Malware: types, analysis and protective measures

Malware (malicious software) is the umbrella term for all software developed with malicious intent. No other issue occupies IT security teams as intensely: According to the BSI, over 310,000 new malware variants are discovered every day. Those who understand malware—its types, techniques, and objectives—can protect themselves more effectively.

Malware Taxonomy

Malware can no longer be neatly divided into categories—modern malware typically combines multiple functions. Nevertheless, classifications help with understanding:

Viruses and Worms

Computer virus: Attaches itself to legitimate files or programs and spreads when they are executed or shared. Requires user action to spread.

Worm: Can spread autonomously across a network—without user action. WannaCry (2017) was a classic worm: it exploited the EternalBlue vulnerability (SMBv1) and infected 200,000 systems worldwide within hours.

Polymorphic malware: Changes its own signature with each propagation to evade antivirus detection.

Metamorphic malware: Completely rewrites itself (code transformation)—no longer has a recognizable signature.

Trojan (Trojan Horse)

Software that disguises itself as a legitimate program but contains malicious functions. Named after the Trojan horse.

Remote Access Trojan (RAT): Gives attackers full remote control over infected systems. Keylogging, screenshot capture, file transfer, webcam activation. Known RATs: AsyncRAT, njRAT, QuasarRAT.

Banking Trojans: Specialized in financial fraud—modifies banking websites in the browser (web injection), intercepts transactions. Emotet began as a banking Trojan and evolved into a universal malware loader.

Loader/Dropper: Initial payload that downloads additional malware. Emotet, IcedID, and Qakbot are examples—they retrieve the actual payload (ransomware, stealer) after infection.

Spyware and Stealers

Spyware: Monitors user activities without the victim’s knowledge. Keyloggers, screenshots, microphone/webcam access, GPS tracking (mobile spyware).

Info Stealers / Credential Stealers: Specialized in stealing login credentials. Scans browser password databases, stored cookies, session tokens, and cryptocurrency wallets.

Active Infostealers in 2024: RedLine, Vidar, Raccoon, LummaC2, StealC. Rented as "Malware-as-a-Service" for $100–$500/month.

What stealers target:

Browser passwords (Chrome, Firefox, Edge—all store passwords encrypted, but stealers use the same API as the browser)
Session cookies (required for session hijacking without a password)
MFA tokens (TOTP seeds from browser extensions)
VPN credentials and configuration files
Cryptocurrency wallet files and private keys
SSH keys, RDP connection data

Rootkits

Rootkits hide themselves and other malware on the system—they manipulate operating system functions to conceal their own existence.

User-Mode Rootkit: Intercepts operating system API calls. Easier to implement, but detectable via integrity monitoring.

Kernel-Mode Rootkit: Operates at the operating system kernel level—invisible to standard security tools. Modern security solutions use kernel isolation.

Firmware Rootkit: Infects UEFI/BIOS or hard drive firmware—survives operating system reinstallations. MoonBounce (2022) was the first publicly known UEFI rootkit attributed to a state actor.

Bootkit: Infects the Master Boot Record or UEFI bootloader—loads before the operating system. Secure Boot (TPM) protects against this.

Ransomware

Ransomware encrypts files or locks systems and demands a ransom. It is the dominant malware category in the enterprise context:

Locker ransomware: Locks the screen, does not encrypt data (older variant, easier to remove)
Crypto-ransomware: Encrypts files using strong cryptography (typically AES-256 + RSA-2048)
Double extortion: Steals data BEFORE encryption and threatens to publish it
Triple extortion: Additionally, a DDoS attack on the victim or contact with customers/partners

Adware and PUP

Adware: Displays unwanted ads, collects browsing history. Often bundled as "free software."

PUP (Potentially Unwanted Program): Browser toolbars, system "cleaners," mining software without user consent.

Cryptominers

Use the computing power of infected systems to mine cryptocurrencies (typically Monero, as it is particularly privacy-friendly). Consequences: increased CPU load, power consumption, potential hardware damage.

Cryptojacking: Browser-based via JavaScript—the miner runs as long as the website is open.

Modern Malware Techniques

Fileless Malware / Living-off-the-Land (LotL)

The Concept: No malicious files on the hard drive—malware resides exclusively in RAM and uses legitimate operating system tools.

Frequently Abused Windows Tools:

PowerShell: Script execution, payload download, AMSI bypass
WMI (Windows Management Instrumentation): Persistence, lateral movement
MSHTA: Execution of VBScript/JScript
Regsvr32: DLL registration to bypass application whitelisting
Certutil: Downloading files (LOLBin)
Scheduled Tasks: Persistence without autorun registry entries

Why it’s hard to detect: No known malware hash; only legitimate system processes are active.

Process Injection

Malware injects code into legitimate processes (explorer.exe, svchost.exe) to:

Run under the process name and avoid detection
Access the target process’s privileges and resources
Complicate memory forensics

Techniques: DLL injection, process hollowing, thread execution hijacking, reflective DLL loading.

Command & Control (C2)

Malware requires communication with the attacker to: receive commands, exfiltrate data, and receive updates.

C2 communication channels:

HTTP/HTTPS: Disguises itself as web traffic (difficult to block without TLS inspection)
DNS tunneling: Encodes data in DNS queries – bypasses almost all firewalls
ICMP: Ping packets as a covert channel
Social media APIs: Twitter, Telegram as C2 channels (genuine API, legitimate traffic)
Cloud Storage: Dropbox, Google Drive, OneDrive as command repositories

Beacon Pattern: Regular "check-in attempts" at short intervals. Detectable via NDR/SIEM rules that identify frequent small connections to unknown hosts.

Anti-Analysis Techniques

Malware developers actively implement measures against analysis:

VM Detection: Checks whether running in VMware/VirtualBox (no malicious behavior in that case)
Sandbox Evasion: Time delay (sleep for 10 minutes) before activity begins
Anti-debugging: Detects attached debuggers
String obfuscation: Readable strings are stored in encrypted form
Packer/Crypter: Encrypts the payload; it is only unpacked in RAM

Malware Analysis: Methods

Static Analysis

Analysis without execution:

Hash comparison against the VirusTotal database
Extract strings (domains, IPs, registry keys, commands)
Analyze imports (which Windows API functions are used?)
Disassembly and decompilation (Ghidra, IDA Pro)

# Calculate hash
sha256sum suspicious.exe

# VirusTotal check (API)
curl -X POST &quot;https://www.virustotal.com/api/v3/files&quot; \
  --header &quot;x-apikey: <api_key>&quot; \
  --form &quot;file=@suspicious.exe&quot;

# Extract strings
strings suspicious.exe | grep -E &quot;(http|https|\.onion|192\.168)&quot;

Dynamic Analysis (Sandboxing)

Execution in an isolated environment and behavior monitoring:

File system changes
Registry modifications
Network connections
Process creation

Public Sandboxes: any.run, Joe Sandbox, Hybrid Analysis, Tria.ge

Custom Sandbox: Cuckoo Sandbox (Open Source) for internal, sensitive samples.

Memory Forensics

RAM analysis after infection—critical for fileless malware:

# Volatility Framework
volatility -f memory.img pstree    # Process tree
volatility -f memory.img netscan   # Network connections
volatility -f memory.img cmdline   # Command lines of all processes
volatility -f memory.img malfind   # Injected code segments

Protective Measures

Endpoint Detection and Response (EDR)

Modern EDR solutions replace traditional antivirus:

Behavior-based detection instead of just signatures
Detection of fileless attacks and LotL techniques
Forensic capabilities: Complete process trees, network connections
Automated response: Automatically terminate infected processes, isolate hosts

Market leaders: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Sophos Intercept X.

Application Whitelisting

Only known, explicitly approved programs are allowed to run. PowerShell scripts from unknown sources are blocked.

Windows: AppLocker, WDAC (Windows Defender Application Control).

Email Security

Over 90% of all malware infections begin with a phishing email containing a malicious attachment or link:

Disable (or block) macros in Office documents
Sandboxed link analysis (URLs are checked before clicking)
DMARC/DKIM/SPF for your own domains (prevents spoofing)

Patch Management

Malware exploits known, patched vulnerabilities—if the patch hasn’t been applied. WannaCry exploited a 2-month-old Windows vulnerability for which a patch already existed.

Network Segmentation and Monitoring

Prevents lateral movement after the initial breach. NDR detects anomalies such as port scans or unusual DNS queries that indicate malware.

Backup and Business Continuity

The last line of defense against ransomware: the 3-2-1 backup rule:

3 copies of the data
2 different media/technologies
1 offsite/air-gapped (not accessible from the production network)

Offline backups are crucial—ransomware encrypts active network drives as well.

Malware and NIS2

NIS2 Article 21 explicitly requires: "Incident detection" and "detection, analysis, and containment of cybersecurity incidents"—which directly targets malware protection and response. Affected companies must:

Implement technical measures for malware detection (EDR/AV)
Define reporting processes for significant incidents (24-hour early warning)
Conduct regular security training (human attack vector)</api_key>