Alternative classifications

An alternative approach to classifying detected objects

In order to identify trends in malware evolution, Kaspersky Lab also uses an alternative classification system.

New threats continue to appear; successful scams continue to evolve. For these reasons, it’s often necessary to identify subsets among the group of all detected objects which cover the most prominent and threatening trends in malware development.

The classification approach described above for Worms and Viruses is based on the propagation methods used, whereas other malicious programs are classified according to what actions they perform. However, these characteristics are often not sufficient for analysts to identify a particular trend in malware evolution, which is why additional factors are also used to classify objects. This alternative approach helps identify the requisite behaviours from among a wide variety of detected objects and group them into categories.

Kaspersky Lab and many other antivirus vendors use the following categories to cover some of the most prevalent, persistent and threatening recent trends:

These categories are explained below.

Crimeware

Crimeware covers malicious programs specifically designed to commit financial crimes.

Malicious users have written hundreds of different programs that fall into this category. These can be programs that track the appearance of a banking system connection window on the screen in order to intercept any confidential data that is entered in the window, or programs that copy the contents of the clipboard when a connection is established to an e-payment system. In the latter case, the malicious user doesn’t have to do much at all – more often than not, users don’t enter their passwords manually in the connection window but copy it using the clipboard from another location where the password has been stored.

There are no limits to the imagination of cyber criminals who are coming up with even more sophisticated ways to get access to user accounts.

Examples of this type of malicious program are Trojan-Spy.Win32.Goldun and Trojan-Spy.Win32.Webmoner and many others, including all Trojan-Banker programs.

Trojan-Banker and Trojan Spy are the most prevalent behaviours in the Crimeware category. However, in accordance with Figure 2 and the rules for classifying detected objects with multiple functions, the following behaviours also have functions that can be used to commit financial crimes (although they are used considerably less often than Trojan-Banker and Trojan-Spy): Trojan, Backdoor, Virus, IM-Worm, P2P-Worm, IRC-Worm, Worm, Email-Worm and Net-Worm.

Crimeware is a subset of the Malware class and may overlap with other subsets/categories of malicious programs.

Spyware

Spyware covers malicious programs which are used to track a user’s actions and/or to collect data without the user’s consent.

These can include keyloggers, which log all of the keys pressed by a user to a file which will then be sent to a malicious user, or programs that harvest email addresses from a computer without the user knowing, and then send the email addresses to spammers, etc.

Examples of Spyware include Trojan-Spy.Win32.Keylogger, Trojan-PSW.Win32.PdPinch, and many others. Programs demonstrating Trojan-Spy and Trojan-PSW behaviour are also considered Spyware, as are all programs classified as Trojan-GameThief, Trojan-IM, Trojan-Mailfinder, Trojan-Banker, and Trojan-Notifier.

Despite the fact that Trojan-Banker is considered Crimeware, it could also be classified as Spyware as programs exhibiting this behaviour collect data about the user. In this case, we have a typical overlap between the Crimeware and Spyware subsets.

Trojan-Notifier is also covered by Spyware as it stealthily notifies its “master” when a victim computer connects to a network.

According to the rules for classifying detected objects with multiple functions, Spyware can also cover programs which exhibit the behaviours mentioned above, i.e. Trojan, Backdoor, Virus, IM-Worm, P2P-Worm, IRC-Worm, Worm, Email-Worm, and Net-Worm.

Note: unlike many antivirus companies, Kaspersky Lab does not include Adware programs in the Spyware category, even when Adware is used to collect data for use in marketing research. It is Kaspersky Lab’s view that these types of malicious programs are not Spyware, as they collect data about the user with his/her consent. Problems arise when the user does not carefully read the licensing agreement, where permission to collect these data is often implicitly rather than explicitly stated. Naturally, the vendors of these types of programs deliberately write the licensing agreements in this way, but technically, the user has been warned that data will be collected.

Any malicious programs that perform actions covered by the Spyware category are that fall within the definition of Spyware are unambiguously classified by Kaspersky Lab as malicious (not Adware/Riskware!) and are grouped with Malware.

Ransomware

Ransomware covers malicious programs which block access to data or disrupt computer’s performance. This payload is delivered without user consent; such programs are used by cyber criminals in order to demand a ransom.

Examples of Ransomware include the Trojan-Ransom.Win32.Gpcode and Trojan-Ransom.Win32.Krotten families. Gpcode encrypts files, and specifically targets the data most valued by the user (documents, databases, etc.), after which a message is displayed giving instructions on who to contact for “help” restoring the data. Krotten modifies the system registry, making it impossible to use the computer. Computer performance is restored once a “ransom” has been paid.

Ransomware is primarily made up of programs exhibiting Trojan-Ransom behaviour, but according to the rules for classifying detected objects with multiple functions, programs with the following, higher-threat behaviours, can also be categorized as Ransomware: Trojan, Backdoor, Virus, IM-Worm, P2P-Worm, IRC-Worm, Worm, Email-Worm, and Net-Worm.

Bot-clients

Bot-clients cover malicious programs used to unite infected computers into a botnet (bot network, aka zombie network). This gives malicious users centralized control over all infected machines without the users knowing. For instance, botnets may be created to mass mail spam and conduct DDoS attacks.

This category is primarily made up of programs exhibiting Backdoor behaviour, but according to rules for classifying detected objects with multiple functions, programs with the following, higher-threat behaviours can also fall into this category: Virus, IM-Worm, P2P-Worm, IRC-Worm, Worm, Email-Worm, and Net-Worm. In fact, Worms quite often have a function which can unite infected computers into a botnet.