MalwareLabelVocab-1.0MAEC Vocabularies Schema

The MalwareLabelVocab-1.0 is the default MAEC Vocabulary for common malware labels.


Vocabulary Items

Item Description
adware The 'adware' value specifies any software that is funded by advertising. Some adware may install itself in such a manner as to become difficult to remove, hiding components and disabling removal techniques. Adware may also gather sensitive user information from a system.
appender The 'appender' value specifies a file-infecting virus that places its code at the end of the files it infects, adjusting the file's entry point to cause its code to be executed before that of the original file.
backdoor The 'backdoor' value specifies a piece of software which, once running on a system, opens a communication vector to the outside so that the computer can be accessed remotely by an attacker.
boot sector virus The 'boot sector virus' value specifies a virus that infects the master boot record of a storage device.
bot The 'bot' value specifies a program which resides on an infected system, communicating with and forming part of a botnet. The bot may be implanted by a worm or trojan, which opens a backdoor. The bot then monitors the backdoor for further instructions.
clicker The 'clicker' value specifies a trojan that makes a system visit a specific web page, often very frequently and usually with the aim of increasing the traffic recorded by the site and thus increasing revenue from advertising. Clickers may also be used to carry out DDoS attacks.
companion virus The 'companion virus' value specifies a virus that takes the place of a particular file on a system instead of injecting code into it.
cavity filler The 'cavity filler' value specifies a type of file-infecting virus which seeks out unused space within the files it infects, inserting its code into these gaps to avoid changing the size of the file and thus not alerting integrity-checking software to its presence.
data diddler The 'data diddler' value specifies a type of malware that makes small, random changes to data, such as data in a spreadsheet, to render the data contained in a document inaccurate and in some cases worthless.
downloader The 'downloader' value specifies a small trojan file programmed to download and execute other files, usually more complex malware.
dropper file The 'dropper file' value specifies a type of Trojan that deposits an enclosed payload onto a destination host computer by loading itself into memory, extracting the malicious payload, and then writing it to the file system.
file infector virus The 'file infector virus' value specifies a virus that infects a system by inserting itself somewhere in existing files; this is the "classic" form of virus.
fork bomb The 'fork bomb' value specifies a very simple form of malware, a type of rabbit which simply launches more copies of itself. Once a fork bomb is executed, it will attempt to run several identical processes, which will do the same, the number growing exponentially until the system resources are overwhelmed by the number of identical processes running, which may in some cases bring the system down and cause a denial of service.
greyware The 'greyware' value specifies software that, while not definitely malicious, has a suspicious or potentially unwanted aspect.
implant The 'implant' value specifies code inserted into an existing program using a code patcher or other tool.
infector The 'infector' value specifies a function of malware that alters target files for the purpose of persisting and hiding the injected malware.
keylogger The 'keylogger' value specifies a type of program implanted on a system to monitor the keys pressed and thus record any sensitive data, such as passwords, entered by the user.
kleptographic worm The 'kleptographic worm' value specifies a worm that encrypts information assets on compromised systems so they can only be decrypted by the worm's author, also known as information-stealing worm.
macro virus The 'macro virus' value specifies a virus that uses a macro language, for example in Microsoft Office documents.
malcode The 'malcode' value is short for malicious code, also known as malware.
mass-mailer The 'mass-mailer' value specifies a worm that uses email to propagate across the internet.
metamorphic virus The 'metamorphic virus' value specifies a virus that changes its own code with each infection.
mid-infector The 'mid-infector' value specifies a type of file-infecting virus which places its code in the middle of files it infects. It may move a section of the original code to the end of the file, or simply push the code aside to make space for its own code.
mobile code The 'mobile code' value specifies 1. Code received from remote, possibly untrusted systems, but executed on a local system. 2. Software transferred between systems (e.g across a network) and executed on a local system without explicit installation or execution by the recipient.
multipartite virus The 'multipartite virus' value specifies malware that infects boot records, boot sectors, and files.
password stealer The 'password stealer' value specifies a type of trojan designed to steal passwords, personal data and details, or other sensitive information from the infected system.
polymorphic virus The 'polymorphic virus' value specifies a type of virus that encrypts its code differently with each infection, or generation of infections.
premium dialer/smser The 'premium dialer/smser' value specifies a piece of malware whose primary aim is to dial or send SMS messages to premium rate numbers..
prepender The 'prepender' value specifies a file-infecting virus which inserts code at the beginning of the files it infects.
ransomware The 'ransomware' value specifies a type of malware that encrypts files on a victim's system, demanding payment of ransom in return for the access codes required to unlock files.
rat The 'rat' value specifies a remote access trojan or RAT, which is a trojan horse capable of controlling a machine through commands issue by a remote attacker.
rogue anti-malware The 'rogue anti-malware' value specifies a fake security product that demands money to clean phony infections.
rootkit The 'rootkit' value generally refers to a method of hiding files or processes from normal methods of monitoring, and is often used by malware to conceal its presence and activities. Originally, the term applied to UNIX-based operating systems - a root kit was a collection of tools to enable a user to obtain root (administrator-level) access to a system and conceal any changes they might make. Such tools often included trojanized versions of standard monitoring software which would hide the root kit operators' activities. More recently the term has generally been applied to malware using stealth techniques. Rootkits can operate at a number of levels, from the application level - simply replacing or adjusting the settings of system software to prevent the display of certain information - through hooking certain functions or inserting modules or drivers into the operating system kernel, to the deeper level of firmware or virtualization rook kits, which are activated before the operating system and thus even harder to detect while the system is running.
shellcode The 'shellcode' value specifies 1. A small piece of code that activates a command-line interface to a system that can be used to disable security measures, open a backdoor, or download further malicious code. 2. A small piece of code that opens a system up for exploitation, sometimes by not necessarily involving a command-line shell.
spaghetti packer A packer that obfuscates programs by emitting "spaghetti" code with a complex and tangled control structure.
spyware The 'spyware' value specifies software that gathers information and passes it to a third-party without adequate permission from the owner of the data. It may also be used in a wider sense, to include software that makes changes to a system or any of its component software, or which makes use of system resources without the full understanding and consent of the system owner.
trojan horse The 'trojan horse' value specifies a piece of malicious code disguised as something inert or benign.
variant The 'variant' value refers to the fact that types of malware can be subdivided into a number of families, or groups sharing many similarities, generally based on the same blocks of code and sharing similar behaviours. Within a family, a variant signifies a single individual item that is uniquely different from other members of the same family.
virus The 'virus' value specifies 1. A self-replicating malicious program that requires human interaction to replicate. 2. A self-replicating program that runs and spreads by modifying other programs or files.
wabbit The 'wabbit' value specifies a form of self-replicating malware that makes copies of itself on the local system. Unlike worms, rabbits do not attempt to spread across networks.
web bug The 'web bug' value specifies a piece of code, generally a small file such as a tiny, transparent GIF image, which is used to track data on those viewing the page or mail in which it is hidden.
wiper The 'wiper' value specifies a piece of malware whose primary aim is to delete files or entire disks on a machine.
worm The 'worm' value specifies 1. A self-replicating malicious program that replicates using a network and does not require human interaction. 2. A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself.
zip bomb The 'zip bomb' value specifies a file compressed into some archive format and that expands to an enormous size when uncompressed, often by looping over the extraction code until the system's resources are exhausted.

Fields

Field Name Type Description
@conditionoptional ConditionTypeEnum

This field is optional and defines the relevant condition to apply to the value.

@is_case_sensitiveoptional boolean

The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.

@apply_conditionoptional ConditionApplicationEnum

This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the patern only matches if the provided condition successfully evaluates for every value in the field body.

@delimiteroptional string

The delimiter field specifies the delimiter used when defining lists of values. The default value is "##comma##".

@bit_maskoptional hexBinary

Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then uses as one operand in the indicated bitwise computation.

@pattern_typeoptional PatternTypeEnum

This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

@regex_syntaxoptional string

This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.

Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.

Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.

@has_changedoptional boolean

This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.

@trendoptional boolean

This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.

@vocab_nameoptional string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.