Malware is a term used to group and describe multiple types of software designed, written, and deployed to attack IT systems. The name comes from "malicious software." We defined malware and outlined why criminals use it in the post What is Malware?
Below, we list and describe the various malware types currently used to attack computer systems and to target people via social engineering. The list is in alphabetical order, not in order of prevalence. Note that most real-world cyberattacks use several of these malware types in combination in hybrid attacks. Hybrid attacks are also sometimes called blended attacks.
Some of the elements in the list below, such as phishing, are not malware, but attackers use them alongside malware in their hybrid attack models.
Adware infects endpoint devices and uses browsing history data to show advertisements and pop-ups. The adware often "clicks" on the ads itself to fool advertisers into believing that users are clicking them, extracting payments for the attackers. This behavior is generally called "click fraud." In other cases, the ads trick the user into visiting dangerous websites where other malware is waiting to infect their devices. Adware (and spyware, see below) are sometimes called grayware or potentially unwanted programs (PUPs).
Examples of adware include Fireball, Appearch, DollarRevenue, Gator, and DeskAd.
Botnets are groups of computers (and increasingly other endpoints, such as IoT devices) that cybercriminals take over to use in targeted attacks such as distributed denial-of-service (DDoS), click fraud, or crypto-mining. Botnet malware is the "client" that infects PCs and other devices to conscript them into the wider botnet. An example of a widespread PC-infecting botnet client is Andromeda.
Examples of botnet attacks include the Mirai attack in 2016, the GitHub attack (2018), and 3ve (2018).
Browser hijack malware infects devices and then interferes with the browser settings to redirect users to malicious sites that benefit the attackers, whether by showing them ads, installing zero-click malware in a drive-by attack, or intercepting and compromising credentials for online accounts.
Examples of browser hijack malware include Babylon Toolbar, Conduit Search, CoolWebSearch, OneWebSearch, Snap.do, and Sweet Page.
Cryptojacking is malware that infects computers and uses the CPU of the infected IT system to "mine" cryptocurrencies like Bitcoin. Some types install on the infected clients, and others run as web browser scripts when users visit web pages. Cryptojacking earns money for the attackers from the sale of the mined cryptocurrencies, at the expense of the power and computing resources stolen from the owners of the infected devices.
Examples of cryptojacking malware include Coinhive and Tidbit.
Fileless malware uses legitimate software and operating system processes to deploy and execute malicious code. The malware is still downloaded, but it resides in memory on the target computer and is not written to disk, making it hard to detect with traditional anti-malware and anti-virus software that scans files.
Examples of fileless malware include Frodo, Number of the Beast, The Dark Avenger, SQL Slammer, Stuxnet, Astaroth, and UIWIX.
Keyloggers record all keystrokes on an infected device. This captures everything a user types, including potentially personally identifiable and sensitive data, passwords, credit card information, and similar. The captured data is stored and periodically transferred to the attackers. Sophisticated keyloggers that operate in real time can even provide an attacker with second-factor authentication codes for real-time compromise of accounts.
Logic bombs are variants of the other malware types described on this list with the added feature of a built-in timer. When the timer triggers, the malware runs and delivers the payload it is carrying. Logic bombs are often used in hybrid attacks to pause after the initial infection, reducing the likelihood that a defender correlates the later activity with any malware-related network traffic detected at the time of infection, when cybersecurity defense systems are monitoring with heightened alertness. Of course, organizations should monitor the network with that level of alertness constantly.
Malvertising hijacks legitimate ad networks with compromised ads that deliver malware to users whose browsers load the ads, generally taking advantage of known browser vulnerabilities. As with a browser hijack, the user doesn't need to do anything wrong; the malware activates when the compromised ads are displayed.
Examples of malvertising include Angler Exploit Kit, RoughTed, and KS Clean.
Mobile malware is a collective term for the multiple malware types that target mobile devices. Billions of mobile devices are now in use, and attackers target them both directly and in hybrid cyberattacks. As the world has gone mobile, cybercriminals have followed and developed malware aimed at mobile device users. Both Android and iOS are vulnerable to mobile malware.
Phishing is included on this list even though it's not technically a malware type but an attack method or technique. It is so prevalent as a tactic for getting other types of malware installed on devices that it warrants inclusion. Phishing attacks target people to steal login credentials and other confidential information by tricking them into clicking malicious links in emails, messaging apps, or on the web. Phishing messages appear to come from trusted brands, organizations, or individuals so that recipients believe they are receiving a genuine request for information. A targeted form of phishing known as spear-phishing uses information that only authentic senders should know to trick executives and others in targeted organizations. The information used in spear-phishing attacks often comes from data stolen in previous attacks.
Examples of successful cyberattacks that used phishing as an entry point include the Hillary Clinton campaign email theft, the JP Morgan Chase 2014 breach, the North Korean Sony Pictures breach in 2014, and the BenefitMall 2018 breach.
A RAM scraper is a malware type that copies data held in the memory of a device or server. Criminals often target point-of-sale terminals with RAM scraper malware to steal financial information while it is decrypted in memory during a sales transaction.
Examples of RAM scraper malware include Alina and Sodinokibi.
Ransomware is malware that encrypts data on infected IT systems or otherwise denies users access to systems or data in some reversible way. The attackers demand a ransom, usually paid to an anonymous address in Bitcoin or another cryptocurrency, in exchange for a key or tool to decrypt or release the affected systems. In many cases, even if the ransom is paid, no working decryption process is provided. Many organizations that do pay are attacked again shortly afterwards using other malware and backdoors that the attackers planted. Ransomware is also used to mask the deliberate destruction of computer systems by state actors and others; the NotPetya attack against Ukraine that spread globally in 2017 was a pseudo-ransomware attack of this kind.
Ransomware attacks often involve two threats: first, to deny access to systems and/or data, and second, to compromise the confidentiality of that data by sending it to the attacker.
Examples of ransomware include WannaCry, Petya, Cryptolocker, and Phobos.
Rootkits are collections of system-level software that give attackers deep (or "root") control over the targeted systems. Once they have this root access, they can do almost anything an authorized system administrator can.
Examples of rootkit malware include UEFI rootkit, Cloaker, VGA rootkit, and Zacinlo.
Scareware is malware that pretends to have taken over a computer and asks the user for information or payment, much like pseudo-ransomware. Scareware often runs as a browser script injected into a legitimate website or hosted on an attacker's dummy site. The script displays alerts and messages telling the user that their device is locked and that they must pay to unlock it. Unlike ransomware, no actual encryption has taken place. Scareware will also deliver messages about a virus infection or some other scare story to get the user to visit a site to "remove" the virus or to pay the attacker to connect to the system live and "fix" the problem. This "fix" generally involves remote access and becomes part of a blended attack.
Spyware installs on an infected device and records activity and any personal information accessed or entered. Spyware can steal a lot of information that is useful and valuable to cybercriminals, who can then use it to plan future attacks or sell it on the dark web. Spyware is another type of malware that is sometimes called grayware.
Examples of spyware include CoolWebSearch, Zango, HuntBar, and Gator.
Trojan malware hides malicious code inside otherwise legitimate software. The name Trojan Horse is also used, after the wooden horse with soldiers hidden inside it at the battle of Troy. Once the legitimate software hiding the Trojan code is installed, the malicious code uses its access to install other malware on the infected systems. That other malware can be of any type but often includes backdoors that give the attackers access in the future.
Examples of Trojans include Trickbot, Storm Worm, Zeus (Zbot), Magic Lantern, and QBot.
Viruses were formerly the most infamous type of malware, until the rise of ransomware. Viruses inject code into systems and other programs, and the virus code then finds and infects other systems and devices on the network. Viruses need user interaction to execute their code, usually a user clicking on a link or opening an email attachment containing the virus. See the entry for worms below for a similar malware type that does not need any interaction with users to spread.
Examples of viruses include Melissa, Shamoon, Klez, Concept, and Anna Kournikova (and many more!).
Worms are malware that replicates itself across the network. Worms do not need user intervention to spread; instead, they carry code to locate other devices on the network and copy themselves to them. Worms exploit network protocol and operating system vulnerabilities to bypass security and infect other systems. The worm code can also carry other malware types or download them from the internet once it has a foothold on the network.
Examples of worms include the Morris Worm, Storm Worm, SQL Slammer, Mydoom, Sasser, Blaster, and MyLife.
A zero-day is another entry on this list that's not a type of malware but that plays an important part in successful attacks. A zero-day is a cybersecurity vulnerability discovered in a system for which the software or hardware vendor has no existing patch. Sometimes zero-day exploits are public, and sometimes they are bought by brokers and state agencies to use for espionage. Zero-days can exist for years before public disclosure. Exploitation of a zero-day often spreads most widely once the software or hardware manufacturer releases a patch for it, because attackers then learn of the vulnerability, and a race begins to get systems patched before cybercriminals can use it to breach them.
Examples of zero-day exploits used to attack systems include Stuxnet and the Dridex MS Word Trojan.