Malware analysis

Malware spotlight: Hybrid malware

Fakhar Imam
January 9, 2020 by
Fakhar Imam


Hybrid malware, also known as combo malware, is a combination of two or more different types of attacks — usually a Trojan horse or worm with adware or malware attached. Hybrid malware can also act like a bot, aiming at making infected machines as a part of the bigger bot network controlled by the botnet masters. Once the infected machines are connected to the botnet, hackers can rent them out to other threat actors for their own purposes.

In addition, hybrid malware may also combine a virus’s ability to alter program code with a worm’s ability to hide in live memory. Moreover, it also has the ability to propagate without any action on the part of a user. 

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

In his book “Malware: Fighting Malicious Code,” Ed Skoudis wrote that most modern viruses fall into the hybrid category because, in addition to infecting files like a virus, they used the worm's propagation technique to disseminate themselves throughout the network.

How dangerous is hybrid malware? Why do cybercriminals create hybrid malware? What is one example of hybrid malware and what are the best defenses against it? Here is some help.

How dangerous is hybrid malware?

To understand the impacts of hybrid malware, first and foremost, we need to figure out the damages of its potential components. For example, the following malware types can form a single packaged attack — the hybrid malware — and we will briefly explore each of them:

  • The virus can infect boot sectors, host files, document files (e.g., Microsoft Office, AutoCAD, DOCX files, PDFs or TXT files) and executable files using companion infection techniques, appending infection techniques, overwriting infection techniques and prepending infection techniques
  • Worms are spread across the network by exploiting vulnerabilities in an operating system. They can harm your computer by overloading web servers and consuming bandwidth. Moreover, they can also hold payloads that can damage your host machines
  • Trojan horses can steal passwords cached in your browser history, allow hackers to remotely access your credit cards and online banking, and delete and destroy files from your computer. It can even detect and kill your firewall and antivirus programs

Hybrid malware uses cross-breeding propagation strategies where a single piece of malware can disseminate through the mobile code vectors, worm and virus, all at the same time. The malicious actors can launch even more devastating attacks using this combination malware.

The above-mentioned malware types are the building blocks that combine together into a single nasty package.

Why do cybercriminals create hybrid malware?

Unlike traditional malware, the amalgam that is hybrid malware utilizes the advantages of each disparate building block (e.g., worms, viruses or Trojans). Hybrid malware is extremely effective in its attacks and can exploit a considerably tight defense system.

Generally, security programs are designed for one or more specific computer viruses. The combined forces of malware may trick the security application in detecting the actual virus, or it may be skipped in false positives. For example, the Security Information and Event Management (SIEM) tool often generates too many false positives due to anomalous or suspected events. The security analysts in Security Operation Centers (SOCs) cannot resolve each false positive manually and, thus, they have to focus on the more serious ones while discarding the others.

There is no need to write new code for every aspect of the hybrid malware. Instead, attackers can borrow code from the already-existing malware specimens and integrate this code into their latest wares.

Example of hybrid malware

In 2001, a malware developer calling himself “Lion” released a hybrid malware — a worm/rootkit combo. Rootkits allow hackers to manipulate operating system files, while worms are powerful vectors used to spread code pieces rapidly. Imagine what happens when malicious actors crossbreed Rootkits and worms to harness the capabilities of both in hybrid malware.

This malicious combination could certainly wreak havoc: it inflicted damage on more than 10,000 Linux systems in 2001. As a matter of fact, worm/rootkit combo malware was designed to specifically exploit the vulnerabilities in Linux systems.

What are the best defenses against hybrid malware?

Although hybrid malware is very sophisticated and difficult to detect, some proactive security measures can still save you from disaster:

  • Use multilayered or defense-in-depth security equipped with a solid antivirus and anti-malware program. Keeping them up to date is also essential for security teams. Anti-malware programs will detect and immediately remove the controlling components of the hybrid malware from the memory
  • Use a firewall, as it can help to monitor incoming and outgoing traffic and create a barrier against unwanted or dangerous connections. You can also define some custom rules over there. Firewall can interrupt the communication of a botnet’s command-and-control server with a victim machine
  • Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are also invaluable to network security
  • System configurations should be hardened properly
  • Tighten your browser security
  • Upgrade all security applications regularly and patch them properly through their official vendors
  • Educate your employees about common malware types and how those types can collectively form hybrid malware. Avoid clicking on unusual or unwanted links. Do not download unknown files, and never torrent files or visit questionable sites

Conclusion: The way forward

Hybrid malware is a dangerous piece of code that is created by combining the capabilities of two or more malware programs, such as worms, backdoors or rootkits. It’s complex and difficult to detect. 

However, taking some proactive security measures can save your organization from disaster. To this end, you need to deploy multilayered security with antivirus and anti-malware programs, firewalls, IDS/IPS, browser security, patches, upgrades and user awareness training programs.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.



  1. Ed Skoudis and Lenny Zeltser, “Malware: Fighting Malicious Code,” Prentice Hall, 2003
  2. Hybrid virus/worm, SearchSecurity
  3.  9 types of malware and how to recognize them, CSO
  4. Did You Know These 5 Types of Malware?, SysGroup
  5. What Is a Trojan Horse?, McAfee
  6. What is a computer worm?, Veracode
  7. Configuring custom firewall rules, Symantec
Fakhar Imam
Fakhar Imam

Fakhar Imam is a professional writer with a master’s program in Masters of Sciences in Information Technology (MIT). To date, he has produced articles on a variety of topics including on Computer Forensics, CISSP, and on various other IT related tasks.