MalwareLabelVocab-1.0MAEC VOCABULARIES SCHEMA
The MalwareLabelVocab-1.0 is the default MAEC Vocabulary for common malware labels.
Vocabulary Items
| Item | Description |
|---|---|
| adware | The 'adware' value specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system. |
| appender | The 'appender' value specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file. |
| backdoor | The 'backdoor' value specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker. |
| boot sector virus | The 'boot sector virus' value specifies a virus that infects the master boot record of a storage device. |
| bot | The 'bot' value specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions. |
| clicker | The 'clicker' value specifies a trojan that makes a system visit a specific web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks. |
| companion virus | The 'companion virus' value specifies a virus that takes the place of a particular file on a system instead of injecting code into it. |
| cavity filler | The 'cavity filler' value specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence. |
| data diddler | The 'data diddler' value specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless. |
| downloader | The 'downloader' value specifies a small trojan file programmed to download and execute other files, usually more complex malware. |
| dropper file | The 'dropper file' value specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system. |
| file infector virus | The 'file infector virus' value specifies a virus that infects a system by inserting itself somewhere in existing files; this is the "classic" form of virus. |
| fork bomb | The 'fork bomb' value specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it will attempt to run several identical processes, which will do the same, the number growing exponentially until the system resources are overwhelmed by the number of identical processes running, which may in some cases bring the system down and cause a denial of service. |
| greyware | The 'greyware' value specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect. |
| implant | The 'implant' value specifies code inserted into an existing program using a code patcher or other tool. |
| infector | The 'infector' value specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware. |
| keylogger | The 'keylogger' value specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user. |
| kleptographic worm | The 'kleptographic worm' value specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as information-stealing worm. |
| macro virus | The 'macro virus' value specifies a virus that uses a macro language, for example in Microsoft Office documents. |
| malcode | The 'malcode' value is short for malicious code, also known as malware. |
| mass-mailer | The 'mass-mailer' value specifies a worm that uses email to propagate across the internet. |
| metamorphic virus | The 'metamorphic virus' value specifies a virus that changes its own code with each infection. |
| mid-infector | The 'mid-infector' value specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code. |
| mobile code | The 'mobile code' value specifies 1. Code received from remote, possibly untrusted systems, but executed on a local system. 2. Software transferred between systems (e.g across a network) and executed on a local system without explicit installation or execution by the recipient. |
| multipartite virus | The 'multipartite virus' value specifies malware that infects boot records, boot sectors, and files. |
| password stealer | The 'password stealer' value specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system. |
| polymorphic virus | The 'polymorphic virus' value specifies a type of virus that encrypts its code differently with each infection, or generation of infections. |
| premium dialer/smser | The 'premium dialer/smser' value specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers.. |
| prepender | The 'prepender' value specifies a file-infecting virus which inserts code at the beginning of the files it infects. |
| ransomware | The 'ransomware' value specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files. |
| rat | The 'rat' value specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issue by a remote attacker. |
| rogue anti-malware | The 'rogue anti-malware' value specifies a fake security product that demands money to clean phony infections. |
| rootkit | The 'rootkit' value generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rook kits, which are activated before the operating system and thus even harder to detect while the system is running. |
| shellcode | The 'shellcode' value specifies 1. A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. 2. A small piece of code that opens a system up for exploitation, sometimes by not necessarily involving a command-line shell. |
| spaghetti packer | A packer that obfuscates programs by emitting "spaghetti" code with a complex and tangled control structure. |
| spyware | The 'spyware' value specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner. |
| trojan horse | The 'trojan horse' value specifies a piece of malicious code disguised as something inert or benign. |
| variant | The 'variant' value refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family. |
| virus | The 'virus' value specifies 1. A self-replicating malicious program that requires human interaction to replicate. 2. A self-replicating program that runs and spreads by modifying other programs or files. |
| wabbit | The 'wabbit' value specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, rabbits do not attempt to spread across networks. |
| web bug | The 'web bug' value specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden. |
| wiper | The 'wiper' value specifies a piece of malware whose primary aim is to delete files or entire disks on a machine. |
| worm | The 'worm' value specifies 1. A self-replicating malicious program that replicates using a network and does not require human interaction. 2. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. |
| zip bomb | The 'zip bomb' value specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted. |
Fields
| Field Name | Type | Description |
|---|---|---|
| @conditionoptional | ConditionTypeEnum |
This field is optional and defines the relevant condition to apply to the value. |
| @is_case_sensitiveoptional | boolean |
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive. |
| @apply_conditionoptional | ConditionApplicationEnum |
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body. |
| @delimiteroptional | string |
The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##". |
| @bit_maskoptional | hexBinary |
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation. |
| @pattern_typeoptional | PatternTypeEnum |
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. |
| @regex_syntaxoptional | string |
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'. Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification. Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case. |
| @has_changedoptional | boolean |
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed. |
| @trendoptional | boolean |
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field. |
| @vocab_nameoptional | string |
The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_referenceoptional | anyURI |
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |