From macro viruses and boot sector viruses to droppers and packers – here is an overview of 9 common virus types, how they work and what they do for attackers. […]
The human mind loves to categorize things, and malware is no exception. Our malware explanation breaks down malware according to how it spreads (self-propagating worms, viruses that rely on other code, or cleverly disguised Trojans) and what it does to infected computers (rootkits, adware, ransomware, cryptojacking and malvertising).
This type of technical taxonomy is widely used, and it has its uses. In particular, it can be helpful to distinguish different types of malware infection vectors, rather than lumping everything together and calling it a "virus," despite the fact that that term is widely used. But we can also overemphasize this type of division.
"Many of the terms used to describe malware in the '90s and early '00s are still technically correct, but perhaps not as relevant as they once were," said Jacob Ansari, security advocate and emerging cyber trends analyst at Schellman, a globally active, independent assessor for security and data protection. “Whereas the malware of earlier decades was installed on the target system and then ran by itself without human intervention, most modern attack campaigns are carried out by groups of people we commonly refer to as threat actors. Attackers continue to evade detection and persist despite all defenses, using a variety of programming or scripting languages to create their malicious code.”
We asked Ansari and other security experts how they break down the malware categories they deal with. In general, we've found that there are two different ways of looking at malware taxonomy: one can think about how viruses do their dirty work (ie, what they do to you), or where they fit into an ecosystem (ie, what they do for an attacker).
9 common types of computer viruses
Macro VirusesPolymorphic VirusesResident VirusesBoot Sector VirusesMultipart VirusesDropperBeacon/PayloadPackerCommand and Control
Virus Types Defined by What They Do to YouIf you want to get an overview of the different types of malware, you should talk to someone who deals with malware professionally. That's Dahvid Schloss's job: he's the Managing Lead for offensive security at Echelon Risk + Cyber, working on malware designed to mimic real-world threat actors to create command-and-control platforms for emulating adversaries and Red Team operations of his to carry out the company. He broke down the different types of viruses he works with by their function.
"This category is probably the most prevalent malware technology in the world," says Schloss. “Approximately 92% of external attacks start with phishing, and macros are at the heart of the problem. A macro is an automated execution of keystrokes or mouse actions that a program can perform without user interaction—typically they are Microsoft Word/Excel macros that can be used to automate repetitive tasks in a spreadsheet or document.”
Macros are an extremely common type of malware. "The delivery method is believable, especially when it looks work-related," says Schloss. “Also, the programming language (Visual Basic, in the case of Microsoft) is quite simple. Macro viruses therefore require less technical knowledge to write them.”
Lauren Pearce, Incident Response Lead at cloud security company Redacted, agrees. "We continue to see significant damage from simple malware," she says. “The simple macro of an Office document is the most common infection vector.
"While the macro virus is the easiest to code for, this type [the polymorphic virus] would be the most complex because the virus is exactly what its name suggests: polymorphic," says Schloss. "Every time the code runs, it runs a little differently, and typically every time the code is ported to a new machine, it's going to be a little different."
Schloss admits that "this category of viruses are my favorite viruses because they are very complex and extremely difficult to study and detect."
This is a particularly dangerous category: a disembodied virus that does not exist as part of a file. "The virus itself runs in the host's RAM," says Schloss. "The virus code is not stored in the executable file that invoked it, but usually on an Internet-accessible website or in a storage container. The executable that invokes the resident code is typically written to be non-malicious to avoid detection by an antivirus application.”
Of course, the term "resident virus" also implies the existence of a non-resident virus. Schloss defines this as “a virus contained in the executable file that invokes it. These viruses most commonly spread through misuse of corporate services.”
Boot Sector Viruses
"I like to refer to this category as the 'nation-state cocktail,'" explains Schloss. “This type of virus is intended to allow the attacker unrestricted and deep entrenchment. They infect all the way down to the computer's Master Boot Record (MBR), which means that even if the computer is re-imaged, the virus persists and can run in host memory at boot time. Rarely found outside of government threat actors, these types of viruses almost always rely on a zero-day exploit to reach the MBR layer, or are propagated through physical media such as infected USB or hard drives.”
While some malware developers specialize, others take an all-of-the-above approach, attacking everywhere at once. "These types of viruses tend to be the most difficult to contain and combat," says Schloss. “They infect multiple parts of a system, including memory, files, executables, and even the boot sector. We are seeing more and more viruses of this type, and these types of viruses spread in every imaginable way, typically employing multiple techniques to maximize spread.”
Malware types, defined by their usefulness to the attacker
"This malware is designed to drop other malware onto the infected system," Ansari said. "Victims can be infected via a malicious link, attachment, download or similar with a dropper, which is usually gone after dropping the next malware level."
"Macro malware falls into the category of droppers," adds Pearce of Redacted. "It's malware designed for the sole purpose of downloading and running additional malware.
These types of malware are the next level of attack. A beacon or payload is the malware that signals the attacker that it has newly installed accessibility,” says Ansari, “it is often installed by a dropper. "From here, an attacker can access the victim systems through the path set up by the beacon and access the system, the data it contains, or other systems on the network."
These components wrap other components and use cryptographic techniques to bypass detection. "Some sophisticated malware campaigns use a series of packers nested inside one another like a stacking doll," says Ansari. "Each component contains another packaged element until finally the payload can be executed."
Command and control
Every team needs a leader, and that is precisely the role played by command and control for these cooperative malware components. "Sometimes referred to as C&C (Command and Control), CNC, or C2, these systems operate outside of the victim's environment and allow the threat actor to communicate with the other components of the malware campaign installed on the target system," says Ansari. "Often when law enforcement targets a threat actor, they seize the command and control systems as part of their effort to stop the threat."
Classification of computer viruses
Ultimately, the taxonomy we use should not be too rigid, but should make it easier to convey important information about cyber threats. And that means tailoring your language to your audience, says Ori Arbel, CTO of CYREBRO, a security services provider.
“When I write for CISOs, they look at the issue from a risk perspective,” he says, “while the general public has a better understanding of the names that are often used in the news. These virus categorizations are presented from the perspective of what's easiest to understand—but that doesn't necessarily convey the best actions security professionals should take. If I'm writing for a group of threat intelligence professionals, I would use terms related to the attacker's geolocation and motivation rather than what the virus actually does.”
Finally, there is one last way to categorize viruses that really only makes sense from the perspective of the virus hunters themselves: viruses that are worthy adversaries and those that are not.
"As a reverse engineer, I enjoy the conundrum of inversion," says Pearce of Redacted. "Macros pose a significant threat to a network, but they're not particularly fun to decode. I enjoy inverting examples that employ anti-analysis techniques to actively resist being inverted. Malware can use anti-debugging techniques that detect and respond to a debugger through methods such as check-summing or timing attacks. The use of anti-analysis techniques indicates a skillful malware author and serves to increase the time between detecting a sample and extracting useful indicators to combat it.”
Just because your opponents are criminals doesn't mean you can't respect them for taking pride in their work.
*Josh Fruhlinger is a writer and editor based in Los Angeles.