Malicious code behavior

1. Downloader and Starter

Two common types of malicious code are the downloader and the launcher. The Downloader downloads Other malicious code from the Internet and then runs it on the local system. The downloader is typically packaged with exploit (exploit). The downloader frequently uses Windows API functions Urldownloadtofilea and winexec to download and run new malicious code.

The initiator (also known as the loader) is a type of executable that installs malicious code that runs immediately or is secretly executed in the future, and the initiator usually contains a malicious code that it wants to load.

2. Back door (Bookdoor)

The backdoor is another type of malicious code that allows an attacker to remotely access a compromised machine. Backdoor is the most common malicious code, they have a variety of functions, and in many forms and sizes exist. Backdoor code often implements a full set of functions, so when a backdoor is used, attackers usually do not need to download additional malicious code.

Reverse shell: The reverse shell initiates a connection from the infected machine, providing access to the infected machine by the attacker's shell. The reverse shell is either present as a single malicious code or as a component in a complex backdoor. In a reverse shell, an attacker could run commands as if they were on a local system.

Remote control tools

Botnet: is a collection of infected hosts. They are controlled by a single entity, usually by a machine called a zombie controller as a server. The goal of botnets is to infect machines as much as possible. The goal of botnets is to infect as many machines as possible to build a larger network of botnets, which can allow botnets to spread other malicious code or worms, or perform distributed denial of service (DDoS) attacks. When implementing a distributed denial-of-service attack, all zombie hosts visit the same site at the same time, and botnets can hang the site off.

Login Voucher Spy: A program that waits for a user to log in to steal credentials, dumps a program that holds information in a Windows system, and keystrokes the logger.

Survival mechanism: Once malicious code acquires control of the system, it usually resides in the system for a long time, and this behavior of malicious code is known as survival. If the survival mechanism is special enough, it can even be used as a fingerprint of a given malicious code.

Malicious code behavior