IOC and Malware

Types of Malware

  • Viruses
  • Crypto Malware
  • Ransomware
  • Worm
  • Trojan
  • Rootkit
  • Keylogger
  • Adware
  • Spyware
  • Bots
  • RAT
  • Logic bomb
  • Backdoor

Malware Attacks

Delivery – How the malware gets to the target.

Propagation – How malware spreads.

Payload – What malware does once it’s there.

Indicators of Compromise (IoC) – An artifact observed on a network or in an OS that indicates, with high confidence, a computer intrusion.
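As an added example (not part of the original notes), a small Python matcher that extracts artifacts from constructed log lines and checks them against a constructed IoC set; every indicator value, hash and log line below is a placeholder:

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed IoC set: placeholder values only, not real indicators.
IOCS: Dict[str, Set[str]] = {
    "sha256": {"0f" * 32},                       # 64 hex chars
    "domain": {"c2.example-malicious.test"},
    "ipv4": {"203.0.113.45"},                    # TEST-NET-3 documentation range
    "path": {r"c:\users\public\svchost.exe"},    # odd location for a system binary name
}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")

# Constructed sample log lines from three sources; mixed case is deliberate.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01 sysmon ProcessCreate image=C:\\Windows\\System32\\notepad.exe sha256=" + "ab" * 32,
    "2024-01-01T10:00:05 dns query=C2.Example-Malicious.TEST answer=203.0.113.45",
    "2024-01-01T10:00:09 sysmon ProcessCreate image=C:\\Users\\Public\\svchost.exe sha256=" + "0f" * 32,
    "2024-01-01T10:00:12 proxy GET http://www.example.com/ 200",
]


def extract(line: str) -> Dict[str, Set[str]]:
    """Pull candidate artifacts out of one log line, normalised to lower case."""
    return {
        "sha256": {m.lower() for m in HASH_RE.findall(line)},
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": {m.lower() for m in DOMAIN_RE.findall(line)},
        "path": {m.lower() for m in PATH_RE.findall(line)},
    }


def match_iocs(lines: List[str], iocs: Dict[str, Set[str]] = IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, value) for every hit.

    Each hit is a high-confidence signal on its own, which is what
    distinguishes an IoC from a merely suspicious artifact.
    """
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, start=1):
        found = extract(line)
        for kind, values in iocs.items():
            for v in sorted(found.get(kind, set()) & values):
                hits.append((n, kind, v))
    return hits
```

Running `match_iocs(SAMPLE_LOGS)` flags the DNS line (domain and IP) and the third process-creation line (hash and path); the benign lines produce no hits.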

Virus

Definition: A program intended to damage a computer system.


Armored Viruses

A virus that is protected in a way that makes disassembly difficult. This armors it against antivirus programs, which have trouble reaching and understanding its code.

Companion Virus

A virus that creates a new program that runs in place of the expected program of the same name.

Macro Virus

A software-exploitation virus that uses the macro feature included in many applications, such as MS Office.

Multipartite Virus

A virus that attacks the system in more than one way.

Phage Virus

A virus that modifies/alters other programs and databases.

Polymorphic Virus

A virus that changes its state/structure in order to avoid detection.

Retrovirus

A virus that attacks or bypasses the anti-virus programs installed on a computer.

Stealth Virus

A virus that attempts to avoid detection by anti-virus software and by the OS by remaining resident in memory.

Crypto Malware and Ransomware

Malware that uses cryptography as part of the attack.

Prevents users from accessing personal files or their system through encryption and demands ransom payment in order to regain access.

Ransomware authors demand that payment be sent via cryptocurrency, online payment systems, or credit card.

Examples: CryptoLocker, WannaCry, Locky, zCrypt, NotPetya

Rootkit

A clandestine (secret) computer program designed to provide continued privileged access to a computer while actively hiding its presence.

A software program that can obtain admin/root-level access and hide itself from the OS.

Examples: NTRootkit, Zeus, Stuxnet, Knark, Adore

Trojan/Trojan Horse

A harmful piece of software that looks legitimate or is bundled with legitimate applications.

Any application that masquerades as one thing in order to get past scrutiny and then does something malicious.

One of the major differences between a virus and a trojan is that a trojan does not replicate itself.

Examples: Back Orifice, Stuxnet, Zeus

Worm

Worms use the network to replicate copies of themselves to other systems or devices automatically (without human intervention).

To spread, worms either exploit a vulnerability in the target system or use social engineering to trick users into executing them.

A worm takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

Examples: ILOVEYOU, MyDoom, Storm Worm, Anna Kournikova, SQL Slammer

Logic or Time Bomb

Any code hidden within an application that causes something unexpected to happen when some criterion is met.

For example:

A programmer could create a program that always checks that her name appears on the payroll roster and, if it does not, erases the base files automatically.

Keylogger / Keystroke Loggers

Software programs or hardware devices that track activity from input devices:

  • Keys pressed on a keyboard
  • Mouse clicks
  • Screen recorders or scrapers

A form of spyware in which users are unaware that their actions are being recorded.

Typically stores the keystrokes in a file, which might be automatically emailed to the adversary or retrieved later.

Bot

Bot – An automated software program (network robot) that collects information from the web.

In its malicious form, a bot is a compromised computer being controlled remotely.

Such bots are also known as “zombie computers” because they operate under remote direction without their owners’ knowledge.

Botnet – A network of compromised computers under the control of a malicious actor.

The attackers that control botnets are referred to as “bot herders” or “bot-masters”.

Backdoor

An undocumented way of accessing a system, bypassing the normal authentication mechanisms.

An opening left in an application (usually by the developer) that allows additional access to the system or data. These should be closed before the system is moved to production.

A system can be checked for backdoors using vulnerability analysis and pentesting.

RATs (Remote Access Trojan or Remote Administration Tools)

Software that gives full remote control of a device.

Programs that provide the capability for covert surveillance or for gaining unauthorized access to a victim’s PC.

Provides an attacker with unauthorized remote access to the victim machine via specially configured communication protocols or backdoors created upon infection.

Examples: SubSeven, Back Orifice, ProRat, Turkojan, Poison Ivy

Spyware / Adware

Applications that covertly monitor online behavior without the user’s knowledge or permission.

The collected data is relayed to outside parties, often for use in advertising.

Otherwise, it does not harm the infected computer, user, or data.

There is a line between illegal spyware and legitimate data collection.

Advanced Persistent Threat (APT)

A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity.

Usually targets private organizations, states, or both, for political or business motives.

An APT requires the highest degree of covertness over a long period of time.

  • The ‘advanced’ process signifies sophisticated techniques using malware to exploit vulnerabilities in systems.
  • The ‘persistent’ process suggests that an external command-and-control system is continuously monitoring and extracting data from the targeted system.
  • The ‘threat’ process indicates human involvement in orchestrating the attack.
