Operation of malware
The operation of malware can be conceptualised using the Cyber Kill Chain model (originally published by Lockheed Martin for targeted intrusions; presented in a more general form here):
| Phase | Activity |
|---|---|
| Reconnaissance | Searching for and compiling email addresses and vulnerable targets |
| Weaponisation | Planning and implementation of the attack and the required malicious code |
| Delivery | Delivering the code to victims via email, URLs, vulnerable targets, etc. |
| Exploitation | Exploiting vulnerabilities so that the code is executed. |
| Installation | Installing the malicious code on the victim system. This may include actions that establish persistence (so that the code survives reboots and log-offs) or the downloading of additional code from external sources. |
| Command and control | Establishing a channel to the attacker's infrastructure so that the compromised system can be controlled remotely. |
| Actions on objectives | Carrying out actions aligned with the attacker's objective on victim systems, i.e. executing the code's payload. This can include anything that the compromised system allows. Typical examples include stealing data, modifying data, sending spam, denial-of-service attacks against other systems, breaking into other systems, encrypting data for extortion, click fraud on online advertising, and mining cryptocurrency. The attacker may also hold the compromised resource for later sale or for later actions, and the malware may be updated as needed. |
Malware makes use of combinations of these phases. Botnets are a typical example of a long-term threat formed by malware that utilises every part of the attack chain model. Malware is also used as part of an Advanced Persistent Threat (APT), in which the attack is intended to remain hidden and unobtrusive for a long time. An APT may use several different channels, so it is not limited to malware; social engineering techniques, for example, may also be employed. The attack targets a specific organisation, and the goal is industrial espionage or financial gain. An APT is typically also well resourced. A botnet may be one of the tools used in an APT.
The malware ecosystem
Initially, malware consisted of individual attacks. Today (May 2026), malware operations are complex and well resourced. They are typically backed by organised crime or state actors. Various tools and services are available and can be purchased to support attacks; more about the ecosystem is covered later in the course. These services now also include large language models (AI services) that have no restrictions on producing malicious code and other harmful material, unlike most services currently available to the general public.
Malware analysis
Malware is analysed in order to understand its operation and thereby to develop defensive measures. By analysing a program, it may also be possible to trace the author or the attacking network.
On analysis techniques
With regard to analysis techniques, it is important for everyone to understand the principles of dynamic and static analysis. These techniques are used by malware defence professionals, but they can also be applied within organisations and, why not, by an enthusiastic hobbyist.
- Dynamic analysis
- In dynamic analysis, the malware is executed in a protected environment (a sandbox or an isolated virtual machine) and the effects it causes are examined. For example, the network traffic it generates can be captured and analysed, and the changes it makes to the system (files, configuration or registry entries, processes, scheduled tasks) can be recorded. The malware may also require input, which can be provided. It is important that the analysis environment is well isolated, so that the sample cannot cause harm to outsiders, for example by contacting its command-and-control server or spreading over the network. The code may also be executed just far enough for packed or encrypted content to be unpacked in memory, after which the decrypted code can be dumped and examined with static analysis.
- Static analysis
- Static analysis refers to analysing source code, binaries, or intermediate forms of these without executing them. Dynamic analysis does not reveal everything, as malware may be designed to activate certain functions only in specific pre-programmed situations (a particular date, a particular victim, or a command from the operator). It is also possible that the malware detects that it is running in an analysis environment and hides its behaviour. In static analysis, the aim is to understand the code through reverse engineering, typically with a disassembler or decompiler. This usually requires proficiency in machine code. Malware authors often attempt to hinder analysis, for example through obfuscation, packing, and encryption. Professional malware analysts have the tools and understanding to get past these hindrances. Nowadays, however, so much malware is produced that not every sample is even analysed manually; often identification (for example by file hash) and basic information about functionality suffice.
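The "identification and basic information" triage mentioned above, as an added example (this is not course material and not a real analysis tool): a small Python script that computes identification hashes, extracts printable strings, and measures the Shannon entropy of each chunk of a binary. Chunks with entropy near 8 bits per byte are flagged as probably packed or encrypted, which is the signal that static analysis of that region is pointless until the sample has been run far enough to unpack itself. The sample binary is constructed in memory (a few cleartext strings followed by seeded pseudo-random bytes) so the script runs offline; the 7.0 bits/byte threshold is a common rule of thumb, not a standard.

```python
"""Static triage of a suspicious binary: hashes, printable strings and
per-chunk Shannon entropy to flag packed or encrypted regions.

Added example for this course page; not course material or a real tool.
The sample file is constructed in memory so the script runs offline.
"""
import hashlib
import math
import random
import re
from collections import Counter


def make_sample() -> bytes:
    """Build a constructed (not real) sample: a cleartext region with
    strings an analyst would look for, followed by seeded pseudo-random
    bytes standing in for a packed or encrypted payload."""
    clear = (
        b"MZ\x90\x00" + b"\x00" * 60
        + b"This program cannot be run in DOS mode.\x00"
        + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
        + b"http://c2.example.invalid/gate.php\x00"   # constructed IOC
        + b"\x00" * 900
    )
    rng = random.Random(1337)            # fixed seed => reproducible bytes
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return clear + packed


def hashes(data: bytes) -> dict:
    """Identification hashes, the first thing shared with other analysts."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def strings(data: bytes, min_len: int = 6) -> list:
    """ASCII strings of at least min_len printable characters (like strings(1))."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not chunk:
        return 0.0
    counts = Counter(chunk)
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_map(data: bytes, chunk_size: int = 1024, threshold: float = 7.0) -> list:
    """Entropy of each chunk as (offset, entropy, flagged). A chunk at or
    above the threshold is flagged as likely packed or encrypted. Caveat:
    a short trailing chunk of n bytes can never exceed log2(n) bits, so it
    is never flagged even if it is random."""
    result = []
    for off in range(0, len(data), chunk_size):
        h = shannon_entropy(data[off:off + chunk_size])
        result.append((off, round(h, 2), h >= threshold))
    return result


def triage(data: bytes) -> dict:
    """Combine the pieces into a compact triage record."""
    emap = entropy_map(data)
    found = strings(data)
    return {
        **hashes(data),
        "size": len(data),
        "strings": found,
        "urls": [s for s in found if re.search(r"https?://", s)],
        "packed_fraction": sum(1 for _, _, f in emap if f) / len(emap),
        "entropy": emap,
    }


if __name__ == "__main__":
    report = triage(make_sample())
    for key in ("md5", "sha256", "size", "urls", "packed_fraction"):
        print(f"{key}: {report[key]}")
    for off, h, flagged in report["entropy"]:
        print(f"  0x{off:05x} entropy={h:.2f} {'PACKED?' if flagged else ''}")
```

On a real sample the same script would be pointed at a file read in binary mode instead of `make_sample()`; the strings and URL lists give the first indicators of functionality and command-and-control, the hashes identify the sample, and a high packed fraction tells the analyst to switch to dynamic analysis and dump the unpacked code before reading further.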