Introduction: The Digital Menagerie
"Malware is like biological disease—it evolves, mutates, and spreads. Understanding its nature is the first step to developing immunity." — Mikko Hyppönen, F-Secure
The term "malware" (malicious software) encompasses a vast ecosystem of digital threats. From the first computer virus in 1986 (Brain) to today's sophisticated ransomware-as-a-service operations, malware has evolved from curiosity to industry.
In 2023 alone, AV-TEST registered over 450,000 new malware samples per day. Understanding malware types, behaviors, and analysis techniques is essential for any security professional.
🎯 Lesson Objectives
- Classify different malware types and understand their characteristics
- Analyze malware using static and dynamic analysis techniques
- Identify Indicators of Compromise (IOCs) for threat detection
- Implement defense strategies against various malware families
1. Malware Classification
1.1 The Malware Family Tree
Virus
Behavior: Attaches to legitimate files; requires host to spread
Spread: User must execute infected file
Example: ILOVEYOU (2000) - Spread via email, caused $10B damage
Defense: Antivirus, file integrity monitoring, user awareness
Worm
Behavior: Self-replicating; spreads without user action
Spread: Network vulnerabilities, email, USB
Example: WannaCry (2017) - Exploited SMB vulnerability, hit 200,000 systems in 150 countries
Defense: Patch management, network segmentation, firewall rules
Trojan Horse
Behavior: Disguised as legitimate software; doesn't self-replicate
Spread: User downloads thinking it's legitimate
Example: Emotet - Banking trojan turned malware-as-a-service platform
Defense: Download from trusted sources, application whitelisting
Ransomware
Behavior: Encrypts files; demands payment for decryption
Spread: Phishing, RDP exploitation, vulnerabilities
Example: LockBit, Conti, REvil - Modern RaaS operations
Defense: Backup strategy (3-2-1 rule), endpoint protection, network segmentation
Rootkit
Behavior: Hides deep in OS; provides persistent backdoor access
Spread: Usually delivered by another malware
Example: Sony BMG rootkit (2005), LoJax UEFI rootkit
Defense: Secure boot, integrity monitoring, specialized detection tools
RAT (Remote Access Trojan)
Behavior: Provides remote control of victim system
Spread: Phishing, drive-by downloads
Example: DarkComet, njRAT, Poison Ivy
Defense: Network monitoring, outbound traffic analysis, EDR
Keylogger/Spyware
Behavior: Records keystrokes, screenshots, credentials
Spread: Bundled with software, trojans, physical installation
Example: HawkEye, Agent Tesla
Defense: Endpoint protection, password managers, virtual keyboards
Cryptominer
Behavior: Uses victim's resources to mine cryptocurrency
Spread: Browser scripts, trojans, vulnerable servers
Example: Coinhive (now defunct), XMRig
Defense: Ad blockers, CPU monitoring, browser protection
1.2 Fileless Malware: The Invisible Threat
Traditional malware writes files to disk. Fileless malware operates entirely in memory, using legitimate system tools (PowerShell, WMI, macros) to avoid detection.
⚠️ Why Fileless Malware is Dangerous
- No files on disk = traditional AV can't detect it
- Uses trusted tools = harder to distinguish from legitimate admin activity
- Lives in memory = disappears on reboot (but persistence mechanisms survive)
- 78% of successful attacks in 2023 used fileless techniques (CrowdStrike)
💡 Fileless Attack Chain Example
- Delivery: User receives email with malicious link
- Execution: Link runs PowerShell command via mshta.exe
- Download: PowerShell downloads payload directly to memory
- Persistence: Creates scheduled task or WMI subscription
- Action: Payload runs in memory, steals credentials, moves laterally
Detection: Script block logging, PowerShell logging, behavioral analysis, memory forensics
2. Ransomware: The Modern Plague
Ransomware has evolved from simple encryption malware to a sophisticated criminal industry with revenues exceeding $1 billion annually.
2.1 Ransomware Evolution
AIDS Trojan
First ransomware. Distributed via floppy disks at WHO conference. Demanded $189 to P.O. Box in Panama.
CryptoLocker
Modern ransomware pioneer. Strong encryption, Bitcoin payments. Earned $27M before takedown.
WannaCry
Global outbreak using EternalBlue exploit. 200,000+ systems in 150 countries. NHS hospitals offline for days.
Double Extortion Era
Maze pioneered data theft + encryption. Pay or we leak your data publicly.
Triple Extortion & RaaS
Add DDoS threats, contact customers. Ransomware-as-a-Service model dominates.
2.2 Ransomware-as-a-Service (RaaS)
The Criminal Business Model
Developers create ransomware and infrastructure → Affiliates deploy and collect ransom → Revenue split (typically 70/30 or 80/20)
This model allows sophisticated malware to be deployed by less skilled criminals, dramatically increasing attack volume.
2.3 Major Ransomware Groups (2023-2024)
| Group | Model | Notable Attacks | Status |
|---|---|---|---|
| LockBit | RaaS | Royal Mail UK, Boeing, hospitals | Disrupted by Operation Cronos (Feb 2024) |
| BlackCat/ALPHV | RaaS | MGM Resorts, Reddit | Exit scammed affiliates (2024) |
| Cl0p | Extortion-focused | MOVEit vulnerability campaign | Active |
| Akira | RaaS | Stanford, Nissan | Active, targeting VPNs |
🇮🇳 Case Study: AIIMS Delhi Ransomware Attack (Nov 2022)
Target: All India Institute of Medical Sciences, New Delhi
Impact: 5 servers infected, 1.3TB data encrypted. Hospital operations disrupted for over 2 weeks. Patient records, appointments, billing systems offline.
Attack Vector: Reportedly improper network segmentation and unpatched systems
Response: CERT-In, Delhi Police, NIA involved. Systems gradually restored from backups.
Lesson: Healthcare is a prime target. Critical infrastructure needs defense-in-depth.
3. Malware Analysis Techniques
Security analysts examine malware to understand its capabilities, identify IOCs, and develop defenses.
3.1 Static Analysis
Examining malware without executing it. Safe but limited—obfuscation can defeat static analysis.
File Metadata
File type, size, timestamps, digital signatures. Discrepancies (e.g., .pdf.exe) reveal deception.
Hash Analysis
MD5, SHA-1, SHA-256 hashes. Compare against threat intelligence databases (VirusTotal, MISP).
String Extraction
Extract readable strings: URLs, IP addresses, registry keys, file paths, error messages.
PE Analysis
For Windows executables: imports, exports, sections, resources. Unusual imports (network, crypto) are suspicious.
# Static Analysis Example Commands
# Calculate file hashes
md5sum suspicious_file.exe
sha256sum suspicious_file.exe
# Extract strings (Linux)
strings suspicious_file.exe | grep -E "(http|https|ftp)://"
# Check file type
file suspicious_file.exe
# PE analysis (using pefile Python library)
import pefile
pe = pefile.PE("suspicious_file.exe")
for section in pe.sections:
print(section.Name, hex(section.VirtualAddress))
3.2 Dynamic Analysis
Executing malware in a controlled environment (sandbox) to observe behavior.
⚠️ Safety First!
Always perform dynamic analysis in isolated virtual machines with no network access to production systems. Popular sandboxes: Cuckoo Sandbox, ANY.RUN, Joe Sandbox, Hybrid Analysis.
| Observable | Tools | What to Look For |
|---|---|---|
| File System Activity | Process Monitor, Procmon | Created/modified files, dropped payloads |
| Registry Changes | Regshot, Process Monitor | Persistence mechanisms (Run keys, services) |
| Network Activity | Wireshark, Fiddler, FakeNet | C2 communication, DNS requests, data exfiltration |
| Process Activity | Process Explorer, API Monitor | Child processes, injected code, API calls |
| Memory | Volatility, Rekall | Injected code, unpacked malware, credentials |
3.3 Sandbox Evasion Techniques
Sophisticated malware detects sandboxes and behaves differently:
- Environment Checks: VM artifacts (VMware tools, VirtualBox registry keys)
- Timing Attacks: Sleep for extended periods; sandboxes often fast-forward time
- User Interaction: Only execute after mouse movement or clicks
- Hardware Checks: Low RAM, single CPU, no GPU = likely sandbox
- Network Checks: No internet = sandbox; specific DNS = sandbox
4. Indicators of Compromise (IOCs)
IOCs are forensic artifacts that indicate a security breach has occurred or is in progress.
4.1 Types of IOCs
| IOC Type | Examples | Detection Method |
|---|---|---|
| File Hashes | MD5, SHA-1, SHA-256 of malware | Endpoint protection, file scanning |
| IP Addresses | C2 server IPs, attacker infrastructure | Firewall logs, network monitoring |
| Domain Names | C2 domains, phishing domains | DNS logs, web proxy logs |
| URLs | Malware download URLs, phishing pages | Web proxy, browser history |
| Email Artifacts | Sender addresses, subject lines, attachment names | Email gateway logs |
| Registry Keys | Persistence locations, configuration | Endpoint detection, registry monitoring |
| File Paths | Malware locations, dropped files | File integrity monitoring |
| Mutex Names | Unique identifiers used by malware | Process monitoring, memory analysis |
4.2 The Pyramid of Pain
David Bianco's Pyramid of Pain illustrates that not all IOCs are equally valuable:
TTPs (Tactics, Techniques, Procedures)
Hardest for attackers to change. Most valuable for defenders.
Tools
Custom malware, exploit kits. Annoying to replace.
Network/Host Artifacts
Registry keys, file paths, user agents. Challenging to change.
Domain Names
C2 domains. Takes some effort to change.
IP Addresses
Easy to change—just spin up new server.
Hash Values
Trivial to change—single bit flip creates new hash.
Key Insight
Blocking hash values makes attackers recompile. Blocking TTPs makes attackers rethink their entire approach. Focus defense efforts on what causes attackers the most pain.
5. Defense Strategies
5.1 Defense-in-Depth Against Malware
Prevention: Stop Malware Delivery
Email filtering, web proxy, application whitelisting, user awareness training
Detection: Identify Malware Execution
Endpoint Detection & Response (EDR), behavioral analysis, SIEM correlation
Containment: Limit Malware Spread
Network segmentation, micro-segmentation, automatic isolation
Recovery: Restore Operations
Backup/restore procedures, incident response playbooks, business continuity
5.2 The 3-2-1 Backup Rule
Ransomware-Resistant Backups
3 copies of your data
2 different storage media
1 offsite (preferably air-gapped or immutable cloud storage)
📝 Key Takeaways
Malware types include viruses, worms, trojans, ransomware, rootkits, RATs, and cryptominers—each with unique characteristics
Fileless malware operates in memory using legitimate tools—traditional AV can't detect it
Ransomware has evolved to RaaS model with double/triple extortion tactics
Static analysis examines malware without execution; dynamic analysis observes behavior in sandbox
The Pyramid of Pain: TTPs are most valuable IOCs—focus defenses where it hurts attackers most
✅ Lesson Complete!
You now understand malware types and analysis. Next: Social engineering and the human factor.