Unambiguous terminology for different kinds of malware?

Question

I noticed in the literatures that there are no exact boundaries for numerous information security terms such as malware, virus, etc. Some people say malware i the umbrella under which viruses, worms, rootkits, and every harmful software lies. Others categorize them as totally different concepts.

First, is there a standard defining these terms in an unambiguous way?

Second, if malware is the umbrella for all harmful software, I am thinking of categorizing it into a dichotomy of exploits and executables. The former needs vulnerabilities to work and does not require the user to execute it, and the latter are self-contained which require the user to execute them. Would this would be a good taxonomy or is it flawed?

Answer 1

Malware terminology

First, is there a standard defining these terms in an unambiguous way?

Malware is a broad term that includes any software which performs malicious actions. There are several common names for various classes of malware. The specific definitions often change over time, as is the case with the term "virus". Common definitions for various forms of malware are:

• Viruses modify existing programs, "infecting" them so their execution also triggers the spread of the virus, until the computer is entirely filled up with maliciously modified software. True viruses are fairly rare now days, but the term continues to be used synonymously with malware.
• Trojans disguise themselves as harmless programs, such as video games or screen savers. They require user interaction to execute. These are common in torrents.
• Worms spread by themselves through the network, often by exploiting software vulnerabilities in networking services. A worm that exploits popular software can spread extremely rapidly. One of the early worms, SQL Slammer, a 376 byte program, infected 75,000 computers within the first 10 minutes. It slowed down the entire internet just as a result of the aggressive replication.
• Rootkits are self-hiding privilege escalation toolkits. They are designed to embed themselves in a system with a high privilege level, ensuring that nothing that runs on the computer can detect it. Rootkits are often able to completely evade antivirus software. Rootkits that infect the boot process to hijack the system early during system start are often called bootkits.
• Ransomware is old, but has gained popularity recently. Simple ransomware simply locks the victim's computer until a ransom is paid. More modern and sophisticated ransomware actually encrypts files and refuses to decrypt until a ransom is paid. These programs often make little effort to avoid removal, as their job is done as soon as they execute for the first time.
• Spyware is any class of malicious software that monitors a user's private activities and reports it back to the owner of the spyware. It can be used by anyone from stalkers to identity thieves.
• Adware is among the least harmful forms of malware. Adware includes any software that displays or injects advertisements on a computer. It is considered malicious when it is installed without consent, or makes attempts to avoid removal. It is commonly implemented as browser toolbars.

Malware can belong to multiple classes. A program that spreads over the network and embeds itself in the kernel for persistence would be both a worm and a rootkit, for example.

Exploits vs executables

Second, in case malware is the umbrella for all harmful softwares, I am thinking of categorizing it into a dichotomy of exploits and executables.

Exploits are not malicious. An exploit is anything that attempts to utilize a security vulnerability to violate the confidentiality, integrity, or availability of a service or task. Sophisticated malware, especially worms, may contain exploits to break security barriers to spread. However, all malware would fall under the classification of executables, as they are all software (or at least executable code, as in the case of shellcode which is not an executable file by itself, but rather is injected into a running process).

What you appear to be describing is the difference between a worm or browser exploit (able to spread with no or little interaction), and a trojan (requires user interaction to trigger infection). This taxonomy doesn't add anything to the existing situation. Improving the terminology is not particularly necessary, as these terms tend to be casual descriptions of generally malicious behavior.

Answer 2

First, is there a standard defining these terms in an unambiguous way?

Not that I know of. It is simply that the terms evolved over time as new kinds of malware emerged and others lost importance. And given that changes in the threat landscapes are still happen these terms will probably evolve in the future too. Additionally, the various terms describe different aspects: Ransomware, Adware or Spyware describe the impact, Trojan and Worm describe how it is delivered, Rootkit describes where it resides in the victim etc.

Do you think this would be a good taxonomy or flawed?

Whatever taxonomy you use will probably be either biased to a few specific aspects or will be overly complex and unusable. The taxonomy you propose concentrates on a single aspect - automatic execution vs. user-driven execution. It might fit your specific purpose but other useful aspects are how a malware gets delivered, what kind of impact it has, if it is targeted or not, what kind of systems it targets, if it is self-replicating and how etc.

Thus, the question is not if a taxonomy is good by itself. Only if the use case for a taxonomy is known one can decide if it fits this use case or not. Since your use case is unknown it is not clear if this is a good taxonomy for your use case or not. Personally I find your proposal lacking the (for me) important aspect on how the software gets to the user in the first place - but again, it might fit your unknown use case.