EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationmalwaretaxonomyrema

Types of Malware

A systematic reference covering all eighteen malware categories — from viruses and worms to fileless threats and logic bombs — with real-world examples, detection methods, and the three-question triage framework.

Ashish Revar12 May 202618 min read7 views
Quick Bite

⚡ Quick Bite · 20s

Types of Malware: From Viruses to Ransomware

Viruses vs. worms, Trojans, ransomware — understanding spread mechanisms and data-lock tactics for modern cloud defence.

Watch this 20-second summary before diving into the full article. Sign in to earn 5 leaderboard points.

Overview

Malware is classified by what it does and how it spreads. In practice, these categories overlap constantly. WannaCry (2017) was simultaneously ransomware and a worm. Emotet started as a banking trojan, evolved into a spam botnet, and eventually operated as a dropper-for-hire platform. TrickBot functioned as a downloader, a credential stealer, and a lateral movement framework depending on which modules the operator loaded.

The value of taxonomy is triage speed. When an analyst sees vssadmin delete shadows /all in a Procmon log, the word "ransomware" triggers an immediate containment playbook. Classification is not about putting samples into neat boxes — it is about knowing which box tells you what to do next.

The Three-Question Triage Framework

Before matching a sample against a taxonomy chart, ask three questions in order:

  1. How did it arrive? (phishing, exploit, supply chain, USB)
  2. What does it do once running? (encrypt, spy, persist, spread, destroy)
  3. How does it hide? (packing, fileless, rootkit, LOLBins)

The answers place the sample in the right categories faster than scanning a full taxonomy table from top to bottom.

Refer to REMA eBook 2026, Figure 1.2 for the full three-question triage decision flowchart.

The Eighteen Categories

Virus

Parasitic: inserts its code into legitimate executables. Runs when the host file runs. Needs human action to spread (opening a file, plugging in a USB).

  • Notable family: Sality — polymorphic file infector. Disables security software, downloads secondary payloads.
  • Detection: File integrity monitoring catches modified binaries. AV signatures target polymorphic stub patterns. Procmon reveals abnormal file write volumes and registry Run key creation.

Worm

Self-propagating: copies itself across networks without a host file or user interaction. Exploits vulnerabilities or weak credentials.

  • Notable family: WannaCry (2017) — exploited EternalBlue (MS17-010) over SMBv1 port 445. Infected 230,000+ systems in 150 countries in under 48 hours.
  • Detection: IDS/IPS rules for EternalBlue traffic. Network sensors flag abnormal SMB volume. Behavioural tools detect rapid .WNCRY file creation and shadow copy deletion.

Trojan

Deception: disguises itself as useful software. Does not self-replicate. Spread through phishing, drive-by downloads, or trojanised installers.

  • Notable family: Emotet — arrived as macro-enabled Word docs via phishing. Spawned PowerShell to download modules and additional payloads.
  • Detection: Sandbox shows winword.exe → powershell.exe process chain. Email gateways flag macro-enabled attachments.

Backdoor

Persistent access: provides a covert channel for the attacker to return after initial compromise. Often custom-built with encrypted C2.

  • Notable family: Lazarus Group backdoors — used in APT campaigns (SWIFT banking heists, Sony Pictures). Custom TLS C2 with unique certificate fingerprints.
  • Detection: Login anomaly detection. JA3/JA3S TLS fingerprinting. YARA rules shared via MISP and OTX.

RAT (Remote Access Trojan)

Full remote control: desktop view, webcam, file manager, shell, keylogging.

  • Notable family: Gh0st RAT — TCP port 80 traffic that is not HTTP. Used in espionage campaigns across Asia.
  • Detection: Beaconing pattern to known C2 IPs. Memory forensics: injected DLLs. Endpoint: unauthorised webcam/microphone access events.

Ransomware

Encrypts files and demands payment. Modern variants exfiltrate data first (double extortion).

  • Notable family: Ryuk — delivered via TrickBot or phishing. AES per-file + RSA key wrapping. Targeted hospitals and municipal governments.
  • Detection: SIEM alert on vssadmin delete shadows. File monitoring: mass rename with new extension.

Rootkit

Concealment: modifies OS internals (kernel drivers, boot records, or hypervisor) to hide processes, files, registry keys, and network connections.

  • Notable family: Scranos — kernel-level rootkit with spyware capabilities. Hid its own processes while stealing browser session cookies.
  • Detection: Memory scanning for hidden kernel modules (GMER, Volatility psxview). UEFI/boot integrity verification.

Spyware

Surveillance: records keystrokes, screenshots, clipboard, browser history, GPS location, calls, and messages.

  • Notable family: Pegasus (NSO Group) — zero-click mobile exploit via iMessage. Full device compromise: mic, camera, encrypted messenger content.
  • Detection: Mobile Verification Toolkit (MVT by Amnesty International). Known C2 domain IOCs.

Keylogger

Captures keystrokes and often clipboard data, screenshots, and browser form fills. Exfiltrates via email (SMTP), FTP, or HTTP POST.

  • Notable family: Agent Tesla — .NET-based, sold on underground forums. Exfiltrates via SMTP with stolen credentials.
  • Detection: Keyboard API hooking detection (SetWindowsHookExA with WH_KEYBOARD_LL). Network: outbound SMTP/FTP with encoded credential payloads.

Botnet Agent

Joins a command-and-control network. Awaits instructions: DDoS, spam relay, credential stuffing, cryptomining.

  • Notable family: Mirai (2016) — recruited IoT devices using 61 default credential pairs. Launched 1.2 Tbps DDoS against Dyn DNS.
  • Detection: IoT device logs: unknown processes, unusual CPU load. Network: large-scale TCP SYN scanning. C2 IP blocklists.

Adware

Hijacks browsers, injects advertisements, modifies search engine settings, collects browsing habits.

  • Notable family: Fireball (2017) — 250 million infected machines globally. Hijacked browsers and could download arbitrary code.
  • Detection: Browser integrity checks (modified homepage, unauthorised extensions). Network: repeated calls to known ad-injection domains.

Dropper

Carrier: its only job is to deliver a second-stage payload that it carries embedded inside itself.

  • Notable family: Dridex — banking trojan dropper distributed via macro-enabled Office documents.
  • Detection: Process tree: winword.exe → powershell.exe → rundll32.exe. Memory: thread injection patterns.

Downloader

Same purpose as a dropper, except it fetches the payload from a remote URL instead of carrying it internally.

  • Notable family: TrickBot — modular platform. Downloaded Ryuk or Conti ransomware as its final stage.
  • Detection: Network: encrypted C2 traffic patterns. EDR: known TrickBot DLL module names.

Fileless

Operates entirely in memory. No traditional executable on disk. Abuses PowerShell, WMI, .NET reflection, or LOLBins.

  • Notable family: Astaroth — used WMI + PowerShell + bitsadmin.exe. Stole credentials from Brazilian banks.
  • Detection: Sysmon: suspicious -EncodedCommand arguments. Memory forensics: injected shellcode in system processes. EDR: abnormal WMI event subscriptions.

Wiper

Destruction, not profit. Overwrites files, MBR, or partition tables permanently. Often disguised as ransomware.

  • Notable family: NotPetya (2017) — disguised as Petya ransomware, but encryption was irreversible by design. $10B+ in global damages.
  • Detection: Disk I/O anomalies: raw MBR writes. Rapid file destruction without a functioning ransom payment mechanism.

Crimeware

Targets financial data: banking credentials, KYC documents, cryptocurrency wallets, credit card numbers.

  • Notable family: Gootkit — hooks browser sessions via man-in-the-browser to intercept banking transactions in real time.
  • Detection: Fraud detection: suspicious transactions from infected endpoints. Browser session hooking behaviour in sandbox.

Logic Bomb

Dormant until a trigger condition is met (specific date, user action, removal of an employee account). Then executes destructive payload.

  • Notable family: CIH / Chernobyl (1998) — triggered on April 26. Overwrote the first megabyte of the hard disk and flashed BIOS on some motherboards.
  • Detection: System integrity checks (BIOS hash monitoring). Event correlation: process activations tied to specific dates.

Scareware

Social engineering in software form. Displays fake virus alerts to trick the user into purchasing worthless "security software."

  • Notable family: WinFixer — persistent fake alerts claiming system infection. Sometimes bundled with actual malware.
  • Detection: Reputation services: known fake AV installer hashes. User awareness training remains the most effective defence.

Key Observation

Eighteen categories is a lot to memorise. A practical shortcut: when you pick up a new sample, use the three-question triage. The answers place the sample in the right categories faster than scanning a taxonomy chart from top to bottom.

Important: Categories are not mutually exclusive. A single sample may belong to multiple entries simultaneously. WannaCry is both a worm and ransomware. Emotet shifted from trojan to botnet to dropper over its lifetime.

Quick Reference Table

CategoryPrimary ActionSpread MechanismReal Example
VirusParasitic infectionHost file, USB, user actionSality
WormSelf-propagationNetwork exploits, weak credentialsWannaCry
TrojanDeceptionPhishing, drive-by, fake updatesEmotet
BackdoorCovert accessPost-exploitation, supply chainLazarus Group
RATFull remote controlPhishing, exploit, trojanised appsGh0st RAT
RansomwareEncrypt filesPhishing, worm, RDP brute-forceRyuk
RootkitConcealmentKernel driver, boot record, hypervisorScranos
SpywareSurveillanceZero-click exploit, targeted installPegasus
KeyloggerKeystroke capturePhishing, bundled softwareAgent Tesla
Botnet AgentC2 networkDefault credentials, exploitsMirai
AdwareBrowser hijackBundled installers, drive-byFireball
DropperPayload delivery (embedded)Phishing, trojanised installerDridex
DownloaderPayload delivery (remote)Email attachment, macro documentTrickBot
FilelessMemory-only executionPowerShell, WMI, .NET reflectionAstaroth
WiperIrreversible destructionSupply chain, lateral movementNotPetya
CrimewareFinancial data theftBrowser hookingGootkit
Logic BombConditional destructionInsider threat, embedded in codeCIH/Chernobyl
ScarewareSocial engineeringMalvertising, bundled softwareWinFixer

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Binary Physics of Memory Corruption

Two experts break down the foundations of malware analysis and reverse engineering — malware taxonomy, x86 architecture, memory layout, and stack manipulation — using simple, real-world analogies.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

MITRE ATT&CK — Malware Taxonomy

MITRE ATT&CK software catalogue listing documented malware families with techniques, tactics, and real-world usage.

reference
MalwareBazaar — Live Sample Repository

Abuse.ch repository for sharing malware samples. Search by family name to find samples matching each taxonomy category.

tool
More articlesTest your knowledge