From a2f7a9bc9f218b1c3c81fcb13c77cdb5c5b53f8b Mon Sep 17 00:00:00 2001
From: Richard van den Berg
Date: Fri, 28 Oct 2016 11:07:24 +0200
Subject: [PATCH] Add Stealth Malware Taxonomy as defined by Joanna Rutkowska
---
README.md | 1 +
stealth-malware/README.md | 35 +++++++++++++++++++++++++++++++
stealth-malware/machinetag.json | 37 +++++++++++++++++++++++++++++++++
3 files changed, 73 insertions(+)
create mode 100644 stealth-malware/README.md
create mode 100644 stealth-malware/machinetag.json
diff --git a/README.md b/README.md
index 0d698d8..946f043 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ The following taxonomies are described:
 - [NATO Classification Marking](./nato)
 - [Open Threat Taxonomy v1.1 (SANS)](./open-threat)
 - [OSINT Open Source Intelligence - Classification](./osint)
+- [Stealth Malware Taxonomy as defined by Joanna Rutkowska](./stealth-malware)
 - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./pap)
 - [TLP - Traffic Light Protocol](./tlp)
 - Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
diff --git a/stealth-malware/README.md b/stealth-malware/README.md
new file mode 100644
index 0000000..b52a266
--- /dev/null
+++ b/stealth-malware/README.md
@@ -0,0 +1,35 @@
+# Stealth Malware Taxonomy
+
+## Malware Types
+
+All malware samples should be classified into one of the categories listed in the table below.
+
+
+
Type 0
+
No OS or system compromise. The malware runs as a normal user process using only official API calls.
+ +
Type I
+
The malware modifies constant sections of the kernel and/or processes such as code sections.
+ +
Type II
+
The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.
+ +
Type III
+
The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.
+
+
+# Machine-parsable Stealth Malware Taxonomy
+
+The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
+along with their human-readable description. The software can use both
+representation on the user-interface and store the tag as machine-parsable.
+
+~~~~
+stealth_malware:type="II"
+~~~~
+
+Based on:
+
+https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
+
+
diff --git a/stealth-malware/machinetag.json b/stealth-malware/machinetag.json
new file mode 100644
index 0000000..4a06789
--- /dev/null
+++ b/stealth-malware/machinetag.json
@@ -0,0 +1,37 @@
+{
+ "namespace": "stealth_malware",
+ "description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
+ "version": 1,
+ "refs": [
+ "https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
+ ],
+ "predicates": [
+ {
+ "value": "type",
+ "expanded": "Stealth techninque type"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "type",
+ "entry": [
+ {
+ "value": "0",
+ "expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
+ },
+ {
+ "value": "I",
+ "expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
+ },
+ {
+ "value": "II",
+ "expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
+ },
+ {
+ "value": "III",
+ "expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
+ }
+ ]
+ }
+ ]
+}
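Review bot: The predicate label in the new machinetag.json, `"expanded": "Stealth techninque type"`, carries a typo that will be shown verbatim by any tool rendering the `stealth_malware:type` tag; it should read `"expanded": "Stealth technique type"`. The same source URL appears both inside `description` and as the only element of `refs`; keeping it in `refs` alone avoids the two copies drifting apart if the reference is ever updated. The four `entry` descriptions also repeat the README definitions word for word, so a later wording change has to be applied in both files to keep the human-readable and machine-parsable forms in agreement.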