Malware Families

Malware Families

Malware is broadly categorized by its primary purpose or delivery mechanism. Recognizing family characteristics helps prioritize analysis and response.

Ransomware

Ransomware encrypts victim files and demands payment for the decryption key. It is currently the most financially significant malware category.

Key Characteristics

File encryption: AES or ChaCha20 for bulk data; RSA or ECC to protect the per-victim key
Shadow copy deletion: vssadmin delete shadows /all /quiet is nearly universal
Ransom note: dropped as README.txt, DECRYPT_FILES.html, etc.
Extension modification: .locked, .encrypted, family-specific extensions (.ryuk, .conti)
Network propagation: modern ransomware (Ryuk, Conti, BlackCat) spreads laterally via SMB, RDP, or domain admin access before encrypting

Analysis Focus

Identify the encryption algorithm and key management scheme
Look for network communication to a key-exchange server
Document which file types are targeted (often skips .exe, .dll)
Identify what’s excluded (system directories, recovery tools, the ransomware binary itself)

Examples

Conti, LockBit, BlackCat (ALPHV), Ryuk, WannaCry

Remote Access Trojans (RATs)

RATs give an attacker remote control over an infected system: shell access, file transfer, keylogging, screen capture.

Key Characteristics

C2 communication: beaconing to a command-and-control server over HTTP(S), IRC, DNS, or custom protocols
Persistence: registry run keys, scheduled tasks, service installation
Capabilities: remote shell, file browser, keylogger, screenshot/webcam capture, credential theft

Analysis Focus

Identify the C2 protocol and extract the server address (often hardcoded or obfuscated)
Decode the configuration structure (many RATs store config in an encrypted blob)
Map capabilities to MITRE ATT&CK techniques

Examples

AsyncRAT, njRAT, QuasarRAT, DarkComet, Remcos

Infostealers

Infostealers harvest credentials, cookies, and sensitive data and exfiltrate it to the attacker.

Key Characteristics

Browser targeting: reads SQLite databases for saved passwords and cookies (Login Data, Cookies)
Clipboard monitoring: captures cryptocurrency wallet addresses
FTP/email credential theft: reads config files from FileZilla, Thunderbird, Outlook
Short dwell time: often runs, exfiltrates, and exits within seconds

Analysis Focus

Identify which applications are targeted
Find the exfiltration endpoint (HTTP POST, Telegram bot, SMTP)
Decode the data format being transmitted

Examples

RedLine, Vidar, Raccoon Stealer, AgentTesla

Droppers and Loaders

Droppers and loaders are delivery mechanisms — their job is to get a payload onto the system and execute it.

Key Characteristics

Dropper: writes the payload to disk, then executes it
Loader: injects the payload directly into memory without touching disk (fileless)
Stager: downloads the payload from a remote server on execution
Obfuscation: heavily obfuscated to bypass AV detection; the malicious payload may be encrypted within a benign-looking document

Analysis Focus

Find and extract the embedded payload
Identify the injection technique (process hollowing, DLL injection, reflective loading)
Analyze the payload separately after extraction

Examples

Emotet (loader), Bazar Loader, GuLoader, Qbot

Rootkits

Rootkits hide the presence of malware by intercepting OS calls that would reveal it.

Key Characteristics

User-mode rootkits: hook Win32 API functions (SSDT hooking, IAT patching) in each process
Kernel-mode rootkits: load as a driver and intercept kernel functions directly (DKOM — Direct Kernel Object Manipulation)
Bootkit: infects the Master Boot Record or UEFI firmware, running before the OS

Analysis Focus

Rootkits are best detected by comparing the OS’s view (what the rootkit shows) against a trusted view (memory forensics, hardware-based analysis)
Look for discrepancies between ps aux and /proc contents, or between netstat and raw socket lists

Examples

Necurs (Windows), Azazel (Linux), LoJax (UEFI bootkit)

Botnets

Botnets are networks of compromised machines (bots) controlled by a single operator. Individual bots may perform DDoS, send spam, mine cryptocurrency, or serve as proxies.

Key Characteristics

C2 infrastructure: centralized (IRC, HTTP panel) or decentralized (P2P, DGA-based)
Domain Generation Algorithms (DGA): generate thousands of candidate C2 domains daily; the operator registers a few, the bot tries all of them
Persistence and resilience: designed to survive reboots and C2 takedowns

Analysis Focus

Reverse-engineer the DGA to predict future C2 domains (useful for sinkholing)
Identify the bot’s capabilities module list
Analyze the C2 protocol to understand operator commands

Examples

Mirai (IoT), Emotet (spam/loader), Trickbot

YARA for Classification

Once you understand a malware family, you can write YARA rules to automatically classify new samples:

rule Ransomware_ShadowCopy_Deletion {
    meta:
        description = "Detects vssadmin shadow copy deletion, common in ransomware"
        author = "CS 492/592 Malware Analysis"
    strings:
        $s1 = "vssadmin" ascii wide nocase
        $s2 = "delete shadows" ascii wide nocase
        $s3 = "/all" ascii wide nocase
    condition:
        all of them
}

Good YARA rules balance specificity (few false positives) with generality (catches variants). Test your rules against large corpora like MalwareBazaar to measure false positive rates.

Useful Resources

MalwareBazaar — tagged sample repository
VX Underground — malware samples and papers
MITRE ATT&CK Software — technique mappings by malware family
Ransomware.live — current ransomware group tracking
theZoo — historical malware samples for study