Malware Classifications | Types of Malware Threats | Kaspersky Lab US
With so many different types of malware – and the vast range of malicious software programs within each type – it’s important that every malware item can be unambiguously classified and easily distinguished from other malicious programs.
Kaspersky Lab classifies the entire range of malicious software and potentially unwanted objects detected by Kaspersky’s antivirus engine according to their activity on users’ computers. The classification system used by Kaspersky is also used by a number of other antivirus vendors as the basis for their own classifications.
The malware ‘classification tree’
Kaspersky’s classification system gives each detected object a clear description and a specific location in the ‘classification tree’ shown below. In the ‘classification tree’ diagram:
- The types of behavior that pose the least threat are shown in the lower area of the diagram.
- The types of behavior that pose a greater threat are displayed in the upper part of the diagram.
Malware types with multiple functions*
Individual malware programs often include several malicious functions and propagation routines – and, without some additional classification rules, this could lead to confusion.
For example, a specific malicious program may be capable of being spread via an email attachment and also as files via P2P networks. The program may also have the ability to harvest email addresses from an infected computer, without the consent of the user. With this range of functions, the program could be correctly classified as an Email-Worm, a P2P-Worm, or a Trojan-Mailfinder. To avoid this confusion, Kaspersky applies a set of rules that can unambiguously categorize a malicious program as having a particular behavior, regardless of the program functions:
- The ‘classification tree’ shows that each behavior has been assigned its own threat level.
- In the ‘classification tree’ the behaviors that pose a higher risk outrank those behaviors that represent a lower risk.
- So… in our example, the Email-Worm behavior represents a higher level of threat than either the P2P-Worm or Trojan-Mailfinder behavior – and thus, our example malicious program would be classified as an Email-Worm.**
Multiple functions with equal threat levels
- If a malicious program has two or more functions that all have equal threat levels – such as Trojan-Ransom, Trojan-ArcBomb, Trojan-Clicker, Trojan-DDoS, Trojan-Downloader, Trojan-Dropper, Trojan-IM, Trojan-Notifier, Trojan-Proxy, Trojan-SMS, Trojan-Spy, Trojan-Mailfinder, Trojan-GameThief, Trojan-PSW, or Trojan-Banker – the program is classified as a Trojan.
- If a malicious program has two or more functions with equal threat levels – such as IM-Worm, P2P-Worm, or IRC-Worm – the program is classified as a Worm.
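The ranking rule and the equal-threat tie rule above, written out as a small Python classifier. This is an added example, not Kaspersky’s code: the tier numbers and family groupings are assumed so that they agree with the statements on this page (Email-Worm outranks P2P-Worm and Trojan-Mailfinder; the listed Trojan-* behaviors share one tier; IM-Worm, P2P-Worm and IRC-Worm share one tier), and the out-of-scope labels (PDM:/HEUR: prefixes, Adware, Riskware, Pornware, Malicious Tool) follow the footnotes below.

```python
# Toy implementation of the ranking rule described on this page. The tier
# numbers and family groupings are ASSUMED for this example: they agree with
# the page (Email-Worm outranks P2P-Worm and Trojan-Mailfinder; the listed
# Trojan-* behaviors share one tier; IM/P2P/IRC-Worm share one tier) but are
# not Kaspersky's actual classification tree.
from typing import Iterable, Optional

TROJAN_FAMILY = {
    "Trojan-Ransom", "Trojan-ArcBomb", "Trojan-Clicker", "Trojan-DDoS",
    "Trojan-Downloader", "Trojan-Dropper", "Trojan-IM", "Trojan-Notifier",
    "Trojan-Proxy", "Trojan-SMS", "Trojan-Spy", "Trojan-Mailfinder",
    "Trojan-GameThief", "Trojan-PSW", "Trojan-Banker",
}
WORM_FAMILY = {"IM-Worm", "P2P-Worm", "IRC-Worm"}

# Assumed threat tiers: a higher number means a greater threat.
THREAT_TIER = {**dict.fromkeys(TROJAN_FAMILY, 1),
               **dict.fromkeys(WORM_FAMILY, 2),
               "Email-Worm": 3}
# Generic name used when several equal-tier behaviors of one family tie.
FAMILY_OF = {**dict.fromkeys(TROJAN_FAMILY, "Trojan"),
             **dict.fromkeys(WORM_FAMILY, "Worm")}

# Objects the ranking rule does not cover (see the page's footnotes);
# the class labels here are assumed spellings, not verdict strings.
EXCLUDED_PREFIXES = ("PDM:", "HEUR:")
EXCLUDED_CLASSES = {"Adware", "Riskware", "Pornware", "Malicious Tool"}


def classify(behaviors: Iterable[str]) -> Optional[str]:
    """Return the single behavior name for an object, or None when the
    ranking rule does not apply to it."""
    names = list(dict.fromkeys(behaviors))  # de-duplicate, keep order
    if any(n.startswith(EXCLUDED_PREFIXES) or n in EXCLUDED_CLASSES for n in names):
        return None
    unknown = [n for n in names if n not in THREAT_TIER]
    if unknown:
        raise ValueError(f"behavior(s) not in the assumed tree: {unknown}")
    top = max(THREAT_TIER[n] for n in names)          # empty input raises here
    winners = [n for n in names if THREAT_TIER[n] == top]
    if len(winners) == 1:
        return winners[0]                  # the highest-ranking behavior wins
    families = {FAMILY_OF.get(n) for n in winners}
    if len(families) == 1 and None not in families:
        return families.pop()              # equal-tier tie collapses to the family
    raise ValueError(f"tie between unrelated behaviors: {winners}")
```

With the page’s own example, `classify(["Email-Worm", "P2P-Worm", "Trojan-Mailfinder"])` returns `"Email-Worm"`, while two equal-tier Trojan behaviors collapse to `"Trojan"`.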
*These rules only apply to malware and do not concern adware, riskware, pornware, or other objects detected using proactive defense (which take the PDM: prefix) or the heuristic analyzer (which take the HEUR: prefix).
**The rule for choosing the highest ranking behavior only applies to Trojans, viruses, and worms. It does not apply to Malicious Tools.