Lesson 35 of 214
In Progress

Malware classification

Christophe November 29, 2021

This lesson isn’t a requirement for the CompTIA Security+ exam, meaning that we’re going beyond the scope of this exam for a few minutes, but I wanted to include it because I believe that this is helpful and practical knowledge that you can apply to your personal life but also on the job. So if you’re not interested, feel free to complete this lesson and move on to the next, but if you are interested, let’s dive in.

Understanding malware classification

Let’s talk about understanding malware classification.

Whenever an anti-virus or anti-malware tool detects something potentially malicious, it uses a specific type of format to help you or other professionals know exactly what kind of threat you are dealing with. The format might look a little bit like this:

Type:Platform/Family.Variant!Suffixes

It won’t always look exactly like this, because as you’ll remember, not every company or tool uses the same standards, but in general, they all look pretty similar.

This format is referred to as the Computer Antivirus Research Organization (CARO) malware naming scheme, and it’s been widely adopted, even if with slight variations, just like we talked about.

For example, here are some real examples:

HEUR:Backdoor.MSIL.Broide.gen Trojan.MSIL.Broide.m!c
Code language: CSS (css)

Both of those are actually the same malware that was detected in a scan, but recognized by different tools. As you can see, it’s talking about the same malware, it’s just labeling it a tad differently.

The first label is being more specific by saying that it’s a Backdoor Trojan, while the second just says Trojan.

Let’s break it down a bit further

Type

The type of malware — which is the first thing you’ll see, helps provide an initial overview of what threat you are dealing with. Is it a type of trojan? Is it a virus? Is it a worm or backdoor or ransomware?

This label helps define that.

Platform

Next, we have the platform classification. This is used to describe the operating system that this threat is designed to work on, like specific to Windows, Linux, Android, or MacOS versions.

It can also be used to describe programming languages, macros, or file types.

In our prior example, MSIL stands for Microsoft Intermediate Language.

Family

The family classification tends to be a bit all over the place, but it’s used to try and differentiate between malware that shares a common code base.

For example, if you’ve ever heard the terms “WannaCry,” “Stuxnet,” or even “CryptoLocker,” these names do not represent types of malware — they are family names.

Stuxnet is considered a worm because of what it was designed to do. It’s obviously not the first worm to ever have existed, but it was developed in such a way that made it unique. When it was identified and researched after having been used, researchers decided to give it a family name of Stuxnet.

Variant

We also have variants. Following along with our Stuxnet example, if someone were to grab the original implementation of Stuxnet and make a few modifications, meaning that it essentially shared the same codebase with a few differences, then that would become a variant of Stuxnet.

Without getting even further into the weeds, family and variant information can be different when talking about detection versus identification of malware.

For example, detection software will typically use incremental letters and numbers or even hashes to set the variant, while malware identifiers may use actual names.

Malware named Stars, Flame, and Nitro Zeus are examples of what’s thought to be variants of Stuxnet. But if software were to detect those variants, it would probably use incremental letters, numbers, or hashes to describe them.

Example of families and variants

Suffixes

Finally, we have suffixes. Suffixes are used to provide additional details about a specific threat. For example, suffixes can be used to denote how a specific malware threat is packaged. Is it compressed? If so, it may have a suffix of !lnk if it uses that file format, which is a Windows extension which can be used to execute Powershell scripts, and those Powershell scripts could be used to download the malware itself while evading detection.

Or, as another example, a suffix might be .DLL, which represents malware that uses DLLs. DLL stands for Dynamic Link Library, which is just a simple file extension that can be used by applications in Windows to enhance functionality. In fact, if you were to browse through applications that you use on a daily basis, you would likely see a large number of DLL files stored on your computer.

Malware can use the DLL format to get transported and then executed, and in those cases, detection software may add the .DLL suffix to represent that.

Conclusion

Keep in mind that different vendors will sometimes change how they use or display this type of information. Unfortunately, there doesn’t seem to be any updated convention that everyone uses and sticks to, and it often feels like a pretty big mess. It certainly doesn’t help the media, which then amplifies the problem by commonly misusing terms or classifications, which then confuses everybody else.

All that to say — it’s entirely possible that you’ll come across different formats over time. With that said, hopefully this gave you a general sense of how to read and understand this type of information, especially as we move along and discuss malware in more detail.

While you don’t have to understand this for the exam, I thought it would be a good addition to the course because it is very useful knowledge to have.

Reference Material

Responses

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.