Ruslan Rakhmetov, Security Vision
We've previously told you about the different types of malware (malicious software), but we want to pay extra attention not only to how they spread and infect devices, but also to the purposes they serve. In the current review, we'll cover the different groups of malware and what they do. First, let's focus on classifications. Like any software, malware varies in architecture: it is either modular (consisting of several components that work together) or monolithic (a single program that is not divided into parts). Let's look at other types of classifications below.
In terms of the method of propagation, malware can be divided into stand-alone programs (spread without user participation, like network worms), those spread through social engineering (when attackers use psychological manipulation to deceive the user), exploits (code that abuses software vulnerabilities to gain entry automatically) and those requiring human intervention (e.g. opening a virus-infected email or file). The latter group includes interactive malware (e.g. requiring a click on a link) and non-interactive malware (e.g. rootkits).
By infection method, malware can be file-based (infecting executable files such as *.exe, *.dll, etc.), fileless (working only in RAM), network-based (for example, worms that spread via the Internet), and boot-sector based (infecting the boot sectors of hard discs or USB devices so that the malware runs together with, or before, the operating system).
Across these groups, malware can also be distinguished by what it targets: applications (e.g. browsers or office software), physical devices (IoT, routers, industrial systems that require special protection), operating systems, the BIOS, and drivers.
Malware can also differ in the way it disguises itself. Specialists distinguish between stealthy programs that hide themselves in the system to avoid detection (e.g. rootkits), polymorphic programs that modify their code to avoid detection by antivirus, and metamorphic programs that completely rewrite their code with each new infection.
These classifications can be combined freely: for example, an encryptor can be network-based, stealthy, and targeted at mobile systems. Below, therefore, we group malware by purpose instead and identify 12 types.
1. Adware is malware that constantly displays advertisements (via pop-ups with ads or redirects to third-party sites) and often includes hidden features (e.g. tracking). This type of malware acts like an annoying street vendor that follows you around and constantly shouts out calls to buy its products. To protect yourself from this rather harmless pest, you should limit the installation of programmes and use anti-spam systems and special ad blockers.
Specialists separately distinguish Mobile Spyware, which is installed on smartphones to spy on the user: reading messages, tracking location or listening to calls. This type of spyware is often installed manually by the attacker or by the victim's partner and then captures calls, messages and GPS data for transmission to the attacker. It acts like a private investigator watching the target, or like a hidden camera and a wireless bug in a hotel room.
3. Ransomware typically encrypts data and demands a ransom for its recovery: after entering the system it blocks access to files and demands money. The most notorious of these "kidnappers" in the IT world, holding your own data to ransom, are the WannaCry and Petya encryptors. You can save yourself by making backups, using antivirus and sandboxes, and simply not opening suspicious email attachments.
4. Scareware intimidates the user with false information, such as "virus detected" or "your data is at risk" messages, and usually demands payment to "solve the problem". It first shows the user a pop-up or scare message (e.g. "Your system is infected!"), then offers to download an antivirus or pay for a service to clean the system. Even if the victim pays, the programme either does nothing or installs even more malware on the device.
Scareware programmes act like quacks who diagnose diseases in order to sell a "cure", or like a fake scarecrow that scares birds away from a farm. Such a false "fire alarm" causes people to panic and evacuate for no reason, and works just like a "Beware of Dog" sign when there is no vicious dog behind the fence.
5. Encryptors (Ransomware) are malware that block access to user data by encrypting it and then demanding a ransom to restore it. They are a form of ransomware, or a component of it: spread via infected attachments, malicious websites or exploits, they encrypt the user's files, making them inaccessible. An encryptor acts like a door fitted with a new lock whose key is in the thief's possession; the thief then behaves like a kidnapper, demanding a ransom for the release of what was taken.
6. Exploits are tools that abuse vulnerabilities in a system; packaged as toolkits (exploit kits), they automatically find weaknesses and use them for attacks, for example an exploit kit that attacks through the browser. They act like thieves looking for unlocked doors in a house. Installing OS updates and restricting access to unnecessary services can help in your defence.
7. Spam bots automatically send spam (adverts, phishing links, malicious attachments) by email or via social networks. The infected device becomes part of a botnet, and the programme itself sends messages to thousands of addresses. The everyday equivalent of bot-like activity is a spam call with advertisements, or a person who knocks on doors selling useless products and floods apartment building mailboxes with flyers.
8. Bots and botnets are devices infected with software that makes them participate in a network used for attacks or spam. Such devices follow the attacker's commands, for example by participating in DDoS attacks; this is how the Mirai botnet operated when it attacked servers. Devices are infected via Trojans, exploits or phishing emails and connect to a command-and-control (C&C) server. The resources of the infected devices are then used for attacks or other tasks.
Botnets act like a mob of zombies in an apocalypse film, obeying the commands of the villain. You can protect yourself by securely configuring routers and IoT devices, as we described earlier.
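A bot that connects to its C&C server at a fixed interval ("beaconing") leaves a regular pattern in outbound connection logs that a defender can look for. The following script is an added example written for this review, not code from the original article or from any of the malware families it names: it groups constructed connection records by source and destination, measures how regular the gaps between connections are, and flags pairs whose timing is suspiciously periodic. The log format, IP addresses and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection records (not real traffic), one per line:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<port> <bytes_sent>"
# 10.0.0.5 talks to 203.0.113.7 every 60 s with a near-constant payload size (a beacon),
# and to 198.51.100.20 at irregular times with varying sizes (ordinary browsing).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 -> 203.0.113.7:443 412
2024-05-01T10:00:07 10.0.0.5 -> 198.51.100.20:443 15320
2024-05-01T10:01:00 10.0.0.5 -> 203.0.113.7:443 410
2024-05-01T10:02:00 10.0.0.5 -> 203.0.113.7:443 415
2024-05-01T10:02:41 10.0.0.5 -> 198.51.100.20:443 8812
2024-05-01T10:03:00 10.0.0.5 -> 203.0.113.7:443 409
2024-05-01T10:04:00 10.0.0.5 -> 203.0.113.7:443 413
2024-05-01T10:05:00 10.0.0.5 -> 203.0.113.7:443 411
2024-05-01T10:06:00 10.0.0.5 -> 203.0.113.7:443 414
2024-05-01T10:09:13 10.0.0.5 -> 198.51.100.20:443 22001
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue  # skip malformed lines instead of crashing on them
        ts = datetime.fromisoformat(parts[0])
        flows[(parts[1], parts[3])].append((ts, int(parts[4])))
    return flows


def find_beacons(text, min_connections=5, max_cv=0.2):
    """Return (src, dst) pairs whose connections recur at a regular interval.

    A flow is flagged when it has at least `min_connections` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at most
    `max_cv`. Both thresholds are illustrative and must be tuned per network.
    """
    findings = {}
    for pair, events in parse_log(text).items():
        if len(events) < min_connections:
            continue
        events.sort()  # logs are not guaranteed to be in time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            sizes = [size for _, size in events]
            findings[pair] = {
                "count": len(events),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
                "mean_bytes": round(mean(sizes), 1),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {info}")
```

Legitimate software (update checks, monitoring agents, NTP) also produces periodic traffic, so a hit from this heuristic is a lead for an analyst to combine with destination reputation and an allowlist of known schedulers, not a verdict on its own.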
IoT malware is recognised by experts as a separate group. This is software specifically targeting smart home devices (cameras, thermostats, smart TVs) or industrial equipment. Attackers scan the Internet for vulnerable smart devices and gain access, via exploits or weak passwords, for espionage. Such malware controls devices without your knowledge, like a puppeteer in a puppet theatre or a neighbour who connects to your Wi-Fi network without permission.
9. Cryptojackers use the device's resources (CPU, graphics card) to mine cryptocurrency without the owner's knowledge. They are installed via Trojans, downloaders or malicious websites and start mining, slowing down the device and increasing its power consumption. All the funds earned are sent to the attacker. It works like an intruder eating your food and using your electricity, or like an illegal factory in your basement.
10. Logic bombs are hidden malicious instructions that are activated when certain conditions occur, such as at a certain time or when a specific programme is launched. This kind of malware hides inside a legitimate programme and waits for a condition (such as a certain date) to be met, at which point it can delete files, damage the system or disable hardware. It is similar to a time bomb that explodes at a designated time, or a sleeper spy waiting for the command to act: a harmless programme on the outside but harmful on the inside, the proverbial spoonful of tar in the barrel of honey.
11. Advanced Persistent Threats (APTs) are sophisticated and long-lasting attacks that target specific organisations, governments or companies. Attackers use an array of tools (including exploits, Trojans, and spyware) to gain access to a system, remain undetected, and collect data. They get in through phishing, vulnerabilities or social engineering, then install rootkits or backdoors to maintain access and spy on the user and systems, copying data. Like a slow poison, this malware acts stealthily on the body over time and stays inside until it is uncovered.
12. Phishing software masquerades as normal websites, applications, or emails to trick victims into providing sensitive data such as passwords, credit card numbers, or logins. To do this, attackers create fake interfaces, such as a "malicious" copy of a bank login page. The victim is persuaded to enter their details, thinking they are interacting with the real website, but the information entered is sent to the attacker, who can use it to steal money or access the system. Phishing programmes work like a fake ATM that steals card details, or a fake charity whose donations go into someone's pocket.
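Because a phishing page must look like the real site, its address is usually a near-copy of the real domain: a letter swapped for a look-alike, a typo, or the brand name buried as a subdomain of an unrelated domain. The script below is an added example written for this review (not code from the original article) that shows how a defender can triage URLs from a suspicious email against a list of domains the organisation wants to protect. The protected domains, the sample URLs and the small table of confusable characters are constructed assumptions for the illustration; the distance threshold is likewise illustrative.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed list of domains the organisation wants to protect (hypothetical names).
PROTECTED_DOMAINS = ["examplebank.com", "mail.example.org"]

# Small constructed table of characters and digraphs that look like other letters.
# Cyrillic letters are written as escapes so the source stays plain ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic c, x, y
    "0": "o", "1": "l", "3": "e", "5": "s",                       # digit look-alikes
    "rn": "m", "vv": "w",                                         # digraph look-alikes
}


def decode_idna(host):
    """Turn punycode labels (xn--...) back into Unicode so look-alikes are visible."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # leave an undecodable label as-is rather than fail
        labels.append(label)
    return ".".join(labels)


def skeleton(host):
    """Map look-alike characters onto the plain letters they imitate."""
    host = unicodedata.normalize("NFKC", host)
    for lookalike, plain in CONFUSABLES.items():
        host = host.replace(lookalike, plain)
    return host


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_protected_domain) for one URL."""
    host = decode_idna((urlsplit(url).hostname or "").rstrip("."))
    for p in protected:  # the real domain or one of its subdomains
        if host == p or host.endswith("." + p):
            return "legitimate", p
    sk = skeleton(host)
    for p in protected:  # looks identical once confusables are normalised
        if sk == p or sk.endswith("." + p):
            return "homoglyph", p
    for p in protected:  # brand name embedded under someone else's domain
        if p in host:
            return "brand-embedded", p
    for p in protected:  # a few edits away from the real domain
        tail = ".".join(host.split(".")[-(p.count(".") + 1):])
        if 0 < levenshtein(tail, p) <= max_distance:
            return "typosquat", p
    return "no-match", None


def triage(urls):
    """Classify a batch of URLs, e.g. every link extracted from one email."""
    return [(url, *classify_url(url)) for url in urls]


if __name__ == "__main__":
    # Constructed sample links, as might be extracted from a suspicious message.
    for row in triage([
        "https://examplebank.com/login",
        "https://exarnplebank.com/login",
        "https://ex\u0430mplebank.com/",
        "https://examplebank.com.secure-login.net/",
        "https://examplebnak.com/",
    ]):
        print(row)
```

Only "legitimate" here means the link really belongs to the protected domain; the other verdicts are reasons to hold the message for review. The order of the checks matters: the exact-match test runs on the raw host first so that a genuine subdomain is never reported as a homoglyph of itself.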
It is important for a novice or student to understand the basic principles of how malware operates and how it is detected and prevented. In past reviews (here and here) we looked at other aspects that will help build a solid foundation.
We also offer a small checklist of technical protection measures:
- use anti-virus and anti-spyware programmes
- regularly update software and operating systems
- carefully configure firewalls
- encrypt the data.
Behavioural measures complement this list: do not open suspicious emails and links, avoid downloading files from unreliable sources, and use strong passwords and two-factor authentication. Companies should also conduct regular security audits and restrict access rights to critical data.