Chapter 5: Malware — Types, Analysis, and Defense¶

Overview¶

Malicious software — malware — is one of the primary weapons in the modern attacker's arsenal and one of the most pervasive threats facing organizations and individuals. From the crude viruses of the 1980s to today's multimillion-dollar ransomware operations run by organized criminal groups, malware has evolved in sophistication, scale, and impact in ways that track the evolution of computing itself. This chapter provides a comprehensive taxonomy of malware types, surveys the history of major malware events that shaped today's threat landscape, examines how malware reaches its victims, introduces the foundations of malware analysis, and surveys the defenses available to security professionals.

5.1 Defining Malware¶

Malware (a portmanteau of malicious software) refers to any software intentionally designed to cause harm to a computer system, network, or user. This broad definition encompasses an enormous variety of programs with different mechanisms, objectives, and behaviors. What unites them is intent: malware is designed by adversaries to do something the system's legitimate owner would not authorize.

Malware can pursue many objectives simultaneously. A single piece of malware might steal credentials, use the infected machine to mine cryptocurrency, install a backdoor for future access, and encrypt files for ransom — all at once. Understanding malware requires not just knowing what it is, but what it does and how it spreads.

Definition — Malware: Any software that is intentionally designed to disrupt, damage, gain unauthorized access to, or otherwise harm a computer system, network, or user.

5.2 A Brief History of Malware¶

The history of malware is the history of computing itself, shadowing every major technological development with a corresponding evolution in malicious code.

1971 — The Creeper¶

The first program that could be considered malware was Creeper, a self-replicating experimental program created by Bob Thomas at BBN Technologies. It infected ARPANET machines, displaying the message "I'M THE CREEPER, CATCH ME IF YOU CAN!" Creeper was not malicious in intent but established the concept of a self-propagating program. Reaper, a program created to remove Creeper, is sometimes considered the first antivirus software.

1986 — Brain: The First PC Virus¶

The Brain virus, released by Pakistani brothers Basit and Amjad Farooq Alvi in January 1986, is widely regarded as the first virus for IBM-compatible personal computers. Brain targeted the boot sector of 5.25-inch floppy disks. The authors included their names, phone number, and address in the virus's code — ostensibly as an anti-piracy measure for their software business. Brain was relatively benign, causing no data damage, but it established the template for boot sector viruses.

1988 — The Morris Worm¶

The Morris Worm, created by Cornell graduate student Robert Tappan Morris, was the first worm to gain widespread media attention. It exploited vulnerabilities in Unix sendmail, fingerd, and rsh/rexec to propagate across the early internet, infecting approximately 6,000 machines (a significant fraction of the internet at the time). Morris claimed the worm was not intended to cause damage, but a programming error caused infected machines to become overloaded and unusable. Morris was the first person prosecuted under the Computer Fraud and Abuse Act.

1990s — Viruses and Early Email Worms¶

The 1990s saw an explosion of viruses spread via floppy disks and, later, email. The Melissa virus (1999) was a macro virus that spread via email, using Microsoft Word macros to mail itself to the first 50 contacts in victims' Outlook address books. The ILOVEYOU worm (2000, though discovered at the very beginning of the decade's final year) spread via email attachment, overwriting files and propagating itself to all Outlook contacts — infecting an estimated 10% of all internet-connected computers globally.

2000s — Botnets and Financial Crime¶

The 2000s established the modern cybercrime economy. The Conficker worm (2008) infected millions of Windows machines and created a massive botnet. Organized criminal groups began operating malware as a business, with ransomware (in primitive form), banking trojans, and credential-stealing malware becoming primary tools.

2010s–Present — Nation-State Weapons, Ransomware Crises, and Supply Chain Attacks¶

The 2010s were defined by the emergence of malware as a weapon of statecraft (Stuxnet, 2010), the industrialization of ransomware (CryptoLocker 2013, WannaCry 2017, REvil and Conti in the early 2020s), and sophisticated supply chain attacks (SolarWinds 2020). Modern ransomware operations are run with business-like professionalism, including customer support for victims, affiliate programs for distributing malware, and negotiation services.

5.3 Malware Taxonomy¶

Viruses¶

A computer virus is a type of malware that attaches itself to a legitimate program or file, and replicates itself by inserting copies into other programs or files when the infected file is executed. Like biological viruses, computer viruses require a host to propagate.

File infectors attach themselves to executable files (.exe, .com, .dll). When the infected executable runs, the virus first executes its own code, potentially infecting other executables on the system.

Boot sector viruses infect the master boot record (MBR) or volume boot record of a storage device. Because the boot sector executes before the operating system loads, boot sector viruses run before any OS security mechanisms are active and are particularly persistent.

Macro viruses exploit the macro scripting capabilities built into applications like Microsoft Word and Excel. When an infected document is opened and macros are enabled, the virus executes and can spread to other documents. The resurgence of macro-based malware in the 2010s (in documents delivered via phishing emails) demonstrated that this decades-old technique remains effective.

Worms¶

A worm is malware that self-propagates across networks without requiring human interaction or a host file. Worms spread by exploiting network vulnerabilities, sending copies of themselves via email, or scanning for vulnerable systems. The key distinguishing characteristic is self-propagation without user action.

Worms can spread with extraordinary speed: the SQL Slammer worm (2003) infected 75,000 systems in the first 10 minutes after release, doubling its infection count every 8.5 seconds at peak. This speed makes worms particularly dangerous, as they can compromise enormous numbers of systems before defenders can respond.

Trojans¶

A Trojan horse (or simply "Trojan") is malware disguised as legitimate or desirable software. Unlike viruses and worms, Trojans do not self-replicate — they rely on users to download and execute them, deceived by their benign appearance.

Remote Access Trojans (RATs) give attackers remote control over infected systems, typically through a command-and-control (C2) server. The attacker can view the user's screen, access the file system, activate the webcam and microphone, log keystrokes, and execute arbitrary commands.

Backdoors create persistent, covert access points into a compromised system, allowing attackers to return even after the initial exploit has been patched.

Droppers are Trojans whose primary function is to deliver and install other malware on a compromised system. A dropper may install a RAT, a ransomware payload, a botnet client, or any combination of malicious tools.

Ransomware¶

Ransomware encrypts victims' files or locks access to their systems, then demands payment (typically in cryptocurrency) in exchange for the decryption key. It is among the most destructive and profitable forms of malware in the current threat landscape.

Crypto ransomware encrypts files using strong asymmetric cryptography. Without the private key held by the attacker, decryption is computationally infeasible. When deployed against an organization's entire network — including backups — crypto ransomware can result in total data loss if no external backups exist.

Locker ransomware locks the user out of the operating system (typically displaying a full-screen lock screen) without encrypting files. Locker ransomware is generally less damaging than crypto ransomware and is more common against consumer targets.

Modern ransomware operations often employ double extortion: not only encrypting data but exfiltrating it first and threatening to publish it if the ransom is not paid. This eliminates the "restore from backup" defense — even organizations that can recover their data face the threat of data exposure.

Warning: Paying a ransomware demand is not a reliable path to data recovery. A significant percentage of organizations that pay receive a decryption tool that fails to recover all data. Additionally, paying signals willingness to pay and may invite further attacks. Consultation with law enforcement and legal counsel before paying is strongly recommended.

Spyware and Adware¶

Spyware covertly monitors user activity and collects information without the user's knowledge or consent. It may capture keystrokes, screenshots, browsing history, passwords, and personal data, sending them to a remote attacker. Commercial spyware (sometimes marketed as "stalkerware") is used in domestic abuse situations.

Adware displays unwanted advertisements, typically generating revenue for the malware author via ad impressions or click fraud. While usually more of a nuisance than a serious threat, adware can degrade system performance, expose users to malicious ads, and serve as a foothold for more serious malware.

Rootkits¶

A rootkit is a collection of tools that allow an attacker to maintain privileged, covert access to a system while hiding their presence from the OS, security software, and users.

User-mode rootkits operate in user space, manipulating system APIs to hide malicious processes, files, and network connections from system tools. They are detectable by tools that bypass standard APIs and directly examine system structures.

Kernel-mode rootkits operate at the kernel level, modifying the OS kernel itself. They are extremely powerful and correspondingly difficult to detect and remove — in many cases, the most reliable remediation is a complete OS reinstall. The Sony BMG rootkit (2005), discovered on commercially distributed music CDs, was a user-mode rootkit installed without user consent that hid Sony's DRM software and created vulnerabilities that other malware subsequently exploited.

Botnets and Command-and-Control (C2) Infrastructure¶

A botnet is a network of compromised computers (called "bots" or "zombies") controlled by an attacker via a Command-and-Control (C2) server. Individual bots receive instructions from the C2 server and execute them — sending spam, conducting DDoS attacks, mining cryptocurrency, or distributing additional malware.

Modern botnets use sophisticated C2 architectures to avoid takedown, including peer-to-peer (P2P) C2 (where bots communicate with each other rather than a central server), domain generation algorithms (DGAs) that generate thousands of potential C2 domain names daily (making it impossible to blocklist them all in advance), and fast-flux DNS (rapidly changing the IP addresses associated with C2 domains).

Fileless Malware¶

Fileless malware operates without writing executable files to disk, instead residing entirely in memory or exploiting legitimate system tools. It uses built-in operating system utilities (such as PowerShell, WMI, and the Windows Registry) as its execution environment, making it far harder for traditional signature-based antivirus to detect. Fileless attacks often use techniques such as living off the land (LotL) — abusing legitimate system administration tools to achieve malicious objectives.

Because fileless malware leaves minimal forensic artifacts, detecting it typically requires behavioral analysis rather than file scanning.

Keyloggers¶

A keylogger records every keystroke made on an infected system, capturing passwords, credit card numbers, private messages, and any other typed content. Keyloggers may be implemented as software (running as a background process) or hardware (a physical device inserted between keyboard and computer). Software keyloggers are often components of larger malware packages (RATs, banking trojans) rather than standalone tools.

Logic Bombs¶

A logic bomb is code inserted into a legitimate program (often by a malicious insider) that executes a malicious action when specific conditions are met — typically a certain date, a certain user action, or the absence of an expected event (a "deadman switch"). Logic bombs are particularly insidious because they may lie dormant for months or years before triggering, and their code is embedded within otherwise legitimate systems.

A notable case involved a contractor at a financial institution who inserted a logic bomb that would have deleted critical files if his employment status was ever changed to inactive. The bomb was discovered during a routine code review before it triggered.

5.4 Malware Infection Vectors¶

Understanding how malware reaches victims is as important as understanding what it does after infection.

Email Attachments and Malicious Links¶

Email remains the most common initial infection vector. Phishing emails deliver malware via infected attachments (Word documents with malicious macros, PDF files with embedded exploits, ZIP archives containing executables) or via links to malicious websites that exploit browser vulnerabilities or deliver malware downloads.

Drive-By Downloads¶

A drive-by download occurs when a user visits a malicious (or compromised legitimate) website and malware is automatically downloaded and executed without any intentional action by the user. This typically exploits vulnerabilities in the browser, browser plugins (historically Flash, Java), or the operating system. The user may see nothing unusual — the infection happens silently.

USB Drop Attacks¶

Physically planting infected USB drives in locations where targets are likely to find and plug them in is an effective and well-documented technique. As discussed in Chapter 2, the curiosity and opportunism of users makes USB drop attacks surprisingly effective. BadUSB attacks take this further — the USB device presents itself to the OS as a keyboard and automatically types malicious commands.

Malvertising¶

Malvertising involves injecting malicious advertisements into legitimate advertising networks. Because major websites serve third-party ads through ad networks with limited vetting, malicious ads can appear on high-traffic, reputable sites. When users view or click these ads, they may be redirected to exploit kit pages or have malware silently delivered through browser exploits.

Supply Chain Attacks¶

A supply chain attack compromises software or hardware at some point in its development, distribution, or delivery — before it reaches the end user. The victim's organization trusts the compromised software (because it appears to come from a legitimate vendor) and installs it voluntarily. The SolarWinds Orion attack (2020) involved attackers compromising SolarWinds' software build process, inserting malware into a software update distributed to approximately 18,000 organizations, including numerous U.S. government agencies.

Supply chain attacks are particularly dangerous because they undermine the fundamental assumption that software from trusted vendors is safe.

5.5 Malware Analysis Fundamentals¶

Malware analysis is the discipline of examining malicious software to understand its behavior, capabilities, indicators of compromise, and origin. There are two fundamental approaches.

Static Analysis¶

Static analysis examines malware without executing it. Analysts examine the file's binary contents, disassembled code, strings, file headers, import tables, and other characteristics without running the program. Tools used in static analysis include:

File hash identification: Computing the MD5, SHA-1, or SHA-256 hash of the file and checking it against threat intelligence databases like VirusTotal
String extraction: Searching the binary for readable strings (file paths, registry keys, URLs, IP addresses) that reveal the malware's intended actions
Import analysis: Examining which OS functions the malware calls (e.g., CreateRemoteThread, RegSetValueEx, WSAConnect) reveals its capabilities
Disassembly: Tools like IDA Pro, Ghidra (developed by the NSA), and Binary Ninja convert machine code back to assembly language for human analysis

Static analysis is safe (no code execution), but modern malware uses obfuscation, packing, and encryption to hide its true code from static analysis.

Dynamic Analysis¶

Dynamic analysis executes the malware in a controlled environment (a sandbox) and observes its behavior. This reveals what the malware actually does — what files it creates or modifies, what registry keys it touches, what network connections it makes, what processes it spawns. Tools used include:

Sandboxes: Automated malware analysis systems like Cuckoo Sandbox, Any.run, or commercial solutions that automatically execute and analyze samples
Process monitors: Tools like Sysinternals Process Monitor (Windows) capture every file system, registry, and process event in real time
Network traffic capture: Wireshark or other packet capture tools reveal C2 communication, data exfiltration, and lateral movement attempts
API monitors: Hook API calls to observe the exact sequence of OS interactions the malware performs

Dynamic analysis is highly effective but requires isolation — executing malware outside a sandbox on a production network would result in actual infection.

5.6 Defenses Against Malware¶

Defense against malware is a multilayered problem requiring technical controls at multiple levels, combined with user training and sound operational procedures.

Antivirus and Endpoint Detection and Response (EDR)¶

Traditional antivirus software detects malware by comparing file hashes and byte sequences against a database of known malware signatures. While still useful for catching well-known threats, signature-based detection is ineffective against new malware, fileless malware, and heavily obfuscated samples.

Modern Endpoint Detection and Response (EDR) platforms extend antivirus capabilities with behavioral analysis, memory scanning, exploit detection, and forensic telemetry. EDR tools (from vendors such as CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black) monitor process behavior, detect indicators of attack (IoAs) rather than just indicators of compromise (IoCs), and enable rapid investigation and containment of incidents.

Application Whitelisting¶

Application whitelisting (also called application allowlisting) takes a fundamentally different approach: instead of trying to identify and block all bad software, it permits only explicitly approved software to execute. This is highly effective against malware but operationally challenging in environments with large, diverse software inventories. Windows AppLocker and Windows Defender Application Control (WDAC) are Microsoft's implementations of application whitelisting.

Sandboxing¶

Running untrusted code in an isolated sandbox — a controlled environment that limits what the code can do and monitors its behavior — is both a defensive and an analytical tool. Email security gateways commonly sandbox attachments before delivery, executing them in a safe environment to observe behavior before deciding whether to deliver them.

Network Segmentation¶

Network segmentation divides a network into isolated zones, limiting the ability of malware to spread laterally. If a workstation in the accounting department is infected, proper segmentation prevents the malware from accessing servers in the HR, engineering, or executive zones. The principle of "assume breach" — designing networks as if a compromise is inevitable — drives the adoption of Zero Trust architectures in which no implicit trust is granted based on network location.

User Training¶

No technical control can fully compensate for users who click on malicious links, open infected attachments, or plug in unknown USB drives. Security awareness training (as discussed in Chapter 3) specifically addressing malware delivery vectors — particularly phishing, suspicious attachments, and USB media — is an essential complement to technical controls.

Backups and Recovery Planning¶

For ransomware in particular, the most critical defensive measure is a robust backup strategy. The 3-2-1 backup rule provides a useful framework: maintain at least 3 copies of data, on 2 different types of media, with 1 copy stored offsite (or offline). Offline or air-gapped backups are particularly important — network-accessible backups are often encrypted by ransomware before files on the primary system. Regular backup restoration testing ensures that backups are actually usable when needed.

5.7 Real-World Malware Case Studies¶

WannaCry (2017)¶

WannaCry was a ransomware worm that spread globally in May 2017, infecting more than 200,000 systems in 150 countries within days. It exploited EternalBlue, a vulnerability in the Windows SMB protocol that had been discovered by the NSA (and subsequently leaked by the Shadow Brokers hacking group). WannaCry encrypted files and demanded $300 in Bitcoin, later increasing to $600.

The attack had devastating real-world consequences: it shut down approximately one-third of National Health Service (NHS) trusts in the United Kingdom, forcing hospitals to cancel appointments, divert ambulances, and return to paper records. The attack was attributed by the U.S., UK, and Australian governments to North Korean state-sponsored hackers (the Lazarus Group). A kill switch was accidentally discovered by security researcher Marcus Hutchins, who registered a domain name hard-coded into the malware — WannaCry checked for this domain and stopped propagating if it existed.

WannaCry's success stemmed primarily from its exploitation of unpatched systems: Microsoft had released patch MS17-010 two months before the outbreak, but many organizations (particularly those running legacy Windows XP, for which Microsoft initially provided no patch) had not applied it.

NotPetya (2017)¶

NotPetya appeared shortly after WannaCry and, while superficially similar, was fundamentally different in purpose. NotPetya was not ransomware designed to generate revenue — it was a destructive wiper masquerading as ransomware. It overwrote the master boot record and file tables, rendering infected systems unbootable and permanently destroying data. No decryption was possible, and recovery required complete system rebuilds.

NotPetya was initially distributed via a compromised update to M.E.Doc, Ukrainian accounting software used by virtually every business operating in Ukraine — a supply chain attack. It then spread laterally using EternalBlue and credential theft via a Mimikatz-like component.

The collateral damage was staggering. Companies caught in the blast radius included Maersk (the world's largest shipping company, which lost all of its ~45,000 PCs and 1,000 applications, costing an estimated $300 million), pharmaceutical giant Merck ($870 million), FedEx/TNT ($400 million), and Mondelez International ($188 million). Total damages are estimated at over $10 billion. NotPetya is widely regarded as the most destructive cyberattack in history and was attributed to Russian military intelligence (GRU).

Stuxnet (2010)¶

Stuxnet represents a watershed moment in the history of malware: the first publicly known cyberweapon designed to cause physical damage to real-world infrastructure. Discovered in 2010, Stuxnet targeted Siemens programmable logic controllers (PLCs) that controlled centrifuges at Iran's Natanz uranium enrichment facility. It caused the centrifuges to spin at destructive speeds while reporting normal operation to monitoring systems, physically destroying approximately 1,000 centrifuges.

Stuxnet was extraordinary in its sophistication: it exploited four zero-day vulnerabilities simultaneously (an unprecedented number), used two stolen digital certificates for code signing, and included multiple propagation mechanisms. It was evidently developed with significant nation-state resources and intelligence — later reporting attributed it to a joint U.S.–Israeli operation codenamed "Olympic Games."

Emotet¶

Emotet began in 2014 as a simple banking trojan, evolved into one of the most sophisticated and dangerous malware operations in history. By 2019–2020, Emotet had evolved into a malware-as-a-service (MaaS) platform — its operators rented access to their botnet to other criminal groups, delivering Ryuk ransomware, TrickBot, and other payloads to compromised systems.

Emotet was spread primarily through highly convincing phishing emails that used actual email reply chains stolen from infected machines — creating spear-phishing messages that appeared to be legitimate replies to real prior conversations. Its polymorphic design constantly changed the binary's signature, defeating traditional antivirus detection.

Emotet was disrupted in January 2021 by a coordinated international law enforcement operation (involving Europol, Eurojust, and authorities from eight countries) that seized its command-and-control infrastructure. However, Emotet re-emerged in late 2021, demonstrating the resilience of sophisticated criminal operations.

Key Terms¶

Term	Definition
Malware	Software intentionally designed to harm, disrupt, or gain unauthorized access to a computer system
Virus	Malware that replicates by inserting copies of itself into other programs or files
Worm	Self-propagating malware that spreads across networks without requiring a host file or user action
Trojan (Trojan Horse)	Malware disguised as legitimate software that relies on users to execute it
RAT (Remote Access Trojan)	A Trojan providing attackers with remote control over infected systems
Ransomware	Malware that encrypts or locks data and demands payment for restoration
Crypto Ransomware	Ransomware that uses strong encryption to make files inaccessible
Rootkit	Malware designed to maintain privileged, covert access while hiding its presence
Botnet	A network of malware-infected computers (bots) controlled by an attacker
C2 (Command-and-Control)	The infrastructure used by attackers to communicate with and issue commands to compromised systems
Fileless Malware	Malware that operates in memory or via legitimate OS tools without writing executable files to disk
Keylogger	Malware that records keystrokes to capture sensitive input
Logic Bomb	Malicious code embedded in a legitimate program that executes when specific conditions are met
Spyware	Malware that covertly monitors user activity and transmits collected data to attackers
Adware	Malware that displays unwanted advertisements
Drive-By Download	Automatic malware download triggered by visiting a malicious or compromised website
Malvertising	Delivering malware through malicious advertisements in legitimate ad networks
Supply Chain Attack	Compromising software or hardware during development/distribution before it reaches the target
EternalBlue	An NSA-developed exploit for a Windows SMB vulnerability, leaked and used in WannaCry and NotPetya
Static Analysis	Examining malware without executing it (code, strings, structure)
Dynamic Analysis	Analyzing malware by executing it in a controlled environment and observing its behavior
EDR (Endpoint Detection and Response)	Advanced endpoint security platform combining detection, investigation, and response capabilities
Application Whitelisting	A security model permitting only explicitly approved applications to execute
3-2-1 Backup Rule	3 copies of data, on 2 different media, with 1 copy stored offsite or offline
Double Extortion	Ransomware technique combining encryption with data theft and threat of publication

Review Questions¶

Conceptual: Explain the difference between a virus, a worm, and a Trojan horse. For each type, describe the specific mechanism by which it spreads, and provide an example of why an organization's defense strategy needs to address all three differently.
Applied: A company's incident response team receives an alert that multiple workstations on the finance floor are rapidly encrypting files on shared network drives. Based on this behavior, what type of malware is most likely involved? What immediate actions should the team take in the first 15 minutes?
Conceptual: Explain the concept of "fileless malware." What makes it harder to detect than traditional file-based malware, and what class of defensive tools is most effective against it?
Applied: An organization wants to protect itself against ransomware. Propose a layered defense strategy addressing: (a) prevention (stopping the malware from executing), (b) detection (identifying infection quickly), and (c) recovery (restoring operations without paying ransom). Be specific about the controls at each layer.
Conceptual: What is a supply chain attack, and why is it particularly difficult to defend against? Using the SolarWinds example, explain the attack's path from initial compromise to victim infection.
Applied: A malware analyst receives a suspicious executable file. They cannot run it on a production machine. Describe the sequence of static and dynamic analysis steps they would perform to understand the file's purpose, capabilities, and indicators of compromise.
Conceptual: Explain how Command-and-Control (C2) infrastructure works in a botnet. Why do sophisticated attackers use techniques like domain generation algorithms (DGAs) and fast-flux DNS in their C2 infrastructure?
Applied: Comparing WannaCry and NotPetya, both used EternalBlue and appeared superficially similar. What was fundamentally different about their goals and impacts? What lesson does this comparison hold for incident responders who must decide how to respond to a suspected ransomware outbreak?
Conceptual: What is the "double extortion" ransomware technique, and why does it undermine the traditional "restore from backup" response to ransomware? What additional defensive measures are needed to address the double extortion model?
Reflective: The Stuxnet case demonstrated that malware can cause physical damage to real-world infrastructure. How does this change the stakes of cybersecurity as a discipline? What industries or types of infrastructure do you think are most at risk from Stuxnet-style attacks today, and why?