# Malware Classification
## Malware Categories
All malware samples should be classified into one of the categories listed below.
<dl>
<dt>Virus</dt>
<dd></dd>
<dt>Worm</dt>
<dd></dd>
<dt>Trojan</dt>
<dd></dd>
<dt>Ransomware</dt>
<dd></dd>
<dt>Rootkit</dt>
<dd></dd>
<dt>Downloader</dt>
<dd></dd>
<dt>Adware</dt>
<dd></dd>
<dt>Spyware</dt>
<dd></dd>
<dt>Botnet</dt>
<dd></dd>
</dl>
## Obfuscation Classification
All malware samples should be classified into one of the obfuscation categories listed below.
<dl>
<dt>no-obfuscation</dt>
<dd>No obfuscation is used</dd>
<dt>encryption</dt>
<dd>encryption</dd>
<dt>oligomorphism</dt>
<dd>oligomorphism</dd>
<dt>metamorphism</dt>
<dd>metamorphism</dd>
<dt>stealth</dt>
<dd>stealth</dd>
<dt>armouring</dt>
<dd>armouring</dd>
<dt>tunneling</dt>
<dd>tunneling</dd>
<dt>XOR</dt>
<dd>XOR</dd>
<dt>BASE64</dt>
<dd>BASE64</dd>
<dt>ROT13</dt>
<dd>ROT13</dd>
</dl>
## Payload Classification
## Memory Classification
# Machine-parsable Malware Classification
The repository contains a [JSON file including the machine-parsable tags](machinetag.json) along with their human-readable descriptions. Software can show either representation in the user interface and store the tag in its machine-parsable form, for example:
~~~~
malware_classification:malware-category="virus"
~~~~
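As an added example (not part of this repository), the following parser splits a tag of that `namespace:predicate="value"` form and validates it against the categories listed on this page; the predicate name `obfuscation-technique` for the second list is an assumption, since only `malware-category` appears above.

```python
import re
from typing import NamedTuple, Optional, Tuple

NAMESPACE = "malware_classification"

# Allowed values per predicate, taken from the lists on this page.
# "obfuscation-technique" is an assumed predicate name; compare values exactly.
TAXONOMY = {
    "malware-category": {
        "virus", "worm", "trojan", "ransomware", "rootkit",
        "downloader", "adware", "spyware", "botnet",
    },
    "obfuscation-technique": {
        "no-obfuscation", "encryption", "oligomorphism", "metamorphism",
        "stealth", "armouring", "tunneling", "XOR", "BASE64", "ROT13",
    },
}

# namespace:predicate="value"; the value must be double-quoted.
_TAG_RE = re.compile(r'^([a-z0-9_-]+):([a-z0-9_-]+)="([^"]*)"$')


class MachineTag(NamedTuple):
    namespace: str
    predicate: str
    value: str


def parse_machinetag(tag: str) -> Optional[MachineTag]:
    """Split a machine tag into its three parts; None if not well-formed."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        return None
    return MachineTag(*m.groups())


def validate_tag(tag: str) -> Tuple[bool, str]:
    """Check that a tag uses this namespace, a known predicate and a listed value."""
    parsed = parse_machinetag(tag)
    if parsed is None:
        return False, 'not of the form namespace:predicate="value"'
    if parsed.namespace != NAMESPACE:
        return False, f"unknown namespace {parsed.namespace!r}"
    allowed = TAXONOMY.get(parsed.predicate)
    if allowed is None:
        return False, f"unknown predicate {parsed.predicate!r}"
    if parsed.value not in allowed:
        return False, f"value {parsed.value!r} not defined for {parsed.predicate}"
    return True, "ok"
```

Rejecting tags whose value is not in the taxonomy keeps stored classifications consistent with the JSON file rather than free text.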
Based on:
https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848