Malware Taxonomy
Malware is not one thing — it is a zoo, and knowing the species tells you how it spreads, hides, and gets caught.
01 Classifying by propagation and purpose
"Malware" is an umbrella for any software written to act against the interests of a system's owner. The classic categories are distinguished by how they spread and what they do, and the terms are often blurred together colloquially — a discipline worth resisting, because the distinctions guide defense.
- Virus — malicious code that attaches to a host file or program and spreads when a user runs the infected host. It requires human action to propagate.
- Worm — self-propagating code that spreads across networks on its own, exploiting vulnerabilities without needing a user to do anything. Worms cause explosive, exponential outbreaks.
- Trojan — malware disguised as something desirable. It does not self-replicate; it relies on deception to get the user to run it.
These categories are not mutually exclusive. Modern threats are modular and combine traits — a trojan that drops a worm that installs ransomware is entirely ordinary.
02 Payloads: what malware does once inside
Where the previous categories describe delivery, these describe purpose — the payload:
- Ransomware — encrypts the victim's files (and increasingly exfiltrates them first for "double extortion") and demands payment. The dominant profit-driven threat of the last decade.
- Rootkit — software designed to hide the attacker's presence, often burrowing into the operating system kernel or below it to subvert the very tools you would use to detect it.
- RAT (Remote Access Trojan) — grants the operator hands-on remote control: keystrokes, webcam, files, the lot.
- Botnet — a network of compromised machines ("bots" or "zombies") controlled en masse, rented out for spam, DDoS, or crypto-mining.
- Dropper / loader — a small first-stage program whose only job is to fetch and install the real payload, keeping the initial footprint minimal and evasive.
03 Living off the land and fileless malware
Traditional antivirus hunts for malicious files. Modern adversaries increasingly avoid leaving any. Fileless malware operates primarily in memory, never writing a recognizable executable to disk, so signature-based scanning has nothing to match.
Closely related is living off the land (LOTL): instead of bringing their own tools, attackers abuse the legitimate, trusted programs already present on the system — the so-called LOLBins (living-off-the-land binaries). Administrative and scripting tools built into the operating system are perfect cover, because a defender cannot simply block them; the business depends on them.
The stealthiest attacker does not smuggle in a weapon — they pick up the tools you already trust and turn them against you.
This shift has reshaped defense. Because there is no file to fingerprint, defenders lean on behavioral detection: watching for anomalous patterns of activity — a document spawning a scripting engine that then reaches out to the internet — rather than known-bad files. Endpoint Detection and Response (EDR) tools exist largely to catch these behavioral chains.
04 Command-and-control (C2)
Most malware is not autonomous; it needs to receive orders and send back stolen data. The channel it uses to reach its operator is command-and-control, universally abbreviated C2 (or C&C). Understanding C2 is central to defense because it is one of the most reliable places to catch an intrusion in progress.
Attackers work hard to make C2 traffic blend in. Techniques include:
- Hiding in common protocols — tunneling commands over HTTPS, or even DNS queries, so the traffic looks routine.
- Beaconing — the implant "phones home" at intervals, often with randomized timing (jitter) to avoid an obvious rhythm.
- Domain generation algorithms (DGAs) — generating a stream of pseudo-random domain names so defenders cannot simply block one fixed address.
- Redirectors and fronting — routing traffic through intermediaries so the true operator's infrastructure stays hidden.
05 Case studies: four families that defined an era
Studying real families anchors the taxonomy in history.
- Stuxnet (discovered 2010) — a breathtakingly sophisticated worm that crossed from IT into the physical world. It targeted Siemens PLCs controlling uranium-enrichment centrifuges at Iran's Natanz facility, spread via USB to bridge air-gapped networks, and chained four zero-day vulnerabilities. Widely attributed to a U.S.–Israeli operation, it proved malware could cause physical destruction.
- WannaCry (2017) — ransomware with a worm component built on EternalBlue, an SMBv1 exploit leaked from the NSA. It tore through unpatched systems worldwide in hours, crippling parts of the UK's NHS. Its spread was halted when researcher Marcus Hutchins registered a domain that acted as an accidental kill switch.
- Emotet — began around 2014 as a banking trojan, then evolved into a modular loader and botnet-for-hire that delivered other gangs' payloads (like TrickBot and Ryuk ransomware). A coordinated international law-enforcement action disrupted it in January 2021.
- Mirai (2016) — a botnet built from insecure IoT devices (cameras, routers) reachable with default credentials. It launched record-breaking DDoS attacks, including one against DNS provider Dyn that disrupted Twitter, Reddit, and Netflix. Its source code was released publicly, spawning countless variants.
⌘ Field Glossary
- Virus
- Malicious code that attaches to a host file or program and requires a user to execute the host in order to spread.
- Worm
- Self-propagating malware that spreads across networks autonomously by exploiting vulnerabilities, causing rapid, exponential outbreaks.
- Ransomware
- Malware that encrypts (and often first steals) a victim's data and demands payment for its return; the dominant profit-driven threat of the last decade.
- Rootkit
- Malware designed to conceal an attacker's presence by subverting the operating system, often at kernel level, so it can lie to detection tools.
- Living off the land (LOTL)
- An attacker technique of abusing legitimate, pre-installed system tools (LOLBins) instead of bringing custom malware, to evade file-based detection.
- Command-and-control (C2)
- The communication channel malware uses to receive orders and exfiltrate data; a prime detection point because implants must eventually phone home.
- Dropper / loader
- A minimal first-stage program whose purpose is to fetch and install the real payload, keeping the initial footprint small and evasive.
Knowledge Check
Field Assessment
01 What fundamentally distinguishes a worm from a virus?
02 Why is behavioral detection important against fileless and living-off-the-land attacks?
03 Why is command-and-control traffic considered a valuable detection opportunity?