Chapter 40 Β· Concepts

Malware Overview β€” Concept Maps

The nine malware types, how they work together, how they arrive, and what stops them.

The Nine Malware Types at a Glance

Overview only β€” Chapters 41–43 cover each type in depth.

TypeSpreads HowPrimary GoalSignature Behavior
Virus Attaches to files; spreads when infected file runs Corruption, propagation File size changes; unexpected program behavior
Worm Auto-propagates across network via vulnerabilities; no host file needed Propagation, payload delivery Unusual network traffic; high CPU/bandwidth
Ransomware Delivered via phishing, drive-by, or worm; executes as payload Extortion via data encryption Mass file encryption; ransom note appears; extensions changed
Trojan Horse User installs it voluntarily, believing it to be legitimate software Initial access, backdoor creation Unexpected outbound connections; new services/processes
Rootkit Installed by other malware or attacker with existing access Persistence, concealment of other malware Security tools report clean despite behavioral anomalies
Keylogger Delivered via Trojan, drive-by, or phishing Credential theft, surveillance Outbound transmissions of keystroke data; unknown processes monitoring input
Spyware Bundled with software, drive-by, or phishing Information gathering, behavior monitoring Unexplained data exfiltration; camera/mic access without user action
Bloatware Pre-installed on device or bundled with software installs Revenue generation; may introduce vulnerabilities Resource consumption; unexplained network activity
Logic Bomb Planted by insiders or embedded in legitimate code Timed sabotage or data destruction Dormant until trigger β€” then sudden mass deletion or destruction

How Malware Types Work Together β€” The Multi-Stage Chain

Malware is rarely a single event. Real-world attacks combine multiple types in a coordinated sequence.

🌐
Step 1: Initial Access
Worm exploits unpatched OS/browser vulnerability or user clicks phishing link / drive-by download fires
↓
πŸšͺ
Step 2: Establish Persistence
Trojan horse or rootkit installs a remote access backdoor; conceals itself; attacker can now return at will
↓
πŸ”‘
Step 3: Credential Harvesting
Keylogger or spyware collects usernames, passwords, session tokens as victim uses the system normally
↓
🌍
Step 4: Lateral Movement
Attacker uses stolen credentials to access additional systems; worm may auto-spread to adjacent hosts
↓
πŸ’£
Step 5: Final Payload
Ransomware encrypts data files across all compromised systems simultaneously; or logic bomb triggers mass deletion; or data is exfiltrated

Infection Vectors β€” How Malware Reaches a System

Email Links & Attachments

Most common vector. Phishing email delivers a malicious link (leads to exploit site) or infected attachment (PDF, Office macro, ZIP containing executable). User action required: clicking the link or opening the attachment.

User must click
Web Page Pop-Ups

Malicious advertisements (malvertising) or fake system alerts on compromised sites prompt the user to click. Clicking triggers a download or redirects to an exploit page.

User must click
Drive-by Download

Visiting a compromised page is sufficient β€” no click required. The page executes exploit code in the browser that targets a vulnerability in the browser itself, a plugin (PDF reader, media player), or JavaScript engine. Malware installs silently in the background.

Page load only β€” no click needed
Worm Propagation

Worms spread entirely without user interaction by exploiting network-facing vulnerabilities in operating systems or services. The victim system does not need to run anything β€” the worm finds it, exploits it, and installs itself automatically.

No user action needed at all

The Value of Data β€” Why Malware Exists

Personal Data
  • Family photos and videos β€” irreplaceable; emotional leverage for ransom
  • Personal documents β€” tax returns, contracts, legal records
  • Credentials β€” banking logins, email passwords, social media accounts
  • Financial data β€” account numbers, card numbers

Valuable for direct financial exploitation (account takeover) or ransomware extortion (pay to recover irreplaceable files).

Organizational Data
  • Employee PII β€” Social Security numbers, addresses, payroll records
  • Financial records β€” accounts payable/receivable, banking details
  • Strategic planning documents β€” competitive intelligence value
  • Intellectual property β€” research data, source code, trade secrets
  • Customer data β€” any data organization is responsible for protecting

Valuable for sale on criminal markets, ransomware extortion (pay or we publish), and espionage. Regulatory breach notification obligations add further cost to exposure.

The Four Defense Fundamentals

DefenseWhat It DoesWhat It StopsCritical Detail
Offline / Immutable Backups Preserves a clean copy of data the malware cannot reach or encrypt Recovery from ransomware, logic bombs, destructive worms Backup must be offline or immutable β€” online/connected backups can be encrypted by ransomware
OS Patching Closes known vulnerabilities in the operating system Worm propagation, drive-by downloads, exploit-based delivery Most worm/drive-by exploits target known CVEs that have patches available β€” unpatched = open door
Application Patching Closes known vulnerabilities in browsers, plugins, office suites, etc. Drive-by downloads, malicious documents, plugin exploits Browsers and plugins are frequent attack targets; vendor patches must be applied promptly
AV / Anti-Malware Signatures Enables security software to recognize known malware by its code pattern Known malware variants distributed in the wild New variants release hourly; signatures must be current to detect recent threats. Ineffective against zero-day malware (no signature exists)

Ransomware: The OS Stays Running β€” Why

The Ransomware Design Choice

Ransomware deliberately encrypts data files (documents, images, databases) while leaving the operating system functional. This is intentional design, not a limitation:

The attacker wants the victim operational but helpless β€” able to act on the ransom demand, but unable to use their own work files until they pay. The OS remaining functional is a feature of the attack, not an oversight.

Public-key cryptography as a weapon: The same mathematical tools used to secure communications are used to encrypt files. The attacker holds the private key; the public key embedded in the ransomware encrypts files. Without the private key, decryption is computationally infeasible. The "unfortunate use of cryptography" framing in the exam refers to this inversion β€” a defensive tool used offensively.