New malware classification system

04 Nov 2004

minute read

Authors

Yury Mashevsky

Kaspersky Lab is currently switching to a new malware classification system

Malware (short for malicious software) refers to any program that is deliberately created to perform an unauthorized, often harmful, action.

.

The new system will make it easier to navigate the virus descriptions.

Naming of malicious programs

Each malicious program is given a name which has several parts.

Any program which is given a name containing the term VirWare, TrojWare, MalWare, RiskWare, AdWare or PornWare will be a malicious program.

The name of each malicious program can be broken down in the following way:

Verdict: verdict clarification

Verdict clarification includes the following categories:

Behaviour[-Sub-behaviour].OS.Name[-Modification:]

Verdict: this is an umbrella description which covers the main characteristics of a virus sample: VirWare, TrojWare, MalWare, RiskWare, AdWare, PornWare, SPAM, or Attack.

Behaviour: this defines the malicious program’s payload. Backdoor, Virus etc. are all examples of Behaviour. A less threatening behaviour will be subsumed by the most threatening behaviour. For example, if a program has a backdoor function, but also infects files, the behaviour will be classified as Virus. If in addition to these behaviours, the malicious program spreads via network connections, the behaviour will be classified as Worm.

Sub-behaviour: this category is only used if the malicious program has a sub-behavior. It defines the main behaviour further. For instance, a malicious program classified as Trojan-Spy has the sub-behaviour Spy and so on. The sub-behaviour term is separated from the behavior term by a dash.

In the case of worms, the sub-behaviour term will be a prefix to the main behaviour term: P2P-Worm, Net-Worm etc.

OS gives the operating system in which the malicious program functions eg. Win32, BAT, IRC etc.

Name: the name which the Virus Lab has given to the malicious program.

Modification: shows the different versions of a malicious program grouped under one name.

An example of a name under the new classification system would be Trojan-Dropper.Win32.Agent.a – a Trojan which drops another malicious program, operates in Win32. The Virus Lab has named this program Agent, and this particular program is modification a, the first in a series.

Names of malicious programs always include the Behaviour, OS, Name and Modification terms.

Authors

Yury Mashevsky

New malware classification system

Latest Posts

Latest Webinars

Reports

New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go.

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.

We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns

New malware classification system

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

The antivirus weather forecast: cloudy

Crimeware: A new round of confrontation begins…

Malware Miscellany, September 2009

Malware Miscellany, December 2008

Malware Miscellany, November 2008

The State of Stalkerware in 2023–2024

The dark side of Black Friday: decoding cyberthreats around the year’s biggest shopping season

Gaming-related cyberthreats in 2023: Minecrafters targeted the most

Overview of IoT threats in 2023

How cybercrime is impacting SMBs in 2023

Latest Posts

XZ backdoor story – Initial analysis

DinodasRAT Linux implant targeting entities worldwide

Android malware, Android malware and more Android malware

Threat landscape for industrial automation systems. H2 2023

Latest Webinars

The Future of AI in cybersecurity: what to expect in 2024

Responding to a data breach: a step-by-step guide

2024 Advanced persistent threat predictions

Overview of modern car compromise techniques and methods of protection

Reports

DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware

HrServ – Previously unknown web shell used in APT attack

Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

A cascade of compromise: unveiling Lazarus’ new campaign

Subscribe to our weekly e-mails