Classification of malware based on compositions and combination.

META

Classification of Malware Based on Compositions and Combination

Introduction

Nowadays, in the age of information technology, it is already difficult to find people who are not familiar with such terms as malware, computer virus, computer worm, trojan, ransomware, etc. In addition, most people from this group also know or suspect that such malware can be combined; for example, a trojan can hide ransomware, and a worm can cooperate with a virus, and so on. In addition, there is a fairly large number of books and articles describing malware and their compositions with each other. Therefore, a logical question arises: why is another article describing the classification of malware needed?

There are several reasons for this. Firstly, when describing one or another type of malware, there are cases where several different functions from different malware are merged together (for example, when ransomware and lockers are described as viruses), or secondary functions are attributed to one malware while ignoring its basic ones (for example, when describing a trojan, it is often not about its function to “deceive” a person, but about a specific execution logic). Secondly, the composition of malware in literature is often described through particular cases without attempting to generalize already studied primitives into certain classes of software with similar characteristics.

Thus, the goal of this article will be:

1) reducing the description of malware to their basic functions,
2) generalizing the relationships of heterogeneous software according to their more fragmented classifications.

Further in the work, I will sometimes shorten “malicious software” to “malware”.

---

Types of Malware

Before starting the classification of malware, we first need to consider the primitives on the basis of which malware classes will be formed. The task of this chapter is to reduce the functions of each malware to its minimum, to its basic (pure) function, excluding additional actions that are not inherent to the malware itself de facto.

Virus

The main characteristic of a virus is its self-replication, due to which it becomes capable of injecting its code into other software, thereby infecting them. The infected software, as a result of infection, becomes capable of further self-replicating the virus code to other software. A pure virus does not carry any other logic except self-replication.

Currently, macro viruses that embed themselves into files such as .docx, .xlsx, etc., are the most common, while classic viruses have practically died out due to increasingly complex and advanced operating systems, compilers, and the diversity of programming languages. The need to take into account all possible variations of software, OS protection, compiler optimizations, and so on has minimized the use of classical viruses.

Trojan

The main characteristic of a trojan is to deceive victims by using the shell of non-malicious software. As a result, the pure form of a trojan is expressed only by its shell, nothing more.

Compared with a virus (as well as with many other types of malware), a trojan does not have execution algorithms as such, because it is only a shell, a form without content. By itself it is meaningless, just like a virus that does not execute any specific logic; but only through such reductions to pure functions will we later be able to consider compositions of heterogeneous software more effectively.

Worm

The main characteristic of a worm is its self-replication, due to which it becomes capable of duplicating itself both within a single system, by creating numerous copies in directories, and across systems, by creating a copy of itself on each system it reaches.

Unlike a virus, which also has a self-replication mechanism, a worm does not embed itself into existing software but creates its own copy as a separate file.

Ransomware

The main characteristic of ransomware is the encryption of files on the victim’s system in such a way that the victim cannot recover the previously encrypted data. In such a case, the victim simply loses all files that were ever saved.

Ransomware is often also called extortionware, which is justified to some extent since it often offers a method to decrypt previously encrypted files in exchange for payment.

Unlike previously discussed viruses, trojans, and worms, which do not necessarily contain destructive logic, ransomware represents an openly destructive process as its pure logic.

Locker

The main characteristic of a locker is blocking the victim’s actions while working in the system. In such a case the victim may not be able to move the mouse, view files, or even access the file system.

Lockers are sometimes also called extortionware when they block the screen and display a password input field together with payment details to “buy back” the ability to continue using the system.

Unlike ransomware, which blocks access to files by encrypting them, lockers block the interface without damaging the files themselves.

Remote Access Program

A remote access program by itself is not malware, but it can be used as such. In the representation of pure functions, remote access programs represent only the transfer of data from one system to another, nothing more.

Associated actions (including destructive ones) can be considered as a combination of the use of several programs.

Remote access programs used as malware are also called RAT (Remote Access Trojan). From the perspective of our concept this is not entirely correct, because remote access programs in their pure form are separated from trojans and therefore do not represent a method of deception. In addition, a remote access program can be installed by other methods besides trojans, which causes the term RAT to lose its validity.

For further shortening I will sometimes use the abbreviation RAP — Remote Access Program.

Stealer

The main characteristic of a stealer is the automatic theft of information from the victim’s system. Unlike viruses, worms, trojans, and remote access programs, a stealer reduces its pure function to a specific action-result, similar to lockers and ransomware.

Stealers exist in many forms, from spyware programs that read information from keyboards and webcams in real time to stealers stored on flash drives or embedded into Arduino code for automatic execution.

Rootkit

The main characteristic of a rootkit is hiding actions, covering tracks, or ensuring the fault tolerance of specifically defined programs. A rootkit in its pure form does not inherit destructive logic like ransomware, lockers, and stealers, but ensures concealment of their actions or prevents them from being prematurely terminated.

Thus, rootkits can be considered helpers that ensure uninterrupted execution of specific external functions.

Bootkit

The main characteristic of a bootkit is executing programs before the operating system loads, which allows it to effectively hide the processes it started earlier: they cannot be seen using standard OS tools.

The pure function of a bootkit represents only the possibility of executing predefined actions without determining their purpose.

In other words, a bootkit in its pure technical representation may be harmless, for example writing “hello, world” into a specific HDD or SSD sector before the OS loads.

Botnet

The main characteristic of a botnet is the cooperation of many infected victims (bots) to perform a planned action requiring significant computing resources.

Examples include miners calculating hashes for Proof-of-Work tasks or distributed denial-of-service (DDoS) attacks.

Botnets can be centralized or decentralized. The decentralized form may be divided into two types: controlled and uncontrolled botnets. In the first case there is a controlling node; in the second case no control exists, meaning hardcoded settings cannot be changed remotely.

Spammer

The main characteristic of a spammer is creating, displaying, or replacing advertising banners in browsers, applications, and websites, as well as possibly sending messages through messengers, social networks, and email.

Among malware that represents specific functions such as ransomware, lockers, stealers, and botnets, spammers are the least harmful.

This type of malware is also known as adware.

Installer

The main characteristic of an installer is automatic downloading and launching of programs.

Installers are somewhat similar to remote access programs because both are used to transport data. However, unlike remote access programs, whose actions are performed manually by the attacker toward the victim, installers act autonomously according to predefined algorithms and their actions are directed from the victim toward the attacker.

Logic Bomb

The main characteristic of a logic bomb is checking for a condition under which certain software will be unpacked and/or executed.

Unlike many other malware types, a logic bomb is not self-sufficient and can be considered useless on its own, just like remote access programs, viruses, trojans, worms, rootkits, and bootkits without accompanying payload logic.

Wiper

The main characteristic of a wiper is the irreversible deletion of all possible files on the victim’s system.

Unlike many ransomware programs that allow file recovery after payment, wipers act more radically.

Initializer

The main characteristic of an initializer is installing malware into the automatic startup process of the operating system.

It is one of the most common helper components due to its simplicity and ability to ensure program execution even after a system reboot.

In addition to the fifteen types of malware listed above, there are many other programs, from software endlessly opening and closing disk drives to programs filling disk space and BIOS-level malware.

However, the above list is sufficient to analyze combinations and start classifying malware according to how it is used together with other malware.

---

Classification of Malware

All the malware types described above can be classified according to their pure functions.

Some malware types have a strictly defined final execution logic as their pure function, such as ransomware, lockers, stealers, spammers, botnets, and wipers. They can theoretically exist independently from other malware and perform their payload. These types will be referred to as executors.

Another pattern can also be observed among other malware types — transportation. Trojans, worms, remote access programs, and installers represent methods of transferring malware from one system to another. These will be referred to as distributors.

Finally, the remaining malware types — viruses, rootkits, bootkits, logic bombs, and initializers — can be classified as helpers, whose pure function is supporting other malware, providing resilience, persistence, and concealment.

Helpers exist within a single system and support the main purpose of other malware.

---

Compositions of Malware Classes

It is rare to encounter executors, distributors, or helpers in pure form. Without composition, malware samples quickly become ineffective. Most malware represents a composition of several types and classes.

Using malware without compositions is practically meaningless. For example, spreading through systems without payload is pointless, but having payload without spreading or persistence is also ineffective.

Various compositions are therefore used.

Executor + Distributor is one of the most common combinations. For example: Worm + Ransomware or Trojan + Stealer.

Executor + Helper often forms the core of malware, ensuring stable execution of the payload.

Executor + Executor may also exist, such as Ransomware + Locker.

Helper + Distributor is used to ensure persistence of distributors.

Helper + Helper strengthens resilience.

Distributor + Distributor is a powerful spreading mechanism, such as Trojan + Worm.

Executor + Helper + Distributor represents the most complete and stable composition, combining scalability and survivability.

---

Compositions in the Real World

WannaCry

Consists of ransomware, a worm, and an initializer.

Petya

Uses a worm, a bootkit, a locker, and destructive encryption.

PlugX

Consists of a trojan, worm, remote access program, and initializer.

Nscpucnminer

A combination of trojan, botnet, and initializer used for cryptocurrency mining.

ZeuS

Initially consisted of trojan, stealer, and initializer, later expanded with remote access programs, botnets, and spammers.
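The three classes defined above and the real-world compositions listed here, encoded as a small Python model (an added example, not code from the original post): it maps each of the fifteen primitives to its class, names a sample's composition in the post's "Executor + Helper + Distributor" form, and reports which classes a sample lacks. Treating Petya's destructive encryption as the ransomware primitive is an assumption made here.

```python
# Added example (not from the original post): the post's three-class model
# and a helper that names a sample's composition the way the post does.
EXECUTORS = {"ransomware", "locker", "stealer", "spammer", "botnet", "wiper"}
DISTRIBUTORS = {"trojan", "worm", "rap", "installer"}
HELPERS = {"virus", "rootkit", "bootkit", "logic bomb", "initializer"}

CLASS_OF = {t: "Executor" for t in EXECUTORS}
CLASS_OF.update({t: "Distributor" for t in DISTRIBUTORS})
CLASS_OF.update({t: "Helper" for t in HELPERS})
# Ordering used in the post for the full composition name.
CLASS_ORDER = ("Executor", "Helper", "Distributor")

def classify(types):
    """Return the set of classes present in a composition of primitives."""
    unknown = [t for t in types if t not in CLASS_OF]
    if unknown:
        raise ValueError(f"not one of the fifteen primitives: {unknown}")
    return {CLASS_OF[t] for t in types}

def composition_name(types):
    """Name the composition as the post does, e.g. 'Executor + Distributor'."""
    present = classify(types)
    return " + ".join(c for c in CLASS_ORDER if c in present)

def gaps(types):
    """Classes missing from a sample, with what that means for it on its own."""
    present = classify(types)
    reasons = {"Executor": "no payload of its own",
               "Distributor": "cannot spread to other systems",
               "Helper": "no persistence or concealment"}
    return {c: reasons[c] for c in CLASS_ORDER if c not in present}

# Constructed from the post's "Compositions in the Real World" section; Petya's
# "destructive encryption" is taken as the ransomware primitive (an assumption).
SAMPLES = {
    "WannaCry": ["ransomware", "worm", "initializer"],
    "Petya": ["worm", "bootkit", "locker", "ransomware"],
    "PlugX": ["trojan", "worm", "rap", "initializer"],
    "Nscpucnminer": ["trojan", "botnet", "initializer"],
    "ZeuS (initial)": ["trojan", "stealer", "initializer"],
}

if __name__ == "__main__":
    for name, parts in SAMPLES.items():
        print(f"{name}: {composition_name(parts)}; gaps: {gaps(parts) or 'none'}")
```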

---

Conclusion

As a result of the above analysis, a classification of malware based on compositions was formed. The main classes were identified as executors, distributors, and helpers.

This model allows a more accurate deconstruction and analysis of existing malware by viewing them as compositions of basic primitives.
 