Malware Classification an Executive Overview

The digital age of today demands executives to be aware of the growing concerns of Cyber Security; threats and business risks associated with it.This article is specially organized to provide the executive level  overview of the different classes of malware programs that have been observed in the wild. One thing the reader should note that the following classification of malwares are not mutually exclusive. Specific malware instances may exhibit the characteristics of multiple classes at the same time.

Malware classification

                                                Malware classification


They are Prevalent in networked environments, such as the Internet or Corporate networks, a worm can be defined as:

“A software program that can run independently and can propagate a fully working version of itself to other computing equipment.”

This reproduction is the major characteristic behavior of a worm. The Morris Worm is the first publicly known instance of a software program that exposes worm-like behavior on the Internet.however unlike viruses, they do not infect existing files. Instead, worms are installed directly onto their victims’ computers in a single instance of “self standing” code, before finding opportunities to spread or tunnel themselves into other systems through things like the manipulation of vulnerable computer networks.they infect, like through email, instant messaging or file sharing.  Some worms exist as standalone files, while others reside in computer memory only.

More recently, in July 2001, the Code Red worm infected thousands (359,000) of hosts on the Internet during the first day after its release.

Today, the Storm worm and others are used to create botnets that are rented out by the bot masters to send spam emails or perform distributed denial of service attacks (DDoS) , where multiple worm infected computers try to exhaust the system resources or the available network bandwidth of a target in a coordinated manner. Like the one seen recently conducted on Dyn dns servers using the IoT devices , DVRs and webcams that caused the service failure by major internet companies like Twitter,Spotify,Paypal,Reddit and many more.(you can read more about this attack here.) 


It is the most commonly used terminology to be given to the malicious software. As with worms, viruses usually propagate themselves by infecting every vulnerable host they can find.

“A virus is a piece of code that adds itself to other programs, including operating systems. It cannot run independently, it requires that its “host” program be run to activate it.”

The computer viruses are a type of self-replicating program code that are installed onto existing programs without user consent.They can appear in numerous forms as well, ranging anywhere from email attachments to malicious download links on the Internet, and can perform many harmful tasks on your OS.Virus perform its spread by infecting not only local files but also files on a shared file server like Microsoft sharepoint server, viruses can spread to other computers as well.

Trojan Horses.

These are the Software programs that pretend to be useful, but performs malicious actions in the background. Such type of malicious software programs are called as Trojan horse.

“Trojans are non-replicating programs that pretend to be legitimate, but are actually designed to carry out harmful actions against their victims”.

While a Trojan horse can disguise itself as any legitimate program. Mostly, they pretend to be useful and disguise themselves as a screen-savers, browser plug-ins, or downloadable games. Once installed by user, their malicious part might download additional malware, modify system settings, or infect other files on the system.They have  grown to now come in many forms, like Backdoor Trojans (which try to take over remote administration of their victims’ computers) and Trojan Downloaders (which install malicious code).


Software that retrieves sensitive information that can be business information or personnel information, from a victim’s computer system and transfers this information to the attacker. Such type of software programs are termed as spyware. They steal Information that might be interesting for the attacker including accounts for computer systems or bank account credentials, a history of visited web pages, and contents of business secrete documents and emails. Such type of stealing of information can result in conducting the major attack or disruption of business services.


Ransomware is malware that is designed to extract money from its victim through extortion. It can appear as a pop up, phishing link, or malicious website, and once acted on, will trigger a vulnerability in the user’s system, locking out the keyboard and screen, and sometimes even the entire computer. It’s intended to scam people by falsely accusing them of doing things like using pirated software or watching illegal videos, displaying warning pop ups, trying to make them act quickly by saying the warning message will only be removed if a fine is paid.

Bots and Botnets.

A bot is a piece of malware that allows its maker(i.e.the bot master) to remotely control the infected system. The set of bots collectively controlled by one bot master is denoted a botnet. Bots are commonly instructed to send spam emails or perform spyware activities as described above.Recently bots are also used to conducted the massive Distributed denial of service(DDoS) attack to disrupt the provision of business services.[read details here

Backdoor (RAT).

A Backdoor, or a Remote Administration Tool, is an application that allows a person (the system administrator or a cybercriminal) access to a computer system without user consent or knowledge. Depending on the RAT functionality, an attacker could install and launch other software, send keystrokes, download or delete files, switch the microphone and/or camera on, or log computer activity and send it back to the attacker.


These infections are small pieces of code that are used to quietly take executable files, or files that command your computer to perform indicated tasks, from the server. Once downloaded, through things like email attachments and malicious images, they communicate back to a command server and are then instructed to download additional malware onto your system.



They are the most dangerous and lethal software, designed specifically to conducted the designated task in a covert manner. The main characteristic of a rootkit is its ability to hide certain information (i.e., its presence) from a user of a computer system. Once they infect the system , it is very hard to detect the presence of the rootkit on the system.Rootkit techniques can be applied at different system levels, for example, by instrumenting API calls in user-mode or tampering with operating system structures if implemented as a kernel module or device driver. Manipulating the respective information allows a rootkit to hide processes, files, or network connections on an infected system. 

Moreover, virtual machine based rootkits conceal their presence by migrating an infected operating system into a virtual machine. 


[information source kaspersky,Malware Analysis by ACM]