Malware, also known as "malicious software," can be classified several ways in order to distinguish the unique types of malware from each other. Distinguishing and classifying different types of malware from each other is important to better understanding how they can infect computers and devices, the threat level they pose and how to protect against them.
Kaspersky Lab classifies the entire range of malicious software or potentially unwanted objects that are detected by Kaspersky’s antivirus engine – classifying the malware items according to their activity on users’ computers. The classification system used by Kaspersky is also used by a number of other antivirus vendors as the basis for their classifications.
The malware "classification tree"
Kaspersky’s classification system gives each detected object a clear description and a specific location in the ‘classification tree’ shown below. In the ‘classification tree’ diagram:
- The types of behaviour that pose the least threat are shown in the lower area of the diagram.
- The types of behaviour that pose a greater threat are displayed in the upper part of the diagram.
Malware types with multiple functions
Individual malware programs often include several malicious functions and propagation routines – and, without some additional classification rules, this could lead to confusion.
For example, a specific malicious program may be capable of being spread via an email attachment and also as files via P2P networks. The program may also have the ability to harvest email addresses from an infected computer, without the consent of the user. With this range of functions, the program could be correctly classified as an Email-Worm, a P2P-Worm or a Trojan-Mailfinder. To avoid this confusion, Kaspersky applies a set of rules that can unambiguously categorise a malicious program as having a particular behaviour, regardless of the program functions:
- The ‘classification tree’ shows that each behaviour has been assigned its own threat level.
- In the ‘classification tree’ the behaviours that pose a higher risk outrank those behaviours that represent a lower risk.
- So… in our example, the Email-Worm behaviour represents a higher level of threat than either the P2P-Worm or Trojan-Mailfinder behaviour – and thus, our example malicious program would be classified as an Email-Worm.
Multiple functions with equal threat levels
- If a malicious program has two or more functions that all have equal threat levels – such as Trojan-Ransom, Trojan-ArcBomb, Trojan-Clicker, Trojan-DDoS, Trojan-Downloader, Trojan-Dropper, Trojan-IM, Trojan-Notifier, Trojan-Proxy, Trojan-SMS, Trojan-Spy, Trojan-Mailfinder, Trojan-GameThief, Trojan-PSW or Trojan-Banker – the program is classified as a Trojan.
- If a malicious program has two or more functions with equal threat levels – such as IM-Worm, P2P-Worm or IRC-Worm – the program is classified as a Worm.
Protect your devices and data against all classes of malware
Discover more about the threats… and how Kaspersky can defend you against them: