Malware Taxonomy: Viruses, Trojans, Ransomware and More
Malware is classified by its propagation mechanism, payload behaviour, and persistence strategy, and each category presents different investigative challenges. This topic maps the major malware families, their defining characteristics, and the typical artefacts they leave on infected systems.
Malware taxonomy organises malicious software into named families based on three criteria: how it spreads (propagation mechanism), what it does once active (payload behaviour), and how it survives reboots and detection attempts (persistence strategy). The major families are viruses, worms, trojans, ransomware, spyware and adware, rootkits, and botnets, with hybrid specimens that combine traits from more than one family becoming increasingly common. For a cyber investigator, the taxonomy is not academic: each family leaves a characteristic pattern of artefacts on infected systems, and knowing which family you are dealing with tells you where to look and what evidence to preserve first.
Classifying malware correctly matters for both investigation and prosecution. The legal charge sheet, the choice of forensic tools, the scope of the search warrant, and the preservation priority all depend on understanding what the malware was designed to do. A ransomware incident and a banking trojan incident both involve malicious code on a Windows machine, but they call for different investigative sequences: ransomware demands immediate evidence preservation before decryption destroys artefacts, while a banking trojan demands network traffic capture and memory acquisition to recover credentials in transit.
The taxonomy has evolved as attackers have combined capabilities. Early viruses were purely propagating; they spread to cause damage or demonstrate capability. Modern attacks commonly deploy a dropper (trojan), which installs a rootkit (for concealment) and a bot client (for command-and-control), and may deploy ransomware as a final-stage payload after the attacker has already exfiltrated data. Understanding each component's role in that chain is the basis for reconstructing the attack timeline from forensic evidence.
By the end of this topic you will be able to:
- Distinguish the major malware families by propagation mechanism, payload, and persistence strategy.
- Identify the forensic artefacts each family characteristically leaves on Windows and Linux systems.
- Explain how hybrid malware chains multiple family behaviours and describe the investigative sequence this demands.
- Describe the cryptographic scheme used by modern ransomware and explain why decryption without the attacker's key is infeasible.
- Name the primary legal provisions under which malware deployment is prosecuted in India, the US, and the UK.
- Propagation mechanism: The method by which malware copies itself to new hosts. Viruses attach to host files; worms exploit network services autonomously; trojans rely on user deception. The propagation mechanism determines the attack surface and the network-level artefacts visible during investigation.
- Payload: The action the malware performs once active: data encryption (ransomware), credential theft (banking trojan), resource hijacking (cryptominer), or system destruction (wiper). The payload defines the harm and the type of evidence the victim needs to preserve.
- Persistence mechanism: The technique malware uses to survive a reboot or user logout. Common methods include registry run keys, scheduled tasks, Windows services, cron jobs on Linux, and boot-sector modification. Persistence artefacts are often the most durable evidence on an infected system.
- Command-and-control (C2): The channel through which an attacker sends instructions to malware on a compromised host and receives data back. C2 channels range from direct TCP connections to domain-generation algorithm (DGA) traffic, DNS tunnelling, and traffic over legitimate platforms. Network logs recording C2 traffic are primary evidence in most malware investigations.
- Rootkit: Malware designed to hide its own presence by subverting the operating system's reporting functions. User-mode rootkits hook API calls; kernel-mode rootkits modify kernel data structures. Detection requires analysis from outside the infected OS, typically via bootable forensic media or hypervisor-based inspection.
- Dropper: A malware component whose sole function is to deliver and install a secondary payload. The dropper itself may be a trojan, a malicious document, or a legitimate-looking installer. It commonly deletes itself after execution, leaving the secondary payload as the primary investigative target.
Viruses and worms: self-replicating malware
A virus is code that inserts a copy of itself into a host file (an executable, a document with macro support, or a boot sector) and relies on user action or file sharing to propagate. The host file must be executed for the virus to activate. File-infecting viruses append or prepend code to executables; macro viruses embed in office documents and run when the document is opened with macros enabled; boot-sector viruses overwrite the master boot record or volume boot record, running before the operating system loads. Each insertion type leaves specific artefacts: modified file hashes, anomalous file sizes, or boot-sector contents that do not match the baseline.
A worm requires no host file and no user action to spread. It is a standalone executable that exploits a vulnerability in a network service (a remote code execution flaw, a default credential, or an open share) to copy itself to the next host. The WannaCry worm (2017) exploited the EternalBlue vulnerability in Windows SMBv1 and infected hundreds of thousands of machines across 150 countries within days. The Conficker worm (2008) used multiple propagation methods simultaneously: MS08-067 (a Windows RPC vulnerability), weak network share passwords, and infected USB drives. Worm infections generate distinctive network artefacts: port-scanning traffic as the worm searches for new targets, outbound connection attempts on the exploited service port, and dropped copies of the worm binary in shared directories.
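The port-sweep artefact described above is the easiest worm signal to pull out of firewall or flow logs. The script below is an added example, not code from the page: it builds a constructed log in the shape `<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>` (a real NetFlow or firewall export needs its own parser), then flags any source that sent pure SYNs to many distinct hosts on one port inside a short time bucket. The thresholds are illustrative.

```python
"""Flag worm-style lateral scanning in connection logs.

Added example, not code from the page. The log lines are constructed in the
shape "<epoch> <src_ip> <dst_ip> <dst_port> <tcp_flags>"; a real firewall or
NetFlow export would need its own parser, and the thresholds are illustrative.
"""
from collections import defaultdict


def _make_sample():
    # One host sweeping tcp/445 across a /24 (the WannaCry / Conficker pattern),
    # plus ordinary traffic from two other hosts. Constructed, not captured.
    lines = [f"{1700000000 + i} 10.0.0.7 10.0.0.{i + 1} 445 S" for i in range(40)]
    lines += [f"{1700000000 + i} 10.0.0.5 10.0.0.50 443 S" for i in range(0, 40, 5)]
    lines += ["1700000010 10.0.0.6 10.0.0.9 445 S",    # one legitimate SMB session
              "1700000011 10.0.0.9 10.0.0.6 445 SA"]   # its reply, not an attempt
    return lines


SAMPLE_LOG = _make_sample()


def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags


def detect_sweeps(lines, window=60, min_targets=20):
    """Map (src, dst_port) -> distinct targets for sources that opened connections
    to at least `min_targets` distinct hosts on one port within a `window`-second
    bucket. Only pure SYNs count, so replies and established flows are ignored."""
    buckets = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port, flags = parse_line(line)
        if flags != "S":
            continue
        buckets[(src, port, ts // window)].add(dst)
    alerts = {}
    for (src, port, _bucket), targets in buckets.items():
        if len(targets) >= min_targets:
            alerts[(src, port)] = max(alerts.get((src, port), 0), len(targets))
    return alerts


if __name__ == "__main__":
    for (src, port), n in detect_sweeps(SAMPLE_LOG).items():
        print(f"{src} contacted {n} distinct hosts on tcp/{port} within one 60s bucket")
```

Fixed-size buckets are simple but can split a sweep that straddles a bucket boundary; a sliding window over per-source events is the production-grade version. The same counting logic, keyed on the exploited service port, also surfaces the outbound connection attempts a worm makes on the port it propagates over.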
Polymorphic and metamorphic variants complicate detection. A polymorphic virus encrypts its body and changes the decryption stub with each copy, so the byte signature varies. A metamorphic virus rewrites its own code entirely between generations, with no fixed signature at all. Both evade signature-based antivirus but leave behavioural artefacts: the decryption routine executes before the payload, which appears as an anomalous code sequence in memory; metamorphic engines introduce structural patterns recognisable to heuristic analysis.
Trojans: deception-based malware
A trojan (formally, a trojan horse) disguises itself as legitimate software to persuade the user to execute it willingly. Unlike a virus, it does not self-replicate; unlike a worm, it does not exploit network vulnerabilities autonomously. Its propagation depends entirely on social engineering: the user is deceived into running a file that appears to be a game, a utility, a software crack, or a legitimate installer. Once executed, the trojan installs its payload (a keylogger, a backdoor, a bot client, or a downloader) and optionally presents the expected legitimate functionality to avoid suspicion.
Remote access trojans (RATs) give the attacker interactive control of the compromised machine: file system access, camera and microphone activation, keystroke logging, and the ability to deploy further tools. Banking trojans (such as Zeus, Dridex, and Emotet) target financial credentials by injecting malicious content into banking website sessions (web injection), redirecting transactions, or intercepting one-time passwords. Information stealers harvest browser-saved passwords, cookies, and cryptocurrency wallet files and exfiltrate them to the attacker.
Trojan artefacts on a Windows host typically include: a new or modified registry run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the equivalent HKLM path) pointing to the trojan binary; a scheduled task or Windows service entry; the binary itself in a user-writable directory such as %APPDATA% or %TEMP%; prefetch files confirming execution; and network connections in SIEM or firewall logs to the attacker's C2 infrastructure. Deleted files may be partially recoverable from the volume shadow copy or unallocated disk space.
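Persistence entries are the artefact an investigator usually sees first, and most of the triage is deciding which of a few hundred Run values, tasks and services deserve a closer look. The script below is an added example, not code from the page: it works on constructed entries shaped like the output of a collector (registry Run values, a scheduled-task action, a service image path; the `ENTRIES`, `ENV` and the base64 fragment are all ours) and flags the three signals the paragraph describes: an image in a user-writable directory, a system-binary name outside System32, and a script host launched with an encoded command.

```python
"""Triage Windows persistence entries for trojan-like signals.

Added example, not code from the page. ENTRIES is a constructed sample in the
shape a collector might emit; ENV is the constructed victim's environment.
"""
import re

ENTRIES = [
    {"source": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "command": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "command": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"source": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Updater",
     "command": r"%APPDATA%\svchost\svchost.exe"},
    {"source": r"Task: \Microsoft\Windows\WinSync",
     "name": "WinSync",
     "command": r"powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
]

# Constructed environment of the victim account used to expand %VAR% references.
ENV = {"%appdata%": "c:\\users\\alice\\appdata\\roaming",
       "%localappdata%": "c:\\users\\alice\\appdata\\local",
       "%temp%": "c:\\users\\alice\\appdata\\local\\temp"}

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM32 = "c:\\windows\\system32\\"
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def image_path(command):
    """Return the executable from a command line: the quoted token, else up to .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def expand(path):
    """Lower-case and expand the %VAR% references we know about."""
    lower = path.lower()
    for var, value in ENV.items():
        lower = lower.replace(var, value)
    return lower


def triage(entries):
    """Return {entry name: [reasons]} for entries carrying at least one signal."""
    findings = {}
    for e in entries:
        path = expand(image_path(e["command"]))
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("image in user-writable location")
        if name in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM32):
            reasons.append("system binary name outside System32")
        if name in SCRIPT_HOSTS and re.search(r"\s-(enc|encodedcommand|e)\s", e["command"], re.I):
            reasons.append("script host with encoded command")
        if reasons:
            findings[e["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Note that the legitimate OneDrive entry is flagged too: per-user software lives under AppData by design, so "user-writable location" is a prompt to check the file's signature and hash against the vendor's, not a verdict. The fake `svchost.exe` under `%APPDATA%` and the hidden, encoded PowerShell task are the entries whose binaries and prefetch files go to the top of the preservation list.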
Ransomware: encryption as a weapon
Ransomware encrypts victim files and demands payment for the decryption key. Modern ransomware uses a hybrid cryptographic scheme: the malware generates a unique AES-256 (or similar symmetric) key per victim, encrypts files with that key, then encrypts the symmetric key itself with the attacker's RSA or elliptic-curve public key. The attacker's matching private key is held on infrastructure outside the victim's reach. Without that private key or a flaw in the implementation, decryption is computationally infeasible. Victims are directed to a payment address, typically cryptocurrency, in an on-screen ransom note.
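The hybrid scheme is easier to reason about in code, in particular why the victim's own machine never holds what is needed to undo the damage. The block below is an added example, not code from the page or from any ransomware family, and it uses stand-ins: Python's standard library has no AES, so the per-victim symmetric cipher is an HMAC-SHA256 counter-mode keystream, and the public-key half is textbook RSA with toy 1024-bit keys and no padding. Real families use AES-256 (CBC or GCM) wrapped with RSA-2048 or larger, or an ECIES construction, but the structure is the same: a fresh file key is generated on the victim, used, wrapped with the attacker's public key, and discarded.

```python
"""Hybrid (symmetric + asymmetric) encryption in the shape ransomware uses.

Added example, not code from the page or any real malware. Stand-ins:
- stream_xor: HMAC-SHA256 keystream in place of AES-256 (stdlib has no AES).
- rsa_keygen / textbook RSA with toy 1024-bit keys and no OAEP padding.
"""
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with trial division; sufficient for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Attacker side, done once: (public, private). The private key never leaves
    attacker-controlled infrastructure; only the public key is embedded in the malware."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def ransomware_encrypt(public_key, plaintext):
    """Victim side: fresh 256-bit file key, encrypt, wrap the key with the attacker's
    public key, return (wrapped_key, nonce, ciphertext). The file key is then dropped."""
    n, e = public_key
    file_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    ciphertext = stream_xor(file_key, nonce, plaintext)
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)   # textbook RSA, illustrative
    return wrapped_key, nonce, ciphertext


def attacker_decrypt(private_key, wrapped_key, nonce, ciphertext):
    """Attacker side, after payment: unwrap the file key with the private key, then decrypt."""
    n, d = private_key
    file_key = pow(wrapped_key, d, n).to_bytes(32, "big")
    return stream_xor(file_key, nonce, ciphertext)


def demo():
    pub, priv = rsa_keygen()
    document = b"Q3 financial statements - CONFIDENTIAL"   # constructed victim data
    wrapped, nonce, ct = ransomware_encrypt(pub, document)
    # Everything left on the victim: wrapped (RSA ciphertext), nonce, ct. No file key.
    return ct != document and attacker_decrypt(priv, wrapped, nonce, ct) == document
```

Two practical points follow from the code. First, the victim disk holds only `wrapped_key`, `nonce` and `ct`, so recovery without the private key means breaking RSA or finding an implementation flaw (a reused nonce, a predictable `file_key`, or the private key left in the binary), which is exactly what published decryptors exploit. Second, `file_key` does exist in the malware's process memory while encryption runs, which is why memory acquisition before the machine is rebooted belongs at the top of the preservation order in a live ransomware incident.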
Double extortion ransomware, which became the dominant model after 2019, exfiltrates data before encrypting it. The attacker threatens to publish the stolen data if the ransom is not paid, creating pressure independent of whether the victim has backups. Triple extortion adds a DDoS component or targets the victim's customers and partners directly. From an investigative standpoint, double extortion means there are two incident types to investigate simultaneously: the encryption event and the prior data exfiltration, which may have occurred weeks earlier.
Ransomware investigations generate cryptocurrency tracing requirements. Ransom payments on a transparent public blockchain such as Bitcoin are visible on the ledger, and blockchain analytics firms track attacker wallets across victim incidents; privacy coins such as Monero obscure sender, receiver and amount, which is why some groups demand payment in them. Attribution links are established by clustering wallet addresses used across multiple attacks, connecting payment addresses to known ransomware-as-a-service (RaaS) infrastructure, and correlating on-chain flows with exchange know-your-customer data obtained via legal process.
Spyware, adware, and stalkerware
Spyware monitors user activity and exfiltrates information without the user's knowledge or consent. Keyloggers record keystrokes (capturing passwords, messages, and documents typed); screen capturers take periodic screenshots; form grabbers intercept form submissions before they are encrypted by HTTPS. Commercial spyware such as FinFisher and the NSO Group's Pegasus operate at a higher technical level, exploiting zero-day vulnerabilities to install themselves without any user interaction and concealing their presence using rootkit techniques. Pegasus has been documented on devices in multiple countries, with confirmed targets including journalists, lawyers, and human rights defenders.
Adware generates revenue by displaying unsolicited advertising, redirecting browser searches, or injecting ads into web pages. At the lower end it is a nuisance; at the higher end it modifies browser settings, installs browser extensions without consent, and exfiltrates browsing history. Stalkerware is spyware marketed for intimate partner surveillance. It is installed on the victim's device by a person with physical access and hides its presence from the device owner. Several antivirus vendors have added stalkerware detection to their products following advocacy from domestic abuse organisations.
| Category | Primary action | Typical exfiltration target | Key forensic artefact |
|---|---|---|---|
| Keylogger | Records keystrokes | Passwords, messages | Log file in hidden directory; kernel hook in memory |
| Screen capturer | Periodic screenshots | Document contents, activity | Image files in temp directory; scheduled task or timer |
| Form grabber | Intercepts POST data | Login credentials | Browser hook; network traffic to C2 |
| Commercial spyware | Zero-click install, full access | Communications, location, media | Anomalous process, modified kernel, unexpected network traffic |
| Stalkerware | Covert on-device install | Location, calls, messages | Hidden app with admin privileges; battery drain; MDM profile |
Rootkits: hiding at the system level
A rootkit's defining function is concealment: it subverts the operating system's reporting mechanisms so that other malicious components (processes, files, network connections, registry entries) are hidden from standard tools and from the user. The level at which a rootkit operates determines both its capability and the technique required to detect it.
User-mode rootkits run with ordinary user privileges and hook userspace API calls inside the processes they inject into (for example the ntdll exports NtQuerySystemInformation or NtQueryDirectoryFile). When a tool in a hooked process calls the function to list processes or files, the rootkit intercepts the result and removes its own entries before returning the list. Because the hooks live in individual processes rather than in the kernel, user-mode rootkits are easier to implement and easier to detect: a tool the rootkit has not injected into, a comparison of the hooked view against raw kernel or on-disk data, or a scan from a bootable environment reveals the hidden entries.
Kernel-mode rootkits run at ring 0 (the kernel's privilege level) and modify kernel data structures directly. The DKOM (Direct Kernel Object Manipulation) technique unlinks a process from the kernel's process list so it does not appear in any process enumeration, even from tools with administrator privileges, because the list itself has been altered. Driver-level rootkits load as kernel drivers; on 64-bit Windows, driver signature enforcement means this takes a stolen or leaked signing certificate, a legitimately signed but vulnerable third-party driver abused to gain kernel write access, or a change to the boot configuration, and each of those leaves its own artefacts. Bootkit variants infect the master boot record or UEFI firmware and load before the OS, so they survive OS reinstalls. Detection of kernel-mode rootkits requires booting from trusted external media and analysing the disk offline, or using a virtual machine monitor (hypervisor) that sits below the infected OS and can inspect its memory state without trusting the OS.
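DKOM and the cross-view detection that answers it are worth seeing side by side. The simulation below is an added example, not code from the page or from any real rootkit: `Proc` and `FakeKernel` are our stand-ins for the Windows kernel's doubly-linked process list (the EPROCESS ActiveProcessLinks) and its pool allocator, and `pslist` and `psscan` are named after the Volatility plugins that perform the equivalent list walk and pool-tag carve on a real memory image. The process names and PIDs are constructed.

```python
"""Direct Kernel Object Manipulation (DKOM) and cross-view detection, simulated.

Added example, not code from the page or any real rootkit. Proc/FakeKernel model
the kernel's doubly-linked process list and pool allocator in plain Python;
pslist/psscan are named after the Volatility plugins that do this on a memory image.
"""


class Proc:
    def __init__(self, pid, name):
        self.pid, self.name = pid, name
        self.flink = self.blink = None     # ActiveProcessLinks analogue
        self.pool_tag = b"Proc"            # allocation tag a scanner searches for


class FakeKernel:
    def __init__(self):
        self.head = Proc(0, "<list head>")
        self.head.flink = self.head.blink = self.head
        self.pool = []                     # every allocation, linked or not

    def create(self, pid, name):
        p = Proc(pid, name)
        tail = self.head.blink
        p.flink, p.blink = self.head, tail
        tail.flink = p
        self.head.blink = p
        self.pool.append(p)
        return p

    def dkom_unlink(self, p):
        """What a ring-0 rootkit does: splice the process out of the list but
        leave the object allocated and its threads scheduled."""
        p.blink.flink = p.flink
        p.flink.blink = p.blink
        p.flink = p.blink = p              # self-loop so a later unlink on exit is harmless

    def pslist(self):
        """What in-OS tools see (Task Manager, tasklist, Get-Process): walk the list."""
        out, cur = [], self.head.flink
        while cur is not self.head:
            out.append((cur.pid, cur.name))
            cur = cur.flink
        return out

    def psscan(self):
        """What an offline memory scanner sees: carve objects by pool tag,
        ignoring the links entirely."""
        return [(p.pid, p.name) for p in self.pool if p.pool_tag == b"Proc"]


def hidden_processes(kernel):
    """Cross-view diff: anything the scanner finds that the list walk does not."""
    return sorted(set(kernel.psscan()) - set(kernel.pslist()))


def demo():
    k = FakeKernel()
    k.create(4, "System")
    k.create(612, "lsass.exe")
    evil = k.create(4120, "svchost.exe")   # the rootkit's own process; constructed
    k.dkom_unlink(evil)
    return k.pslist(), hidden_processes(k)


if __name__ == "__main__":
    visible, hidden = demo()
    print("list walk sees:", visible)
    print("hidden by DKOM:", hidden)
```

The point of the diff is that the scanner never trusts the structure the rootkit controls: it relies on the fact that the process object must still be allocated and the scheduler must still reach its threads, so it looks for the object's own signature in memory. The same idea carries over to hidden files (compare the OS directory listing against the raw filesystem) and hidden connections (compare netstat output against kernel socket objects or a network tap).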
Botnets, cryptominers, and the legal framework
A botnet is a network of compromised machines (bots or zombies) under centralised attacker control via a C2 channel. The attacker deploys a bot client on each victim machine, typically via a trojan or worm, and issues commands through the C2 infrastructure. Botnet uses include distributed denial-of-service (DDoS) attacks, spam and phishing campaigns, credential-stuffing attacks, and hosting infrastructure for further malware distribution. Historically, botnet C2 used dedicated IRC channels or HTTP-based control servers; modern botnets use domain generation algorithms (DGAs), peer-to-peer (P2P) architectures, and fast-flux DNS to make takedown more difficult.
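A domain-generation algorithm is worth seeing from both ends, because the same property that makes takedown hard (bot and operator derive today's candidate domains independently, so nothing has to be hard-coded) is what an analyst detects in resolver logs: bursts of NXDOMAIN answers for long, high-entropy names. The block below is an added example, not code from the page or from any real botnet: `toy_dga` is a hypothetical date-seeded generator, `looks_generated` is a lexical heuristic tuned to the sample, and the log lines are constructed in the shape `<epoch> <client_ip> <qname> <rcode>`.

```python
"""Domain-generation algorithm (DGA) seen from both sides.

Added example, not code from the page or any real botnet. toy_dga is a
hypothetical generator; the resolver log is constructed, and the detection
thresholds are tuned to it (expect false positives on CDN hostnames and false
negatives on wordlist-based DGAs in real data).
"""
import hashlib
import math
from collections import defaultdict
from datetime import date

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
VOWELS = set("aeiou")


def toy_dga(seed_date, count=5, tld=".net"):
    """Derive `count` candidate C2 domains from a date seed. Bot and operator run the
    same function, so the operator registers one name in advance and the bot
    finds it without ever having been given an address."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:14])
        domains.append(label + tld)
    return domains


def shannon_entropy(s):
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_generated(domain, min_len=12, min_entropy=3.0):
    """Lexical heuristic on the registrable label: long, high-entropy, and either
    vowel-starved or carrying a run of four or more consonants."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    run = longest = 0
    for c in label:
        run = 0 if c in VOWELS or not c.isalpha() else run + 1
        longest = max(longest, run)
    return vowel_ratio <= 0.35 or longest >= 4


def dga_triage(lines, min_hits=2):
    """Return {client: [names]} for clients whose NXDOMAIN queries include at
    least `min_hits` generated-looking names; the NXDOMAIN burst is the second
    half of the signal, since most of a DGA's daily candidates are unregistered."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= min_hits}


# Constructed resolver log: one ordinary client and one bot cycling through candidates.
SAMPLE_LOG = """\
1700000000 10.0.0.21 mail.google.com NOERROR
1700000001 10.0.0.21 login.microsoftonline.com NOERROR
1700000002 10.0.0.33 kqzvbnmtplwrsx.net NXDOMAIN
1700000003 10.0.0.33 jrthwqmxzpvbdlgn.com NXDOMAIN
1700000004 10.0.0.33 wpxzrkbvtnmlqsd.org NXDOMAIN
1700000005 10.0.0.33 cdn.jsdelivr.net NOERROR
""".splitlines()

if __name__ == "__main__":
    print("today's candidates:", toy_dga(date.today()))
    print("suspect clients:", dga_triage(SAMPLE_LOG))
```

Once a family's generator is reverse-engineered, defenders can run it forward (as `toy_dga` does for any date) to pre-register or sinkhole the coming days' domains, which is how several botnet takedowns have been executed; the lexical heuristic is the fallback when the generator is not yet known.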
Cryptominers (cryptojackers) hijack victim CPU and GPU resources to mine cryptocurrency for the attacker, generating revenue without the victim's consent. They are often less damaging in terms of data loss than other malware families but cause measurable performance degradation and electricity consumption. Wiper malware, at the opposite end of the payload spectrum, overwrites or deletes files with no recovery mechanism, often as sabotage by nation-state actors. The NotPetya wiper (2017), attributed to Russian state actors by multiple governments, caused an estimated $10 billion in damage globally by targeting Ukraine and spreading to multinational companies through supply-chain infection of accounting software.
The legal framework for malware-related offences varies by jurisdiction but converges on the same core prohibitions. In India, deploying malware is prosecuted under sections 43 and 66 of the Information Technology Act 2000, with cyberterrorism provisions under section 66F for attacks on critical infrastructure, read alongside offences under the Bharatiya Nyaya Sanhita 2023. In the United States, the Computer Fraud and Abuse Act (18 U.S.C. 1030) covers unauthorised access and damage to protected computers; ransomware deployment may also attract wire fraud and extortion charges. In the United Kingdom, the Computer Misuse Act 1990 (as amended by the Police and Justice Act 2006 and the Serious Crime Act 2015) covers unauthorised access, unauthorised modification, and supply of hacking tools. The Budapest Convention on Cybercrime (2001), ratified by over 60 states, provides the international framework that most of these national statutes implement, and its mutual legal assistance provisions (Articles 25 to 35, including expedited preservation of stored data and the 24/7 contact-point network) are the principal mechanism for cross-border evidence exchange in malware investigations.
Key Takeaways
- Malware is classified by propagation mechanism, payload behaviour, and persistence strategy: viruses attach to host files, worms spread autonomously over networks, trojans rely on user deception, and ransomware encrypts data for extortion.
- Modern ransomware uses a hybrid cryptographic scheme: symmetric encryption for file content, wrapped by the attacker's asymmetric public key. Without the attacker's private key or an implementation flaw, decryption is computationally infeasible.
- Kernel-mode rootkits run at ring-0 privilege and can falsify the output of tools running within the infected OS. Forensic analysis requires booting from trusted external media or using a hypervisor-based approach that inspects the system from outside its own OS.
- Hybrid attacks chain multiple malware families: a phishing email delivers a trojan dropper, which installs a rootkit for concealment, establishes botnet C2, and eventually deploys ransomware. Investigators must trace the chain in reverse from the visible payload back to the initial access vector.
- Malware deployment is a criminal offence under India's Information Technology Act 2000 and Bharatiya Nyaya Sanhita 2023, the US Computer Fraud and Abuse Act, and the UK Computer Misuse Act 1990. The Budapest Convention on Cybercrime provides the international mutual-legal-assistance framework for cross-border investigations.