Fortinet Document Library

Administration Guide

Appendix B: Malware types

The following table lists malware types and attacks that are identified by FortiSandbox.

Malware type | Description

Infector | Infector malware is used to steal system and user information. The stolen information is then uploaded to command and control servers. Once the infector installs on a computer, it attempts to infect other executable files with malicious code.

Worm | Worm malware replicates itself in order to spread to other computers. This type of malware does not need to attach itself to an existing program. Worms, like viruses, can damage data or software.

Botnet | Botnet malware is used to distribute malicious software. A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform a task. Computers that are infected by botnet malware can be controlled remotely. This type of malware is designed for financial gain or to launch attacks on websites or networks.

Hijack | Hijack malware attempts to hijack the system by modifying important registry keys or system files.

Stealer | Stealer malware is used to harvest login credentials of standalone systems, networks, FTP, email, game servers and other websites. Once the system is infected, the malware can be customized by the attacker.

Backdoor | Backdoor malware installs a network service for remote access to your network. This type of malware can be used to access your network and install additional malware, including stealer and downloader malware.

Injector | Injector malware injects malicious code into system processes to perform tasks on its behalf.

Rootkit | Rootkit malware attempts to hide its components by replacing vital system executables. Rootkits allow malware to bypass antivirus detection as they appear to be necessary system files.

Adware | Adware malware is a software package which attempts to access advertising websites. Adware displays these unwanted advertisements to the user.

Dropper | Dropper malware is designed to install malicious software to the target system. The malware code may be contained within the dropper or downloaded to the target system once activated.

Downloader | Downloader malware attempts to download other malicious programs.

Trojan | Trojan malware is a hacking program which gains privileged access to the operating system to drop a malicious payload, including backdoor malware. Trojans can be used to cause data damage, system damage, data theft or other malicious acts.

Riskware | Riskware malware has security-critical functions which pose a threat to the computer.

Grayware | Grayware malware is a classification for applications that behave in a manner that is annoying or undesirable. Grayware includes spyware, adware, dialers, and remote access tools that are designed to harm the performance of computers on your network.

Unknown | No definitions currently exist for this type of attack.

FortiSandbox scans executable files (Windows .exe and .dll), script files, JavaScript, Microsoft Office, Adobe Flash and PDF documents, archives, and other file types the user defines. JavaScript and PDF are the two file types most commonly used by malware to execute malicious code. For example, JavaScript is often used to build heap sprays and to inject malicious code that then executes inside other software products such as Adobe Reader (PDF).

When a malware sample is scanned inside a FortiSandbox VM environment, FortiSandbox inspects the sample's outgoing traffic for connections to botnet servers and determines the nature of the traffic and of the hosts it connects to.