Introducing Stealth Malware Taxonomy
by Joanna Rutkowska - from - Monday, 4 December 2006.
At the beginning of this year, at Black Hat Federal Conference, I proposed a simple taxonomy that could be used to classify stealth malware according to how it interacts with the operating system. Since that time I have often referred to this classification as I think it is very useful in designing system integrity verification tools and talking about malware in general. Now I decided to explain this classification a bit more as well as extend it of a new type of malware - the type III malware.

Before I start describing various types of malware, I would like to first define what I understand by the term malware:

Malware is a piece of code which changes the behavior of either the operating system kernel or some security sensitive applications, without a user consent and in such a way that it is then impossible to detect those changes using a documented features of the operating system or the application (e.g. API).

The above definition is actually different from the definition used by A/V industry (read most other people), as e.g. the simple botnet agent, coded as a standalone application, which does not hook OS kernel nor any other application, but just listens for commands on a legally opened (i.e. opened using documented API functions) TCP port, would not be classified as malware by the above definition. However, for completeness, I decided to also include such programs in my taxonomy and classify them as type 0 malware.

Download the paper in PDF format here.


Whitepaper: Zero Trust approach to network security

Posted on 20 November 2014.  |  Zero Trust is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.


Fri, Nov 21st