pk.org: Computer Security/Lecture Notes

Malware

Part 1 - Introduction to Malware and Taxonomy

Paul Krzyzanowski – 2025-11-06

Part 1: Introduction to Malware and Taxonomy
Part 2: Malware Architecture and Components
Part 3: Delivery and Initial Compromise
Part 4: Social Engineering Attacks
Part 5: Specialized Malware Components
Part 6: Defenses Against Malware


The Morris Worm: A Wake-Up Call

On November 2, 1988, Robert Tappan Morris Jr., a graduate student at Cornell University, released what would become known as the Morris Worm: the first major malware incident to capture worldwide attention. The worm exploited several vulnerabilities in VAX computer systems running the BSD variant of UNIX. It attempted to crack local passwords using dictionary attacks with 432 common passwords and account name combinations. It looked for readable .rhosts files that might grant free remote shell access to other systems. It performed a buffer overflow exploit on the fingerd daemon using the unsafe gets() function, which allowed it to load a small 99-line C program. This program would connect back to the sender and download the full worm. The worm also used the DEBUG command of sendmail, which allowed remote command execution.
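The fingerd flaw above comes down to one library call. The following is an added illustration, not code from the lecture or from the original fingerd: a stand-in for the daemon's request-reading step showing the unbounded gets() pattern next to a bounded replacement. The buffer size, the function names and the helper routines are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size request buffer, as the 1988 fingerd used (512 is an assumed size). */
#define LINE_MAX_LEN 512

/* UNSAFE pattern (the shape of what fingerd did): gets() does not know how
 * large the destination is, so a request longer than LINE_MAX_LEN bytes
 * overwrites whatever lies beyond `line` on the stack. gets() was removed
 * from the C11 standard, so it is shown only as a comment here.
 *
 *     char line[LINE_MAX_LEN];
 *     gets(line);
 */

/* Hardened reader: fgets() writes at most bufsz-1 bytes. Returns the request
 * length with the newline stripped, or -1 on EOF/error or when the request
 * did not fit (the remainder of that line is drained so the next read starts
 * on a fresh request instead of on the overflow's tail). */
int read_request(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz < 2 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';                 /* complete line: drop the newline */
        return (int)(n - 1);
    }
    if (n == bufsz - 1) {                  /* buffer filled without a newline */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                              /* discard the oversized remainder */
        buf[0] = '\0';
        return -1;
    }
    return (int)n;                         /* final line of input, no newline */
}

/* Demo helper: build a request of `len` 'A' bytes plus a newline (constructed
 * input), run it through read_request() with a LINE_MAX_LEN buffer, and
 * return read_request()'s result. The largest accepted request is
 * LINE_MAX_LEN-2 bytes, since fgets() needs room for the newline and NUL. */
int check_request_length(size_t len)
{
    char *req = malloc(len + 2);
    if (req == NULL) return -1;
    memset(req, 'A', len);
    req[len] = '\n';
    req[len + 1] = '\0';
    FILE *f = tmpfile();
    if (f == NULL) { free(req); return -1; }
    fputs(req, f);
    rewind(f);
    char buf[LINE_MAX_LEN];
    int r = read_request(f, buf, sizeof buf);
    fclose(f);
    free(req);
    return r;
}

/* Demo helper: an oversized request followed by the normal request "bob".
 * Returns the length of the second request (3), showing that draining the
 * oversized line keeps the stream in sync. */
int request_after_oversized(void)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    for (int i = 0; i < 600; i++) fputc('A', f);
    fputs("\nbob\n", f);
    rewind(f);
    char buf[LINE_MAX_LEN];
    read_request(f, buf, sizeof buf);          /* -1: too long, remainder drained */
    int r = read_request(f, buf, sizeof buf);  /* 3: "bob" */
    fclose(f);
    return r;
}

int main(void)
{
    printf("3-byte request   -> %d\n", check_request_length(3));
    printf("510-byte request -> %d\n", check_request_length(510));
    printf("600-byte request -> %d (rejected)\n", check_request_length(600));
    printf("request after an oversized one -> %d\n", request_after_oversized());
    return 0;
}
```

The point of the drain loop is that rejecting a request is not enough: if the unread tail of an oversized line were left in the stream, the next fgets() would treat it as a new request.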

The attack was devastatingly effective. The worm propagated itself onto any system it could successfully log into, and then the process repeated. The incident made front-page news in The New York Times, with a headline declaring "Author of Computer 'Virus' Is Son of N.S.A. Expert on Data Security." The worm infected thousands of systems. While it was not designed to cause harm, it failed to check whether a version of the software was already running on a compromised computer. This caused multiple instances of the software to run concurrently, bringing significant portions of the early Internet to a standstill.

This incident marked a turning point in computer security. It demonstrated that malicious software could spread autonomously across networks, causing widespread disruption. The Morris Worm wasn't the first malicious program, but it was the first to show the Internet's vulnerability to automated attacks and the potential for exponential propagation.

What Is Malware?

The term "malware" is a portmanteau of two words. The prefix "mal" comes from French and ultimately from Latin, meaning "bad" or "wrong", as in words like malfunction, malnourished, or malicious. The suffix "ware" is simply short for "software," which itself derives from the Proto-Germanic "warjaz," meaning "dwellers of."

Malware, then, is software intentionally designed to perform unwanted, unexpected, or harmful actions on a target system. This definition has three key components:

  1. The software must be intentional (bugs don't count as malware),

  2. It must be unwanted by the system's legitimate owner,

  3. And it must cause some form of harm or perform unauthorized actions.

The harm caused by malware ranges widely. Some malware steals sensitive data, such as passwords or credit card numbers. Other malware encrypts your files and demands payment to restore them. Still other malware conscripts your computer into an army of compromised machines used to attack others. Some malware simply destroys data for the sake of causing damage. The variety is huge, and new forms continue to emerge as attackers develop new techniques and pursue new objectives.

Categorizing Malware by Function

Understanding malware requires a classification framework. While malware can be categorized in many ways -- by how it spreads, which platform it targets, or when it was created -- one of the most useful frameworks classifies malware by its primary function. This functional classification helps us understand what attackers are trying to accomplish and what defenses might be most effective. We'll explore the following categories:

Propagation: How Malware Spreads

Some malware is specifically designed to spread from system to system. These self-propagating types represent some of the most dangerous threats because they can grow exponentially, reaching thousands or millions of systems in short order.

Viruses attach themselves to host files, whether executable programs or documents that support macros. When you run an infected program or open an infected document, the virus activates. It typically then looks for other files it can infect, copying itself to spread within the system and potentially to other systems when infected files are shared.

The Melissa virus from 1999 was the first widespread example of this approach. It was a macro virus embedded in Word documents that, when opened, would infect the user's system and email itself to the first 50 contacts in the victim's address book. Viruses require user action to spread between systems: someone must run the infected program or open the infected document.

Worms, in contrast, are self-contained programs that spread autonomously across networks. Once a worm has infected one system, it typically scans the network for other vulnerable systems and attempts to infect them automatically, without user intervention.

The WannaCry ransomware from 2017 included worm functionality that allowed it to spread rapidly through the EternalBlue exploit, an SMB (Microsoft's file sharing protocol) vulnerability. Within days, WannaCry had infected over 200,000 computers in 150 countries, affecting healthcare systems, transportation infrastructure, and manufacturing facilities worldwide.

The key difference is agency: viruses need users to help them spread, while worms spread on their own.

Stealth and Unauthorized Access

Another category of malware focuses on hiding its presence and maintaining unauthorized access to compromised systems.

Trojan horses are perhaps the most deceptively named type of malware. Named after the legendary wooden horse of Troy, these programs appear to be legitimate, useful software that users willingly install. A Trojan might masquerade as a system optimizer, a cache cleaner, a license key generator for commercial software, or a cracked version of a popular game. Users install the software expecting one thing, but they end up installing malware, such as a backdoor, spyware, or ransomware. The overt purpose (cleaning your cache) may even work, but the covert purpose (installing a keylogger) proceeds without the user's knowledge or consent.

Backdoors provide remote access to a system, bypassing normal authentication mechanisms. These allow attackers to return to compromised systems whenever they wish. Back Orifice, released in 1998, became one of the most notorious backdoor programs for Windows systems. It gave attackers complete remote control over infected machines. Modern backdoors tend to be more sophisticated, but the principle remains the same: they create a secret entrance that lets attackers come and go as they please.

Rootkits take stealth to a whole new level. These programs operate at the kernel or system level and are designed to evade detection by security tools. A rootkit can conceal files, processes, network connections, and registry entries. When you run an antivirus scan, the rootkit intercepts the requests and lies about what's on your system. The files are there, the malicious processes are running, but the rootkit makes them invisible. The Sony BMG rootkit from 2005 provides a notorious example. Sony included rootkit technology on music CDs to prevent copying, but the rootkit created security vulnerabilities and was difficult to remove. The incident resulted in class-action lawsuits and widespread criticism.

Financial Motivation

Much modern malware is created for direct financial gain. This category has grown explosively over the past two decades as criminals have realized the profit potential of cybercrime and as cryptocurrency has made anonymous payments much easier.

Ransomware encrypts victims' data and demands payment, usually in cryptocurrency, for the decryption key. The impact can be devastating. WannaCry demanded $300-600 in Bitcoin and caused an estimated $4 billion in damages globally. LockBit, a more recent ransomware family, has been responsible for thousands of attacks, with ransom demands sometimes reaching millions of dollars. Organizations facing ransomware must choose between paying the ransom (which may not actually result in file recovery), restoring from backups (if they have them), or accepting data loss.

Cryptojackers use victims' CPU and GPU resources to mine cryptocurrency. The victim doesn't lose access to their data, but their computer slows down and consumes more electricity due to the constant intensive computation. Coinhive was a browser-based miner that websites could embed to monetize traffic by using visitors' computers to mine Monero cryptocurrency. While Coinhive itself shut down in 2019, the concept remains popular with attackers who install cryptojacking software without permission. The techniques have become more diverse than simply running JavaScript mining code, including targeting exposed Docker containers and misconfigured servers.

Banking trojans specifically target financial credentials. They may intercept online banking sessions, modify transaction amounts, steal login credentials, or redirect money transfers. Zeus, also known as Zbot, first appeared in 2007 and became one of the most successful banking trojans ever created. At its peak, Zeus had infected millions of computers and was responsible for stealing hundreds of millions of dollars through theft of banking credentials and direct fraud.

Data Theft and Surveillance

Some malware exists solely to spy on users and steal information.

Spyware monitors user activity without consent. It may track which websites you visit, record your searches, monitor your application usage, or collect personal information. This information might be sold to advertisers, used for identity theft, or employed in targeted attacks. The line between spyware and legitimate analytics can sometimes be blurry, but true spyware operates without proper disclosure or user consent.

Keyloggers record every keystroke you make. This captures passwords as you type them, credit card numbers, messages, and anything else you type. Keyloggers can be implemented in software (running as a program or driver on your system) or hardware (a physical device attached to your keyboard cable). Software keyloggers are more common, but hardware keyloggers are nearly impossible to detect through software means since they sit outside the computer itself.

Information stealers target specific types of data. They might extract saved passwords from your browser, copy authentication cookies, steal cryptocurrency wallet files, or exfiltrate documents matching certain criteria. These stolen credentials are often sold on dark web markets, where they're purchased by other criminals for account takeovers, identity theft, or further attacks. RedLine and Raccoon Stealer are examples of information-stealing malware that have been widely distributed through various infection methods.

Sidebar: The Evolution of Emotet

Emotet shows how malware can evolve from a single-purpose tool into a sophisticated platform. First discovered in 2014, Emotet began as a banking trojan designed to steal financial credentials. It used fairly standard techniques, like spreading through spam emails with malicious attachments and stealing banking information from infected systems.

However, rather than focusing solely on banking fraud, Emotet's operators began developing it as a modular platform capable of delivering other malware families. By 2017-2018, Emotet had transformed into what security researchers called a "dropper": malware whose primary purpose was to download and install other malware.

The transformed Emotet operated as a malware-as-a-service platform. It would infect systems through phishing campaigns, establish persistent access, and then sell that access to other criminal groups. One infection might lead to multiple different attacks: TrickBot (another banking trojan) might be installed to steal credentials, Qbot might be added for additional information theft, and eventually Ryuk ransomware might be deployed when the attackers decide to monetize the access directly.

Emotet also added self-propagation capabilities, spreading through networks by using stolen credentials and exploiting vulnerabilities in network protocols. It harvested email addresses and content from infected systems to make its phishing campaigns more convincing—using real email threads stolen from victims to make replies appear legitimate.

By 2020, Emotet had become one of the most dangerous malware families in operation, responsible for a significant percentage of malware infections worldwide. The infrastructure supporting Emotet included hundreds of compromised servers used for command-and-control and malware distribution.

Law enforcement agencies from eight countries coordinated a takedown operation in January 2021, seizing servers and disrupting the infrastructure. However, the Emotet codebase and techniques influenced numerous other malware families that continue to operate today. The evolution from banking trojan to malware platform illustrates how successful malware operations adapt to maximize profit and impact.

Remote Control and Distributed Attacks

Some malware turns your computer into part of an attacker-controlled network.

Bots, short for robots, are individual compromised computers under remote attacker control. The bot software connects to a command-and-control (C2) server and awaits instructions. A single bot has limited value, but bots are almost never deployed individually.

Botnets are networks of thousands or millions of bots working together. When coordinated, these massive networks can launch distributed denial-of-service (DDoS) attacks that overwhelm targeted servers with traffic, send billions of spam emails, mine cryptocurrency at scale, or perform credential stuffing attacks against online services. The Mirai botnet, discovered in 2016, infected over 600,000 Internet of Things (IoT) devices -- primarily home routers, cameras, and DVRs -- by exploiting default passwords like "admin/admin." Mirai launched DDoS attacks reaching over 1 terabit per second, temporarily taking down major internet services.

Incidentally, the Mirai botnet was created by a Rutgers student (Paras Jha of Fanwood, NJ), who used it to launch a series of DDoS attacks on various Rutgers services, including the university's central authentication server. In 2017, the author released the source, leading to a proliferation of copycats. Rutgers cited the costs of improved cybersecurity stemming from this attack as one of the reasons for raising its tuition (northjersey.com). Mr. Jha was ordered to pay 8.6 million in restitution and serve six months of home incarceration (justice.gov).
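Mirai's spread left a recognizable trace on the devices it scanned: bursts of failed logins trying factory-default usernames from the same source. The following detector is an added example, not part of the lecture and not Mirai's or any product's code. The syslog-like line format, the sample log lines, the threshold of five failures and the short default-username list are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOURCES    64
#define FAIL_THRESHOLD 5   /* assumed policy: report a source after this many failures */

struct source_stats {
    char ip[64];
    int  failures;               /* failed logins seen from this source */
    int  default_cred_attempts;  /* ...of which used a factory-default username */
};

/* Factory-default usernames that Mirai-style scanners try (constructed short list). */
static const char *const DEFAULT_USERS[] = { "admin", "root", "support", "user" };

static int is_default_user(const char *user)
{
    for (size_t i = 0; i < sizeof DEFAULT_USERS / sizeof DEFAULT_USERS[0]; i++)
        if (strcmp(user, DEFAULT_USERS[i]) == 0)
            return 1;
    return 0;
}

/* Find or create the counter slot for a source IP; NULL when the table is full. */
static struct source_stats *lookup(struct source_stats *tab, int *n, const char *ip)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].ip, ip) == 0)
            return &tab[i];
    if (*n >= MAX_SOURCES)
        return NULL;
    struct source_stats *s = &tab[(*n)++];
    snprintf(s->ip, sizeof s->ip, "%s", ip);
    s->failures = 0;
    s->default_cred_attempts = 0;
    return s;
}

/* Parse one line of the constructed format
 *   "<timestamp> <host> telnetd: FAILED login user=<name> from=<ip>"
 * and update the per-source counters. Non-matching lines are ignored.
 * Returns 1 if the line was counted, 0 otherwise. */
int ingest_line(struct source_stats *tab, int *n, const char *line)
{
    char user[64], ip[64];
    const char *p = strstr(line, "FAILED login user=");
    if (p == NULL)
        return 0;
    if (sscanf(p, "FAILED login user=%63s from=%63s", user, ip) != 2)
        return 0;
    struct source_stats *s = lookup(tab, n, ip);
    if (s == NULL)
        return 0;
    s->failures++;
    if (is_default_user(user))
        s->default_cred_attempts++;
    return 1;
}

/* Run the detector over `count` lines. A source is reported when it reaches
 * FAIL_THRESHOLD failures and at least one attempt used a default username.
 * Flagged IPs are copied into `out` (at most max_out); returns the count. */
int scan_log(const char *const *lines, int count, char out[][64], int max_out)
{
    struct source_stats tab[MAX_SOURCES];
    int n = 0, flagged = 0;
    for (int i = 0; i < count; i++)
        ingest_line(tab, &n, lines[i]);
    for (int i = 0; i < n && flagged < max_out; i++)
        if (tab[i].failures >= FAIL_THRESHOLD && tab[i].default_cred_attempts > 0)
            snprintf(out[flagged++], 64, "%s", tab[i].ip);
    return flagged;
}

/* Constructed sample: one scanner cycling through default accounts from
 * 203.0.113.5, one legitimate user mistyping a password twice. */
static const char *const SAMPLE_LOG[] = {
    "Nov 06 02:10:01 cam01 telnetd: FAILED login user=admin from=203.0.113.5",
    "Nov 06 02:10:02 cam01 telnetd: FAILED login user=root from=203.0.113.5",
    "Nov 06 02:10:02 cam01 sshd: Accepted publickey for ops from 198.51.100.20",
    "Nov 06 02:10:03 cam01 telnetd: FAILED login user=alice from=198.51.100.7",
    "Nov 06 02:10:03 cam01 telnetd: FAILED login user=support from=203.0.113.5",
    "Nov 06 02:10:04 cam01 telnetd: FAILED login user=admin from=203.0.113.5",
    "Nov 06 02:10:05 cam01 telnetd: FAILED login user=alice from=198.51.100.7",
    "Nov 06 02:10:05 cam01 telnetd: FAILED login user=user from=203.0.113.5",
};

/* Runs scan_log() over the constructed sample above. */
int scan_sample(char out[][64], int max_out)
{
    return scan_log(SAMPLE_LOG, (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]), out, max_out);
}

int main(void)
{
    char out[MAX_SOURCES][64];
    int k = scan_sample(out, MAX_SOURCES);
    for (int i = 0; i < k; i++)
        printf("flagged default-credential scanner: %s\n", out[i]);
    return 0;
}
```

Requiring both a failure count and at least one default-username attempt keeps a single forgetful user from being reported while still catching the scanner; a real deployment would add a time window and feed flagged sources to a firewall or alerting pipeline.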

Remote Access Trojans (RATs) give attackers complete control over a victim's machine. An attacker with RAT access can view your screen, access your files, activate your camera or microphone, log your keystrokes, and execute any commands they wish. RATs like DarkComet and njRAT have been used in both targeted espionage campaigns and opportunistic criminal attacks.

Destructive Malware

Not all malware seeks financial gain or stolen data. Some malware exists purely to cause damage.

Wipers permanently destroy data with no possibility of recovery. While wipers sometimes masquerade as ransomware, they have no intention of returning your files even if you pay. NotPetya, which spread in 2017, initially appeared to be ransomware but was actually a wiper that caused over $10 billion in damages globally. Shamoon, used in attacks against Saudi Aramco in 2012, wiped data from 30,000 computers. These attacks often have geopolitical motivations rather than financial ones.

Logic bombs are pieces of malicious code that remain dormant until triggered by specific conditions. A disgruntled employee might plant a logic bomb that activates after their departure date or when their user account is disabled. The bomb might delete critical data, corrupt databases, or cause system failures. The trigger condition might also be a specific date, a certain number of system reboots, or the absence of a particular file (which serves as a "dead man's switch").

Nuisance Malware

Finally, some malware is more annoying than dangerous.

Adware displays unwanted advertisements and tracks browsing behavior. While often less harmful than other malware types, adware represents a privacy violation and degrades system performance. Adware commonly comes bundled with free software installers, pirated content, or fake download buttons on sketchy websites. The line between adware and "potentially unwanted programs" (PUPs) is often blurry. Browser toolbars, search hijackers, and pop-up injectors fall into this category.

The Evolution of Malware Over Time

Seeing how malware has evolved helps us appreciate current threats and (maybe) anticipate future ones.

In the 1980s and 1990s, malware was relatively simple. Boot sector viruses and macro viruses dominated. Motivations were primarily notoriety, curiosity, and pranks. The Brain virus (1986) is considered the first PC virus. Michelangelo (1992) made headlines with predictions of widespread damage on March 6. Melissa (1999) demonstrated the power of macro viruses to spread via email. This was the era of script kiddies and hobbyist hackers experimenting with new techniques.

The 2000s saw the beginning of widespread monetization. Worms, spam bots, and adware proliferated as criminals realized they could profit from compromised systems. ILOVEYOU (2000) spread through email and caused billions of dollars in damages. Blaster (2003) and Code Red (2001) showed how worms could spread automatically through internet-connected systems. This decade marked the transition from malware as experimentation to malware as business.

The 2010s brought sophistication and professionalism to cybercrime. Ransomware became a major threat with the rise of cryptocurrency, which made anonymous payments feasible. Banking trojans grew more advanced. Advanced Persistent Threats (APTs), which are sophisticated and often state-sponsored attack campaigns, became common. CryptoLocker (2013) pioneered modern ransomware techniques. Stuxnet (2010) exposed how advanced malware could cross air-gapped environments and target industrial control systems. The Zeus banking trojan spawned numerous variants and copycats. This was the era of cybercrime-as-a-service, where criminals could purchase malware, exploit kits, and access to compromised systems from underground markets.

The 2020s have seen the rise of supply chain attacks, fileless malware that operates in memory without touching disk, polymorphic malware that constantly changes to evade detection, and AI-enhanced attacks. SolarWinds (2020) showed how compromising a software vendor could affect thousands of organizations. DarkSide ransomware (2021) shut down a major US fuel pipeline. LockBit 3.0 (2022) introduced new extortion techniques. The trend is toward increasingly targeted, sophisticated attacks that combine multiple techniques.

Modern Malware Combines Multiple Types

Contemporary malware rarely fits neatly into a single category. It combines propagation mechanisms, financial motivations, technical sophistication, and destructive capabilities into multi-faceted threats. WannaCry demonstrates how different malware types can be combined into a single, devastating attack.

WannaCry was simultaneously:

This attack affected over 200,000 computers in 150 countries within days. Healthcare systems couldn't access patient records. Transportation systems experienced disruptions. Manufacturing facilities had to halt production. The estimated global damages reached $4 billion.

Because modern attacks don't fit neat categories, defending against malware requires a layered approach; no single defense can stop all attacks.

Understanding this taxonomy provides a foundation for the technical details we'll explore next: how malware is structured internally, how it's delivered to victims, and what components it uses to achieve its objectives. Each category we've discussed represents not just a classification but a set of techniques, a business model, and a set of defensive challenges. As we move forward, we'll see how these different types relate to specific delivery methods, social engineering techniques, and technical implementations.


In the next part, we'll examine the internal architecture of malware: the stages of an attack, how components work together, and the infrastructure that supports malware operations.

Next: Part 2 – Malware Architecture and Components