Malware Types and Cyber Attack Defense Strategies

Malware: Malicious Software Defined

Malware is malicious software designed to disrupt systems, steal information, or gain unauthorized access. The primary goals of malware include:

  • Disruption: Shutting down processes or freezing systems.
  • Data Theft: Exfiltrating sensitive data like passwords.
  • Unauthorized Access: Providing attackers with a secret entry point.
  • Covert Control: Enabling remote command and control (C&C) operations, often forming botnets.

The fundamental concept of malware has remained consistent since von Neumann’s 1949 paper on self-replicating automata.

Malware Classification

Viruses

  • Requirement: Need a host file to spread.
  • Infect executable files or boot sectors.
  • Spread when the infected file is executed (e.g., when a user launches an infected game).
  • Often OS and architecture specific.

Worms

  • Requirement: Do not need a host file; they are self-contained.
  • Spread automatically over networks, making them the fastest-moving category.
  • Often less focused on stealth or long-term persistence. (Example: The Morris Worm spread to thousands of UNIX machines in hours.)

Trojans

  • Disguised as legitimate software.
  • Rely on tricking users into installing them.
  • Do not self-replicate.

Bots

Malware that turns a computer into a remotely controlled “zombie,” frequently used in DDoS attacks, spam campaigns, and theft.

Infection Mechanics and Payload

Infection Mechanism (Propagation)

This describes how malware spreads:

  • Inserting into executable files.
  • Overwriting the boot sector (e.g., Brain, Stoned viruses).
  • Copying via USB drives.
  • Scanning networks (worms).
  • Email attachments or macros in documents.

Trigger

What starts the malware execution:

  • A specific date (e.g., Michelangelo Virus on March 6).
  • A certain number of runs (e.g., Elk Cloner activates on the 50th boot).
  • Opening a specific application or visiting malicious content via a browser.

Payload (Damage)

The resulting damage caused by the malware:

  • Stealing passwords.
  • Deleting files.
  • Emailing itself to others (e.g., ILOVEYOU).
  • Installing a backdoor.
  • Encrypting files (Ransomware).

What Defines a Virus

To be classified as a virus, it must meet these criteria:

  1. Must attach to something (file, macro, boot sector).
  2. Spreads when the host file executes.
  3. Typically written in assembly for small size, aiding stealth.

Virus Phases

  1. Dormant: The virus is idle and waiting for a target (not all viruses exhibit this phase).
  2. Trigger: The virus is activated by an event (e.g., detecting the date April 1).
  3. Propagation: The virus spreads itself before delivering the payload (e.g., infecting other .exe files).
  4. Execution: The payload is delivered (e.g., deleting all files).

Worm Propagation and Evasion

Worms exploit vulnerabilities in network services, email clients, and OS bugs, damaging networks, bandwidth, servers, and infrastructure. They replicate via email/messaging, file sharing, remote file transfer (FTP, SFTP), and remote login (VNC, SSH).

Worm Spreading Techniques

  • Random Scanning: Picks random IP addresses to infect; fast but noisy.
  • Hit-List Scanning: Starts with a pre-built list of vulnerable systems, leading to rapid early spread.
  • Topological Scanning: Uses information gathered from the victim (email contacts, browser history, host files).
  • Local Subnet Scanning: Targets nearby machines on the same network (LAN/WiFi); often the fastest spreading method.

How Worms Evade Detection

  • Polymorphic: Encrypts its payload with a new key each time, making signature-based antivirus detection difficult.
  • Metamorphic: The worm rewrites its own code upon spreading, ensuring no two instances are identical.
  • Multiplatform: The worm can target multiple operating systems simultaneously.

Denial of Service (DoS) Attacks

A DoS attack prevents legitimate users from accessing resources by exhausting system capacity (CPU, memory, bandwidth, application resources, disk space).

Common DoS Methods

  • Ping Flood (ICMP): Sends a huge number of ICMP echo requests, overloading network bandwidth and routing capacity; relatively easy to detect.
  • UDP Flood: Sends a large number of UDP packets to random ports; the server wastes CPU cycles checking for a listener on each port and sending ICMP “port unreachable” responses.
  • TCP SYN Flood: Exploits the three-way TCP handshake (SYN -> SYN/ACK -> ACK). Attackers send SYNs (often with spoofed source IPs) but never send the final ACK, so half-open connections accumulate until the server’s connection table fills up.

Distributed Denial of Service (DDoS)

DDoS uses many compromised systems (botnets) to attack a victim. This is harder to detect and block because the traffic often appears legitimate.

HTTP-Based Attacks (Application Layer)

These attacks target web servers and are harder to distinguish from normal traffic.

  • HTTP Floods: Overwhelms the server with GET/POST requests, hitting specific endpoints (search, logins).
  • Spidering: A bot starts at the homepage and systematically downloads every image, PDF, and subpage.
  • Slowloris: Sends partial HTTP headers extremely slowly, keeping web server threads tied up waiting for full requests. Because the server keeps each connection open until the request completes, servers that dedicate a thread per connection are the most affected.
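The HTTP flood and spidering patterns above leave distinctive traces in an ordinary web server access log: one client hammering a login or search endpoint many times per second, or one client fetching a very large number of distinct paths in a short time. The following detector, an added example that is not part of the original notes, parses constructed combined-format log lines and flags both patterns; the thresholds, the client addresses and the log lines are all assumptions chosen for the demonstration.

```python
"""Flag likely HTTP-flood and spidering clients from web access-log lines.

Added example for the lecture notes; the log lines are constructed and the
thresholds are illustrative, not tuned values from any real deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyse(lines, window_s=10, flood_threshold=20,
            sensitive=("/login", "/search"), spider_threshold=15):
    """Return {client_ip: set_of_reasons} for clients that look abusive.

    http_flood : >= flood_threshold hits on a sensitive endpoint within window_s
    spidering  : >= spider_threshold distinct paths and almost no repeats
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()

        # Sliding window over hits to sensitive endpoints (query string ignored).
        hits = [r["ts"] for r in recs if r["path"].split("?")[0] in sensitive]
        lo = 0
        for hi in range(len(hits)):
            while (hits[hi] - hits[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= flood_threshold:
                reasons.add("http_flood")
                break

        # Spidering: many distinct paths, each fetched roughly once.
        distinct = {r["path"] for r in recs}
        if len(distinct) >= spider_threshold and len(distinct) / len(recs) > 0.8:
            reasons.add("spidering")

        if reasons:
            verdicts[ip] = reasons
    return verdicts


def sample_lines():
    """Constructed log lines: one flooding client, one spider, one normal user."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status=200):
        ts = (base + offset).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'

    lines = []
    # 203.0.113.5: 25 POST /login within 5 seconds (assumed flood).
    lines += [line("203.0.113.5", timedelta(milliseconds=200 * i), "POST", "/login", 401)
              for i in range(25)]
    # 198.51.100.7: 20 distinct assets in 20 seconds (assumed spidering).
    lines += [line("198.51.100.7", timedelta(seconds=i), "GET", f"/img/{i}.png")
              for i in range(20)]
    # 192.0.2.10: an ordinary visitor.
    lines += [line("192.0.2.10", timedelta(seconds=3), "GET", "/"),
              line("192.0.2.10", timedelta(seconds=9), "GET", "/login"),
              line("192.0.2.10", timedelta(seconds=15), "POST", "/login", 302)]
    return lines


if __name__ == "__main__":
    for ip, why in sorted(analyse(sample_lines()).items()):
        print(ip, sorted(why))
```

A sliding window rather than a fixed per-minute bucket is used so that a burst straddling a bucket boundary is still counted; in production the same logic would run as a streaming job feeding a rate limiter or a WAF block list rather than over a finished file.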

Historical Malware Examples

Elk Cloner (First Virus, 1982)

Infected Apple II systems via boot sectors on floppy disks. It activated on the 50th boot and displayed a poem.

Brain Virus (First IBM PC Virus)

A boot-sector virus infecting floppy disk boot sectors. It was intended to protect the authors’ software from piracy but infected many computers, providing contact information for “vaccination” services.

Stoned Virus

One of the most widely copied viruses ever. It was simple but persistent, infecting all disks and rewriting itself to the Master Boot Record (MBR) on every reboot.

Michelangelo Virus

A destructive boot-sector virus activated on March 6 (Michelangelo’s birthday), which caused media panic due to its potential to wipe entire hard drives.

Prevention and Mitigation

Effective defense strategies include:

  • Keeping systems patched and updated.
  • Disabling macros by default.
  • Enforcing the principle of least privilege.
  • Implementing ingress/egress filtering.
  • Using rate limiting.
  • Blocking unnecessary ports and services.

DDoS Prevention

Mitigation techniques involve filtering spoofed IPs, using TCP SYN cookies, rate-limiting, deploying CAPTCHAs, and utilizing global mirroring via Content Delivery Networks (CDNs).
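SYN cookies address the SYN flood described in the DoS section: instead of storing a half-open connection for every SYN, the server encodes the connection parameters into the initial sequence number of its SYN/ACK, so state is created only when a client completes the handshake with a valid ACK. The simulation below is an added example and is not the notes' own material: the cookie layout (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash) follows the classic scheme in outline, while the secret, the addresses and the counter granularity are assumptions chosen for the demonstration.

```python
"""SYN-cookie handshake simulation (added example, not from the notes)."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"   # real stacks use a random, rotating key
MSS_TABLE = (536, 1220, 1440, 1460)   # 3-bit index -> encoded MSS
MASK32 = 0xFFFFFFFF


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!4sH4sHI",
                      ipaddress.ip_address(src_ip).packed, src_port,
                      ipaddress.ip_address(dst_ip).packed, dst_port, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now):
    """Build the SYN/ACK initial sequence number; nothing is stored server-side."""
    counter = int(now) >> 6          # 64-second epochs bound cookie lifetime
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i              # largest table entry not above client MSS
    return ((counter & 0x1F) << 27) | (mss_idx << 24) \
        | _mac(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now):
    """Return the encoded MSS if the cookie is valid and recent, else None."""
    current = int(now) >> 6
    for counter in (current, current - 1):     # accept this epoch and the last
        if (counter & 0x1F) != cookie >> 27:
            continue
        if _mac(src_ip, src_port, dst_ip, dst_port, counter) == (cookie & 0xFFFFFF):
            return MSS_TABLE[(cookie >> 24) & 0x7]
    return None


class SynCookieServer:
    def __init__(self, ip="192.0.2.1", port=443):
        self.ip, self.port = ip, port
        self.established = {}        # only fully handshaken connections live here

    def on_syn(self, src_ip, src_port, mss, now):
        """Answer a SYN with a cookie ISN; no per-SYN state is kept."""
        return make_cookie(src_ip, src_port, self.ip, self.port, mss, now)

    def on_ack(self, src_ip, src_port, ack_num, now):
        """The client's ACK acknowledges ISN+1; recover and verify the cookie."""
        cookie = (ack_num - 1) & MASK32
        mss = check_cookie(cookie, src_ip, src_port, self.ip, self.port, now)
        if mss is not None:
            self.established[(src_ip, src_port)] = mss
        return mss

    def pending_state(self):
        """Half-open connections held for unfinished handshakes: always zero."""
        return 0


if __name__ == "__main__":
    srv = SynCookieServer()
    # A flood of SYNs that are never acknowledged costs the server no table entries.
    for port in range(1024, 1024 + 10000):
        srv.on_syn("203.0.113.5", port, 1460, now=1000.0)
    print("half-open entries:", srv.pending_state(), "established:", len(srv.established))
    # A legitimate client completes the handshake and is admitted with its MSS.
    isn = srv.on_syn("198.51.100.7", 40000, 1460, now=1000.0)
    print("accepted MSS:", srv.on_ack("198.51.100.7", 40000, (isn + 1) & MASK32, now=1001.0))
```

The trade-off the notes hint at with "TCP cookies" is visible in the code: the server forgets any TCP options it cannot squeeze into the 32-bit ISN (only a coarse MSS survives here), which is why real stacks enable SYN cookies only once the backlog is under pressure rather than permanently.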