M4Lw4₹3 | P4yL04d5 | 5c₹!pT5

1. Creeper, named for a character on the “Scooby Doo” cartoon show, is generally recognized as the first computer virus. It was written in 1971 by Bob Thomas of BBN Technologies and spread through DEC PDP-10 computers on ARPAnet, displaying the message, “I’m the creeper, catch me if you can!”

According to Garcia, the virus, called Creeper, was written in 1971 by Cambridge, Mass.-based BBN computer programmer Robert (Bob) Thomas. BBN, which stands for Bolt, Beranek and Newman (today Raytheon BBN Technologies), built packet switching networks for ARPANET.

2. Elk Cloner, written in 1982 by then-15-year-old Rich Skrenta of Pittsburgh, was a boot-sector virus designed to infect Apple II computers and was the first to be detected in the wild.

3. Brain, created in Pakistan in 1986 by the Pakistani brothers Basit and Amjad Farooq Alvi, was the first PC virus to be found in the wild.

The virus infects the boot sector of storage media formatted with the DOS File Allocation Table (FAT) file system.


And the first antivirus program?

Reaper, which was created to delete Creeper.



Viruses, worms, Trojans, and bots are all part of a class of software called “malware.” Malware is short for “malicious software,” also known as malicious code or “malcode.” It is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks.

There are many different classes of malware that have varying ways of infecting systems and propagating themselves. Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an email attachment or downloading a file from the Internet.

Some of the more commonly known types of malware are viruses, worms, Trojans, bots, ransomware, backdoors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser pop-up ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks.

In addition to damaging data and software residing on equipment, malware has evolved to target the physical hardware of those systems. Malware should also not be confused with defective software, which is intended for legitimate purposes but contains errors or “bugs.”

Classes of Malicious Software

Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below.


Ransomware

Ransomware is a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.


Viruses

A computer virus is a type of malware that propagates by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.


Worms

Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided. More advanced worms leverage encryption, wipers, and ransomware technologies to harm their targets.


Trojans

A Trojan is another type of malware named after the wooden horse that the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create backdoors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.


Bots

“Bot” is derived from the word “robot” and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information, such as web crawlers, or interact automatically with Instant Messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites.

Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can launch broad-based, “remote-control,” flood-type attacks against their target(s).

In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch Denial of Service (DOS) Attacks, relay spam, and open backdoors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector and are often modified within hours of publication of a new exploit. They have been known to exploit backdoors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates that damage network infrastructure; instead, they infect networks in a way that escapes immediate notice.

Advanced botnets may take advantage of common internet of things (IOT) devices such as home electronics or appliances to increase automated attacks. Crypto mining is a common use of these bots for nefarious purposes.

Distribution Channels for Malware

Advanced malware typically comes via the following distribution channels to a computer or network:

  • Drive-by download—Unintended download of computer software from the Internet
  • Unsolicited email—Unwanted attachments or embedded links in electronic mail
  • Physical media—Integrated or removable media such as USB drives
  • Self-propagation—Ability of malware to move itself from computer to computer or network to network, thus spreading on its own

For a complete listing of malware tactics from initial access to command and control, see MITRE Adversarial Tactics, Techniques, and Common Knowledge.

Ten Best Practices for Combating Malware

  1. Implementing first-line-of-defense tools that can scale, such as cloud security platforms
  2. Adhering to policies and practices for application, system, and appliance patching
  3. Employing network segmentation to help reduce outbreak exposures
  4. Adopting next-generation endpoint process monitoring tools
  5. Accessing timely, accurate threat intelligence data and processes that allow that data to be incorporated into security monitoring and eventing
  6. Performing deeper and more advanced analytics
  7. Reviewing and practicing security response procedures
  8. Backing up data often and testing restoration procedures—processes that are critical in a world of fast-moving, network-based ransomware worms and destructive cyber weapons
  9. Conducting security scanning of microservice, cloud service, and application administration systems
  10. Reviewing security systems and exploring the use of SSL analytics and, if possible, SSL decryption

Additional Terms

Advanced Persistent Threats (APT)

A set of stealthy and continuous computer hacking processes, often orchestrated by a person or persons targeting a specific entity. An APT usually targets either private organizations, states, or both for business or political motives. APT processes require a high degree of covertness over a long period of time. The “advanced” process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The “persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” process indicates human involvement in orchestrating the attack.


Adware

Software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a “pay-per-click” basis if the user clicks on the advertisement.


Backdoor

An undocumented way of accessing a system, bypassing the normal authentication mechanisms. Some backdoors are placed in the software by the original programmer and others are placed on systems through a system compromise, such as a virus or worm. Usually, attackers use backdoors for easier and continued access to a system after it has been compromised.


Bootkit

A malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
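Because a bootkit lives in the boot code rather than in a file the operating system can scan, one practical defensive check is to record a known-good hash of the MBR boot-code region and compare the sector against it later. The following Python is an added example, not code from the original page: it builds a constructed 512-byte MBR, validates the 0x55AA boot signature, lists the partition entries, and reports whether the boot code differs from a stored baseline. The sample partition layout and the fill bytes used to simulate tampering are made up for the example; the same approach applies to a volume boot record such as the FAT boot sector that Brain infected.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
PARTITION_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_fill: int = 0x90) -> bytes:
    """Build a constructed 512-byte MBR for the example (not read from a real disk)."""
    boot_code = bytes([boot_code_fill]) * PARTITION_TABLE_OFFSET
    # One active partition of type 0x0C starting at LBA 2048; the CHS fields are dummies.
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x01\x01\x00", 0x0C,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * 48          # remaining three entries unused
    return boot_code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, list partitions and hash the boot-code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PARTITION_ENTRY, sector[off:off + 16])
        if ptype != 0:                     # type 0x00 marks an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(baseline_sha256: str, sector: bytes) -> bool:
    """True when the boot code no longer matches the recorded known-good hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    tampered = build_sample_mbr(0xEB)      # same partition table, different boot code
    print("clean MBR changed?", boot_code_changed(baseline, good))
    print("tampered MBR changed?", boot_code_changed(baseline, tampered))
```

The baseline hash must be kept off the host and the sector read from a trusted environment (for example a clean boot medium), because a bootkit that already controls the layer below the operating system can return a clean-looking sector to tools running on the infected system.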

Browser Hijacker

Software that modifies a web browser’s settings without a user’s permission to inject unwanted advertising into the user’s browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue. This software often comes in the form of a browser toolbar and is received through an email attachment or file download.


Crimeware

A class of malware designed specifically to automate cybercrime. Crimeware (distinct from spyware and adware) is designed to perpetrate identity theft through social engineering or technical stealth in order to access a computer user’s financial and retail accounts for the purpose of taking funds from those accounts or completing unauthorized transactions that enrich the cyberthief. Alternatively, crimeware may steal confidential or sensitive corporate information.

Denial of Service (DOS) Attacks

Malicious attempts by one or more people to cause the victim, site, or node to deny service to its customers.

Executable File

A computer file that contains a sequence of instructions to run an automatic task when the user clicks the file icon or when it is launched via a command.


Exploit

A piece of software, a command, or a methodology that attacks a particular security vulnerability. Exploits are not always malicious in intent—they are sometimes used only as a way of demonstrating that a vulnerability exists. However, they are a common component of malware.

Instant Messaging

Applications for personal or business communication that are built around the concept of online presence detection to determine when an entity can communicate. These applications allow for collaboration via text chat, audio, video or file transfer.

Internet Relay Chat

A system for chatting that involves a set of rules and conventions and client/server software.


Keylogger

The action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware.

Malicious Crypto Miners

Software that uses system resources to solve large mathematical calculations that result in some amount of cryptocurrency being awarded to the solvers. There are two ways that mining can be performed: either with a standalone miner or by leveraging mining pools. Mining software relies on both CPU resources and electricity. Once a system has a miner dropped on it and it starts mining, nothing else is needed from an adversary perspective. The miner generates revenue consistently until it is removed.

Malicious Mobile Code

Software with malicious intent that is transmitted from a remote host to a local host and then executed on the local host, typically without the user’s explicit instruction. Popular languages for malicious mobile code include Java, ActiveX, JavaScript, and VBScript.


Payload

The part of the data transmission that could also contain malware such as worms or viruses that perform the malicious action: deleting data, sending spam, or encrypting data. While packet headers indicate source and destination, actual packet data is referred to as the “payload.”
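To make the header/payload distinction concrete, the following Python is an added example (not code from the original page). It assembles a constructed IPv4/TCP packet, walks the IP and TCP headers to find where the payload begins and ends, and then runs a simple byte-pattern match over the payload, which is the basic operation a network-based detection engine performs when it looks for malicious content. The addresses, ports, payload and signature table are all made up for the example; checksums are left at zero because nothing here puts the packet on a wire.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample payload and signature table; neither is captured traffic
# nor a real IDS rule set.
SAMPLE_PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"
SIGNATURES = {"http-get-request": b"GET / HTTP/1.0"}


def build_sample_packet(payload: bytes) -> bytes:
    """Assemble IPv4 header + TCP header + payload (checksums left at zero)."""
    tcp_header = struct.pack("!HHIIBBHHH",
                             40123, 80,      # source / destination port
                             1, 0,           # sequence / acknowledgement numbers
                             5 << 4,         # data offset: 5 words = 20 bytes, no options
                             0x18,           # flags PSH|ACK
                             65535, 0, 0)    # window, checksum, urgent pointer
    total_length = 20 + len(tcp_header) + len(payload)
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45,            # version 4, IHL 5 words
                            0, total_length,  # DSCP/ECN, total length
                            0x1234, 0x4000,  # identification; DF flag, fragment offset 0
                            64, 6, 0,        # TTL, protocol TCP, header checksum
                            IPv4Address("192.0.2.10").packed,
                            IPv4Address("198.51.100.7").packed)
    return ip_header + tcp_header + payload


def split_headers_and_payload(packet: bytes) -> dict:
    """Walk the IP and TCP headers to locate the payload bytes."""
    if packet[0] >> 4 != 4:
        raise ValueError("example handles IPv4 only")
    ihl = (packet[0] & 0x0F) * 4                      # IP header length in bytes
    total_length = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:
        raise ValueError("example handles TCP only")
    tcp = packet[ihl:]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    tcp_header_len = (tcp[12] >> 4) * 4               # data offset field, in bytes
    return {
        "src": str(IPv4Address(packet[12:16])),
        "dst": str(IPv4Address(packet[16:20])),
        "sport": sport, "dport": dport,
        "ip_header_len": ihl, "tcp_header_len": tcp_header_len,
        # everything after both headers, bounded by the IP total length, is payload
        "payload": packet[ihl + tcp_header_len:total_length],
    }


def match_signatures(payload: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all byte-pattern signatures found in the payload."""
    return [name for name, pattern in signatures.items() if pattern in payload]


if __name__ == "__main__":
    info = split_headers_and_payload(build_sample_packet(SAMPLE_PAYLOAD))
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}")
    print("payload:", info["payload"])
    print("signature hits:", match_signatures(info["payload"]))
```

Real inspection engines also have to reassemble TCP streams and handle IP options and fragmentation before matching, which is why a signature that fires on a single packet can be evaded by splitting the content across several; this example deliberately stops at the single-packet case.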

Point of Sale (POS) Malware

A type of malicious software that is used by cybercriminals to target point of sale (POS) terminals with the intent to obtain credit card and debit card information by reading the device memory from the retail checkout point of sale system. POS malware is released by hackers to process and steal transaction payment data. The card information, which is usually encrypted and sent to the payment authorization, is not encrypted by POS malware but sent to the cybercriminal.

Potentially Unwanted Programs or Applications

Software that a user may perceive as unwanted. This may include adware, spyware, or browser hijackers. Such software may use an implementation that can compromise privacy or weaken the computer’s security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, in some cases without providing a clear opt-out method.


Rootkit

Programs that hide the existence of malware by intercepting (i.e., “Hooking”) and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower to include a hypervisor, master boot record, or the system firmware. Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems.

Social Engineering

Anytime perceived trust is used to elicit information from groups or individuals, it is referred to as “social engineering.” Examples include individuals who call or email a company to gain unauthorized access to systems or information.


Spyware

Software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer’s consent, or that asserts control over a device without the consumer’s knowledge.

Web Crawlers

Programs that systematically browse the internet and index data, including page content and links. These web crawlers help to validate HTML code and search engine queries to identify new web pages or dead links.


Wiper

A type of destructive malware that contains a disk wiping mechanism such as the ability to infect the master boot record with a payload that encrypts the internal file table. Wipers render the attacked process or component useless to the end user.





Malware, short for malicious software, is defined by its malicious intent, acting against the requirements of the computer user. It includes spyware, adware, ransomware, worms, trojan horses and botnets.

Some of the world’s deadliest malware attacks are:

1. CIH Virus – 1998

The CIH virus worked by wiping data from the hard drives of infected devices and overwriting the BIOS chip within the computer, which rendered the device unusable. BIOS chips, originally manufactured by IBM for PCs, are a type of firmware used when a device is booted or turned on. This virus caused tremendous damage because the BIOS chip was not removable on many PCs, requiring the user to replace the entire motherboard.

2. Melissa Worm – 1999

The Melissa worm was a macro virus that caused millions of dollars in damages to infected PCs. The virus spread via email and was supposedly named after a Florida dancer. The virus used an enticing subject line to get its victims to open it. Once the email was opened, the virus was able to replicate and send itself to an additional 50 email addresses accessed through the originally infected computer.

3. Code Red Worm – 2001

Code Red was a computer worm that affected almost 360,000 computers by targeting PCs that were running Microsoft’s IIS web server. The worm targeted a vulnerability in Microsoft’s IIS web server using a type of security software vulnerability called a buffer overflow.

Spread of the Code Red worm.

4. Slammer Worm – 2003

In January of 2003, the Slammer worm struck 75,000 users with a DoS attack. The worm targeted a vulnerability found in Microsoft SQL and spread rapidly. Denial-of-service attacks are used by malware writers to overload a company’s network with meaningless traffic, eventually causing the network to crash. At its peak, the Slammer Worm sent 55 million database requests across the globe and is said to have spread within just 15 minutes, surpassing the speed of the Code Red Worm from 2001.

5. SoBig.F Worm – 2003

The SoBig.F worm entered a device via email; if opened, it could search the infected computer for additional email addresses and then send messages to those aliases. The worm caused $37.1 Billion in damages and is credited with bringing down freight and computer traffic in Washington D.C., as well as Air Canada. The worm’s creator still remains unknown.

6. My Doom Worm – 2004

The My Doom worm is known as one of the fastest-spreading viruses in history. It was transmitted via email. Though its creator still remains unknown, some speculate that it originated in Russia. The worm was first discovered and named by an employee at McAfee for the line “mydom” that appeared in its code.

7. Stuxnet Worm – 2010

The Stuxnet Worm entered devices through infected USB drives and thus had to be manually inserted into a device in order to spread. Once on a device, the worm would then run a check to see if the infected device had access to industrial control systems. If it did, the worm would then take control of plant centrifuges, causing them to eventually fail. The main victims of Stuxnet’s payload were Iranian nuclear plants and a uranium enrichment plant. Although not verified, some believe that the United States and Israel were responsible for the creation of the worm, in order to hamper Iranian nuclear development.

Stuxnet Diagram

8. Cryptolocker Trojan – 2013

The Cryptolocker Trojan is ransomware that encrypts its victims’ hard drives and then demands a payment. When the ransom message appears on the victim’s computer, they are given a time limit in which they must pay the ransom in order to unlock their files.

Cryptolocker Screenshot.

9. ZeroAccess Botnet – 2013

Known as one of the largest botnets in history, ZeroAccess affected over 1.9 million computers, using them to earn revenue through bitcoin mining and click fraud.

10. WannaCry Ransomware – 2017

WannaCry, the most destructive ransomware variety of 2017 (so far), hit over 150 countries and over 100,000 organizations, including major corporations and various government agencies.

Initial reports said that the United Kingdom National Health Service was infected by the ransomware, affecting up to 16 U.K. hospitals. Wanna Decryptor was a ransomware attack of unprecedented scale and sophistication. Unlike previous ransomware varieties, WannaCry uses a worm to infect other systems, spreading through an entire network.



Top 10 Malware January 2019

Overall, malware activity increased 61% from December 2018 to January 2019. Top 10 Malware activity made up 52% of malware notifications sent, a decrease of 10% from December 2018. This is the first time Top 10 Malware activity accounts for less than 60% of total malware activity since December 2017. The shift in makeup is due to a multi-month decrease in activity by the most prolific malware: Emotet, WannaCry, and Kovter.




In January 2019, the dropped, multiple, and malspam categories experienced an increase in activity, while the network category experienced a decrease. Malspam is the primary infection vector in January, absorbing Emotet, Kovter, Dridex, and NanoCore activity. Activity associated with the network vector decreased as Brambul, an infostealer, did not make the Top 10 list. This leaves WannaCry as the only malware utilizing the network vector by abusing the Server Message Block (SMB) protocol. The multiple category increased slightly due to a rise in ZeuS activity. IcedID, Pushdo, Gh0st, and Mirai notifications sustained the dropped category’s elevated activity from the previous month.



The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

Network – Malware introduced through the abuse of legitimate network protocols or tools, such as SMB or remote PowerShell.

  1. Emotet is a modular infostealer that downloads or drops banking trojans. It can be delivered through either malicious download links or attachments, such as PDF or macro-enabled Word documents. Emotet also incorporates spreader modules in order to propagate throughout a network. In December 2018, Emotet was observed using a new module that exfiltrates email content.
  2. WannaCry is a ransomware cryptoworm using the EternalBlue exploit to spread via SMB protocol. Version 1.0 has a “killswitch” domain, which stops the encryption process.
  3. Kovter is a fileless click fraud malware and a downloader that evades detection by hiding in registry keys. Reporting indicates that Kovter can have backdoor capabilities and uses hooks within certain APIs for persistence.
  4. ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.
  5. Dridex is a malware banking variant that uses malicious macros in Microsoft Office with either malicious embedded links or attachments. Dridex is disseminated via malspam campaigns.
  6. IcedID is a modular banking Trojan targeting banks, payment card providers, and payroll websites. IcedID utilizes the same distribution infrastructure as Emotet. The malware can monitor a victim’s online activity by setting up local proxies for traffic tunneling, employing web injection and redirection attacks. It propagates across a network by infecting terminal servers.
  7. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device that allows an attacker to fully control the infected device.
  8. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale DDoS attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  9. NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  10. Pushdo is a botnet that has been active since 2007 and operates as a service for malware and spam distribution. Pushdo is known to distribute the Cutwail spambot. The malware uses encrypted communication channels and domain generation algorithms to send instructions to its zombie hosts.
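The Pushdo entry above mentions domain generation algorithms (DGAs), which let a botnet's zombie hosts rendezvous with command and control infrastructure by querying many algorithmically generated names rather than one fixed domain. From the defender's side, such names tend to be long, high-entropy labels with few vowels or mixed-in digits, and a host that resolves several of them in a short window stands out. The following Python is an added example, not code from the original page or from any MS-ISAC tooling: it scores each queried name with a character-entropy heuristic and reports clients that exceed a hit count. The DNS log lines, the log format, and the thresholds (entropy 3.3, minimum label length 12, three hits) are all assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not real traffic); format is an assumption.
SAMPLE_LOG = """\
2019-01-15T10:01:02Z client=10.0.0.12 query=www.example.com type=A
2019-01-15T10:01:05Z client=10.0.0.12 query=mail.example.org type=A
2019-01-15T10:01:07Z client=10.0.0.44 query=xk3qpwvz9tmalbr.com type=A
2019-01-15T10:01:08Z client=10.0.0.44 query=qz8vmtkwpx2rlnd.net type=A
2019-01-15T10:01:09Z client=10.0.0.44 query=b7tnqkxzvplm4wr.org type=A
2019-01-15T10:01:11Z client=10.0.0.12 query=cdn.example.net type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Return the label just left of the TLD (example.com -> 'example').

    Simplification for the example: real code would consult the public
    suffix list so that names under co.uk and similar are handled correctly.
    """
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(fqdn: str, entropy_threshold: float = 3.3, min_len: int = 12) -> bool:
    """Heuristic: long, high-entropy label with few vowels or embedded digits."""
    label = registrable_label(fqdn).lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    has_digits = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= entropy_threshold and (vowel_ratio < 0.25 or has_digits)


def flag_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Map client -> count of DGA-looking queries, keeping clients at or above min_hits."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and looks_generated(m["query"]):
            hits[m["client"]] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in flag_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} DGA-like queries")
```

Entropy heuristics produce false positives on legitimate hostnames such as CDN or cloud-storage labels, so in practice the per-client count, NXDOMAIN responses for most of the queried names, and a whitelist of known services are combined before an alert is raised.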






Top 10 Malware January 2018

The MS-ISAC observed a 20% decrease in new malware infections from December 2017 to January 2018. Kovter continued to dominate the SLTT government landscape, accounting for 55% of Top 10 Malware notifications. Every month the MS-ISAC maps the Top 10 Malware observed from monitoring state and local networks to common infection vectors. This is done by using open source observations and reports on each malware type. The malspam vector continues to remain the primary entry vector, increasing by 8% in January 2018, mostly due to the high levels of Kovter. The MS-ISAC did not observe any sustained Emotet campaigns, leading to a decrease in events in January 2018. The MS-ISAC observed and verified a WannaCry 1.0 outbreak, which was the first verified activity since the first WannaCry attack in May 2017.  The malvertising vector continues a steady decline that began in October 2017. It decreased by 56% in January 2018, mostly due to the decline in CoinMiner. The addition of Mirai and Redyms to the Top 10 Malware increased the dropped vector by 48% and due to a slight increase in Zeus, the multiple vector increased by 18.




The MS-ISAC Top 10 Malware refers to the top 10 new actionable event notifications of non-generic malware signatures sent out by the MS-ISAC Security Operations Center (SOC).


Dropped – Malware dropped by other malware already on the system or by an exploit kit.

Malvertising – Malware introduced through a malicious advertisement.

Multiple – Refers to malware that currently favors at least two vectors.

Malspam – Unsolicited emails, which either direct users to download malware from malicious websites or trick the user into opening malware through an attachment.

  1. Kovter is a Trojan, which has been observed acting as click fraud malware or a ransomware downloader. It is disseminated via malspam email attachments containing malicious office macros. Kovter is fileless malware that evades detection by hiding in registry keys. Some reports indicate that Kovter infections have received updated instructions from command and control infrastructure to serve as a remote access backdoor.
  2. Emotet is a modular Trojan that downloads or drops banking Trojans. Initial infection occurs via malspam emails that contain malicious download links, a PDF with embedded links, or a macro-enabled Word attachment. Emotet incorporates spreader modules in order to propagate throughout a network. Emotet is known to download/drop the Pinkslipbot and Dridex banking Trojans. Currently, there are four known spreader modules: Outlook scraper, WebBrowserPassView, Mail PassView, and a credential enumerator.
    1. Outlook Scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out phishing emails from the compromised account;
    2. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module;
    3. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module;
    4. Credential Enumerator: a self-extracting RAR file containing a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk.
  3. WannaCry is a ransomware worm that uses the EternalBlue exploit to spread. Version 1.0 is known to have a “killswitch” domain, which stops the encryption process. Later versions are not known to have a “killswitch” domain. WannaCry is disseminated via malspam.
  4. ZeuS/Zbot is a modular banking Trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS/Zbot source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS/Zbot may actually be other malware using parts of the ZeuS/Zbot code.
  5. CoinMiner is a cryptocurrency miner that was initially disseminated via malvertising. Once a machine is infected, CoinMiner uses Windows Management Instrumentation (WMI) and EternalBlue to exploit SMB and spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence.
  6. Gh0st is a RAT used to control infected endpoints. Gh0st is dropped by other malware to create a backdoor into a device, allowing an attacker to fully control the infected device.
  7. NanoCore is a Remote Access Trojan (RAT) spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.
  8. Ursnif, and its variant Dreambot, are banking trojans known for weaponizing documents. Ursnif recently upgraded its web injection attacks to include TLS callbacks in order to obfuscate against anti-malware software. Ursnif collects victim information from login pages and web forms.
  9. Mirai is a malware botnet known to compromise Internet of Things (IoT) devices in order to conduct large-scale distributed denial of service (DDoS) attacks. Mirai is dropped after an exploit has allowed the attacker to gain access to a machine.
  10. Redyms is a click-fraud trojan that is primarily downloaded via exploit kit. Redyms has virtualization and sandbox detection and is primarily distributed in the United States.
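Several entries in both lists (Kovter, Emotet, Dridex) arrive as malspam attachments carrying malicious Office macros, so a mail gateway or endpoint check that spots macro-enabled documents regardless of their file extension is a practical first control. The following Python is an added example, not code from the original page or from MS-ISAC: it builds two constructed OOXML (zip-based) Word documents in memory, one plain and one macro-enabled, and inspects the container for the `word/vbaProject.bin` part and for a `macroEnabled` content type declaration. The document contents are minimal stand-ins, and the bytes placed in the fake VBA part are an assumption made only so that the part exists.

```python
import io
import zipfile

# Constructed minimal [Content_Types].xml; {main} is filled with the document's main part type.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="{main}"/>
</Types>"""

DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOCM_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"


def build_sample_document(with_macro: bool) -> bytes:
    """Return the bytes of a constructed .docx (or .docm when with_macro) container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES.format(main=DOCM_MAIN if with_macro else DOCX_MAIN))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a VBA project stream; only its presence matters to the check.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    return buf.getvalue()


def inspect_office_document(data: bytes) -> dict:
    """Report whether an OOXML container carries VBA macros, ignoring the file name."""
    findings = []
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_macros": False, "findings": ["not an OOXML container"]}
    names = z.namelist()
    for name in names:
        # Word, Excel and PowerPoint all store VBA in a part named vbaProject.bin.
        if name.lower().endswith("vbaproject.bin"):
            findings.append(f"VBA project part present: {name}")
    if "[Content_Types].xml" in names:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in content_types:
            findings.append("content type declares a macroEnabled main part")
    return {"ooxml": True, "has_macros": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, doc in (("plain", build_sample_document(False)),
                       ("macro-enabled", build_sample_document(True))):
        print(label, inspect_office_document(doc))
```

Checking the container rather than the extension matters because a renamed `.docm` still opens in Word and still runs its macros. Legacy binary `.doc`/`.xls` files are not zip containers and need a separate parser for their OLE streams, which is why the example reports them as "not an OOXML container" rather than as clean.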