegasus. Distributed via side-loading, malicious apps. |
| Industrial/OT Malware | Targets ICS/SCADA environments. | Stuxnet, Triton, Industroyer. Manipulates PLCs, safety systems. |
Typical Malware Campaign Lifecycle
- Delivery: Phishing email, drive-by download, exploit kit, USB drop, supply chain.
- Execution: Initial payload runs (script, macro, dropper, LOLBin).
- Persistence: Registry run keys, scheduled tasks, services, bootkits.
- Privilege Escalation & Defence Evasion: Credential theft, token impersonation, disabling AV.
- Command & Control (C2): HTTP/S, DNS, TLS, covert channels (steganography, social media).
- Actions on Objective: Data theft, encryption, lateral movement, system sabotage.
- Cleanup & Monetisation: Covering tracks, collecting extortion payments, reselling access.
Malware Detection Approaches
Static Analysis
- Signature-based (hashes, byte patterns, YARA rules).
- Heuristic scanning (suspicious code constructs, entropy, packer detection).
- File metadata checks (Authenticode signatures, certificates, PE header anomalies).
- Limitations: easy to evade with polymorphism, packing, encryption.
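As an added illustration (not part of the original page), the script below applies the static checks listed above, a hash denylist lookup, a byte-pattern signature match and a Shannon-entropy packing heuristic, to a constructed stand-in file and to the same bytes under a seeded XOR keystream, which shows the evasion the limitations bullet describes. The denylist, the signature string and both samples are constructed for the example and are not real IOCs.

```python
import hashlib
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.0   # bits per byte; packed or encrypted content usually sits above this
CHUNK = 512          # window size for per-region entropy (packers leave small plain stubs)

# Hypothetical denylist of known-bad SHA-256 digests (empty here; constructed, not real IOCs).
KNOWN_BAD_SHA256 = set()
# Hypothetical byte-pattern signatures, the kind of "strings" a YARA rule would carry.
BYTE_SIGNATURES = {"constructed_marker": b"CONSTRUCTED-SAMPLE-MARKER"}

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_chunks(data: bytes) -> list:
    """Indices of CHUNK-sized windows whose entropy exceeds HIGH_ENTROPY."""
    return [i // CHUNK for i in range(0, len(data), CHUNK)
            if shannon_entropy(data[i:i + CHUNK]) > HIGH_ENTROPY]

def static_scan(data: bytes) -> dict:
    """Hash lookup, byte-signature match and entropy heuristic over one file image."""
    digest = hashlib.sha256(data).hexdigest()
    overall = shannon_entropy(data)
    return {
        "sha256": digest,
        "hash_match": digest in KNOWN_BAD_SHA256,
        "signature_hits": [n for n, pat in BYTE_SIGNATURES.items() if pat in data],
        "overall_entropy": round(overall, 3),
        "high_entropy_chunks": high_entropy_chunks(data),
        "suspect_packed": overall > HIGH_ENTROPY,
    }

def build_samples() -> tuple:
    """Constructed stand-in 'binary' and the same bytes XORed with a seeded keystream."""
    plain = (b"MZ" + b"\x00" * 200
             + b"Constructed benign stand-in for an executable image. " * 20
             + BYTE_SIGNATURES["constructed_marker"] + b"\x00" * 300)
    rng = random.Random(1234)  # fixed seed: reproducible "encryption" of the sample
    keystream = bytes(rng.getrandbits(8) for _ in range(len(plain)))
    return plain, bytes(p ^ k for p, k in zip(plain, keystream))

if __name__ == "__main__":
    for label, sample in zip(("plain", "encrypted"), build_samples()):
        print(label, static_scan(sample))
```

The plain sample matches the signature and scans as low entropy; the XORed copy no longer matches the signature but is flagged by the entropy heuristic, which is why the two checks are used together.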
Dynamic Analysis
- Sandbox execution (Cuckoo, ANY.RUN, cloud sandboxes) observing behaviour.
- API call monitoring, network traffic analysis, filesystem/registry changes.
- Behavioural indicators stored in SIEM/EDR detection rules.
- Limitations: environment-aware malware may detect virtualization or simply wait out the sandbox timeout before acting.
Machine Learning / AI
- Static ML: feature extraction from binaries (imports, n-grams, opcodes).
- Behavioural ML: modelling process chains, user behaviour analytics.
- Requires large labelled datasets and retraining to avoid concept drift.
Cloud & Endpoint Telemetry
- EDR platforms: monitor process, memory, registry, script activity.
- Cloud workload protection: container, serverless, VM introspection.
- Network detection (IDS/IPS, DNS monitoring, TLS fingerprinting).
Indicators of Compromise (IOCs)
- File indicators: Hashes (MD5/SHA1/SHA256), file paths, filenames, digital certificate anomalies.
- Network indicators: IP addresses, domains, URLs, JA3/JA3S TLS fingerprints, user agents.
- Behavioural indicators: Unusual parent-child process chains, persistence mechanisms, script execution patterns.
- Memory indicators: Injected modules, suspicious mutexes, strings, reflective loaders.
- Leverage STIX/TAXII feeds, ISACs, VirusTotal, MISP for sharing IOCs.
Layered Malware Defence
Prevent
- Patch management, application whitelisting, least privilege.
- Secure email gateways, sandboxing, zero trust network access.
- User awareness training and phishing simulations.
Detect
- Endpoint detection & response (EDR), anti-malware engines.
- SIEM correlation rules, anomaly detection, threat hunting.
- Network traffic analysis: IDS/IPS, DNS monitoring, proxy logs.
Respond
- Containment playbooks (isolation, account resets, firewall blocks).
- Forensic imaging, evidence preservation.
- Eradication (rebuild systems, remove persistence), recovery (restore from clean backups).
Tools & Labs
- Static Analysis: PEStudio, Detect-It-Easy (DIE), YARA, Ghidra, IDA Free.
- Dynamic Analysis: Remnux, FLARE VM, Cuckoo Sandbox, ANY.RUN.
- Threat Intel Platforms: MISP, OpenCTI, VirusTotal Intelligence.
- EDR/AV Solutions: Microsoft Defender for Endpoint, CrowdStrike, SentinelOne.
- Training Labs: Malware Traffic Analysis, TryHackMe, Blue Team Labs Online.